Data Privacy Addendum for Customers

Last Updated: September 1st, 2023


This Data Privacy Addendum (“DPA”) is incorporated into and forms part of (and if applicable, amends the current version of) the Agreement (as defined below) between Watershed Technology, Inc. (“Watershed”), and the company receiving Services (as defined in the Agreement) from Watershed (“Customer”), each a “Party” and collectively the “Parties”. This DPA applies to and takes precedence over the agreement between the Parties and any associated contractual document between the Parties, such as a Master Services Agreement, order form, statement of work or data protection addendum thereunder (collectively, the “Agreement”), to the extent of any conflict.

Customer and Watershed agree as follows:

  1. Definitions. For purposes of this DPA:
    1. “Data Privacy Laws” means all applicable laws and regulations in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of personal data, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., including its regulations and the amendments made by the California Privacy Rights Act of 2020 (“CCPA”), privacy laws passed by other U.S. states (together with the CCPA, “U.S. State Privacy Laws”), the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), the United Kingdom Data Protection Act of 2018 (“UK Privacy Act”), and the Swiss Federal Act on Data Protection (“FADP”). For the avoidance of doubt, if Watershed’s Processing activities involving Personal Data are not within the scope of a given Data Privacy Law, such law is not applicable for purposes of this DPA.
    2. “Data Subject” means an identified or identifiable natural person to whom Personal Data relates, and includes “consumer” as defined in Data Privacy Laws.
    3. “EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, located at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as set forth herein.
    4. “Personal Data” includes “personal data,” “personal information,” “personally identifiable information,” and similar terms, and such terms shall have the same meaning as defined by applicable Data Privacy Laws, that is Processed in relation to the Agreement.
    5. “Process” and its cognates “Processing,” “Processed,” etc. mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
    6. “Security Breach” means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
    7. “Subprocessor” means any third party or Watershed affiliate that Watershed engages to Process Personal Data.
    8. “UK SCCs” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner’s Office, located at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-DPA.pdf and completed as set forth herein.
    9. The terms “Business,” “Controller,” “Processor,” and “Service Provider” are defined as in applicable Data Privacy Laws.
  2. Roles of the Parties; Scope and Purposes of Processing.
    1. This DPA applies to all Personal Data that Watershed Processes pursuant to the Agreement.
    2. The Parties agree that where Customer is a Controller or Business, Watershed is its Processor or Service Provider. Where Customer is a Processor or Service Provider, Watershed acts as Customer’s Processor (i.e., its Subprocessor) or Service Provider.
    3. Watershed will Process Personal Data solely: (1) to fulfill its obligations to Customer under the Agreement, including this DPA; (2) on Customer’s behalf; and (3) in compliance with Data Privacy Laws. Watershed will, except as explicitly authorized under applicable law:
      1. not retain, use, or disclose the Personal Data outside of the direct business relationship between Customer and Watershed;
      2. not “sell” or “share” any Personal Data, as such terms are defined in applicable U.S. State Privacy Laws, to any third party;
      3. not attempt to (1) re-identify any pseudonymized, anonymized, aggregate, or de-identified Personal Data, or (2) link, identify, or otherwise create a relationship between Personal Data and non-Personal Data or any other data, without Customer’s express written permission;
      4. comply with any applicable restrictions under Data Privacy Laws on combining the Personal Data with personal data that Watershed receives from, or on behalf of, another person or persons, or that Watershed collects from any interaction between it and any individual; and
      5. not otherwise engage in any Processing of the Personal Data that is prohibited or not permitted by Processors or Service Providers under Data Privacy Laws.
    4. Customer retains the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data, including any use of Personal Data not expressly authorized in this DPA.
  3. Personal Data Processing Requirements. Watershed will:
    1. Provide the same level of privacy protection for the Personal Data as is required under Data Privacy Laws applicable to Customer.
    2. Ensure that the persons it authorizes to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
    3. Assist Customer in the fulfilment of Customer’s obligations to respond to verifiable requests by Data Subjects (or their lawful representatives) for exercising their rights under Data Privacy Laws (such as rights to access or delete Personal Data), such as by making available functionality for Customer to honor such requests within the Services.
    4. Provide reasonable assistance to and cooperation with Customer for Customer’s performance of a data protection impact assessment of Processing or proposed Processing of Personal Data, when required by applicable Data Privacy Laws.
    5. Provide reasonable assistance to and cooperation with Customer for Customer’s consultation with regulatory authorities in relation to the Processing or proposed Processing of Personal Data, including complying with any obligation applicable to Watershed under Data Privacy Laws to consult with a regulatory authority in relation to Watershed’s Processing or proposed Processing of Personal Data.
    6. Notify Customer of (i) any third-party or Data Subject complaints regarding the Processing of Personal Data; or (ii) any government or Data Subject requests for access to or information about Watershed’s Processing of Personal Data on Customer’s behalf, unless prohibited by Data Privacy Laws. If Watershed receives a third-party, Data Subject, or governmental request, Watershed will await written instructions from Customer on how, if at all, to assist in responding to the request. Watershed will provide Customer with reasonable cooperation and assistance in relation to any such request.
    7. Immediately notify Customer if Watershed determines that (a) it can no longer meet its obligations under this DPA or Data Privacy Laws; or (b) it has breached this DPA, and shall cooperate to remediate such breach; or (c) in Watershed’s opinion, an instruction from Customer infringes Data Privacy Laws.
  4. Data Security. Watershed will implement appropriate administrative, technical, physical, and organizational measures to protect Personal Data, as set forth in Exhibit B.
  5. Security Breach. Watershed will notify Customer promptly, and in any event within seventy-two (72) hours, of any Security Breach that compromises the availability, security, or integrity of the Personal Data. Notification shall not be deemed to constitute an admission of fault or liability by Watershed for the Security Breach. Watershed will comply with the Security Breach-related obligations directly applicable to it under Data Privacy Laws and will assist Customer in Customer’s compliance with its Security Breach-related obligations, including without limitation by:
    1. At Watershed’s own expense, taking steps to mitigate the effects of the Security Breach and reduce the risk to Data Subjects whose Personal Data was involved; and
    2. Providing Customer with the following information, to the extent known:
      1. The nature of the Security Breach, including, where possible, how the Security Breach occurred, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned;
      2. The likely consequences of the Security Breach; and
      3. Measures taken or proposed to be taken by Watershed to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.
  6. Subprocessors.
    1. Customer acknowledges and agrees that Watershed may use Subprocessors to Process Personal Data in accordance with the provisions within this DPA and Data Privacy Laws. Where Watershed sub-contracts any of its rights or obligations concerning Personal Data to a Subprocessor, Watershed will: (i) take steps to select and retain Subprocessors that are capable of maintaining appropriate privacy and security measures to protect Personal Data consistent with applicable Data Privacy Laws; and (ii) require that each Subprocessor complies with obligations that are no less restrictive than those imposed on Watershed under this DPA.
    2. To the extent Watershed Processes Personal Data subject to applicable Data Privacy Laws in the European Economic Area (“EEA”), Switzerland, or the United Kingdom (“UK”), a current list of Watershed’s Subprocessors is available at https://trust.watershed.com/subprocessors, and Customer hereby consents to Watershed’s use of such Subprocessors. Watershed will maintain an up-to-date list of its Subprocessors available at https://trust.watershed.com/subprocessors. In the event Customer objects to a new Subprocessor, Watershed will not transfer Personal Data to the new Subprocessor unless and until Customer’s objections are resolved. The Parties will cooperate in good faith to resolve the objection, but if they are unable to do so within a reasonable time, Customer may terminate the Agreement. If Customer terminates the Agreement pursuant to this Section 6(b), Customer shall be entitled to a pro-rata refund of any prepaid fees for services not provided by Watershed from the date of termination.
  7. Data Transfers.
    1. Watershed will not engage in any cross-border Processing of Personal Data, or transmit, directly or indirectly, any Personal Data to any country outside of the country from which such Personal Data was collected, without complying with applicable Data Privacy Laws. Where Watershed engages in an onward transfer of Personal Data, Watershed shall ensure that a lawful data transfer mechanism is in place prior to transferring Personal Data from one country to another.
    2. To the extent legally required, by entering into this DPA, Customer and Watershed are deemed to have signed the EU SCCs, which form part of this DPA and (except as described in Sections 7(c) and (d) below) will be deemed completed as follows:
      1. Module 2 of the EU SCCs applies to transfers of Personal Data from Customer (as a Controller) to Watershed (as a Processor) and Module 3 of the EU SCCs applies to transfers of Personal Data from Customer (as a Processor) to Watershed (as a Subprocessor);
      2. Clause 7 of Modules 2 and 3 (the optional docking clause) is not included;
      3. Under Clause 9 of Modules 2 and 3 (Use of sub-processors), the Parties select Option 2 (General written authorization). The initial list of Subprocessors is available at https://trust.watershed.com/ and Watershed shall update that list in accordance with Section 6(b) of this DPA;
      4. Under Clause 11 of Modules 2 and 3 (Redress), the optional language requiring that data subjects be permitted to lodge a complaint with an independent dispute resolution body shall not be deemed to be included;
      5. Under Clause 17 of Modules 2 and 3 (Governing law), the Parties choose Option 1 (the law of an EU Member State that allows for third-Party beneficiary rights). The Parties select the law of Ireland;
      6. Under Clause 18 of Modules 2 and 3 (Choice of forum and jurisdiction), the Parties select the courts of Ireland;
      7. Annex I(A) and I(B) of Modules 2 and 3 (List of Parties) is completed as set forth in Exhibit A of this DPA;
      8. Under Annex I(C) of Modules 2 and 3 (Competent supervisory authority), the Parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission.
      9. Annex II of Modules 2 and 3 (Technical and organizational measures) is completed with Exhibit B of this DPA; and
      10. Annex III of Modules 2 and 3 (List of subprocessors) is not applicable as the Parties have chosen General Authorization under Clause 9.
    3. To the extent legally required, by entering into this DPA, the Parties are deemed to be signing the UK SCCs, which form part of this DPA and take precedence over the rest of this DPA as set forth in the UK SCCs. The Tables within UK SCCs are deemed completed as follows:
      1. Table 1: The Parties’ details shall be the Parties and their affiliates to the extent any of them is involved in such transfer, and the Key Contact shall be the contacts set forth in the Agreement.
      2. Table 2: The Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the Parties and completed in Section 7(b) of this DPA.
      3. Table 3: Annexes I and II are set forth in Exhibits A and B below, respectively. Annex III is inapplicable.
      4. Table 4: Either Party may end this DPA as set out in Section 19 of the UK SCCs.
      5. By entering into this DPA, the Parties are deemed to be signing the UK SCCs.
    4. For transfers of Personal Data that are subject to the FADP, the EU SCCs form part of this DPA as set forth in Section 7(b) of this DPA, but with the following differences to the extent required by the FADP: (1) references to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR; (2) references to personal data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope; (3) the term “member state” in the EU SCCs shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; and (4) the relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and GDPR apply, respectively).
  8. Audits. Subject to the conditions set forth herein, Watershed will make available to Customer all information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, provided that such audit shall occur not more than once every twelve (12) calendar months, upon thirty (30) days’ prior written notice and during Watershed’s normal business hours.
    1. If the requested audit scope is addressed in an audit report issued by a third-party auditor within the prior twelve (12) months, and Watershed provides such report to Customer confirming there are no known material changes in the controls audited, Customer agrees to accept the findings presented in the third-party audit report in lieu of requesting an audit of the same controls covered by the report.
    2. In the event an audit report is not provided, any audit, whether by Customer or a third party shall (i) be conducted only on an agreed date during normal business hours (9:00 a.m. – 5:00 p.m. local time); (ii) be limited to no more than one business day; and (iii) be conducted subject to Customer’s payment of Watershed’s then-current audit fee (except where an audit is conducted in response to a Security Breach).
    3. If a third party will conduct the audit, the third-party auditor must be mutually agreed to by the parties (without prejudice to any governmental authority’s audit power). Watershed will not unreasonably withhold its consent to a third-party auditor requested by Customer. Any third-party auditor must execute a written confidentiality agreement acceptable to Watershed.
    4. Customer must promptly provide Watershed with the results of any audit, including any third-party audit report. All such results and reports, and any other information obtained during the audit (other than Customer’s Personal Data), are confidential information of Watershed.
    5. Nothing herein shall require Watershed to disclose or make available (i) any data of any other customer of Watershed; (ii) Watershed’s internal accounting or financial information; (iii) any trade secret of Watershed; (iv) any information that, in Watershed’s reasonable opinion, could (1) compromise the security of Watershed systems or premises; or (2) cause Watershed to breach its obligations under applicable law or its security and/or privacy obligations to any third party; or (v) any information sought for any reason other than the good-faith fulfillment of Customer’s obligations under the EU SCCs, UK SCCs, or Data Privacy Laws.
    6. Customer agrees that any audit conducted in accordance with this Section 8 satisfies Watershed’s audit obligations under Data Privacy Laws.
  9. Return or Destruction of Personal Data. Except to the extent required otherwise by Data Privacy Laws, Watershed will, at the choice of Customer, return to Customer and/or securely destroy all Personal Data upon (a) written request of Customer or (b) termination of the Agreement. Except to the extent prohibited by Data Privacy Laws, Watershed will inform Customer if it is not able to return or delete the Personal Data. For the avoidance of doubt, Watershed may retain Personal Data that is included in routine backups, and the provisions of this DPA will apply to such Personal Data for as long as Watershed retains it.
  10. Indemnification and Limitation of Liability. To the extent permitted by Data Privacy Laws, the Parties will indemnify each other and their liability will be limited as provided in the Agreement.
  11. Survival. The provisions of this DPA survive the termination or expiration of the Agreement for so long as Watershed or its Subprocessors Process the Personal Data.

Exhibit A

ANNEX I TO THE EU SCCS


A. LIST OF PARTIES

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

Data exporter(s):

Name: Customer, as identified in the Agreement.

Address: As provided in the Agreement.

Contact person’s name, position, and contact details: As provided in the Agreement.

Activities relevant to the data transferred under these Clauses: The data exporter receives the data importer’s Services pursuant to their underlying Agreement.

Signature and date: The Parties agree that execution of the Agreement shall constitute execution of these EU SCCs by both Parties.

Role: Controller or Processor

Data importer(s):

Name: Watershed, as identified in the Agreement.

Address: As provided in the Agreement.

Contact person’s name, position, and contact details: As provided in the Agreement.

Activities relevant to the data transferred under these Clauses: The data importer provides Services to the data exporter and its customers pursuant to their underlying Agreement.

Signature and date: The Parties agree that execution of the Agreement shall constitute execution of these EU SCCs by both Parties.

Role: Processor


B. DESCRIPTION OF TRANSFER

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

Categories of data subjects whose personal data is transferred:

Watershed does not process Personal Data as part of providing the Services to Customer, but if Customer nonetheless provides Personal Data to Watershed through the Services, Watershed will process that Personal Data in accordance with this DPA.

Categories of personal data transferred:

Watershed does not process Personal Data as part of providing the Services to Customer, but if Customer nonetheless provides Personal Data to Watershed through the Services, Watershed will process that Personal Data in accordance with this DPA.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

Not applicable.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

Continuous for the duration of the Agreement.

Nature of the processing:

Data importer’s Processing activities shall be limited to those discussed in the Agreement and the DPA.

Purpose(s) of the data transfer and further processing:

The objective of the transfer and further Processing of Personal Data by Watershed is to provide the Services to the Customer.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

Personal Data will be retained for the period of time necessary to provide the Services to Customer under the Agreement, the DPA, and/or in accordance with applicable legal requirements.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

Same as above to the extent such information is provided to Subprocessors for purposes of providing the Services.

C. COMPETENT SUPERVISORY AUTHORITY

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

To the extent legally permitted, the competent supervisory authority is the Irish Data Protection Commission.


Exhibit B

WATERSHED DATA SECURITY MEASURES

Watershed will implement and maintain the following administrative, technical, physical, and organizational security measures for the Processing of Personal Data:

1. Use Restrictions

Watershed shall only access and use Personal Data in accordance with Data Privacy Laws and the DPA, to fulfill its obligations under the Agreement or as explicitly directed by Customer, and for no other purposes.

2. Information Security Management

Watershed agrees to establish and maintain a written information security and privacy program (“Information Security Program” or “ISP”) containing policies, procedures and controls to manage access to systems and data that are no less rigorous than accepted industry practices, including the following:

  1. Restriction of access to Personal Data to only those personnel, subcontractors or agents (“Data Personnel”) requiring access to fulfill Watershed’s obligations under the Agreement or DPA, consistent with the concepts of least privilege and need-to-know. Additional measures with respect to Data Personnel include:
    1. immediately terminating access privileges to systems and data for any Data Personnel that no longer need such access, and conducting reviews of access lists to ensure that access privileges have been appropriately provisioned and terminated no less than quarterly;
    2. providing ongoing training and awareness materials on the Information Security Program to all Data Personnel, including on the topics of phishing and social engineering; and
    3. applying the concept of separation of duties for all Data Personnel roles with access to Personal Data.
  2. Maintenance of appropriate network security measures, including but not limited to firewalls to segregate internal networks from the internet, risk-based network segmentation, and intrusion prevention or detection systems to alert Watershed to suspicious network activity.
  3. Performance of security testing on any applications or application code provided to or developed on behalf of Watershed to ensure that the application or application code is secure against any vulnerabilities that are identified through industry standard testing, and any vulnerabilities reported to Watershed by any third party.
  4. Performance of regular vulnerability scans and assessments on all systems storing, processing, or transmitting Personal Data to identify all potential vulnerabilities on such systems.
  5. Risk-prioritized remediation of identified vulnerabilities in a timely manner, including timely implementation of all manufacturer- and developer-recommended security updates and patches to operating systems and third-party software storing, processing, or transmitting Personal Data, or otherwise installed on Watershed systems.
  6. Performance of periodic penetration tests as needed.
  7. Installation of antivirus and malware protection software with up-to-date definitions and signatures on all Watershed workstations.
  8. Enforcement of complex password requirements on all Watershed systems.
  9. Use of strong encryption for all authentication credentials to prevent unauthorized account access.
  10. Implementation of secure workstation protection policies for Watershed systems.
  11. Encryption of all Personal Data in transit and at rest using robust encryption algorithms and in accordance with industry standards for secure key and protocol negotiation and key management, including full disk encryption for all Watershed workstations.
  12. Requirement that all remote network and system access to Watershed systems utilize multi-factor authentication.

3. Physical Security

  1. Access to Watershed facilities (including offices and coworking spaces) shall be restricted to personnel with authorized access on a need-to-know basis. Restricted areas of facilities, such as server rooms if applicable, shall be subject to risk-appropriate access controls, such as by requiring key cards and/or PINs for entry. Watershed shall regularly review audit trails of access to these restricted areas.
  2. Watershed shall identify and log all visitors to its facilities and ensure that visitors to restricted areas are escorted by Watershed personnel at all times.
  3. Watershed shall implement and enforce “clean desk” (i.e., prohibiting documents with sensitive data from being left on desks, tables, etc. after work hours or for prolonged periods) policies throughout its facilities.

4. Business Continuity & Disaster Recovery

Watershed shall maintain appropriate business continuity and disaster recovery procedures to ensure prompt resumption and continuation of Watershed services in the event of a disruption. Watershed shall periodically test these procedures and provide information about them to Customer upon request.

5. Subcontracting

  1. Watershed shall implement and maintain a documented vendor risk management program to ensure that:
    1. due diligence is conducted on any prospective subcontractor to ensure that they are capable of meeting the security standards outlined in this Exhibit B; and
    2. the subcontractor is contractually required to comply with the terms of this Exhibit B.

6. Compliance Monitoring

  1. Watershed shall regularly test and monitor the effectiveness of the security practices and procedures in the ISP, and will evaluate and adjust the ISP and information security safeguards in light of the results of the testing and monitoring, any material changes to its operations or business arrangements, or any other circumstances that Watershed knows or reasonably should know may have a material effect on its ISP and information security safeguards.
  2. Upon request of Customer, Watershed shall provide a copy of its most current third-party information security audit report and/or certification, if any.

7. Security Breach Notification

  1. Watershed will notify Customer promptly, and in any event within seventy-two (72) hours, of any Security Breach that compromises the availability, security, or integrity of the Personal Data. Notification shall not be deemed to constitute an admission of fault or liability by Watershed for the Security Breach. Watershed will comply with the Security Breach-related obligations directly applicable to it under Data Privacy Laws and will assist Customer in Customer’s compliance with its Security Breach-related obligations, including without limitation by:
    1. At Watershed’s own expense, taking steps to mitigate the effects of the Security Breach and reduce the risk to Data Subjects whose Personal Data was involved; and
    2. Providing Customer with the following information, to the extent known:
      1. The nature of the Security Breach, including, where possible, how the Security Breach occurred, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned;
      2. The likely consequences of the Security Breach; and
      3. Measures taken or proposed to be taken by Watershed to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.

8. Deletion of Data

At Customer’s direction at any time, and in any event upon termination or expiration of the Agreement, except to the extent required by Data Privacy Laws, Watershed shall, and shall cause its representatives to, promptly return to Customer or, if so directed by Customer, securely destroy any and all Personal Data.