Data Processing Addendum

This Data Processing Addendum (“Addendum”) is entered into by and between a OpenComp, Inc. a Delaware corporation with its primary place of business at 2590 Welton St, Suite 200 #1070, Denver, CO 80205 (“OpenComp”), and the legal entity using OpenComp’s platform (“Customer”) pursuant to the OpenComp Terms of Service executed concurrently herewith, available at https://www.opencomp.com/terms, as updated from time to time, or any other agreement between Client and OpenComp governing Client’s use of the Services (defined below), as applicable (the “Agreement”). OpenComp and Client are hereinafter referred to from time to time individually as “party” and collectively as “parties.”

The parties acknowledge that the terms of this Addendum, including the Appendices, are incorporated into and form part of the Agreement. Capitalized terms have the meaning given to them in the Agreement unless defined elsewhere in this Addendum. Where this Addendum uses terms that are defined in Applicable Data Protection Law (defined below), those terms shall have the same meaning as given to those terms (or an equivalent term) in the applicable law.

In the event and to the extent of a conflict between the provisions of the Agreement and this Addendum, this Addendum will prevail. Except as expressly set forth in this Addendum, all other provisions of the Agreement will remain in full force and effect. To the extent that the EU SCCs (defined below) or the UK International Data Transfer Agreement (defined below) are incorporated herein, such terms therein shall take precedence over both this Addendum and the Agreement to the extent necessary to resolve the conflict or inconsistency. For the avoidance of doubt, execution of the Agreement shall be deemed to constitute signature and acceptance of this Addendum and any SCCS or UK International Data Transfer Agreement incorporated herein.

Section 1: Definitions:

1. “Affiliate(s)” means any business entity that, directly or indirectly, through one or more intermediaries, controls, is controlled by, or is under common control with a party to the Agreement. For purposes of this definition, “control” means an ownership, voting, or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question.
2. “Analytics” means any data relating to Client’s use, support, and/or operation of the Services which is used by OpenComp in an aggregated and anonymous manner.
3. “Applicable Data Protection Law” means all laws and regulations applicable to the processing of personal data under the Agreement. For the sake of clarity, Applicable Data Protection Law includes, without limitation (1) data protection laws and regulations of the European Union, the European Economic Area and their member states, and Switzerland; (2) data protection laws and regulations of the United Kingdom; and (3) data protection laws and regulations of the United States and its individual states.
4. “Authorized Users” means individuals who have created an account to access the Services pursuant to the Agreement. Authorized Users include employees and contractors designated by Client to receive access to the Services as well as employees and contractors of any Affiliates authorized to access the Services under the Agreement.
5. “Client” means the Client entities or Affiliates that are party to the Agreement.
6. “Client Account Data” means personal data that relates to Client’s relationship with OpenComp and for which OpenComp determines the means and purposes of processing.
7. “Client Data” means any personal data that is (i) provided or made available or accessible to OpenComp or its Sub-processors by or on behalf of Client or a controller for whom Client acts as a processor; and/or (ii) generated by OpenComp or its Sub-processors in the performance of the Agreement.
8. “Controller-to-Processor Clauses” means the standard contractual clauses between controllers and processors for Data Transfers (module 2), as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
9. “Data Protection Supervisory Authority” means a supervisory authority or other government body responsible for the administration, implementation, and/or enforcement of Applicable Data Protection Law and includes, without limitation, competent supervisory authorities of the European Union (“EU”) and its member states, the Swiss Federal Data Protection Authority, and the United Kingdom (“UK”) Information Commissioner’s Office.
10. “Data Transfer” means any situation in which Client Data is transferred, either directly or via onward transfer to a Third Country.
11. “Elections” means, with respect to the EU SCCs, (i) for purposes of clause 9(a), option 2 applies and the specified time period is the time period required under Section 5 (Sub-processing) of this Addendum for notice of change of a Sub-processor; (ii) for purposes of clause 11, the independent dispute resolution option does not apply; (iii) for purposes of clause 17, option 2 is selected, provided if the EU member state in which the data exporter is established does not allow for third-party beneficiary rights, then the law of Ireland shall govern; and (iv) as pertains to clause 18(b), the courts of the EU member state in which the data exporter is established shall be the choice of forum and jurisdiction.
12. “EU SCCs” means (i) the Controller-to-Processor Clauses, or (ii) the Processor-to-Processor Clauses, as applicable in accordance with Section 2.1 (Scope and Role of the Parties), including the Elections and on the basis that Appendix 1 of this Addendum operates as Annex I to the EU SCCs and Appendix 2 of this Addendum operates and Annex II to the EU SCCs.
13. “European and UK Data Protection Law” means all data protection laws and regulations applicable to Europe, including (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, or “GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); and (iii) in respect of the United Kingdom (“UK”) any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the UK leaving the European Union.
14. “Europe” means, for the purposes of this Addendum, the European Union (“EU”), the European Economic Area (“EEA”), and/or their member states, Switzerland, and the United Kingdom (“UK”).
15. “Processor-to-Processor Clauses” means the standard contractual clauses between processors for Data Transfers (module 3), as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
16. “Security Incident” means any confirmed or reasonably suspected unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Client Data on systems managed or otherwise controlled by OpenComp.
17. “Sensitive Data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, data relating to criminal convictions or offenses, or other information that falls within the definition of “special categories of data” (or an equivalent term) under Applicable Data Protection Law.
18. “Services” means the services OpenComp is providing pursuant to the Agreement.
19. “Sub-processor(s)” means any person or entity engaged by OpenComp or its Affiliates to perform OpenComp’s obligations under the Agreement.
20. “Third Country” means a country outside of Europe o the UK not recognized by the European Commission or the competent UK regulatory authority as providing an adequate level of protection for personal data under European and UK Data Protection Law.
21. “UK International Data Transfer Agreement” means the UK International Data Transfer Addendum to the EU SCCs, issued by the UK Information Commissioner, Version B1.0, effective as of 21 March 2022, and on the following basis: (i) with respect to Table 1 of the UK International Data Transfer Agreement, the parties’ details and key contact information is located in Appendix 1 of this Addendum; (ii) with respect to Table 2, information about the version of the EU SCCs, modules, and selected clauses are located in the Elections, and (iii) with respect to Table 3, information about the parties and a description of the transfer is set forth in Appendix I to this Addendum, a description of OpenComp’s technical and organizational security measures is located in Appendix II, and OpenComp’s list of sub-processors is set forth in Section 5.1 (Authorized Sub-processors).
22. “UK Personal Data” means Client Data, the processing of which is within the territorial scope of the data protection, privacy, or security laws of the UK.

Section 2: Processing of Personal Data

• Scope and Roles of the Parties. The parties acknowledge and agree that with regard to the processing of Client Data, OpenComp will act as processor to Customer, who may act as either a controller or a processor. Each party shall comply with its obligations under Applicable Data Protection Law, and this Addendum, when processing Client Data. When Client is acting as a controller, the Controller-to-Processor Clauses will apply to any Data Transfer that occurs pursuant to the Agreement. When Client is acting as a processor, the Processor-to-Processor Clauses will apply to any Data Transfer that occurs pursuant to the Agreement. Client agrees that it is unlikely that OpenComp will know the identity of Client controllers, if any, because OpenComp has no direct relationship with Client’s controllers. Therefore, Client agrees that it will fulfil OpenComp’s obligations to Client’s controllers under the Processor-to-Processor Clauses. For the avoidance of doubt, this Addendum does not apply to Analytics or Client Account Data.
  
  
• Client Instructions. OpenComp shall process Client Data only in accordance with Client’s documented lawful instructions as set forth in (i) the Agreement, including this Addendum and any applicable order forms; (ii) as necessary to comply with applicable law; (ii) or as otherwise agreed in writing or as initiated by Authorized Users in their use of the Services (including via any configuration tools and APIs made available through the Services (“Permitted Purposes”). Client may give additional instructions throughout the term of the Agreement. OpenComp shall immediately inform Client if it is unable to follow those instructions.
  
  
• Client Obligations. Client represents and warrants that (i) it has complied, and will continue to comply, with all applicable laws, including Applicable Data Protection Law, in respect of its processing of Client Data and any processing instructions it issues to OpenComp; and (ii) it has, and will continue to have, the right to transfer, or provide access to, the personal data to OpenComp for processing in accordance with the terms of the Agreement and this Addendum. Client shall have the sole responsibility for the accuracy, quality, and legality of Client Data and the means by which Client acquired Client Data. Without prejudice to the generality of the foregoing, Client agrees that it shall be responsible for complying with all laws (including Applicable Data Protection Law) applicable to any content created, sent, or managed through the Services. Client specifically acknowledges and agrees that its use of the Services will not violate the rights of any data subject that has opted-out from the sale or other disclosure of his or her personal data.
  
  
• Lawfulness of Instructions. Client acknowledges that OpenComp is neither responsible for determining which laws or regulations are applicable to Client’s business nor whether OpenComp’s provision of the Services meets or will meet the requirements of such laws or regulations. Client will ensure that its instructions comply with Applicable Data Protection Law and OpenComp’s processing of the Client Data in accordance with Client’s instructions will not cause OpenComp to violate any applicable law, regulation, or rule, including without limitation Applicable Data Protection Law. OpenComp will inform Client if it becomes aware or reasonably believes that Client’s data processing instructions violate Applicable Data Protection Law.
  
  
• OpenComp Personnel. OpenComp shall grant access to Client Data to members of its personnel only to the extent strictly necessary for the implementation, management, and monitoring of the Agreement. It will further ensure that any person it authorizes to process the Client Data shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
  
  
• Accuracy. Client agrees that it is unlikely that OpenComp would become aware that Client Data it has received is inaccurate or outdated. Nonetheless, if OpenComp does become aware that Client Data it has received is inaccurate, or has become outdated, it shall inform Client without undue delay and shall cooperate with Client to erase or rectify the data.
  
  
• Return or Deletion of Client Data. OpenComp shall only process Client Data for the duration specified in Appendix 1.B. Upon Client's request or upon termination or expiration of the Agreement, OpenComp agrees, at Client’s option, exercised by delivery to OpenComp in writing of its instruction, to either deliver to Client or destroy in a manner that prevents Client Data from being reconstructed any Client Data and any copies thereof in OpenComp's control or possession, except that this requirement shall not apply to the extent OpenComp is required by applicable law to retain some or all of the Client Data or to Client Data it has archived on back-up systems, which Client Data OpenComp shall securely isolate, protect from any further processing, and eventually delete in accordance with OpenComp’s deletion policies, except to the extent required by applicable law.
  
  
• No Sale of Information. OpenComp will not sell Client Data, nor retain, use, or disclose Client Data for any commercial purpose other than providing the Services. OpenComp will not disclose Client Data outside the scope of the Agreement. OpenComp understands its obligations under Applicable Data Protection Law and will comply with them.

Section 3: Responding to Data Subjects and Other Requests

• Assistance Provided to Customer. To the extent Customer, in its ordinary use of the Services, does not have the ability to address a data subject request to exercise their rights under Applicable Data Protection Law, OpenComp shall, upon Client’s written request, provide commercially reasonable assistance to Client in responding to such data subject request. If complying with Client’s request for assistance will require OpenComp to expend significant resources, such assistance shall be at Client’s expense (scoped in advance).
  
  
• Handling Requests Made Directly to OpenComp. In the event that any request, correspondence, enquiry or complaint from a data subject, regulator, or third party, including, but not limited to law enforcement, is made directly to OpenComp in connection with OpenComp’s processing of Client Data, OpenComp shall promptly inform Client providing details of the same, to the extent legally permitted. Unless legally obligated to do so, OpenComp shall not respond to any such request, inquiry, or complaint without Client’s prior written consent. In the case of a legal demand for disclosure of Client Data in the form of a subpoena, search warrant, court order or other compulsory disclosure request, OpenComp shall attempt to redirect the requesting party or agency to request disclosure from Customer. Client agrees that OpenComp may provide Client’s basic contact information for this purpose. If OpenComp is unable to redirect the requesting party or agency, OpenComp shall act in accordance with its obligations under the EU SCCs or UK International Data Transfer Agreement, as applicable, incorporated herein. For the avoidance of doubt, nothing in the Agreement, including this Addendum shall restrict or prevent OpenComp from responding to any data subject request or other requests in relation to personal data for which OpenComp is a controller.
  
  
• Data Protection Impact Assessments. If OpenComp believes or becomes aware that its processing of Client personal data is likely to result in a high risk to the data protection rights and freedoms of data subjects, OpenComp shall inform Client and (taking into account the nature of the processing and the information available to OpenComp) provide commercially reasonable cooperation to Client in connection with any data protection impact assessment or consultations with Data Protection Supervisory Authorities that may be required under Applicable Data Protection Law. OpenComp shall comply with the foregoing by: (i) complying with Section 4.7 (Audits); (ii) providing the information contained in the Agreement, including this Addendum; and (iii) if the foregoing sub-sections (i) and (ii) are insufficient for Client to comply with such obligations, upon request, providing additional reasonable assistance at Client’s expense (scoped in advance).

Section 4: Security

• Technical and Organizational Measures. OpenComp has implemented and will maintain appropriate  technical  and  organizational  security  measures designed  to  preserve  the  security  and confidentiality of Client Data in accordance with OpenComp’s security standards described in Appendix 2 (“Security Measures”).
  
  
• Updates to Security Measures. Client is responsible for reviewing the information OpenComp makes available regarding its data security and making an independent determination as to whether the Services meets Client’s requirements and legal obligations, including its legal obligations under Applicable Data Protection Law. Client acknowledges that the Security Measures are subject to technical progress and development and that OpenComp may update or modify the Security Measures from time to time, provided that such updates and modifications do not materially decrease the overall security of the Services provided to Customer.
  
  
• Security Incident Response. OpenComp shall, to the extent permitted by law, notify Client without undue delay of any reasonably suspected or actual Security Incident which affects Client Data. Such notification will be delivered to one or more of Client’s business or administrative contacts by any means OpenComp selects, including via email. It is Client’s sole responsibility to ensure it maintains accurate contact information in the Services and under the Agreement at all times. The notice shall summarize in reasonable detail the nature and scope of the Security Incident, to the extent known, and the corrective action already taken or to be taken by OpenComp. Furthermore, OpenComp shall provide timely information relating to the Security Incident as it becomes known or as reasonably requested by Client and shall promptly take reasonable steps to remedy or mitigate the effect of any Security Incident. OpenComp’s notification of or response to a Security Incident shall not be construed as an acknowledgement by OpenComp of any fault or liability with respect to the Security Incident. The parties will collaborate on whether any notice of breach is required to be given to any person, and if so, the content of that notice. Unless prohibited by an applicable statute or court order, OpenComp shall also notify Client of any third-party legal process relating to any Security Incident, including, but not limited to, any legal process initiated by any governmental entity.
  
  
• Unsuccessful Security Incidents. Client agrees that an unsuccessful Security Incident will not be subject to Section 4.3 (Security Incident Response). An unsuccessful Security Incident is one that results in no unauthorized access to Client Data or to any of OpenComp’s equipment or facilities storing Client Data and could include, without limitation, pings and other broadcast attacks on firewalls, port scans, unsuccessful log-in attempts or invalid URLs, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond IP addresses or headers) or similar incidents.
  
  
• Client Responsibilities. Notwithstanding the above, Client agrees that except as provided in this Addendum, Client is responsible for its secure use of the Services, including securing its account authentication credentials, using the Services strictly as permitted under the Agreement, and using features and functionalities made available by OpenComp to maintain appropriate security in light of the nature of the data processed.
  
  
• Documentation and Compliance. The parties acknowledge that Client must be able to assess OpenComp’s compliance with its obligations under Applicable Data Protection Law and this Addendum. To facilitate such assessment, OpenComp will keep appropriate documentation on the processing activities carried out on behalf of Client under the Agreement, and upon written request, make available to Client all information reasonably necessary to demonstrate compliance with the obligations set out in this Addendum.
  
  
• Audits. To the extent that OpenComp is unable to demonstrate its compliance with Applicable Data Protection Laws and this Addendum through appropriate documentation as described in Section 4.6 (Documentation and Compliance) above, then, upon Client’s written request and subject to the confidentiality obligations set forth in the Agreement, OpenComp shall allow for and contribute to audits and inspections conducted by Client(or Client’s independent, third-party auditor that is not a competitor of OpenComp). Audits shall occur at most annually or more frequently (i) in response to a demand from a Data Protection Supervisory Authority, (ii) following notice of a Security Incident, or (iii) as a follow-up to a duly conducted annual audit. Audits must be preceded by thirty (30) days advance written notice, must be conducted during OpenComp’s normal business hours, and must be limited to systems and procedures within OpenComp’s control and relevant to OpenComp’s processing of Client Data. OpenComp will make its personnel, records, and similar items available upon fewer than thirty (30) days advance notice, but no less than reasonable notice if (i) requested by a Data Protection Supervisory Authority pursuant to an audit of Client or (ii) following notice of a Security Incident. In lieu of such an audit, in the event that OpenComp independently obtains third-party annual audits of its privacy and security program, Client agrees that OpenComp may satisfy its obligations under this Section 4.7 (Audits), by making available to Client a copy of OpenComp’s then most recent third-party audit report. Such audit reports will be made available to Client upon Client’s written request, at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement. If any audit reveals any material vulnerability, OpenComp shall take commercially reasonable steps to correct such vulnerability.

Section 5: Sub-processing

• Authorized Sub-processors. OpenComp has Client’s general authorization to engage third-party Sub-processors to fulfill its contractual obligations under this Addendum or to provide certain services on its behalf. The Sub-processors OpenComp currently engages to carry out processing activities can be found here: https://trust.opencomp.com. At least ten (10) business days prior to engaging or removing any Sub- processor, OpenComp will update this list and provide Client with a mechanism to obtain notice of that update. Client may object to in writing to OpenComp's appointment or replacement of a Sub-processor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, the parties shall discuss commercially reasonable alternative solutions in good faith. If the parties cannot reach resolution, OpenComp will, in its sole discretion, either not appoint such Sub-processor, direct such Sub-processor to not process Client Data, or permit Client to suspend or terminate the Agreement without liability to either party, in which case, however, and notwithstanding anything to the contrary in this Addendum, the EU SCCs or UK International Data Transfer Agreement (as applicable), or the Agreement, OpenComp shall refund Client any prepaid fees covering the remainder of the Term of the Agreement from the date of suspension/termination of the Agreement as per the foregoing.
  
  
• Sub-processor obligations. OpenComp shall: (i) conduct appropriate due diligence on each Sub-processor it engages to perform services on its behalf; (ii) enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Client Data as those in this Addendum, to the extent applicable to the nature of the service provided by such Sub-processor; and (iii) remain responsible for such Sub-processor’s compliance with the obligations of this Addendum and for any acts or omissions of such Sub-processor that cause OpenComp to breach any of its obligations under this Agreement.

Section 6: International Data Transfers

• Data Center Locations. Client understands and acknowledges that Client Data may be transferred to and processed in the United States or in any country in which OpenComp or its Sub-processors have operations. OpenComp shall notify Client at least ten (10) business days prior to adding or replacing a Sub-processor in the same manner provided for notification under Section 5.1 (Authorized Sub-processors) above. Client may object in writing to OpenComp’s changes as per the above, provided such objection is based on reasonable grounds relating to data protection (including, but not limited to, changes of location for processing (including access) from within Europe to the United States or another non-Europe country). In such event, the parties shall discuss commercially reasonable alternative solutions in good faith. If the parties cannot reach resolution, OpenComp will, in its sole discretion, either not proceed with the change, or permit Client to suspend or terminate the Agreement without liability to either party in which case, however, and notwithstanding anything to the contrary in this Addendum, the EU SCCs or UK International Data Transfer Agreement (as applicable), or the Agreement, OpenComp shall refund Client any prepaid fees covering the remainder of the term of the Agreement from the date of suspension/termination of the Agreement as per the foregoing. OpenComp shall ensure that such transfers comply with the requirements of Applicable Data Protection Law.
  
  
• European and UK Data Transfers. To the extent that OpenComp receives Client Data protected by European and UK Data Protection Laws, OpenComp agrees to abide by and process such data in compliance with the EU SCCs and UK International Data Transfer Agreement( as applicable), which are incorporated herein in full and form an integral part of this Addendum. For the purposes of the EU SCCs and UK International Data Transfer Agreement (as applicable): (i) OpenComp is the “data importer” and Client is the “data exporter” (notwithstanding that Client may be an entity located outside of Europe or the UK); (ii) Appendixes 1 and 2 of this Addendum shall replace Annexes I and II of the EU SCCs and Tables 1 and 2 of the UK International Data Transfer Agreement (as applicable) and (iii) the EU SCCs shall be applied giving effect to the Elections. For the avoidance of doubt, the UK International Data Transfer Agreement shall apply to any Data Transfer pursuant to the Agreement that involves UK Personal Data.

Section 7: Limitation of Liability

• Liability Cap. Each party and all of its Affiliates’ liability to the other party and its Affiliates, taken together arising out of or related this this Addendum, including the EU SCCs and UK International Data Transfer Agreement (as applicable), shall be subject to the exclusions and limitations of liability set forth in the Agreement. For the avoidance of doubt, OpenComp and its Affiliates’ total liability for all claims from Client arising out of or relating to the Agreement or this Addendum shall apply in aggregate.
  
  
• Liability to Data Subjects. Nothing in Section 7.1 (Liability Cap) shall alter the parties’ liability to data subjects as provided for in either the EU SCCs or UK International Data Transfer Agreement  (as applicable). Each party agrees that it will be liable to data subjects for the entire damage resulting from a violation by it of Applicable Data Protection Law. If one party paid full compensation for the damage suffered, it is entitled to claim back from the other party that part of the compensation corresponding to the other party’s part of the responsibility for the damage. Notwithstanding the foregoing, with respect to processing of personal data subject to either the EU SCCs or UK International Data Transfer Agreement as provided herein, the allocation of liability to data subjects as between the parties shall be governed by the applicable terms therein taking into consideration that both parties agree that Client will be liable to data subjects for the entire damage resulting from a violation of European or UK Data Protection Law with regard to processing of personal data for which it is a controller, and that OpenComp will only be liable to data subjects for the damage resulting from a violation of the obligations of European or UK Data Protection Law directed to processors where it has acted outside of or contrary to Client’s lawful instructions or violated this Addendum. OpenComp will be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

Section 8: Modification and Termination of this Addendum
This Addendum shall remain in effect until the later of (i) termination of the Agreement or (ii) such time as OpenComp no longer processes any Client Data on behalf of Client. Failure to comply with any of the material provisions of this Addendum is considered a material breach of the Agreement. In the event of termination, OpenComp will return or destroy data pursuant to Section 2.7 (Return or Deletion of Client Data). OpenComp may update the terms of this Addendum from time to time; provided, however, OpenComp will provide at least thirty (30) days prior written notice to Client of any proposed update. The then-current terms of this Addendum are available at https://www.opencomp.com/gdpr.

Section 9: Entire Agreement; Conflict
This Addendum supersedes and replaces all prior and contemporaneous agreements, oral and written, with regard to the subject matter of this Addendum, including any prior data processing addenda entered into between Client and OpenComp. If there is any conflict between this Addendum and any agreement, including the Agreement, the provisions of the following documents (in order of precedence) shall prevail: (a) the EU SCCs and their Annexes and/or the UK International Data Transfer Agreement and its Tables (as applicable); then (b) this Addendum and its Appendices; then (c) the Agreement.

Section 10: Invalidity and Severability

10.1 General. If any provision of this Addendum is found by any court or administrative body of competent jurisdiction to be invalid and unenforceable, the invalidity or unenforceability of such provision shall not affect any other provision of this Addendum and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.

10.2 Invalidity of the EU SCCs and/or UK International Data Transfer Agreement. If the EU SCCs and/or UK International Data Transfer Agreement (as applicable) cease to or do not (including due to insufficient supplementary measures) meet the requirements under European and UK Data Protection Law or otherwise cease to or do not provide a valid legal basis to transfer personal data outside the EEA, EU, UK, or Switzerland, OpenComp shall (i) promptly notify Client using the email address on file; (ii) upon request (whether or not OpenComp has provided notice to Customer) immediately stop and, as applicable procure the cessation of the processing by its Sub-processors of the affected personal data promptly after the occurrence of any such notifiable event outside the relevant countries (except to the extent directed otherwise by Customer), and as soon as possible put in place commercially reasonable measures to mitigate the impact of such; and (iii) discuss with Client commercially reasonable alternative measures in order to ensure an adequate level of protection with respect to the privacy rights of individuals and the lawful transfer of, or access to, personal data outside the relevant countries whilst continuing the provision of the Services with minimum disruption to Customer. If the parties cannot reach resolution, Client may suspend or terminate the Agreement without liability to either party, in which case, notwithstanding anything to the contrary in this Addendum or the Agreement, OpenComp shall refund Client any prepaid fees covering the remainder of the term of the Agreement from the date of suspension/termination of the Agreement as per the foregoing.

APPENDIX 1

• LIST OF PARTIES

Data exporter(s):

The data exporter is the legal entity identified as “Customer” in the Agreement. Client may be a controller or a processor with respect to Client Data.

Data importer(s):

The data importer is OpenComp, Inc. located at 2590 Welton St, Suite 200 #1070, Denver, CO 80205.

Justin Byers, VP Engineering, is OpenComp’s contact person with responsibility for data protection and can be reached at justin@opencomp.com or 310-403-4726.

OpenComp provides a cloud-based compensation benchmarking platform. OpenComp is either a processor or a sub-processor with respect to Client Data processed pursuant to the Agreement.

• DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Client may upload, submit, or otherwise provide personal data concerning the following categories of data subjects:

• Client and its Authorized Users
• Client’s current and former employees, independent contractors, and job applicants

Categories of personal data transferred

Client may upload, submit, or otherwise provider certain personal data to OpenComp, the extent of which is typically determined and controlled by Client in its sole discretion, and may include the following types of personal data:

• First Name and Last Name
• Job Title
• Contact information (E-mail address, physical business address)
• Compensation: Salary, incentive, equity
• Gender
• Ethnicity
• Any other personal data uploaded, submitted, or otherwise provided to OpenComp by Client in its sole discretion.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance, strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

• Ethnicity

To the extent collected, OpenComp shall apply strict purpose limitation to the processing of such data.

The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis)

Client Data will be transferred on a continuous basis for the duration of the Agreement. As between Client and OpenComp, the duration of the processing under this Addendum is determined by Client; provided that, generally the duration of the processing of Client Data shall be for the duration of the Agreement and for the minimum period thereafter required to wind-down the parties’ relationship under the Agreement and properly return or dispose of Client Data pursuant to Section 2.7 (Return or Deletion of Client Data).

Nature of the processing

Client Data will be processed in accordance with the Agreement (including this Addendum) and may be subject to the following processing activities:

• Storage and other processing necessary to provide, maintain, and improve the service provided to Client pursuant to the Agreement; and/or
• Disclosures in accordance with the Agreement, Client’s instructions, and/or as compelled by applicable law.  

Purpose(s) of the data transfer and further processing

OpenComp shall only process Client Data for the Permitted Purposes outlined in Section 2.2 (Client Instructions).

The period for which the personal data will be retained, or if that is not possible, the criteria used to determine that period

Client Data will be retained for the duration of the Agreement plus thirty (30) days after expiration or termination unless expressly instructed by Client to delete or destroy Client Data sooner or as otherwise required or permitted by law.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

For all transfers to Sub-processors the subject matter, nature, and duration of the processing are as follows:

• Subject matter: The subject matter of the transfer and processing is the Client Data.
• Nature of processing: The nature of the processing varies by Sub-processor. Detailed information for each Sub-processor can be found at https://trust.opencomp.com.

Duration of the processing: The duration of the processing is for so long as is necessary for the purpose for which the information was transferred to the Sub-processor and in any event, for no longer than the duration of the agreement between OpenComp and the relevant Sub-processor.

DATA PROTECTION SUPERVISORY AUTHORITY

The applicable Data Protection Supervisory Authority for purposes of this Addendum shall be established in accordance with the EU SCCs or UK International Data Transfer Agreement (as applicable) incorporated herein, or if neither are incorporated, the applicable Data Protection Supervisory Authority shall be any such entity with authority over the parties involved.

APPENDIX 2 - SECURITY MEASURES

Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

OpenComp, at a minimum, has implemented the following types of security measures:

https://trust.opencomp.com/

‍