DATA PROCESSING AGREEMENT

Last Modified: April 17, 2023

Scope
1. This Data Processing Agreement ("DPA") forms part of the agreement(s) for the purchase, use and/or licensing of products or services of Apryse ("Services"), together with its exhibits, or other incorporated or referenced documents and any other agreement(s) governed by such agreement(s) ("Agreement"), between Apryse and the customer that has executed or agreed to such agreement(s) ("Customer").
2. In the course of providing the Services to Customer under the Agreement, Apryse may Process Personal Data on behalf of the Customer in which case parties agree to comply with the provisions of this DPA. The provisions of this DPA shall only apply to the extent that (and as the case may be) Apryse (as the Processor) Processes Personal Data on behalf of the Customer (as the Controller) under the Agreement.
3. In case of conflict between any provision of this DPA and any provision or another part of the Agreement, this DPA shall prevail.
4. If at any time any provision of this DPA is or becomes illegal, invalid or unenforceable in any respect under any law of any jurisdiction, in whole or in part neither the legality, validity or enforceability of the remaining provisions of this DPA nor the legality, validity or enforceability of such provisions under the laws of any other jurisdiction will in any way be affected or impaired. Parties shall make all reasonable efforts and take all necessary actions to replace any illegal, invalid or unenforceable provision of this DPA with a valid, legal and enforceable provision having the same economic and legal effect for parties and reflecting to the fullest extent permitted by law the provision to be replaced.
5. The DPA is entered into for the term of the Agreement and remains in full force until the Processing of Personal Data is no longer required in the framework or pursuant to the Agreement or longer, if required by law or Data Protection Legislation.
6. If the Customer has any questions regarding the Processing of Personal Data by Apryse, Customer may send such questions to privacy@apryse.com.
Definitions
1. For the purpose of this DPA, the following terms shall have the following meaning. In case of any doubt or differences with the terms defined in the Data Protection Legislation, the definitions stipulated in the relevant Data Protection Legislation shall prevail.
  
  “Controller” means the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data carried out under its authority, for the purposes of the Consultancy Agreement and the DPA, being the Customer.
  
  “Data Protection Legislation” means the GDPR together with any other (data protection) laws resulting from the GDPR and/or all other applicable laws of any country with regard to the protection of Personal Data or privacy.
  
  “Data Subject” means an identified or identifiable natural person to whom the Personal Data relates. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. The relevant categories of Data Subjects are identified in this DPA.
  
  “GDPR” means the Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
  
  “Apryse” means Apryse Software Inc, with a registered office at 500-838 West Hastings Street Vancouver, BC, V6C 0A6 Canada.
  
  “Personal Data” means any information relating to a Data Subject within the meaning of Article 4, 1) GDPR. The relevant categories of Personal Data that are provided to Apryse by, or on behalf of, the Customer, are identified in this DPA.
  
  “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed in connection with the Agreement and the provision of the Services.
  
  “Processing”, “Process(es)” or “Processed” means any operation or set of operation which is performed upon Personal Data or on sets of Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  
  “Processor” means a natural or legal person, public authority, agency or any other body which is authorised to process Personal Data on behalf of the Customer, being Apryse.
  
  “Security Measures” means the technical and organizational measures within the meaning of Article 32 GDPR aiming at protecting Personal Data against accidental or unlawful destruction or loss, as well as against non-authorised access, alteration or transmission.
  
  “SCCs”: means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, located at http://data.europa.eu/eli/dec_impl/2021/914/oj.
  
  “Sub-processor” means any Processor engaged as a sub-processor or subcontractor by Apryse and processes Personal Data for, on behalf of and in accordance with the instructions of Apryse.
  
  “Supervisory Authority” means an independent public authority which is established by a Member State pursuant to Article 51 GDPR.
  
  “Third Party” means any party who is not a Data Subject, Controller, Processor or Sub-processor under this DPA or a person who is authorised to process Personal Data under the direct authority of the Customer or Apryse.
2. Any other terms used in this DPA but not defined will have the same meaning as in the Data Protection Legislation or the Agreement.
Details of the Processing
1. Subject-nature: the Processing of Personal Data by Apryse (as Processor) on behalf of Customer (as Controller) relates to the performance of the Services as described in the Agreement and/or as further specified in the Services-related documentation (if any), and/or as further instructed by the Customer in its use of the Services of Apryse.
2. Means of the Processing: systems, software, products, Services, tools and/or servers of Apryse.
3. Categories of Personal Data: The Personal Data that will be processed will depend upon Customer’s use of the Services. To the extent Customer documents used with the Services contain Personal Data, it may consist of identifying information of end users (such as name, email address, physical address, IP address, or other unique identifier), financial data, identifying information of third parties with whom data is shared or to whom signature requests are sent, organization data, and any other Personal Data contained in documents, images and other content or data in electronic form stored or transmitted by end users via the Services.
4. Categories of Data Subjects: customers and/or prospective customers, end-users (authorized by the Customer to use the Services), partners, employees, agents or other service providers or contractors of the Customer.
5. Purposes of the Processing: to perform the Services as described in the Agreement, and/or to comply with other documented or written reasonable instructions provided by the Customer where such instructions are consistent with the terms of the Agreement.
6. Retention period(s): Apryse will Process Personal Data for the term of the Agreement, unless otherwise agreed upon in writing or as required by applicable law and no longer than is necessary for the purposes for which the Personal Data are Processed, unless applicable law requires longer storage of the Personal Data.
General
1. Apryse Processes the Personal Data only on behalf of the Customer and in accordance with the documented or written instructions of the Customer, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by (Union or Member State) law to which Apryse is subject; in such a case, Apryse shall inform the Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. The Agreement, including this DPA, is the Customer’s complete instruction to Apryse with regard to the Processing of Personal Data. Any additional or alternate instructions must be given in writing and agreed upon by the parties.
2. Apryse shall only Process Personal Data in accordance with the purposes specified in section 3.5 above.
3. Apryse shall immediately inform the Customer if, in its opinion, an instruction infringes the GDPR or other Data Protection Legislation.
4. Any Processing of Personal Data by Apryse under the Agreement shall be performed in accordance with the applicable Data Protection Legislation, including the GDPR. Apryse is however not responsible for compliance with any laws applicable to the Customer or the Customer’s industry that are generally applicable to Apryse. The Customer shall comply with the applicable Data Protection Legislation, including the GDPR, as well as any other laws applicable to the Customer or the Customer’s industry. The Customer is solely responsible for the lawfulness of the Personal Data. The Customer represents and warrants that, where it provides any Personal Data to Apryse for Processing, it has duly informed the relevant Data Subject of their rights and obligations, and in particular has informed them of the possibility of Apryse processing their Personal Data on the Customer’s behalf and in accordance with its instructions. The Customer represents and warrants that the Processing of the Personal Data under the DPA is lawful.
5. Apryse ensures that the Personal Data is only disclosed to the personnel or persons acting on behalf of Apryse and that are authorized to Process the Personal Data and who need it to perform the Services and/or tasks under the Agreement. Apryse ensures that persons authorized to Process the Personal Data and/or its Sub-processors have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Transfer of Personal Data
1. Apryse agrees to keep all Personal Data and its Processing strictly secret and shall not disclose or reveal it, in whole or in part, directly or indirectly, to any Third Party, unless with prior written consent by the Customer or required by law.
2. The Customer agrees to allow transfers of Personal Data outside the country from which it was originally collected provided that such transfers are required in connection with the provision of the Services under the Agreement and such transfers take place in accordance with Data Protection Legislation, including, without limitation, completing any prior assessments required by Data Protection Legislation.
3. Where Apryse transfers Personal Data collected in the European Economic Area to a country outside the European Economic Area and without an adequacy decision under Article 45 of the GDPR, Apryse shall transfer Personal Data pursuant to the SCC’s These SSCs are linked in the definition above (and certain clauses have been selected in Exhibit 1 to this DPA), and are hereby incorporated in their entirety into this DPA and, to the extent applicable, Apryse shall ensure that its Sub- processors comply with the obligations of a data importer (as defined in the SCC’s).
Security Measures
Apryse shall implement and maintain all appropriate Security Measures to ensure a level of security to the risks in accordance with Article 32 GDPR. The Customer may request Apryse to provide an updated description of the implemented Security Measures
Sub-processor
1. The Customer acknowledges and agrees that Apryse may engage Sub-processors for the provision of the Services under the Agreement and that Apryse can transfer Personal Data to these Sub- processors in this context. Apryse shall inform the Customer upon request about all Sub-processors engaged and that Process Personal Data under the Agreement.
2. Apryse shall also inform the Customer of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Customer the opportunity to object to such changes. Customer may object by notifying Apryse in writing within ten (10) business days after receipt of Apryse’s communication advising of the new Sub-processor or changes.
3. Apryse shall enter into a written agreement with any engaged Sub-processor that contains data protection obligations no less protective than those contained in this DPA.
4. Where such Sub-processor fails to fulfil its Personal Data protection obligations in accordance with this DPA and/or Data Protection Legislation, Apryse shall be liable for the performance of that Sub-processor’s obligations.
Assistance and information obligations
1. Taking into account the nature of the Processing and the information available to Apryse, Apryse shall assist the Customer (i) by appropriate technical and organization measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the Data Subject’s rights laid down in Chapter III of the GDPR and (ii) in ensuring compliance with the obligations pursuant to Article 32-36 GDPR. Apryse shall assist the Customer as it carries out Data Protection Impact Assessments in accordance with Article 35 GDPR.
2. Apryse shall make available to the Customer all information necessary to demonstrate compliance the GDPR and in particular with the obligations laid down in Article 28 GDPR.
3. Apryse shall be entitled to invoice the Customer on a time and material basis at the then-current prices for any time expended for any such assistance within the meaning of this section 8.
Audits
1. The Customer is entitled to reasonably verify Apryse’s compliance with the DPA and the Data Protection Legislation, provided that Apryse shall have no obligation to provide confidential and/or proprietary information. To this extent, the Customer may, upon request in writing and with prior notice of thirty (30) calendar days, at its own expense, instruct acknowledged audit professionals to execute such audit or inspection: (i) once every twelve (12) months provided that such additional audit inquiries take place during normal office hours and shall not unreasonably impact in an adverse manner Apryse’s regular operations and do not prove to be incompatible with the applicable legislation or with the instructions of a competent authority; (ii) where a competent data protection authority requires this under Data Protection Legislation (including the GDPR); or (iii) following a Personal Data Breach.
2. Before the commencement of any such audit inquiries, parties shall mutually agree upon the scope, timing and duration of the audit, including conditions of confidentiality. During such audit, Apryse shall provide reasonable cooperation and assistance to the auditors.
3. The Customer shall promptly notify Apryse with information regarding any non-compliance discovered during the course of such audit. Audit reports, any other information to which the Customer or the audit professionals have access pursuant to any audit activities, as well as an attestation of the implementation of the Security Measures, will be considered confidential information.
4. Apryse shall be entitled to invoice the Customer on a time and material basis at the then-current applicable prices for any time expended for any such audit inquiries. The Customer shall not be entitled to claim compensation for any kind of audit expenses incurred by the Customer (unless the audit has revealed any breach or any failure by Apryse in which case Apryse shall bear the costs related to this breach or failure).
Personal Data Breaches
1. In the event of a Personal Data Breach, and irrespective of its cause, Apryse shall notify the Customer without undue delay after having become aware of such Personal Data Breach, specifying where known or readily identifiable: (i) the nature of the Personal Data Breach; (ii) the categories and approximate number of Data Subjects and Personal Data records concerned; (iii) as the case may be, any remedial actions taken or proposed to be taken to address the Personal Data Breach, to mitigate its effects and to prevent re-occurrence and (iv) the identity and contact details of any other contact person from whom more information can be obtained.
2. The Party responsible for the Personal Data Breach shall without undue delay further investigate the Personal Data Breach and shall keep the other Party informed of the progress of the investigation and take reasonable steps to further minimize the impact. Both parties agree to fully cooperate with such investigation and to assist each other in complying with any notification requirements and procedures.
Return and/or deletion of Personal Data
1. Upon termination of the DPA and/or the Agreement, Apryse shall delete or anonymize all Personal Data on its systems (without prejudice to any backup archives) at the latest sixty (60) calendar days after the last effective day of the DPA and/or the Agreement, unless otherwise instructed by the Customer or unless applicable law requires longer storage of the Personal Data.
2. Upon written request of the Customer, Apryse will provide the Customer with a readable copy in a standard format of the Personal Data on its systems. The costs related to such request / copy are at the Customer’s expense.
Liability
1. Apryse is only liable for the damage caused by the Processing of Personal Data under the DPA and/or the Agreement where it has not complied with the applicable Data Protection Legislation, including the GDPR, specifically directed to Processors and/or where it has acted outside or contrary to lawful instructions of the Customer.
2. The provisions of the Agreement on (limitation of) liability fully apply for the Processing of Personal Data by Apryse under the DPA and/or the Agreement. In any event, Apryse’s aggregate maximum liability under this DPA will be limited to the sum equal to the highest of the following amounts: (i) the fees paid under the Agreement by the Customer to Apryse or (ii) the amount of the insurance coverage offered by any of Apryse’s relevant insurance policies. The right to claim damages attributable to Apryse will be forfeited irrevocably six (6) months after the occurrence of the alleged error. The Customer must serve a notice of default within the aforementioned term, providing a detailed description thereof.

Exhibit 1

Standard Contractual Clauses - Clause Selections

To the extent legally required, by agreeing to this DPA, Customer and Apryse are deemed to have signed the SCCs as an additional safeguard, which form part of this DPA and will be deemed completed as follows:
1. Module 2 of the EU SCCs applies to transfers of Personal Data from Customer (as a Controller) to Apryse (as a Processor) and Module 3 applies to transfers of Personal Data from Customer (as a Processor) to Apryse (as a Subprocessor);
2. Clause 7 (the optional docking clause) is included;
3. Under Clause 9 (Use of Subprocessors), the Parties select Option 2 (General written authorization);
4. Under Clause 11 (Redress), the optional language requiring that Data Subjects be permitted to lodge a complaint with an independent dispute resolution body shall not be deemed to be included;
5. Under Clause 17 (Governing law), the Parties choose Option 1 (the law of an EU Member State that allows for third-Party beneficiary rights). The Parties select the laws of Ireland;
6. Under Clause 18 (Choice of forum and jurisdiction), the Parties select the courts of Ireland;
7. Annex I(A) and I(B) is completed as follows:
  1. LIST OF PARTIES
    
    Data exporter(s):
    
    The exporter (Controller) is Customer and Customer’s contact details and signature are as provided in the Agreement and the DPA.
    
    Data importer(s):
    
    The importer (Processor) is Apryse and Apryse’s contact details and signature are as provided in the Agreement and the DPA.
  2. DESCRIPTION OF TRANSFER
    
    Categories of data subjects whose personal data is transferred:
    
    Any data subjects whose Personal Data is contained in Customer data being used in the Services, as set out in the Agreement which describes the provision of Services to Customer, which may include Customer’s authorized users, representatives, and end users, including, without limitation, Customer’s employees, contractors, partners, suppliers, customers, and clients.
    
    Categories of personal data transferred:
    
    Any Personal Data that is provided by Customer to Apryse in connection with the Agreement, as described further in the DPA, including, without limitation, contact information such as name, address, telephone or mobile number, email address, and passwords.
    
    Sensitive data transferred (if applicable): N/A.
    
    The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
    
    On a continuous basis as needed to provide the Services to Customer for the term of the Agreement.
    
    Nature of the processing:
    
    The nature of the Processing is set out in the Agreement between the parties.
    
    Purpose(s) of the data transfer and further processing:
    
    The purposes of the data transfer are for Apryse to provide the Services pursuant to the Agreement.
    
    The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
    
    The data will be retained for the time period needed to accomplish the purposes of Processing, unless otherwise required by applicable law.
8. Under Annex I(C) (Competent supervisory authority), the Parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission;
9. Annex II (Technical and organizational measures) is completed as provided the DPA; and
10. Annex III (List of Subprocessors) is not applicable as the Parties have chosen General Authorization under Clause 9, however Apryse’s Sub-processor list can be viewed as described in Section 7 above.
With respect to Personal Data transferred from the United Kingdom, for which the United Kingdom Data Protection Act of 2018 (“UK GDPR”) governs the international nature of the transfer, the International Data Transfer DPA to the SCCs (available as of the Effective Date at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (“UK SCCs”) forms part of this DPA and takes precedence over the rest of this DPA as set forth in the UK SCCs. Undefined capitalized terms used in this provision shall mean the definitions in the UK SCCs. The UK SCCs shall be deemed complete as follows: (a) the Parties’ details shall be the Parties and their Affiliates to the extent any of them are involved in such transfer; (b) the Key Contacts shall be the contacts set forth in the Agreement; (c) the Approved SCCs referenced in Table 2 shall be the SCCs as executed by the Parties; (d) either Party may end this DPA as set out in Section 19 of the UK SCCs; and (e) by entering into this DPA, the Parties are deemed to be signing the UK SCCs.