Data Protection Addendum

Version 2024.1 (Last updated: June 2024)

This Data Protection Addendum (“Addendum“) forms part of the customer agreement or other agreement (“Master Agreement“) in place between the LTG entity identified in the Master Agreement (“Vendor“) and the customer entity (“Customer“).

The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalised terms not otherwise defined herein shall have the meaning given to them in the Master Agreement. Except as specifically modified below, the terms of the Master Agreement shall remain in full force and effect.

In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Master Agreement and replace any existing data processing agreement or data protection addendum between the parties. Except where the context requires otherwise, references in this Addendum to the Master Agreement are to the Master Agreement as amended by, and including, this Addendum.

1.              Definitions

1.1           In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

1.1.1                “Applicable Data Protection Laws” means, as applicable, (a) the GDPR; (b) in respect of the United Kingdom, the GDPR as it forms part of the laws by virtue of section 3 of the European Union (Withdrawal Act 2018) and the Data Protection Act 2018 (“UK GDPR”); (c) any other national laws implementing or transposing the GDPR; and (d) the CCPA;

1.1.2                “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code 1798.100et.seq., as amended and supplemented by the California Privacy Rights Act of 2020, and their implementing regulations;

1.1.3                “Contracted Processor” means Vendor or a Sub-Processor;

1.1.4                “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data;

1.1.5                “Customer Data” means all permitted electronic data stored by Customer or processed through use of the Services but does not include Prohibited Information;

1.1.6                “Customer Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of Customer pursuant to or in connection with the Master Agreement;

1.1.7                “Data Subject” means the identified or identifiable living individual to whom Personal Data relates, or which otherwise constitutes a “consumer” under Applicable Data Protection Laws;

1.1.8                “EEA” means the European Economic Area;

1.1.9                “EU Standard Contractual Clauses” or “EU SCCs” means the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries;

1.1.10              “GDPR” means EU General Data Protection Regulation 2016/679;

1.1.11              “Personal Data” means any information relating to an identified or identifiable natural person, or which otherwise constitutes “personal data” or “personal information” under Applicable Data Protection Laws;

1.1.12              “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data transmitted, stored or otherwise processed;

1.1.13              “Processing” or “Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

1.1.14              “Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller;

1.1.15              “Restricted Transfer” means: (i) in relation to Customer Personal Data which is subject to the GDPR, a transfer of Customer Personal Data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) in relation to Customer Personal Data which is subject to the UK GDPR, a transfer of Customer Personal Data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the Data Protection Act 2018; and/or (iii) in relation to Customer Personal Data which is subject to the Swiss Federal Data Protection Act (“Swiss FADP“), a transfer of Customer Personal Data from Switzerland to any other country which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner;

1.1.16              “Services” means the subscription services to be made available to Customer pursuant to the Master Agreement;

1.1.17              “Standard Contractual Clauses” means the EU Standard Contractual Clauses, or the UK Addendum, as applicable;

1.1.18              “Sub-Processor” means any entity appointed by or on behalf of Vendor to Process Customer Personal Data on behalf of Customer in connection with the Master Agreement; and

1.1.19              “UK Addendum” means the International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner’s Office under section 119A(1) of the UK Data Protection Act 2018, Version B1.0, in force 21 March 2022.

2.              Authority

2.1           To the extent that Vendor processes Customer Personal Data pursuant to the Master Agreement and this Addendum, each party acknowledges that, for the purpose of Applicable Data Protection Laws, Customer is the Controller of the Customer Personal Data and Vendor is the Processor. The scope of this DPA shall cover all Customer Personal Data processed by Vendor that falls within the scope of Applicable Data Protection Laws. To the extent Vendor Processes Customer Personal Data and such processing is not governed by Applicable Data Protection Laws, Vendor shall Process such Customer Personal Data in accordance with the obligations of a Processor as set forth in this Addendum.

3.              Processing of Customer Personal Data

3.1           Vendor shall:

3.1.1                comply with all Applicable Data Protection Laws in the Processing of Customer Personal Data to the extent applicable to Vendor’s provision of Services under the Master Agreement;

3.1.2                not Process Customer Personal Data other than pursuant to the Master Agreement, this Addendum, or on the Customer’s documented instructions unless Processing is required by applicable laws to which the Vendor is subject, in which case Vendor shall to the extent permitted by applicable laws inform the Customer of that legal requirement before the relevant Processing of that Customer Personal Data; and

3.1.3                inform Customer if, in its opinion, Customer’s instructions violate Applicable Data Protection Laws.

3.2           Customer:

3.2.1                shall comply with all Applicable Data Protection Laws in its use of the Services;

3.2.2               acknowledges and agrees that it is solely responsible for the accuracy, quality, and legality of: (i) the Customer Personal Data; (ii) the means by which Customer acquired such Customer Personal Data (including without limitation all necessary consent(s) required from Data Subjects); and (iii) the instructions it provides to Vendor regarding the Processing of such Customer Personal Data (including without limitation ensuring that it falls within the scope of the consent provided by Data Subjects);

3.2.3               shall not provide or make available to Vendor any Personal Data in violation of the Master Agreement or otherwise inappropriate for the nature of the Services;

3.2.4               to the extent that it is reasonably necessary for the provision of the Services and consistent with the Master Agreement, instructs Vendor (and authorises Vendor to instruct each Sub-Processor) to: (i) Process Customer Personal Data; and (ii) transfer Customer Personal Data to any country or territory; and

3.2.5               warrants and represents that it is and will at all relevant times: (i) comply with sections 3.2.1 to 3.2.3); and (ii) remain duly and effectively authorised to give the instruction set out in section 3.2.4.

3.3           Appendix 1 to this Addendum sets out certain information regarding the Processing of the Customer Personal Data by Vendor.

4.              Personnel

4.1           Vendor shall take reasonable steps designed to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Customer Personal Data, in each case limiting access to those individuals who need to know/access the relevant Customer Personal Data, as necessary for the purposes of the Master Agreement, and to comply with Applicable Data Protection Laws in the context of that individual’s duties to the Contracted Processor, and subjecting all such individuals to confidentiality undertakings or professional or statutory obligations of confidentiality.

5.              Security

5.1           Vendor will maintain and enforce commercially reasonable physical and logical security methods and procedures to protect Customer Personal Data. Vendor will test its systems for potential security vulnerabilities at least annually. Vendor will use commercially reasonable efforts to remedy any breach of security or unauthorised access, and reserves the right to suspend access to the in the event of a suspected or actual security breach. Customer acknowledges that the services and data transmitted are provided via the Internet, a publicly-available computer network, and that such networks are susceptible to failure, attack and hacking. Vendor shall implement appropriate technical and operational measures to ensure a level of security appropriate to the general risks involved in the Services as required by Applicable Data Protection Laws. Notwithstanding any other provision, this section sets forth Vendor’s entire obligation to protect Customer Personal Data on the Services. Customer will maintain and enforce commercially reasonable security methods and procedures to prevent misuse of the log-in information of its employees and other users. Vendor shall not be liable for any damages incurred by Customer or any third party in connection with any unauthorised access resulting from the actions of Customer or its representatives.

6.              Subprocessing

6.1           Customer authorises Vendor to appoint Sub-Processors in accordance with this section 6 and any restrictions in the Master Agreement. Each Sub-Processor is also authorised to appoint sub- processors in accordance with this section 6.

6.2           Vendor may continue to use those Sub-Processors already engaged by Vendor as at the date of this Addendum. Where Vendor intends to make changes to the use of any of its Sub-Processors, it shall inform Customer 30 days prior to the date of the appointment of the new Sub-Processor. Where Customer objects to such a change (acting reasonably on the basis of any data protection concerns), Customer shall notify Vendor prior to the appointment date of the new Sub-Processor. In such case, Vendor and Customer shall meet in good faith, and if no agreement can be found, Customer shall during a reasonable timeframe be entitled to terminate the Master Agreement and any active underlying Order Form on no less than 30 days’ written notice.

6.3           On termination of the impacted services, pursuant to section 6.2, Customer shall be liable for any contracted fees or charges for the remainder of the term of the Master Agreement and any Order Forms thereunder. Notwithstanding the foregoing, Customer shall not be liable for any fees or charges related to any impacted services terminated, pursuant to section 6.2, based on the ground that the appointment of the relevant Sub-Processor does not or would not comply with Applicable Data Protection Laws.

6.4           With respect to each Sub-Processor, Vendor shall:

6.4.1                before the Sub-Processor first Processes Customer Personal Data (or, where relevant, in accordance with section 6.2), carry out adequate checks to ensure that the Sub- Processor is capable of providing the level of protection for Customer Personal Data required by Vendor;

6.4.2                ensure that it enters into a written agreement with each Sub-Processor on terms which offer at least a similar level of protection for Customer Personal Data as those set out in this Addendum and meet the requirements of Applicable Data Protection Laws; and

6.4.3                provide to Customer for review such copies of the Vendor agreement with Sub-Processors (which may be redacted to remove confidential commercial information not relevant to the requirements of this Addendum) as Customer may request from time to time.

7.              Data Subject Rights

7.1           Vendor shall promptly notify the Customer upon becoming aware of any request from a Data Subject under any Applicable Data Protection Laws in respect to Customer Personal Data. If requested by Customer, Vendor shall assist by implementing appropriate technical and organisational measures to assist the Customer’s obligations to respond to requests to exercise Data Subject rights. Vendor may apply an additional charge or charges, distinct from any charges or fees payable by Customer under the Master Agreement or applicable Addendum for the provision of assistance in responding to any Data Subject request. Charge(s) shall be at Vendor’s discretion; however, shall be proportionate to any level of assistance and agreed in advance.

8.              Personal Data Breach

8.1           Vendor shall notify Customer without undue delay upon Vendor becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information regarding such Personal Data Breach.

8.2           Vendor shall cooperate with Customer and take such reasonable commercial steps to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

9.              Data Protection Impact Assessment and Prior Consultation

9.1           Vendor shall provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with supervising authorities or other competent data privacy authorities, which Customer reasonably considers to be required of Customer under Applicable Data Protection Laws, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, Vendor.

10.           Deletion or return of Customer Personal Data

10.1        The deletion, return or other treatment of Customer Personal Data on termination of the Master Agreement shall be managed in accordance with the terms of the Master Agreement.

10.2        Each Contracted Processor may retain Customer Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that Vendor shall ensure the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws or the Master Agreement requiring its storage and for no other purpose.

11.           Information and Audit rights

11.1        Subject to sections 11.2 to 11.3, Vendor shall make available to Customer on request all information reasonably necessary to demonstrate compliance with this Addendum, and shall, at Customer’s cost, allow for and contribute to audits, including inspections, by Customer or an auditor mandated by Customer in relation to the Processing of the Customer Personal Data.

11.2        Customer undertaking an audit shall give Vendor reasonable notice of any audit or inspection to be conducted under section 11.1, and may only exercise its right to audit no more than once every twelve (12) months.

11.3        Save for any disclosures required for compliance with Applicable Data Protection Laws, Customer undertakes to keep, and ensure its auditors keep, all results or findings from any audit confidential and shall indemnify Vendor against any and all losses incurred by Vendor as a result of any breach of this section.

12.           CCPA

12.1         To the extent that Customer Personal Data includes personal information protected under the CCPA, the parties acknowledge and agree that Customer is a “Business” and Vendor is a “Service Provider”, as both terms are defined in the CCPA. Vendor will Process such Customer Personal Data in accordance with the CCPA insofar as it relates to the provision of the Services and will not sell, share, retain, use, or disclose such Customer Personal Data (protected under the CCPA) other than for the specific purpose of providing the Services or outside of a direct business relationship between Vendor and Customer. In addition, Vendor will not combine such Customer Personal Data (protected under the CCPA) it receives from, or on behalf of, Customer with Personal Data that Vendor receives from, or on behalf of, another person or persons, or collects from its own interaction with the consumer, except where such combination is permitted under the CCPA. Vendor shall notify Customer if it becomes aware that it cannot comply with its obligations as a Service Provider under the CCPA.

13.           Data Transfer

13.1         Customer acknowledges and agrees that it may be necessary for Customer Personal Data to be transferred outside of the country or territory it originates from in order to perform services pursuant to the Master Agreement. In relation to any Customer Personal Data protected by the GDPR, the UK GDPR and/or the Swiss FADP, Learning Technologies  Group and its US affiliates included in its certification have certified their compliance and adherence to the EU-US Data Privacy Framework program (EU-U.S. DPF), the UK Extension to EU-U.S. DPF and the Swiss-US Data Privacy Framework program and applicable principles.

13.2         To the extent that a transfer of Customer Personal Data from Customer to Vendor is a Restricted Transfer, such transfer shall be subject to the appropriate Standard Contractual Clauses, which shall be deemed incorporated into and form part of this Addendum, as follows:

13.2.1              European Transfers. In relation to transfers of Customer Personal Data originating from the EEA and subject to the EU GDPR, the EU SCCs shall apply as follows:

(a)  Customer is the “data exporter” and Vendor is the “data importer”;

(b)  Module 2 (Controller to Processor) shall apply;

(c)  in clause 7, the optional docking clause shall apply;

(d)  in clause 9, option 2 applies, and the time period for prior notice of Sub-Processor changes is stated in section 6 of this Addendum;

(e)  in clause 11, the optional language does not apply;

(f)   in clause 17, option 1 applies, the EU SCCs are governed by Irish law;

(g)  in clause 18(b), disputes will be resolved before the courts of Ireland; and

(h)   Annex I, II and III of the EU SCCs shall be deemed completed with the information set out in Appendix I, II and III to this Addendum respectively;

13.2.2             United Kingdom Transfers. In relation to transfers of Customer Personal Data originating from the United Kingdom and subject to the UK GDPR, the UK Addendum shall apply as follows:

(a) in Table 1 of the UK Addendum, the parties’ key contact information is located in the Master Agreement and/or the relevant Order Form;

(b) in Table 2 of the UK Addendum, the relevant information about the version of the EU SCCs, modules, and selected clauses which this UK Addendum is appended to is located above in section 13.2.1 (European Transfers) of this Addendum;

(c) in Table 3 of the UK Addendum,

(i)        the information required for Annex 1A is located in Appendix I of this Addendum;

(ii)       the information required for Annex 1B is located in Appendix I of this Addendum;

(iii)     the information required for Annex II is located in Appendix II of this Addendum;

(iv)      the information required for Annex III is located in Appendix III of this Addendum; and

(d)  in Table 4 of the UK Addendum, neither party may end the UK Addendum.

13.2.3            Swiss Transfers. In relation to transfers of Customer Personal Data originating from Switzerland and subject to the Swiss FDPA, the EU SCCs as implemented under in section 13.2.1 (European Transfers) of this Addendum shall apply with the following modifications:

(a) all references in the EU SCCs to “Regulation (EU) 2016/679” will be interpreted as references to the Swiss FADP, and references to specific Articles of “Regulation (EU) 2016/679” will be replaced with the equivalent article or section of the Swiss FADP;

(b) all references to Member State will be interpreted to include Switzerland and Data Subjects in Switzerland are not excluded from enforcing their rights in their place of habitual residence in accordance with clause 18(c);

(c) in clause 13, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner;

(d) in clause 17, the EU SCCs are governed by the laws of Switzerland; and

(e) in clause 18(b), disputes will be resolved before the courts of Switzerland.

13.3        Vendor shall ensure adequate data transfer mechanisms are in place for any onwards data transfers to Sub-Processors to ensure compliance with the Applicable Data Protection Laws and protection of Customer Personal Data.

14.           Survival

14.1        Any provision of this Addendum that expressly or by implication is intended to come into or continue in force on or after termination or expiry of this Addendum shall remain in full force and effect.

15.           General Terms

15.1        Governing Law and Jurisdiction. The parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Master Agreement with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity, termination or the consequences of its nullity and all non-contractual or other obligations arising out of or in connection with it.

15.2        Limited Liability. Nothing in this Addendum reduces Vendor’s obligations under the Master Agreement in relation to the protection of Customer Personal Data or permits Vendor to Process (or permit the Processing of) Customer Personal Data in a manner which is prohibited by the Master Agreement. CUSTOMER AGREES AND ACCEPTS THAT IT SHALL NOT BE ENTITLED TO BRING A CLAIM UNDER BOTH THE MASTER AGREEMENT AND/OR THE RELEVANT ORDER FORM(S) AND THIS ADDENDUM FOR DAMAGE OR LOSS CAUSED BY THE SAME EVENT GIVING RISE TO THAT CLAIM. VENDOR’S ENTIRE AGGREGATE LIABILITY HEREUNDER SHALL BE AS STATED IN THE LIMITATION OF LIABILITY PROVISIONS AGREED BETWEEN CUSTOMER AND VENDOR IN THE MASTER AGREEMENT, AND VENDOR’S (OVERALL) AGGREGATE LIABILITY EXPOSURE TOWARDS THE CUSTOMER SHALL THEREFORE NOT BE EXPANDED AS A RESULT OF ENTERING INTO THIS ADDENDUM.

15.3        Order of Precedence. Subject to section 15.2, with regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Master Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail.

15.4        Severance. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

APPENDIX I

A.  LIST OF PARTIES

(1)        Data exporter(s):

Company Name, Address, and Contact Details: Customer as identified in the Master Agreement and/or the relevant Order Form.

Role: Controller

Signature & Date: By entering into the Master Agreement and/or the Order Form, data exporter is deemed to have signed this Addendum and the applicable Standard Contractual Clauses incorporated herein, including their Appendices/Annexes as of the effective date of the Master Agreement.

(2)        Data importer(s):

 

Company Name The Learning Technologies Group entity identified in the Master Agreement and/or the relevant Order Form
Address As identified in the Master Agreement and/or the relevant Order Form
Contact Person’s Name & Title Contact Details Art Machado, VP of Information Security, privacy@ltgplc.com
Activities  relevant  to  the  data transferred under these Clauses: As specified in Part (B) of Appendix I
Role (controller/processor) Processor

 

Signature & Date: By entering into the Master Agreement and/or the Order Form, data importer is deemed to have signed this Addendum and the applicable Standard Contractual Clauses incorporated herein, including their Appendices/Annexes as of the effective date of the Master Agreement.

B.  DESCRIPTION OF TRANSFER

Use the scroll bar below to locate information concerning each LTG SaaS business unit

 

Affirmity Breezy Bridge Gomo Learning Open LMS PeopleFluent Reflektive Rustici Software VectorVMS1 Watershed
Categories of Data Subjects whose Personal Data is transferred ·  Employee ·     Employees

·     Applicants

·     Employees ·     Employees ·     Employees ·     Employees

·     Applicants

·     Employees ·     Employees ·     Employees

·     Vendors

·     Employees
Categories of Personal Data transferred Customer Data as described in the Order Form. Customer Data as described in the Order Form. Customer Data as described in the Order Form. Customer Data as described in the Order Form. Customer Data as described in the Order Form. Customer Data as described in the Order Form. Customer Data as described in the Order Form. Customer Data as described in the Order Form. Customer Data as described in the Order Form. Customer Data as described in the Order Form.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures Not applicable. Not applicable Not applicable. Not applicable. Not applicable. Not applicable Not applicable Not applicable. Not applicable Not applicable.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). Continuous Continuous Continuous Continuous Continuous Continuous Continuous Continuous Continuous Continuous
Nature of the processing Processing activities may include as follows:

·    Collection

·    Storage

·    Recording

·    Organising

·    Making available

·    Combining

·    Blocking

·    Making anonymous

·    Erasure and deletion

·    Analysing

·    Providing statistics

Processing activities may include as follows:

·    Collection

·    Storage

·    Recording

·    Organising

·    Making available

·    Combining

·    Blocking

·    Making anonymous

·    Erasure and deletion

·    Analysing

·    Providing statistics

Processing activities may include as follows:

·    Collection

·    Storage

·    Recording

·    Organising

·    Making available

·    Combining

·    Blocking

·    Making anonymous

·    Erasure and deletion

·    Analysing

·    Providing statistics

Processing activities may include as follows:

·    Collection

·    Storage

·    Recording

·    Organising

·    Making available

·    Combining

·    Blocking

·    Making anonymous

·    Erasure and deletion

·    Analysing

·    Providing statistics

Processing activities may include as follows:

·    Collection

·    Storage

·    Recording

·    Organising

·    Making available

·    Combining

·    Blocking

·    Making anonymous

·    Erasure and deletion

·    Analysing

·    Providing statistics

Processing activities may include as follows:

·    Collection

·    Storage

·    Recording

·    Organising

·    Making available

·    Combining

·    Blocking

·    Making anonymous

·    Erasure and deletion

·    Analysing

·    Providing statistics

Processing activities may include as follows:

·    Collection

·    Storage

·    Recording

·    Organising

·    Making available

·    Combining

·    Blocking

·    Making anonymous

·    Erasure and deletion

·    Analysing

·    Providing statistics

Processing activities may include as follows:

·    Collection

·    Storage

·    Recording

·    Organising

·    Making available

·    Combining

·    Blocking

·    Making anonymous

·    Erasure and deletion

·    Analysing

·    Providing statistics

Processing activities may include as follows:

·    Collection

·    Storage

·    Recording

·    Organising

·    Making available

·    Combining

·    Blocking

·    Making anonymous

·    Erasure and deletion

·    Analysing

·    Providing statistics

Processing activities may include as follows:

·    Collection

·    Storage

·    Recording

·    Organising

·    Making available

·    Combining

·    Blocking

·    Making anonymous

·    Erasure and deletion

·    Analysing

·    Providing statistics

Purpose(s) of the data transfer and further processing In connection with the Services provided under the Master Agreement In connection with the Services provided under the Master Agreement In connection with the Services provided under the Master Agreement In connection with the Services provided under the Master Agreement In connection with the Services provided under the Master Agreement In connection with the Services provided under the Master Agreement In connection with the Services provided under the Master Agreement In connection with the Services provided under the Master Agreement In connection with the Services provided under the Master Agreement In connection with the Services provided under the Master Agreement
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period For the duration of the Master Agreement For the duration of the Master Agreement For the duration of the Master Agreement For the duration of the Master Agreement For the duration of the Master Agreement For the duration of the Master Agreement For the duration of the Master Agreement For the duration of the Master Agreement For the duration of the Master Agreement For the duration of the Master Agreement
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing As above. For additional details see: https://www.ltgplc.com/sub

-processor-list

As above. For additional details see: https://www.ltgplc.com/sub

-processor-list

As above. For additional details see: https://www.ltgplc.com/sub

-processor-list

As above. For additional details see: https://www.ltgplc.com/sub

-processor-list

As above. For additional details see: https://www.ltgplc.com/sub

-processor-list

As above. For additional details see: https://www.ltgplc.com/sub

-processor-list

As above. For additional details see: https://www.ltgplc.com/sub

-processor-list

As above. For additional details see: https://www.ltgplc.com/sub

-processor-list

As above. For additional details see: https://www.ltgplc.com/sub

-processor-list

As above. For additional details see: https://www.ltgplc.com/sub

-processor-list

C.  COMPETENT SUPERVISORY AUTHORITY FOR THE EU SCCs

Identify the competent supervisory authority/ies in accordance with clause 13 of the EU SCCs.

The Data Protection Commission, Ireland

Customer can specify the location(s) where Customer Data will be processed within the Vendor network (each a “Region”), including Regions in the EEA. Once Customer has             made its choice, Vendor will not transfer Customer Data from Customer’s selected Region(s) except as necessary to provide the Services initiated by Customer, or as necessary                     to comply with the law or valid and binding order of a governmental body.

APPENDIX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

EXPLANATORY NOTE:

The technical and organisational measures must be described in specific (and not generic) terms. See also the general comment on the first page of the Appendix, in particular on the need to clearly indicate which measures apply to each transfer/set of transfers.

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Vendor will only use Customer Data for the purposes of fulfilling its obligations under the Agreement. Vendor will maintain and enforce physical and logical security procedures with respect to its access and maintenance of Customer Data contained on Vendor servers.

Vendor will use reasonable measures to secure and defend its location and equipment against “hackers” and others who may seek to modify or access the Vendor servers or the information found therein without authorization. Vendor will test its systems for potential security vulnerabilities at least annually.

Vendor has a written information security program (“Information Security Program”) that includes administrative, technical, and physical safeguards that protect against any reasonably anticipated threats or hazards to the confidentiality of the Customer Data, and protect against unauthorised access, use, disclosure, alteration, or destruction of the Customer Data. In particular, the Vendor’s Information Security Program shall include, but not be limited, to the following safeguards where appropriate or necessary to ensure the protection of Confidential Information and Personal Data.

Access Controls – policies, procedures, and physical and technical controls: (i) to limit physical access to its information systems and the facility or facilities in which they are housed to properly authorised persons and (ii) to authenticate and permit access only to authorised individuals.

Security Incident Procedures – policies and procedures to detect, respond to, and otherwise address security incidents, including procedures to monitor systems and to detect actual and attempted attacks on or intrusions into Customer Data or information systems relating thereto, and procedures to identify and respond to validated security incidents, mitigate harmful effects of security incidents, and document security incidents and their outcomes.

Contingency Planning – policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages Customer Data or systems that contain Customer Data, including a data backup plan and a disaster recovery plan.

Device and Media Controls – policies and procedures that govern the receipt and removal of hardware and electronic media that contain Customer Data into and out of a Vendor data center, and the movement of these items within a Vendor data center, including policies and procedures to address the final disposition of Customer Data.

Audit controls – hardware, software, and/or procedural mechanisms that record activity in information systems that contain or use Customer Data.

Data Integrity – policies and procedures to guard against the unauthorised disclosure, improper alteration, or unauthorised destruction of Customer Data.

Transmission Security – encryption of electronic information while in transit to guard against unauthorised access to Customer Data that is being transmitted over public communications networks.

Secure Disposal – policies and procedures regarding the disposal of Customer Data, taking into account available technology that can be used to sanitise storage media such that stored data cannot be practicably read or reconstructed.

Testing – Vendor shall regularly test the key controls, systems and procedures of its Information Security Program to verify that they are properly implemented and effective in addressing the threats and risks identified. Tests will be conducted or reviewed in accordance with recognized industry standards (e.g. ISO27001 or SSAE18 and their successor audit standards, or similar industry recognized security audit standards).

Adjust the Program – Vendor shall monitor, evaluate, and adjust, as it deems necessary, the Information Security Program in light of any relevant changes in technology or industry security standards, the sensitivity of Customer Data, and internal or external threats to Vendor or the Customer Data.

Security Training – Vendor shall provide annual security awareness and data privacy training for its employees that will have access to Customer Data.

Confidentiality – Vendor shall require that all its employees who are granted access to Customer Data undergo appropriate screening, where lawfully permitted, and enter into a confidentiality agreement prior to being granted such access.

Data Processor shall on request provide a summary of its information security policies it has implemented.

APPENDIX III

LIST OF SUB-PROCESSORS

Customer has authorised the use of the Sub-Processors as provided here: https://www.ltgplc.com/sub- processor-list

If Vendor wishes to use the services of a new Sub-Processor, it shall notify the Customer. If the Customer reasonably objects to the appointment of the new Sub-Processor the parties shall discuss in good faith the reasons for such objection and whether measures can be undertaken to meet those reasons. If within a period of 30 days from Vendor being notified of an objection the parties have been unable to agree the measures, the Customer shall be entitled to terminate the processing of the applicable Customer Personal Data within 7 days of the end of such 30 day period.

APPENDIX IV

EXCLUDED ACTIVITIES

This Addendum does not cover any Processing activities carried out by Vendor in its capacity as an independent Controller, including when it Processes Personal Data for the purpose of managing the relationship with Customer and invoicing.