This Data Processing Addendum (“DPA”), by and between Customer and P6 TECHNOLOGIES, INC. (“Provider”) (together the “Parties”), shall reflect the Parties’ agreement with respect to the processing of personal data in connection with the Software Services Agreement by and between Customer and Provider (“Agreement”). This DPA is supplemental to, and forms a part of, the Agreement and is effective upon its incorporation into the Agreement, which may be specified in the Agreement.

1. DEFINITIONS.

1.1 Controller means the party which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. Where Customer makes Personal Data available to Provider pursuant to the Agreement, Customer is the Controller.  Where Provider makes Personal Data available to Customer pursuant to the Agreement, Provider is the Controller.

1.2 Data Privacy Laws means all laws and regulations related to the collection, use, disclosure, or protection of personal information applicable to the Parties in connection with the Services or the Agreement, which may include, without limitation, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation or GDPR) and other laws and regulations of the European Union (EU), the European Economic Area (EEA), and their member states relating to data protection; the UK GDPR; and the California Consumer Protection Act of 2018 as amended by the California Privacy Rights Act of 2020, and implementing regulations (CCPA).

1.3 Data Subject means the individual to whom Personal Data relates, and shall include Customer’s representatives and employees or Provider’s representatives or employees.

1.4 Data Subject Request means a Data Subject’s request to exercise any rights that person has under Data Privacy Laws in respect of that person’s Personal Data, including any right to access, delete, correct, rectify, restrict or limit the use of such Personal Data.

1.5 Deidentified Data means data that cannot reasonably identify, relate to, describe, or be linked, directly or indirectly to, a particular individual.

1.6 Aggregated Data means data that relates to a group or category of individuals from which identifying information has been removed such that it is not, and cannot be, linked or reasonably linkable to any particular individual. Aggregated Data includes Aggregated Statistics, as defined in the Agreement.

1.7 Personal Data means any information relating to an identified or identifiable natural person made available to Provider by Customer in connection with the Services. This information includes name, email address, IP address, browser type and version, location, operating system/platform, and usage data.   Personal Data may also, in some circumstances, include information relating to an identified or identifiable natural person made available to Customer by Provider, such as information pertaining to Provider’s employees or representatives.  Personal Data does not include Deidentified Data, Aggregated Data, or data that is publicly available.  

1.8 Process or Processing means any operation or set of operations which is performed upon Personal Data, whether or not by automated means, such as collection, storage, use, disclosure, dissemination, combination, blocking, or destruction.  

1.9 Processor means the party which Processes Personal Data on behalf of the Controller. Where Customer makes Personal Data available to Provider pursuant to the Agreement, Provider is the Processor.  Where Provider makes Personal Data available to the Customer pursuant to the Agreement, Customer is the Processor.

1.10 Purpose means the purpose of enabling Provider to provide, maintain, and improve the quality of the Services provided to Customer.

1.11 Security Incident means the unauthorized and unlawful loss, destruction, or theft, acquisition of, or access to, Personal Data that materially compromises the confidentiality, integrity, or availability of Personal Data. Security Incidents do not include attempted, but unsuccessful, acquisition or access to Provider’s systems or Personal Data.

1.12 Services means the services provided by Provider to Customer as set forth in the Agreement, which shall include software services to assist Customer’s creation of life cycle assessments (LCA).

1.13 Subcontractor means a third-party that will Process Personal Data in connection with the Services.
 
2. CONFLICT. IN THE EVENT OF A CONFLICT BETWEEN THE TERMS OF THIS DPA AND THE AGREEMENT, THE TERMS OF THIS DPA SHALL GOVERN.
 
3. PROCESSOR AND CONTROLLER; RIGHTS AND OBLIGATIONS.
3.1 Controller shall make Personal Data available to Processor only for the limited and specified Purpose.  
 
3.2 Processor agrees that it will use the Personal Data only for the Purposes or in accordance with the instructions of Controller.
 
3.3 Unless permitted by law or this DPA, Processor will not (a) retain, use or disclose the Personal Data outside the Parties’ business relationship; (b) retain, use or disclose the Personal Data for any other commercial purpose; (c) sell the Personal Data for valuable consideration; or (d) share the Personal Data for cross-context behavioural advertising purposes.  
 
3.4 Processor agrees to comply with applicable Data Privacy Laws and will notify Controller after it makes a determination in its reasonable opinion that it can no longer meet the obligations under applicable Data Privacy Laws.
 
3.5 Controller shall have the right to take reasonable and appropriate steps (i) to ensure that Processor uses the Personal Data in a manner consistent with its obligations under the Data Privacy Laws, including requiring that Processor make available to the Controller all information necessary to demonstrate compliance with its obligations with respect to the Personal Data, and (ii) to stop and remediate any unauthorized use of Personal Data.
 
3.6 Processor agrees that it is subject to a duty of confidentiality with respect to the Personal Data, and all Subcontractors and persons employed by Processor shall be subject to the same duty of confidentiality with respect to the Personal Data.
 
3.7 At Controller’s request, Processor shall delete or return all Personal Data to Controller at the end of the provision of the Services, unless retention of the Personal Data is required under applicable law.
 
3.8 Processor shall notify Controller upon receipt of a Data Subject Request and Processor shall cooperate with Controller in relation to Data Subject Requests as may be required to allow Customer to meet its legal obligations under the Data Privacy Laws.
 
3.9 In the event that Processor receives a request, subpoena or other process that would require Processing of Personal Data in a manner not expressly permitted by the Agreement and this DPA, Processor shall (a) to the extent permitted by law, notify Controller in writing as far as possible in advance of such disclosure or Processing to allow Controller to seek protective treatment of such Personal Data; (b) reasonably cooperate with Controller’s efforts to obtain such protective treatment or similar relief; and (c) disclose only that Personal Data required to comply with its legal obligations.
 
4. SUBPROCESSORS
4.1 Customer agrees that Provider may use Subprocessors to perform its obligations under this DPA and to perform Services under the Agreement.
 
4.2 Provider shall ensure that any Subcontractors are subject to a written agreement and obligations substantially equivalent to those to which Processor is subject under this DPA.
 
5. DEIDENTIFIED AND AGGREGATED DATA
5.1 Provider shall be entitled to collect and process Deidentified and/or Aggregated Data in connection with the Services, and it shall further be entitled to deidentify or aggregate Personal Data to create Deidentified or Aggregated Data from the Personal Data.  
 
5.2 For the avoidance of doubt, Deidentified and/or Aggregated Data may be used by Provider, without limitation, to analyze behaviour, trends and needs, to improve and enhance the Services, for development or creation of new features, and for diagnostic and corrective purposes in connection with Provider’s products and services. Provider shall own all right, title and interest in and to the Deidentified and Aggregated Data.
 
6. SECURITY; SECURITY INCIDENTS
6.1 Provider agrees that it has implemented and will maintain reasonable and appropriate physical, technical, and administrative safeguards to ensure the confidentiality, integrity, and availability of the Personal Data and Provider’s systems used to Process the Personal Data. Nothing in this DPA shall prohibit Provider from Processing Personal Data for the purpose of preventing, detecting, or investigating Security Incidents or protecting against malicious, deceptive, fraudulent or illegal activity.
 
6.2 At Customer’s reasonable request, Provider shall provide documentation related to Provider’s Information Security Program, which may be updated from time to time, provided that Customer agrees that it shall be deemed confidential, that it shall not be disclosed to any third-parties unless required by law, and that Customer shall destroy or delete it upon Provider’s request.
 
6.3 Provider uses external auditors to verify the adequacy of its security measures. At Customer’s written request, and provided that the parties have an applicable non-disclosure agreement in place, Provider may provide Customer with a copy of applicable audit reports so that Customer can reasonably verify Provider’s reasonable security measures.
 
6.4 Provider shall notify Customer promptly, but in no case later than seventy-two (72) hours, after learning of a Security Incident. Provider shall further provide Customer with the following information as it becomes available: (a) a description of the Security Incident; and (b) a description of the measures taken or proposed to be taken to address the Security Incident. Provider shall use commercially reasonable efforts to mitigate and remediate a Security Incident.
 
6.5 Notification(s) of Security Incidents, if any, will be delivered to one or more of Customer’s representatives by any means Provider selects, including via email. It is Customer’s sole responsibility to ensure Customer’s representatives maintain accurate contact information with Provider.
 
7. INTERNATIONAL TRANSFERS OF PERSONAL DATA
7.1 The Standard Contractual Clauses will apply to Personal Data that is transferred outside the EEA and the UK, either directly or via onward transfer, unless the country is recognised by the appropriate authority as providing an adequate level of protection for personal data (as described in the GDPR). The Annexes of the Standard Contractual Clauses will be deemed completed with the information set out in the Annexes of this DPA. In relation to Personal Data protected by the EU GDPR, the EU SCCs will apply, and in relation to personal data protected by the UK GDPR, the UK SCCs will apply, incorporating the following terms, respectively:
 
7.1.1 EU SCCs. Module Two (Transfer Controller to Processor) will apply; in Clause 7, the optional docking clause will not apply; in Clause 9, Option 2 will apply, and the time period for prior notice of Subprocessor changes will be thirty (60) days; in Clause 11, the optional language will not apply; in Clause 13(a), the data exporter is not established in an EU Member State without having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679; in Clause 17, Option 2 will apply, and the supervisory authority that will act as competent supervisory authority will be determined in accordance with the GDPR.
 
7.1.2 UK SCCs. The UK Addendum shall be deemed executed between the parties, and the EU SCCs shall be deemed amended as specified by the UK Addendum in respect of the transfer of such personal data.
 
7.2 Where requested by Provider, Customer shall enter into further or other applicable Standard Contractual Clauses or similar terms forming part of an applicable certification scheme.
 
8. MODIFICATION.
8.1 Provider may modify any of the terms of this DPA by posting a copy of the updated Terms on its website.  Provider will make commercially reasonable efforts to notify you of such changes prior to or upon implementation; provided, however, that Provider is not responsible for your failure to receive notice of changes, and you agree to review these terms periodically to ensure that you are familiar with the most recent version of this DPA.

Attachment 1

Annexes to European Union Standard Contractual Clauses (MODULE II: Transfer Controller to Processor)

ANNEX I

A. LIST OF PARTIES

Data exporter(s):

Name:  The Customer, as defined in the Agreement.

Address: The Customer’s address, as set forth in the Agreement.

Contact person’s name, position and contact details: The representative of the Customer, as set forth in the applicable order form.

Activities relevant to the data transferred under these Clauses: Processing Personal Data to perform the Services, as set forth in the DPA and the Agreement.

Role: Controller

Data importer(s):

Name: P6 Technologies, Inc.

Address: 1502 Pace Bend Rd S, Spicewood, TX 78669

Contact person’s name, position and contact details: Joseph Berti, Chief Executive Officer, joe@p6technologies.com

Activities relevant to the data transferred under these Clauses: Processing Personal Data to perform the Services, as set forth in the DPA and the Agreement.

Role: Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred:

The categories of data subjects are set forth in the definition of “Data Subjects” in the DPA.

Categories of personal data transferred:

The categories of personal data are set forth in the definition of “Personal Data” in the DPA.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

The Parties do not anticipate the transfer of sensitive data.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

Continuous.

Nature of the processing:

The nature of the processing will be in accordance with the Agreement and this DPA, as set forth in the definition of “Processing” in this DPA.

Purpose(s) of the data transfer and further processing:

The purpose of the data transfer and further processing will be in accordance with the Agreement and this DPA, as set forth in the definition of “Purpose” in the DPA.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

Subject to the obligations set forth in this Agreement, personal data will be processed for the duration of the Agreement.

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Processor’s technical and organizational measures to ensure the security of the data are set forth in the DPA.

ANNEX III

LIST OF SUB-PROCESSORS

Amazon Web Services (AWS)

Attachment 2

Tables to International Data Transfer Addendum to the
EU Commission Standard Contractual Clauses

This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

1.1. Part 1: Tables
 
1.1.1. Table 1: Parties
Start date: Agreement effective date

The Parties: Exporter (who sends the Restricted Transfer)

Parties’ details:
Full legal name: The representative of the Customer, as set forth in the online order form.
Main address (if a Customer registered address): Customer’s address.
Official registration number (if any) (Customer number or similar identifier): N/A

Key Contact:
Full Name (optional):
Job Title:
Contact details including email:

The Parties: Importer (who receives the Restricted Transfer)

Parties’ details:
Full legal name: P6 Technologies, Inc.
Trading name (if different): N/A
Main address (if a Customer registered address): 1502 Pace Bend Rd S, Spicewood, TX 78669
Official registration number (if any) (Customer number or similar identifier): N/A

Key Contact:
Full Name (optional): Joseph Berti
Job Title: Chief Executive Officer
Contact details including email: joe@p6technologies.com
 
1.1.2. Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs
The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:
Date:
Reference (if any):
Other identifier (if any):
Or
The Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:
Module 2: Controller-to-Processor Transfers

Module 1: no entries.

Module 2:
Module in operation: X
Clause 7 (Docking Clause): X
Clause 11 (Option): No Independent Dispute Resolution Body
Clause 9a (Prior Authorisation or General Authorisation): General Authorisation
Clause 9a (Time period): 60 days
Is personal data received from the Importer combined with personal data collected by the Exporter?: (blank)

Module 3: no entries.

Module 4: no entries.
 
1.1.3. Table 3: Appendix Information
Annex 1A: List of Parties: See Annex 1A above
Annex 1B: Description of Transfer: See Annex 1B above.
Annex II: See Annex II above.
Annex III: List of Sub processors (Modules 2 and 3 only): See Annex III above.
 
1.1.4. Table 4: Ending this Addendum when the Approved Addendum Changes
Ending this Addendum when the Approved Addendum changes
Which Parties may end this Addendum as set out in Section:
Importer
Exporter
neither Party