Cloud Data Processing Addendum (Customers)
This Cloud Data Processing Addendum (including its appendices, the “Addendum”) is incorporated into the
Agreement(s) (as defined below) between Skysize and Customer.
1. Overview
This Addendum describes the parties’ obligations, including under applicable privacy, data security, and
data protection laws, with respect to the processing and security of Customer Data (as defined below). This
Addendum will be effective on the Addendum Effective Date (as defined below), and will replace any terms
previously applicable to the processing and security of Customer Data. Capitalized terms used but not
defined in this Addendum have the meaning given to them in the Agreement.
2. Definitions
2.1 In this Addendum:
• “Addendum Effective Date” means the date on which Customer accepted, or the parties
otherwise agreed to, this Addendum.
• “Additional Security Controls” means security resources, features, functionality,
and controls that Customer may use at its option and as it determines, including encryption, logging and
monitoring, identity and access management, security scanning, and firewalls.
• “Agreement” means the contract under which Skysize has agreed to provide the
applicable Services to Customer.
• “Applicable Privacy Law” means, as applicable to the processing of Customer Personal
Data, any national, federal, European Union, state, provincial or other privacy, data security, or data
protection law or regulation.
• “Customer Data”, if not defined in the Agreement, has the meaning given in Appendix
4 (Specific Products).
• “Customer Personal Data” means the personal data contained within the Customer Data,
including any special categories of personal data or sensitive data defined under Applicable Privacy Law.
• “Data Incident” means a breach of Skysize’s security leading to the accidental or
unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data on systems
managed by or otherwise controlled by Skysize.
• “EMEA” means Europe, the Middle East and Africa.
• “EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the
Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data
and on the free movement of such data, and repealing Directive 95/46/EC.
• “European Data Protection Law” means, as applicable: (a) the GDPR; or (b) the Swiss
FADP.
• “European Law” means, as applicable: (a) EU or EU Member State law (if the EU GDPR
applies to the processing of Customer Personal Data); (b) the law of the UK or a part of the UK (if the UK
GDPR applies to the processing of Customer Personal Data); or (c) the law of Switzerland (if the Swiss FADP
applies to the processing of Customer Personal Data).
• “GDPR” means, as applicable: (a) the EU GDPR; or (b) the UK GDPR.
• “Skysize’s Third-Party Auditor” means a Skysize-appointed, qualified and independent
third-party auditor, whose then-current identity Skysize will disclose to Customer.
• “Instructions” has the meaning given in Section 5.2 (Compliance with Customer’s
Instructions).
• “Notification Email Address” means the email address(es) designated by Customer in
the Admin Console or Order Form to receive certain notifications from Skysize.
• “Security Documentation” means the Compliance Certifications and the SOC Reports.
• “Security Measures” has the meaning given in Section 7.1.1 (Skysize’s Security
Measures).
• “Services” means the applicable services described in Appendix 4 (Specific
Products).
• “Supervisory Authority” means, as applicable: (a) a “supervisory authority” as
defined in the EU GDPR; or (b) the “Commissioner” as defined in the UK GDPR or the Swiss FADP.
• “Swiss FADP” means, as applicable, the Federal Act on Data Protection of 19 June
1992 (Switzerland) (with the Ordinance to the Federal Act on Data Protection of 14 June 1993) or the revised
Federal Act on Data Protection of 25 September 2020 (Switzerland) (with the Ordinance to the Federal Act on
Data Protection of 31 August 2022).
• “Term” means the period from the Addendum Effective Date until the end of Skysize’s
provision of the Services, including, if applicable, any period during which provision of the Services may
be suspended and any post-termination period during which Skysize may continue providing the Services for
transitional purposes.
• “UK GDPR” means the EU GDPR as amended and incorporated into UK law under the UK
European Union (Withdrawal) Act 2018, and applicable secondary legislation made under that Act.
2.2 The terms “personal data”, “data subject”, “processing”, “controller”, and “processor” as used in this
Addendum have the meanings given by Applicable Privacy Law or, absent any such meaning or law, by the EU
GDPR.
2.3 The terms “data subject”, “controller” and “processor” include “consumer”, “business”, and “service
provider”, respectively, as required by Applicable Privacy Law.
3. Duration
Regardless of whether the applicable Agreement has terminated or expired, this Addendum will remain in
effect until, and automatically expire when, Skysize deletes all Customer Data as described in this
Addendum.
4. Roles; Legal Compliance
4.1 Roles of Parties. Skysize is a processor and Customer is a controller or processor, as applicable, of
Customer Personal Data.
4.2 Processing Summary. The subject matter and details of the processing of Customer Personal Data are
described in Appendix 1 (Subject Matter and Details of Data Processing).
4.3 Compliance with Law. Each party will comply with its obligations related to the processing of Customer
Personal Data under Applicable Privacy Law.
4.4 Additional Legal Terms. To the extent the processing of Customer Personal Data is subject to an
Applicable Privacy Law described in Appendix 3 (Specific Privacy Laws), the corresponding terms in Appendix
3 will apply in addition to these General Terms and prevail as described in Section 14.1 (Precedence).
5. Data Deletion
5.1 Deletion by Customer. Skysize will enable Customer to delete Customer Data during the Term in a manner
consistent with the functionality of the Services. If Customer uses the Services to delete any Customer Data
during the Term and that Customer Data cannot be recovered by Customer, this use will constitute an
Instruction to Skysize to delete the relevant Customer Data from Skysize’s systems in accordance with
applicable law. Skysize will comply with this Instruction as soon as reasonably practicable and within a
maximum period of 180 days, unless European Law requires storage, where European Data Protection Law
applies, or applicable law requires storage, where any other Applicable Privacy Law applies.
5.2 Return or Deletion When Term Ends. If Customer wishes to retain any Customer Data after the end of the
Term, it may instruct Skysize in accordance with Section 9.1 (Access; Rectification; Restricted Processing;
Portability) to return that data during the Term. Subject to Section 5.3 (Deferred Deletion Instruction),
Customer instructs Skysize to delete all remaining Customer Data (including existing copies) from Skysize’s
systems at the end of the Term in accordance with applicable law. After a recovery period of up to 30 days
from that date, Skysize will comply with this Instruction as soon as reasonably practicable and within a
maximum period of 180 days, unless European Law requires storage, where European Data Protection Law
applies, or applicable law requires storage, where any other Applicable Privacy Law applies.
5.3 Deferred Deletion Instruction. To the extent any Customer Data covered by the deletion instruction
described in Section 5.2 (Return or Deletion When Term Ends) is also processed, when the applicable Term
under Section 5.2 expires, in relation to an Agreement with a continuing Term, such deletion instruction
will take effect with respect to such Customer Data only when the continuing Term expires. For clarity, this
Addendum will continue to apply to such Customer Data until its deletion by Skysize.
6. Data Security
6.1 Skysize’s Security Measures, Controls and Assistance.
6.1.1 Skysize’s Security Measures. Skysize will implement and maintain technical, organizational, and
physical measures to protect Customer Data against accidental or unlawful destruction, loss, alteration,
unauthorized disclosure or access as described in Appendix 2 (Security Measures) (the “Security Measures”).
The Security Measures include measures to encrypt Customer Data; to help ensure ongoing confidentiality,
integrity, availability and resilience of Skysize’s systems and services; to help restore timely access to
Customer Data following an incident; and for regular testing of effectiveness. Skysize may update the
Security Measures from time to time provided that such updates do not result in a material reduction of the
security of the Services.
6.1.2 Access and Compliance. Skysize will:
a. authorize its employees, contractors and Subprocessors to access Customer Data only as strictly necessary
to comply with Instructions;
b. take appropriate steps to ensure compliance with the Security Measures by its employees, contractors and
Subprocessors to the extent applicable to their scope of performance; and
c. ensure that all persons authorized to process Customer Data are under an obligation of confidentiality.
6.1.3 Additional Security Controls. Skysize will make Additional Security Controls available to:
a. allow Customer to take steps to secure Customer Data; and
b. provide Customer with information about securing, accessing and using Customer Data.
6.1.4 Skysize’s Security Assistance. Skysize will (taking into account the nature of the processing of
Customer Personal Data and the information available to Skysize) assist Customer in ensuring compliance with
its (or, where Customer is a processor, the relevant controller’s) obligations relating to security and
personal data breaches under Applicable Privacy Law, by:
a. implementing and maintaining the Security Measures in accordance with Section 6.1.1 (Skysize’s Security
Measures);
b. making Additional Security Controls available in accordance with Section 6.1.3 (Additional Security
Controls);
c. complying with the terms of Section 7.2 (Data Incidents);
d. making the Security Documentation available in accordance with Section 6.5.1 (Reviews of Security
Documentation) and providing the information contained in the applicable Agreement (including this
Addendum); and
e. if subsections (a)-(d) above are insufficient for Customer (or the relevant controller) to comply with
such obligations, upon Customer’s request, providing Customer with additional reasonable cooperation and
assistance.
6.2 Data Incidents.
6.2.1 Incident Notification. Skysize will notify Customer promptly and without undue delay after becoming
aware of a Data Incident, and promptly take reasonable steps to minimize harm and secure Customer Data.
6.2.2 Details of Data Incident. Skysize’s notification of a Data Incident will describe: the nature of the
Data Incident including the Customer resources impacted; the measures Skysize has taken, or plans to take,
to address the Data Incident and mitigate its potential risk; the measures, if any, Skysize recommends that
Customer take to address the Data Incident; and details of a contact point where more information can be
obtained. If it is not possible to provide all such information at the same time, Skysize’s initial
notification will contain the information then available and further information will be provided without
undue delay as it becomes available.
6.2.3 No Assessment of Customer Data by Skysize. Skysize has no obligation to assess Customer Data in order
to identify information subject to any specific legal requirements.
6.2.4 No Acknowledgement of Fault by Skysize. Skysize’s notification of or response to a Data Incident under
this Section 6.2 (Data Incidents) will not be construed as an acknowledgement by Skysize of any fault or
liability with respect to the Data Incident.
6.3 Customer’s Security Responsibilities and Assessment.
6.3.1 Customer’s Security Responsibilities. Without prejudice to Skysize’s obligations under Sections 6.1
(Skysize’s Security Measures, Controls and Assistance) and 7.2 (Data Incidents), and elsewhere in the
applicable Agreement, Customer is responsible for its use of the Services and its storage of any copies of
Customer Data outside Skysize’s or Skysize’s Subprocessors’ systems, including:
a. using the Services and Additional Security Controls to ensure a level of security appropriate to the risk
to the Customer Data;
b. securing the account authentication credentials, systems and devices Customer uses to access the
Services; and
c. backing up or retaining copies of its Customer Data as appropriate.
6.3.2 Customer’s Security Assessment. Customer agrees that the Services, Security Measures, Additional
Security Controls, and Skysize’s commitments under this Section 7 (Data Security) provide a level of
security appropriate to the risk to Customer Data (taking into account the state of the art, the costs of
implementation and the nature, scope, context and purposes of the processing of Customer Data as well as the
risks to individuals).
7. Access; Data Subject Rights; Data Export
7.1 Access; Rectification; Restricted Processing; Portability. During the Term, Skysize will enable Customer,
in a manner consistent with the functionality of the Services, to access, rectify and restrict processing of
Customer Data, including via the deletion functionality provided by Skysize as described in Section 6.1
(Deletion by Customer), and to export Customer Data. If Customer becomes aware that any Customer Personal
Data is inaccurate or outdated, Customer will be responsible for using such functionality to rectify or
delete that data if required by Applicable Privacy Law.
7.2 Data Subject Requests.
7.2.1 Responsibility for Requests. During the Term, if Skysize’s Cloud Data Protection Team receives a
request from a data subject that relates to Customer Personal Data and identifies Customer, Skysize will:
a. advise the data subject to submit their request to Customer;
b. promptly notify Customer; and
c. not otherwise respond to that data subject’s request without authorization from Customer.
Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Services.
7.2.2 Skysize’s Data Subject Request Assistance. Skysize will (taking into account the nature of the processing of Customer Personal Data) assist Customer in fulfilling its (or, where Customer is a processor, the relevant controller’s) obligations under Applicable Privacy Law to respond to requests for exercising the data subject’s rights by:
a. making Additional Security Controls available in accordance with Section 6.1.3 (Additional Security Controls);
b. complying with Sections 9.1 (Access; Rectification; Restricted Processing; Portability) and 7.2.1 (Responsibility for Requests); and
c. if subsections (a) and (b) above are insufficient for Customer (or the relevant controller) to comply with such obligations, upon Customer’s request, providing Customer with additional reasonable cooperation and assistance.