Elation Customer

Data Processing Addendum

This Elation Customer Data Processing Addendum, including its exhibits and appendices (the “Addendum”) is entered into between It’s Elation, Inc., a corporation incorporated under the laws of Delaware, United States of America (“Elation”), and the counterparty accepting this DPA (“Customer”) (each, a “Party” and, collectively, the “Parties”).

This Addendum is entered into by the Parties by virtue of Customer signing or otherwise entering into an Elation agreement, order form, terms and conditions, or any other similar contractual agreement governing the license or purchase of products or services offered by Elation (the “Agreement”). This DPA amends and is incorporated into and made part of the terms of the Agreement between the Parties but only to the extent such Agreement provides for Elation to access, collect, acquire, receive, transfer, process, and/or use the Customer Personal Data (as defined below) of Customer or its Affiliates. Except where the context requires otherwise, references in this Addendum to the Agreement are to the Agreement as amended or supplemented by, and including, this Addendum.

The Parties agree as follows:

  1. Definitions.

    1. For the purpose of interpreting this Addendum, the following terms (and their applicable cognates) shall have the meanings set out below:

      1. “Affiliate” means any entity within a controlled group of companies that directly or indirectly, through one or more intermediaries, is controlling, controlled by, or under common control with one of the Parties.

      2. “Anonymized Data” means Customer Personal Data that Elation has irreversibly anonymized by permanently removing and deleting all information that may reasonably be used to identify Data Subjects. Elation uses Anonymized Data for research, development, analytics, and modelling purposes to improve its Services.

      3. “Applicable Data Protection Laws” means all laws and regulations applicable to the Processing of Customer Personal Data, including but not limited to the laws and regulations identified in Exhibit B hereto as may be amended, modified, or supplemented from time to time, as applicable.

      4. “Contracted Processor” means any third party appointed by or on behalf of Elation to Process Customer Personal Data in connection with the Services.

      5. “Customer Personal Data” means any Personal Data Processed by or on behalf of Elation to provide the Services in accordance with the Agreement.

      6. “Data Exporter” and “Data Importer” shall have the same meanings assigned to them in Part A of Exhibit A.

      7. “GDPR” means the EU GDPR and UK GDPR as those terms are defined within Exhibit B, as applicable.

      8. “Jurisdiction Specific Terms” means all terms applicable to the Processing of Personal Data that apply to the extent that Elation Processes Customer Personal Data originating from, or protected by, Applicable Data Protection Laws in one of the jurisdictions identified in these terms. The Jurisdiction Specific Terms are currently available as Exhibit B to this Addendum.

      9. “Restricted Transfer” means any transfer of Customer Personal Data protected by Applicable Data Protection Laws to a Third Country or an international organization in a Third Country (including data storage on foreign servers).

      10. “SCCs” or “Standard Contractual Clauses” are the model clauses for Restricted Transfers adopted from time to time by the relevant authorities of the jurisdictions indicated in Exhibit B, insofar as their use is approved by the relevant authorities as an appropriate mechanism or safeguard for Restricted Transfers.

      11. “Services” means the products, services, and other activities carried out by or on behalf of Elation for Customer pursuant to the Agreement, including, without limitation, providing the Wellbeing Workbench, Elation’s web-based performance optimization software platform.

      12. “Sub-Processor” means a direct Processor of a Processor. For the avoidance of doubt, Contracted Processors are Sub-Processors.

    2. The terms “Controller”, “Data Protection Assessment”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor”, “Rights of the Data Subjects”, “Supervisory Authority”, and “Third Country” shall have the same meanings as under Applicable Data Protection Laws, and their cognate and corresponding terms shall be construed accordingly.

    3. Capitalized terms which are used but not defined herein shall have the meanings given to them in the Agreement. Except as modified or supplemented above, the definitions of the Agreement shall remain in full force and effect. 

  2. Scope and Applicability. 

    1. Duration. This Addendum shall take effect on the Effective Date and shall continue concurrently for the duration that Personal Data is Processed by Elation pursuant to the Agreement.

    2. Scope. This Addendum will apply to the Processing of all Customer Personal Data, regardless of country of origin, place of Processing, location of Data Subjects, or any other factor. The Processing of Personal Data that does not constitute Customer Personal Data is outside the scope of this Addendum.

    3. Exhibits and Appendices. This Addendum includes the following exhibits and appendices:

  1. Exhibit A – Details of Processing; 

  2. Appendix I to Exhibit A – Technical and Organizational Security Measures;

  3. Appendix II to Exhibit A – List of Contracted Processors;

  4. Exhibit B – Jurisdiction Specific Terms; and

  5. Appendix I to Exhibit B – Supplemental Clauses to the Standard Contractual Clauses.

  3. Processing of Customer Personal Data.

    1. Elation will primarily Process Customer Personal Data on Customer’s documented instructions for the purpose of providing the Services to Customer. When Elation processes Customer Personal Data for this purpose, Customer acts as a Controller and Elation acts as a Processor. If Customer acts as a Processor on behalf of another Controller, then Elation acts as a Sub-Processor on behalf of Customer. 

    2. Elation shall:

      1. comply with all Applicable Data Protection Laws in the Processing of Customer Personal Data;

      2. not Process Customer Personal Data other than on Customer’s relevant documented instructions (including with regard to Restricted Transfers), unless such Processing is required by Applicable Data Protection Laws, in which case Elation shall, to the extent permitted by Applicable Data Protection Laws, inform Customer of such requirement before Processing that Customer Personal Data; and

      3. immediately inform Customer in the event that, in Elation’s reasonable opinion, a Processing instruction given by Customer may infringe Applicable Data Protection Laws.

    3. Customer instructs Elation (and authorizes Elation to instruct each Contracted Processor it engages) to Process Customer Personal Data and, in particular, transfer Customer Personal Data to any country or territory, only as reasonably necessary for the provision of the Services and consistent with the Agreement and this Addendum. 

    4. Where Customer is acting as a Processor, it warrants that it shall:

      1. Process Customer Personal Data only on behalf of the relevant Controller’s documented instructions and, in turn, only instruct Elation to carry out such Processing activities on behalf of Customer in accordance with said instructions of the Controller; and

      2. obtain prior authorization from the relevant Controller for subcontracting the Processing of Customer Personal Data to Elation and its Contracted Processors.

    5. Elation will also Process Customer Personal Data for the purpose of converting it to Anonymized Data. When we Process Customer Personal Data for this purpose, Elation acts as an independent Controller.

    6. When Elation Processes Customer Personal Data for conversion into Anonymized Data, Elation agrees to comply with all Applicable Data Protection Laws as it relates to the Processing of such Customer Personal Data as an independent Controller of such Customer Personal Data. To the extent Customer acts as an independent Controller for Customer Personal Data, Customer expressly authorizes Elation’s Processing of Customer Personal Data for this compatible purpose.

    7. All necessary information relating to the details of Processing is set out within Exhibit A.

  4. Personnel. Elation shall take reasonable steps to ensure:

    1. the reliability of any employee, agent, or contractor who may have access to Customer Personal Data;

    2. that access to Customer Personal Data is strictly limited to those individuals who need to know or access it, as strictly necessary to fulfil the documented instructions given to Elation by Customer or to comply with Applicable Data Protection Laws; and

    3. that all such individuals are subject to formal confidentiality undertakings, professional obligations of confidentiality, or statutory obligations of confidentiality.

  5. Security of Processing. Elation shall implement and maintain the administrative, technical, and organizational security measures identified within Appendix I to Exhibit A, which ensure a level of security appropriate to the risk of Processing and take into account: the state of the art, costs of implementation, and the nature and purposes of Processing; the risk of varying likelihood and severity to the rights and freedoms of natural persons; and the risks presented by the Processing activities, particularly those risks related to Personal Data Breaches.

  6. Contracted Processors.

    1. Authorization for Existing Contracted Processors: Customer authorizes Elation to continue using those Contracted Processors engaged as of the Effective Date and listed in Appendix II to Exhibit A and further authorizes Elation and its Contracted Processors to appoint additional Contracted Processors, provided the obligations of this Section 6 (and the respective obligations of Exhibit B) are met.

    2. Authorization for Appointment of Contracted Processors: To appoint an additional Contracted Processor, Elation will provide Customer with written notice, which will include the details of Processing to be undertaken as described within Appendix II to Exhibit A.

    3. Objection to Contracted Processors: 

      1. Customer will be deemed to have consented to the additional Contracted Processor if no objection is received within fourteen (14) days of Elation’s notice. Customer may object to the appointment of a Contracted Processor by providing a written objection, which shall include the name of the objected-to Contracted Processor and a reasonable statement of objection. 

      2. If an objection is received, the Parties will work together in good faith with a view of achieving a commercially reasonable resolution. If no mutually agreeable resolution is available, Customer may terminate the Agreement immediately upon written notice to Elation, with no further fees due, other than what has been accrued up to and including the date of termination. Upon notice of termination, Elation shall cease Processing Customer Personal Data. 

    4. Requirements for Appointing Contracted Processors: With respect to each Contracted Processor, Elation shall:

      1. conduct due diligence to ensure that the Contracted Processor is capable of providing the level of protection and security for Customer Personal Data required by this Addendum;

      2. disclose, upon request, the results of that due diligence; 

      3. restrict the Contracted Processor’s access to Customer Personal Data only to what is necessary to assist Elation in providing the Services, and prohibit the Contracted Processor from accessing Customer Personal Data for any other purpose; and

      4. ensure that the arrangement between Elation and the Contracted Processor is governed by a written contract that includes terms which offer at least the same level of protection for Customer Personal Data as those set out in this Addendum, to the extent applicable to the nature of the services provided by such Contracted Processor.

    5. Where any Contracted Processor fails to fulfil its data protection obligations under such written contract (or in the absence thereof, as the case may be), Elation shall remain fully liable to Customer for the performance of the respective Contracted Processors’ data protection obligations under such contract and/or Applicable Data Protection Laws.

  7. Rights of the Data Subjects.

    1. Taking into account the nature of the Processing, Elation shall assist Customer by implementing appropriate technical and organizational measures, insofar as possible, to respond to valid requests to exercise Rights of the Data Subjects under Applicable Data Protection Laws.

    2. With regard to the Rights of the Data Subjects within the scope of this Section 7, Elation shall:

      1. promptly notify Customer if it or any of its Contracted Processors receive a request from a Data Subject with respect to Customer Personal Data; 

      2. not respond to that request, except on the documented instructions of Customer or as required by Applicable Data Protection Laws, in which case Elation shall, to the extent permitted by Applicable Data Protection Laws, inform Customer of such requirement before it responds to the request or directs its Contracted Processors to respond; and

      3. promptly comply with any documented instructions from Customer regarding responding to a request to exercise Rights of a Data Subject. 

  8. Personal Data Breaches.

    1. Breach Response. If Elation discovers, is notified of, or has reason to suspect a Personal Data Breach affecting Customer Personal Data under its or its Contracted Processors’ control, Elation will (i) immediately implement measures to stop the unauthorized access; (ii) secure the Customer Personal Data; and (iii) notify Customer without undue delay and, in any event, within forty-eight (48) hours of becoming aware of such suspected Personal Data Breach. 

    2. Breach Obligations. Immediately upon providing notice of a Personal Data Breach, Elation shall:

      1. describe to Customer in as much detail as reasonably possible: (i) the nature of the Personal Data Breach, (ii) where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned, (iii) the impact of such Personal Data Breach upon Customer and the affected Data Subjects, and (iv) the measures taken or proposed by Elation to address the Personal Data Breach;

      2. provide and supplement notifications as and when additional information becomes available; 

      3. assist Customer in meeting its respective obligations pursuant to Applicable Data Protection Laws, including any obligations to notify Supervisory Authorities or Data Subjects of a Personal Data Breach; and

      4. use commercially reasonable efforts to investigate, mitigate, and remediate each such Personal Data Breach and prevent a recurrence of such Personal Data Breach.

    3. No Acknowledgement of Fault. Elation’s notification of or response to a Personal Data Breach under this Section will not be construed as an acknowledgement by Elation of any fault or liability with respect to the Personal Data Breach.

  9. Data Protection Assessment and Prior Consultation. Elation shall provide Customer with relevant information and documentation, and assist Customer in complying with its obligations with regard to any data protection assessments or prior consultations with Supervisory Authorities when required pursuant to Applicable Data Protection Laws, but in each such case solely with regard to Customer Personal Data Processed by, and taking into account the nature of Processing and information available to, Elation and its Contracted Processors.

  10. Deletion or Return of Personal Data.

    1. Elation shall provide Customer with the technical means, consistent with the way the Services are provided, to request the deletion of Customer Personal Data, with the exception of any Customer Personal Data that may be retained pursuant to applicable laws.

    2. If requested by Customer and following the cessation of Services, Elation shall promptly delete or return all Customer Personal Data (including copies) to Customer, with the exception of any Customer Personal Data that may be retained pursuant to applicable laws. 

    3. Elation shall also cause all Contracted Processors that have received Customer Personal Data to delete or return, as applicable, all such Customer Personal Data, with the exception of any Customer Personal Data that may be retained pursuant to applicable laws.

    4. This Section 10 does not apply to Customer Personal Data that has been archived on back-up systems, which Elation or its Contracted Processors, as applicable, shall securely isolate and protect from any further Processing, except to the extent required by applicable law.

  11. Audit Rights.

    1. Elation shall allow for and contribute to audits, including remote inspections, by Customer or an auditor mandated by Customer (on behalf of itself or its clients) with regard to the Processing of the Customer Personal Data by Elation and its Contracted Processors. To the extent legally permitted, Customer shall reimburse Elation for any time expended for any such audit at Elation’s then-current professional services rates, which shall be made available to Customer upon request and shall not exceed USD $250 per hour.

  12. Jurisdiction Specific Terms. To the extent Elation Processes Customer Personal Data originating from or protected by Applicable Data Protection Laws in a jurisdiction listed in Exhibit B, then the terms and definitions specified in Exhibit B with respect to the applicable jurisdiction shall apply in addition to the terms of this Addendum.

  13. Restricted Transfers.

    1. Restricted Transfers of Customer Personal Data within the scope of this Addendum shall be conducted in accordance with Exhibit B and Applicable Data Protection Laws.

    2. If the relevant authorities adopt a new version of SCCs as a lawful mechanism for Restricted Transfers in a jurisdiction governing the processing of Customer Personal Data, the Parties are deemed to have agreed to the execution of the new version of the SCCs by signing this Addendum, and, if necessary, Elation shall be entitled to update Exhibit A and Exhibit B (and their appendices) accordingly.

    3. If an alternative transfer mechanism, such as Binding Corporate Rules, is adopted by Elation during the term of the Agreement (an “Alternative Mechanism”), and Elation notifies Customer that some or all Restricted Transfers can be conducted in compliance with Applicable Data Protection Laws pursuant to the Alternative Mechanism, the Parties will rely on the Alternative Mechanism instead of the transfer mechanisms in Exhibit B for Restricted Transfers to which the Alternative Mechanism applies. 

  14. Amendment and Online Hosting.

    1. Subject to the conditions specified in this Addendum, Elation may host the content of this Addendum online, and further update the Addendum, provided that prior notice is given to Customer. 

      1. If no objection is received within fourteen (14) days of receipt of the notice, Customer will be deemed to have consented to the update. If Customer issues notice of non-acceptance, the Parties will cooperate and negotiate in good faith regarding any required updates. 

      2. If no mutually agreeable resolution is available, Customer may terminate the Agreement immediately upon written notice to Elation, with no further fees due, other than what has been accrued up to and including the date of termination. Upon notice of termination, Elation shall cease Processing Customer Personal Data.  

    2. To the extent that the Addendum is hosted online, the latest version online shall take precedence over this Addendum.

  15. Liability.

    1. Subject to Applicable Data Protection Laws, the liability of each Party under this Addendum shall be subject to the exclusions and limitations of liability set out in the Agreement. 

    2. Elation shall be fully liable to Customer for any breach of the Agreement or this Addendum, and the obligations set out therein (including by means of additional contract, as the case may be), by itself or its Contracted Processors. 

  16. General Terms.

    1. Notice. The Parties shall use the Data Protection Contact provided in Part A of Exhibit A as contact points for all matters related to this Addendum, including notice of a Personal Data Breach and inquiries pursuant to Rights of the Data Subjects. 

    2. Prior Existing Agreement. This Addendum supersedes and replaces all prior and contemporaneous proposals, statements, sales materials or presentations, and agreements, oral and written, with regard to the subject matter of this Addendum, including any prior data processing addenda entered into between Elation and Customer in connection with the Agreement. Notwithstanding, all clauses of the Agreement that are not explicitly amended or supplemented by the clauses of this Addendum shall remain in full force and effect, as long as this does not contradict compulsory requirements of Applicable Data Protection Laws.

    3. Annual Review. Each Party must review this Addendum (including Exhibit A and its appendices) at regular intervals to ensure that the Addendum remains accurate, up to date, and continues to provide appropriate safeguards to the Personal Data. Each Party will carry out these reviews each time there is a change to the Personal Data, the purposes for Processing, the Data Importer information, or any risk assessments related to the Processing contemplated in this Addendum. 

    4. Conflicts. In the event of any conflict between the Agreement (including any annexures, exhibits, and appendices thereto) and this Addendum, the provisions of this Addendum will prevail. In case of any conflict or ambiguity between the Jurisdiction Specific Terms and any other terms of this Addendum, the applicable Jurisdiction Specific Terms will prevail.

    5. Severability. Should any provision of this Addendum be found legally invalid or unenforceable, then the invalid or unenforceable provision will be deemed superseded by a valid, enforceable provision that most closely matches the intent of the original provision, and the remainder of this Addendum will continue in effect.

    6. Non-Compliance. If Elation determines that it can no longer meet any of its obligations set out within this Addendum, Applicable Data Protection Laws, or the SCCs (where applicable), it shall (i) promptly notify Customer of that determination and (ii) cease the Processing, if requested by Customer, or immediately take other reasonable and appropriate steps to remediate the lack of compliance.

    7. Ambiguity. Elation may amend this Addendum without notice to or consent of Customer for the purposes of a) curing any ambiguity, b) curing, correcting or supplementing any defective provision contained herein, or c) making any other provisions with respect to matters or questions arising under this Addendum; provided that such action shall not materially alter the Addendum.

    8. Signature. If you are accepting the terms of this Addendum on behalf of Customer, you represent and warrant that you have the authority to bind that Customer and its Affiliates, where applicable, to the terms and conditions of this Addendum. 

    9. Disclosure to Supervisory Authorities. The Parties acknowledge that either Party may disclose this Addendum and any relevant privacy provisions in the Agreement to Supervisory Authorities, or any other judicial or regulatory body, upon their request.

Exhibit A - Details of Processing


A. List of Parties

Name and Address:

Elation:

It’s Elation, Inc.

P.O. Box 1567

Cody, WY 82414


Customer:

Customer’s full legal name and address as referenced in the Agreement.

Data Protection Contact:

Elation:

Elation Data Security Team

Email: security@elation.com

Phone Number: +1 (855) 878-2400


Customer:

Customer shall provide the title and contact details of its data protection contact who will receive notices pursuant to this Addendum, including Section 8 (Personal Data Breaches), by sending an email to privacy@elation.com. In the event that the provided identity, title, and contact details change, Customer shall provide the updated information to Elation by sending another email to privacy@elation.com.

Article 27 EU Representative:

Elation:

VeraSafe Czech Republic s.r.o.

Klimentská 46

Prague 1, 11002

Czech Republic


VeraSafe Ireland Ltd

Unit 3D North Point House, 

North Point Business Park, 

New Mallow Road, Cork T23AT2P

Ireland


VeraSafe Netherlands BV

Keizersgracht 391 A

1016 EJ Amsterdam 

The Netherlands


VeraSafe

Plaza de la Solidaridad 12

Fifth Floor

29006, Malaga

Spain


Contact form: https://www.verasafe.com/privacy-services/contact-article-27-representative/


Customer:

Customer shall provide the contact details of its data protection representative in the EU (if any) to Elation by sending an email to privacy@elation.com. In the event that the provided identity and contact details change, Customer shall provide the updated information to Elation by sending another email to privacy@elation.com.

Article 27 UK Representative:

The United Kingdom Representative of Elation pursuant to Article 27 of the UK GDPR is:

VeraSafe United Kingdom Ltd. 

Albert Embankment

SE1 7TL, London 

United Kingdom

Contact form: https://www.verasafe.com/privacy-services/contact-article-27-representative/


Customer:

Customer shall provide the contact details of its data protection representative in the UK (if any) to Elation by sending an email to privacy@elation.com. In the event that the provided identity and contact details change, Customer shall provide the updated information to Elation by sending another email to privacy@elation.com.

Data Protection Officer:

Elation:

Elation Data Security Team

Email: ciso@elation.com

Phone Number: +1 (855) 878-2400


Customer:

Customer shall provide the contact details of its Data Protection Officer (if any) to Elation by sending an email to privacy@elation.com. In the event that the provided identity and contact details change, Customer shall provide the updated information to Elation by sending another email to privacy@elation.com.

Activities Relevant to Transferred Data:

Processing activities relating to the provision of the Services, as set forth in the Agreement.

Controllership Role:

As set forth in Sections 3.1 and 16.1 of the Addendum, each Party may serve one or more of the following roles, according to the purposes of the Personal Data being Processed:


Controller and Processor

Customer as the Controller and Elation as the Processor

  • Customer is the Controller of Customer Personal Data when Customer is procuring the Services for Data Subjects directly, while Elation is Customer’s Processor.

Processor and Sub-Processor 

Customer as the Processor and Elation as the (Sub-)Processor

  • Customer is the Processor of Customer Personal Data when Customer is procuring the Services indirectly on behalf of Customer’s own clients, i.e., Customer’s clients are the respective Controllers, whereas Elation is Customer’s Sub-Processor.

  • E.g., If a client hires Customer as Processor and Elation acts as its Sub-Processor in assisting Customer to perform the client contract, then Customer’s client largely determines the purposes and means of Processing, to which Customer and Elation are subject.

Independent Controller

Elation as an Independent Controller

  • Elation is an independent Controller of Customer Personal Data when Elation is Processing Customer Personal Data for the purpose of converting it into Anonymized Data.

Data Transfer Role:

Each Party may serve one or more roles, according to the purposes of the Customer Personal Data being Processed:

  • A Party serves as the Data Exporter when sending (exporting) the Customer Personal Data to another Party.

  • A Party serves as the Data Importer when receiving (importing) the Customer Personal Data from another Party.


Data Exporter:

The Party sending (exporting) Customer Personal Data to the other Party, as applicable to the factual circumstances of each Restricted Transfer of Personal Data.


Data Importer:

The Party receiving (importing) Customer Personal Data from the other Party, as applicable to the factual circumstances of each Restricted Transfer of Customer Personal Data.

B. Description of Transfer

Subject Matter of the Processing:

The subject matter of the Processing of Customer Personal Data pertains to the provision of Services pursuant to the Agreement. 

Nature and Purpose of Processing:

The Processing is related to the provision of Services to Customer, as further detailed within the Agreement, and Elation and its Contracted Processors (if applicable) will perform such acts of Processing of Customer Personal Data as are necessary to provide those Services according to Customer’s instructions, including but not limited to the transmission, storage, and other Processing of Customer Personal Data submitted to the Services.


Elation Processes Customer Personal Data for the purpose of fulfilling the Agreement. The ultimate purpose of Processing is determined by Customer. Elation is data agnostic as to the Customer Personal Data that Customer uploads to the customer instance. Customers decide what, if any, Customer Personal Data to upload to their instance.

Further Processing:

Elation shall not carry out any further Processing of Personal Data beyond the provision of the Services under the Agreement and for the conversion of Customer Personal Data into Anonymized Data.

Retention Criteria (Duration):

(The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period.)

For the duration of the Agreement, and for up to thirty (30) days after the Agreement’s termination.

Categories of Data Subjects:

Customer may submit Customer Personal Data which may include, but is not limited to, Customer Personal Data relating to the following categories of Data Subjects:

  • Prospective, current, and former employees, independent contractors, officers, directors, volunteers, and interns of Customer (“Staff”);

  • Current and former employees, independent contractors, officers, directors, volunteers, representatives, associates, participants, users, individuals who receive career coaching or other talent management services, personnel, and interns of Customer’s current, former, and prospective leads, prospects, and customers (who are natural persons) (“Customer Employees”); and

  • Current and former employees, independent contractors, officers, directors, volunteers, representatives, associates, participants, users, individuals who receive career coaching or other talent management services, personnel, and interns of Customer’s business partners (who are natural persons) (“Partner Employees”).

Categories of Personal Data:

Customer may submit Customer Personal Data which may include, but is not limited to the following categories of Personal Data:


Staff:

Biographical information, including but not limited to first name, middle name, last name, and preferred first name.

Contact information, including but not limited to email and preferred phone number.

Protected characteristics, including but not limited to information needed for equal opportunities monitoring policy (such as age, race, marital status, and sex (including gender, gender identity, and gender expression)).

Employment information, including but not limited to position, company name, hire date, salaried or hourly, full time or part time status, job title, job location, department name.


Customer Employees:

  • Biographical information, including but not limited to first name, middle name, last name, and preferred first name.

  • Contact information, including but not limited to email and preferred phone number.

  • Protected characteristics, including but not limited to information needed for an equal opportunities monitoring policy (such as age, race, marital status, and sex (including gender, gender identity, and gender expression)).

  • Employment information, including but not limited to position, company name, hire date, salaried or hourly status, full-time or part-time status, job title, job location, and department name.


Partner Employees:

  • Biographical information, including but not limited to first name, middle name, last name, and preferred first name.

  • Contact information, including but not limited to email and preferred phone number.

  • Protected characteristics, including but not limited to information needed for an equal opportunities monitoring policy (such as age, race, marital status, and sex (including gender, gender identity, and gender expression)).

  • Employment information, including but not limited to position, company name, hire date, salaried or hourly status, full-time or part-time status, job title, job location, and department name.

Special Categories of Personal Data:

(Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.)

Customer may submit special categories of Personal Data, which, for the sake of clarity, means Personal Data revealing racial or ethnic origin.

Data regarding racial or ethnic origin is decoupled from the Customer Employee or Partner Employee identifying information and, along with other demographic data, is associated only with the numeric results of the assessment for the duration of the customer contract. It is then further deidentified for use as research data.

Frequency of the Transfer:

(e.g., whether Personal Data is transferred on a one-off or continuous basis)

Regular and repeating for as long as Customer uses the Services.

Subject Matter, Nature, and Duration of Contracted Processors:

Any transfer to Contracted Processors will be only as strictly required to perform the Services pursuant to the Agreement. Upon request, Elation will provide to Customer a description of Processing for any Contracted Processor(s), including the subject matter, nature, and duration of Processing.

Technical and Organizational Measures of Contracted Processors:

When Elation engages a Contracted Processor under the Addendum, Elation and the Contracted Processor must enter into an agreement with data protection terms substantially similar to those contained in the Addendum. Elation must ensure that the agreement with each Contracted Processor allows Elation to meet its respective obligations with respect to Customer. 

In addition to implementing technical and organizational measures to protect Customer Personal Data, Contracted Processors must:

  • notify Elation in the event of a Personal Data Breach so that Elation may immediately notify Customer;

  • delete Customer Personal Data when instructed by Elation in accordance with Customer’s instructions to Elation;

  • not engage additional Contracted Processors without Elation’s authorization; and

  • not process Customer Personal Data in a manner which conflicts with Customer’s instructions to Elation.

Appendix I to Exhibit A


Technical and Organizational Security Measures

Throughout the term of the Agreement and for so long as Elation has access to any Customer Personal Data, Elation shall implement and maintain at least the following (or superior) technical and organizational security measures (“TOMs”) to safeguard such Customer Personal Data:

Type of TOMs

Description of TOMs

Measures for pseudonymization and encryption of Personal Data:

All Personal Data are encrypted in transit and at rest.

  • Data for clients under contract are stored separately from Personal Data.

  • Permanent R&D Records only contain multiple-choice survey response data and the respondent’s ten-year age range, state/province, gender, and industry.

    • The questions in Elation’s wellbeing assessment are all broad, and could not be reasonably linked to a particular individual.

    • The industry field associated with the R&D Records is broad, ideally limited to five or ten standard categories (e.g., healthcare, manufacturing, technology, etc.).

    • Elation deletes all data from which the R&D Records are derived upon creation of the R&D Records.

  • Elation complies with all applicable aspects of the GDPR, the UK GDPR, and the CCPA as to data other than the R&D Records. In particular, the live data that Elation uses to prepare its products is almost certainly not anonymized or deidentified within the meaning of any of these regulations.

  • Elation identifies a sufficient basis to process the R&D Records to anonymize them under Article 6 of the GDPR.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of Processing systems and services:

  • Elation employs privacy by design principles by storing the participant’s email address and credentials in Okta’s Auth0 while keeping all demographic data and assessment responses in a separate AWS RDS MySQL database. The two are connected only in real time through a token, to allow the participant to access their personal wellbeing and performance data.

  • Data is aggregated in groups of at least 5; individual responses are not accessible, and only averages over sufficiently large demographic groups and identified organization hierarchy nodes are exposed. Data is retrieved read-only from the AWS RDS MySQL database, accessible via an Auth0 token granted to authorized Elation employees for client support, to authorized users with access to all aggregated data, and to authorized users that are designated managers for sufficiently large organization hierarchy nodes. All information is read-only and encrypted in transit and at rest.
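The minimum-group-size rule described in the preceding bullet, as an added illustration (example code, not Elation’s own implementation): the respondent records, the organization hierarchy, the field names and the manager check are all constructed assumptions, and the threshold of 5 is the one stated above.

```python
from collections import defaultdict

MIN_GROUP_SIZE = 5  # minimum group size stated in the TOMs

# Constructed sample data (hypothetical): one record per respondent, holding
# only demographic fields, the organization hierarchy node and the numeric
# assessment score; identity data lives elsewhere and is not present here.
RESPONSES = [
    {"org_node": "eng/platform", "age_range": "30-39", "score": 70},
    {"org_node": "eng/platform", "age_range": "30-39", "score": 74},
    {"org_node": "eng/platform", "age_range": "30-39", "score": 78},
    {"org_node": "eng/mobile", "age_range": "30-39", "score": 60},
    {"org_node": "eng/mobile", "age_range": "30-39", "score": 64},
    {"org_node": "eng/mobile", "age_range": "40-49", "score": 68},
    {"org_node": "sales", "age_range": "30-39", "score": 80},
    {"org_node": "sales", "age_range": "30-39", "score": 82},
    {"org_node": "sales", "age_range": "40-49", "score": 84},
    {"org_node": "sales", "age_range": "40-49", "score": 86},
    {"org_node": "sales", "age_range": "40-49", "score": 88},
]

# Constructed organization hierarchy (hypothetical): parent node -> children.
HIERARCHY = {
    "company": ["eng", "sales"],
    "eng": ["eng/platform", "eng/mobile"],
    "eng/platform": [],
    "eng/mobile": [],
    "sales": [],
}


def descendants(hierarchy, node):
    """Return the set of nodes in the subtree rooted at node, node included."""
    seen, stack = set(), [node]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(hierarchy.get(current, []))
    return seen


def aggregate_by(responses, key, min_group=MIN_GROUP_SIZE):
    """Average scores per value of a demographic field.

    Returns {value: {"n": count, "mean": average}}; a group with fewer than
    min_group responses keeps its count but has its mean suppressed (None),
    so no caller can read a result that is close to an individual answer.
    """
    buckets = defaultdict(list)
    for record in responses:
        buckets[record[key]].append(record["score"])
    result = {}
    for value, scores in buckets.items():
        count = len(scores)
        avg = round(sum(scores) / count, 2) if count >= min_group else None
        result[value] = {"n": count, "mean": avg}
    return result


def node_average(responses, hierarchy, node, min_group=MIN_GROUP_SIZE):
    """Average score for a hierarchy node and everything beneath it, or None
    when the subtree holds fewer than min_group responses."""
    members = descendants(hierarchy, node)
    scores = [r["score"] for r in responses if r["org_node"] in members]
    if len(scores) < min_group:
        return None
    return round(sum(scores) / len(scores), 2)


def manager_view(responses, hierarchy, managed_node, requested_node,
                 min_group=MIN_GROUP_SIZE):
    """What a designated manager of managed_node may see for requested_node.

    A node outside the manager's own subtree is refused outright; inside it,
    the same minimum-group rule applies, so a manager cannot drill down to a
    team too small to hide its members.
    """
    if requested_node not in descendants(hierarchy, managed_node):
        raise PermissionError(f"{requested_node} is outside {managed_node}")
    return node_average(responses, hierarchy, requested_node, min_group)


if __name__ == "__main__":
    print(aggregate_by(RESPONSES, "age_range"))
    for node in HIERARCHY:
        print(node, node_average(RESPONSES, HIERARCHY, node))
```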

Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident:

  • Elation uses backup services provided by AWS to restore data in the event of an incident that compromises the integrity of its data.

  • Implemented and maintained procedures to create and maintain retrievable exact copies of Personal Data that Elation stores or otherwise maintains.

Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure the security of the Processing:

  • Elation has contracted with VeraSafe to provide regular reviews of security measures and penetration testing of its test and production environments.

  • Periodic (at least once annually) internal and external vulnerability scans on information technology systems, including software applications and networks that will be used for Processing Personal Data.

  • Formal patch management process for vulnerabilities.

  • Penetration testing at least once annually.

  • Maintenance of updated security audit certifications once ISO 27001 certification is complete.

Measures for user identification and authorization:

  • Elation uses Okta’s Auth0 to manage password creation and participant access to individual accounts.

  • Role-based access authorization policy based on least privilege and need to know.

  • Configuration of systems and applications to restrict access to authorized users only.

  • Monitoring of all user access.

  • Through Okta/Auth0:

    • Password policies and password management procedures that require strong passwords.

    • Support for multi-factor authentication.

  • Periodic audits of active user accounts and associated access capabilities (at least twice annually and when there is a new user or system change).

Measures for the protection of Personal Data during transmission:

  • Encryption of Personal Data during transmission using the Transport Layer Security (TLS) protocol version 1.2 or higher with a minimum of 128-bit encryption.

  • Encryption of Personal Data during transmission through SSH and VPN to fulfil DSRR requests.

Measures for the protection of Personal Data during storage:

  • Encryption of Personal Data during storage (i.e., at rest) using a minimum of AES-256.

  • Secure configuration for network devices, such as firewalls, routers, and switches.

Measures for ensuring physical security of locations at which Personal Data are Processed:

  • Elation does not store Personal Data at any physical location.

  • Processes are in place for ensuring that Personal Data is only hosted in facilities with the highest guarantees and certifications (ISO 27001:2013, SOC 2 Type II, etc.).

Measures for ensuring events logging:

  • Elation uses logging tools provided by AWS and Axiom to monitor and report events.

  • Active monitoring and logging of software application, network, and database security for potential security events at the system, platform, and application levels.

  • Retention of audit logs in accordance with legal requirements.

Measures for ensuring system configuration, including default configuration:

  • Maintenance of documented security baselines for all authorized operating systems, software applications, and network devices.

  • Performing regular manual audits of all systems to ensure compliance with the organization’s security baselines.

  • Maintenance of secure images or templates for all systems based on the organization’s security baselines.

Measures for internal IT and IT security governance and management:

Elation has an internal IT team providing support that includes:

  • IT governance

  • A fractional CISO 

  • Implementation and maintenance of an information security management program based on generally accepted frameworks such as the ISO 27000, NIST Cybersecurity, and CIS Controls, including but not limited to, mobile device policies, incident response management policies, teleworking policies, acceptable use policies, asset management policies, and change management policies.

Measures for certification/assurance of processes and products:

Elation has contracted with VeraSafe to recommend, institute, and audit Elation’s use of appropriate processes and products to ensure data privacy and security.

  • Elation is currently pursuing ISO 27001 certification.

Measures for ensuring data minimization:

Elation maintains an internal review process to ensure that it collects only the minimum amount of Personal Data needed to provide the contracted services for its clients.

  • Ensuring that data minimization is embedded into the system configuration and change management procedure.

  • Internal processes to remove Personal Data from its systems as soon as that Personal Data is no longer required under the terms of the Agreement.

Measures for ensuring data quality:

Implement and maintain appropriate technical controls to prevent, detect, and correct data integrity violations in IT Systems, including but not limited to data loss prevention (DLP) tools, checksums, mirroring, ECC memory, RAID parity, and file integrity monitoring tools.

Measures for ensuring limited data retention:

Implementation of an internal retention schedule for Personal Data, including backups, based on legal and regulatory requirements.

  • Ensuring secure disposal of devices that could potentially store Personal Data.

Measures for ensuring accountability:

Elation has implemented and maintains a security and awareness program that includes at least an annual privacy and security training for all individuals responsible for Processing Personal Data.

  • Elation ensures that personnel responsible for Processing Personal Data are bound to confidentiality obligations (e.g., through a non-disclosure agreement).

  • Appropriate discipline and sanctions are in place when personnel violate security policies, non-disclosure agreements, and other policies relating to Personal Data. 

  • Enforcement of internal IT and IT security governance and management in accordance with the TOMs entitled “Measures for internal IT and IT security governance and management” above.

Measures for allowing data portability and ensuring erasure:

Elation maintains an updated data inventory (i.e., a data map or a record of processing) that identifies all locations where a Data Subject’s Personal Data is stored.

  • Elation provides a DSRR Form to facilitate requests to port data.

  • Elation has processes for assuring that Personal Data can be deleted from backup media if legally required.

Information about Contracted Processors’ TOMs:

Set forth in Part B of Exhibit A, and Appendix II to Exhibit A.

Appendix II to Exhibit A


List of Contracted Processors

In addition to the information contained in the table below, upon request, Elation will provide to Customer: the contact information for any Contracted Processor(s) and a description of Processing for any Contracted Processor(s), including the subject matter, nature, and duration of Processing.


Below is a list of the Contracted Processors of Elation as of the Effective Date:

Amazon Web Services, Inc. (https://aws.amazon.com/)

  • Location of Processing: USA

  • Product(s) or Service(s) Provided: Provides the runtime environment to execute the code developed and maintained by PTown. Stores and encrypts all data associated with Elation’s Wellbeing Workbench.

  • Description of Contracted Processor’s TOMs: AWS undergoes a SOC 2 Type II audit annually. A summary of AWS’ security measures is available from Elation on request. Refer to https://aws.amazon.com/security/ for further information.

Okta, Inc. (https://www.okta.com/)

  • Location of Processing: USA

  • Product(s) or Service(s) Provided: Provides authentication and role-based login services to ensure that only authorized individuals access the Wellbeing Workbench tools and services.

  • Description of Contracted Processor’s TOMs: Okta undergoes various independent security audits. A summary of Okta’s security measures is available from Elation on request. Details are available at: https://trust.okta.com/compliance/.

Mailgun Technologies, Inc. (https://www.mailgun.com/)

  • Location of Processing: USA

  • Product(s) or Service(s) Provided: Mailgun generates the invitation email messages that are sent to employees who are being requested to take a Wellbeing Workbench assessment.

  • Description of Contracted Processor’s TOMs: Mailgun undergoes various independent security audits. A summary of Mailgun’s security measures is available from Elation on request. Details are available at: https://security.mailgun.com/.

Vercel, Inc. (https://vercel.com/)

  • Location of Processing: USA

  • Product(s) or Service(s) Provided: Axiom provides logging services. As a rule, PII is not logged, but there may be occasions where we have an issue provisioning a user and, in those circumstances, it is possible that we would need to log activity for a specific email address.

  • Description of Contracted Processor’s TOMs: Axiom undergoes a SOC 2 Type II audit annually. A summary of Axiom’s security measures is available from Elation on request. Refer to https://axiom.co/security for further information.

Microsoft Corporation (https://www.office.com/)

  • Location of Processing: USA

  • Product(s) or Service(s) Provided: Elation uses hosted Exchange email services provided by Microsoft. Email communications contain customer contact information.

  • Description of Contracted Processor’s TOMs: Microsoft undergoes a SOC 2 Type II audit annually. A summary of Microsoft’s security measures is available from Elation on request. Refer to https://servicetrust.microsoft.com/ for further information.

Exhibit B - Jurisdiction Specific Terms

Argentina.

  1. Applicability. Wherever the Processing pursuant to the Addendum falls within the scope of Argentina’s Personal Data Protection Law 25,326, Regulatory Decree 1558/2001, and any other corresponding decrees, regulations, or guidance governing the Processing of Personal Data in Argentina (collectively “Argentine Data Protection Laws”), the provisions of the Addendum and this Section shall apply to such Processing. 

  2. Restricted Transfers. 

    1. With regard to any Restricted Transfer subject to Argentine Data Protection Laws between the Parties, one of the following transfer mechanisms shall apply, in the following order of precedence:

      1. a valid adequacy decision adopted by the Argentine National Bureau of Personal Data Protection (“NBPDP”); 

      2. the appropriate SCCs adopted by the NBPDP from time to time; or

      3. any other lawful data transfer mechanism, as laid down in Argentine Data Protection Laws.  

  3. Standard Contractual Clauses. 

    1. The Addendum hereby incorporates by reference the SCCs. The Parties are deemed to have accepted, executed, and signed the SCCs where necessary in their entirety (including the annexures thereto).

    2. The Parties agree that any references to annexures within this Section shall be deemed to be the same as the cognate and corresponding references within any appropriate, updated SCCs as may be applicable from time to time pursuant to the Addendum. 

    3. For the purposes of the annexures to Annex II of the SCCs promulgated by the NBPDP in its Provision 60-E/2016 (“Argentine SCCs”) and any substantially similar SCCs which may be adopted by the relevant authorities in the future, the content of Annex A of the Argentine SCCs is set forth in Exhibit A.

    4. In cases where the SCCs apply and there is a conflict between the terms of the Addendum and the terms of the SCCs, the terms of the SCCs shall prevail with regard to the Restricted Transfer in question.

  4. Termination. Upon termination of the Agreement, Elation shall destroy all Personal Data it has Processed on behalf of Customer after the end of the provision of Services relating to the Processing and destroy all copies of the Personal Data unless applicable law requires or permits storage of such Personal Data.


Australia. When applicable, the Processing of Customer Personal Data shall be compliant with the Australian Privacy Principles, the Australian Privacy Act (1988), and any other applicable law, regulation, or decree of Australia pertaining to the protection of such information.


Brazil. When applicable, the Processing of Customer Personal Data shall be compliant with Brazil’s Lei Geral de Proteção de Dados (Law No. 13.709 of 14 August 2018) and any other applicable law, regulation, or decree of Brazil pertaining to the protection of such information.


Bulgaria.

  1. Applicability. Wherever the Processing pursuant to the Addendum falls within the scope of Bulgaria’s Personal Data Protection Act (as amended in November 2019), the Electronic Communications Act, and any other corresponding decrees, regulations, or guidance, the provisions of the Addendum and this Section shall apply to such Processing.

  2. General. Elation shall:

    1. return to Customer any Personal Data Processed pursuant to the Addendum within a period of one month after having become aware of any Personal Data that has been disclosed (i) without a legal basis pursuant to Article 6(1) of the EU GDPR, or (ii) contrary to the principles under Article 5 of the EU GDPR; or, if this is impossible or would involve disproportionate efforts, erase or destroy the Personal Data; and

    2. if the Personal Data is erased or destroyed in accordance with Section 4.2(a) of these Jurisdiction Specific Terms, document such erasure and destruction.


Canada. When applicable, the Processing of Customer Personal Data shall be compliant with the Canadian Federal Personal Information Protection and Electronic Documents Act and any other applicable law, regulation, or decree of Canada pertaining to the protection of such information.


Colombia.

  1. Applicability. Wherever the Processing pursuant to the Addendum falls within the scope of Colombia’s Data Protection Law No. 1581 of 2012 (“Data Protection Law No. 1581”), Data Protection Decree No. 1377 of 2013 (“Data Protection Decree”), and any corresponding decrees, regulations, or guidance (collectively “Colombian Data Protection Laws”), the provisions of the Addendum and this Section shall apply to such Processing. 

  2. Definitions.

    1. “Information Processing Policy” (“Política de Tratamiento de la información”) shall have the meaning set forth in Article 13 of the Data Protection Decree.

    2. “Personal Data Breach” (as used in the Addendum) includes “violations of security codes” [that] “result in risks to the administration of Data Subjects’ information” (“violaciones a los códigos de seguridad y existan riesgos en la administración de la información de los Titulares”), as that phrase is construed under Articles 17(n) and 18(k) of the Data Protection Law No. 1581.

    3. “Rights of the Data Subjects” (as used in the Addendum) include such Data Subjects’ hábeas data rights, as that phrase is construed under the Constitution of Colombia and Colombian Data Protection Laws.

    4. “Supervisory Authority” (as used in the Addendum) includes Colombia’s Superintendency of Industry and Commerce (Superintendencia de Industria y Comercio).

  3. General. As applicable, Elation shall comply with all requirements applicable to Processors under the Colombian Data Protection Laws, including but not limited to obligations under Article 18 of Data Protection Law No. 1581 and Articles 11, 23, and 25 of the Data Protection Decree. Elation shall also comply with Customer’s Information Processing Policy, if any.


European Economic Area.

  1. Definitions.

    1. “EEA” means the European Economic Area, consisting of the EU Member States, and Iceland, Liechtenstein, and Norway.

    2. “EEA Data Protection Laws” means the EU GDPR and all laws and regulations of the EU and the EEA countries applicable to the Processing of Customer Personal Data.

    3. “EU 2021 SCCs” means the contractual clauses adopted by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

    4. “EU GDPR” (as used in the Addendum) means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as may be amended from time to time.

  2. Restricted Transfers. 

    1. With regard to any Restricted Transfer subject to EEA Data Protection Laws between the Parties, one of the following transfer mechanisms shall apply, in the following order of precedence:

      1. a valid adequacy decision adopted by the European Commission on the basis of Article 45 of the EU GDPR; 

      2. the appropriate SCCs adopted by the European Commission from time to time; or

      3. any other lawful data transfer mechanism, as laid down in EEA Data Protection Laws.

  3. Standard Contractual Clauses.

    1. The Addendum hereby incorporates by reference the SCCs. The Parties are deemed to have accepted, executed, and signed the SCCs where necessary in their entirety (including the annexures thereto).

    2. The Parties agree that any references to clauses, annexures, modules and choices within this Section shall be deemed to be the same as the cognate and corresponding references within any appropriate, updated SCCs as may be applicable from time to time pursuant to the Addendum.

    3. For the purposes of the EU 2021 SCCs and any substantially similar SCCs which may be adopted by the relevant authorities in the future:

      1. the Parties agree to apply the following modules:

        1. Module One with respect to Controller-to-Controller Restricted Transfers;

        2. Module Two with respect to Controller-to-Processor Restricted Transfers;

        3. Module Three with respect to Processor-to-Sub-Processor Restricted Transfers; and

        4. Module Four with respect to Processor-to-Controller Restricted Transfers;

      2. Clause 7: The Parties choose not to include the optional docking clause;

      3. Clause 9(a): The Parties choose option 2, “General Written Authorization,” and the time period set forth in Section 6.3 of the Addendum (The procedures for designation and notification of new Contracted Processors are set forth in more detail in Section 6 of the Addendum);

      4. Clause 11: The Parties choose not to include the optional language relating to the use of an independent dispute resolution body;

      5. Clause 13 (Annex I.C): The competent Supervisory Authority is as follows:

        1. If the Data Exporter is established in an EU member state, the competent Supervisory Authority shall be the Supervisory Authority for that member state.

        2. If the Data Exporter is not established within an EU member state, but the Data Exporter falls within the territorial scope of the GDPR pursuant to Article 3(2) and has appointed a Data Protection Representative, the competent Supervisory Authority shall be the Supervisory Authority in the member state where the Data Exporter’s Data Protection Representative is established.

        3. If the Data Exporter is not established in an EU Member State, but the Data Exporter falls within the territorial scope of the GDPR pursuant to Article 3(2) and has not appointed a Data Protection Representative, the competent Supervisory Authority shall be the Supervisory Authority of one of the Member States in which the Data Subjects whose Personal Data is transferred under the SCCs in relation to the offering of goods or services to them, or whose behaviour is monitored, are located. If one of those Member States is Ireland, then the competent Supervisory Authority is the Irish Data Protection Commission. If one of those Member States is not Ireland, then the Data Exporter shall select the competent Supervisory Authority and provide its selection to the Data Importer by sending an email to the applicable email address as set forth in Exhibit A. The Parties shall then agree on the competent Supervisory Authority.

      6. Clause 17: The SCCs shall be governed by the laws of the Republic of Ireland;

      7. Clause 18: Any dispute arising from the SCCs shall be resolved by the courts of the Republic of Ireland;

      8. Annex I(A and B): The content of Annex I(A) and (B) is set forth in Exhibit A;

      9. Annex II: The content of Annex II is set forth in Appendix I to Exhibit A; and

      10. Annex III: The content of Annex III is set out in Appendix II to Exhibit A.

    4. The terms contained in Exhibit C to the Addendum supplement the SCCs.

    5. In cases where the SCCs apply and there is a conflict between the terms of the Addendum and the terms of the SCCs, the terms of the SCCs shall prevail with regard to the Restricted Transfer in question.


Israel.

  1. Applicability. Wherever the Processing pursuant to the Addendum falls within the scope of Israel’s Protection of Privacy Law (5741-1981), the Protection of Privacy Regulations (Data Security) 5777-2017, and any corresponding decrees, regulations, or guidance, the provisions of the Addendum and this Section shall apply to such Processing.

  2. Deletion or Return of Personal Data. After returning or deleting Customer Personal Data pursuant to Section 10 of the Addendum, Elation shall provide Customer with written confirmation that it no longer possesses any Customer Personal Data.

  3. General. Elation shall notify Customer, at least once annually (and in a format to be agreed upon by the Parties), on the manner in which Elation has implemented its obligations in the Addendum.


Singapore.

  1. Applicability. Wherever the Processing pursuant to the Addendum falls within the scope of Singapore’s Personal Data Protection Act 2012, Personal Data Protection (Amendment) Bill 2020, Personal Data Protection Regulations 2021, and any corresponding decrees, regulations, or guidance, the provisions of the Addendum and this Section shall apply to such Processing.

  2. Retention of Personal Data. The retention of Customer Personal Data is set forth in Exhibit A.

  3. Deletion or Return of Personal Data. After returning or deleting Customer Personal Data pursuant to Section 10 of the Addendum, Elation shall provide Customer with written confirmation that it no longer possesses any Customer Personal Data.


Switzerland.

  1. Definitions.

    1. “EU 2021 SCCs” means the contractual clauses adopted by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

    2. “FDPIC” means the Swiss Federal Data Protection and Information Commissioner.

    3. “Swiss Data Protection Laws” includes the Federal Act on Data Protection of 19 June 1992 (“FADP”) and the Ordinance to the Federal Act on Data Protection.

  2. Restricted Transfers.

    1. With regard to any Restricted Transfer subject to Swiss Data Protection Laws between the Parties, one of the following transfer mechanisms shall apply, in the following order of precedence:

      1. a valid adequacy decision adopted by the FDPIC on the basis of Article 6 of the FADP;

      2. the appropriate SCCs adopted by the FDPIC from time to time; or

      3. any other lawful transfer mechanism, as laid down in Swiss Data Protection Laws.

  3. Standard Contractual Clauses.

    1. The Addendum hereby incorporates by reference the EU 2021 SCCs, which have been adopted for use by the FDPIC with certain modifications. The Parties are deemed to have accepted, executed, and signed the EU 2021 SCCs where necessary in their entirety (including the annexures thereto).

    2. The Parties incorporate and adopt the EU 2021 SCCs for Restricted Transfers subject to Swiss Data Protection Laws in the same manner set forth in Section 7.3 of these Jurisdiction Specific Terms, subject to the following:

      1. Clause 13 (Annex I.C): The competent authority shall be the FDPIC. Nothing about the Parties’ designation of the competent Supervisory Authority shall be interpreted to preclude Data Subjects in Switzerland from applying to the FDPIC for relief;

      2. Clause 17: The SCCs shall be governed by the laws of Switzerland;

      3. Clause 18: Any dispute arising from the SCCs shall be resolved by the courts of Switzerland. The Parties’ selection of forum may not be construed as forbidding Data Subjects habitually resident in Switzerland from suing for their rights in Switzerland;

      4. references to “Regulation (EU) 2016/679” and specific articles therein shall be replaced with references to the FADP and the equivalent articles or sections therein, insofar as there are any Restricted Transfers subject to Swiss Data Protection Laws; and

      5. the SCCs also protect the data of legal entities until the entry into force of the revised FADP.

    3. In cases where the SCCs apply and there is a conflict between the terms of the Addendum and the terms of the SCCs, the terms of the SCCs shall prevail with regard to the Restricted Transfer in question.


United Arab Emirates: ADGM.

  1. Definitions.

    1. “ADGM Data Protection Laws” includes the Abu Dhabi Global Market (“ADGM”) Data Protection Regulations 2021 (“DPR 2021”), and any corresponding decrees, regulations, or guidance.

    2. “ADGM SCCs” means the contractual clauses adopted by the Commissioner of Data Protection effective from 2021-08-14 relating to the transfer of Personal Data outside the ADGM pursuant to DPR 2021.

  2. Personal Data Breach. In addition to those terms contained in Section 8 of the Addendum, immediately upon providing notice of a Personal Data Breach, Elation shall provide to Customer the name and contact details of the contact point where more information can be obtained.

  3. Restricted Transfers. 

    1. With regard to any Restricted Transfer subject to ADGM Data Protection Laws between the Parties, one of the following transfer mechanisms shall apply, in the following order of precedence:

      1. a valid adequacy decision adopted by the Commissioner of Data Protection on the basis of Article 41 of the DPR 2021;

      2. the appropriate SCCs adopted by the Commissioner of Data Protection from time to time; or

      3. any other lawful data transfer mechanism, as laid down in ADGM Data Protection Laws. 

  4. Standard Contractual Clauses.

    1. The Addendum hereby incorporates by reference the SCCs. The Parties are deemed to have accepted, executed, and signed the SCCs where necessary in their entirety (including the annexures thereto). 

    2. The Parties agree that any references to clauses, annexures, modules and choices within this Section shall be deemed to be the same as the cognate and corresponding references within any appropriate, updated SCCs as may be applicable from time to time pursuant to the Addendum.

    3. For the purposes of the ADGM SCCs and any substantially similar SCCs which may be adopted by the relevant authorities in the future:

      1. the Parties agree to apply the following modules:

        1. Module One with respect to Controller-to-Controller Restricted Transfers;

        2. Module Two with respect to Controller-to-Processor Restricted Transfers;

        3. Module Three with respect to Processor-to-Sub-Processor Restricted Transfers; and

        4. Module Four with respect to Processor-to-Controller Restricted Transfers;

      2. Clause 7: The Parties choose not to include the optional docking clause;

      3. Clause 9(a): The Parties choose option 2, “General Written Authorization,” and the time period set forth in Section 6.3 of the Addendum (The procedures for designation and notification of new Contracted Processors are set forth in more detail in Section 6 of the Addendum);

      4. Clause 11: The Parties choose not to include the optional language relating to the use of an independent dispute resolution body; 

      5. Clause 17: The SCCs shall be governed by the laws of the ADGM; 

      6. Clause 18: Any dispute arising from the SCCs shall be resolved by the courts of the ADGM; 

      7. Annex I: The content of Annex I is set forth in Exhibit A;

      8. Annex II: The content of Annex II is set forth in Appendix I to Exhibit A; and

      9. Annex III: The content of Annex III is set out in Appendix II to Exhibit A.

    4. In cases where the SCCs apply and there is a conflict between the terms of the Addendum and the terms of the SCCs, the terms of the SCCs shall prevail with regard to the Transfer in question.

  5. General. Elation shall fully co-operate, on request, with the ADGM Office of Data Protection in the performance of Elation’s obligations under the ADGM Data Protection Laws.


United Arab Emirates: DIFC.

  1. Definitions.

    1. “Commissioner” means the DIFC Commissioner of Data Protection.

    2. “DIFC Data Protection Laws” includes the Dubai International Financial Centre (“DIFC”) Data Protection Law No. 5 of 2020, as amended by DIFC Law No. 2 of 2022 (“DP Law 2020”), the DIFC Data Protection Regulations of 2020 (“Regulations”), and any corresponding decrees, regulations, or guidance.

    3. “DIFC SCCs” means the contractual clauses adopted by the Commissioner in accordance with regulations relating to the transfer of Personal Data outside the DIFC pursuant to DP Law 2020.

  2. Personal Data Breach. In addition to those terms contained in Section 8 of the Addendum, immediately upon providing notice of a Personal Data Breach, Elation shall provide to Customer the name and contact details of the contact point where more information can be obtained. Elation shall fully co-operate with any investigation of the Commissioner in relation to a Personal Data Breach.

  3. Audit Rights. In addition to those terms contained in Section 11 of the Addendum, Elation shall make available to the Commissioner, upon request, all information necessary to demonstrate compliance with the obligations laid down in this Section 13 of these Jurisdiction Specific Terms and the Addendum, and allow for and contribute to audits, including inspections, conducted by the Commissioner.

  4. Restricted Transfers. 

    1. With regard to any Restricted Transfer subject to DIFC Data Protection Laws between the Parties, one of the following transfer mechanisms shall apply, in the following order of precedence:

      1. a valid adequacy decision adopted by the Commissioner on the basis of Article 26 of the DP Law 2020; 

      2. the appropriate SCCs adopted by the Commissioner from time to time; or

      3. any other lawful data transfer mechanism, as laid down in DIFC Data Protection Laws. 

  5. Standard Contractual Clauses.

    1. The Addendum hereby incorporates by reference the SCCs. The Parties are deemed to have accepted, executed, and signed the SCCs where necessary in their entirety (including the appendices thereto). 

    2. The Parties agree that any references to clauses, appendices, and choices within this Section shall be deemed to be the same as the cognate and corresponding references within any appropriate, updated SCCs as may be applicable from time to time pursuant to the Addendum.

    3. For the purposes of the DIFC SCCs and any substantially similar SCCs which may be adopted by the relevant authorities in the future:

      1. The SCCs shall be effective from the Effective Date. The term of the SCCs shall be three (3) years, at which time the Addendum will be reviewed and updated as needed in order to comply with then-current DIFC Data Protection Laws.

      2. Clause 7: The Parties choose not to include the optional docking clause;

      3. Clause 9: The Parties choose option 2, “General Written Authorization,” and the time period set forth in Section 6.3 of the Addendum (The procedures for designation and notification of new Contracted Processors are set forth in more detail in Section 6 of the Addendum); 

      4. Clause 16: The Parties choose to include the optional language relating to terminating the SCCs when circumstances change, including where they are no longer required by providing sixty (60) days written notice to the other Party; 

      5. Appendix 1: The content of Appendix 1 of the DIFC SCCs is set forth in Exhibit A;

      6. Appendix 2: The content of Appendix 2 of the DIFC SCCs is set forth in Appendix I to Exhibit A; and

      7. Appendix 3: The content of Appendix 3 of the DIFC SCCs is set out in Appendix II to Exhibit A.

    4. In cases where the SCCs apply and there is a conflict between the terms of the Addendum and the terms of the SCCs, the terms of the SCCs shall prevail with regard to the Restricted Transfer in question. 


United Arab Emirates: Federal.

  1. Definitions.

    1. “Data Office” means the UAE Data Office established by virtue of Decree-Law No. 44 of 2021.

    2. “UAE Federal Data Protection Laws” includes the United Arab Emirates (“UAE”) Personal Data Protection Law (Decree-Law No. 45 of 2021), Decree-Law No. 44 of 2021, and any corresponding decrees, regulations, or guidance.

  2. Personal Data Breach. In addition to its obligations pursuant to Section 8 of the Addendum, immediately upon providing notice of a Personal Data Breach, Elation shall describe to Customer in as much detail as reasonably possible: (i) the form and causes of the Personal Data Breach, (ii) the potential and expected impact and consequences of such Personal Data Breach upon Customer and the affected Data Subjects, and (iii) the name and contact details of a contact point where more information can be obtained.

  3. Restricted Transfers. 

    1. With regard to any Restricted Transfer subject to UAE Federal Data Protection Laws between the Parties, one of the following transfer mechanisms shall apply, in the following order of precedence:

      1. a valid adequacy decision adopted by the Data Office on the basis of Article 22 of Decree-Law No. 45 of 2021; 

      2. the appropriate SCCs adopted by the Data Office from time to time; or 

      3. any other lawful data transfer mechanism, as laid down in UAE Federal Data Protection Laws. 

  4. Standard Contractual Clauses.

    1. The Addendum hereby incorporates by reference the SCCs. The Parties are deemed to have accepted, executed, and signed the SCCs where necessary in their entirety (including the appendices thereto). 

    2. The Parties agree that any references to clauses, appendices, and choices within this Section shall be deemed to be the same as the cognate and corresponding references within any appropriate SCCs as may be applicable from time to time pursuant to the Addendum. 

    3. For the purposes of the SCCs and any substantially similar SCCs which may be adopted by the relevant authorities in the future:

      1. The SCCs shall be effective from the Effective Date. The term of the SCCs shall be three (3) years, at which time the Addendum will be reviewed and updated as needed in order to comply with then-current UAE Federal Data Protection Laws.

      2. Clause 7: The Parties choose not to include the optional docking clause;

      3. Clause 9(a): The Parties choose option 2, “General Written Authorization,” and the time period set forth in Section 6.3 of the Addendum (The procedures for designation and notification of new Contracted Processors are set forth in more detail in Section 6 of the Addendum); 

      4. Clause 16: The Parties choose to include the optional language relating to terminating the SCCs when circumstances change, including where they are no longer required by providing sixty (60) days written notice to the other Party; 

      5. Appendix 1: The content of Appendix 1 of the SCCs is set forth in Exhibit A;

      6. Appendix 2: The content of Appendix 2 of the SCCs is set forth in Appendix I to Exhibit A; and 

      7. Appendix 3: The content of Appendix 3 of the SCCs is set out in Appendix II to Exhibit A.

    4. In cases where the SCCs apply and there is a conflict between the terms of the Addendum and the terms of the SCCs, the terms of the SCCs shall prevail with regard to the Restricted Transfer in question.

  5. General.

    1. Elation shall notify Customer if the Processing exceeds the duration set forth in Part B of Exhibit A so that Customer may extend such duration or issue the appropriate directions.

    2. Elation shall fully co-operate, on request, with the Data Office in the performance of its obligations under the UAE Federal Data Protection Laws.


United Kingdom.

  1. Definitions.

    1. “UK Data Protection Laws” includes the Data Protection Act 2018 and the UK GDPR.

    2. “UK GDPR” (as used in the Addendum) means the United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.

    3. “UK ICO” means the UK Information Commissioner’s Office.

    4. “UK IDTA” means the International Data Transfer Agreement issued pursuant to Section 119A(1) of the Data Protection Act 2018 and approved by the UK Parliament.

  2. Restricted Transfers.

    1. With regard to any Restricted Transfer subject to UK Data Protection Laws between the Parties, one of the following transfer mechanisms shall apply, in the following order of precedence:

      1. a valid adequacy decision adopted pursuant to Article 45 of the UK GDPR;

      2. the UK IDTA; or

      3. any other lawful data transfer mechanism, as laid down in the UK Data Protection Laws.

  3. UK IDTA.

    1. The Addendum hereby incorporates by reference the UK IDTA. The Parties are deemed to have accepted, executed, and signed the UK IDTA where necessary in its entirety.

    2. For the purposes of the tables to the UK IDTA:

      1. Table 1: The content of Table 1 is set forth in Part A of Exhibit A;

      2. Table 2:

        1. The UK IDTA shall be governed by the laws of England and Wales;

        2. Any dispute arising from the UK IDTA shall be resolved by the courts of England and Wales;

        3. The Parties’ controllership and data transfer roles are set out in Part A of Exhibit A;

        4. The UK GDPR applies to the Data Importer’s Processing of the Personal Data;

        5. The Addendum and the Agreement set out the instructions for Processing Personal Data;

        6. The Data Importer shall Process Personal Data for the time period set out in Part B of Exhibit A. The Parties agree that neither Party may terminate the UK IDTA before the end of such time period;

        7. The Data Importer may only transfer Personal Data to authorized Contracted Processors (if applicable), as set out within Section 6 of the Addendum, or to such third parties that the Data Exporter authorizes in writing or within the Agreement;

      3. Table 3: The content of Table 3 is set forth in Part B of Exhibit A and may be updated in accordance with Section 14 of the Addendum; and

      4. Table 4: The content of Table 4 is set forth in Appendix I to Exhibit A and may be updated in accordance with Section 14 of the Addendum.

    3. Part 2 (Extra Protection Clauses) and Part 3 (Commercial Clauses) of the UK IDTA are noted throughout the Addendum.

    4. The terms contained in Exhibit C to the Addendum supplement the UK IDTA.

    5. In cases where the UK IDTA applies and there is a conflict between the terms of the Addendum and the terms of the UK IDTA, the terms of the UK IDTA shall prevail.


United States of America.

  1. Applicability. Wherever the Processing pursuant to the Addendum falls within the scope of United States Data Protection Laws (defined below), the provisions of the Addendum and this Section shall apply to such Processing. 

  2. Definitions.

    1. “United States Data Protection Laws” include, individually and collectively, enacted state and federal laws, acts, and regulations of the United States of America that apply to the Processing of Personal Data, as may be amended from time to time. Such laws include, without limitation:

      1. the California Consumer Privacy Act of 2018, as amended, including as amended by the California Privacy Rights Act of 2020 (Cal. Civ. Code § 1798.100 et seq.), and the California Consumer Privacy Act Regulations, together with all implementing regulations;

      2. the Colorado Privacy Act, Colo. Rev. Stat. § 6-1-1301 et seq., together with all implementing regulations;

      3. the Connecticut Act Concerning Data Privacy and Online Monitoring, Pub. Act No. 22-15;

      4. the Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq.; and

      5. the Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-571 et seq.

    2. Personal Data Breach” (as used in the Addendum) includes “Breach of Security” and “Breach of the Security of the System” as defined under applicable United States Data Protection Laws.

    3. The terms “Business Purpose”, “Commercial Purpose”, “Sell”, and “Share” shall have the same meanings as under applicable United States Data Protection Laws, and their cognate and corresponding terms shall be construed accordingly.

  3. Processing of Customer Personal Data.

    1. Customer discloses Customer Personal Data to Elation solely for: (i) valid Business Purposes; and (ii) to enable Elation to perform the Services.

    2. Elation shall not: (i) Sell or Share Customer Personal Data; (ii) retain, use or disclose Customer Personal Data for a Commercial Purpose other than providing the Services specified in the Agreement or as otherwise permitted by United States Data Protection Laws; (iii) retain, use, or disclose Customer Personal Data except where permitted under the Agreement between Customer and Elation; nor (iv) combine Customer Personal Data with other information that Elation Processes on behalf of other persons or that Elation collects directly from the Data Subject, with the exception of Processing for Business Purposes. Elation certifies that it understands these prohibitions and agrees to comply with them.

  4. Termination. Upon termination of the Agreement, Elation shall, as soon as reasonably practicable, destroy all Personal Data it has Processed on behalf of Customer after the end of the provision of Services relating to the Processing and destroy all copies of the Personal Data unless applicable law requires or permits storage of such Personal Data.

Exhibit C - Supplemental Clauses to the Standard Contractual Clauses

By this Exhibit C (this “Exhibit”), the Parties provide additional safeguards and redress to the Data Subjects whose Personal Data is transferred pursuant to SCCs. This Exhibit supplements and is made part of, but is not in variation or modification of, the SCCs that may be applicable to the Restricted Transfer.

  1. Definitions. For the purpose of interpreting this Exhibit, the following terms shall have the meanings set out below:

    1. “EO 12333” means the U.S. Executive Order 12333.

    2. “FISA” means the U.S. Foreign Intelligence Surveillance Act.

    3. “Schrems II Judgment” means the judgment of the European Court of Justice in Case C-311/18, Data Protection Commissioner v. Facebook Ireland Limited and Maximilian Schrems.

  2. Applicability of Surveillance Laws. 

    1. Data Importer represents and warrants that, as of the Effective Date, it has not received any national security orders of the type described in Paragraphs 150-202 of the Schrems II Judgment.

    2. Data Importer represents that it reasonably believes that it is not eligible to be required to provide information, facilities, or assistance of any type under FISA Section 702 because:

      1. no court has found Data Importer to be an entity eligible to receive legal process issued under FISA Section 702: (i) an “electronic communication service provider” within the meaning of 50 U.S.C. § 1881(b)(4); or (ii) an entity belonging to any of the categories of entities described within that definition; and

      2. if Data Importer were to be found eligible for process under FISA Section 702, which it believes it is not, it is nevertheless also not the type of provider that is eligible to be subject to UPSTREAM collection pursuant to FISA Section 702, as described in paragraphs 62 and 179 of the Schrems II Judgment.

    3. EO 12333 does not provide the U.S. government the ability to order or demand that Data Importer provide assistance for the bulk collection of information and Data Importer shall take no action pursuant to EO 12333.

  3. Backdoors.

    1. Data Importer certifies that:

      1. it has not purposefully created backdoors or similar programming for governmental agencies that could be used to access Data Importer’s systems or Customer Personal Data subject to the SCCs;

      2. it has not purposefully created or changed its business processes in a manner that facilitates governmental access to Customer Personal Data or systems; and

      3. national law or government policy does not require Data Importer to create or maintain back doors or to facilitate access to Customer Personal Data or systems.

    2. Data Exporter will be entitled to terminate the contract on short notice in cases in which Data Importer does not reveal the existence of a back door or similar programming or manipulated business processes or any requirement to implement any of these or fails to promptly inform Data Exporter once their existence comes to its knowledge.

  4. Information About Legal Prohibitions. Data Importer will provide Data Exporter information about the legal prohibitions on Data Importer to provide information under this Exhibit. Data Importer may choose the means to provide this information.

  5. Additional Measures to Prevent Access. Notwithstanding the application of the security measures set forth in the Addendum, Data Importer will implement internal policies establishing that:

    1. Data Importer must require an official, signed document issued pursuant to the applicable laws of the requesting third party before it will consider a request for access to transferred Customer Personal Data; 

    2. Data Importer shall be notified upon receipt of each request or order for transferred Customer Personal Data;

    3. Data Importer shall scrutinize every request for legal validity and, as part of that procedure, will reject any request Data Importer considers to be invalid; 

    4. if Data Importer is legally required to comply with an order, it will respond as narrowly as possible to the specific request; and

    5. if Data Importer receives a request from public authorities to cooperate on a voluntary basis, Customer Personal Data transmitted in plain text may only be provided to public authorities with the express agreement of Data Exporter.

  6. Termination. This Exhibit shall automatically terminate with respect to the Processing of Customer Personal Data transferred in reliance of the SCCs if the Supervisory Authority or a competent regulator approves a different transfer mechanism that would be applicable to the Restricted Transfers covered by the SCCs (and if such mechanism applies only to some of the data transfers, this Exhibit will terminate only with respect to those transfers) and that does not require the additional safeguards set forth in this Exhibit.