Data Processing Addendum (Customer)
Last Updated: December 20, 2023
Overview
This Data Processing Addendum, including its appendices ("DPA") shall govern any services provided to the customer listed in the Order Form ("Customer"), by OPSWAT Inc. and its Affiliates ("OPSWAT") as a Processor or Sub-processor to the extent personal data is processed.
Customer and OPSWAT shall each be referred to herein as a "Party" and together as "Parties".
This DPA supplements and is incorporated into any agreement between the Parties, including but not limited to OPSWAT’s Standard Terms and Conditions, OPSWAT’s Professional Services Terms and Conditions, OPSWAT’s Cybersecurity Assessment Terms of Service, or other sales, license, or similar agreement if applicable (the "Agreement"), and will remain in effect for the Term.
Without limiting the generality of the foregoing, the subject matter, nature, and purpose of the processing under this DPA is for the provision of the Services under the Agreement, and the categories of personal data and categories of data subjects are those necessary to provide the Services under the Agreement.
This DPA will be effective and replace any previously applicable data processing and security terms as of the DPA Effective Date.
1. Definitions
For purposes of this DPA, the terms below shall have the meanings set forth below. Capitalized terms that are used but not otherwise defined in this DPA shall have the meanings set forth in the Agreement.
“Affiliates” means, with respect to each party, entities that Control, are controlled by, or are under common Control with such party.
“Aggregated Data” means statistics, benchmarks, measures, and other information or data that is anonymized by removing personal or other information so the data cannot be attributed to a specific individual or Customer (using commercially reasonable efforts or as required by Applicable Laws).
“Applicable Laws” means applicable national, federal, state, and local laws, rules, guidelines, court or government agency orders, and regulations.
“Audit Reports” means ISO 27001, SSAE 16 SOC II or similar audit report performed by a qualified third party auditor.
“Control” means the beneficial ownership of more than fifty percent (50%) of the voting power or equity in an entity.
“Customer Personal Data” means information relating to an identified or identifiable natural person protected under Data Protection Legislation that Customer provides or makes available to OPSWAT, or that OPSWAT otherwise Processes on Customer’s behalf, in each case, in connection with the provision of or as a part of the Services pursuant to the Agreement at any time until the termination of the Agreement.
“Data Controller Affiliates” means Customer’s Affiliates that have not signed their own Order Form or the Agreement with OPSWAT, which are entities: (a) subject to Data Protection Legislation; and (b) permitted to use the Services pursuant to the Agreement.
“Data Protection Legislation” means Applicable Laws, including but not limited to the laws of the EEA and/or member states (such as GDPR), United Kingdom, and Switzerland, applicable to the Processing of Customer Personal Data under the Agreement (in all cases, as amended, superseded, or replaced).
“Data Subject” means the individual to whom Customer Personal Data relates.
“EEA” means the European Economic Area.
“GDPR” means General Data Protection Regulation EU 2016/679.
“Information Security Incident” means a breach of security leading to accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access to Customer Personal Data in OPSWAT’s possession, custody, or control. “Information Security Incidents” does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
“Order Form” means an enrollment or ordering document.
“Processing” means any operation or set of operations which is performed on Customer Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Customer Personal Data. The terms “Process”, “Processes” and “Processed” will be construed accordingly.
“SCC” means the European Commission Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as may be amended, restated or superseded from time to time.
“Security Measures” means the technical and organizational measures used by OPSWAT to protect Customer Personal Data, as further described in Section 5.1 (OPSWAT’s Security Measures).
“Services” is defined in the Agreement, and additionally means services and/or products to be provided by OPSWAT to Customer under the Agreement as detailed in an Order Form.
“Sub-processors” means third parties, other than OPSWAT, engaged and authorized by OPSWAT, under this DPA to Process Customer Personal Data in relation to the Services.
“Term” shall have the meaning set forth in Section 2.
2. Duration of DPA
This DPA will take effect when the Agreement becomes effective and will automatically expire upon termination of the Agreement.
3. Processing of Data
3.1 Processing Scope; Customer Instructions; OPSWAT Compliance with Customer Instructions. By entering into this DPA, Customer instructs OPSWAT to Process Customer Personal Data only in accordance with Data Protection Legislation. OPSWAT will only Process Customer Personal Data in accordance with Customer's instructions: (a) to provide the Services; (b) as authorized by the Agreement, including this DPA; and (c) as documented in other written instructions provided by Customer and acknowledged in writing by OPSWAT as constituting instructions for purposes of this DPA, unless required to do so otherwise by Applicable Laws. The subject matter and details of Processing are described in Appendix 1 (Details of Processing).
3.2 Customer’s Responsibilities. Customer represents and warrants that (a) Customer has obtained any necessary authorizations, consents, and permissions under Data Protection Legislation for OPSWAT’s Processing of Customer Personal Data (including the transfer or provision of access to Customer Personal Data to OPSWAT) in accordance with the terms of this DPA; and (b) Customer’s instructions, decisions, and actions regarding the Processing of Customer Personal Data shall comply with Applicable Laws, including Data Protection Legislation. Customer will inform OPSWAT without undue delay if Customer is unable to comply with this Section 3.2 (Customer’s Responsibilities).
3.3 Analytics. OPSWAT may collect, develop, create, extract, compile, synthesize, analyze, use, commercialize, or share Aggregated Data with third parties for a variety of purposes, including to: (i) maintain, improve, market, and promote our Services; (ii) identify, understand, and anticipate performance and security issues and the factors that affect them; (iii) provide updates, enhancements, and personalized experiences to our customers; and (iv) research and develop new products and services. For the avoidance of doubt, Aggregated Data shall exclude Customer Personal Data or any information identifying Customer.
4. Deletion or Return of Data.
On the effective termination date of this DPA, or upon Customer’s written request, OPSWAT shall delete, give Customer access, correct, or return Customer Personal Data (including existing copies) from OPSWAT’s systems in accordance with Applicable Laws as soon as reasonably practicable, unless Applicable Laws require or allow OPSWAT to retain Customer Personal Data (e.g., Applicable Laws may allow OPSWAT to retain copies of Customer Personal Data stored electronically on data archives or back-up systems).
5. Data Security.
5.1 OPSWAT’s Security Measures. OPSWAT shall implement and maintain reasonably appropriate Security Measures to protect Customer Personal Data, as described under Appendix 2 (Security Measures). OPSWAT may update or modify the Security Measures from time to time provided that such updates and modifications do not materially decrease the overall security of the Services.
5.2 Security Compliance by OPSWAT Staff. OPSWAT will grant access to Customer Personal Data only to employees, independent contractors, OPSWAT Affiliates, and Sub-processors who need such access for the scope of their performance, and have confidentiality obligations that are not less restrictive than OPSWAT’s confidentiality obligations in the Agreement.
5.3 Information Security Incidents
5.3.1 Information Security Incident Notification. If OPSWAT becomes aware of an Information Security Incident, OPSWAT will: (a) notify Customer of the Information Security Incident without undue delay, according to Section 13 (Notices), after becoming aware of the Information Security Incident; and (b) take reasonable steps to identify the cause of such Information Security Incident, minimize harm, and prevent a recurrence. Except to the extent required by Applicable Laws, OPSWAT shall not make any notification to third parties of an Information Security Incident explicitly naming Customer without Customer’s prior written consent, other than to approved Sub-processors, law enforcement, insurance adjusters, and OPSWAT’s Information Security Incident response service providers.
5.3.2 Notification. Customer is solely responsible for complying with incident notification laws applicable to Customer and fulfilling third party notification obligations related to any Information Security Incidents (e.g., Articles 33 and 34 of the GDPR). In this case, OPSWAT will provide reasonable assistance to Customer.
5.3.3 No Acknowledgement of Fault by OPSWAT. OPSWAT’s notification of, or response to, an Information Security Incident under this Section 5.3 (Information Security Incidents) will not be construed as an acknowledgement by OPSWAT of any fault or liability with respect to the Information Security Incident.
5.4 Customer’s Security Responsibilities and Assessment.
5.4.1 Customer’s Security Responsibilities. Customer agrees that, without prejudice to OPSWAT’s obligations under Section 5.1 (OPSWAT’s Security Measures) and Section 5.3 (Information Security Incidents):
(a) Customer is solely responsible for its use of the Services, including:
(i) making appropriate use of the Services to ensure a level of security appropriate to the risk with respect to Customer Personal Data;
(ii) securing the account authentication credentials, systems and devices Customer uses to access the Services;
(iii) securing Customer’s systems and devices OPSWAT uses to provide the Services; and
(iv) backing up its Customer Personal Data.
(b) OPSWAT has no obligation to protect Customer Personal Data that Customer elects to store or transfer outside of OPSWAT’s and its Sub-processors’ systems (for example, offline or on-premises storage).
5.4.2 Customer’s Security Assessment.
(a) Customer is solely responsible for reviewing and evaluating for itself whether the Services, the Security Measures, and OPSWAT’s commitments under this Section 5 (Data Security) meet Customer’s needs, including with respect to any security obligations of Customer under Data Protection Legislation.
(b) Customer acknowledges and agrees that (taking into account industry standards, the costs of implementation and the nature, scope, context and purposes of the Processing of Customer Personal Data as well as the risks to data subjects) the Security Measures implemented and maintained by OPSWAT as set out in Appendix 2 (OPSWAT’s Security Measures) provide a level of security appropriate to the risk with respect to Customer Personal Data.
5.5 Reviews of Compliance. Audit Reports are available to Customer upon Customer’s written request and subject to the confidentiality obligations set forth in the Agreement.
6. Data Subject Rights
6.1 Customer’s Responsibility for Data Subject Requests. If OPSWAT receives any request from a data subject in relation to Customer Personal Data, to the extent permitted by Applicable Laws, OPSWAT will promptly notify Customer of any such request. Customer will be responsible for responding to any such request.
6.2 OPSWAT’s Data Subject Request Assistance. OPSWAT will (taking into account the nature of the Processing of Customer Personal Data) provide Customer with reasonable assistance as necessary for Customer to fulfil its obligation under Data Protection Legislation to respond to data subject requests. Customer shall reimburse OPSWAT for any fees or costs incurred in connection with such assistance at OPSWAT’s then-current professional services rates.
7. Data Transfers
OPSWAT may store and Process Customer Personal Data anywhere OPSWAT, its Affiliates, or its Sub-processors maintain operations, as provided in Section 8 below. For international transfers of Customer Personal Data subject to Data Protection Legislation in the EEA, Switzerland, and the United Kingdom, the terms of Appendix 3, Sections 1.10 and/or 1.11 shall apply.
8. Sub-processors
Customer authorizes OPSWAT to engage its Affiliates and other third parties as Sub-processors. The list of OPSWAT’s Sub-processors is available at https://www.opswat.com/legal/subprocessors and Customer may subscribe to updates to this list via RSS feed. If Customer enters into the SCC or other similar agreements, Customer’s signing of those agreements constitutes Customer’s prior written authorization to the subcontracting by OPSWAT of the Processing of Customer Personal Data if such authorization is required under the SCC or other similar agreements. OPSWAT shall be liable for all obligations subcontracted to, and all acts and omissions of, its Sub-processors.
9. Data Controller Affiliates
9.1 Relationship and Communication. By signing this DPA, Customer acknowledges and agrees that it is entering into this DPA on behalf of itself and, to the extent required under applicable Data Protection Legislation, in the name and on behalf of its Data Controller Affiliates, to the extent OPSWAT Processes Customer Personal Data for which such Data Controller Affiliates qualify as the Controller, thereby establishing a DPA between OPSWAT and each Data Controller Affiliate, subject to the provisions of the Agreement and this DPA. Customer agrees to ensure each Data Controller Affiliate agrees to be bound by the obligations of this DPA. However, a Data Controller Affiliate is not and does not become a party to the Agreement, and is only a party to this DPA. All access and use of the Services by Data Controller Affiliate must comply with the Agreement and any violation of the Agreement by a Data Controller Affiliate shall be deemed a violation by Customer. The Customer that is the contracting party in the Agreement shall remain responsible for coordinating all communications with OPSWAT under this DPA and shall be entitled to make and receive any communication in relation to this DPA on behalf of its Data Controller Affiliate.
9.2 Rights of Data Controller Affiliates. In the event a Data Controller Affiliate becomes a party to the DPA with OPSWAT, it shall do so only to the extent required under Data Protection Legislation. Except as expressly required by Data Protection Legislation for a Data Controller Affiliate to exercise a right or seek a remedy under this DPA from OPSWAT by itself directly, the Parties agree that: (a) the Customer that is the contracting party in the Agreement shall have the sole right to exercise any such right or seek any such remedy on behalf of the Data Controller Affiliate; and (b) the Customer that is the contracting party to the Agreement shall, to the extent not prohibited by Data Protection Legislation, exercise any such rights under this DPA in a combined manner for all of its Data Controller Affiliates together.
10. Audit Rights
Upon Customer's written request, OPSWAT shall supply a copy of its most recent Audit Report to Customer, which shall be subject to the confidentiality provisions of the Agreement as OPSWAT’s confidential information. OPSWAT shall also respond to any written audit questions submitted to it by the Customer, provided that the Customer shall not exercise this right more than once per year.
11. Jurisdiction-Specific Provisions
If OPSWAT Processes Personal Data from a jurisdiction listed in Appendix 3, the corresponding provisions will apply with respect to such Processing.
12. Liability Cap
Except to the extent prohibited by Applicable Laws, the total combined liability of either party and its Affiliates (including Data Controller Affiliates) towards the other party and its Affiliates, whether in contract, tort or any other theory of liability, under or in connection with the Agreement, this DPA, and the SCC, if entered into, will be limited to limitations on liability or other liability caps agreed by the Parties in the Agreement. OPSWAT and OPSWAT Affiliates’ total liability for all claims from Customer and all of its Data Controller Affiliates arising out of the Agreement or any DPA shall apply in aggregate for all claims under both the Agreement and all DPAs and shall not be understood to apply individually and severally to Customer or to any Data Controller Affiliate that is a contractual party to any such DPA.
13. Notices
Notices required or permitted to be given by a Party may be given (a) in accordance with the notice provisions of the Agreement; (b) to a Party’s primary points of contact with the other Party; and/or (c) to any email provided by Customer for the purpose of providing it with Service-related communications or alerts. Customer is solely responsible for ensuring that its emails are current and valid. A copy of all notices shall be emailed to: Legal@opswat.com.
14. Effect of These Terms
Except for the changes made by this DPA, the Agreement, and/or any other agreements related to the Services remain unchanged and in full force and effect. In the event of a conflict between the Agreement and this DPA, the provisions of this DPA shall control and govern with respect to the subject matter. In the event of a conflict between this DPA and the SCC, the provisions of the SCC shall control and govern with respect to the subject matter of the SCC.
15. Governing Law
This DPA shall be governed by the law of the same jurisdiction as the Agreement, except where and to the extent the Data Protection Legislation requires this DPA be governed by the law of another jurisdiction.
Appendix 1: Details of Processing
Subject Matter | OPSWAT’s provision of Services to Customer detailed in the Agreement.
Duration of the Processing | The Term plus the period from the effective termination date of the DPA until deletion of all Customer Personal Data by OPSWAT in accordance with the DPA.
Types of Personal Data | Identification and contact information (e.g. name, title, business address, business phone number, business email) of Customer employees, independent contractors, or authorized users of the Services; Customer purchase and usage history data on the Services; information technology (“IT”) related data (e.g. IP addresses of visitors to OPSWAT’s website, online navigation data, browser type, language preferences, pixel data, cookies data, web beacon data, log files); and contents and metadata of any file, email, or other data submitted for scanning or made available to OPSWAT during the provision of Services.
Nature and Purpose of the Processing | OPSWAT will Process Customer Personal Data for the purposes of providing the Services to Customer in accordance with the Agreement and the DPA.
Special Categories of Personal Data | No special categories of personal data will be exchanged between the Parties.
Data Subjects | Customer and its Affiliates’ employees or independent contractors, authorized to use the Services.
Please refer to our Privacy Policy at https://www.opswat.com/legal/privacy-policy for further detail regarding how OPSWAT Processes Customer Personal Data.
Appendix 2: Security Measures
OPSWAT has implemented the following Security Measures with respect to its Processing of Customer Personal Data:
1. Physical Access Control.
OPSWAT employs measures designed to prevent unauthorized persons from gaining access to data processing systems in which Customer Personal Data is processed, such as the use of security personnel, secured buildings and data center premises.
2. System Access Control.
The following may, among other controls, be applied depending upon the particular Services ordered: authentication via passwords and/or two-factor authentication, documented authorization processes, documented change management processes, and logging of access on several levels. For Services environments hosted by OPSWAT: (i) log-ins to Services environments by OPSWAT employees and Sub-processors are logged; (ii) logical access to the data centers is restricted and protected by firewall/VLAN and routing rules; and (iii) intrusion detection systems, centralized logging and alerting, and firewalls are used. OPSWAT manages each system that is part of the Services software development with security policies for each system. The policies are approved by the OPSWAT risk owner and managed by asset owners. For example, no independent contractor has access to a build system.
3. Transmission Control.
Except as otherwise specified for the Services (including within the Order Form, statement of work, or the applicable service specifications referenced in the Agreement), transmissions of data outside the Service environment are encrypted. OPSWAT maintains an appropriate network security program that includes encryption of Customer Personal Data. Some Services may be configurable by Customer to permit access to third party sites that require unencrypted communications. The content of communications (including sender and recipient addresses) sent through some email or messaging services may not be encrypted. Customer is solely responsible for the results of its decision to use such unencrypted communications or transmissions.
4. Input Control.
The source of Customer Personal Data is under the control of the Customer, and integration of Customer Personal Data into the OPSWAT system is managed by secured file transfer from OPSWAT (i.e. via web services or entry into the application). Some Services permit Customer to use unencrypted file transfer protocols. In such cases, Customer is solely responsible for its decision to use such unencrypted file transfer protocols.
5. Data Backup.
For Services hosted by OPSWAT: back-ups are taken on a regular basis; backups are secured using a combination of technical and physical controls, depending on the Services detailed in the Order Form.
6. Business Continuity; Disaster Recovery.
OPSWAT has implemented a business continuity and disaster recovery plan.
7. Supply Chain Security.
Sub-processors or third party components for Services are reviewed by an OPSWAT officer and OPSWAT Legal before they are used as part of the Services.
8. Vulnerability Scans.
Vulnerability scans are performed weekly to continuously identify risks and threats to this environment, which are then remediated.
9. OPSWAT Sub-processors.
OPSWAT Sub-processors used for OPSWAT Products are assessed for security risks and are required to sign Data Processing Addendums (DPAs) and/or Standard Contractual Clauses with OPSWAT to ensure that minimum security requirements and service levels under the GDPR are adhered to.
10. Software Development.
Services software development follows strict Systems Development Life Cycle (“SDLC”) procedures, including OPSWAT Product Manager (“PM”) setting and executing requirements, design, implementation, unit testing, code review, automated testing, manual Quality Assurance (“QA”) testing, and acceptance testing.
11. Secure SDLC.
OPSWAT adopted OWASP SAMM (Software Assurance Maturity Model) and OWASP ASVS (Application Security Verification Standard) for secure SDLC.
12. IT Security.
OPSWAT uses Multi-Factor Authentication (“MFA”) for secure authentication and follows the NIST 800-63B standards: https://pages.nist.gov/800-63-3/sp800-63b.html#memsecretver.
Appendix 3: Jurisdiction-Specific Provisions
1. European Economic Area, Switzerland, and the United Kingdom
1.1 Scope. The following provisions shall apply only with respect to OPSWAT’s Processing of Customer Personal Data subject to Data Protection Legislation in the EEA, Switzerland, and the United Kingdom.
1.2 Definitions.
(a) The terms “Controller”, “Processor”, and “Supervisory Authority” shall have the meanings given in GDPR.
(b) “UK Addendum” means the International Data Transfer Addendum to the SCC, Version B1.0, as issued by the United Kingdom’s Information Commissioner’s Office.
1.3 Processor and Controller Responsibilities. The Parties acknowledge and agree that:
(a) OPSWAT is a Processor or Sub-processor, as applicable, of Customer Personal Data under the Data Protection Legislation;
(b) Customer is a Controller or Processor, as applicable, of Customer Personal Data under Data Protection Legislation;
(c) Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Customer Personal Data; and
(d) each Party will comply with the obligations applicable to it under Data Protection Legislation with respect to the Processing of Customer Personal Data.
1.4 Authorization by Third Party Controller. If Customer is a Processor, Customer represents and warrants to OPSWAT that Customer’s instructions and actions with respect to Customer Personal Data, including its appointment of OPSWAT as a Processor, have been authorized by the relevant Controller. Customer acknowledges that OPSWAT is not responsible for collecting consent or authorization for Processing of Customer Personal Data.
1.5 Processing by OPSWAT to Comply with Applicable Law. If OPSWAT must Process Customer Personal Data contrary to Customer’s instructions or as authorized by the Agreement (including this DPA) to comply with Applicable Laws, OPSWAT shall inform Customer of the Applicable Laws before Processing, unless Applicable Laws prohibit such notice on important grounds of public interest.
1.6 Security Measures. OPSWAT shall (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects) implement appropriate Security Measures to ensure a level of security appropriate to the risk, including the Security Measures detailed in Appendix 2, and as appropriate:
(a) the pseudonymisation and encryption of Customer Personal Data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and Services, including the following specific measures and practices;
(c) the ability to restore the availability of and access to Customer Personal Data in a timely manner in the event of a physical or technical incident; and
(d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing of Customer Personal Data.
1.7 Reasonable Assistance. OPSWAT will provide reasonable assistance to Customer, as required by Applicable Laws applicable to OPSWAT’s role as a Processor, for Customer to comply with Customer’s obligations to perform a data protection impact assessment under Article 35 GDPR. In situations where Customer’s Processing of Customer Personal Data results in a high risk to the rights and freedoms of data subjects, OPSWAT will provide reasonable assistance to Customer as it seeks prior consultation from a Supervisory Authority according to Article 36 GDPR.
1.8 Details of Information Security Incident. Notifications made pursuant to Section 5.3 of the DPA (Information Security Incidents) will:
(a) describe the nature of the Information Security Incident including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
(b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
(c) describe the likely consequences of the Information Security Incident; and
(d) describe the measures taken or proposed to be taken by OPSWAT to address the Information Security Incident, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
1.9 Audits of Compliance.
1.9.1 Customer may, upon reasonable prior written request with no less than forty-five (45) days’ prior written notice, audit OPSWAT’s compliance with its obligations under this DPA once every twelve (12) months during the term of the Agreement, to meet the requirements of Data Protection Legislation. Customer must perform all audits during regular OPSWAT business hours and may not unreasonably interfere with OPSWAT business activities. To the extent required by Data Protection Legislation, including where mandated by Customer’s Supervisory Authority, Customer or Customer’s Supervisory Authority may perform frequent audits.
1.9.2 If a third party is to conduct the audit, OPSWAT may object to the auditor if the auditor is, in OPSWAT’s reasonable opinion, not suitably qualified or independent, or an OPSWAT competitor. Such objection by OPSWAT will require Customer to appoint another auditor or conduct the audit itself.
1.9.3 To request an audit, Customer must submit a detailed proposed audit plan to OPSWAT at least two (2) weeks in advance of the proposed audit date. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. OPSWAT will review the proposed audit plan and provide Customer with concerns or questions (for example, any request for information that could compromise OPSWAT security, privacy, employment, or other relevant policies). OPSWAT will work cooperatively with Customer to agree on a final audit plan. Nothing in this Section 1.9 (Audits of Compliance) shall require OPSWAT to breach duties of confidentiality.
1.9.4 If the requested audit scope is addressed in Audit Reports within twelve (12) months of Customer’s audit request and OPSWAT confirms there are no known material changes in the controls audited, Customer agrees to accept the Audit Reports in lieu of requesting an audit of the controls covered by the Audit Reports.
1.9.5 Audits are at Customer’s expense. Customer shall reimburse OPSWAT for any time expended by OPSWAT or its Sub-processors in connection with any audits under this Section 1.9 (Audits of Compliance) at OPSWAT’s then-current professional services rates. Customer will pay all fees charged by any auditor appointed by Customer to execute any such audit.
1.9.6 The parties agree that this Section 1.9 (Audits of Compliance) shall satisfy OPSWAT’s obligations under the audit requirements of the SCC applied to data importer under Clause 5(f) and to any Sub-processors under Clause 11 and Clause 12(2).
1.10 Transfers of Data Out of the EEA or Switzerland. If the storage and/or Processing of Customer Personal Data involves transfers of Customer Personal Data out of the EEA or Switzerland, and Data Protection Legislation applies to the transfers of such Customer Personal Data, the following shall apply unless the transfer is made to an EEA country for which an adequacy decision of the European Commission exists:
1.10.1 Appendix 4 shall apply and OPSWAT will make such transfers in accordance with the controller-to-processor SCC referenced therein if OPSWAT is a Processor and Customer a Controller of Customer Personal Data under Data Protection Legislation.
1.10.2 Appendix 5 shall apply and OPSWAT will make such transfers in accordance with the processor-to-processor SCC referenced therein if OPSWAT is a Sub-processor and Customer a Processor of Customer Personal Data under Data Protection Legislation.
1.11 Transfers of Data Out of the United Kingdom. If the storage and/or Processing of Customer Personal Data involves transfers of Customer Personal Data out of the United Kingdom, and Data Protection Legislation applies to the transfers of such Customer Personal Data, Appendix 6 shall apply and OPSWAT will make such transfers in accordance with the SCC referenced therein unless the transfer is made to an EEA country or a country for which an adequacy decision of the European Commission exists that is recognized by the UK government.
1.12 Sub-processor Agreements. OPSWAT may redact all confidential business or legal terms in its agreements with Sub-processors prior to responding to Customer’s request for a copy of a Sub-processor agreement pursuant to Clause 9(c) of the SCC.
1.13 Opportunity to Object to Sub-processor Changes. When a new Sub-processor is engaged during the Term, OPSWAT will, at least fifteen (15) days before the new Sub-processor Processes any Customer Personal Data, notify Customer of the engagement in writing by updating its Sub-processor list located at https://www.opswat.com/legal/subprocessors. Customer may object to a new Sub-processor by providing written notice to OPSWAT within five (5) business days of the date on OPSWAT’s notice. In the event Customer objects to a new Sub-processor, Customer and OPSWAT will work together in good faith to find a mutually acceptable resolution to address such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Customer may, as its sole and exclusive remedy, terminate the applicable Order Form for Services using the Sub-processor in question by providing written notice to OPSWAT.
1.14 Processing Records. Customer acknowledges that OPSWAT is required under the GDPR to: (a) collect and maintain records of certain information according to Article 30 (2) GDPR, including the name and contact details of each Processor and/or Controller on behalf of which OPSWAT is acting and, where applicable, of such Processor’s or Controller's local representative and data protection officer; and (b) make such information available to the Supervisory Authorities according to Article 30 (4) GDPR. If the GDPR applies to the Processing of Customer Personal Data, Customer will, where requested, provide such information to OPSWAT, and will ensure that all information provided is kept accurate and current.
2. California
2.1 Scope. The following provisions shall apply only with respect to OPSWAT’s Processing of Customer Personal Data subject to the California Consumer Privacy Act of 2018, Cal. Civil Code §1798.100 et seq., as amended by the California Privacy Rights Act, and related regulations, as may be further amended from time to time (collectively, the “CCPA”).
2.2 Definitions. The terms “sell,” “share,” and “service provider” shall have the same meanings as defined under the CCPA.
2.3 Service Provider. OPSWAT is a service provider to Customer. OPSWAT shall only Process Customer Personal Data for the purpose of providing the Services. Unless otherwise permitted under the Agreement or the CCPA:
(a) OPSWAT shall not further collect, retain, use, or disclose Customer Personal Data for a commercial purpose, or any purpose other than to perform the purpose contemplated by the Agreement;
(b) OPSWAT shall not retain, use, or disclose Customer Personal Data outside of the direct business relationship between the Parties; and
(c) OPSWAT shall not combine Customer Personal Data received from, or on behalf of, Customer with Personal Data from other persons or collected from its own interaction with Customer, except as necessary to provide the Services under the Agreement.
2.4 No Selling or Sharing. OPSWAT shall not sell or share Customer Personal Data.
2.5 Compliance with CCPA. OPSWAT shall comply with all applicable sections of the CCPA, including providing the same level of privacy protection as required under the CCPA with respect to Customer Personal Data Processed pursuant to this Agreement.
2.6 CCPA Audits.
2.6.1 Customer may, upon reasonable prior written request with no less than forty-five (45) days’ prior written notice, audit OPSWAT’s compliance with its obligations under this DPA once every twelve (12) months during the term of the Agreement. Customer must perform all audits during regular OPSWAT business hours and may not unreasonably interfere with OPSWAT business activities. To the extent required by the CCPA, including where mandated by the California Privacy Protection Agency, Customer may perform frequent audits.
2.6.2 If a third party is to conduct the audit, OPSWAT may object to the auditor if the auditor is, in OPSWAT’s reasonable opinion, not suitably qualified or independent, or an OPSWAT competitor. Such objection by OPSWAT will require Customer to appoint another auditor or conduct the audit itself.
2.6.3 To request an audit, Customer must submit a detailed proposed audit plan to OPSWAT at least two (2) weeks in advance of the proposed audit date. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. OPSWAT will review the proposed audit plan and provide Customer with concerns or questions (for example, any request for information that could compromise OPSWAT security, privacy, employment, or other relevant policies). OPSWAT will work cooperatively with Customer to agree on a final audit plan. Nothing in this Section 2.6 (CCPA Audits) shall require OPSWAT to breach duties of confidentiality.
2.6.4 If the requested audit scope is addressed in Audit Reports within twelve (12) months of Customer’s audit request and OPSWAT confirms there are no known material changes in the controls audited, Customer agrees to accept the Audit Reports in lieu of requesting an audit of the controls covered by the Audit Reports.
2.6.5 Audits are at Customer’s expense. Customer shall reimburse OPSWAT for any time expended by OPSWAT or its Sub-processors in connection with any audits under this Section 2.6 (CCPA Audits) at OPSWAT’s then-current professional services rates. Customer will pay all fees charged by any auditor appointed by Customer to execute any such audit.
2.6.6 The parties agree that this Section 2.6 (CCPA Audits) shall satisfy OPSWAT’s obligations under the CCPA to provide Customer with the right to take reasonable and appropriate steps to ensure that OPSWAT’s Processing of Customer Personal Data under this Agreement is consistent with OPSWAT’s obligations under the CCPA.
2.7 Notification. OPSWAT shall notify the Customer if OPSWAT determines that it can no longer meet its obligations under the CCPA. Upon OPSWAT’s notification under this Section 2.7, the parties shall negotiate in good faith changes to this Agreement or the Services to allow for OPSWAT to meet its obligations under the CCPA. If such negotiation exceeds thirty (30) days, Customer may terminate the applicable Order Form requiring OPSWAT’s Processing of Personal Data.
2.8 Remediation of Unauthorized Use of Personal Data. At Customer’s written request, OPSWAT shall cease Processing and delete or return Customer Personal Data pursuant to Section 4 of the DPA (Deletion or Return of Data). OPSWAT shall provide Customer a certificate attesting to OPSWAT’s compliance with Customer’s written request. The parties agree that this Section 2.8 shall satisfy OPSWAT’s obligations to provide Customer with the right to take reasonable and appropriate steps to stop and remediate OPSWAT’s unauthorized use of Customer Personal Data.
2.9 Reasonable Security. The parties agree that Section 5 (Data Security) shall satisfy OPSWAT’s obligations with respect to data security under the CCPA.
2.10 CCPA Data Subject Requests. The parties agree that Section 6 of the DPA (Data Subject Rights) shall satisfy OPSWAT’s obligations with respect to Data Subject Requests under the CCPA.
2.11 Sub-processors. The parties agree that Section 8 of the DPA (Sub-processors) shall satisfy OPSWAT’s obligations with respect to Sub-processors under the CCPA.
SCC - Controller to Processor
The Parties hereby agree that they will comply with Module 2 of the SCC, which are incorporated herein by reference, a copy of which can be found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en. Customer can also request a copy of the relevant clauses from privacy@opswat.com.
The Parties agree that the following terms apply:
1. Clause 7: The Parties have chosen to include Clause 7.
2. Clause 9(a): The Parties have chosen to include Option 2 (General written authorisation) with a time period of 15 days.
3. Clause 11(a): The Parties do not incorporate the optional language allowing a data subject to lodge a complaint with an independent dispute resolution body at no cost to the data subject.
4. Clause 17: These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of the Member State in which the data exporter is located. If the data exporter is not located in the EU, the parties agree that this shall be the law of Ireland.
5. Clause 18(b): The Parties agree that those shall be the courts of the EU Member State in which the data exporter is located. If the data exporter is not located in the EU, the parties agree that those shall be the courts of Ireland.
The Parties agree that Module 2 of the SCC takes priority over any other agreement between the parties, whether entered into before or after the date these Clauses are entered into. If required by the laws or regulatory procedures of any jurisdiction, the Parties shall execute or re-execute Module 2 of the SCC as a separate document.
Annex 1 to Appendix 4
A. List of parties
Data exporter(s): Customer
Role (controller/processor): Controller
Data importer(s): OPSWAT
Role (controller/processor): Processor
B. Description of transfer
Categories of data subjects: see Appendix 1 of DPA
Categories of Personal Data transferred: see Appendix 1 of DPA
Sensitive/Special Categories of data: none
Frequency of transfer: continuous as needed for the provision of the Services
Nature of processing and purpose(s) of the data transfer: see Appendix 1 of DPA
Period for which Personal Data will be retained: see Appendix 1 of DPA
C. Competent Supervisory Authority
The EU Member State in which the data exporter is located. If the data exporter is not located in the EU, this shall be Ireland.
Annex 2 to Appendix 4
Technical and Organizational Measures, Including Technical and Organizational Measures to Ensure the Security of the Data
See Appendix 2 of the DPA. For transfers to Sub-processors, OPSWAT shall ensure that such Sub-processors materially comply with the Security Measures listed in Appendix 2 of the DPA.
SCC - Processor to Processor
The Parties hereby agree that they will comply with Module 3 of the SCC, which are incorporated herein by reference, a copy of which can be found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en. Customer can also request a copy of the relevant clauses from privacy@opswat.com.
The Parties agree that the following terms apply:
1. Clause 7: The Parties have chosen to include Clause 7.
2. Clause 9(a): The Parties have chosen to include Option 2 (General written authorisation) with a time period of 15 days.
3. Clause 11(a): The Parties do not incorporate the optional language allowing a data subject to lodge a complaint with an independent dispute resolution body at no cost to the data subject.
4. Clause 17: These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of the Member State in which the data exporter is located. If the data exporter is not located in the EU, the parties agree that this shall be the law of Ireland.
5. Clause 18(b): The Parties agree that those shall be the courts of the EU Member State in which the data exporter is located. If the data exporter is not located in the EU, the parties agree that those shall be the courts of Ireland.
6. Annex I A: See Annex 1 of Appendix 4 of DPA, with Customer and OPSWAT both acting as processors.
7. Annex I B and C: See Annex 1 of Appendix 4 of DPA.
8. Annex II: See Annex 2 of Appendix 4 of DPA.
The Parties agree that Module 3 of the SCC takes priority over any other agreement between the parties, whether entered into before or after the date these Clauses are entered into. If required by the laws or regulatory procedures of any jurisdiction, the Parties shall execute or re-execute Module 2 of the SCC as a separate document.
Transfers of Customer Personal Data out of the United Kingdom
The Parties hereby agree that they will comply with Module 2 or Module 3 of the SCC (as applicable), as completed by Appendix 4 or Appendix 5 (respectively) and amended by the UK Addendum, which is incorporated by reference, a copy of which can be found on the Information Commissioner’s Office’s website (https://ico.org.uk/media/for-organisations/documents/4019535/addendum-international-data-transfer.docx). Customer can also request a copy of the relevant clauses from privacy@opswat.com.
1. Table 1: Parties
Data exporter: Customer
Data importer: OPSWAT
2. Table 2: Selected SCCs, Modules and Selected Clauses
Module 2 or Module 3 of the SCC, as completed by Appendix 4 or Appendix 5
3. Table 3: Appendix Information
Annex 1A: See Annex 1 of Appendix 4 of the DPA
Annex 1B: See Annex 1 of Appendix 4 of the DPA
Annex II: See Annex 2 of Appendix 4 of the DPA
Annex III: The list of OPSWAT’s Sub-processors is available at https://www.opswat.com/legal/subprocessors
4. Table 4: Ending this Addendum when the Approved Addendum Changes
Importer or Exporter
The Parties agree that Module 2 or Module 3 of the SCC (as applicable), as amended by the UK Addendum, takes priority over any other agreement between the parties, whether entered into before or after the date these Clauses are entered into. If required by the laws or regulatory procedures of any jurisdiction, the Parties shall execute or re-execute Module 2 or Module 3 of the SCC (as applicable), as amended by the UK Addendum, as a separate document.