Uniphore Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the Agreement (which comprises the NDA, EULA and POC) between Uniphore Technologies Inc., having its principal place of business at 1001 Page Mill Road, Bldg 4, Suite 100-B, Palo Alto, CA 94304, on behalf of itself and its affiliates (“Uniphore”) and Customer (as defined in the Agreement) and shall be effective on the date both parties execute the Agreement (“Effective Date”). All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.

This DPA sets out the terms that apply to the Processing of Personal Data (as defined below) by Uniphore, on behalf of Customer, in the course of providing the Services to Customer under the Agreement. Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its Authorized Affiliates (if and to the extent Uniphore processes Personal Data for which such Authorized Affiliates qualify as the Controller). In providing the Services to Customer pursuant to the Agreement, Uniphore may Process Personal Data on behalf of Customer, and Uniphore and Customer (the “parties”) agree to comply with the following provisions with respect to any such Personal Data.

1. Definitions

“Affiliate” means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity.

“Authorized Affiliate” means any of Customer’s Affiliate(s) which (a) is subject to the data protection laws and regulations of the United States, Japan, Singapore, Canada, European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Service pursuant to the Agreement between Customer and Uniphore.

“Agreement” means the Master Software and Services Agreement between Customer and Uniphore, which governs the provision of the Services to Customer, as such terms may be updated by Uniphore from time to time.

“Control” means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question. The term “Controlled” shall be construed accordingly.

“Customer Data” means any electronic data submitted by or on behalf of Customer that Uniphore processes on behalf of Customer as a Data Processor in the course of providing Services, as more particularly described in this DPA. 

“Data Protection Laws” means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement, including, where applicable, EU Data Protection Law.

“Data Controller” means an entity that determines the purposes and means of the processing of Personal Data.

“Data Processor” means an entity that processes Personal Data on behalf of a Data Controller.

“Data Subject” means the identified or identifiable person subject to the Data Protection Laws to whom Personal Data relates.

“EU Data Protection Law” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); and (ii) Directive 2002/58/EC concerning the processing of Personal Data and the protection of privacy in the electronic communications sector and applicable national implementations of it (as may be amended, superseded or replaced).

“EEA” means, for the purposes of this DPA, the European Economic Area, and Switzerland.

“Group” means any and all Affiliates that are part of an entity’s corporate group.

“Model Clauses” means the Standard Contractual Clauses for Processors as approved by the European Commission found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en, or a successor website designated by the EU Commission.

“Personal Data” shall have the meaning assigned to the terms “personal data” or “personal information” under applicable Data Protection Laws, provided such personal data and/or personal information is Customer Data.

“Processing” has the meaning given to it in the GDPR and “process”, “processes” and “processed” shall be interpreted accordingly.

“Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data.

“Security Program” means Uniphore’s written security program that includes administrative, technical and physical safeguards reasonably designed to protect the confidentiality, integrity and availability of Customer Data (a current version of which can be provided upon request), and which includes Uniphore’s security policies and procedures, its current SOC 2 Type II report and the security measures set forth on Annex II, as may be updated periodically, and made reasonably available by Uniphore.

“Services” means any product or service provided by Uniphore to Customer pursuant to the Agreement.

“Sub-processor” means any Data Processor engaged by Uniphore or its Affiliates to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA.  Sub-processors may include third parties or members of the Uniphore Group. 

“Supervisory Authority” means an independent public authority which is established by an EU Member State, the UK or Switzerland  pursuant to the applicable European Data Protection Law.

2. Relationship with the Agreement

2.1            The parties agree that this DPA shall replace any existing DPA (including the Model Clauses (as applicable)) the parties may have previously entered into in connection with the Services.

2.2            Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. With respect to the rights and obligation of the parties vis-à-vis each other, if there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent that conflict is regarding the Processing of Personal Data. In the event of a conflict between the terms of the DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail.

2.3            Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and Uniphore, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ Section 13, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together. The foregoing shall not limit a party’s liability with respect to a data subject’s rights to the extent such liability may not be limited under the applicable SCCs.  Any claims against Uniphore or its Authorized Affiliates under this DPA shall be brought solely against the entity that is a party to the Agreement. The parties agree that, by executing the DPA, the Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliate(s), thereby establishing a separate DPA between Uniphore and each such Authorized Affiliate, subject to the provisions of the Agreement. Each Authorized Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement.  An Authorized Affiliate is not and does not become a party to the Agreement and is only a party to the DPA. All access to and use of the Service by Authorized Affiliate(s) must comply with the terms and conditions of the Agreement and any violation thereof by an Authorized Affiliate shall be deemed a violation by Customer.

2.4            Uniphore shall only be liable for regulatory penalties incurred in relation to Customer Data to the extent such penalties are solely a result of Uniphore’s breach of this DPA or applicable Data Protection Laws. Any regulatory penalties incurred by Uniphore in relation to the Customer Data that arise as a result of, or in connection with, Customer’s failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall be borne by Customer.

2.5            No one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms. 

2.6            This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.

2.7            This DPA and the Model Clauses shall terminate simultaneously and automatically with the termination or expiration of the Agreement.

3. Scope and Applicability of this DPA

3.1            This DPA (excluding Annex A) applies when Personal Data is Processed by Uniphore on behalf of Customer, as Data Processor in the course of providing Services pursuant to the Agreement.

3.2            Annex A applies where and only to the extent that Uniphore processes Customer Data that is subject to the California Consumer Privacy Act.

4. Roles and Scope of Processing

4.1            Role of the Parties.  As between Uniphore and Customer, Customer is the Data Controller of Customer Data, and Uniphore shall process Customer Data only as a Data Processor acting on behalf of Customer.

4.2            Customer Processing of Customer Data.  Customer agrees that (i) it shall comply with its obligations as a Data Controller under Data Protection Laws in respect of its processing of Customer Data and any processing instructions it issues to Uniphore; and (ii) it has provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for Uniphore to process Customer Data and provide the Services pursuant to the Agreement and this DPA. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data it submits to Uniphore and the means by which Customer acquired Personal Data.

4.3            Uniphore Processing of Customer Data.  Uniphore shall process Customer Data only for the purposes described in this DPA and only in accordance with Customer’s documented lawful instructions. For the purposes of Clause 8.1(a) of the Standard Contractual Clauses, the following is deemed an instruction by the Customer to process Personal Data: (i) in accordance with the Agreement and applicable Order Form(s); (ii) as initiated by Users in their use of the Service; and (iii) to comply with other documented, reasonable instructions provided by Customer (for example, via email) where such instructions are consistent with the terms of the Agreement.  Uniphore shall not be required to comply with or observe Customer’s instructions if such instructions would violate the applicable Data Privacy Laws, GDPR or other EU law or EU member state data protection provisions. Uniphore will, unless legally prohibited from doing so, inform Customer if it reasonably believes that an instruction from Customer is in conflict with the Data Protection Laws applicable to Uniphore’s processing of Customer’s Personal Data. The parties agree that this DPA and the Agreement set out the Customer’s complete and final instructions to Uniphore in relation to the processing of Customer Data and processing outside the scope of these instructions (if any) shall require prior written agreement between Customer and Uniphore.   

4.4            Details of Data Processing

(a)             Subject matter: The subject matter of the data processing under this DPA is the Customer Data.

(b)            Duration: As between Uniphore and Customer, the duration of the data processing under this DPA is until the termination of processing under the Agreement in accordance with its terms.

(c)             Frequency:  The processing is continuous.

(d)            Purpose: The purpose of the data processing under this DPA is the provision of the Services to the Customer and the performance of Uniphore’s obligations under the Agreement (including this DPA) or as otherwise agreed in writing by the parties.

(e)             Nature of the processing: Uniphore provides AI-powered customer service transcription, analytics, virtual assistant, conversational insight and agent verification platforms and support services for the platforms. Processing will include the development of products and services and delivery of the Services to the Customer in accordance with the Agreement.

(f)              Categories of data subjects: Any individual accessing and/or using the Services through the Customer’s account (“Users”); and any individual whose information is stored on or collected via the Services, including (1) employees, vendors, agents, or contingent workers of the Customer (who are natural persons) and (2) natural persons authorized by the Customer to use the Services (for example, customers, users, and prospective customers of the Customer).

(g)            Types of Customer Data: The categories and types of Personal Data Processed involve information related to the communications between Customer and Customer’s end-users, provided by the Customer’s representatives or end-users, including but not limited to:

· personal information normally exchanged during a customer service or sales conversation such as name, address, username or email address;

· specific personal information involved in the fulfilment of a customer service request, such as customer or user id, verification information, personal identification information (i.e. passport, driver’s license or tax identification numbers) or other information related to a Customer end-user’s account with Customer;

· financial information (invoices, payment details and receipts);

· device information including IP address, location, device type, operating system, Internet service provider, mobile network, system configuration information;

· employment details (i.e. employer, job title, employee ID);

· order data (documentation of all orders done);

· User usage and behaviour on the Services information;

(h)             Special Categories of Personal Data (as defined by the GDPR) or Sensitive Data: Uniphore does not want to, nor does it intentionally, collect or process any other Special Categories of Personal Data in connection with the provision of the Services and utilizes technical and organizational measures to limit, protect, and redact sensitive personal data that is unintentionally received, but Special Categories of Personal Data may nevertheless be incidentally collected during the course of interactions between the Customer and the Customer’s end users depending on the context of Customer’s implementation of the Services. Customer shall not share any such special categories of personal data or sensitive data without written approval of Uniphore in advance and specifically amending this DPA to describe it. 

(i)              Period of Retention.  The period of retention for Customer Data will depend on the specific Services being used and will be as set forth in the Agreement or other specific product documentation and as outlined in the Uniphore Privacy Policy. 

(j)              Subprocessors. To the extent applicable to the particular subprocessor, the descriptions above also apply to Uniphore’s transfers to subprocessors.  Uniphore will use commercially reasonable efforts to ensure that its contracts with each subprocessor are at least as protective of Customer Data as this DPA.

4.5            Notwithstanding anything to the contrary in the Agreement (including this DPA), Customer acknowledges that Uniphore shall have a right to use and disclose data relating to the operation, support, and use of the Services for its legitimate business purposes, such as billing, account management, technical support, product development and sales and marketing. To the extent any such data is considered Personal Data under Data Protection Laws, Uniphore is the Data Controller of such data and accordingly shall process such data in accordance with the Uniphore Privacy Policy and Data Protection Laws.

5.              Data Subject Requests. To the extent legally permitted, Uniphore shall promptly notify Customer if Uniphore receives a request from a Data Subject related to Personal Data to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”). Uniphore shall only respond to a Data Subject Request upon written authorization from Customer, except to the extent legally prohibited. Taking into account the nature of the Processing, Uniphore shall assist Customer by appropriate organizational and technical measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. In addition, to the extent Customer, in its use of the Service, does not have the ability to address a Data Subject Request, Uniphore shall, upon Customer’s request, provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent that Uniphore is legally authorized to do so, and the response to such Data Subject Request is required under Data Protection Laws and Regulations. To the extent legally permitted, Customer shall be responsible for any costs arising from Uniphore’s provision of such assistance.

6.              Privacy Notice. Uniphore shall inform Data Subjects in a transparent and easily accessible format on its website of a contact point authorized to handle complaints. Uniphore shall promptly handle any complaints it receives from a Data Subject related to Personal Data.

7.              Uniphore Personnel.

8. Subprocessing

8.1              Customer has instructed or authorized the use of Sub-processors to assist Uniphore with respect to the performance of Uniphore’s obligations under the Agreement and Uniphore agrees to be responsible for the acts or omissions of such Sub-processors to the same extent as Uniphore would be liable if performing the services of the Sub-processors under the terms of the Agreement. All such Sub-processors must agree to maintain the confidentiality of the Personal Data or be under an appropriate statutory or contractual obligation of confidentiality, and enter a written contract with Uniphore that provides for substantially the same data protection obligations between Uniphore and Sub-processor as between Uniphore and Customer herein. Uniphore will regularly review each Sub-processor’s compliance with its obligations. Customer acknowledges and agrees that (a) Uniphore’s Affiliates may be retained as Sub-processors; and (b) Uniphore and Uniphore’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Service. Uniphore’s current Sub-processors approved by Customer as a condition to entering into this DPA are listed at Uniphore.com/subprocessors. Uniphore will notify Customer via email prior to replacing or appointing new Sub-processors and Customer shall have the right to object, as follows:  In order to exercise its right to object to Uniphore’s use of a new Sub-processor, Customer shall notify Uniphore promptly in writing within ten (10) business days after receipt of Uniphore’s notice.
In the event Customer has legitimate objections to the new Sub-Processor, the parties will work together in good faith to resolve the grounds for the objection, which could include recommending a commercially-reasonable change to Customer’s configuration or use of the Service to avoid Processing of Personal Data by the objected-to new Sub-processor, provided that if the parties fail to agree upon a resolution within thirty (30) days, Customer may upon ten (10) days written notice to Uniphore terminate the applicable Order Form(s) with respect to those aspects of the Service performed by Uniphore through the use of the objected-to new Sub-processor.

9. Security

9.1            Security Measures.  Uniphore shall implement and maintain appropriate technical and organizational security measures to protect Customer Data (including protection against unauthorized or unlawful Processing, and against unlawful or accidental destruction, alteration or damage or loss, unauthorized disclosure of, or access to, Personal Data), and the confidentiality and integrity of Personal Data, as set forth in Uniphore’s applicable Security Program, in accordance with Uniphore’s Security Program and security standards described in Annex A (“Security Measures”).

9.2            Updates to Security Measures.  Customer is responsible for reviewing the information made available by Uniphore relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Data Protection Laws.   Customer acknowledges that the Security Measures are subject to technical progress and development and that Uniphore may update or modify the Security Measures from time to time provided that such updates and modifications do not result in material degradation of the overall security of the Services purchased by the Customer.

9.3            Customer Responsibilities.  Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Services and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Services.

10. Security Reports and Data Protection Impact Assessments.

10.1         Uniphore has attained the third-party certifications and audit results set forth in the Security Program. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Uniphore shall make available to Customer a copy of Uniphore’s then most recent third-party certifications or audit results, as applicable.

10.2         Upon Customer’s request, Uniphore agrees to provide Customer with reasonable cooperation and assistance needed to fulfil Customer’s obligation under the GDPR to carry out a data protection impact assessment related to Customer’s use of the Service, where in Customer’s judgement the Processing performed by Uniphore is likely to result in a high risk to the rights and freedoms of natural persons, and to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Uniphore. Uniphore shall provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks, to the extent required under the GDPR.

8. Audits.

The parties agree that the audits described in Clause 8.9(c) and Clause 13(b) of the Standard Contractual Clauses shall be carried out in accordance with the following specifications: following Customer’s written request, and subject to the confidentiality obligations set forth in the Agreement, Uniphore shall make available to Customer information regarding Uniphore’s compliance with the obligations set forth in this DPA in the form of the third-party certifications in its then-current SSAE 18 SOC 2 Type I and Type II audit report (or comparable industry-standard successor report), or any summaries thereof, to the extent that Uniphore makes them generally available to its customers at the time of the request.  In deciding on a review or audit, Customer may take into account relevant certifications held by Uniphore.

9. International Transfers

9.1            Authorization. Customer authorizes Uniphore and its Sub-processors to transfer Customer Data across international borders, including without limitation from the EEA, Switzerland and the UK to the US.  Any cross-border transfer of Customer Data must be supported by an approved adequacy mechanism.  Such measures may include (without limitation) transferring the Customer Data to a recipient in a country that the Supervisory Authority has decided provides adequate protection for personal data, to a recipient that has achieved binding corporate rules authorization in accordance with Applicable Data Protection Law, or to a recipient that has executed standard contractual clauses adopted or approved by the Supervisory Authority.

9.2            Data center locations.  Uniphore may transfer and process Customer Data anywhere in the world where Uniphore, its Affiliates or its Sub-processors maintain data processing operations.  Uniphore shall at all times provide an adequate level of protection for the Customer Data processed, in accordance with the requirements of Data Protection Laws.

9.3            Model Clauses: To the extent that Uniphore processes any Customer Data protected by EU Data Protection Law under the Agreement and/or that originates from the EEA, in a country that has not been designated by the European Commission or Swiss Federal Data Protection Authority (as applicable) as providing an adequate level of protection for Personal Data, the parties acknowledge that Uniphore shall be deemed to provide adequate protection (within the meaning of EU Data Protection Law) for any such Customer Data by complying with the Model Clauses. Customer agrees and acknowledges that it hereby enters into the Model Clauses on behalf of itself and any of its subsidiary or affiliate entities that transfer Customer Data as set forth in this Section 8.2. The below shall apply to the Model Clauses, including the election of specific terms or optional clauses as described in more detail in (a)-(i) below, and any optional clauses not expressly selected are not included below.

(1) In relation to transfers of Personal Data protected by the EU GDPR and processed in accordance with this DPA, the EU SCCs shall apply, completed as follows:

(a)             the Module 2 terms shall apply;

(b)             in Clause 7, the optional docking clause will apply;

(c)             for purposes of Clause 9 of the Model Clauses, Option 2 (‘General authorization’) shall apply and the processes and timelines shall be as set forth in this DPA;

(d)             in Clause 11 of the Model Clauses, the optional language shall be deleted;

(e)             for purposes of Clause 13 of the Model Clauses: Where the data exporter is established in an EU Member State, the supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority;

(f)               in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;

(g)             in Clause 18(b), disputes shall be resolved before the courts of Ireland; Annex 1.A (List of Parties), Annex 1.B and Annex 1.C of the Model Clauses shall be as set forth on Appendix 1;

(h)             Annex 2 of the Model Clauses shall be as set forth on Appendix 2;

(i)              supplemental clauses implemented by the Data Importer include those set forth on Appendix III; and

(j)              the parties acknowledge that Clause 2(a) of the Model Clauses permits them to include additional business-related terms provided they do not contradict, directly or indirectly, the Clauses or prejudice the fundamental rights or freedoms of data subjects. Accordingly, the parties’ interpretation of their respective obligations under specific Clauses are as set forth in Appendix IV.

(2)  In relation to transfers of Personal Data protected by the UK GDPR, the EU SCCs will also apply in accordance with paragraph (1) above, with the following modifications:

(a)             (i) any references in the EU SCCs to “Directive 95/46/EC” or “Regulation (EU) 2016/679” shall be interpreted as references to the UK GDPR; references to specific Articles of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK GDPR;

(b)             (ii) references to “EU”, “Union” and “Member State law” are all replaced with “UK”; Clause 13(a) and Part C of Annex I of the EU SCCs are not used; references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the Information Commissioner and the courts of England and Wales; and

(c)             (iii) Clause 17 of the EU SCCs is replaced to state that “The Clauses are governed by the laws of England and Wales” and Clause 18 of the EU SCCs is replaced to state “Any dispute arising from these Clauses shall be resolved by the courts in England. A data subject may bring legal proceeding against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts,” unless the EU SCCs, implemented as described above, cannot be used to lawfully transfer such Personal Data in compliance with the UK GDPR in which case the UK SCCs shall instead be incorporated by reference and form an integral part of this DPA and shall apply to such transfers. Where this is the case, the relevant Annexes or Appendices of the UK SCCs shall be populated using the information contained in Annexes I and II of this DPA (as applicable); and if neither the EU SCCs nor the UK SCCs applies, then the parties shall cooperate in good faith to implement appropriate safeguards for transfers of such Personal Data as required or permitted by the UK Data Protection Laws without undue delay;

(3) In relation to transfers of Personal Data protected by the Swiss DPA, the EU SCCs will also apply in accordance with paragraph (1) above, with the following modifications:

(a)             (i) any references in the EU SCCs to “Directive 95/46/EC” or “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA;

(b)             (ii) references to “EU,” “Union,” “Member State,” and “Member State law,” shall be interpreted as references to Switzerland and Swiss law, as the case may be; and

(c)             (iii) references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the Swiss Federal Data Protection and Information Commissioner and competent courts in Switzerland, unless the EU SCCs, implemented as described above, cannot be used to lawfully transfer such Personal Data in compliance with the Swiss DPA in which case the Swiss SCCs shall instead be incorporated by reference and form an integral part of this DPA and shall apply to such transfers. Where this is the case, the relevant Annexes or Appendices of the Swiss SCCs shall be populated using the information contained in Annexes I and II to this DPA (as applicable);

9.3.2        It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement (including this DPA) the Standard Contractual Clauses shall prevail to the extent of such conflict;

9.4            Alternative Transfer Mechanism. The parties agree that the data export solution identified in Section 8.2 shall not apply if and to the extent that Uniphore adopts an alternative data export solution for the lawful transfer of Personal Data (as recognized under EU Data Protection Laws) outside of the EEA (“Alternative Transfer Mechanism”), in which event, the Alternative Transfer Mechanism shall apply instead (but only to the extent such Alternative Transfer Mechanism extends to the territories to which Personal Data is transferred).  

10. Additional Security

10.1 Confidentiality of processing. Uniphore shall ensure that any person who is authorized by Uniphore to process Customer Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

10.2 Security Incident Response. Uniphore shall maintain reasonable and appropriate security incident management policies and procedures, as specified in the Security Program, and shall notify Customer without undue delay after becoming aware of the unlawful or accidental destruction, alteration or damage or loss, unauthorized disclosure of, or access to, Customer Data transmitted, stored or otherwise Processed by Uniphore or its Sub-processors, as required to assist the Customer in ensuring compliance with its obligations to notify the Supervisory Authority in the event of a Customer Data Security Incident, taking into account the nature of Processing and the information available to Uniphore. Uniphore shall make reasonable efforts to identify the cause of such Customer Data Security Incident, and take those steps as Uniphore deems necessary and reasonable in order to remediate the cause of such a Customer Data Security Incident, to the extent that the remediation is within Uniphore’s reasonable control; provided that Customer shall bear the cost of such remediation to the extent such incidents are caused by either Customer or Customer’s Users. For avoidance of doubt, Customer Data Security Incident does not include unsuccessful attempts or activities that do not compromise the security of personal data, including unsuccessful login attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems. Uniphore’s obligation to report or respond to a Customer Data Security Incident under this Section N is not and will not be construed as an acknowledgment by Uniphore of any fault or liability of Uniphore with respect to the Customer Data Security Incident.

11. Return or Deletion of Data 

11.1 Upon termination or expiration of the Agreement, Uniphore shall (at Customer’s election) delete or return to Customer all Customer Data (including copies) in its possession or control, save that this requirement shall not apply to the extent Uniphore is required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which Customer Data Uniphore shall securely isolate and protect from any further processing, except to the extent required by applicable law. The parties agree that the certification of deletion of Personal Data that is described in Clause 8.5 of the Standard Contractual Clauses shall be provided by Uniphore to Customer only upon Customer’s request.

12. Cooperation

12.1 If a law enforcement agency sends Uniphore a demand for Customer Data (for example, through a subpoena or court order), Uniphore shall attempt to redirect the law enforcement agency to request that data directly from Customer. As part of this effort, Uniphore may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Customer Data to a law enforcement agency, then Uniphore shall give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Uniphore is legally prohibited from doing so.

12.2 To the extent Uniphore is required under EU Data Protection Law, Uniphore shall (at Customer’s expense) provide reasonably requested information regarding the Services to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.

13. LIMITATION OF LIABILITY. EXCEPT IN THE EVENT OF ITS GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, IN NO EVENT WILL EITHER PARTY OR ITS SUPPLIERS BE LIABLE TO THE OTHER PARTY, ITS AFFILIATES, USERS OR ANY OTHER THIRD PARTY FOR ANY LOSS OF PROFITS, LOSS OF USE, LOSS OF REVENUE, LOSS OF GOODWILL, LOSS OF CUSTOMER’S DATA OR CUSTOMER’S SOFTWARE (OR ANY DATA RELATED THERETO) OR ANY INTERRUPTION OF BUSINESS, OR FOR ANY INDIRECT, SPECIAL, INCIDENTAL, EXEMPLARY, PUNITIVE OR CONSEQUENTIAL DAMAGES OF ANY KIND ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT, POC, NDA OR THE SERVICES, REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT, STRICT LIABILITY OR OTHERWISE, EVEN IF A PARTY HAS BEEN ADVISED OR IS OTHERWISE AWARE OF THE POSSIBILITY OF SUCH DAMAGES. THE FOREGOING DISCLAIMER WILL APPLY TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW. IN NO EVENT WILL UNIPHORE’S AND ITS SUPPLIERS’ TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT, POC, NDA OR THE SERVICES EXCEED $5,000. MULTIPLE CLAIMS WILL NOT EXPAND THIS LIMITATION. THE FOREGOING DISCLAIMER WILL APPLY TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW.

APPENDIX I

ANNEX I TO THE STANDARD CONTRACTUAL CLAUSES

A.   LIST OF PARTIES

Data exporter(s): The data exporter is the entity identified as the “Customer” in the Data Processing Addendum (“DPA”) to which these Clauses are appended, or any of Customer’s Affiliates that transfer Personal Data as set forth in Section 8.2 of the DPA.

Data importer(s): The data importer is a US-headquartered company, Uniphore Technologies Inc., or any of its subsidiaries that is located in a country that has not been designated by the European Commission or Swiss Federal Data Protection Authority (as applicable) as providing an adequate level of protection for Personal Data, as applicable (“Uniphore”). Uniphore provides an AI-powered customer service transcription and analytics platform and the support services for the platform.

 

B.   DESCRIPTION OF TRANSFER

Please see the details set forth in Section 4.4 of the DPA to which these Clauses are appended.

C.   COMPETENT SUPERVISORY AUTHORITY

Where the data exporter is established in an EU Member State, the supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.  Otherwise, Ireland shall serve as the supervisory authority.

APPENDIX II

ANNEX II TO THE STANDARD CONTRACTUAL CLAUSES

See Information Security Exhibit

APPENDIX III

Supplemental Clauses

For the purposes of this Appendix, supplemental clauses implemented by the Data Importer include the following.

1. Non-receipt of directives under FISA Section 702 rep: Data importer represents and warrants that, as of the date of this contract, it has not received any national security orders of the type described in Paragraphs 150-202 of the judgment in the European Court of Justice Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (“Schrems II”).
 

2. FISA Section 702 ineligibility rep: Data importer represents that it reasonably believes that it is not eligible to be required to provide information, facilities, or assistance of any type under Section 702 of the Foreign Intelligence Surveillance Act (“FISA”) because:

1. It does not believe that it qualifies as an “electronic communication service provider” within the meaning of 50 U.S.C § 1881(b)(4) and is therefore ineligible to receive any process issued under FISA Section 702 for services it provides to its customers.

2. No court has found Data importer to be the type of entity eligible to receive process issued under FISA Section 702: (i) an “electronic communication service provider” within the meaning of 50 U.S.C § 1881(b)(4) or (ii) a member of any of the categories of entities described within that definition.

3. If Data importer were to be found eligible for Section 702, which it believes it is not, it is nevertheless also not the type of provider that is eligible to be subject to Upstream collection (“bulk” collection) pursuant to FISA Section 702, as described in paragraphs 62 & 179 of the Schrems II judgment.
 

3. Court-review safeguard:  Data importer shall use all reasonable legal mechanisms to challenge any demands for data access through national security process it receives in relation to data exporter’s data as well as any non-disclosure provisions attached thereto.

4. EO 12333 non-cooperation:  Data importer shall take no action pursuant to U.S. Executive Order 12333. 

5. Notice of non-compliance: Data importer shall promptly notify the Data Exporter if Data importer can no longer comply with the Standard Contractual Clauses or these Supplementary Clauses, without being required to identify the specific provision with which it can no longer comply.
 

APPENDIX IV

The parties acknowledge that Clause 2(a) of the Clauses permits them to include additional business-related terms provided they do not contradict, directly or indirectly, the Clauses or prejudice the fundamental rights or freedoms of data subjects.

Accordingly, to the extent permissible and to the extent it does not invalidate the Standard Contractual Clauses, this Appendix sets out the parties’ interpretation of their respective obligations under specific Clauses identified below. Where a party complies with the interpretations set out in this Appendix, that party shall be deemed by the other party to have complied with its commitments under the Clauses.

Clauses 3 and 8.6(d): Disclosure of these Clauses

Data exporter agrees that these Clauses constitute data importer’s Confidential Information (as that term is defined in the Agreement) and may not be disclosed by data exporter to any third party without data importer’s prior written consent unless permitted pursuant to the Agreement. This shall not prevent disclosure of these Clauses to a data subject pursuant to Clause 3 or a supervisory authority pursuant to Clause 8.6(d).

Clause 8.1(a) and Clause 8.1(b): Suspension of data transfers and termination

1. The parties acknowledge that for the purposes of Clause 8.1(a), data importer may process the personal data only on behalf of the data exporter and in compliance with its documented instructions as set out in the DPA and that pursuant to the DPA, these instructions shall be the data exporter’s complete and final instructions and processing outside the scope of such instructions (if any) shall be in writing between the parties.

2. The parties acknowledge that if data importer cannot provide compliance in accordance with Clause 8.1(a) and/or Clause 8.1(b), the data importer agrees to promptly inform the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the affected parts of the Service in accordance with the terms of the Agreement.

3. If the data exporter intends to suspend the transfer of personal data and/or terminate the affected parts of the Service, it shall first provide notice to the data importer and provide data importer with a reasonable period of time to cure the non-compliance (“Cure Period”).

4. In addition, the data exporter and data importer shall reasonably cooperate with each other during the Cure Period to agree what additional safeguards or other measures, if any, may be reasonably required to ensure the data importer’s compliance with the Clauses and applicable data protection law.

5. If, after the Cure Period, the data importer has not or cannot cure the non-compliance in accordance with paragraphs 3 and 4 above, then the data exporter may suspend and/or terminate the affected part of the Service in accordance with the provisions of the Agreement without liability to either party (but without prejudice to any fees incurred by the data exporter prior to suspension or termination).

Clause 8.9: Audit

Data exporter acknowledges and agrees that it exercises its audit right under Clause 8.9 by instructing data importer to comply with the audit measures described in Section 7.1 (Audits) of the DPA.

Clause 9(c): Disclosure of subprocessor agreements

1. The parties acknowledge the obligation of the data importer to send promptly upon request a copy of any onward subprocessor agreement it concludes under the Clauses to the data exporter.

2. The parties further acknowledge that, pursuant to subprocessor confidentiality restrictions, data importer may be restricted from disclosing onward subprocessor agreements to data exporter. Notwithstanding this, data importer shall use reasonable efforts to require any subprocessor it appoints to permit it to disclose the subprocessor agreement to data exporter.

3. Even where data importer cannot disclose a subprocessor agreement to data exporter, the parties agree that, upon the request of data exporter, data importer shall (on a confidential basis) provide all information it reasonably can in connection with such subprocessing agreement to data exporter.

Clause 12: Liability

To the extent permissible, any claims brought under the Clauses shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement. In no event shall any party limit its liability with respect to any data subject rights under these Clauses.

Annex A

UNIPHORE CCPA ADDENDUM TO THE Master Software and Services Agreement

This CCPA Addendum is made between Uniphore Technologies Inc., a Delaware corporation whose principal offices are at 1001 Page Mill Road, Bldg 4, Suite 100-B, Palo Alto, CA 94304 (“Uniphore”), and the Customer identified below. This CCPA Addendum forms a part of the Master Software and Services Agreement between Uniphore and Customer or to any other written agreement between Uniphore and Customer that governs Customer’s use of the Uniphore Services (as defined below) (collectively, the “Subscription Agreement”), and is effective as of the date both parties execute the Subscription Agreement. This CCPA Addendum supplements and is subject to the Subscription Agreement.

BACKGROUND:

(A) Uniphore provides an AI-powered customer service transcription and analytics platform and the support services for the platform (“Uniphore Services”) to Customer under the Master Software and Services Agreement. In connection with the Uniphore Services, Uniphore may process personal information in respect of which Customer or its Affiliates (or their customers), may be a ‘business’ (as such term is defined under the California Consumer Privacy Act of 2018, as amended from time to time (“CCPA”)).

(B) Customer and Uniphore have agreed to enter into this CCPA Addendum to address CCPA requirements.

(C) All capitalized terms used in this CCPA Addendum but not otherwise defined have the meanings ascribed to them in the Subscription Agreement.

For good and valuable consideration, the sufficiency of which is hereby acknowledged, Uniphore and Customer agree to the following if and to the extent CCPA applies.

ADDENDUM:

1. Restrictions on Use and Disclosure.

1.1. Restrictions. The restrictions in this Section 1 apply for purposes of Customer Data that is personal information as defined in and subject to the CCPA.

1.2. As between Customer and Uniphore, for purposes of the CCPA, Customer is a “business” and Uniphore is (if CCPA applies) a “service provider” (each as defined in the CCPA).

1.3. Uniphore shall not retain, use, or disclose personal information obtained in the course of providing the Services except: 

(1) To process or maintain personal information on behalf of or at the direction of Customer and in compliance with the Subscription Agreement;

(2) To retain and employ another service provider as a subcontractor, where the subcontractor meets the requirements for a service provider under the CCPA;

(3) For internal use by Uniphore to build or improve the quality of its services, provided that the use does not include building or modifying household or consumer profiles to use in providing services to another business, or correcting or augmenting data acquired from another source;

(4) To detect data security incidents, or protect against fraudulent or illegal activity; or

(5) For the purposes enumerated in Civil Code section 1798.145, subdivisions (a)(1) through (a)(4).

1.4. Uniphore will not “sell” such personal information to any third party. For these purposes, “sell” has the meaning ascribed to it in the CCPA.

1.5. For clarity, the restrictions in this Section 1 include retention, use or disclosure of such Personal Information by Uniphore outside of the direct business relationship between Uniphore and Customer.

1.6. Uniphore certifies that it understands the restrictions in this Section 1 and will comply with them.

2. In the event of any conflict between the terms of this CCPA Addendum and the terms of the Subscription Agreement, the terms of this CCPA Addendum will prevail so far as the subject matter concerns the processing of personal information under the CCPA. Except as otherwise set forth in this CCPA Addendum, the Subscription Agreement remains unchanged and in full force and effect.

3. This CCPA Addendum may be executed in one or more counterparts, which taken together will constitute a single agreement between the parties.