Endgame Data Processing Agreement

1. DEFINITIONS

   Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. 
   “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means ownership (directly or indirectly) of more than 50% of the voting rights in the applicable entity;
   “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civil Code § 1798.100 et seq.;
   “Customer Group Member” means Customer or any Customer Affiliate;
   “Customer Personal Information” means any Personal Information that is provided by Customer to Company or any Subprocessor and Processed by Company or a Subprocessor on behalf of Customer pursuant to the Agreement; 
   “Data Protection Laws” means all foreign and domestic laws and regulations, including without limitation, all laws and regulations of the European Union (“EU”), the European Economic Area (“EEA”) and their Member States, Switzerland and the United Kingdom (“UK”), and CCPA, in each case, if and to the extent applicable to the Processing of Personal Information under the Agreement;
   “GDPR” means EU General Data Protection Regulation 2016/679;
   “Personal Information” means information that constitutes “personal information” or “personal data” as such terms are defined by applicable Data Protection Laws; 
   “Subprocessor” means any third party appointed by Company to Process Customer Personal Information under the instruction or supervision of Company on behalf of Customer in connection with the Agreement;
   "UK GDPR" means the Data Protection Act 2018, as well as the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419);
   The terms, “Aggregated”, “Business”, “Controller”, “Data Subject”, “Deidentified”, “Member State”, “Processing”, “Sale”, “Service Provider” and “Supervisory Authority” shall have the same meaning as in the GDPR or the CCPA, as applicable, and their cognate terms shall be construed accordingly.

   
   

2. PROCESSING OF PERSONAL INFORMATION
   
   

   1. Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Customer Personal Information, Customer is the Controller or Business (as applicable), Company is the Processor or Service Provider (as applicable), and that Company will engage Subprocessors pursuant to the requirements set forth in Section 5 below. The parties acknowledge and agree that neither of them has reason to believe that the other party is unable to comply with the provisions of this DPA or otherwise that such party is in violation of any Data Protection Law. Each party will comply with the obligations applicable to it under the Data Protection Laws, including with respect to the Processing of Customer Personal Information. Company shall notify Customer if it determines that it cannot meet its obligations under Data Protection Law. Upon receiving written notice from Customer that Company has Processed Customer Personal Information without authorization, Company will take reasonable and appropriate steps to stop and remediate such Processing.
   2. Customer’s Processing of Personal Information. Customer shall not provide Personal Information to Company except as is necessary for Company’s performance of Services and unless, to the extent required under Data Protection Laws applicable to Customer, Customer shall have given the necessary notices and obtained the necessary consents, in each case, from the applicable Data Subjects whose Personal Information is Processed by Company for the Permitted Purposes (defined below).  Customer shall not provide Company with any Personal Information defined or treated as sensitive or special categories of personal data under Data Protection Laws without Company’s prior written consent.  Customer shall, in its use of the Services, Process Customer Personal Information in accordance with the requirements of Data Protection Laws and shall without undue delay notify Company if Customer is in breach of any Data Protection Law. For the avoidance of doubt, Customer’s instructions for the Processing of Customer Personal Information shall comply with Data Protection Laws. Company shall notify the Customer without undue delay if, in Company’s reasonable opinion, an instruction for the Processing of Customer Personal Information given by the Customer infringes applicable Data Protection Laws. As between the parties, Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Information and the means by which Customer acquired Customer Personal Information. 
   3. Company’s Processing of Personal Information. Except as required by applicable law, Customer instructs and Company shall Process Customer Personal Information only as necessary to (A) perform its obligations on behalf of and in accordance with Customer’s documented instructions, (B) exercise its rights under the Agreement (C) if initiated by Data Subjects in their use of the Services; and (D) to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement and applicable Data Protection Laws (collectively, the “Permitted Purposes”). If Company will be required to process Customer Personal Information for any other purpose by the applicable laws to which Company is subject, Company shall inform the Customer of this requirement without undue delay and in any event before it Processes such Personal Information, unless prohibited by applicable laws. Company shall inform the relevant government authority that Company is a processor of the Personal Information and that the Customer has not authorized Company to disclose the Personal Information to the government authority and inform the relevant government authority that any and all requests or demands for access to the Personal Information should therefore be notified to or served upon the Customer in writing.
   4. No Selling.  Company shall not: (a) Sell Customer Personal Information; (b) retain, use or disclose Customer Personal Information for any purpose other than for the Permitted Purposes; (c) retain, use, or disclose the information outside of the direct business relationship between Service Provider and Customer; or (d) combine Customer Personal Information with Personal Information Company receives from individuals or other customers, except as permitted by Data Protection Laws. Company may Process Customer Personal Information to derive aggregated or Deidentified data in connection with Company’s ordinary business practices.
   5. Details of the Processing. The duration of the Processing, the nature and purpose of the Processing, the types of Customer Personal Information and categories of Data Subjects Processed under this DPA are further specified in Schedule 1 attached hereto.

      
      

3. RIGHTS OF DATA SUBJECTS
   
   

   1. Data Subject Request. Company shall, to the extent legally permitted, promptly notify Customer if Company receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of or objection to Processing and/or the Sale of information, erasure (“right to be forgotten”), data portability or any other request with respect to Personal Information of the applicable Data Subject as set forth under applicable Data Protection Laws (“Data Subject Request”). Taking into account the nature of the Processing and the Customer Personal Information, Company shall assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request directly, Company shall, upon Customer’s written request, exercise reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Company is legally permitted to do so. To the extent legally permitted, Customer shall be responsible for any out-of-pocket costs, including outside counsel fees and expenses, arising from Company’s provision of such assistance.

      
      

4. AGENCY PERSONNEL
   
   

   1. Confidentiality. Company shall inform its personnel engaged in the Processing of Customer Personal Information of the confidential nature of the Customer Personal Information and bind them by confidentiality obligations and provide training regarding the Processing of Customer Personal Information. 
   2. Limitation of Access. Company shall take reasonable steps designed to limit access to Customer Personal Information to those personnel performing Services in accordance with the Agreement.  

      
      

5. SUBPROCESSORS
   
   

   1. Appointment of Subprocessors. Company makes available to Customer the current list of Sub-processors used by Company to process Personal Information as detailed in Schedule 3 (the “List”). The List as of the date of first use of the Services by Customer is hereby deemed authorized upon first use of the Services. With respect to the Processing of Customer Personal Information, each Customer Group Member authorizes Company to appoint (and permit each Subprocessor appointed in accordance with this Section 5.1 to appoint) new Subprocessors which are not stated in the List in accordance with this section 5 (“New Subprocessors”). Company may continue to use those Subprocessors already engaged by Company as of the date of this DPA as detailed in the List, subject to Company’s meeting the obligations set out in this section.  Company has entered (or shall enter with respect to New Subprocessors) into a written agreement with each Subprocessor containing data protection obligations similar or substantially similar to those in this Agreement with respect to the protection of Customer Personal Information to the extent applicable to the nature of the Services provided by such Subprocessor.  Where a Subprocessor fails to fulfil its data protection obligations concerning its Processing of Personal Information, Processor shall remain responsible for the performance of the Subprocessor's obligations.
   2. Notification of New Subprocessors and Customer’s Right to Object. Company shall give Customer written notice of the appointment of any New Subprocessor, including details of the Processing to be undertaken by the New Subprocessor. If, within ten (10) business days of receipt of that notice, Customer (acting reasonably and in good faith) notifies Company in writing of any objections to the appointment, Company shall cease disclosing any Customer Personal Information to the proposed New Subprocessor until reasonable steps have been taken to address the objections (including but not limited to, performing reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Information by the New Subprocessor without unreasonably burdening the Customer) raised by any Customer Group Member and Customer has been provided with notice thereof. If Company is unable to make available such change within thirty (30) days, either party may terminate the Agreement and this DPA by providing written notice to the other party. All amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to Company.

      
      

6. SECURITY
   
   

   1. Controls for the Protection of Customer Data. Company shall maintain commercially reasonable technical and organizational measures designed to protect the security (including against unauthorized or unlawful Processing of, and against accidental or unlawful destruction, loss or alteration, unauthorized disclosure of, or access to, Customer Personal Information), confidentiality and integrity of Customer Personal Information and provide the level of protection required by Data Protection Laws; and Company shall monitor compliance with these measures in accordance with its internal information security program. Upon the Customer’s request, and if and to the extent applicable, Company will assist Customer in fulfilling its compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of the Processing and the information available to Company.
   2. Audit; Data Protection Impact Assessment. 
      1. Upon written request, Company shall provide Customer with a copy of Company’s cybersecurity audit or assessment, for example, its SOC 2 Report, no more than once annually. Company shall reasonably cooperate with Customer in relation to any audit of Company which is necessary to enable Customer to comply with its obligations under applicable Data Protection Law and/or to receive information necessary to demonstrate Company’s compliance with applicable Data Protection Law (“Audit”). Any such Audit shall be (i) at Customer’s expense (except where the Customer suffers a Data Security Incident), (ii) subject to a mutually agreed upon scope, (iii) conducted by the Customer and/or by an independent third party who has signed a nondisclosure agreement with the applicable Company or Subprocessor audited party (“Auditor”), and (iv) subject to the confidentiality obligations set forth in the Agreement and any confidentiality obligations imposed by Company’s Subprocessors. Any information disclosed in connection with such Audit shall be the Confidential Information of Company (and/or Subprocessor, as the case may be). Customer accepts that certain sensitive information in relation to information technology and security will be redacted before being audited and may only be audited in a manner reasonably determined by Company.  Customer shall use reasonable endeavors to minimize any disruption caused to the Company’s business activities as a result of such Audit. 
      2. Upon Customer’s request, Company shall provide Customer with reasonable cooperation and assistance, at Customer’s cost, needed to fulfill Customer’s obligation under the GDPR or any applicable Data Protection Law, to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is reasonably available to Company. Company shall provide reasonable assistance to Customer in the cooperation or prior consultation with the applicable Supervisory Authority in the performance of its tasks relating to this Section of this DPA, to the extent required under the GDPR or any applicable Data Protection Law.

         
         

7. CUSTOMER DATA INCIDENT MANAGEMENT AND NOTIFICATION

   Company will without undue delay notify Customer of any actual unauthorized disclosure, loss, destruction, compromise, damage, alteration, access or theft of Customer Personal Information (collectively, a “Security Event”), and provide sufficient information to Customer to enable Customer to meet its obligations under Applicable Data Protection Laws, and take such reasonable and commercial steps as requested by Customer to assist in the investigation, mitigation, and remediation of any Security Event.  The aforementioned notification from Company to Customer will, to the extent possible, include a description of (i) the nature of the Security Event, (ii) the categories of Customer Personal Information affected and approximate number of records of Customer Personal Information affected, (iii) the approximate number of individuals affected by the Security Event, (iv) any potential legal or regulatory consequences of which Company is aware, and (v) the measures taken or proposed to be taken to address the Security Event.  In the event of an actual or a reasonably suspected Security Event, Company will designate a senior employee to serve as Company single point of contact from whom Customer can obtain more information about the Security Event. 

8. RETURN AND DELETION OF CUSTOMER DATA

   Company shall, on the written request of Customer, return all Customer Personal Information to Customer and/or at Customer's request delete the same from its systems, so far as is reasonably practicable and other than any back-up copies which Company or its Affiliates are required to retain for compliance with applicable laws or regulatory requirements or otherwise pursuant to Company’s internal data backup procedures, provided that such copies are kept confidential and secure in accordance with this DPA and the Agreement.

   
   

9. TRANSFER MECHANISMS FOR DATA TRANSFERS.
   
    

   1. EU Standard Contractual Clauses.  To the extent Customer Personal Information originates in the EEA or in Switzerland, and Company is not established in a country which the European Commission has granted an adequacy status, and Company has not obtained Binding Corporate Rules authorization in accordance with Applicable Data Protection Laws, the parties agree to apply the provisions of the EU Standard Contractual Clauses and supplementary measures, where required.  To the extent Customer Personal Information originates outside of the EEA and Switzerland, the parties will also agree to apply the provisions of the EU Standard Contractual Clauses, provided that the EU Standard Contractual Clauses are legally required and sufficient to meet the requirements of the applicable data protection regulations for the transfer of Personal Data.  If the EU Standard Contractual Clauses are applicable between the parties pursuant to this Section 9.1, their provisions will be deemed incorporated by reference into this DPA. To the extent required by Applicable Data Protection Laws, the parties shall enter into and execute the EU Standard Contractual Clauses as a separate document.
      
      
   2. UK Standard Contractual Clauses.  To the extent Customer Personal Information originates in the UK, and Company is not established in the UK, or a country which the UK authorities granted an adequacy status, and Company has not obtained Binding Corporate Rules authorization in accordance with Applicable Data Protection Laws, the parties agree to apply the provisions of the UK Standard Contractual Clauses and hereby incorporate the UK Standard Contractual Clauses (Controller to Processor) by reference into this DPA.  In case the parties can no longer rely on the UK Standard Contractual Clauses as an appropriate data transfer mechanism, the parties will conclude an alternative data transfer mechanism to replace the UK Standard Contractual Clauses.

      
      

10. GOVERNING LAW

    The parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and this DPA and is governed by the laws of the country or territory stipulated for this purpose in the Agreement.

Exhibit A
Data Processing Activities