Privacy Policy

Effective: February 23, 2021

This Privacy Policy (the “Policy”) explains how WITH CARDINAL, LLC, a South Carolina limited liability company ( “Company,” “we,” or “us”) collects, stores, uses, and discloses personal information from our users (“you”, “user”) in connection with our service and website located at www.withcardinal.com including mobile or localized versions and related domains / sub-domains (the “Platform”).

Please read and make sure you understand this Policy and the Data Protection Addendum (“Addendum”) which forms an inseparable part of the present Policy and the Policy shall be construed in a manner of the provisions of the Addendum. If you do not agree with this Policy, the Addendum or our practices, you may not use our Platform or our services (the "Services"). This Policy and the Addendum may change from time to time and as an inseparable part, incorporated into our Terms of Use. Your continued use of our Platform and Services constitutes your acceptance of those changes. We encourage you to review this Policy periodically.

Please note that the present Policy only applies to the data processing relationship between Company and you either as a natural person, or as a legal entity’s representative. In relation to users as natural persons located within the European Union ( “EU”) member countries, according to the provisions of the GDPR, Company shall be deemed as data processor.

By using the Services of the Company, you or a legal entity you represent as our user shall be deemed as a data controller and the Company shall be considered as a data processor. The rights and obligations regarding to the relationship between you as data controller and the Company as data processor is governed by the Addendum.

The Company may from time to time handle personal data collected from individuals located within the EU member countries. Consistent with the regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ( “General Data Protection Regulation” or “GDPR”) Company grants the enhanced data protection for the individuals located within the EU. Our adherence to the GDPR regarding the personal data collected from individuals located within the EU is detailed in this Policy.

Please note that as of July 16, 2020 the European Court of Justice invalidated the Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield, which means that participants of the Privacy Shield Framework are no longer deemed to provide appropriate safeguards for the personal data of European citizens. In line with this judgement the EU and the US is working together to achieve a complete and effective framework guaranteeing that the level of protection granted to personal data in the US is essentially equivalent to that guaranteed within the EU. In the meantime, our Company stays committed to protecting our customers personal data and uses good faith and commercially reasonable efforts to fully comply with the regulations of the GDPR (effective on July 16, 2020).

In respect of Californian individuals Company complies with the Senate Bill No. 1121 California Consumer Privacy Act of 2018 ( “CCPA”). For Californian individuals, this Policy and Company’s CCPA Notice shall apply.

1. What does this Privacy Policy cover?

This Policy covers Company’s treatment of information that Company gathers when you are accessing Company's Platform as a user and when you use Company’s Services. Also, this Policy covers Company’s treatment of your information that Company shares with Company’s business partners. This Policy does not apply to the practices of third parties that Company does not own or control (such as third-party Platforms that you may access from the Platform), or to individuals that Company does not employ or manage.

2. What information does Company collect?

The information we gather from users enables Company to personalize and improve our Services and to allow our users to set up accounts on the Platform. We collect the following types of information from our users and their customers:

2.1 Information You Provide to Us:

We receive and store any information you as our user enter on our Platform or provide to us in any other way. The types of information collected include, without limitation, your full name, email address, mailing address of billing party, phone number of billing party, password, contact information and content consumed on the Platform. Some of this information is not mandatory but may be necessary to use all of our functions.

In addition, we may collect the following financial data: account holder name, bank name, account number, currency of account. For taxation reasons, we may need to collect Tax ID (US: tin: SSIN/EIN), citizenship, country of residence. In some cases, we’ll need to ask for a government ID, Green Card, or other proof of address or proof of residency status as regulated by taxation law.

2.2 Information Collected Automatically:

We receive and store certain types of information whenever you as our user interact with our Platform or Services. Company automatically receives and records information on our server logs from your browser including your IP address, unique device identifier, browser characteristics, domain and other system settings, search queries, device characteristics, operating system type, language preferences, referring URLs, actions taken on our Platform, page requested, content consumed (e.g., viewed, uploaded, and shared), dates and times of Platform visits, and other information associated with other files stored on your device.

2.3 Information we receive from you regarding your users and from third parties:

By providing our Services we receive and collect certain personal data on the customers of our users that is provided to us by third parties (e.g. Helpdesks, CRMs, Surveys, Email) and we also receive personal data for the purpose of processing directly from our users including, but not limited to the uploaded or shared personal data of our user’s customers, like name, e-mail, phone number, address, gender, age or IP address.

If the provisions of the GDPR shall apply, in that relationship regarding to the personal data of your customers you shall be deemed as data controller, and therefore you as our user are also responsible to comply with the provisions of the GDPR. Please note, that in such case the data processing relationship between the data controller and the data processor shall be governed by a written contract, and such written contract shall satisfy the requirements of Article 28 of the GDPR. In order to facilitate your compliance with the provisions of the GDPR, Company provides you a written contract on data processing, therefore, the data processing relationship between you, as a data controller and Company, as a data processor shall be governed by the Addendum.

3. What About Cookies?

The Company only collects cookies that are necessary for our Platform to function properly, such as session based authentication. Please see our cookie policy by visiting https://www.withcardinal.com/legal/cookies in order to find out how our cookies work.

4. How Does Company Use My Information?

We may use your information, including your personal information, as follows:

4.1 We process the following personal data for the purpose and on the legal basis of the performance of the contract, product and service fulfillment:

The information you provide is used for purposes such as responding to your requests for certain products and services, customizing the content you see, communicating with you about specials, sales offers, and new features, and responding to problems with our Services. It is also used to fulfill and manage payments or requests for information, or to otherwise serve you, provide any requested services and administer contests.

4.2 We process the following personal information based on your consent (as the legal basis of this processing) for marketing purposes, newsletters, receipt messages, e-mails, and mobile messages . We may also send marketing communications and other information regarding services and promotions based on your consent and administer promotions:

You shall always have the right to withdraw your consent at any time.

4.3 We process personal data for the purpose and on the legal basis of compliance with legal obligations to prevent fraudulent transactions, monitor against theft and otherwise protect our customers and our business. We also process personal data for the purpose and on the legal basis of legal compliance and to assist law enforcement and respond to subpoenas.

This means that in some cases the data processing is stipulated by the applicable laws and we have an obligation to process and keep this data for the required time. This includes employment data, billing data, data which is necessary to assist law enforcement etc.

4.4 We process the following personal data for the purpose and on the legal basis of the legitimate interests of the Company, to improve the effectiveness of the Platform, our Services, and marketing efforts, to conduct research and analysis, including focus groups and surveys and to perform other business activities as needed, or as described elsewhere in this Policy:

Where it is feasible, we anonymize personal data or use non-identifiable statistical data. We do not collect personal data in advance and store it for potential future purposes unless required or permitted by the applicable laws.

4.5 Data integrity and purpose limitation: Company will only collect and retain personal data which is relevant to the purposes for which the data is collected, and we will not use it in a way that is incompatible with such purposes unless such use has been subsequently authorized by you. We will take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete and current. We may occasionally contact you to determine that your data is still accurate and current.

5. How Long We Retain Your Personal Data?

We will retain your personal data for so long as it is needed to fulfill the purposes outlined in this Policy or until you withdraw your consent, unless a longer retention period is required or permitted by law (such as tax, accounting or other legal requirements). When we have no longer or no legal basis to process your personal information, we will either delete or anonymize it, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

6. Will Company share any of the information it receives?

Information about our users is an integral part of our business, and we may share such information with our affiliated entities. Except as expressly described below, we neither rent nor sell your information to other people or nonaffiliated companies unless we have your permission.

6.1 Third Party Service Providers:

We may share certain personal information with third party vendors who supply software applications, web hosting and other technologies for the Platform and the Services. We will only provide these third parties with access to information that is reasonably necessary to perform their work or comply with the law. Those third parties will never use such information for any other purpose except to provide services in connection with the Platform and the Services. We may also share aggregated or de-identified information, which cannot reasonably be used to identify you. We may also request data process service for processing the personal data. During the service of data process, the data processor shall abide under the present Policy, relevant legislations in force, furthermore the provisions of the existing contracts of the Company.

6.2 List of Third Party Service Providers

The list of third party service providers can be found at https://www.withcardinal.com/help/third-parties

6.3 Transfer of Personal Data collected from individuals located within the EU:

Our service providers have their registered seat in the United States and they comply with the EU-US and the EU-Swiss Privacy Shield Frameworks, therefore transfer of your personal data to the aforementioned service providers was deemed safe until July 16, 2020. Please note that according to the judgement no. C-311/18 of the Court of Justice of the European Union, these companies no longer considered to provide appropriate safeguards for the personal data of European citizens. For more information, you can read the judgement here .

If we transfer personal data collected from individuals located within the EU to a third-party acting as a data processor, and such third-party agent processes your personal information in a manner inconsistent with the GDPR, we may be responsible under the rules of the GDPR.

We only transfer personal data collected from individuals located within the EU only with the consent of the individuals to a third-party having a registered seat outside the EU or the United States of America acting as a data processor without the appropriate safeguards set out in the GDPR, or when it is necessary for the performance of the contract. Company will make every effort to ensure that the personal data transferred is safe and secure and that the personal data is processed in a manner consistent with the GDPR.

6.4 Company may release your information:

  1. in response to subpoenas, court orders or legal process, to the extent permitted and as restricted by law;
  2. when disclosure is required to maintain the security and integrity of the Platform, or to protect any user’s security or the security of other persons, consistent with applicable laws;
  3. when disclosure is directed or consented to by the user who has input the personal information; or
  4. in the event that we go through a business transition, such as a merger, divestiture, acquisition, liquidation or sale of all or a portion of its assets, your information will, in most instances, be part of the assets transferred.

6.5 Opt-In for Promotions:

We do not share personally identifiable information with other third-party organizations for their marketing or promotional use without your consent or except as part of a specific program or feature for which you will have the ability to opt-in.

6.6 With Your Consent:

Except as set forth above, you will be notified when your information may be shared with third parties and will have the option of preventing the sharing of this information.

6.7 Data retention and aggregated data processing

Please note that we may retain certain personal information after your account has been terminated. We reserve the right to use your information in any aggregated data collection after you have terminated your account, however we will ensure that the use of such information will not identify you personally.

6.8 Accountability for onward transfer:

Company will not transfer personal data originating in the EU or Switzerland to third parties unless such third parties have entered into an agreement in writing with us requiring them to provide at least the same level of privacy protection to your personal data as required by the GDPR. We acknowledge our liability for such data transfers to third parties.

7. Is information about me secure?

We take commercially reasonable measures to protect all collected information from loss, theft, misuse and unauthorized access, disclosure, alteration and destruction. Please understand that you can help keep your information secure by choosing and protecting your password appropriately, not sharing your password and preventing others from using your computer. Please understand that no security system is perfect and, as such, we cannot guarantee the security of the Platform, or that your information won’t be intercepted while being transmitted to us. If we learn of a security systems breach, then we may either post a notice, or attempt to notify you by email and will take reasonable steps to remedy the breach.

8. Children's Privacy

Our Platform is not directed to children under 16 and we do not knowingly collect personal information from children under 16. If we learn that we have collected personal information of a child under 16 we will take steps to delete such information from our files as soon as possible. If you are aware of anyone under 16 using the Platform, please contact us at support@withcardinal.com .

9. Links to Third Party Sites and Services

This Platform may contain links to third party Platforms operated by individuals or companies unrelated to us. Please be aware that we are not responsible for the privacy practices of such third party Platforms and services. We provide links to these Platforms for your convenience only and you access them at your own risk. We recommend that you review the privacy policies and terms of use posted on and applicable to such third party Platforms prior to utilizing them.

10. Your Privacy Rights

10.1 Access and Retention:

If you have a Platform account, you can log in to view and update your account information. You have the right to obtain confirmation of whether or not we are processing personal data relating to you, have communicated to you such data so that you could verify its accuracy and the lawfulness of the processing and have the data corrected, amended or deleted where it is inaccurate or processed in violation of the GDPR.

We encourage you to contact us at support@withcardinal.com with your questions or concerns, or to request edits to your personal information, or to have it removed from our database. Requests to access, change or remove your personal data will be handled within 30 days.

10.2 Additional Rights for EU Territory:

If you are from the territory of the EU, you may have the right to exercise additional rights available to you under applicable laws, including:

If you would like to exercise such rights, please contact us at support@withcardinal.com . We will consider your request in accordance with applicable laws. To protect your privacy and security, we may take steps to verify your identity before complying with the request.

You also have the right to complain to the EU Data Protection Authority about our collection and use of your personal data. For more information, please contact your local EU Data Protection Authority.

11. Recourse, Enforcement and Liability

11.1 Company is committed to protecting your personal data as set forth in this Policy. If you think we are not in compliance with our Policy, or if you have any question or if you wish to take any other action concerning this Policy, contact us at support@withcardinal.com . You can also contact us at our mailing address: #317, 4931 SW 76th Ave, Portland, OR 97225. We will investigate your complaint, take the appropriate action and report back to you within 30 days.

In addition, if you are from the territory of the EU, you also have the right to complain to the EU Data Protection Authority about our collection and use of your personal data. For more information, please contact your local EU Data Protection Authority.

11.2 If your personal data in question was transferred from the EU or Switzerland to the United States and you are not satisfied with our response, we have further committed to refer unresolved complaints to the dispute resolution procedures of the EU Data Protection Authorities. Company will cooperate with the appropriate EU Data Protection Authorities during investigation and resolution of complaints concerning personal data that is transferred from the EU to the United States. For complaints involving personal data transferred from Switzerland, we commit to cooperate with the Swiss Federal Data Protection and Information Commissioner ( “FDPIC”) and comply with the advice given by the FDPIC. Complaints regarding processing of personal data pertaining to data subjects located in the EU and Switzerland may be reported by the individual to the relevant Data Protection Authority.

These recourse mechanisms are available at no cost to you. Damages may be awarded in the accordance with the applicable law.

12. Modifications to this Policy

We will modify this Policy if our privacy practices change. We will notify you of such changes by posting the modified version on our Platform and indicating the date it was last modified, and, if the changes are significant, we will provide a more prominent notice (including by email in certain instances). The date this Policy was last modified is at the top of this page. Please periodically review this Policy so that you are familiar with the current Policy and aware of any changes.

13. For users in California

If you are a user in California, the Company's Privacy Notice for California Consumers at https://www.withcardinal.com/legal/ccpa applies to you.

14. Questions

If you have any questions concerning this Policy or the Services, please contact us at support@withcardinal.com . You can also contact us at our mailing address: #317, 4931 SW 76th Ave, Portland, OR 97225.

ATTACHMENT 1: DATA PROCESSING ADDENDUM

This Data Processing Addendum ("Addendum") which also serves as Standard Contractual Clauses according to Article 46 section 2. (c) of GDPR forms an integral part of the Terms of Use of WITH CARDINAL, LLC, a South Carolina limited liability company, having its mailing address at #317, 4931 SW 76th Ave, Portland, OR 97225 ("Data Processor") accepted by its user ("Data Controller") during the registration procedure on the Platform of the Data Processor ( "Principal Agreement") (Data Controller and Data Processor shall collectively be referred to as the: “Parties”).

Preamble

In connection with the personal data collected from individuals located within the European Union (“EU”) member countries, in accordance with the Article 28 (Processor) of the General Data Protection Regulation 2016/679 of the European Union, the Parties decided to record in writing their rights and obligations regarding their data processing relationship.

The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement. Except as modified below, the terms of the Principal Agreement shall remain in full force and effect.

In consideration of the mutual obligations set out herein, the Parties hereby agree that the terms and conditions set out below shall be added as an amendment to the Principal Agreement. Except where the context requires otherwise, references in this Addendum to the Principal Agreement are to the Principal Agreement as amended by, and including, this Addendum.

1. Definitions

1.1 In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

1.1.1 "Applicable Laws" means European Union or Member State of the European Union laws with respect to any Data Controller Personal Data in respect of which Data Controller is subject to EU Data Protection Laws;

1.1.2 "Contracted Processor" means Data Processor or a Subprocessor;

1.1.3 "Data Controller Personal Data" means any Personal Data Processed by a Contracted Processor on behalf of Data Controller in connection with the Principal Agreement;

1.1.4 "Data Protection Laws" means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;

1.1.5 "GDPR" means EU General Data Protection Regulation 2016/679;

1.1.6 "Services" means the services and other activities to be supplied to or carried out by or on behalf of Data Processor for Data Controller pursuant to the Principal Agreement;

1.1.7 "Subprocessor" means any person (including any third party, but excluding an employee of Data Processor or any of its sub-contractors) appointed by or on behalf of Data Processor to Process Personal Data in connection with the Principal Agreement.

1.2 The terms, "Data Subject", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly (Extract of the GDPR – see Annex 2 to this Addendum).

1.3 The word "include" shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.

2. Processing of Data Controller Personal Data

2.1 Data Processor shall:

2.1.1 comply with all applicable Data Protection Laws in the Processing of Data Controller Personal Data; and

2.1.2 not process Data Controller Personal Data other than on the Data Controller’s documented instructions unless Processing is required by Applicable Laws to which the relevant Contracted Processor is subject, in which case Data Processor shall to the extent permitted by Applicable Laws inform the Data Controller of that legal requirement before the relevant Processing of that Personal Data.

2.2 Data Controller shall instruct Data Processor to:

2.2.1 process Data Controller Personal Data and

2.2.2 in particular, transfer Data Controller Personal Data to any country or territory,

2.2.2 in particular, transfer Data Controller Personal Data to any country or territory,

2.3 Annex 1 to this Addendum sets out certain information regarding the Contracted Processors' Processing of the Data Controller Personal Data as required by Article 28(3) of the GDPR. The Parties may make reasonable amendments to Annex 1 by written notice to the other Party from time to time as Party reasonably considers necessary to meet those requirements. Nothing in Annex 1 confers any right or imposes any obligation on the Parties to this Addendum.

3. Data Processor

3.1 Data Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Data Controller Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Data Controller Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4. Security

4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Data Processor shall in relation to the Data Controller Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

4.2 In assessing the appropriate level of security, Data Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

5. Subprocessing

5.1 Data Controller authorizes Data Processor to appoint Subprocessors in accordance with this section 5 and any restrictions in the Principal Agreement.

5.2 Data Processor may continue to use those Subprocessors already engaged as at the date of the present Addendum, subject to Data Processor in each case as soon as practicable meeting the obligations set out in section 5.4.

5.3 Data Processor shall give Data Controller prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If, within 3 (three) calendar days of receipt of that notice, Data Controller notifies Data Processor in writing of any objections to the proposed appointment:

5.3.1 Data Processor shall work with Data Controller in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; and

5.3.2 where such a change cannot be made within 30 (thirty) calendar days from Data Processor’s receipt of Data Controller’s notice, notwithstanding anything in the Principal Agreement, Data Controller may by written notice to Data Processor with immediate effect terminate the Principal Agreement to the extent that it relates to the Services which require the use of the proposed Subprocessor.

5.4 With respect to each Subprocessor, Data Processor shall:

5.4.1 before the Subprocessor first Processes Data Controller Personal Data (or, where relevant), in accordance with section 5.2., shall ascertain that the Subprocessor is capable of providing the level of protection for Data Controller Personal Data required by the Principal Agreement;

5.4.2 ensure that the arrangement between on the one hand (a) Data Processor, or (b) the relevant intermediate Subprocessor; and on the other hand the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Data Controller Personal Data as those set out in this Addendum and meet the requirements of Article 28(3) of the GDPR; and

5.4.3 provide to Data Controller for review such copies of the Contracted Processors" agreements with Subprocessors as Data Controller may request from time to time.

5.5 Data Processor shall ensure that each Subprocessor performs the obligations set out in this Addendum, as they apply to Processing of Data Controller Personal Data carried out by that Subprocessor, as if it were party to this Addendum in place of Data Processor.

6. Data Controller Personal Data

6.1 The Parties state that by providing the Services Data Processor uses personal data of the customers of the Data Controller obtained from third parties. According to Article 12, section (1) of the GDPR the Data Controller is obliged to inform its customers that during the data process of the Data Controller certain personal data are being collected from third parties.

6.2 Having regard to the ascertainments under section 6.1 the Parties agree that Data Controller is solely obliged to inform its customers by providing the necessary information prescribed by section 14 of the GDPR.

6.3 DATA PROCESSOR HEREBY EXCLUDES ANY AND ALL LIABILITY REGARDING THE INFORMATION REGULATED BY THE PRESENT SECTION OF THE CUSTOMERS OF THE DATA CONTROLLER AND EXCLUDES ANY LIABILITY FOR ANY FINANCIAL AND/OR NON-MATERIAL LOSS AND/OR DAMAGE, CONSEQUENTUAL LOSS AND/OR DAMAGES, AND LOSS OF PROFIT MAY OCCUR BECAUSE OF THE FAILURE OF THE DATA CONTROLLER TO PERFORM ITS OBLIGATION TO INFORM ITS CUSTOMERS AND/OR FAILED TO PERFORM ITS OBLIGATION AS REQUIRED BY SECTION 14 OF THE GDPR.

6.4 DATA CONTROLLER IS OBLIGED TO REIMBURSE AND INDEMNIFY DATA PROCESSOR IF ANY FINANCIAL AND/OR NON-MATERIAL LOSS AND/OR DAMAGE, CONSEQUENTUAL LOSS AND/OR DAMAGE, AND LOSS OF PROFIT OCCUR AT THE DATA PROCESSOR DUE TO THE INFRINGEMENT OF ANY OF THE OBLIGATION PRESCRIBED IN THE PRESENT SECTION 6.

6.4 DATA CONTROLLER IS OBLIGED TO REIMBURSE AND INDEMNIFY DATA PROCESSOR IF ANY FINANCIAL AND/OR NON-MATERIAL LOSS AND/OR DAMAGE, CONSEQUENTUAL LOSS AND/OR DAMAGE, AND LOSS OF PROFIT OCCUR AT THE DATA PROCESSOR DUE TO THE INFRINGEMENT OF ANY OF THE OBLIGATION PRESCRIBED IN THE PRESENT SECTION 6.

7. Data Subject Rights

7.1 Taking into account the nature of the Processing, Data Processor shall assist the Data Controller by implementing appropriate technical and organizational measures prior accepted by the Data Controller, insofar as this is possible, for the fulfilment of the Data Controller’s obligations, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

7.2 Data Processor shall:

7.2.1 promptly notify Data Controller if any Contracted Processor receives a request from a Data Subject under any Data Protection Law in respect of Data Controller Personal Data; and

7.2.2 ensure that the Contracted Processor does not respond to that request except on the documented instructions of Data Controller or as required by Applicable Laws to which the Contracted Processor is subject, in which case Data Processor shall to the extent permitted by Applicable Laws inform Data Controller of that legal requirement before the Contracted Processor responds to the request.

8. Personal Data Breach

8.1 Data Processor shall notify Data Controller without undue delay upon Data Processor or any Subprocessor becoming aware of a Personal Data Breach affecting Data Controller Personal Data, providing Data Controller with sufficient information to allow Data Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

8.2 Such notification shall as a minimum:

8.2.1 describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned;

8.2.2 communicate the name and contact details of Data Processor’s data protection officer or other relevant contact from whom more information may be obtained;

8.2.3 describe the likely consequences of the Personal Data Breach; and

8.2.4 describe the measures taken or proposed to be taken to address the Personal Data Breach.

8.3 Data Processor shall co-operate with Data Controller and take such reasonable commercial steps as are directed by Data Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

9. Data Protection Impact Assessment and Prior Consultation

9.1 Data Processor shall provide assistance to Data Controller with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Data Controller reasonably considers to be required by Article 35 or 36 of the GDPR, in each case solely in relation to Processing of Data Controller Personal Data by and taking into account the nature of the Processing and information available to, the Contracted Processors. The Data Controller shall ensure that during such data protection impact assessment the usual session at the Data Processor will not cause any unnecessary inconvenience to the Data Processor.

10. Deletion or return of Data Controller Personal Data

10.1 Subject to sections 10.2 and 10.3 Data Processor shall promptly and in any event within 3 (three) calendar days of the date of cessation of any Services involving the Processing of Data Controller Personal Data (the "Cessation Date"), or by anytime upon written request of the Data Controller, delete and procure the deletion of all copies of those Data Controller Personal Data.

10.2 Subject to section 10.3, Data Controller may in its absolute discretion by written notice to Data Processor within 3 (three) calendar days of the Cessation Date, or by anytime upon written request of the Data Controller require Data Processor to (a) return a complete copy of all Data Controller Personal Data to Data Controller by secure file transfer in such format as is reasonably notified by Data Controller to Data Processor; and (b) delete and procure the deletion of all other copies of Data Controller Personal Data Processed by any Contracted Processor. Data Processor shall comply with any such written request within 3 (three) calendar days of the Cessation Date.

10.3 Each Contracted Processor may retain Data Controller Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that Data Processor shall ensure the confidentiality of all such Data Controller Personal Data and shall ensure that such Data Controller Personal Data is only Processed as necessary for the purposes specified in the Applicable Laws requiring its storage and for no other purpose.

11. Audit rights

11.1 Subject to sections 11.2, Data Processor shall make available to Data Controller on request all information necessary to demonstrate compliance with this Addendum, and shall allow for and contribute to audits, including inspections, by Data Controller or an auditor mandated by Data Controller in relation to the Processing of the Data Controller Personal Data by the Contracted Processors.

11.2 Data Controller undertaking an audit shall give Data Processor reasonable notice of any audit or inspection to be conducted under section 11.1 and shall make reasonable endeavors to avoid causing or, if it cannot avoid, to minimize any damage, injury or disruption to the Contracted Processors' premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection.

12. Indemnification and penalty

12.1 Data Processor shall indemnify Data Controller for any and all loss, damage, payments, deficiencies, fines, judgements, liabilities, costs and expenses resulting from Data Processor’s or a Subprocessor’s incompliance with or infringement of the provisions of this Addendum or the requirements of the GDPR.

12.2 Data Processor shall within 30 (thirty) calendar days of the written notice of the Data Controller indemnify Data Controller for the losses described in section 12.1.

13. General Terms

13.1 Governing law and jurisdiction

13.1.1 Having regard to Article 27(1) of the GDPR, the Parties to this Addendum hereby stipulate the exclusive competence of the competent German court regarding any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity.

13.1.2 This Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by and construed in accordance with the laws of Germany.

13.2 Order of precedence

13.2.1 Nothing in this Addendum reduces Data Processor’s obligations under the Privacy Policy in relation to the protection of Personal Data or permits Data Processor to Process or permit the Processing of Personal Data in a manner which is prohibited by the Privacy Policy.

13.2.2 Subject to section 13.2.1, with regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the Parties, including the Privacy Policy and including agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail.

13.3 Changes in Data Protection Laws, and modification of the Contract

13.3.1 Data Processor is entitled to modify the present Addendum and the Privacy Policy unilaterally in case of the amendment of the Applicable Law or the GDPR or if the protection of the personal data processed by the Data Processor requires so or if unilateral amendment is permitted by the provisions of this Addendum.

13.4 Severance

Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

This Addendum is entered and becomes a binding and inseparable part of the Privacy Policy and the Principal Agreement with effect from the date first set out above.

Annex 1: DETAILS OF PROCESSING OF DATA CONTROLLER PERSONAL DATA

This Annex 1 includes certain details of the Processing of Data Controller Personal Data as required by Article 28(3) GDPR.

1) Subject matter and duration of the Processing of Data Controller Personal Data

The subject matter of the Processing is the personal data of the Data Controller Processed during the use of the Services of the Data Processor available on the Data Processor’s Site.

Data Processor Processes the personal data until the Data Controller deletes its user profile on the Site.

2) The nature and purpose of the Processing of Data Controller Personal Data

To perform the Data Processor obligations to maintain and provide the Services set forth in the Principal Agreement.

3) The types of Data Controller Personal Data to be Processed

The personal data Processed by the Data Controller.

4) The categories of Data Subject to whom the Data Controller Personal Data relates

The categories of the partners and users of the Data Controller.

The categories of the partners and users of the Data Controller.

The obligations and rights of Data Controller are set out in the Principal Agreement and in this Addendum.

Annex 2: Extract of the GDPR

Article 4

Definitions

[...]

‘Personal Data’ means any information relating to an identified or identifiable natural person ( ‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

‘Personal Data Breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

‘Supervisory Authority’ means an independent public authority which is established by a Member State pursuant to Article 51 of GDPR.

[...]