essensys’ Processor Binding Corporate Rules for the Processing of Personal Data

1. Introduction

essensys is committed to achieving and maintaining customer trust. Integral to this mission is providing a robust security and privacy program that carefully considers data protection matters. In accordance with the EU Data Protection Directive and implementing national legislation, the essensys Processor BCR is intended to provide an adequate level of protection for Personal Data during international transfers within the essensys Group made on behalf of Customers and under their instructions.

2. Definitions

Controller means controller, as defined in the EU Data Protection Directive. The term “controller” is defined in the EU Data Protection Directive as “the natural or legal person, public authority, agency, or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law.”

Customer means (i) a legal entity with whom a member of the essensys Group has executed a contract to provide the Services (or a legal entity placing an order under such contract) and such contract incorporates by reference the essensys Processor BCR or (ii) a legal entity with whom a member of the essensys Group has executed a contract under which the legal entity is entitled to resell the Services to its end customers and such contract incorporates by reference the essensys Processor BCR.

Data Subject means an individual to whom Personal Data relates.

essensys Group means essensys Ltd. and its affiliate sub-processors of Personal Data.

essensys Processor BCR means essensys’ Processor Binding Corporate Rules for the Processing of Personal Data.

EU Data Protection Directive means European Union Directive 95/46/EC dated 24 October 1995.

Personal Data means personal data, as defined in the EU Data Protection Directive, when such data is submitted to the Services. The term “personal data” is defined in the EU Data Protection Directive as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity.”

Processor means processor, as defined in the EU Data Protection Directive. The term “processor” is defined in the EU Data Protection Directive as “a natural or legal person, public authority, agency, or any other body which processes personal data on behalf of the controller.”

Services means the online services provided to Customer by essensys.

3. Scope and Application

The purpose of the essensys Processor BCR is to govern cross-border transfers of Personal Data to and between members of the essensys Group, and to third-party sub-processors (in accordance with written agreements with any such third-party sub-processors) when acting as Processors and/or sub-processors on behalf and under the instructions of Customers.

The essensys Processor BCR applies to Personal Data submitted to the Services by:

(a) Customers established in EEA member states whose processing activities for the relevant data are governed by the EU Data Protection Directive and implementing national legislation; and

(b) Customers established outside the EEA for which the Customer has contractually specified that the EU Data Protection Directive and implementing national legislation shall apply.

The essensys Group may update the essensys Processor BCR with approval from the essensys Group’s appointed privacy leader, general counsel and compliance officer. All changes to the essensys Processor BCR shall be communicated to members of the essensys Group.

The essensys Group’s appointed privacy leader shall be responsible for keeping a fully updated list of the members of the essensys Group and third-party sub-processors and making appropriate notifications to Customers in its capacity as lead authority for the essensys Processor BCR.

The essensys Group shall not transfer Personal Data to a new member of the essensys Group until such member is appropriately bound by and complies with the essensys Processor BCR. Significant changes to the essensys Processor BCR and/or the list of members of the essensys Group will be reported (a) in a timely fashion to Customers and (b) once per year to the relevant data protection authorities accompanied by a brief explanation of the changes.

4. Responsibilities Towards Customers

A. General Obligations

essensys and its employees shall comply with the essensys Processor BCR, process Personal Data only upon a Customer’s instruction and shall have a duty to respect the security and confidentiality of Personal Data, pursuant to the measures provided in the contracts executed with Customers.

B. Transparency and Cooperation with Customers

essensys undertakes to be transparent regarding its Personal Data processing activities and to provide Customers with reasonable cooperation within a reasonable period of time to help facilitate their respective data protection obligations regarding Personal Data.

C. Data Subject Rights

Members of the essensys Group act as Processors on behalf of Customers. As between essensys and Customers, Customers have primary responsibility for interacting with Data Subjects, and the role of essensys is generally limited to assisting Customers as needed.

i. Access, Correction, Amendment or Deletion Requests

essensys shall promptly notify a Customer if essensys receives a request from a Data Subject for access to, correction, amendment or deletion of that person’s Personal Data. essensys shall not respond to any such Data Subject request without the Customer’s prior written consent except to confirm that the request relates to that Customer.

essensys shall provide Customers with cooperation and assistance in a reasonable period of time and to the extent reasonably possible in relation to any request regarding Personal Data to the extent Customers do not have access to such Personal Data through their respective uses of the Services.

ii. Handling of Complaints

The essensys Group’s Privacy department shall be responsible for handling complaints related to compliance with the essensys Processor BCR. Data Subjects may lodge a complaint about processing of their respective Personal Data that is incompatible with the essensys Processor BCR by contacting the relevant Customer or the essensys Group’s Privacy department at the email address privacy@essensys.tech. essensys shall promptly communicate the complaint to the Customer to whom the Personal Data relates.

Customers shall be responsible for responding to all Data Subject complaints forwarded by essensys except in cases where a Customer has disappeared factually or has ceased to exist in law or become insolvent. Where essensys is aware of such a case, it undertakes to respond directly to Data Subjects’ complaints within thirty (30) days, including the consequences of the complaint and further actions Data Subjects may take if they are unsatisfied by the reply (such as lodging a complaint before the relevant data protection authority).

D. Regulatory Inquiries and Complaints

essensys shall, to the extent legally permitted, promptly notify a Customer if essensys receives an inquiry or complaint from a data protection authority in which that Customer is specifically named. Upon a Customer’s request, essensys shall provide the Customer with cooperation and assistance in a reasonable period of time and to the extent reasonably possible in relation to any regulatory inquiry or complaint involving essensys’ processing of Personal Data.

5. Description of Processing Operations and Transfers

A. Purpose Limitation

essensys shall process Personal Data only for the following purposes: (i) processing in accordance with a Customer’s instructions set forth in the Customer’s contract with a member of the essensys Group; and (ii) processing initiated by the Customer in its use of the Services.

B. Data Quality

Customers have access to, and control of, Personal Data in their use of the Services. To the extent a Customer, in its use of the Services, does not have the ability to anonymize, correct, amend or delete Personal Data as required by applicable laws, essensys shall, in a reasonable period of time, to the extent reasonably possible and to the extent legally permitted, comply with any request by the Customer to facilitate such actions by executing the measures necessary to comply with the law. essensys will, to the extent reasonably required for this purpose, inform each member of the essensys Group by whom the Personal Data may be stored of any anonymization, correction, amendment or deletion of such data. If any such anonymization, correction, amendment or deletion request is applicable to a third-party sub-processor’s processing of Personal Data, essensys shall communicate such request to the applicable third-party sub-processor(s).

C. Sub-processing

i. Sub-processing Within the essensys Group

As set forth in applicable contracts with Customers, members of the essensys Group may be retained as sub-processors of Personal Data and depending on the location of the essensys Group member, processing of Personal Data by such sub-processors may involve transfers of Personal Data. The essensys Processor BCR extends to all members of the essensys Group.

ii. Sub-processing by Third Parties

As set forth in applicable contracts with Customers, members of the essensys Group may retain third-party sub-processors and, depending on the location of the third-party sub-processor, processing of Personal Data by such sub-processors may involve transfers of Personal Data. Such third-party sub-processors shall process Personal Data only (i) in accordance with the Customer’s instructions set forth in the Customer’s contract with a member of the essensys Group; or (ii) if processing is initiated by the Customer in its use of the Services.

iii. Notification of New Sub-processors and Objection Rights

As set forth in applicable contracts with Customers, essensys shall provide Customers with prior notification before a new sub-processor begins processing Personal Data. Within thirty (30) days of receiving such notice, a Customer may object to the essensys Group’s use of a new sub-processor subject to the following:

· It would be unreasonable for a Customer to object to a new sub-processor that is a member of the essensys Group if the sub-processor (a) is subject to the essensys Processor BCR; and (b) has achieved a third-party, internationally-recognized security certification (e.g., ISO 27001), unless the Customer demonstrates reasonable suspicion that the new sub-processor will not be able to comply with its obligations under the essensys Processor BCR.

· Unless a Customer demonstrates reasonable suspicion that a new third-party sub-processor introduces unreasonable risk to the protection of Personal Data (e.g., a history of security breaches), it would be unreasonable for a Customer to object to a new third-party sub-processor if (a) the new third-party sub-processor is located in a country that provides an adequate level of protection per the European Commission or has entered into a contract with a member of the essensys Group containing the applicable requirements of the European Commission’s controller-to-processor standard contractual clauses; and (b) the new third-party sub-processor has passed the essensys Group’s vendor security evaluation based on a third-party, internationally-recognized security framework.

In the event a Customer objects to a new sub-processor, and that objection is not unreasonable under the standards described above, essensys will use reasonable efforts to make available to the Customer a change in the Services or recommend a commercially reasonable change to the Customer’s configuration or use of the Services to avoid processing of Personal Data by the objected-to new sub-processor without unreasonably burdening the Customer.

6. Confidentiality and Security Measures

A. Confidentiality and Training

essensys shall ensure that its personnel engaged in the processing of Personal Data are informed of the confidential nature of the Personal Data, have executed written confidentiality agreements and have received appropriate training on their responsibilities. Additionally, essensys shall ensure that its personnel responsible for the development of tools used to process Personal Data have received appropriate training on their responsibilities. essensys shall also ensure that its personnel engaged in the processing of Personal Data are limited to those personnel who require such access to perform essensys’ obligations under applicable contracts with Customers.

B. Data Security

essensys shall maintain appropriate administrative, technical and physical safeguards for protection of the security, confidentiality and integrity of Personal Data, as set forth in applicable contracts with Customers. essensys regularly monitors compliance with these safeguards. essensys will not materially decrease the overall security of the Services during a Customer’s applicable subscription term.

C. Security Breach Notification

In the event a member of the essensys Group becomes aware of any unauthorized access to or disclosure of Personal Data, essensys will promptly notify affected Customers to the extent such notification is permitted by applicable law.

D. Audits

essensys shall maintain an audit program to help ensure compliance with the essensys Processor BCR.

i. Third-Party Audits and Certifications

essensys is working towards achieving the following third-party audits and certifications.

· ISO/IEC 27001 and ISO/IEC 27018 certification: essensys is currently implementing an information security management system (ISMS) in accordance with the ISO/IEC 27001 international standard, extended with the ISO/IEC 27018 code of practice for the protection of personally identifiable information in public clouds.

· SSAE 16 Service Organization Control (SOC) reports: The essensys Group’s information security control environment applicable to the Services will undergo an independent evaluation in the form of SSAE 16 Service Organization Control (SOC) reports.

ii. Internal Verification

essensys has appointed a network of privacy personnel responsible for overseeing and ensuring compliance with the essensys Group’s data protection responsibilities at a local and global level, including compliance with this essensys Processor BCR, advising management on data protection matters, liaising with data protection authorities, and handling data protection-related complaints. Each member of the essensys Group shall be assigned a member of this network of privacy personnel. Such privacy personnel are primarily responsible for privacy-related matters, report to the essensys Group’s appointed privacy leader and benefit from the support of the essensys Group’s top management. The essensys Group’s appointed privacy leader is responsible for the essensys Group’s compliance with applicable privacy and data protection laws and leads the essensys Group’s network of privacy personnel, whose members have regional responsibility for that compliance.

The essensys Group’s compliance department shall conduct an annual assessment of the essensys Group’s compliance with the essensys Processor BCR, which is provided to the essensys Group’s appointed privacy leader, compliance officer and essensys’ board of directors. Such an assessment shall include any necessary corrective actions, timeframes for completing such corrective actions, and follow-up by essensys’ compliance department to ensure such corrective actions have been completed.

iii. Customer Audits

Upon a Customer’s request, and subject to appropriate confidentiality obligations, essensys shall make available to the Customer (or such Customer’s independent, third-party auditor that is not a competitor of the essensys Group) information regarding the essensys Group’s and third-party sub-processors’ compliance with the data protection controls set forth in this essensys Processor BCR.

7. Liability and Enforcement

essensys’ contracts with Customers shall include a reference to the essensys Processor BCR. In accordance with such contracts, Customers shall have the right to enforce the essensys Processor BCR against the essensys Group. To the extent a Customer (or a Data Subject) demonstrates that a Data Subject has suffered damages and establishes facts showing that it is likely that such damages have occurred because of the essensys Group’s breach of Sections 4-8 of the essensys Processor BCR or a third-party sub-processor’s breach of a contract with a member of the essensys Group, the burden shall be on the essensys Group to prove that it, or its third-party sub-processor, was not responsible for the breach giving rise to the damages or that no such breach took place. If essensys can prove that the essensys Group and its third-party sub-processors are not responsible for the act leading to the damages suffered by the Data Subject, essensys may discharge itself from any responsibility.

8. Cooperation with Data Protection Authorities

The essensys Group shall cooperate with member state data protection authorities with jurisdiction over the essensys Group or competent for Customers, reply to any requests they make within a reasonable time frame and abide by the advice and recommendations of the relevant member state data protection authorities regarding the interpretation and application of the essensys Processor BCR. Upon request and subject to duties of confidentiality, the essensys Group shall provide relevant member state data protection authorities with jurisdiction over the essensys Group or competent for Customers (i) a copy of the essensys Group’s annual assessment of compliance with the essensys Processor BCR and/or other documentation reasonably requested; and (ii) the ability to conduct an onsite audit of the essensys Group’s architecture, systems and procedures relevant to the protection of Personal Data.