Decidr Client Data Processing Addendum
This Data Processing Addendum (“DPA”) is incorporated by reference into the Order Form or Master Agreement between Decidr and the Client (the “Agreement”). By executing an Order Form that references the Agreement, the Client agrees to the terms of this DPA.
By executing an Order Form or Agreement that incorporates this DPA by reference, Client is deemed to have accepted the terms of this DPA on behalf of itself and, to the extent required under applicable law, on behalf of its Data Controller Affiliates (defined below) (collectively, “Client”). For the purposes of this DPA only, and except as otherwise indicated, the term “Client” will include Client and its Data Controller Affiliates.
- Data Processing
- Scope and Roles: This DPA applies when Client Personal Data is processed by Decidr under applicable Data Protection Law. In this context, where the law provides for the roles of “controller” and “processor,” Client is the Controller of the Client Personal Data covered by this DPA, and Decidr will be a Processor processing Client Personal Data on behalf of Client and this DPA will apply accordingly.
- Details of Data Processing.
- Subject Matter. The subject matter of the data Processing under this DPA is Client Personal Data.
- Duration. The duration of the Processing under this DPA is determined by the Agreement. Regardless of whether the Agreement has terminated or expired, this DPA will remain in effect until, and automatically expire when, Decidr deletes or anonymizes all Client Personal Data as described in the Agreement.
- Purpose. The purpose of the processing under the DPA is the provision of the Services by Decidr to Client as specified in the Agreement.
- Nature of the Processing. Client Personal Data is processed by Decidr in connection with the Services under the Agreement and/or any applicable Order.
- Categories of Data Subjects. The Data Subjects of Client may include Client’s Authorised Users, employees, contractors, suppliers, or other third parties whose Personal Data is uploaded by Client for use in connection with the Services.
- Categories of data. Identifiers (contact details including name, email, phone number, and addresses); Employment Data (professional data, contact details, hours worked, site access); IT Data (IP addresses, browser type, language preferences, cookies data); and other Personal Data that Client or its Authorised Users elect to submit to the Services.
- Special categories of data (if appropriate). Decidr and/or its Subprocessors do not intentionally collect or process any special categories of data in connection with the provision of the Services under the Agreement. However, Client or its Affiliates may choose to include this type of data within content that the Client instructs Decidr to process on its behalf.
- Compliance with the laws. Each party will comply with all laws, rules, and regulations applicable to it and binding on it in the performance of this DPA.
- Documented Instructions
- Client Instructions. Client will, in its use of the Services, at all times provide documented instructions to Decidr for the Processing of Client Personal Data, in compliance with applicable Law. The Parties agree that this DPA and the Agreement constitute Client’s documented instructions regarding Decidr’s Processing of Client Personal Data (“Documented Instructions”). Decidr will Process Client Personal Data in accordance with Client’s Documented Instructions. Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between Decidr and Client, including agreement on any additional fees payable by Client to Decidr for carrying out such instructions.
- Obligations and Indemnity. Client will ensure that its Documented Instructions comply with all laws, rules, and regulations applicable to the Client Personal Data, and that the Processing of Client Personal Data per Client's Documented Instructions will not cause Decidr to be in breach of applicable Data Protection Law. Client is solely responsible for the accuracy, quality, and legality of (a) the Client Personal Data provided to Decidr by or on behalf of Client; (b) how Client acquired any such Client Personal Data (e.g., appropriate notice and/or consent); and (c) the Documented Instructions it provides to Decidr regarding the Processing of such Personal Data. Client will not provide or make available to Decidr any Personal Data in violation of the Agreement, this DPA, or otherwise inappropriate for the nature of the Services and will indemnify Decidr from all claims and losses in connection therewith.
- Confidentiality of Client Personal Data. Decidr will not access or use, or disclose to any third party, any Client Personal Data, except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with the law, a Public Authority Request and/or a valid and binding order of a governmental body (such as a subpoena or court order). If a governmental body sends Decidr a demand for Client Personal Data, Decidr will attempt to redirect the governmental body to request that data directly from Client. As part of this effort, Decidr may provide Client’s basic contact information to the governmental body. If compelled to disclose Client Personal Data to a governmental body, then Decidr will give Client reasonable notice of the demand to allow Client to seek a protective order or other appropriate remedy unless Decidr is legally prohibited from doing so.
- Authorised persons. Decidr will ensure that all persons authorised to Process Client Personal Data on behalf of Decidr are made aware of the confidential nature of the Client Personal Data, and have committed themselves to confidentiality (e.g., by confidentiality agreements) or are under an appropriate statutory obligation of confidentiality.
- Authorised Subprocessors. Client hereby generally authorizes Decidr to engage Subprocessors in accordance with this Section 5. If Client transfers Client Personal Data to Decidr, the above authorization will constitute Client's prior written consent to the subcontracting by Decidr of the Processing of Client Personal Data if such consent is required. Decidr may remove, replace, or appoint suitable and reliable Subprocessors.
- Security; Audits; Personal Data Breach; Impact Assessments
- Updates to Decidr Security Controls. Client is responsible for reviewing the information made available by Decidr relating to data security and making an independent determination as to whether Decidr’s Security Controls meet Client’s requirements and legal obligations under applicable law. Client acknowledges that the Security Controls are subject to technical progress and development and that Decidr may update or modify the Security Controls from time to time, provided that such updates and modifications do not materially degrade the overall security of the Services during the Subscription Term.
- Confidential Security Reports and Audits. For the duration of its processing of Client Personal Data, Decidr will maintain compliance with appropriate security standards for its industry. Upon request, Decidr will, no more than once per calendar year, make available for Client’s review a summary copy of an audit report(s) (“Report”) that reflects such compliance; a request may be made by emailing Decidr at dpareport@decidr.ai. Client acknowledges and agrees that such Reports are Decidr’s Confidential Information. Decidr will also provide a requesting Client with a Report and/or confirmation of Decidr’s own audits and/or a report of third-party auditors’ audits of its Subprocessors that have been provided by those Subprocessors to Decidr, to the extent such reports or evidence may be shared with Client (“Third-party Subprocessor Audit Reports”). Client acknowledges that (a) Reports and Third-party Subprocessor Audit Reports will be considered Confidential Information as well as confidential information of the third-party Subprocessor, and (b) certain third-party Subprocessors to Decidr may require Client to execute a non-disclosure agreement with them in order to view a Third-party Subprocessor Audit Report.
- Personal Data Breach. In the event of a Personal Data Breach, except where prohibited by law, Decidr will notify Client without undue delay and otherwise respond as described below. In addition, Decidr will, taking into account the nature of the Processing and the information available to Decidr, assist Client in ensuring compliance with its obligations under applicable Data Protection Law to conduct a data protection impact assessment where required.
- Practices. Decidr does and will (a) maintain and follow a documented incident response plan and associated procedures consistent with industry standards for Personal Data Breach handling; (b) investigate any Personal Data Breach of which Decidr becomes aware and, within the scope of the Services, take such steps as Decidr in its sole discretion deems necessary and reasonable to remediate such Personal Data Breach; and (c) notify Client without undue delay upon confirmation of a Personal Data Breach that is known or reasonably suspected by Decidr to affect Client Personal Data, and provide Client with reasonably requested information about such Personal Data Breach and the status of the remediation and restoration activities. The obligations herein will not apply to a Personal Data Breach caused by Client, Client’s Authorised Users or misuse of Client’s Access Credentials. Decidr’s obligation to report or respond to a Personal Data Breach is not and will not be construed as an acknowledgement by Decidr of any fault or liability of Decidr with respect to the Personal Data Breach.
- Decidr Assistance with Data Subject Requests. Decidr will inform Client of requests from Data Subjects exercising their Data Subject rights under applicable Data Protection Law (e.g., including but not limited to rectification, deletion and blocking of data) addressed directly to Decidr regarding Client Personal Data. Client will be responsible for handling such requests of Data Subjects. Upon a written request for assistance by Client, Decidr will reasonably assist Client with handling such Data Subject request. Decidr may charge Client no more than a reasonable charge to perform such assistance, and such charges will be set forth in a quote and agreed in writing by the Parties, or as set forth in the Agreement. If Client does not agree to the quote, the Parties agree to reasonably cooperate to find a feasible solution.
- International Transfers of Personal Data
- U.S. Based Processing; Notification of Changes. Client acknowledges and agrees that Decidr may transfer and process Client Personal Data to and in the United States and anywhere else in the world where Decidr, its Affiliates, or its Subprocessors maintain data processing operations. Decidr will ensure that such transfers are made in compliance with applicable Data Protection Law and this DPA.
- Effect of Termination.
- Upon termination or expiration of the Agreement, Decidr will (at Client's written request) anonymize all Client Personal Data in its possession or control. This requirement will not apply to the extent Decidr is required by applicable law to retain some or all of the Client Personal Data.
- Client acknowledges that the Services are used as a system of record and that data uploaded to the Services is required to be retained under applicable laws for the establishment, exercise, or defense of legal claims. As an equivalent to deletion, Decidr will permanently and securely anonymise Client Personal Data to the extent no individual could be identified.
- Indemnification by Client. To the maximum extent permitted by applicable law and in addition to any other remedy that is available, including the indemnities provided in the Agreement, Client agrees to defend, indemnify and hold harmless Decidr, its Affiliates and Decidr’s Subprocessors, including their respective officers, directors, employees, agents, successors, representatives, resellers and assigns (each, a “Decidr Indemnitee”) from and against any and all Losses resulting from Client’s violation of this DPA and/or the infringement or violation by Client, its Authorised Users, or any other user of Client’s Access Credentials, of any privacy or other right of any person under applicable Data Protection Law.
- Limitation of Liability
- Exclusion of Damages. Under no circumstances and regardless of the nature of any action will the Decidr Indemnitees be liable, directly or indirectly, in whole or in part, to Client or to any other person or entity for any Losses or loss, damage, corruption or recovery of Client Personal Data arising from or relating to Client’s breach of its obligations in this DPA.
- Limitation of Liability. Each Party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Client and its Data Controller Affiliates and Decidr, whether in contract, tort or under any other theory of liability, is subject to the “Limitation of Liability” section of the Agreement and the applicable cap (maximum) for the relevant party set forth in the Agreement. Any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together. For the avoidance of doubt, the Decidr Indemnitees’ total liability for all Actions by Client and all of Client’s Affiliates (including Data Controller Affiliates) arising out of or related to the Agreement and all DPAs will apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, and, in particular, will not be understood to apply individually and severally to Client and/or to any Client Affiliate that is a contractual party to any such DPA. To the extent required by applicable law, (a) this Section is not intended to modify or limit the Parties’ liability for Data Subject claims made against a Party where there is joint and several liability under Data Protection Law, or (b) limit either Party’s responsibility to pay penalties imposed on such Party by a regulatory authority.
- Survival of the DPA. This DPA will continue in force until the termination of the Agreement (the “Termination Date”), provided that the data protection obligations of this DPA and the SCCs will continue to apply for so long as Decidr processes Client Personal Data.
- Severance. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA will remain valid and in force. The invalid or unenforceable provision will be either (a) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein.
- Entire Agreement; Order of Precedence. Except as supplemented by this DPA, the Agreement will remain in full force and effect. Any conflict between the terms of the Agreement and this DPA related to the processing of Client Personal Data is resolved in the following order of priority: (1) the Standard Contractual Clauses, where applicable; (2) the DPA; and (3) the Agreement.
- Definitions. Unless otherwise defined in the Agreement, all capitalized terms used in this DPA will have the meanings given to them below:
- “Access Credentials” means any user name, identification number, password, license or security key, security token, PIN, or other security code, method, technology, or device used, alone or in combination, to verify an individual’s identity and authorization to access and use the Services.
- “Action” means any claim, action, cause of action, demand, lawsuit, arbitration, inquiry, audit, notice of violation, proceeding, litigation, citation, summons, subpoena, or investigation of any nature, civil, criminal, administrative, regulatory, or other, whether at law, in equity, or otherwise.
- “Affiliates”, “Client Data”, “Decidr”, and “Services” will each have the meaning ascribed to it in the Agreement.
- “Controller” means the entity (as a legal person) that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. Unless otherwise specified, Controller or "data exporter" refers to Client.
- “Client”, as used in this DPA, will include Client (as defined in the Agreement) and its Data Controller Affiliates.
- “Client Personal Data” means Client Data submitted to Decidr for Processing in connection with the Services pursuant to the Agreement, which contains Personal Data.
- “Data Controller Affiliates” means any of Client’s Affiliates that has not signed or otherwise accepted its own Order with Decidr and therefore would not be a “Client” as defined under the Agreement, but which is: (i) subject to Data Protection Law; and (ii) permitted to use the Decidr Services pursuant to the Agreement between Client and Decidr. For the avoidance of doubt, no third-party beneficiaries are intended.
- “Data Protection Law” means any data protection and privacy laws and regulations that are applicable to the processing of Client Personal Data by Decidr, including, where applicable, the laws listed in Decidr’s Jurisdiction Specific Terms, as may be amended, superseded, or replaced from time to time.
- “Data Subject” means the identified or identifiable person to whom Client Personal Data relates.
- “Documented Instructions” has the meaning ascribed in Subsection 2.1 of this DPA.
- “including” and its derivatives mean “including but not limited to.”
- “Losses” means any and all losses, damages, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs, or expenses of whatever kind, including reasonable attorneys’ fees, expert witness fees, settlement amounts, and the costs of enforcing any right to indemnification hereunder and the cost of pursuing any insurance providers.
- “Personal Data” means any data that relates to an identified or identifiable natural person, to the extent that such information is protected under applicable Data Protection Law.
- “Personal Data Breach” means a breach of security which results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Client Personal Data Processed by Decidr or Decidr’s Subprocessors.
- “Decidr Indemnitee” will have the meaning ascribed to it in Section 11, above.
- “Processing” (unless defined differently under applicable Data Protection Law) means any operation or set of operations which is performed upon Personal Data, manually or automatically, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- “Processor” means an entity which Processes Personal Data on behalf of the Controller pursuant to the Agreement. Processor or "data importer" in this DPA refers to Decidr.
- “Public Authority Request” means a request for information from a government agency or law enforcement authority, including a judicial authority.
- “Services” means Decidr’s Services as set forth in the Agreement.
- “Subprocessor” means any Processor engaged by Decidr to assist in processing Client Personal Data in connection with the Services per Client’s Documented Instructions under the terms of the Agreement and this DPA. Subprocessors may include Decidr’s Affiliates, but will exclude Decidr employees, contractors, and consultants.