This Data Protection Addendum, including all annexes and appendices attached hereto (“DPA”), forms part of the Master Subscription Agreement between Solve and Licensee, each a “Party” and collectively the “Parties”. This DPA applies to and takes precedence with regard to the Processing of Personal Data to the extent of any conflict. The Parties agree to the following:
1. Definitions. Capitalized terms not otherwise defined in the DPA will have the meaning set forth in this Agreement. For purposes of this DPA:
a) “Applicable Privacy Law(s)” means all applicable worldwide data protection and privacy laws and regulations applicable to the Processing of Personal Data, including, without limitation and where applicable, European Data Protection Laws, UK Data Protection Laws, the Swiss FDAP, and U.S. Data Protection Laws, in each case to the extent applicable to Processing of Personal Data carried out pursuant to this DPA.
b) “EU Controller to Processor SCCs” means Module 2 or Module 3, as relevant, of the EU Standard Contractual Clauses, as amended or replaced from time to time by a competent authority under the relevant European Data Protection Laws.
c) “EU Restricted Transfer” means a transfer of Personal Data by Licensee to Solve (or any onward Transfer), in each case, where such Transfer would be restricted by European Data Protection Laws in the absence of the protection for the Transferred Personal Data provided by the EU Standard Contractual Clauses.
d) “EU Standard Contractual Clauses” means the standard contractual clauses set out in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended or replaced from time to time by a competent authority under the relevant European Data Protection Laws.
e) “European Data Protection Laws” means the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council and laws implementing or supplementing the GDPR (“GDPR”) and any Member State data protection laws.
f) “Member State” means any relevant member state of the European Union (“EU”) or European Economic Area (“EEA”) from time to time.
g) “Personal Data” means any data that is deemed personal data, personal information, or personally identifiable information under Applicable Privacy Laws that is provided by or on behalf of Licensee to Solve or otherwise Processed by Solve on behalf of Licensee in order to provide the Services, to the extent Applicable Privacy Law applies.
h) “Personal Data Breach” means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data occurring on Solve’s systems or otherwise under Solve’s control.
i) “SCCs” means the EU Standard Contractual Clauses and the UK IDTA, as may be amended or replaced from time to time.
j) “Subprocessor” means any third party (other than Solve’s employees) that Solve engages in accordance with the Service and that Processes Personal Data on behalf of Solve in order to provide the Services to Licensee.
k) “Swiss FDAP” means the Swiss Federal Act on Data Protection.
l) “Swiss Restricted Transfer” means a Transfer of Personal Data by Licensee to Solve (or any onward Transfer), in each case, where such Transfer would be restricted by Swiss FDAP in the absence of the protection for the transferred Personal Data provided transfer provisions.
m) “Transfer”, “Transferred” or “Transferring” means, whether by physical or electronic means, both (a) the moving of Personal Data from one location or person to another, and (b) the granting of access to Personal Data by one location or person to another.
n) “UK Data Protection Laws” means the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (“UK GDPR”), together with the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended) and other data protection or privacy legislation in force from time to time in the United Kingdom.
o) “UK IDTA” means the International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner under section 119A(1) Data Protection Act 2018.
p) “UK Restricted Transfer” means a Transfer of Personal Data by Licensee to Solve (or any onward Transfer), in each case, where such Transfer would be restricted by UK Data Protection Laws in the absence of the protection for the transferred Personal Data provided by the UK IDTA.
q) “U.S. Data Protection Laws” means United States federal, state and local laws and regulations related to data protection and privacy laws and regulations applicable to the Processing of Personal Data, including, but not limited to, the California Consumer Privacy Act of 2018 as amended and superseded by the California Privacy Rights Act of 2020 (“CCPA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), and the Connecticut Personal Data Privacy and Online Monitoring Act (“CPDPA”).
r) The terms “Business,” “Business Purpose,” “Commercial Purpose,” “Consumer,” “Controller,” “Cross-Context Behavioral Advertising,” “Process,” “Processor,” “Sell,” “Service Provider,” and “Share” shall have the same meaning as in Applicable Privacy Laws and in each case their cognate terms shall be construed accordingly.
2. Processing of Personal Data. In accordance with Applicable Privacy Laws, where applicable, Solve will (and will ensure that any Subprocessor acting under Solve authority will):
a) Process Personal Data only (i) as needed to provide the Services; and (ii) in accordance with the specific documented instructions set forth in Annex 1, unless required otherwise to comply with Applicable Privacy Laws (in which case, Solve shall provide prior notice to Licensee of such legal requirement, unless such law prohibits this disclosure);
b) Ensure that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
c) Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organizational security measures to ensure a level of security protection appropriate to the risk;
d) Assist Licensee by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Licensee’s obligation to respond to requests for exercising Data Subjects’ rights as set forth in Applicable Privacy Laws, taking into account the nature of the Processing;
e) Comply with (and shall assist Licensee to comply with) obligations regarding discovered Personal Data Breaches within Solve’s systems or that of a Subprocessor that affect the Processing of Personal Data, data protection impact assessments, and any related prior consultation that involve Personal Data, in all cases, taking into account the nature of Processing, the information available to Solve and in accordance with Applicable Privacy Laws;
f) At Licensee’s discretion and at Licensee’s written request, delete or return to Licensee all the Personal Data after the end of the provision of Services relating to Processing, and delete existing copies unless Applicable Privacy Laws require Solve to continue to store the Personal Data;
g) Provide Licensee with all information necessary to demonstrate compliance with the obligations laid down in this DPA, and if Licensee has a reasonable objection that the information provided is not sufficient to demonstrate Solve’s compliance with this DPA, allow for and contribute to audits, including inspections, conducted by Licensee or another auditor mandated by Licensee; the Parties agree that such audits and inspections will be conducted with at least 14 days’ prior written notice to Solve and not more than once in any 12 month period, unless required by a data protection authority or in connection with a Personal Data Breach within Solve’s system or that of a Subprocessor that involves Personal Data; in no case will Licensee have any right to access by any means whatsoever the information or personal data of a third party or that is otherwise subject to a confidentiality obligation owed to a third party; and
h) Immediately inform Licensee if, in Solve’s opinion, an instruction from Licensee infringes Applicable Privacy Law (to the extent Solve is legally permitted to inform Licensee) or if Solve is unable to comply with Applicable Privacy Law.
3. Subprocessing. Licensee agrees that Solve may engage Subprocessors to Process the Personal Data on Solve’s behalf. Licensee specifically authorizes Solve to engage any Subprocessors listed in Exhibit B. Solve shall impose on such Subprocessors data protection terms that protect the Personal Data that are at least as robust as those provided in this DPA. Solve shall remain fully liable to Licensee for the performance of the Subprocessor’s data protection obligations.
a) Solve may Transfer Personal Data to a Subprocessor for purpose of providing the Services, subject to the following conditions: (i) Solve shall maintain a current list of the Subprocessors to which Solve makes such Transfers and shall provide this list to Licensee upon request; (ii) Solve shall provide to Licensee prior notice of the addition of any Subprocessor to this list and the opportunity to object to such addition(s); and (iii) Licensee has fifteen (15) calendar days from such notice to make an objection on reasonable grounds relating to the protection of the Personal Data, in which case Solve shall have the right to cure the objection through one of the following options (to be selected at Solve’s sole discretion): (A) Solve will cancel its plans to use the Subprocessor with regard to Personal Data or will offer an alternative to provide the Services without such Subprocessor; (B) Solve will take the corrective steps requested by Licensee in its objection (which remove Licensee’s objection) and proceed to use the Subprocessor with regard to Personal Data; or (C) Solve may cease to provide or Licensee may agree not to use (temporarily or permanently) the particular aspect of the Services that would involve the use of such Subprocessor with regard to Personal Data, subject to a mutual agreement of the parties to adjust the remuneration for the Services considering the reduced scope of the Services.
b) Objections to a Subprocessor shall be submitted to Solve by following the directions set forth in the notice. If none of the above options are reasonably available and the objection has not been resolved to the reasonable mutual satisfaction of the Parties within thirty (30) days after Solve’s receipt of Licensee’s objection, Licensee shall have the right to terminate the relevant Processing and Licensee will be entitled to a pro-rata refund for prepaid fees for Services not performed as of the date of termination. Solve may replace a Subprocessor if the reason for the change is beyond Solve’s reasonable control. In such instance, Solve shall notify Licensee of the replacement as soon as reasonably practicable, and Licensee shall retain the right to object to the replacement Subprocessor pursuant to Section 3(a)(iii) above.
4. International Transfers of Personal Data. Licensee, as data exporter, and Solve, as data importer, hereby execute the SCCs incorporated herein by reference, which shall apply to the Personal Data and take effect as from the commencement of a Transfer of Personal Data by Licensee to Solve or any of its Subprocessors, to the extent such Transfer would be restricted by Applicable Privacy Laws in the absence of the SCCs.
a) In respect of any EU Restricted Transfer, Licensee (as “data exporter”) and Solve (as “data importer”) with effect from the commencement of the relevant Transfer hereby enter into the EU Controller to Processor SCCs in respect of any Transfer from Licensee to Solve (or onward Transfer). The EU Controller to Processor SCCs shall apply between Licensee and Solve, and:
i. Clause 7 – Docking clause shall apply;
ii. Clause 9 – Use of Subprocessors, “Option 2” shall apply and the “time period” shall be fifteen (15)
iii. Clause 11(a) – Redress, the optional language shall not apply;
iv. Clause 17 (Governing law) — the Parties choose Option 1 (the law of an EU Member State that allows for third-Party beneficiary rights). The Parties select the laws of Ireland;
v. Clause 18 (Choice of forum and jurisdiction) — the Parties select the courts of Ireland;
vi. Annex I(A) and I(B) (List of Parties) — shall be deemed to be pre-populated with the relevant sections of Annex 1 to this DPA and the Processing operations are deemed to be those described in the relevant sections of Annex 1 to this DPA;
vii. Annex I(C) (Competent supervisory authority) — the Parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission;
viii. Annex II (Technical and organizational measures) — is completed with Annex 2 of this DPA; and
ix. Annex III (List of subprocessors) — is not applicable as the Parties have chosen General Authorization under Clause 9, however a list of Solve’s Subprocessors is available in Exhibit B.
b) In respect of any UK Restricted Transfer, the EU Controller to Processor SCCs shall be read in accordance with, and deemed amended by, the provisions of Part 2 (Mandatory Clauses) of the UK IDTA, and the Parties confirm that the information required for the purposes of Part 1 (Tables) of the UK IDTA is set out in this DPA.
c) In respect of any Swiss Restricted Transfer, the EU Controller to Processor SCCs shall be read in accordance with, and deemed amended as follows:
i. References to the GDPR in the EU Controller to Processor SCCs are to be understood as references to the Swiss FDAP insofar as the data transfers are subject exclusively to the Swiss FADP and not to the GDPR.
ii. The term “member state” in the EU Controller to Processor SCCs shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU Controller to Processor SCCs.
iii. Under Annex I(C) of the EU Controller to Processor SCCs (Competent supervisory authority):
1. Where the transfer is subject exclusively to the Swiss FADP and not the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
2. Where the transfer is subject to both the Swiss FADP and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the Swiss FADP, and the supervisory authority is as set forth in the EU Controller to Processor SCCs insofar as the transfer is governed by the GDPR.
d) If, at any time, a supervisory authority or a court with competent jurisdiction over a Party mandates that Transfers from Controllers in the EEA, in the UK, in Switzerland or in another country, to Processors established outside the EEA, the UK, Switzerland or another country, must be subject to specific additional safeguards in addition to those set out in Annex 2 (including but not limited to specific technical and organizational measures), the Parties shall work together in good faith to implement such safeguards and ensure that any Transfer of Personal Data is conducted with the benefit of such additional safeguards.
6. Personal Data Breach Notification. Solve shall promptly investigate all allegations of unauthorized access to, use or disclosure of the Personal Data. In accordance with Applicable Privacy Laws, Solve will notify Licensee without undue delay (and in no event later than 72 hours) in the event of any Personal Data Breach. Solve shall take steps to eliminate or contain the exposure of Personal Data and keep Licensee informed of the status of the Personal Data Breach and all related matters. Solve further agrees to provide reasonable assistance and cooperation requested by Licensee and/or Licensee’s designated representatives, in the furtherance of any correction or remediation of any Personal Data Breach and/or the mitigation of any potential damage.
7. Records of Processing. To the extent they are applicable to Solve’s Processing activities for Licensee, Solve shall maintain all records required by Applicable Privacy Laws, and where required by Applicable Privacy Laws, Solve shall make them available to Licensee upon written request.
8. Additional Requirements. In accordance with U.S. Data Protection Laws:
a. Solve shall not “Sell” Personal Data or “Share” Personal Data for purposes of “Cross-Context Behavioral Advertising” (as such terms are defined in the CCPA).
b. Solve shall not retain, use, or disclose Personal Data (i) for any purpose other than Business Purposes specified herein and in the Agreement (including retaining, using or disclosing the Personal Data for a Commercial Purpose other than the Business Purpose specified herein) or as otherwise permitted by U.S. Data Protection Laws or (ii) outside of the direct business relationship between Licensee and Solve.
c. Solve certifies that it understands the restrictions described in sections 8(a) and (b) above and will comply with them.
d. Solve will comply with any applicable restrictions under U.S. Data Protection Laws on combining Personal Data with personal data received from, or on behalf of, another person or persons.
9. In the event of a conflict between the terms of this DPA and any other document between the Parties, Solve shall comply with the obligations that provide the most protection for Personal Data, in particular, in terms of security. In the event of any conflict or inconsistency between the terms of this DPA and any other document between the Parties, the terms of this DPA shall control.
10. The obligations pursuant to this DPA shall survive for as long as Solve holds or Processes Personal Data on behalf of any Licensee entity/ies.
ANNEX 1 TO THE EU STANDARD CONTRACTUAL CLAUSES
A. LIST OF PARTIES
Name: Licensee, as provided in the Agreement.
Address: As provided in the Agreement.
Contact person’s name, position and contact details: As provided in the Agreement.
Activities relevant to the data transferred under these Clauses: To receive the Services in the Agreement
Role (controller/processor): Controller
Name: Solve Advisors, Inc.
Address: 265 Sunrise Hwy, Suite 22, Rockville Centre, NY 11570
Contact person’s name, position and contact details: As provided in the Agreement.
Activities relevant to the data transferred under these Clauses: To provide the Services in the Agreement
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
• Licensee employees/personnel
• Licensee end users
Categories of personal data transferred
• Basic contact details (e.g., name, email, phone number, work address)
• Device and usage information (e.g., IP address, unique device identifiers, service usage data)
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measure:
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
On a continuous basis for as long as Licensee is engaging Solve to provide the Services.
Nature of the processing:
The nature of the Processing is as set forth in the Agreement.
Purpose(s) of the data transfer and further processing:
The purposes for the data transfer are to facilitate Solve’s provision of Services pursuant to the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
The data will be retained for the time period needed to accomplish the purposes of Processing, unless otherwise required by applicable law.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
Transfers to Subprocessors involve the same subject matter, nature, and duration of processing as transfers to Solve.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13:
Irish Data Protection Commissioner
ANNEX 2 TO THE EU STANDARD CONTRACTUAL CLAUSES
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Solve establishes operational requirements that support the achievement of security commitments, communicated in Solve system policies and procedures, system design documentation, and contracts with customers as follows:
- Information Security Policies and Standards. Solve will maintain written information security policies, standards and procedures addressing administrative, technical, and physical security controls and procedures. These policies, standards, and procedures shall be kept up to date, and revised whenever relevant changes are made to the information systems that use or store Personal Data.
- Physical Security. Solve will maintain commercially reasonable security systems at all Solve sites at which an information system that uses or stores Personal Data is located (“Processing Locations”) that include reasonably restricting access to such Processing Locations, and implementing measures to detect, prevent, and respond to intrusions.
- Organizational Security. Solve will maintain information security policies and procedures addressing acceptable data use standards, data classification, and incident response protocols.
- Network Security. Solve maintains commercially reasonable information security policies and procedures addressing network security.
- Access Control. Solve agrees that: (1) only authorized Solve staff can grant, modify, or revoke access to an information system that Processes Personal Data; and (2) it will implement commercially reasonable physical and technical safeguards to create and protect passwords.
- Virus and Malware Controls. Solve protects Personal Data from malicious code and will install and maintain anti-virus and malware protection software on any system that handles Personal Data.
- Personnel. Solve has implemented and maintains a security awareness program to train employees about their security obligations. Data Personnel follow established security policies and procedures. Disciplinary process is applied if Data Personnel fail to adhere to relevant policies and procedures.
- Business Continuity. Solve implements disaster recovery and business resumption plans that are kept up to date and revised on a regular basis. Solve also adjusts its Information Security Program in light of new laws and circumstances, including as Solve’s business and Processing change.
Exhibit B — Solve: List of Subprocessors