Data Processing Addendum

2.1

Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Personal Data solely on behalf of Customer, (i) Customer is the Controllerof Personal Data and Opti is the Processor of such Personal Data, or (ii) Customer is a Processor of Personal Data and Opti is a Sub-Processor of such Personal Data; as applicable.

2.2

Customer’s Processing of Personal Data. Customer, in its use of the Services, and Customer’s instructions to Opti, shall comply with Data Protection Laws. Customer shall establish and have any and all required legal bases for Opti’s Processing activities on Customer’s behalf, including the pursuit of ‘business purposes’ as defined under the CCPA.

2.3

Opti’s Processing of Personal Data. When Processing on Customer’s behalf under the Agreement, Opti shall Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement and this DPA; (ii) Processing for Customer as part of its provision of the Services; (iii) Processing to comply with Customer’s reasonable and documented instructions, where such instructions are consistent with the terms of the Agreement; (iv) rendering Personal Data fully anonymous, non-identifiable and non-personal in accordance with applicable standards recognized by Data Protection Laws and guidance issued thereunder; (v) Processing as required under the laws applicable to Opti, and/or as required by a court of competent jurisdiction or other competent governmental or semi-governmental authority, provided that Opti shall inform Customer of the legal requirement before Processing, unless such law or order prohibit such information on important grounds of public interest. 

2.4

In the event that Customer discloses or otherwise makes available to Opti Deidentified Data (as defined by applicable Data Protection Laws), Opti shall (i) take reasonable measures to ensure such data cannot be associated with a natural person, and (ii) maintain and use such data without attempting to re-identify it.

2.5

Opti shall inform Customer without undue delay if, in Opti’s opinion, an instruction for the Processing of Personal Data given by Customer infringes applicable Data Protection Laws. To the extent that Opti cannot comply with an instruction from Customer, Opti (i) shall inform Customer, providing relevant details of the issue, (ii) Opti may, without liability to Customer, temporarily cease all Processing of the affected Personal Data (other than securely storing such data) and/or suspend Customer’s access to the Services, and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, Customer may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Processing, and Customer shall pay to Opti all the amounts owed to Opti or due before the date of termination. Customer will have no further claims against Opti (including, without limitation, requesting refunds for Services) pursuant to the termination of the Agreement and the DPA as described in this paragraph.

2.6

Details of the Processing. The subject-matter of Processing of Personal Data by Opti is the performance of the Services pursuant to the Agreement and the purposes set forth in this DPA. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 1 (Details of Processing) to this DPA.

2.7

CCPA Terms. If Customer is a Business under the CCPA and Opti Processes Personal Data hereunder that is subject to the CCPA, the terms set forth in Schedule 3 (CCPA Terms) hereto shall apply and bind the Parties with regard to such Personal Data and the Processing thereof. 

Opti shall, to the extent legally permitted, notify Customer or refer Data Subjects to Customer, if Opti receives a request from a Data Subject to exercise their rights under Data Protection Laws concerning the Personal Data (“Data Subject Request”). Taking into account the nature of the Processing, Opti shall assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible and reasonable, for the fulfilment of Customer’s obligation to respond to a Data Subject Requests under Data Protection Laws.

Opti shall ensure that its personnel and advisors engaged in the Processing of Personal Data have committed themselves to confidentiality and appropriate privacy and security trainings.

5.1

Appointment of Sub-processors. Customer acknowledges and agrees that (a) Opti may engage Sub-processors to Process Personal Data on behalf of Customer; (b) Opti’s Affiliates may be engaged as Sub-processors; and (c) Opti and Opti’s Affiliates on behalf of Opti may each engage third-party Sub-processors in connection with the provision of the Services. A list of Sub-processors currently used by Opti is provided in Schedule 4 (“Sub-Processor List”). The Sub-Processor List as of the date of first use of the Services by Customer is hereby deemed authorized upon first use of the Services.

5.2

Agreements with Sub-processors. Opti or Opti’s Affiliate on behalf of Opti has entered into a written agreement with each Sub-processor containing appropriate safeguards to the protection of Personal Data. Where Opti engages a Sub-processor for carrying out specific Processing activities on behalf of the Customer, the same or materially similar data protection obligations as set out in this DPA shall be imposed on such new Sub-processor by way of a contract, in particular obligations to implement appropriate technical and organizational measures in such as a manner that the Processing will meet the requirements of the relevant Data Protection Laws. Where a Sub-processor fails to fulfil its data protection obligations concerning its Processing of Personal Data, Opti shall remain responsible for the performance of the Sub-processor's obligations. 

5.3

Notification and Objection to New Sub-processors. Opti may engage with a new Sub-processor ("New Sub-processor") to Process Personal Data on Customer's behalf and shall give notice of the planned appointment of any new Sub-processor(s) through an email. Opti shall provide notification of any new Sub-processor(s) engaged to Process Personal Data in connection with the provision of the Services. Customer may object to the Processing of Personal Data by the New Sub-processor, for reasonable and explained grounds relating to the protection of Personal Data, by providing a written objection to privacy@opti.ai  within 10 days following notification to Customer of the engagement with the New Sub-processor. [If Customer sends Opti a written objection notice in a timely manner, the parties will make a good-faith effort to resolve Customer's objection. In the absence of a resolution, Opti will make commercially reasonable efforts to provide Customer with the same level of Services, without using the New Sub-processor to Process Personal Data.] 

6.1

Controls for the Protection of Personal Data. Opti shall maintain industry-standard technical and organizational measures for protection of Personal Data, including those measures set forth in the Security Documentation.

6.2

Audits and Inspections. Upon Customer’s 14 days prior written request at reasonable intervals (no more than once every 12 months), and subject to strict confidentiality undertakings by Customer, Opti shall make available to Customer that is not a competitor of Opti (or Customer’s independent, reputable, third-party auditor that is not a competitor of Opti and not in conflict with Opti, subject to their confidentiality and non-compete undertakings) information necessary to demonstrate that Personal Data is Processed in a manner consistent with Opti’s obligations under this DPA, and allow for and contribute to audits, including inspections, conducted by them (provided, however, that such information, audits, inspections and the results therefrom, including the documents reflecting the outcome of the audit and/or the inspections, shall only be used by Customer to assess Opti’s compliance with this DPA, and shall not be used for any other purpose or disclosed to any third party without Opti’s prior written approval. Upon Opti's first request, Customer shall return all records or documentation in Customer's possession or control provided by Opti in the context of the audit and/or the inspection). If and to the extent that the SCC apply, nothing in this Section 6.2 varies or modifies the SCC nor affects any Supervisory Authority’s or Data Subject’s rights under the SCC.

6.3

In the event of an audit or inspections as set forth above, Customer shall ensure that it (and each of its mandated auditors) will not cause (or, if it cannot avoid, minimize) any damage, injury or disruption to Opti’s premises, equipment, personnel and business while conducting such audit or inspection. 

6.4

In the event that such audit or inspection uncovers unauthorized Processing of Personal Data, Customer shall have the right to, upon notice, take reasonable and appropriate steps to stop and remediate such unauthorized Processing.

6.5

The audit rights set forth in Section ‎6.2 above shall only apply to the extent that the Agreement does not otherwise provide Customer with audit rights that meet the relevant requirements of Data Protection Laws.

Opti maintains security incident management policies and procedures and shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data Processed by Opti on behalf of the Customer (a “Data Incident”), or data incident or breach as otherwise defined in applicable Data Protection Laws involving Personal Data Processed by Opti on behalf of the Customer. Opti shall make reasonable efforts to identify and take those steps as Opti deems necessary and reasonable in order to remediate and/or mitigate the cause of such Data Incident. The obligations herein shall not apply to incidents that are caused by Customer or anyone who uses the Services on Customer’s behalf. Customer will not make, disclose, release or publish any finding, admission of liability, communication, notice, press release or report concerning any Data Incident which directly or indirectly identifies Opti (including in any legal proceeding or in any notification to regulatory or supervisory authorities or affected individuals) without Opti’s prior written approval, unless, and solely to the extent that, Customer is compelled to do so pursuant to applicable Data Protection Laws. In the latter case, unless prohibited by such laws, Customer shall provide Opti with reasonable prior written notice to provide Opti with the opportunity to object to such disclosure and in any case, Customer will limit the disclosure to the minimum scope required.

Within 60 days following termination of the Agreement and subject thereto, Opti shall delete all the Personal Data it Processes solely on behalf of the Customer unless Data Protection Laws require otherwise. To the extent authorized or required by applicable law, Opti may also retain one copy of the Personal Data solely for evidence purposes and/or for the establishment, exercise or defense of legal claims and/or for compliance with legal obligations.

9.1

Applicable Data Protection Laws in certain jurisdictions may require additional/different safeguards or transfer mechanism to facilitate cross-border transfers. In such a case, the Parties agree to cooperate and implement such additional safeguards or adopt such transfer mechanisms, as appropriate and necessary.

9.2

In the event of any Onward Transfer by Opti, it shall procure that the Sub-processor, to which the Personal Data is transferred, provides sufficient guarantees to protect the Personal Data, and observes no less onerous obligations as those imposed on the Opti under the original relevant transfer and adopts the necessary transfer mechanism.

9.3

Personal Data may be transferred from the EEA, Switzerland or UK, to a destination outside of these jurisdictions, provided that such transfer complies with applicable provisions regarding the transfer of Personal Data to countries outside of the EEA, Switzerland or UK under Data Protection Laws (such as where the transfer of Personal Data is to an approved jurisdiction, subject to an adequacy decision made by the European Commission) or through the use of SCC (including as incorporated by reference in Schedule 2 when the transfer is between the Parties), or other applicable frameworks).

10.1

Contractual Relationship. The Parties acknowledge and agree that, by executing the DPA, the Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, in which case each Authorized Affiliate agrees to be bound by the Customer’s obligations under this DPA, if and to the extent that Opti Processes Personal Data on the behalf of such Authorized Affiliates as described in Section 2.1 of this DPA. All access to and use of the Services by Authorized Affiliates must comply with the terms and conditions of the Agreement and this DPA and any violation of the terms and conditions therein by an Authorized Affiliate shall be deemed a violation by Customer.

10.2

Communication. Customer shall remain responsible for coordinating all communication with Opti under the Agreement and this DPA, including for Authorized Affiliates, and shall be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.

Upon Customer’s reasonable request, Opti shall provide Customer, at Customer’s cost, with reasonable cooperation and assistance needed to fulfil Customer’s obligation under Data Protection Laws to carry out a data protection impact assessment or data protection assessment (as applicable) related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Opti. Opti shall provide, at Customer’s cost, reasonable assistance to Customer in the cooperation or prior consultation with Supervisory Authorities in the performance of its tasks relating to this Section 11, to the extent required under the applicable Data Protection Laws.

To the maximum extent permitted by law, this DPA shall be governed by the laws governing the Agreement, except for those provisions of clauses which dictate the application of another law for particular purposes.

Each Party may request in writing variations to this DPA if they are required as a result of any change in, or decision of a competent authority under Data Protection Laws, to allow Processing of Personal Data to be made (or continue to be made) in accordance with the Agreement or this DPA without breach of those Data Protection Laws. The Parties shall make commercially reasonable efforts to accommodate such modification request that the other Party believes is necessary.

Nature and Purpose of Processing

‍As detailed in clause 2.3 of this DPA. 

‍Duration of Processing

‍Subject to any section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Opti will Process Personal Data pursuant to the DPA and Agreement for the duration of the Agreement, unless otherwise agreed upon in writing. 

‍Type of Personal Data

‍Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion.

‍Categories of Data Subjects

‍Customer may submit Personal Data to the Services regarding various categories of Data Subjects, determined and controlled by the Customer in its sole discretion.