Legal

Data Processing Addendum

Last Updated: June 1, 2024

This Data Processing Addendum, including its Schedules, Exhibits, Appendices and Annexes (collectively, the “DPA”), is supplemental to, and forms an integral part of, the Services Agreement or other written or electronic agreement between Customer (or, if and when applicable, its Affiliate(s)) and Symphony Communication Services, LLC (or, if and when applicable, its Affiliate(s)) (“Symphony”). This DPA reflects the parties’ agreement with respect to the processing of Personal Data by Symphony on behalf of Customer. All capitalized terms not defined herein shall have the meaning set forth in the Service Agreement.

1. DEFINITIONS

1.1 For the purposes of the DPA, the capitalized terms will have the meanings set forth below:

“Account Data” means the Personal Data that relates to Customer’s relationship with Symphony, including the names and contact information of individuals authorized by Customer to access Customer’s account, and billing information of individuals that Customer has associated with its account.

“Applicable Data Protection Law” means any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument which implements, or which otherwise relates to Symphony’s Processing of Personal Data under the Service Agreement.

“Annual Security Audit” means a report of the annual assessment of Symphony’s security controls that is conducted by an independent third party.

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Customer” means the Customer entity to whom is party to the Service Agreement.

“Customer Audit” means Customer’s supplemental audit request to meet audit requirements under Applicable Data Protection Law.

“Data Subject” means an identified or identifiable natural person, where an “identifiable natural person” is one who can be identified, directly or indirectly, in particular, by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of the natural person.

“Personal Data” means any information received by Symphony (or its Affiliate(s)) from, or created or received by Symphony (or its Affiliate(s)) on behalf of, Customer, relating to a Data Subject.

“Process”, “Processes”, or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, including the collection, recording, organization, storage, updating, modification, retrieval, consultation, use, transfer, dissemination by means of transmission, distribution or otherwise making available, merging, linking as well as blocking, erasure or destruction.

“Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.

“Regulatory Authority” means any governmental, statutory or regulatory body or other competent authority in any jurisdiction (or persons or entities appointed by or on the direction of such authority or body) which has jurisdiction over Controller’s or Processor’s Processing of Personal Data.

“Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Personal Data on systems managed or otherwise controlled by Symphony.

“Sensitive Data” means (a) Personal Data revealing a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, (b) genetic data, biometric, or health information, (c) information about sexual life or sexual orientation, (d) criminal history, or (e) other information that falls within the definition of “special categories of data” under Applicable Data Protection Law.

“Service(s)” refers to the services supplied by Symphony or Affiliates, including but not limited to Cloud9 Technologies LLC, StreetLinx, Inc., and Amenity Analytics, Inc.

“Service Agreement” refers to the contractual agreement made between the parties under which Symphony or its Affiliate(s) provides Services to Customer, inclusive of the both the master service agreement (e.g., Symphony Service Agreement and Cloud9 Master Service Agreement) and any applicable service order(s).

“Sub-processor” means any processor engaged by Symphony or its Affiliates to assist in fulfilling its obligations with respect to providing the Service pursuant to the Agreement or this DPA. Sub-processors may include third parties or Affiliates of Symphony but shall exclude Symphony employees, contractors, or consultants.

“Transfer Mechanism” means any model contractual clauses approved by a Regulatory Authority for the cross-border transfer of Personal Data in certain jurisdictions.

“Usage Data” means data collected relating to the use of the Service.

2. ROLES AND RESPONSIBILITIES

2.1 Parties’ roles. As between the parties, Customer may act as Controller and/or Processor of Customer Personal Data and Symphony may act as Processor and/or Sub-processor of Customer Personal Data.

2.2 Purpose limitation. Symphony will Process Personal Data in order to provide the Service in accordance with the Service Agreement. Exhibit B (Processing Details) of this DPA further specifies the nature and purpose of the processing, the processing activities, the duration of the processing, the types of personal data and categories of data subjects.

2.3 Sensitive Data. Customer will not provide (or cause to be provided) any Sensitive Data to Symphony for processing under the Service Agreement, and Symphony shall have no liability whatsoever for Sensitive Data, whether in connection with a Security Incident or otherwise.

2.4 Customer compliance. Customer is responsible for ensuring that (a) it has complied, and will continue to comply with all applicable laws, including Applicable Data Protection Law, in its use of the Service and its own Processing of Personal Data and (b) it has, and will continue to have, the right to transfer, or provide access to, Personal Data for Symphony for Processing in accordance with the terms of the Service Agreement and the DPA. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired the Personal Data.

2.5 Lawfulness of Customer’s instructions. Customer will ensure that its instructions comply with Applicable Data Protection Law. Customer acknowledges that Symphony is neither responsible for determining which laws or regulations are applicable to Customer’s business nor whether Symphony’s provision of the Services meets or will meet the requirements of such laws or regulations. Customer will ensure that Symphony’s Processing of customer data, when done in accordance with Customer’s instructions, will not violate Applicable Data Protection Law. Symphony will inform Customer if it becomes aware, or reasonably believes, that Customer’s instructions violate any Applicable Data Protection Law.

3. SUBPROCESSING

3.1 Authorized Sub-processors. Customer agrees that Symphony may engage Sub-processors to process Customer Personal Data on Customer’s behalf. The Sub-processors currently engaged by Symphony and authorized by Customer are available here. Symphony will provide Customer with 14 days prior notice on this website if it intends to make any changes to its Sub-processors. Customer may receive notifications on new Sub-processors and updates to existing Sub-processors by subscribing for updates

3.2 Sub-processor’s obligations. Where Symphony authorizes any Sub-processor:

3.2.1 Symphony will restrict the Sub-processors access to Customer Personal Data only to what is necessary to assist Symphony in providing or maintaining the Services, and will prohibit the Sub-processor from accessing Customer Personal Data for any other purpose;

3.2.2 Symphony will enter into a written agreement with each Sub-processor containing data protection obligations that require the Sub-processor to protect the Customer Personal Data to the standard required by Applicable Data Protection Law; and

3.2.3 Symphony will remain liable for any breach of this DPA that is caused by an act, error, or omission of its Sub-processors.

3.3 Objection to Sub-processors. Customer may object to Symphony’s appointment or replacement of a Sub-processor prior to its appointment or replacement, provided such objection is in writing and based on reasonable grounds relating to data protection. In such event, the parties shall discuss such concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached within ninety (90) days from the date of Symphony’s receipt of Customer’s written objection, Symphony will, at its sole discretion, either not appoint such Sub-processor or permit Customer to suspend or terminate the affected Service in accordance with the termination provisions of the Service Agreement without liability to either party (without prejudice to any fees incurred by Customer prior to suspension or termination). If no objection has been raised prior to Symphony replacing or appointing a new Sub-processor, Symphony will deem Customer to have authorized the new Sub-processor.

4. SECURITY MEASURES AND INCIDENT RESPONSE

4.1 Security measures. Symphony has implemented and will maintain the technical and organisational security measures as set forth in the Service Agreement. The full text of Symphony’s technical and organisational security measures to protect Personal Data is available here.

4.2 Updates to security measures. Customer is responsible for reviewing the information made available by Symphony relating to data security and making an independent determination as to whether the Services meet the Customer’s requirements and legal obligations under Applicable Data Protection Law. Customer acknowledges that security measures are subject to technical progress and development and that Symphony may update or modify the security measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service provided to Customer.

4.3 Security Incident response. Upon becoming aware of a Security Incident, Symphony will notify Customer without undue delay and will provide updates to Customer. Symphony will reasonably cooperate with Customer as required to fulfill Customer’s obligations under Applicable Data Protection Law.

4.4 Customer responsibilities. Without prejudice to Symphony’s obligations under the Service Agreement and DPA, Customer is responsible for its secure use of the Services, including, among other things, securing its account authentication credentials, protecting the security of data in transit to and from the Service, and ensuring that any systems or devices from which it accesses the Service are free of viruses, worms, or other malicious computer code.

5. AUDITS

5.1 Symphony’s Audit program. At least once annually, Symphony will retain a nationally recognized independent third-party security auditor to verify the adequacy of Symphony’s security measures (“Annual Security Audit”). The Annual Security Audit and related information are Confidential Information of Symphony.

5.2 Customer Audits. Upon Customer’s written request, Symphony will make available to Customer a copy of its then-current Annual Security Audit. To the extent that Customer’s audit requirements under Applicable Data Protection Law cannot be satisfied through the Annual Security Audit, documentation or compliance information Symphony makes generally available to its customers, Symphony will promptly respond to Customer’s additional audit request (“Customer Audit”). Before commencing any Customer Audit, Customer and Symphony must mutually agree upon the scope, timing, duration, and control and evidence requirements. Among other things, any such Customer Audit must be done: (1) upon sufficient written notice to Symphony; (2) by an independent third party; (3) during regular business hours and so designed to minimize disruption to Symphony’s business; and (4) restricted in scope to the facilities, systems, and data related to the Processing of Customer’s Personal Data and does not involve access to data relating to other Symphony customers. Customer is responsible for all costs and expenses related to such audit, including all reasonable costs for any and all time Symphony expends for any such audit. For Symphony Customers, Customer’s additional audit request under this Section 5.2 will be deemed a “Regulatory Audit” under the Symphony Service Agreement.

6. CROSS-BORDER TRANSFERS

6.1 Data Storage and Processing Facilities. Symphony may Process any Customer data (including Personal Data) to and in the United States and anywhere in the world where Symphony, its Affiliates or its Sub-processors maintain data processing operations. Symphony will at all times provide an adequate level of protection of the Customer data processed in accordance with the requirements of Applicable Data Protection Law.

6.2 Jurisdiction-Specific Terms. To the extent Symphony processes Personal Data originating from and protected by Applicable Data Protection Law in one of the jurisdictions listed in Exhibit E (Jurisdiction-Specific Terms) of this DPA, the terms specified in Exhibit E with respect to the applicable jurisdiction(s) apply in addition to the terms of this DPA.

6.3 Cross-Border Data Transfer Mechanisms. To the extent Customer’s use of the Services requires an onward Transfer Mechanism to lawfully transfer Personal Data from a jurisdiction (e.g., the European Economic Area, the United Kingdom, and Switzerland) to Symphony located outside of that jurisdiction, the terms set forth in Exhibit E (Jurisdiction-Specific Terms) of this DPA will apply.

7. DATA SUBJECT RIGHTS AND COOPERATION

7.1 Data subject access requests. In the event that Symphony directly receives any request from a Data Subject to exercise any of its rights under Applicable Data Protection Law (including the rights of access, correction, erasure, and data portability, as applicable), Symphony will: (1) advise the Data Subject to submit their request to Customer; (2) promptly notify Customer; and (3) not otherwise respond to the Data Subject request without authorization from Customer unless legally compelled to do so. Customer and Symphony agree to cooperate, in good faith, as necessary to respond to any Data Subject request and fulfill their respective obligations under Applicable Data Protection Law.

7.2 Government requests. If Symphony receives a subpoena, court order, warrant or other legal demand from law enforcement or public or judicial authorities seeking the disclosure of Personal Data, Symphony shall, to the extent permitted by law, promptly notify Customer in writing of such request to allow Customer to seek protective order or other protective remedy.

7.3 Legal Compliance. To the extent Customer is required under Applicable Data Protection Law, Symphony will (at Customer’s expense) provide reasonably requested information regarding the Services to enable the Customer to carry out data protection impact assessments and prior consultations with Regulatory Authorities as required by law.

8. TERMINATION AND RETURN OR DELETION OF DATA

8.1 This DPA will terminate upon the cessation of all Processing of Personal Data by Symphony.

8.2 Upon termination of the Service Agreement and subject to the terms thereof, Symphony shall, at Customer’s election, delete or return all Personal Data (including copies) in its possession or control. This requirement shall not apply to the extent Symphony is required by applicable law or regulation to retain some, or all, of the Personal Data, or to Personal Data it has archived on back-up systems, provided such data remains protected according to the terms of the Service Agreement, this DPA, and Applicable Data Protection Law.

9. MISCELLANEOUS

9.1 Relationship with prior agreements. This DPA shall replace any existing data processing addendum, agreement, or similar document that the parties may have previously entered into in connection with the Service.

9.2 Limitation of Liability. Each party and all of its Affiliates’ liability taken together in the aggregate arising out of or related to this DPA shall be subject to the exclusions and limitations of liability set forth in the Service Agreement. Any claims against Symphony or its Affiliates under or in connection with this DPA shall be brought solely by the Customer entity that is a party to the Service Agreement. Notwithstanding the foregoing, in no event shall any party limit its liability with respect to an individual’s data protection rights under this DPA or Applicable Data Protection Law.

9.3 Updates. Symphony may update the terms of this DPA from time to time as the result of: (1) changes to Applicable Data Protection Law or in response to guidance or mandates issued by any court, regulatory body, or supervisory body with jurisdiction over Symphony; (2) merger, acquisition, or other similar transaction; and (3) the release of new products or services, or material changes to any existing services. Symphony will endeavor to provide prior written notice of any such changes to Customer by posting a notice on Symphony’s website and/or by emailing Customer’s designated contact.

9.4 Conflict. In event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) the applicable terms set forth in Exhibit D (Jurisdiction-Specific Terms) of this DPA; (2) the terms of this DPA outside of Exhibit D (Jurisdiction-Specific Terms); (3) the terms of the Service Agreement (including any Annexures, Exhibits, and Appendices thereto); and (4) the Symphony Privacy Policy.

9.5 Severability. If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.

9.6 Law. This DPA and any dispute or claims (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in all respects in accordance with the governing law and forum clause in the Service Agreement. To the extent that Applicable Data Protection Law identifies different governing law and forum with respect to Symphony’s Processing of certain Personal Data during the Service Agreement, said law and forum will take precedence, but only to the extent of the Jurisdiction-Specific Terms’ applicability to the data at issue.

EXHIBIT A – SYMPHONY ENTITIES

Symphony Communication Services, LLC is an operating company for the provision of Symphony communication services to financial customers worldwide. StreetLinx, Cloud9, and Amenity are wholly owned subsidiaries of Symphony Communication Services, LLC. Below is a list of relevant operating companies.

Symphony
Symphony Communication Services, LLC (U.S.)

StreetLinx
Streetlinx, Inc. (U.S.)

Cloud9
Cloud9 Technologies, LLC (U.S.)
Cloudnimbus Holdings Ltd. (U.K.)
Jetstream Technologies Pte. Ltd. (Singapore)
Jetstream Technologies (HK) Limited (Hong Kong)
Cloud9 Technologies G.K. (Japan)
C9 Technologies Canada ULC (Canada)
C9 Technologies Australia Pty Ltd (Australia)

Amentiy
Amenity Analytics, Inc. (U.S.)
Amenity Analytics LTD (Israel)

EXHIBIT B – PROCESSING DETAILS

A. LIST OF PARTIES

Customer:

Name: Customer entity that signed the Service Agreement, on behalf of itself and applicable Affiliates
Contact details: The email address(es) designated by Customer via its notification preferences in the Service Agreement or order form.
Activities relevant to the data transferred: Performance of the Services pursuant to the Service Agreement and this DPA.
Role: Customer’s role is as set forth in Section 2.1

Symphony:

Name: Symphony Communication Services, LLC, on behalf of itself and applicable Symphony Affiliates
Contact details: Corinna Mitchell, General Counsel, [email protected]
Activities relevant to the data transferred: Performance of the Services pursuant to the Service Agreement and this DPA.
Role: Symphony’s role is as set forth in Section 2.1.

B. DESCRIPTION OF TRANSFER

Categories of Data Subjects whose Personal Data is transferred

  • The categories of Data Subjects whose Personal Data is processing includes those individual end users provided account access to the Service (“Users”) and business contacts at Customer that have interacted with Symphony relating to the Service (“Contacts”).

Categories of Personal Data transferred

  • Customer may upload, submit, or otherwise provide Personal Data to the Service, the extent of which is typically determined by Customer in its sole discretion, and may include the following types of Personal Data.
    • Users: Identification information (e.g., first and last name); employment information (e.g., employer, job title, position, geographic location); contact information (e.g., username and email address); educational information (e.g., university); location information (e.g., IP address); and profile picture.
    • Contacts: Identification information (e.g., first and last name); employment information (e.g., employer, job title, position, geographic location); contact information (e.g., phone, username and email address); and location information (e.g., IP address).

Sensitive data transferred

  • Symphony does not want to, nor does it intentionally, collect or process any Sensitive Data in connection with the provision of the Services.

The frequency of the transfer

  • Continuous and as determined by Customer.

Nature of the Processing

  • The nature of the Processing is as necessary to further the performance of the Services in the Service Agreement and in accordance with this DPA.

Purpose(s) of the data transfer and further Processing

  • Symphony will Process Personal Data as necessary to perform its obligations pursuant to the Service Agreement and the DPA, and as further instructed by Customer in its use of the Services.

The period for which the Personal Data will be retained

  • Personal Data will be retained for the duration specified in the Service Agreement.

Transfers to Sub-processors

  • As necessary to further performance of the Services pursuant to the Service Agreement and in accordance with this DPA.

EXHIBIT C – TECHNICAL AND ORGANISATIONAL MEASURES

The full text of Symphony’s technical and organisational security measures to protect Personal Data is available here.

EXHIBIT D – SUB-PROCESSORS

Exhibit D Symphony maintains an up-to-date list of Sub-processors that may process Personal Data, as necessary for the delivery of the Services contracted in the Service Agreement between Customer and Symphony Communication Services, LLC or applicable Affiliate. The list is available here. Customers may subscribe to receive notifications of any updates.

EXHIBIT E – JURISDICTION-SPECIFIC TERMS

The terms of this Exhibit E only apply where the corresponding law applies to Symphony’s Processing of Personal Data from the named jurisdiction.

1. Alternative Transfer Mechanism

1.1 Symphony complies with the EU-US Data Privacy Framework (EU-US DPF), the UK Extension of the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF) as set forth by the US Department of Commerce. Symphony has certified to the US Department of Commerce that it adheres to the EU-US Data Privacy Framework Principles (EU-US DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-US DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-US DPF. Symphony has certified to the US Department of Commerce that it adheres to the Swiss-US Data Privacy Framework Principles (Swiss-US DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-US DPF. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

2. Australia

2.1 The definition of “Applicable Data Protection Law” includes the Australian Privacy Principles and the Australian Privacy Act (1988), as amended.

2.2 The definition of “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Law.

2.3 The definition of “Sensitive Data” includes “Sensitive Information” as defined under Applicable Data Protection Law.

2.4 To the extent that Symphony is a recipient of Personal Data protected by Australian Privacy Law, the parties acknowledge and agree that Symphony may transfer such Personal Data outside Australia as permitted by the terms agreed upon by the parties and subject to Symphony complying with this DPA and the Applicable Data Protection Law.

3. Brazil

3.1 The definition of “Applicable Data Protection Law” includes the Lei Geral de Proteção, Federal Law 13709/2018 (“LGPD”).

3.2 The definition of “Security Incident” includes a “security incident that may result in any relevant risk or damage to the data subjects.”

4. Canada

4.1 The definition of “Applicable Data Protection Law” includes the Federal Personal Information Protection and Electronic Documents Act (“PIPEDA”).

4.2 Symphony’s Sub-processors, as set forth in Section 3 of this DPA, are third parties under Applicable Data Protection Law, with whom Symphony has entered into a written contract that includes terms substantially similar to this Addendum. Symphony has conducted appropriate due diligence on its Sub-processors.

4.3 Symphony will implement the technical and organisational security measures to protect Personal Data as set forth here.

5. European Economic Area

5.1 The definition of “Applicable Data Protection Law” includes the General Data Protection Regulation, Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of national persons with respect to the processing of Personal Data (“GDPR”).

5.2EU SCCs” refers to the Standard Contractual Clauses for the transfer of Personal Data to processors in third countries pursuant to the GDPR and approved by the European Commission decision 2021/914, dated 4 June 2021.

5.3 The transfer of Personal Data subject to the GDPR to Symphony in the United States shall be pursuant to the Alternative Transfer Mechanism listed above in Section 1. In the event the Alternative Transfer Mechanism is determined not to constitute an adequate level of data protection under Applicable Data Protection Law, or Symphony has withdrawn from the Alternate Transfer Mechanism, the EU SCCs shall apply as the cross-border transfer mechanism. For transfers involving any other country not recognized as providing an adequate level of protection for personal data, the EU SCCs shall apply.

5.4 Where applicable, the EU SCCs shall be deemed executed by the parties and incorporated into and form an integral part of this DPA. The EU SCCs shall be completed as follows:

5.4.1 Module Two (Controller to Processor) of the EU SCCs will apply where the Customer is a Controller of Personal Data and Symphony is the Processor of Personal Data.

5.4.2 Module Three (Processor to Processor) of the EU SCCs will apply where Customer is a Processor of Personal Data and Symphony is also processing Personal Data.

5.5 For each Module, where applicable:

5.5.1 Clause 7: The optional “Docking clause” shall apply.

5.5.2 Clause 9: Option 2 for “General Written Authorization” shall apply and the time period for such prior written notice of Sub-processor changes will be 14 days.

5.5.3 Clause 11: The optional language for redress shall not apply.

5.5.4 Clause 17: The EU SCCs shall be governed by the law of the Republic of Ireland.

5.5.5 Clause 18(b): Disputes with respect to processing subject to the EU SCCs shall be before the courts in the Republic of Ireland.

5.5.6 Annex I: Part A: Customer is the Data exporter and Symphony is the Data importer. Customer’s and Symphony’s details and key contact information shall be as set forth in Exhibit B of this DPA.

5.5.7 Annex I: Part B: The description of transfer is provided in Exhibit B of the DPA.

5.5.8 Annex I: Part C: The Irish Data Protection Commission will be the competent supervisory authority.

5.5.9 Annex II: The summary of Symphony’s technical and organizational measures is available here.

5.5.10 Annex III: The list of Symphony’s Sub-processors is available here.

6. Singapore

6.1 The definition of “Applicable Data Protection Law” includes the Personal Data Protection Act 2012 (“PDPA”).

6.2 Symphony will process personal data to a standard of protection in accordance with the PDPA by implementing adequate technical and organizational measures as set forth here and complying with the terms of the Agreement.

7. Switzerland

7.1 The definition of “Applicable Data Protection Law” includes the Swiss Federal Act on Data Protection, as revised (“FDAP”).

7.2 The transfer of Personal Data from Switzerland to Symphony in the United States shall be pursuant to the Alternative Transfer Mechanism listed above in Section 1. In the event the Alternative Transfer Mechanism is determined not to constitute an adequate level of data protection under Applicable Data Protection Law, or Symphony has withdrawn from the Alternate Transfer Mechanism, the EU SCCs as modified shall apply as the cross-border data transfer mechanism. For transfers involving any other country not recognized as providing an adequate level of protection for personal data, the EU SCCs as modified shall apply.

7.3 Where applicable, the EU SCCs shall been deemed executed by the parties and modified as provided: (i) references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss FDPA; (ii) references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the Swiss FDPA; (iii) references to “EU”, “Union” and “Member State” shall be interpreted to include “Switzerland”; (iv) references to the “competent supervisory authority” and “competent courts” shall be replaced with “the Swiss Federal Data Protection and Information Commissioner” and “relevant courts in Switzerland”; (v) Clause 13(a) and Part C of Annex II shall be deleted; (vi) Clause 17 shall be replaced to state “The Clauses are governed by the laws of Switzerland”; and (vii) Clause 18 shall be replaced to state “Any dispute arising from these Clauses shall be resolved by the applicable courts of Switzerland. The parties agree to submit themselves to the jurisdiction of such courts.”

8. United Kingdom

8.1 The definition of “Applicable Data Protection Law” includes the corresponding laws and regulations of the United Kingdom, including without limitation, the UK GDPR and Data Protection Act 2018.

8.2UK IDTA” refers to the UK International Data Transfer Addendum to the EU SCCs issued by the Information Commissioner and effective as of March 21, 2022.

8.3 The transfer of Personal Data from the United Kingdom to Symphony in the United States shall be pursuant to the Alternative Transfer Mechanism listed above in Section 1. In the event the Alternative Transfer Mechanism is determined not to constitute an adequate level of data protection under Applicable Data Protection Law, or Symphony has withdrawn from the Alternate Transfer Mechanism, the EU SCCs shall apply as the cross-border transfer mechanism, as amended as specified by the UK IDTA. For transfers involving any other country not recognized as providing an adequate level of protection for personal data, the UK IDTA shall apply.

8.4 Where applicable, the UK IDTA shall be deemed executed by the parties and incorporated into and form an integral part of this DPA. The IDTA shall be completed as follows:

8.4.1 Table 1: Customer’s and Symphony’s details and key contact information shall be as set forth in Exhibit B of this DPA.

8.4.2 Table 2: Information about the version of the approved EU SCCs, modules, and selected clauses, which the UK IDTA is appended to, are set forth in Section 5.3 of this Exhibit D to the DPA.

8.4.3 Table 3: The list of parties and description of transfer is provided in Exhibit B of the DPA. The summary of Symphony’s technical and organizational measures is available here. The list of Symphony’s Sub-processors is available here.

8.4.4 Table 4: Shall be deemed completed by selecting “neither Party.”

9. United States of America – California

9.1 The definition of “Applicable Data Protection Law” includes the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (California Civil Code Sections 1798.100 to 1798.199.100), the security and breach notification obligations set out in California Civil Code Sections 1798.80 to 1798.84, and the California Consumer Privacy Act Regulations (California Code of Regulations Sections 999.300 to 999.337) (collectively “California Data Protection Laws”).

9.2 Capitalized terms in this Section 9 will have the meaning in the given in this DPA, and where applicable, the California Data Protection Laws.

9.3 This Section will apply to the extent Customer is a Business that is subject to the CCPA and submits Personal Information to Symphony in connection with the Service Agreement. Customer appoints Symphony as its Service Provider to collect and process Customer’s Personal Information for the purposes articulated in Exhibit B of this DPA.

9.4 Symphony will not (a) Sell or Share Customer’s Personal Information; (b) retain, use, or disclose Customer’s Personal Information for any purpose other than providing the Services specified in the Services Agreement or as otherwise permitted or required by applicable laws; (c) retain, use, or disclose Customer’s Personal Information outside of the direct business relationship between Symphony and the Customer; (d) combine Personal Information that it receives from, or on behalf of, Customer, with Personal Information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the Consumer, the extent such combination would be inconsistent with the limitations on Services Providers under the CCPA or other laws.

9.5 Symphony shall:

9.5.1 Implement and maintain reasonable security procedures and practices to protect Customer’s Personal Information from unauthorized access, destruction, use, modification, or disclosure;

9.5.2 Cooperate with Customer in responding to Verifiable Consumer Requests, and notify any other Person(s) assisting Symphony in Processing Customer’s Personal Information of the Verifiable Consumer Request. In particular, Symphony will cooperate by:

9.5.2.1 deleting or updating Customer’s Personal Information upon Customer’s instruction, unless Symphony has a statutory or contractual obligation to retain Customer’s Personal Information or an exception under California law applies;

9.5.2.2 promptly informing Customer in writing if Symphony is unable to comply with the instruction and provide the basis for Symphony’s failure to comply; and

9.5.2.3 if Symphony receives a request directly from a Consumer, informing the Consumer that it should submit the request directly to Customer.

9.5.3 Notify Customer in writing if Symphony determines that it can no longer meet its obligations as a Service Provider under the California Data Protection Laws, and permit Customer to, upon notice of non-compliance with the California Data Protection Laws, take reasonable steps to stop and remediate unauthorized use of Customer’s Personal Information;

9.5.4 Use Customer’s Personal Information in a manner consistent with Customer’s legal obligations and in compliance with the Services Agreement, which may include reasonable audit rights;

9.5.5 Notify in writing Customer as soon as is reasonably possible upon Symphony becoming aware of a Breach of the Security of the System affecting Customer’s Personal Information, including, a general description of the breach incident and providing Customer with sufficient other information necessary to allow Customer to meet its obligations under the California Data Protection Laws. The foregoing notice shall comply with the requirements set forth in California Civil Code Section 1798.82;

9.5.6 Notify Customer in writing if Symphony engages any Person(s) to assist Symphony in Processing Customer’s Personal Information and if any Person(s) engaged by Symphony engages another Person to assist Symphony in Processing Customer’s Personal Information, and ensure that such engagements are for the Business Purpose and subject to a written contract obligating Symphony and the such Person(s) to comply with all the requirements set forth for Service Providers in the California Data Protection Laws;

9.5.7 Reasonably carry out adequate due diligence to ensure that any Person that assists Symphony in Processing Customer’s Personal Information is capable of providing the level of protection and security for Customer’s Personal Information required by this DPA, the Service Agreement, and California Data Protection Laws, and that such Person continues to do so for the duration of the Services Agreement; and

9.5.8 Provide the level of privacy protection required under the California Data Protection Laws when providing the Service.

9.6 Symphony certifies that it understands the restrictions on Processing Customer’s Personal Information under California Data Protection Laws and will comply with them.