Service Express Data Processing Agreement

CUSTOMER DATA PROCESSING ADDENDUM

This Data Processing Addendum (the “Addendum”) forms a part of the written services agreement (“Agreement”) between Service Express, LLC, on behalf of itself and its Affiliates (“Service Express”), and the customer executing the Agreement (“Customer”). By signing or otherwise executing the Agreement, the parties enter into this Addendum to the extent applicable. Capitalized terms not defined herein have the meaning set forth in the Agreement.

HOW THIS ADDENDUM APPLIES:

This Addendum is an addendum to and forms part of the Agreement and applies to Personal Data that is provided or otherwise made available by Customer to Service Express pursuant to the Agreement. This Addendum will be effective and replace any previously applicable data processing terms as of the date the parties execute the Agreement. This Addendum does not replace any comparable or additional rights relating to processing of Personal Data contained in the Agreement.

PERSONAL DATA PROCESSING TERMS:

1. DEFINITIONS.

“CCPA” means California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq.

“Data Laws” means all applicable state, federal and foreign laws and regulations related to the privacy or security of Personal Data, including but not limited to the CCPA and GDPR.

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, together with (i) applicable national implementations of GDPR; (ii) in respect of the United Kingdom, any applicable national legislation that replaces or converts in domestic law GDPR or any other law relating to data and privacy as a consequence of the United Kingdom leaving the European Union; or (iii) in respect of Switzerland, Swiss Federal Data Protection Act on 19 June 1992 and its Ordinance; in each case, as may be amended, superseded or replaced.

“Instructions” means Customer’s documented instructions for the processing of Personal Data as set out in the Agreement and this Addendum or as otherwise agreed by the parties in writing.

“Personal Data” means information provided or otherwise made available by or on behalf of Customer to Service Express in the course of Service Express’s performance under the Agreement that: (i) identifies or can be used to identify an individual; (ii) can be used to authenticate an individual; or (iii) as otherwise defined by Data Laws, including, as the case may be, “personal data,” as defined under GDPR, and “personal information,” as defined under the CCPA.

“Standard Contractual Clauses” means, as applicable, the clauses pursuant to (i) the European Commission’s decision (EU) 2021/915 4 June 2021 on Standard Contractual Clauses for the transfer of Personal Data to Processors established in Third Countries which do not ensure an adequate level of data protection; or (ii) the European Commission’s decision (Decision 2010/87/EU) on Standard Contractual Clauses for the transfer of Personal Data to Processors established in Third Countries which do not ensure an adequate level of data protection, or any set of clauses approved by the European Commission or UK’s Information Commissioner’s Office, as applicable, which supersedes or replaces such Standard Contractual Clauses.

2. SCOPE. This Addendum governs the processing by Service Express of Personal Data provided or otherwise made available by or on behalf of Customer for the purposes set forth in the Agreement. Except as otherwise set forth in the Agreement, the type of Personal Data Service Express may process in connection with the Agreement is limited to contact information (name, title, company, address, email, phone number) and the categories of individuals whose Personal Data is processed are personnel of Customer and Client. The subject matter and duration of the processing, and nature and purpose of the processing are set forth in the Agreement.

3. CCPA-SPECIFIC PROVISIONS. The following provisions shall apply to the processing by Service Express of Personal Data subject to the CCPA that is provided or otherwise made available to Service Express by or on behalf of Customer pursuant to the Agreement. As used in this Section 3, the terms “business”, “commercial purpose”, “processing”, “sale/sell/sold”, and “service provider” shall all have the same meaning as in the CCPA.

a. Relationship of the Parties. The parties agree that, for any Personal Data received by Service Express from or on behalf of Customer in connection with or as part of the performance of the Agreement, for the purposes of CCPA, Customer is the “business” and Service Express is the “service provider.”

b. Restrictions on Use of Personal Data. Service Express certifies that it is acting as a “service provider” in its performance under the Agreement and that it understands and will comply with the restrictions in this Addendum relating to Personal Data provided or made available by or on behalf of Customer. Service Express does not sell, rent, disclose, release, transfer, make available or otherwise communicate, such Personal Data to any third party for monetary or other valuable consideration or without restrictions. Service Express will not retain, use, or disclose such Personal Data for any purpose other than the specific purpose of performing Service Express’s obligations specified in the Agreement, and for no other purpose, including a commercial purpose other than providing the services under the Agreement.

c. Third Parties. Service Express shall obtain and maintain in effect a written agreement with any third party that processes Personal Data on behalf of Service Express, which agreement shall contain sufficient terms for Service Express to comply with the applicable provisions of this Addendum, including provisions no less restrictive than those set forth in this Section 3 related to the use and restrictions on sale of Personal Data provided or made available to Service Express by or on behalf of Customer.

4. GDPR-SPECIFIC PROVISIONS. The following provisions shall apply to the processing by Service Express of Personal Data subject to the GDPR that is provided or otherwise made available to Service Express by or on behalf of Customer pursuant to the Agreement. As used in this Section 4, the terms “controller”, “data subjects”, “personal data breach”, “processing”, “processor”, and “supervisory authority” shall all have the same meaning as in the GDPR.

a. Relationship of the Parties. The parties agree that, for any Personal Data received by Service Express from or on behalf of Customer in connection with or as part of the performance of the Agreement, for the purposes of GDPR, Customer is the “controller” or “processor,” as applicable, and Service Express is the “processor” or “sub-processor,” as applicable.

b. Instructions. Service Express shall process Personal Data solely on behalf of and in accordance with the Customer’s Instructions or as necessary to comply with applicable law. If Service Express determines that the Customer’s Instructions infringe GDPR, Service Express shall notify Customer as soon as reasonably practicable, and Service Express shall not be required to comply with such infringing Instruction unless and until the matter has been resolved by agreement of the parties or a competent authority determines that Instruction to be lawful.

c. Confidentiality. Service Express shall ensure that any individuals involved in the processing of Personal Data have committed themselves to protect the confidentiality of the Personal Data.

d. Security. Taking into account industry standards, the costs of implementation, the nature, scope, context and purposes of the processing, and any risks for the rights and freedoms of data subjects, Service Express shall take appropriate measures to ensure the security of Personal Data during processing in accordance with Article 32 of the GDPR, and shall use reasonable efforts to assist Customer, at Customer’s expense, in meeting Customer’s obligations with respect to the same.

e. Sub-processors. Service Express shall only engage another processor (each, a “sub-processor”) with the prior written consent of Customer. Notwithstanding the foregoing, Customer authorizes Service Express to engage sub-processors to process Personal Data as long as Service Express has in place a written contract with such sub-processor(s), which contract shall have the same obligations set out as in this Addendum, including, where applicable, Standard Contractual Clauses. Upon written request (email sufficient) by Customer, Service Express shall provide Customer an up-to-date list of all sub-processors involved in the processing of Personal Data. Customer has the right to object to any such sub-processors by notifying Service Express within fourteen (14) days after receipt of such list from Service Express. Service Express shall remain fully liable to Customer for a sub-processor’s failure to fulfill its data protection obligations.

f. Assistance. Service Express shall use reasonable efforts to assist Customer, at Customer’s request and expense, in meeting Customer’s obligations under GDPR in relation to notifying supervisory authorities of personal data breaches and communicating such personal data breaches to the affected data subjects. To the extent applicable in relation to Service Express’s processing of Personal Data and within the scope of the services provided by Service Express to Customer, Service Express shall cooperate with and assist Customer with any data protection impact assessment which Customer is required by GDPR to carry out in relation to the processing of Personal Data to be undertaken by Service Express. Service Express will provide assistance to Customer at Customer’s request as reasonably necessary for Customer to meet its obligations to the relevant supervisory authority in connection with the processing of Personal Data hereunder, including any necessary prior consultations with such supervisory authority.

g. Information and Audits. Service Express shall make available to Customer all relevant information reasonably necessary to demonstrate compliance with the requirements of this Addendum. Service Express shall allow for and contribute relevant information to audits, including reasonable inspections, conducted by Customer or another auditor mandated by Customer relating to Service Express’s processing activities pursuant to this Addendum, provided Customer or its auditor has agreed to a confidentiality agreement acceptable to Service Express intended to protect Service Express’s proprietary information and the confidentiality of information that Service Express processes on behalf of others. Service Express may reasonably limit the scope of the audit to protect the confidentiality of information that Service Express processes on behalf of others. Service Express shall immediately inform Customer if, in Service Express’s opinion, an instruction under this subsection (i) infringes GDPR.

h. Transfers. Service Express shall not transfer Personal Data outside the country to which Customer originally delivered it to Service Express for processing (or, if it was originally delivered to a location inside Europe, outside Europe) without Customer’s documented consent. With Customer’s documented consent, Service Express may transfer such Personal Data provided that Service Express shall ensure that a mechanism to achieve adequacy in respect of that processing is in place such as: (a) the requirement for Service Express and any sub-processor to execute with Customer or Service Express, as the case may be, Standard Contractual Clauses; or (b) the existence of any other specifically approved safeguard for data transfers (as recognized under GDPR) and/or a European Commission finding of adequacy. If Customer wishes to separately execute Standard Contractual Clauses, Customer must contact Service Express.

5. DATA SECURITY CONTROLS. Service Express has implemented security measures which are designed to protect against unauthorized or unlawful processing of, accidental loss, destruction, or damage of information such as Personal Data. In particular, Service Express has in place technical and organizational safeguards intended to: (i) maintain the security and confidentiality of Personal Data; (ii) protect against anticipated threats to the security and integrity of Personal Data; and (iii) protect against unauthorized access to or use of Personal Data. Customer acknowledges and agrees that it is satisfied that Service Express’s security measures are sufficient and appropriate to ensure the security of Personal Data during Processing in accordance with applicable Data Law. Service Express may change the security controls through the adoption of new or enhanced security technologies, and Customer authorizes Service Express to make such changes provided that they do not diminish the level of protection of Personal Data in Service Express’s possession, custody, or control.

6. OBLIGATIONS OF CUSTOMER.

a. Compliance. Customer shall comply with all applicable Data Laws, including, without limitation, maintaining all relevant regulatory registrations and notifications as required under Data Law and the terms of this Addendum.

b. Instructions. Customer shall ensure that its Instructions to Service Express at all times comply with Data Laws, and Customer acknowledges that Service Express is not responsible for determining if the Instructions are compliant. Customer agrees that Service Express shall not be liable for any claim brought by Customer or any third party (including, without limitation, a Data Subject, or regulatory or supervisory authority) arising from any action or omission by Service Express to the extent that such action or omission resulted from compliance with Customer’s Instructions. In any such event, Customer shall indemnify, defend and hold harmless Service Express from and against all expenses, losses, costs and damages.

c. Consents. Customer represents and warrants that it has obtained all necessary authorizations and affirmative consents required for compliance with applicable Data Law prior to disclosing, transferring, or otherwise making available, any Personal Data to Service Express, and that such authorizations and consents clearly and completely stated, without limitation: (i) what Personal Data was being collected, (ii) why it was being collected, and (iii) that it would be made available to Service Express as a processor.

7. DATA BREACH NOTIFICATION. Service Express shall notify Customer without undue delay after becoming aware of any accidental or unauthorized destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by Service Express.

8. RESPONDING TO REQUESTS. Unless prohibited by applicable law, Service Express shall, as soon as reasonably practicable, forward to Customer all requests or notifications received from any data subject with respect to such data subject’s Personal Data. Service Express shall not respond to any data subject request unless instructed to do so in writing by Customer or otherwise required by applicable law. If Customer requests, Service Express shall reasonably assist Customer, by appropriate technical and organizational measures and at Customer’s expense, in Customer’s fulfillment of its obligation to respond to requests of data subjects to exercise their rights under applicable law, including providing access to their Personal Data.

9. DELETION OF PERSONAL INFORMATION. Upon expiration or termination of the Agreement and at Customer’s request, Service Express shall delete or return all Personal Data to Customer and will delete any existing copies of Personal Data in its possession or control, unless otherwise required by applicable law.

10. LIABILITY. Any claims arising from or in any way related to this Addendum or Service Express’s processing of Personal Data hereunder, including the Standard Contractual Clauses, shall be subject to any limitation of liability, dispute resolution requirements, and other limitations set forth in the Agreement.

11. ORDER OF PRECEDENCE. In the event of a conflict between the terms of this Addendum and the Agreement, the Addendum shall prevail with respect to the subject matter set forth herein.

12. LEGAL EFFECT. This Addendum shall only become legally binding between Service Express and Customer when the formalities set out in the Section “How this Addendum Applies” above have been fully completed.

Last updated: October 1, 2021

SUBCONTRACTOR DATA PROCESSING AGREEMENT

This Data Processing Addendum (the “Addendum”) forms a part of the Master Services Agreement or other written services agreement (“Agreement”) between Service Express, LLC, on behalf of itself and its Affiliates (“Service Express”), and the entity executing the Agreement (“Company”). By signing or otherwise executing the Agreement, the parties enter into this Addendum to the extent applicable. Capitalized terms not defined herein have the meaning set forth in the Agreement.

HOW THIS ADDENDUM APPLIES:

This Addendum is an addendum to and forms part of the Agreement and applies to Personal Data that is provided or otherwise made available by one party (“Requesting Party”) to the other party (“Service Provider”) pursuant to the Agreement. This Addendum will be effective and replace any previously applicable data processing terms as of the date the parties execute the Agreement. This Addendum does not replace any comparable or additional rights relating to processing of Personal Data contained in the Agreement (including any existing data processing addendum to the Agreement).

PERSONAL DATA PROCESSING TERMS:

1. DEFINITIONS.

“CCPA” means California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq.

“Data Laws” means all applicable state, federal and foreign laws and regulations related to the privacy or security of Personal Data, including but not limited to the CCPA and GDPR.

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, together with (i) applicable national implementations of GDPR; (ii) in respect of the United Kingdom, any applicable national legislation that replaces or converts in domestic law GDPR or any other law relating to data and privacy as a consequence of the United Kingdom leaving the European Union; or (iii) in respect of Switzerland, Swiss Federal Data Protection Act on 19 June 1992 and its Ordinance; in each case, as may be amended, superseded or replaced.

“Personal Data” means information provided or otherwise made available by or on behalf of Requesting Party to Service Provider in the course of Service Provider’s performance under the Agreement that: (i) identifies or can be used to identify an individual; (ii) can be used to authenticate an individual; or (iii) as otherwise defined by Data Laws, including, as the case may be, “personal data,” as defined under GDPR, and “personal information,” as defined under the CCPA.

“Standard Contractual Clauses” means, as applicable, the clauses pursuant to (i) the European Commission’s decision (EU) 2021/915 4 June 2021 on Standard Contractual Clauses for the transfer of Personal Data to Processors established in Third Countries which do not ensure an adequate level of data protection; or (ii) the European Commission’s decision (Decision 2010/87/EU) on Standard Contractual Clauses for the transfer of Personal Data to Processors established in Third Countries which do not ensure an adequate level of data protection, or any set of clauses approved by the European Commission or UK’s Information Commissioner’s Office, as applicable, which supersedes or replaces such Standard Contractual Clauses.

2. SCOPE. This Addendum governs the processing by Service Provider of Personal Data provided or otherwise made available by or on behalf of Requesting Party for the purposes set forth in the Agreement. The type of Personal Data Service Provider may process in connection with the Agreement is limited to contact information (name, title, company, address, email, phone number) and the categories of individuals whose Personal Data is processed are personnel of Requesting Party and Client. The subject matter and duration of the processing, and nature and purpose of the processing are set forth in the Agreement.

3. CCPA-SPECIFIC PROVISIONS. The following provisions shall apply to the processing by Service Provider of Personal Data subject to the CCPA that is provided or otherwise made available to Service Provider by or on behalf of Requesting Party pursuant to the Agreement. As used in this Section 3, the terms “business”, “commercial purpose”, “processing”, “sale/sell/sold”, and “service provider” shall all have the same meaning as in the CCPA.

a. Relationship of the Parties. The parties agree that, for any Personal Data received by Service Provider from or on behalf of Requesting Party in connection with or as part of the performance of the Agreement, for the purposes of CCPA, Requesting Party is the “business” and Service Provider is the “service provider.”

b. Restrictions on Use of Personal Data. Service Provider certifies that it is acting as a “service provider” in its performance under the Agreement and that it understands and will comply with the restrictions in this Addendum relating to Personal Data provided or made available by or on behalf of Requesting Party. Service Provider does not sell, rent, disclose, release, transfer, make available or otherwise communicate, such Personal Data to any third party for monetary or other valuable consideration or without restrictions. Service Provider will not retain, use, or disclose such Personal Data for any purpose other than the specific purpose of performing Service Provider’s obligations specified in the Agreement, and for no other purpose, including a commercial purpose other than providing the services under the Agreement.

c. Sub-processors. Service Provider shall obtain and maintain in effect a written agreement with any third party that processes Personal Data on behalf of Service Provider, which agreement shall contain sufficient terms for Service Provider to comply with the applicable provisions of this Addendum, including provisions no less restrictive than those set forth in this Section 3 related to the use and restrictions on sale of Personal Data provided or made available to Service Provider by or on behalf of Requesting Party.

4. GDPR-SPECIFIC PROVISIONS. The following provisions shall apply to the processing by Service Provider of Personal Data subject to the GDPR that is provided or otherwise made available to Service Provider by or on behalf of Requesting Party pursuant to the Agreement. As used in this Section 4, the terms “controller”, “data subjects”, “personal data breach”, “processing”, “processor”, and “supervisory authority” shall all have the same meaning as in the GDPR.

a. Relationship of the Parties. The parties agree that, for any Personal Data received by Service Provider from or on behalf of Requesting Party in connection with or as part of the performance of the Agreement, for the purposes of GDPR, Requesting Party is the “controller” or “processor,” as applicable, and Service Provider is the “processor” or “sub-processor,” as applicable.

b. Instructions. Service Provider shall process Personal Data solely on behalf of and in accordance with the Requesting Party’s documented instructions for the processing of Personal Data as set out in the Agreement and this Addendum or as otherwise agreed by the parties in writing (“Instructions”) or as necessary to comply with applicable law. If Service Provider determines that the Requesting Party’s Instructions infringe GDPR, Service Provider shall notify Requesting Party as soon as reasonably practicable, and Service Provider shall not be required to comply with such infringing Instruction unless and until the matter has been resolved by agreement of the parties or a competent authority determines that Instruction to be lawful.

c. Confidentiality. Service Provider shall ensure that any individuals involved in the processing of Personal Data have committed themselves to protect the confidentiality of the Personal Data.

d. Security. Taking into account industry standards, the costs of implementation, the nature, scope, context and purposes of the processing, and any risks for the rights and freedoms of data subjects, Service Provider shall take appropriate measures to ensure the security of Personal Data during processing in accordance with Article 32 of the GDPR, and shall use reasonable efforts to assist Requesting Party, at Requesting Party’s expense, in meeting Requesting Party’s obligations with respect to the same.

e. Sub-processors. Service Provider shall only engage another processor (each, a “sub-processor”) with the prior written consent of Requesting Party. Notwithstanding the foregoing, Requesting Party authorizes Service Provider to engage sub-processors to process Personal Data as long as Service Provider has in place a written contract with such sub-processor(s), which contract shall have the same obligations set out as in this Addendum, including, where applicable, Standard Contractual Clauses. Upon written request (email sufficient) by Requesting Party, Service Provider shall provide Requesting Party an up-to-date list of all sub-processors involved in the processing of Personal Data. Requesting Party has the right to object to any such sub-processors by notifying Service Provider within fourteen (14) days after receipt of such list from Service Provider. Service Provider shall remain fully liable to Requesting Party for a sub-processor’s failure to fulfill its data protection obligations.

f. Assistance. Service Provider shall use reasonable efforts to assist Requesting Party, at Requesting Party’s request and expense, in meeting Requesting Party’s obligations under GDPR in relation to notifying supervisory authorities of personal data breaches and communicating such personal data breaches to the affected data subjects. To the extent applicable in relation to Service Provider’s processing of Personal Data and within the scope of the services provided by Service Provider to Requesting Party, Service Provider shall cooperate with and assist Requesting Party with any data protection impact assessment which Requesting Party is required by GDPR to carry out in relation to the processing of Personal Data to be undertaken by Service Provider. Service Provider will provide assistance to Requesting Party at Requesting Party’s request as reasonably necessary for Requesting Party to meet its obligations to the relevant supervisory authority in connection with the processing of Personal Data hereunder, including any necessary prior consultations with such supervisory authority.

g. Information and Audits. Service Provider shall make available to Requesting Party all relevant information reasonably necessary to demonstrate compliance with the requirements of this Addendum. Service Provider shall allow for and contribute relevant information to audits, including reasonable inspections, conducted by Requesting Party or another auditor mandated by Requesting Party relating to Service Provider’s processing activities pursuant to this Addendum, provided Requesting Party or its auditor has agreed to a confidentiality agreement acceptable to Service Provider intended to protect Service Provider’s proprietary information and the confidentiality of information that Service Provider processes on behalf of others. Service Provider may reasonably limit the scope of the audit to protect the confidentiality of information that Service Provider processes on behalf of others. Service Provider shall immediately inform Requesting Party if, in Service Provider’s opinion, an instruction under this subsection (i) infringes GDPR.

h. Transfers. Service Provider shall not transfer Personal Data outside the country to which Requesting Party originally delivered it to Service Provider for processing (or, if it was originally delivered to a location inside Europe, outside Europe) without Requesting Party’s documented consent. With Requesting Party’s documented consent, Service Provider may transfer such Personal Data provided that Service Provider shall ensure that a mechanism to achieve adequacy in respect of that processing is in place such as: (a) the requirement for Service Provider and any sub-processor to execute with Requesting Party or Service Provider, as the case may be, Standard Contractual Clauses; or (b) the existence of any other specifically approved safeguard for data transfers (as recognized under GDPR) and/or a European Commission finding of adequacy. If Requesting Party wishes to separately execute Standard Contractual Clauses, Requesting Party must contact Service Provider.

5. DATA SECURITY CONTROLS. Service Provider has implemented security measures which are designed to protect against unauthorized or unlawful processing of, accidental loss, destruction, or damage of information such as Personal Data. In particular, Service Provider has in place technical and organizational safeguards intended to: (i) maintain the security and confidentiality of Personal Data; (ii) protect against anticipated threats to the security and integrity of Personal Data; and (iii) protect against unauthorized access to or use of Personal Data. Service Provider may change the security controls through the adoption of new or enhanced security technologies, and Requesting Party authorizes Service Provider to make such changes provided that they do not diminish the level of protection of Personal Data in Service Provider’s possession, custody, or control.

6. DATA BREACH NOTIFICATION. Service Provider shall notify Requesting Party without undue delay after becoming aware of any accidental or unauthorized destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by Service Provider.

7. RESPONDING TO REQUESTS. Unless prohibited by applicable law, Service Provider shall, as soon as reasonably practicable, forward to Requesting Party all requests or notifications received from any data subject with respect to such data subject’s Personal Data. Service Provider shall not respond to any data subject request unless instructed to do so in writing by Requesting Party or otherwise required by applicable law. If Requesting Party requests, Service Provider shall reasonably assist Requesting Party, by appropriate technical and organizational measures and at Requesting Party’s expense, in Requesting Party’s fulfillment of its obligation to respond to requests of data subjects to exercise their rights under applicable law, including providing access to their Personal Data.

8. DELETION OF PERSONAL INFORMATION. Upon expiration or termination of the Agreement and at Requesting Party’s request, Service Provider shall delete or return all Personal Data to Requesting Party and will delete any existing copies of Personal Data in its possession or control, unless otherwise required by applicable law.

9. LIABILITY. Any claims arising from or in any way related to this Addendum or Service Provider’s processing of Personal Data hereunder, including the Standard Contractual Clauses, shall be subject to any limitation of liability, dispute resolution requirements, and other limitations set forth in the Agreement.

10. ORDER OF PRECEDENCE. In the event of a conflict between the terms of this Addendum and the Agreement, the Addendum shall prevail with respect to the subject matter set forth herein.

11. LEGAL EFFECT. This Addendum shall only become legally binding between Service Provider and Requesting Party when the formalities set out in the Section “How this Addendum Applies” above have been fully completed.

Last Updated October 1, 2021