The client who agrees to these terms (“Client”) has entered into a Terms of Use Agreement or SaaS Services Agreement with The Enlighten Company S/A (“Enspace”) under which Enspace has agreed to provide services to the Client (as amended from time to time, the “Agreement”).

This Data Protection Addendum, including its applicable Appendices (the “Addendum”), will take effect and replace any previously applicable data processing and security terms from the Addendum Effective Date (as defined below). This Addendum is part of the Agreement.

Any capitalized term used but not otherwise defined in this Addendum will have the meaning assigned to it in the Agreement.

1. Definitions

For the purposes of this Addendum, the terms below will have the meanings set forth below. Capitalized terms used but not otherwise defined in this Addendum will have the meanings set forth in the Agreement.

1.1 “Addendum Effective Date” means the date on which the parties agreed to this Addendum.
1.2 “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, where “control” refers to the power to direct or cause the direction of the subject entity’s management, whether through ownership of voting securities, by contract, or otherwise.
1.3 “Audit Reports” has the meaning assigned in Section 5.4.4 (Audit Reports).
1.4 “CCPA” means the California Consumer Privacy Act of 2018.
1.5 “Client Personal Data” means any personal data or personal information of data subjects contained in the data provided or accessed by Enspace on behalf of the Client or the Client’s end users in connection with the Services.
1.6 “Global Data Protection Legislation” means the European Data Protection Legislation, CCPA, and LGPD as applicable to the processing of Client Personal Data under the Agreement.
1.7 “EEA” means the European Economic Area.
1.8 “EU” means the European Union.
1.9 “European Data Protection Legislation” means the GDPR and other data protection laws of the EU, its Member States, Switzerland, Iceland, Liechtenstein, Norway, and the United Kingdom applicable to the processing of Client Personal Data under the Agreement.
1.10 “GDPR” means Regulation (EU) 2016/679 of the European Parliament and Council of April 27, 2016, concerning the protection of natural persons regarding the processing of personal data and the free movement of such data, repealing Directive 95/46/EC.
1.11 “Information Security Incident” means a breach of Enspace’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Client Personal Data in Enspace’s possession, custody, or control. “Information Security Incidents” do not include unsuccessful attempts or activities that do not compromise the security of Client Personal Data, including unsuccessful login attempts, pings, port scans, denial-of-service attacks, and other network attacks on firewalls or networked systems.
1.12 “LGPD” means Brazil’s General Data Protection Law (Lei Geral de Proteção de Dados).
1.13 “Standard Contractual Clauses” or “SCCs” have the meaning set forth in Appendix 3 (Cross-Border Transfer Solutions) of this Addendum.
1.14 “Security Documentation” means all documents and information made available by Enspace in Section 5.4.1 (Audits).
1.15 “Security Measures” has the meaning assigned in Section 5.1.1 (Enspace’s Security Measures).
1.16 “Services” means the services and/or products to be provided by Enspace to the Client under the Agreement.
1.17 “Sub-Processors” means third parties authorized under this Addendum to process Client Personal Data in relation to the Services.
1.18 “Term” means the period from the Addendum Effective Date until the end of Enspace’s provision of the Services.
1.19 “Transfer Solution” means the Standard Contractual Clauses or another solution that allows for the legal transfer of personal data to a third country pursuant to Article 45 or 46 of the GDPR.
1.20 The terms “personal data”, “data subject”, “processing”, “controller”, “processor”, and “supervisory authority” as used in this Addendum have the meanings assigned in the GDPR and LGPD, as applicable, and the terms “data importer” and “data exporter” have the meanings assigned in the Standard Contractual Clauses. The terms “personal information”, “business”, and “service provider” have the meanings defined in the CCPA.

2. Duration of the Addendum

This Addendum will take effect on the Addendum Effective Date and, notwithstanding the expiration of the Term, will remain in effect until and automatically expire after the deletion of all Client Personal Data by Enspace as described in this Addendum.

3. Data Processing

3.1 Roles and Regulatory Compliance; Authorization

3.1.1 Responsibilities of the Processor and Controller. This Addendum applies only to the extent that we process Client Personal Data on behalf of the Client. If the European Data Protection Legislation, LGPD, or CCPA applies to the processing of Client Personal Data, the parties acknowledge and agree that:
(a) the subject matter and details of the processing are described in Appendix 1;
(b) Enspace is a processor of such Client Personal Data under the European Data Protection Legislation or LGPD, and/or a Service Provider with respect to such Client Personal Data under the CCPA, as applicable;
(c) the Client is a controller or processor of such Client Personal Data under the European Data Protection Legislation or LGPD, and/or a Business with respect to such Client Personal Data under the CCPA, as applicable; and
(d) each party will comply with the obligations applicable to it under the relevant Global Data Protection Legislation with respect to the processing of such Client Personal Data.

3.1.2 Authorization by Third-Party Controller. If the European Data Protection Legislation applies to the processing of Client Personal Data and the Client is a processor, the Client warrants to Enspace that the Client’s instructions and actions regarding such Client Personal Data, including its appointment of Enspace as another processor and its consent to Enspace’s onward transfers of Client Personal Data to its Sub-Processors, have been authorized by the relevant controller.

3.2 Scope of Processing

3.2.1 Client Instructions. By entering into this Addendum, the Client instructs Enspace to process Client Personal Data only in accordance with applicable law:
(a) to provide the Services;
(b) as authorized by the Agreement, including this Addendum and its Appendices; and
(c) as documented in any other written instructions provided by the Client and acknowledged in writing by Enspace as constituting instructions for the purposes of this Addendum.

3.2.2 Compliance by Enspace with Instructions. Enspace will only process Client Personal Data in accordance with the Client’s instructions described in Section 3.2.1 (including with respect to data transfers) (“Client Instructions”), unless applicable Global Data Protection Legislation to which Enspace is subject requires otherwise regarding the processing of Client Personal Data, in which case Enspace will notify the Client (unless prohibited by law from doing so for important public interest reasons).

4. Data Deletion

4.1 Deletion upon Termination. Unless otherwise provided in the Agreement, upon expiration of the Term, the Client instructs Enspace to delete all Client Personal Data (including existing copies) from Enspace’s systems as required and in accordance with applicable law as soon as reasonably possible, unless applicable law prevents Enspace from deleting such data. To the extent that the Client is subject to laws or regulations requiring Enspace to retain Client Personal Data after the expiration of the Term and the Client does not inform Enspace of such retention obligations, the Client will be solely responsible for any deletion of such data by Enspace in accordance with this Section 4.1.

5. Data Security

5.1 Enspace’s Security Measures, Controls, and Assistance

5.1.1 Enspace’s Security Measures. Enspace will implement and maintain technical and organizational measures to protect Client Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as described in Appendix 2 (the “Technical and Organizational Security Measures”). Enspace may update or modify the Security Measures from time to time, provided that such updates and modifications do not materially diminish the overall security of the Services.

5.1.2 Enspace Staff Security Compliance. Enspace will grant access to Client Personal Data only to employees, contractors, and Sub-Processors who require such access within the scope of their performance and are subject to appropriate confidentiality agreements.

5.1.3 Enspace’s Security Assistance. Enspace will (considering the nature of the processing of Client Personal Data and the information available to Enspace) provide the Client with reasonable assistance necessary for the Client to comply with its obligations regarding Client Personal Data under the Global Data Protection Legislation, including Articles 32 to 34 (inclusive) of the GDPR and Articles 6 and 46 of the LGPD, by:
(a) implementing and maintaining the Security Measures in accordance with Section 5.1.1 (Enspace’s Security Measures);
(b) complying with the terms of Section 5.2 (Information Security Incidents); and
(c) providing the Client with Security Documentation in accordance with Section 5.4.1 (Review of Security Documentation) and the Agreement, including this Addendum.

5.2 Information Security Incidents

5.2.1 Notification of Information Security Incidents. If Enspace becomes aware of an Information Security Incident, Enspace will:
(a) notify the Client of the Information Security Incident without undue delay after becoming aware of the Information Security Incident; and
(b) take reasonable steps to identify the cause of such Information Security Incident, minimize damage, and prevent a recurrence.

5.2.2 Details of Information Security Incident. Notifications made under this Section 5.2 (Information Security Incidents) will describe, to the extent possible, the details of the Information Security Incident, including:
(i) the nature of the Information Security Incident, including, whenever possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records affected;
(ii) the name and contact details of the data protection officer or other point of contact where further information can be obtained;
(iii) the likely consequences of the Information Security Incident; and
(iv) measures taken, or proposed to be taken, to mitigate potential risks and measures Enspace recommends the Client take to address the Information Security Incident, including, where appropriate, measures to mitigate its possible adverse effects.

5.2.3 Notification. The Client is solely responsible for complying with incident notification laws applicable to the Client and for fulfilling any third-party notification obligations related to any Information Security Incident(s).

5.2.4 No Admission of Fault by Enspace. Enspace’s notification or response to an Information Security Incident under this Section 5.2 (Information Security Incidents) will not be construed as an acknowledgment by Enspace of any fault or liability regarding the Information Security Incident.

5.3 Client Security Responsibilities and Assessment

5.3.1 Client Security Responsibilities. The Client agrees that, without prejudice to Enspace’s obligations under Section 5.1 (Enspace’s Security Measures, Controls, and Assistance) and Section 5.2 (Information Security Incidents):
(a) The Client is solely responsible for the use of the Services, including:
(i) making appropriate use of the Services to ensure a level of security appropriate to the risk regarding Client Personal Data;
(ii) securing the account credentials, authentication systems, and devices the Client uses to access the Services;
(iii) protecting the Client’s systems and devices that Enspace uses to provide the Services; and
(iv) backing up its Client Personal Data.

(b) Enspace has no obligation to protect Client Personal Data that the Client chooses to store or transfer outside of Enspace’s systems and its Sub-Processors (e.g., offline or on-premises storage).

5.3.2 Client Security Assessment
(a) The Client is solely responsible for reviewing the Security Documentation and assessing for itself whether the Services, the Security Measures, and Enspace’s commitments under this Section 5 (Data Security) will meet the Client’s needs, including regarding any Client security obligations under applicable Global Data Protection Legislation.
(b) The Client acknowledges and agrees that (considering the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing Client Personal Data, as well as the risks to individuals), the Security Measures implemented and maintained by Enspace as defined in Section 5.1.1 (Enspace’s Security Measures) provide a level of security appropriate to the risk regarding Client Personal Data.

5.4 Compliance Reviews and Audits

5.4.1 Audits. The Client may audit Enspace’s compliance with its obligations under this Addendum once per year. Additionally, to the extent required by applicable Global Data Protection Legislation, including where required by the Client’s supervisory authority, the Client or the Client’s supervisory authority may conduct more frequent audits (including inspections). Enspace will contribute to such audits by providing the Client or the Client’s supervisory authority with the information and assistance reasonably necessary to conduct the audit, including any relevant records of processing activities applicable to the Services.

5.4.2 Objections to Third-Party Auditor. If a third party conducts the audit, Enspace may object to the auditor if, in Enspace’s reasonable opinion, the auditor is not adequately qualified or independent, is a competitor of Enspace, or is otherwise manifestly unsuitable. Such an objection by Enspace will require the Client to appoint another auditor or conduct the audit itself.

5.4.3 Audit Request. To request an audit, the Client must submit a detailed proposed audit plan to Enspace at least two weeks in advance of the proposed audit date. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Enspace will review the proposed audit plan and provide the Client with any concerns or questions (e.g., any request for information that may compromise Enspace’s security, privacy, employment, or other relevant policies). Enspace will work cooperatively with the Client to agree on a final audit plan. Nothing in this Section 5.4 (Compliance Reviews and Audits) will require Enspace to violate any confidentiality obligations.

5.4.4 Audit Reports. If the requested audit scope is covered by an SSAE 16/18/ISAE 3402 Type 2, AICPA SOC 2 (SOC for Service Organizations: Trust Service Criteria), or a similar audit report conducted by a qualified third-party auditor (“Audit Reports”) within twelve (12) months of the Client’s audit request and Enspace confirms that there are no known material changes to the audited controls, the Client agrees to accept those findings in lieu of requesting an audit of the controls covered by the report.

5.4.5 Conducting the Audit. The audit must be conducted during normal business hours at the applicable facility, subject to the agreed final audit plan and Enspace’s health and safety or other relevant policies, and must not unreasonably interfere with Enspace’s business activities.

5.4.6 Audit Conditions. The Client will promptly notify Enspace of any non-compliance discovered during an audit and provide Enspace with any audit reports generated in connection with any audit under this Section 5.4 (Compliance Reviews and Audits), unless prohibited by applicable Global Data Protection Legislation or otherwise instructed by a supervisory authority. The Client may use audit reports solely to meet its regulatory audit requirements and/or confirm compliance with the requirements of this Addendum. Audit reports and any information shared by Enspace during the audit process are the Confidential Information of the parties under the Agreement.

5.4.7 Audit Expenses. Any audits will be at the Client’s expense. The Client will reimburse Enspace for any time spent by Enspace or its Sub-Processors in connection with any audits or inspections under this Section 5.4 (Compliance Reviews and Audits) at Enspace’s then-current professional service rates, which will be made available to the Client upon request. The Client will be responsible for any fees charged by any auditor appointed by the Client to perform such an audit.

5.4.8 Standard Contractual Clauses. The parties agree that this Section 5.4 (Compliance Reviews and Audits) shall satisfy Enspace’s obligations under the audit requirements of the 2021 Standard Contractual Clauses applicable to the Data Importer under Clause 8 and Clause 13(a) and to any Sub-Processors under Clause 9.

6. Data Protection Impact Assessments and Consultation

Enspace will (considering the nature of the processing and the information available to Enspace) reasonably assist the Client in complying with its obligations under applicable Global Data Protection Legislation concerning data protection impact assessments and prior consultation, including, if applicable, obligations under Articles 35 and 36 of the GDPR, by:

6.1 Audit Reports and Security Measures. Making available for review copies of Audit Reports or other documentation that describe relevant aspects of Enspace’s information security program and the security measures applied in relation to it; and

6.2 Additional Information. Providing the information contained in the Agreement, including this Addendum.

7. Data Subject Rights

7.1 Client Responsibility for Requests. During the Term, if Enspace receives any request from a data subject regarding Client Personal Data, Enspace will, at its sole discretion: (i) notify the Client of the request, (ii) advise the data subject to submit their request to the Client, and/or (iii) inform the data subject that their request has been forwarded to the Client. The Client will be responsible for responding to any such request.

7.2 Enspace’s Assistance with Data Subject Requests. Enspace will (considering the nature of the processing of Client Personal Data) provide the Client with self-service functionality through the Services or other reasonable assistance as necessary for the Client to fulfill its obligation under applicable Global Data Protection Legislation to respond to data subject requests, including, if applicable, the Client’s obligation to respond to data subject rights requests set forth in Chapter III of the GDPR, Articles 18 and 19 of the LGPD, or Section 1798.105 of the CCPA. The Client will reimburse Enspace for any assistance beyond the provision of self-service features included as part of the Services at Enspace’s then-current professional service rates, which will be made available to the Client upon request.

8. Data Transfers

8.1 Data Storage and Processing Facilities. Enspace may, in accordance with Section 8.2 (Data Transfers Outside the EEA), store and process Client Personal Data anywhere Enspace or its Sub-Processors maintain facilities.

8.2 Data Transfers Outside the EEA

8.2.1 Enspace’s Transfer Obligations. If the storage and/or processing of Client Personal Data (as set forth in Section 8.1 (Data Storage and Processing Facilities)) involves transfers of Client Personal Data outside the EEA, the United Kingdom, or Switzerland, and European Data Protection Legislation applies to the transfers of such data (“Transferred Personal Data”), the terms set forth in Appendix 3 (International Transfer Solutions) will apply. Enspace will make such transfers in accordance with a Transfer Solution and will make information about that Transfer Solution available to the Client upon request.

8.2.2 Client’s Transfer Obligations. Regarding the Transferred Personal Data, the Client agrees that, if under European Data Protection Legislation Enspace reasonably requires the Client to use another Transfer Solution offered by Enspace (in addition to the Standard Contractual Clauses attached as Appendix 3 and incorporated by reference to the extent the Client is transferring Client Personal Data outside the EEA, the United Kingdom, or Switzerland to Enspace) and Enspace reasonably requests that the Client take any action (which may include executing documents) necessary to give full effect to such a solution, the Client will comply.

8.3 Disclosure of Confidential Information Containing Personal Data. If the Client has entered into Standard Contractual Clauses as described in Section 8.2 (Data Transfers Outside the EEA), Enspace will, notwithstanding any contrary term in the Agreement, make any disclosure of the Client’s Confidential Information containing personal data and any related notifications in accordance with such Standard Contractual Clauses. For the purposes of the Standard Contractual Clauses, the Client and Enspace agree that (i) the Client will act as the data exporter on its behalf and on behalf of any of the Client’s entities, and (ii) Enspace or its relevant Affiliate will act on its own behalf and/or on behalf of Enspace’s Affiliates as data importers.

9.1 Consent to Sub-Processor Engagement. The Client generally authorizes the engagement of any third parties as Sub-Processors and authorizes the onward transfer of Client Personal Data to any Sub-Processors engaged by Enspace. If the Client has entered into Standard Contractual Clauses as described in Section 8.2 (Data Transfers Outside the EEA), the above authorizations will constitute the Client’s prior written consent to Enspace’s subcontracting of the processing of Client Personal Data if such consent is required under the Standard Contractual Clauses.

9.2 Information on Sub-Processors. Information about Sub-Processors, including their roles and locations, is available at sales@be-enlighten.com (as may be updated periodically by Enspace in accordance with this Addendum).

9.3 Sub-Processor Engagement Requirements. When engaging any Sub-Processor, Enspace will enter into a written contract with such Sub-Processor containing data protection obligations no less protective than those in the Agreement (including this Addendum) concerning the protection of Client Personal Data to the extent applicable to the nature of the Services provided by such Sub-Processor. Enspace will remain responsible for all subcontracted obligations and for all acts and omissions of the Sub-Processor.

9.4 Opportunity to Object to Sub-Processor Changes. When any new Sub-Processor is engaged during the Term, Enspace will notify the Client of the engagement by email (including the relevant Sub-Processor’s name, location, and activities it will perform) at least 30 days before the new Sub-Processor processes any Client Personal Data. To receive email notifications related to Sub-Processor changes, the Client can register using the portal available at sales@be-enlighten.com.

The Client may object to any new Sub-Processor by providing written notice to Enspace within ten (10) business days after being informed of the Sub-Processor’s engagement as described above. If the Client objects to a new Sub-Processor, the Client and Enspace will work together in good faith to find a mutually acceptable resolution to address the objection. If the parties cannot reach a mutually acceptable resolution within a reasonable timeframe, the Client may, as its sole and exclusive remedy, terminate the Agreement by providing written notice to Enspace.

10.1 Enspace’s Processing Records. The Client acknowledges that Enspace is required under the GDPR to:
(a) collect and maintain records of certain information, including the name and contact details of each processor and/or controller on whose behalf Enspace is acting and, where applicable, the local representative of such processor or controller and the data protection officer; and
(b) make such information available to supervisory authorities.

Consequently, if the GDPR applies to the processing of Client Personal Data, the Client will provide such information to Enspace upon request and ensure that all information provided is accurate and kept up to date.

11.1 Limit of Liability. The total combined liability of either party and its Affiliates to the other party and its Affiliates, whether in contract, tort, or any other theory of liability, under or in connection with the Agreement, this Addendum, and the Standard Contractual Clauses, if entered as described in Section 8.2 (Data Transfers Outside the EEA), combined will be limited to the liability limitations or other liability caps agreed by the parties in the Agreement, subject to Section 11.2 (Exclusions from Liability Limitation).

11.2 Exclusions from Liability Limitation. Nothing in Section 11.1 (Limit of Liability) will affect either party’s liability to data subjects under the third-party beneficiary provisions of the Standard Contractual Clauses to the extent that the limitation of such rights is prohibited by European Data Protection Legislation.

12. Analysis. The Client acknowledges and agrees that Enspace may create and derive from the processing related to the Services anonymized and/or aggregated data that does not identify the Client or any individual, and use, disclose, or share such data with third parties to improve Enspace’s products and services and for its other legitimate business purposes.

13. Notices
Notwithstanding any contrary provisions in the Agreement, any notices required or permitted to be provided by Enspace to the Client may be provided (a) in accordance with the notice clause of the Agreement; (b) to Enspace’s primary points of contact with the Client; and/or (c) to any email provided by the Client for the purpose of delivering communications or alerts related to the Service. The Client is solely responsible for ensuring that such email addresses are valid.

14. Effect of These Terms
Notwithstanding any contrary provisions in the Agreement, to the extent of any conflict or inconsistency between this Addendum and the other terms of the Agreement, this Addendum shall prevail.

Appendix 1

Subject and Details of Data Processing

This Appendix 1 is incorporated into the Addendum and also forms part of the Standard Contractual Clauses (if such Standard Contractual Clauses are applicable to the Client).

Data Importer
The Data Importer (or Service Provider/Processor) is Enspace, a provider of productivity solutions.

Data Exporter
The Data Exporter (or Company/Controller) is the Client that is party to the Addendum.

Subject
The provision of Services to the Client by Enspace, as set forth in the Agreement and the Addendum.

Duration of Processing
The Term plus the period from the expiration of the Term until the deletion of all Client Personal Data by Enspace in accordance with the Addendum.

Nature and Purpose of Processing
Enspace will receive, process, and store Client Personal Data for the purpose of providing Services to the Client under the Agreement and the Addendum, communicating with the Client and its end users, providing customer support, monitoring, maintaining, and improving the Services, and otherwise fulfilling its obligations under the Agreement. Enspace does not sell Client Personal Data or the personal data of the Client’s end users and does not share such end-user information with third parties for compensation or the commercial interests of such third parties.

Categories of Personal Data

• First and last name
• Title
• Position
• Employer
• Contact information (company, email, phone, business address)
• Identification data
• Connection data
• Location data
• Other electronic data submitted, stored, sent, or received by an end user (which may include special categories of personal data under the GDPR or sensitive personal data under the LGPD, to the extent such data is submitted, stored, sent, or received by an end user; Enspace does not request or require any sensitive or special categories of personal data for providing the Services)
• Invoice or payment information related to the use of Enspace services
• Usage information

Sensitive Data
Enspace does not request or require any sensitive or special categories of personal data to provide the Services. Sensitive data may occasionally be processed through the Services if the Client or its end users choose to include sensitive data in communications transmitted using the Services or upload sensitive data to the Services. The Client is responsible for ensuring appropriate safeguards are in place before transmitting or processing, or allowing its end users to transmit or process, any sensitive data through the Services.

Data Subjects

• Employees, agents, consultants, and/or freelancers of the Client (who are natural persons)
• Individuals whose data is provided to Enspace through the Services by (or at the direction of) the Client
• End users authorized by the Client to use the Services

Sub-Processors
The Client consents to sub-processing by the designated entities.

Appendix 2

Technical and Organizational Security Measures

As of the Effective Date of the Addendum, Enspace will implement and maintain the technical and organizational security measures set forth below.

Enspace may update or modify such security measures from time to time, provided that such updates and modifications do not materially diminish the overall security of the Services.

The following table provides further information on the technical and organizational security measures:

Technical and Organizational Security Measure

• Data Anonymization and Encryption Measures: See Data Privacy Policy.
• Measures to Ensure the Confidentiality, Integrity, Availability, and Ongoing Resilience of Processing Systems and Services: See Security Policy and ISAE 3402 Report.
• Measures to Ensure Timely Restoration of Availability and Access to Personal Data in the Event of a Physical or Technical Incident: See Security Policy and ISAE 3402 Report.
• Processes for Regular Testing, Assessment, and Evaluation of the Effectiveness of Technical and Organizational Measures to Ensure Processing Security: See Security Policy and ISAE 3402 Report.
• User Identification and Authorization Measures: See Security Policy and ISAE 3402 Report.
• Measures for Data Protection During Transmission: See Security Policy and ISAE 3402 Report.
• Measures for Data Protection During Storage: See Security Policy and ISAE 3402 Report.
• Measures to Ensure the Physical Security of Locations Where Personal Data is Processed: See Security Policy and ISAE 3402 Report.
• Measures to Ensure Event Logging: See Security Policy and ISAE 3402 Report.
• Measures to Ensure System Configuration, Including Default Configuration: See Security Policy and ISAE 3402 Report.
• Measures for IT Governance and Internal IT and Security Management: See Security Policy and ISAE 3402 Report.
• Measures for Certification/Assurance of Processes and Products: See Security Policy and ISAE 3402 Report.
• Measures to Ensure Data Minimization: See Security Policy and ISAE 3402 Report.
• Measures to Ensure Data Quality: See Security Policy and ISAE 3402 Report.
• Measures to Ensure Accountability: See Security Policy and ISAE 3402 Report.
• Measures to Enable Data Portability and Ensure Data Erasure: See Security Policy and ISAE 3402 Report.

Sub-Processor Assistance Measures
When Enspace engages a Sub-Processor, Enspace and the Sub-Processor enter into an agreement with data protection obligations substantially similar to those contained in this Addendum. Each Sub-Processor contract must ensure that Enspace can meet its obligations to the Client.

Additionally, Sub-Processors must:

• (a) Notify Enspace in the event of a Security Incident so that Enspace can notify the Client;
• (b) Delete personal data when instructed by Enspace in accordance with the Client’s instructions to Enspace;
• (c) Not engage additional Sub-Processors without Enspace’s authorization;
• (d) Not change the location where personal data is processed.

Appendix 3
Cross-Border Data Transfer Solutions

1. Definitions
For the purposes of the Clauses:
For the purposes of this Addendum, the terms below will have the meanings set forth below. Capitalized terms used but not otherwise defined in this Addendum will have the meanings set forth in the Agreement.

1.1 “Standard Contractual Clauses” means, depending on the Client’s unique circumstances, any of the following:
1.1.1 UK International Data Transfer Addendum; or
1.1.2 2021 EU Standard Contractual Clauses (“EU SCCs”).

1.2 “UK International Data Transfer Addendum” means: the UK International Data Transfer Addendum (“IDTA”) to the EU Commission’s Standard Contractual Clauses (“EU SCCs”) (Version B1.0) issued by the UK Information Commissioner for Parties making Transfers (which may be amended, updated, or replaced from time to time).

1.3 “2021 Standard Contractual Clauses” means the Standard Contractual Clauses approved by the European Commission in decision 2021/914.

2. Cross-Border Data Transfer Solutions

2.1 Precedence Order. If the Services are covered by more than one Transfer Solution, the transfer of personal data will be subject to a single Transfer Solution according to the following order of precedence:
(a) the applicable Standard Contractual Clauses, as set forth in Section 2.2 (UK Standard Contractual Clauses) or Section 2.3 (2021 Standard Contractual Clauses) of this Appendix 3; and, if neither (a) nor (b) apply, then
(c) other Transfer Solutions permitted by applicable Global Data Protection Legislation.

2.2 2021 Standard Contractual Clauses. The parties agree that the 2021 Standard Contractual Clauses will apply to personal data transferred through the Services from the European Economic Area, directly or through onward transfer, to any country or recipient outside the European Economic Area that is not recognized by the Commission as providing an adequate level of personal data protection. For data transfers from the European Economic Area that are subject to the 2021 Standard Contractual Clauses, the 2021 Standard Contractual Clauses will be deemed entered into (and incorporated into this Addendum by reference) and completed as follows:

2.2.1 The 2021 Standard Contractual Clauses Module Two (Controller to Processor) will apply when the Client is the controller of the Client’s Personal Data and Enspace is processing the Client’s Personal Data.
2.2.2 The 2021 Standard Contractual Clauses Module Three (Processor to Processor) will apply when the Client is a processor of the Client’s Personal Data and Enspace is processing the Client’s Personal Data.
2.2.3 For each Module, where applicable:

(a) In Clause 7 of the 2021 Standard Contractual Clauses, the optional docking clause will not apply;
(b) In Clause 9 of the 2021 Standard Contractual Clauses, Option 2 “General Written Authorization” will apply, and the notice period for changes in Sub-Processor will be as set forth in Section 9 (Sub-Processors) of this Addendum;
(c) In Clause 11 of the 2021 Standard Contractual Clauses, the optional language will not apply;
(d) In Clause 17 (Option 1), the 2021 Standard Contractual Clauses will be governed by Irish law;
(e) In Clause 18(b) of the 2021 Standard Contractual Clauses, disputes will be resolved before the courts of Ireland;
(f) In Annex I, Part A (List of Parties) of the 2021 Standard Contractual Clauses:

(i) Data Exporter: Client.
(ii) Contact Details: The email address(es) designated by the Client in the Client’s account through its notification preferences.
(iii) Role of Data Exporter: The role of the Data Exporter is defined in Section 3.1 (Roles and Regulatory Compliance; Authorization) of this Addendum. The parties acknowledge and agree that, concerning the processing of the Client’s Personal Data, the Client may act as a controller or processor, and Enspace is a processor. Enspace will process the Client’s Personal Data in accordance with the Client’s Instructions as set forth in Section 3.2.1.
(iv) Signature and Date: By entering into the Agreement, the Data Exporter is deemed to have signed these incorporated Standard Contractual Clauses, including their Annexes, as of the effective date of the Agreement.
(v) Data Importer: The Enlighten Company S/A dbo Enspace.
(vi) Address: 350 Tenth Ave Suite 500, San Diego, CA 92101
(vii) Contact Details: Enspace Data Security Team – data@enspace.io
(viii) Role of Data Importer: The parties acknowledge and agree that, concerning the processing of the Client’s Personal Data, the Client may act as a controller or processor, and Enspace is a processor. Enspace will process the Client’s Personal Data in accordance with the Client’s Instructions.
(ix) Signature and Date: By entering into the Agreement, the Data Importer is deemed to have signed these incorporated Standard Contractual Clauses, including their Annexes, as of the effective date of the Agreement.

(g) In Annex I, Part B (Description of the Transfer) of the 2021 Standard Contractual Clauses:

(i) The categories of data subjects are described in the “Data Subjects” section of Appendix 1 (Subject Matter and Details of Data Processing) of this Addendum.
(ii) The categories of personal data transferred are described in the “Categories of Personal Data” section of Appendix 1 (Subject Matter and Details of Data Processing) of this Addendum.
(iii) The Sensitive Data transferred are described in the “Sensitive Data” section of Appendix 1 (Subject Matter and Details of Data Processing) of this Addendum.
(iv) Signature and Date: By entering into the Agreement, the Data Exporter is deemed to have signed these incorporated Standard Contractual Clauses, including their Annexes, as of the effective date of the Agreement.
(v) The nature of the processing is described in the “Nature and Purpose of Processing” section of Appendix 1 (Subject Matter and Details of Data Processing) of this Addendum.
(vi) The purpose of the processing is described in the “Nature and Purpose of Processing” section of Appendix 1 (Subject Matter and Details of Data Processing) of this Addendum.

(vii) The period during which the personal data will be retained and the criteria used to determine this period are as follows:
Before the termination of the Agreement, Enspace will process the Client’s Personal Data stored for the permitted purposes set forth in Section 3.1.1 (Client Instructions) until the Client opts to delete or requests the return of such Client’s Personal Data in accordance with Section 4 of the Addendum. Before the termination of the Agreement, the Client agrees that it is solely responsible for deleting the Client’s Personal Data through the Services.
After the termination of the Agreement, Enspace will:
(i) provide the Client thirty (30) days from the effective date of termination to obtain a copy of any Client’s Personal Data stored through the Services, and
(ii) delete any Client’s Personal Data stored within thirty (30) days upon the Client’s request, unless alternative retention and/or deletion timelines are otherwise specified in the Agreement or subsequently agreed upon in writing by the parties.
Any Client’s Personal Data archived in Enspace’s backup systems will be securely isolated and protected from any further processing, except as required by applicable law or regulation.

(h) In Annex I, Part C of the 2021 Standard Contractual Clauses: The Irish Data Protection Commission will be the competent supervisory authority.

(i) Appendix 2 (Technical and Organizational Security Measures) of this Addendum serves as Annex II of the Standard Contractual Clauses.

2.3 Data Transfers from Switzerland. Regarding any transfer of personal data outside of Switzerland or of Personal Data governed by the Swiss Federal Data Protection Act (“FADP”) (and the revised FADP (“revFADP”) when effective) to a third country (without an adequacy decision or equivalent issued by the European Commission or competent Swiss authority), the Parties agree that the EU SCCs in this Addendum shall apply, subject to the following terms and conditions:

A. References: The terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as used in the EU SCCs shall be interpreted to include the FADP and, where applicable, the revFADP.

B. Clause 13: To the extent that the transfer of Personal Data is subject solely to the FADP/revFADP, the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland is the exclusive supervisory authority.
To the extent that the transfer of Personal Data is governed by both the GDPR and the FADP/revFADP, the competent supervisory authority with parallel oversight (as per Annex IC of the EU SCCs) is the FDPIC, and where the transfer is governed by the GDPR, the criteria in Clause 13(a) for selecting the competent authority shall apply.

C. Clause 17: The EU SCCs will be governed by Swiss law if the transfer is subject solely to the FADP/revFADP or, in other cases, by the law of an EU Member State, provided that the law of the Member State permits third-party beneficiary rights.

D. Clause 18(b): Any dispute arising from the EU SCCs will be resolved by the courts of Switzerland if the transfer is subject solely to the FADP/revFADP, or by the courts of an EU Member State in other cases.

E. Clause 18(c): The term “Member State” shall not be construed to exclude data subjects in Switzerland from pursuing their rights in their habitual place of residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs.

F. revFADP: The EU SCCs will protect the data of legal entities until the revFADP comes into force.

2.4 International Data Transfer Addendum (IDTA) of the UK.
The parties agree that the UK International Data Transfer Addendum will apply to personal data transferred through the Services from the United Kingdom, directly or by onward transfer, to any country or recipient outside the United Kingdom that is not recognized by the competent UK regulatory authority or UK government body as providing an adequate level of protection for personal data.
For data transfers from the UK subject to the UK International Data Transfer Addendum, the UK International Data Transfer Addendum shall be deemed executed (and incorporated into this Addendum by this reference) and completed as follows:

Part 1:

1. Table 1: Parties
   a. The Start Date is the date of the Parties’ last signature on this Addendum or the Agreement.
   b. The Parties are defined in Annex IA of the EU SCCs to which this IDTA is attached.

2. Table 2: Selected SCCs, Modules, and Clauses
   a. EU SCCs Addendum
   i. The version of the approved EU SCCs to which this IDTA is attached, including the appendix information, applies.

3. Table 3: Appendix Information
   a. Annex 1A: List of Parties
   i. The Parties are defined in Annex IA of the EU SCCs to which this IDTA is attached.
   b. Annex 1B: Transfer Description
   i. The Transfer Description is set forth in Annex IB of the EU SCCs to which this IDTA is attached.
   c. Annex II: Technical and Organizational Measures, including measures to ensure data security
   i. The technical and organizational measures are defined in Annex II of the EU SCCs to which this IDTA is attached.
   d. Annex III: List of Sub-processors
   i. Not applicable.

4. Table 4: Termination of this Addendum when the Approved Addendum Changes:
   a. The Exporter and Importer may terminate this IDTA as set forth in Section 19 of the IDTA.

Part 2: The Part 2 of the IDTA is hereby incorporated by reference.

2.5 Conflict. To the extent there is any direct conflict between the Standard Contractual Clauses and any other terms of this Addendum, the Agreement, or the Privacy Policy, the provisions of the Standard Contractual Clauses shall prevail.