1. The Program is open to Participants who meet all of the following criteria:
   1. At least 18 years old;
   2. English proficiency;
   3. Either (A) working in the cybersecurity industry or (B) studying in the fields of cybersecurity or relevant domains like cyber-physical systems, information security, and/or computer science with the aim of pursuing a career in cybersecurity; and
   4. Prepared to complete the Course Package within six (6) months of receiving access to such Course Package.
2. The Program is not open to any employee whose employer's guidelines or regulations do not allow entry in the Program or acceptance of the Course Package. In addition, residents of Balkans, Belarus, Burundi, Central Africa Republic, Ivory Coast, Cuba, Iran, Iraq, Lebanon, Libya, Myanmar (formerly Burma), North Korea, Russia, Somalia, Sudan, South Sudan, Syria, Ukraine, Venezuela, Yemen, and Zimbabwe are not eligible to participate. This Program is void in these countries and where otherwise prohibited or restricted by law.
3. Partners are responsible for ensuring that their Participants meet the requirements of this Section.

If the Partner currently or is planning to engage in business with OPSWAT, such as a customer or channel partner, the Partner certifies that its participation in the Program will not inhibit their objectivity in relation to their connection with OPSWAT and will not pose a conflict of interest, whether actual, potential or perceived.

Subject to applicable law, OPSWAT reserves the right in its discretion, to (i) cancel, terminate, modify, or suspend this Program and these Scholarship Terms, for any reason, at any time, and without any liability, and (ii) limit or restrict participation in the Program.

1. The total value of all Course Packages awarded through the Program shall be up to US $10,000,000 and shall be awarded to up to twenty-five thousand (25,000) participants. Limit of one (1) Course Package per Participant. OPSWAT reserves the right to award Course Packages to less than US $10,000,000 in Course Packages and/or fewer than twenty-five thousand (25,000) selected Candidates based on available resources and as determined by OPSWAT in its sole discretion.
2. Subject to these Scholarship Terms, once selected by Partners, each Participant selected will receive access to the Course Package, consisting of nine (9) certification courses offered through OPSWAT Academy for a period of six (6) months after delivery to the Participant. Course Package materials are in English.
3. No substitution, assignment, transfer, or cash redemption of any Course Package is allowed by Partner. If a Partner’s Participant is unable to participate in or accept the Course Package or any portion of the Course Package for any reason, OPSWAT shall have no further obligation to Partner. OPSWAT will not replace any lost or stolen Course Packages after being awarded by Partner to Participant.
4. Partner will be solely responsible for any local, provincial, country, or any other applicable taxes, and any other costs, expenses, and fees in connection with the Course Packages.
5. All costs and expenses, including support services, not specifically listed above as part of the Course Package, are solely Partner’s responsibility.

The Program is subject to applicable laws and these Scholarship Terms. Partner is solely responsible for compliance with any applicable laws, rules and regulations, contractual limitations, and/or office or company policies, if any, regarding their participation in the Program. By entering this Program, Partner confirms that it is not in violation of any of the foregoing.

Partner acknowledges and agrees that OPSWAT has neither made, nor is in any manner responsible or liable for, any warranty, representation, or guarantee, expressed or implied, in fact or in law, related to the Course Package or the Program. All warranties are hereby disclaimed; and the Program and the Course Package are provided "AS IS." In particular, OPSWAT is not responsible for technical failures of any kind or any other factors beyond OPSWAT’s reasonable control. OPSWAT is not responsible for injury or damage to Partner’s or its Participants’ data or devices related to or resulting from participating in the Program or downloading materials from or use of the Course Package.

PARTNER AGREES THAT OPSWAT, ITS AFFILIATES, RESELLERS, DISTRIBUTORS, AND ALL OF THEIR RESPECTIVE OFFICERS, DIRECTORS, EMPLOYEES, CONTRACTORS, REPRESENTATIVES, AND AGENTS (“RELEASED PARTIES”) WILL HAVE NO LIABILITY WHATSOEVER FOR, AND WILL BE RELEASED AND HELD HARMLESS BY PARTNER FOR, ANY CLAIMS, LIABILITIES, OR CAUSES OF ACTION OF ANY KIND OR NATURE FOR ANY INJURY, LOSS, OR DAMAGES OF ANY KIND INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES TO PERSONS, INCLUDING WITHOUT LIMITATION DISABILITY OR DEATH. WITHOUT LIMITING THE FOREGOING, EVERYTHING ON THE SITE AND IN CONNECTION WITH THE PROGRAM IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. SOME JURISDICTIONS MAY NOT ALLOW THE LIMITATIONS OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES OR EXCLUSION OF IMPLIED WARRANTIES, IN WHICH CASE SUCH LIMITATION OR EXCLUSION SHALL APPLY ONLY TO THE EXTENT PERMITTED BY THE LAW IN THE RELEVANT JURISDICTION.

Partner and OPSWAT acknowledge and agree that either party may use the Program (including any submissions related to the Program) for publicity, advertising, and marketing purposes across all media. Each party may use the other party's name, trademarks, and Program details for such purposes, provided such use complies with the respective party's trademark guidelines. Either party may require the other party to cease using its trademarks in advertising or marketing materials if such use is deemed inappropriate or potentially harmful to its business interests. Upon termination of this Agreement, both parties shall immediately discontinue all use of the other party's trademarks.

All personal information collected by OPSWAT will be used for the administration of the Program and in accordance with OPSWAT's privacy policy located at https://www.opswat.com/legal/privacy-policy (the “Privacy Policy”). By participating in the Program, Partner acknowledges and agrees that OPSWAT shall process Partner’s and its Participants’ personal data in accordance with the Privacy Policy. The Data Processing Addendum attached hereto as Exhibit A is incorporated by reference into these Scholarship Terms if applicable laws require OPSWAT to enter into an agreement with Partner regarding OPSWAT’s processing of Participants’ personal information provided by Partner to OPSWAT.

1. Each party acknowledges that the Scholarship Terms constitutes the entire agreement between the parties in relation to the Program and that it does not rely upon any oral or written representation made to it by the other. OPSWAT may update the terms set forth herein at any time by updating this website.
2. These Scholarship Terms will be construed and enforced in all respects in accordance with the laws of the State of Florida, U.S.A., without reference to its choice of law rules. Any payment disputes, controversy or claim arising under or pursuant to these Scholarship Terms shall be settled, to the extent possible, amicably. That failing, the parties agrees to submit exclusive venue in, and the exclusive jurisdiction of, federal and state courts, as applicable, located in Tampa, Florida, U.S.A.
3. OPSWAT shall not be liable to Partner or its Participants for failure to supply any Course Package or any part thereof, by reason of the Course Package becoming, for reasons beyond the reasonable control of OPSWAT, unavailable or impracticable to award, or for any force majeure event, technical or equipment failure, terrorist acts, labor dispute, or act/omission of any kind (whether legal or illegal), transportation interruption, civil disturbance, or any other cause similar or dissimilar beyond OPSWAT’s control.
4. Nothing in the Scholarship Terms shall create, or be deemed to create, a partnership or joint venture or relationship of employer and employee or principal and agent between the parties.
5. No rights under the Scholarship Terms may be assigned by Partner without the prior written consent of OPSWAT. A person who is not a party to the Scholarship Terms shall have no rights under or in connection with it.
6. Notice given by a party to any other party will be in writing and effective upon confirmed delivery as follows: (i) if to Partner, when sent via email or physical address on record provided by the Participant; and (ii) if to OPSWAT, when sent via email to Legal@OPSWAT.com or 5411 Skycenter Drive, #900, Tampa, FL 33607, Attn: Legal. A notice must specifically reference that it is a notice given under these Scholarship Terms. Emailed notices will be considered given and received when the email is sent. Partner agrees to accept service of process by mail. For the avoidance of doubt notice shall be deemed to be delivered at the time of delivery if delivered by hand or courier, and within two working days if delivered by prepaid first class post.
7. No failure by either party in exercising any right, power or remedy shall operate as a waiver of the same.
8. If any provision of the Scholarship Terms (or any part of any provision) is found by a court or other authority of competent jurisdiction to be invalid, illegal or unenforceable, that provision or part-provision shall, to the extent required, be deemed not to form part of the Scholarship Terms and the validity and enforceability of the other provisions of the Scholarship Terms shall not be affected.

This Data Processing Addendum ("DPA") shall govern OPSWAT’s processing of Participants’ Personal Data (as defined below) received from or on behalf of Partner during the course of Partner’s participation in the Program pursuant to the Scholarship Terms.

Partner and OPSWAT shall each be referred to herein as a "Party" and together as "Parties".

For purposes of this DPA, the terms below shall have the meanings set forth below. Capitalized terms that are used but not otherwise defined in this DPA shall have the meanings set forth in the Scholarship Terms.

“Affiliates” means, with respect to each party, entities that Control, are controlled by, or are under common Control with such party.

“Aggregated Data” means statistics, benchmarks, measures, and other information or data that is anonymized by removing personal or other information so the data cannot be attributable to a specific individual or Partner (using commercially reasonably efforts or as required by Applicable Laws).

“Applicable Laws” means applicable national, federal, state, and local laws, rules, guidelines, court or government agency orders, and regulations.

“Control” means the beneficial ownership of more than fifty percent (50%) of the voting power or equity in an entity.

“Data Protection Legislation” means Applicable Laws, including but not limited to the laws of the EEA and/or member states (such as GDPR), United Kingdom, and Switzerland, applicable to the Processing of Partner Personal Data under the Scholarship Terms (in all cases, as amended, superseded, or replaced).

“Data Subject” means the individual to whom Partner Personal Data relates.

“EEA” means the European Economic Area.

“GDPR” means General Data Protection Regulation EU 2016/679.

“Information Security Incident” means a breach of security leading to accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access to Partner Personal Data in OPSWAT’s possession, custody, or control. “Information Security Incidents” does not include unsuccessful attempts or activities that do not compromise the security of Partner Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

“Partner Personal Data” means information relating to an identified or identifiable natural person protected under Data Protection Legislation that Partner provides or make available to OPSWAT, or that OPSWAT otherwise Processes on Partner’s behalf, in each case, in connection with the Program as set forth in the Scholarship Terms.

"Processing” means any operation or set of operations which is performed on Partner Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Partner Personal Data. The terms “Process”, “Processes” and “Processed” will be construed accordingly.

“SCC” means the European Commission Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as may be amended, restated or  superseded from time to time.

“Security Measures” means the technical and organizational measures used by OPSWAT to protect Partner Personal Data, as further described in Section 5.1 (OPSWAT’s Security Measures).

“Sub-processors” means third parties, other than OPSWAT, engaged and authorized by OPSWAT, under this DPA to Process Partner Personal Data in relation to the Program.

“Term” shall have the meaning set forth in Section 2.

This DPA will take effect when the Scholarship Terms becomes effective and will automatically expire upon termination of the Scholarship Terms.

3.1 Processing Scope; Partner Instructions; OPSWAT Compliance with Partner Instructions.

By entering into this DPA, Partner instructs OPSWAT to Process Partner Personal Data only in accordance with Data Protection Legislation. OPSWAT will only Process Partner Personal Data in accordance with Partner's instructions: (a) to provide the Program; (b) as authorized by the Scholarship Terms, including this DPA; and (c) as documented in other written instructions provided by Partner and acknowledged in writing by OPSWAT as constituting instructions for purposes of this DPA, unless required to do so otherwise by Applicable Laws. The subject matter and details of Processing are described in Appendix 1 (Details of Processing).

3.2 Partner’s Responsibilities.

Partner represents and warrants that (a) Partner has obtained any necessary authorizations, consents, and permissions under Data Protection Legislation for OPSWAT’s Processing of Partner Personal Data (including the transfer or provision of access to Partner Personal Data to OPSWAT) in accordance with the terms of this DPA; and (b) Partner’s instructions, decisions, and actions regarding the Processing of Partner Personal Data shall comply with Applicable Laws, including Data Protection Legislation. Partner will inform OPSWAT without undue delay if Partner is unable to comply with this Section 3.2 (Partner’s Responsibilities).

3.3 Analytics.

OPSWAT may collect, develop, create, extract, compile, synthesize, analyze, use, commercialize, or share Aggregated Data with third parties for a variety of purposes, including to: (i) maintain, improve, market, and promote the Program; (ii) identify, understand, and anticipate performance and security issues and the factors that affect them; (iii) provide updates, enhancements, and personalized experiences to our customers; and (iv) research and develop new products and services. For the avoidance of doubt, Aggregated Data shall exclude Partner Personal Data or any information identifying Partner.

On the effective termination date of this DPA, or upon Partner’s written request, OPSWAT shall delete, give Partner access, correct, or return Partner Personal Data (including existing copies) from OPSWAT’s systems in accordance with Applicable Laws as soon as reasonably practicable, unless Applicable Laws require or allow OPSWAT to retain Partner Personal Data (e.g., Applicable Laws may allow OPSWAT to retain copies of Partner Personal Data stored electronically on data archives or back-up systems).

OPSWAT shall implement and maintain reasonably appropriate Security Measures to protect Partner Personal Data, as described under Appendix 2 (Security Measures). OPSWAT may update or modify the Security Measures from time to time provided that such updates and modifications do not materially decrease the overall security of the Program.

OPSWAT will grant access to Partner Personal Data only to employees, independent contractors, OPSWAT Affiliates, and Sub-processors who need such access for the scope of their performance, and have confidentiality obligations that are not less restrictive than OPSWAT’s confidentiality obligations in the Scholarship Terms.

1. 5.3.1 Information Security Incident Notification. If OPSWAT becomes aware of an Information Security Incident, OPSWAT will: (a) notify Partner of the Information Security Incident without undue delay, according to Section 13 (Notices), after becoming aware of the Information Security Incident; and (b) take reasonable steps to identify the cause of such Information Security Incident, minimize harm, and prevent a recurrence. Except to the extent required by Applicable Laws, OPSWAT shall not make any notification to third parties of an Information Security Incident explicitly naming Partner without Partner’s prior written consent, other than to approved Sub-Processors, law enforcement, insurance adjusters, and OPSWAT’s Information Security Incident response service providers.
2. 5.3.2 Notification. Partner is solely responsible for complying with incident notification laws applicable to Partner and fulfilling third party notification obligations related to any Information Security Incidents (e.g., Article 33 and 34 of the GDPR). In this case, OPSWAT will provide reasonable assistance to Partner.
3. 5.3.3 No Acknowledgement of Fault by OPSWAT. OPSWAT’s notification of, or response to, an Information Security Incident under this Section 5.3 (Information Security Incidents) will not be construed as an acknowledgement by OPSWAT of any fault or liability with respect to the Information Security Incident.

5.4.1 Partner’s Security Responsibilities.

Partner agrees that, without prejudice to OPSWAT’s obligations under Section 5.1 (OPSWAT’s Security Measures) and Section 5.3 (Information Security Incidents):

1. Partner is solely responsible for its Participants’ use of the Course Packages, including ensuring that Participants: (i) secure the account authentication credentials, systems and devices Participants use to access the Course Packages; and (ii) back up their Personal Data.
2. OPSWAT has no obligation to protect Partner Personal Data that Partner elects to store or transfer outside of OPSWAT’s and its Sub-processors’ systems (for example, offline or on-premises storage).

5.4.2 Partner’s Security Assessment.

1. Partner is solely responsible for reviewing and evaluating for itself whether the Services, the Security Measures, and OPSWAT’s commitments under this Section 5 (Data Security) meet Partner’s needs, including with respect to any security obligations of Partner under Data Protection Legislation.
2. Partner acknowledges and agrees that (taking into account industry standards, the costs of implementation and the nature, scope, context and purposes of the Processing of Partner Personal Data as well as the risks to data subjects) the Security Measures implemented and maintained by OPSWAT as set out in Appendix 2 (OPSWAT’s Security Measures) provide a level of security appropriate to the risk with respect to Partner Personal Data.

If OPSWAT receives any request from a Data Subject in relation to Partner Personal Data, to the extent permitted by Applicable Laws, OPSWAT will promptly notify Partner of any such request. Partner will be responsible for responding to any such request.

OPSWAT will (taking into account the nature of the Processing of Partner Personal Data) provide Partner with reasonable assistance as necessary for Partner to fulfil its obligation under Data Protection Legislation to respond to data subject requests. Partner shall reimburse OPSWAT for any fees or costs incurred in connection with such assistance at OPSWAT’s then-current professional services rates.

OPSWAT may store and Process Partner Personal Data anywhere OPSWAT, its Affiliates, or its Sub-processors maintains operations, as provided in Section 8 below. For international transfers of Partner Personal Data subject to Data Protection Legislation in the EEA, Switzerland, and the United Kingdom, the terms of Appendix 3, Sections 1.10 and/or 1.11 shall apply.

Partner authorizes OPSWAT to engage its Affiliates and other third parties as Sub-processors. The list of OPSWAT’s Sub-processors is available at https://www.opswat.com/legal/subprocessors and Partner may subscribe to updates to this list via RSS feed. If Partner enters into the SCC or other similar agreements, Partner’s signing of those agreements constitute Partner’s prior written authorization to the subcontracting by OPSWAT of the Processing of Partner Personal Data if such authorization is required under the SCC or other similar agreements. OPSWAT shall be liable for all obligations subcontracted to, and all acts and omissions of, its Sub-processors.

By participating in the Program, Partner acknowledges and agrees that it is entering into this DPA on behalf of itself and, to the extent required under applicable Data Protection Legislation, in the name and on behalf of its Data Controller Affiliates, to the extent OPSWAT Processes Partner Personal Data for which such Data Controller Affiliates qualify as the Controller, thereby establishing a DPA between OPSWAT and each Data Controller Affiliate, subject to the provisions of the Scholarship Terms and this DPA. Partner agrees to ensure each Data Controller Affiliate agrees to be bound by the obligations of this DPA. However, a Data Controller Affiliate is not and does not become a party to the Scholarship Terms, and is only a party to this DPA. All access and use of the Services by Data Controller Affiliate must comply with the Scholarship Terms and any violation of the Scholarship Terms by a Data Controller Affiliate shall be deemed a violation by Partner. Partner shall remain responsible for coordinating all communications with OPSWAT under this DPA and shall be entitled to make and receive any communication in relation to this DPA on behalf of its Data Controller Affiliated.

In the event a Data Controller Affiliate becomes a party to the DPA with OPSWAT, it shall do so only to the extent required under Data Protection Legislation. Except as expressly required by Data Protection Legislation for a Data Controller Affiliate to exercise a right or seek a remedy under this DPA from OPSWAT by itself directly, the Parties agree that: (a) Partner shall have the sole right to exercise any such right or seek any such remedy on behalf of the Data Controller Affiliate; and (b) Partner shall, to the extent not prohibited by Data Protection Legislation, exercise any such rights under this DPA in a combined manner for all of its Data Controller Affiliates together.

OPSWAT shall respond to any written audit questions submitted to it by the Partner, provided that the Partner shall not exercise this right more than once per year.

If OPSWAT Processes Personal Data from a jurisdiction listed in Appendix 3, the corresponding provisions will apply with respect to such Processing.

Except to the extent prohibited by Applicable Laws, the total combined liability of either Party and its Affiliates (including Data Controller Affiliates) towards the other Party and its Affiliates, whether in contract, tort or any other theory of liability, under or in connection with the Scholarship Terms, this DPA, and the SCC, if entered into, will be limited to limitations on liability or other liability caps agreed by the Parties in the Scholarship Terms. OPSWAT and OPSWAT Affiliates’ total liability for all claims from Partner and all of its Data Controller Affiliates arising out of the Scholarship Terms or the DPA shall apply in aggregate for all claims under both the Scholarship Terms and the DPA and shall not be understood to apply individually and severally to Partner or to any Data Controller Affiliate that is a contractual party to any such DPA.

Except for the changes made by this DPA, the Scholarship Terms, and/or any other agreements related to the Services remain unchanged and in full force and effect. In the event of a conflict between the Scholarship Terms and this DPA, the provisions of this DPA shall control and govern with respect to the subject matter. In the event of a conflict between this DPA and the SCC, the provisions of the SCC shall control and govern with respect to the subject matter of the SCC. This DPA may be amended and/or modified only by a writing signed by OPSWAT and Partner. All other terms and conditions in the Scholarship Terms that are not amended by this DPA remain in full force and effect.

This DPA shall be governed by the law of the same jurisdiction as the Scholarship Terms, except where and to the extent the Data Protection Legislation requires this DPA be governed by the law of another jurisdiction.

1.1 Scope. The following provisions shall apply only with respect to OPSWAT’s Processing of Partner Personal Data subject to Data Protection Legislation in the EEA, Switzerland, and the United Kingdom.

1.2 Definitions.

(a) The terms “Controller”, “Processor”, and “Supervisory Authority” shall have the meanings given in GDPR.

(b) “UK Addendum” means the International Data Transfer Addendum to the SCC, Version B1.0, as issued by the United Kingdom’s Information Commissioner’s Office.

1.3 Processor and Controller Responsibilities. The Parties acknowledge and agree that:

(a) OPSWAT is a Processor or Sub-processor, as applicable, of Partner Personal Data under the Data Protection Legislation;

(b) Partner is a Controller or Processor, as applicable, of Partner Personal Data under Data Protection Legislation;

(c) Partner shall have sole responsibility for the accuracy, quality, and legality of Partner Personal Data and the means by which Partner acquired Partner Personal Data; and

(d) each Party will comply with the obligations applicable to it under Data Protection Legislation with respect to the Processing of Partner Personal Data.

1.4 Authorization by Third Party Controller. If Partner is a Processor, Partner represents and warrants to OPSWAT that Partner’s instructions and actions with respect to Partner Personal Data, including its appointment of OPSWAT as a Processor, have been authorized by the relevant Controller. Partner acknowledges that OPSWAT is not responsible for collecting consent or authorization for Processing of Partner Personal Data.

1.5 Processing by OPSWAT to Comply with Applicable Law. If OPSWAT must Process Partner Personal Data contrary to Partner’s instructions or as authorized by the Scholarship Terms (including this DPA) to comply with Applicable Laws, OPSWAT shall inform Partner of the Applicable Laws before Processing, unless Applicable Laws prohibit such notice on important grounds of public interest.

1.6 Security Measures. OPSWAT shall (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects) implement appropriate Security Measures to ensure a level of security appropriate to the risk, including the Security Measures detailed in Appendix 2, and as appropriate:

(a) the pseudonymisation and encryption of Partner Personal Data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and Services, including the following specific measures and practices;

(c) the ability to restore the availability of and access to Partner Personal Data in a timely manner in the event of a physical or technical incident; and

(d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing of Partner Personal Data.

1.7 Reasonable Assistance. OPSWAT will provide reasonable assistance to Partner, as required by Applicable Laws applicable to OPSWAT’s role as a Processor, for Partner to comply with Partner’s obligations to perform a data protection impact assessment under Article 35 GDPR. In situations where Partner’s Processing of Partner Personal Data results in a high risk to the rights and freedoms of data subjects, OPSWAT will provide reasonable assistance to Partner as it seeks prior consultation from a Supervisory Authority according to Article 36 GDPR.

1.8 Details of Information Security Incident. Notifications made pursuant to Section 5.3 of the DPA (Information Security Incidents) will:

(a) describe the nature of the Information Security Incident including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

(b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;

(c) describe the likely consequences of the Information Security Incident; and

(d) describe the measures taken or proposed to be taken by OPSWAT to address the Information Security Incident, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

1.9 Audits of Compliance.

1.9.1 Partner may, upon reasonable prior written request with no less than forty-five (45) days’ prior written notice, audit OPSWAT’s compliance with its obligations under this DPA once every twelve (12) months during the term of the Scholarship Terms, to meet the requirements of Data Protection Legislation. Partner must perform all audits during regular OPSWAT business hours and may not unreasonably interfere with OPSWAT business activities. To the extent required by Data Protection Legislation, including where mandated by Partner’s Supervisory Authority, Partner or Partner’s Supervisory Authority may perform frequent audits.

1.9.2 If a third party is to conduct the audit, OPSWAT may object to the auditor if the auditor is, in OPSWAT’s reasonable opinion, not suitably qualified or independent, or an OPSWAT competitor. Such objection by OPSWAT will require Partner to appoint another auditor or conduct the audit itself.

1.9.3 To request an audit, Partner must submit a detailed proposed audit plan to OPSWAT at least two (2) weeks in advance of the proposed audit date. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. OPSWAT will review the proposed audit plan and provide Partner with concerns or questions (for example, any request for information that could compromise OPSWAT security, privacy, employment, or other relevant policies). OPSWAT will work cooperatively with Partner to agree on a final audit plan. Nothing in this Section 1.9 (Audits of Compliance) shall require OPSWAT to breach duties of confidentiality.

1.9.4 Audits are at Partner’s expense. Partner shall reimburse OPSWAT for any time expended by OPSWAT or its Sub-processors in connection with any audits under this Section 1.9 (Audits of Compliance) at OPSWAT’s then-current professional services rates. Partner will pay all fees charged by any auditor appointed by Partner to execute any such audit.

1.9.5 The parties agree that this Section 1.9 (Audits of Compliance) shall satisfy OPSWAT’s obligations under the audit requirements of the SCC applied to data importer under Clause 5(f) and to any Sub-processors under Clause 11 and Clause 12(2).

1.10 Transfers of Data Out of the EEA or Switzerland. If the storage and/or Processing of Partner Personal Data involves transfers of Partner Personal Data out of the EEA or Switzerland, and Data Protection Legislation applies to the transfers of such Partner Personal Data, Appendix 4 shall apply and OPSWAT will make such transfers in accordance with the controller-to-processor SCC referenced therein unless the transfer is made to a country for which an adequacy decision by the European Commission exists.

1.11 Transfers of Data Out of the United Kingdom. If the storage and/or Processing of Partner Personal Data involves transfers of Partner Personal Data out of the United Kingdom, and Data Protection Legislation applies to the transfers of such Partner Personal Data, Appendix 5 shall apply and OPSWAT will make such transfers in accordance with the SCC referenced therein unless the transfer is made to a country covered by UK adequacy regulations.

1.12 Sub-processor Agreements. OPSWAT may redact all confidential business or legal terms in its agreements with Sub-processors prior to responding to Partner’s request for a copy of a Sub-processor agreement pursuant to Clause 9(c) of the SCC.

1.13 Opportunity to Object to Sub-processor Changes. When a new Sub-processor is engaged during the term of the DPA, OPSWAT will, at least fifteen (15) days before the new Sub-processor Processes any Partner Personal Data, notify Partner of the engagement in writing by updating its Sub-processor list located at https://www.opswat.com/legal/subprocessors. Partner may object to a new Sub-processor by providing written notice to OPSWAT within five (5) business days of the date on OPSWAT’s notice. In the event Partner objects to a new Sub-processor, Partner and OPSWAT will work together in good faith to find a mutually acceptable resolution to address such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Partner may, as its sole and exclusive remedy, terminate its participation in the Program by providing written notice to OPSWAT.

1.14 Processing Records. Partner acknowledges that OPSWAT is required under the GDPR to: (a) collect and maintain records of certain information according to Article 30 (2) GDPR, including the name and contact details of each Processor and/or Controller on behalf of which OPSWAT is acting and, where applicable, of such Processor’s or Controller's local representative and data protection officer; and (b) make such information available to the Supervisory Authorities according to Article 30 (4) GDPR. If the GDPR applies to the Processing of Partner Personal Data, Partner will, where requested, provide such information to OPSWAT, and will ensure that all information provided is kept accurate and current.

2.1 Scope. The following provisions shall apply only with respect to OPSWAT’s Processing of Partner Personal Data subject to the California Consumer Privacy Act of 2018, Cal. Civil Code §1798.100 et seq., as amended by the California Privacy Rights Act, and related regulations, as may be further amended from time to time (collectively, the “CCPA”).

2.2 Definitions. The terms “sell”, “share,” and “service provider” shall have the same meanings as defined under the CCPA.

2.3 Service Provider. OPSWAT is a service provider to Partner. OPSWAT shall only Process Partner Personal Data for the purpose of providing the Program. Unless otherwise permitted under the Scholarship Terms or the CCPA:

(a) OPSWAT shall not further collect, retain, use, or disclose Partner Personal Data for a commercial purpose, or any purpose other than to perform the purpose contemplated by the Scholarship Terms;

(b) OPSWAT shall not retain, use, or disclose Partner Personal Data outside of the direct business relationship between the Parties; and

(c) OPSWAT shall not combine Partner Personal Data received from, or on behalf of, Partner with Personal Data from other persons or collected from its own interaction with Partner, except as necessary to provide the Services under the Scholarship Terms.

2.4 No Selling or Sharing. OPSWAT shall not sell or share Partner Personal Data.

2.5 Compliance with CCPA. OPSWAT shall comply with all applicable sections of the CCPA, including providing the same level of privacy protection as required under the CCPA with respect to Partner Personal Data Processed pursuant to this Scholarship Terms.

2.6 CCPA Audits.

2.6.1 Partner may, upon reasonable prior written request with no less than forty-five (45) days’ prior written notice, audit OPSWAT’s compliance with its obligations under this DPA once every twelve (12) months during the term of the Scholarship Terms. Partner must perform all audits during regular OPSWAT business hours and may not unreasonably interfere with OPSWAT business activities. To the extent required by the CCPA, including where mandated by the California Privacy Protection Agency, Partner may perform frequent audits.

2.6.2 If a third party is to conduct the audit, OPSWAT may object to the auditor if the auditor is, in OPSWAT’s reasonable opinion, not suitably qualified or independent, or an OPSWAT competitor. Such objection by OPSWAT will require Partner to appoint another auditor or conduct the audit itself.

2.6.3 To request an audit, Partner must submit a detailed proposed audit plan to OPSWAT at least two (2) weeks in advance of the proposed audit date. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. OPSWAT will review the proposed audit plan and provide Partner with concerns or questions (for example, any request for information that could compromise OPSWAT security, privacy, employment, or other relevant policies). OPSWAT will work cooperatively with Partner to agree on a final audit plan. Nothing in this Section 2.6 (CCPA Audits) shall require OPSWAT to breach duties of confidentiality.

2.6.4 Audits are at Partner’s expense. Partner shall reimburse OPSWAT for any time expended by OPSWAT or its Sub-processors in connection with any audits under this Section 2.6 (CCPA Audits) at OPSWAT’s then-current professional services rates. Partner will pay all fees charged by any auditor appointed by Partner to execute any such audit.

2.6.5 The parties agree that this Section 2.6 (CCPA Audits) shall satisfy OPSWAT’s obligations under the CCPA to provide Partner with the right to take reasonable and appropriate steps to ensure that OPSWAT’s Processing of Partner Personal Data under this Scholarship Terms is consistent with OPSWAT’s obligations under the CCPA.

2.7 Notification. OPSWAT shall notify the Partner if OPSWAT determines that it can no longer meet its obligations under the CCPA. Upon OPSWAT’s notification under this Section 2.7, Partner may terminate its participation in the Program via written notice to OPSWAT.

2.8 Remediation of Unauthorized Use of Personal Data. At Partner’s written request, OPSWAT shall cease Processing and delete or return Partner Personal Data pursuant to Section 4 of the DPA (Deletion or Return of Data). OPSWAT shall provide Partner a certificate attesting to OPSWAT’s compliance with Partner’s written request. The parties agree that this Section 2.8 shall satisfy OPSWAT’s obligations to provide Partner with the right to take reasonable and appropriate steps to stop and remediate OPSWAT’s unauthorized use of Partner Personal Data.

2.9 Reasonable Security. The parties agree that Section 5 (Data Security) shall satisfy OPSWAT’s obligations with respect to data security under the CCPA.

2.10 CCPA Data Subject Requests. The parties agree that Section 6 of the DPA (Data Subject Rights) shall satisfy OPSWAT’s obligations with respect to Data Subject Requests under the CCPA.

2.11 Sub-processors. The parties agree that Section 8 of the DPA (Sub-processors) shall satisfy OPSWAT’s obligations with respect to Sub-processors under the CCPA.

A. List of parties

Data exporter(s): Partner

Role (controller/processor): Controller

Data importer(s): OPSWAT

Role (controller/processor): Processor

B. Description of transfer

Categories of data subjects: see Appendix 1 of DPA

Categories of Personal Data transferred: see Appendix 1 of DPA

Sensitive/Special Categories of data: none

Frequency of transfer: continuous as needed for the provision of the Services

Nature or processing and purpose(s) of the data transfer: see Appendix 1 of DPA

Period for which Personal Data will be retained: see Appendix 1 of DPA

C. Competent Supervisory Authority

The EU Member State in which the data exporter is located. If the data exporter is not located in the EU, this shall be Ireland.

Technical and Organizational Measures Including Technical Organizational Measures to Ensure the Security of the Data

See Appendix 2 of the DPA. For transfers to Sub-processors, OPSWAT shall ensure that such Sub-processors materially comply with the Security Measures listed in Appendix 2 of the DPA.