Effective Date: November 05, 2024

INEIGHT INTRODUCTORY ACCESS
DATA PROCESSING ADDENDUM

INEIGHT SUBSCRIPTION AGREEMENT

Data Processing Addendum (v.05Nov2024)

  1. This Data Processing Addendum (“Addendum”) is incorporated into the InEight Subscription Agreement (“Agreement”) entered into on Effective Date between Customer and InEight, together referred to as the “Parties”, and applies where InEight will process Personal Information when providing Services under the Agreement. All capitalized terms not defined in this Addendum shall have the meanings set forth in the Agreement.
  2. DEFINITIONS

    1. “CCPA” means the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and its implementing regulations.
    2. “Controller” means the natural or legal person that determines the purposes and means of the Processing of Personal Information and/or “controller,” “business” or like term as defined by applicable Privacy Laws.
    3. “Data Subject” means an identified or identifiable natural person to whom Personal Information relates and/or a “Data Subject,” “consumer,” or like term as defined by applicable Privacy Laws.
    4. “Other Privacy Laws” means the other United States or Canada laws regulating the Processing of Personal Information, together with any applicable final implementing regulations.
    5. “Personal Information” means any information relating to an identified or an identifiable natural person or as otherwise defined under Privacy Laws, including “personal information” or analogous variations of such terminology within the meaning of applicable Other Privacy Laws. For the purposes of this Addendum, Personal Information is limited to such information that is contained in the Customer Data.
    6. “Privacy Laws” means any CCPA and Other Privacy Laws applicable to the Customer and InEight that regulate the Processing of Personal Information, including such laws regulating notification in the event of a Security Breach.
    7. “Processing” or “Process” means any operation or set of operations which is performed upon Personal Information, including “processing” or “process” as defined under applicable Privacy Laws.
    8. “Processor” means the natural or legal person that Processes Personal Information on behalf of the Controller and/or “processor,” “service provider” or a like term as defined by applicable Privacy Laws.
    9. “Security Breach” means (a) the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or acquisition of, or access to, Personal Information; or (b) a “security breach” or similar term as defined by applicable law.
    10. “Services” as used in this Addendum means the services or products that are specifically addressed in the Agreement, statement of works or order form entered into between Parties.
    11. “Subprocessor” means the natural or legal person engaged by InEight and to whom InEight delegates a processor activity related to the Processing of Personal Information, including “subcontractor,” “subprocessor” or like terms as defined by applicable Privacy Laws.
  3. DESIGNATION OF THE PARTIES

    1. The parties agree that, for the purposes of compliance with applicable Privacy Laws, all Personal Information that is received by InEight directly from Customer in connection with the performance of InEight’s obligations under the Agreement and this Addendum, Customer will be the Controller and InEight will be the Processor.
    2. Each party will comply, and will take reasonable steps to ensure that its personnel comply, with applicable Privacy Laws in connection with the Agreement and this Addendum.
  4. PROCESSING OF PERSONAL INFORMATION

    1. Personal Information will be Processed by InEight solely for purposes that are (a) necessary for InEight to perform its obligations under the Agreement; (b) required by law so long as such Processing does not violate applicable Privacy Laws; and (c) other purposes permitted by Customer in writing or otherwise in this Addendum.
    2. InEight may aggregate, deidentify or anonymize Personal Information both to provide the Services and for InEight’s own purposes, if applicable, in a manner required under Privacy Laws, so long as such information is no longer identifiable to Customer in any manner and cannot be reidentified. Such aggregate, deidentified or anonymized Personal Information will not be subject to the terms of this Addendum.
    3. Unless as expressly set forth in the Agreement, Customer is and shall remain the owner of any Personal Information.
    4. Customer is responsible for providing all notices and obtaining all consents for the Processing of Personal Information by InEight in connection with this Addendum and the Agreement. This includes obtaining consent for the Processing of any sensitive Personal Information if required by applicable Privacy Laws.
    5. Solely with respect to any Personal Information that is subject to CCPA (a) InEight will not retain, use, combine or disclose the Personal Information for any purpose other than for the limited and specific purposes outlined in Annex 1, as otherwise agreed to in writing by InEight and Customer or as permitted by CCPA; (b) InEight shall not “sell” or “share” Personal Information, as such terms are defined by CCPA, or retain, use or disclose the Personal Information outside of the direct business relationship with Customer; (c) InEight will only retain, use, or disclose the Personal Information for “business purposes,” as defined by CCPA, as authorized by the Agreement or this Addendum or as otherwise permitted by the CCPA; (d) InEight will not retain, use, or disclose the Personal Information for any “commercial purposes” other than the “business purposes” (as these terms are defined by CCPA) specified in the Agreement, unless expressly permitted by CCPA; (e) InEight will comply with applicable provisions of CCPA and provide the same level of privacy protection for relevant Personal Information as required by CCPA; (f) Customer has the right to take reasonable and appropriate steps to help ensure that InEight uses Personal Information in a manner consistent with Customer’s obligations under CCPA; (g) InEight will notify Customer if InEight makes a determination that it can no longer meet its obligations under CCPA; (h) Customer will have the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information by InEight; and (i) InEight will take actions reasonably necessary for Customer to comply with privacy requests made pursuant to CCPA, including but not limited to, requests to delete, correct or access Personal Information.
    6. Solely with respect to any Personal Information that is subject to Other Privacy Laws, InEight and Customer agree to the following, to the extent required by such applicable Other Privacy Laws (a) the type of Personal Information subject to Processing in connection with the Services may include the identifiers specified in Annex 1; (b) the duration of the Processing in connection with the Services is specified in Annex 1; (c) InEight shall delete or return all Personal Information once Processing by InEight of any such Personal Information is no longer required for InEight’s performance of its obligations under the Agreement or this Addendum, unless retention of the Personal Information is permitted by law; (d) InEight shall ensure that each person Processing Personal Information in connection with the Services is subject to a duty of confidentiality with respect to the Personal Information; (e) InEight shall make available to Customer such readily accessible information in its possession necessary to demonstrate compliance with the obligations under Other United States Privacy Laws; and (f) InEight shall allow reasonable audits and inspections in connection to its obligations under this Addendum and the Agreement.
  5. INFORMATION SECURITY MEASURES

    1. InEight will implement and maintain, at its own cost and expense, and in accordance with Privacy Laws, commercially reasonable technical, organizational, and physical security measures designed to protect the privacy and security of Personal Information it Processes in connection with the Agreement and this Addendum.
    2. In Processing Personal Information on behalf of Customer, InEight shall take reasonable steps to ensure that InEight’s personnel who Process Personal Information in connection with the Agreement are subject to appropriate supervision and binding confidentiality obligations in respect of such Processing.
  6. AGENTS AND SUBPROCESSORS

    1. Customer authorizes InEight to engage its Affiliates and its third-party Subprocessors to perform Processing activities involving Personal Information on Customer’s behalf. Excluding Microsoft (with regard to provision of the Azure platform on which the InEight Products are hosted), InEight will require such Subprocessor to agree in writing to comply with materially similar obligations as those contained in this Addendum. Upon reasonable request, InEight shall provide to Customer a list of InEight’s third-party Subprocessors that Process Personal Information.
  7. COOPERATION AND AUDITS

    1. InEight will provide reasonable assistance, information, and cooperation to Customer to help Customer comply with Customer’s obligations under applicable Privacy Laws with respect to (a) privacy impact assessments, provided such assistance is at Customer’s cost; and/or (b) subject to the terms in this Section 7, audits of InEight with respect to compliance with such Privacy Laws.
    2. If InEight is requested or required (by oral questions, interrogatories, requests for information or documents in legal proceedings, subpoenas, civil investigative demands or similar processes) to disclose any Personal Information to a third party, InEight shall promptly notify Customer of any such disclosure request (except to the extent that InEight is precluded by applicable law or legal process) so that Customer may, at its own expense, exercise such rights as it may have under law to prevent or limit such disclosure.
    3. Except in the event of Customer’s request of an assessment following a Security Breach caused by InEight or its Subprocessor which request shall be granted by InEight on a mutually agreed upon timeline between the Parties (such timeline shall not exceed thirty (30) days from the Customer’s request unless a later date is agreed upon in writing by the Parties), InEight shall permit Customer and its auditors (who shall not be competitors of InEight) to audit and inspect, at Customer’s expense (except as otherwise provided in this Section), no more often than once per year (unless otherwise required by law), subject to InEight controls to maintain the confidentiality and security of InEight’s own security infrastructure, any third-party confidential information and InEight’s own confidential information: (a) InEight’s security practices and procedures, resources, plans and procedures; and (b) all books, notices and administrative records required to be retained by InEight hereunder. Such audit and inspection rights shall be limited to the purpose of verifying InEight’s compliance with this Addendum and, as applicable, confirming any mitigation efforts taken following a Security Breach.
    4. Upon notice to InEight, InEight shall take commercially reasonable steps to assist and support Customer in the event of an investigation by any regulator, including without limitation a data protection regulator or similar authority, if and to the extent that such investigation relates to Personal Information handled by InEight. Such assistance and support shall be at Customer’s sole expense, except where such investigation was required due to InEight’s or its Subprocessors’ acts or omissions, in which case such assistance and support shall be at InEight’s sole expense.
    5. Customer or its auditors, designated audit representatives, and regulators shall (a) execute and deliver confidentiality and non-disclosure agreements acceptable to InEight, (b) observe InEight’s reasonable confidentiality and security arrangements, and (c) conduct any and all audits in a manner that results in minimal inconvenience and disruption to InEight’s business operations. The parties agree that Customer or its auditors, designated audit representatives, and regulators shall not be entitled to audit (w) InEight’s technical systems, (x) data or information of other customers of InEight, (y) any InEight proprietary data, or (z) any other InEight confidential information that is not relevant for the purposes of the audit. All information learned or exchanged in connection with the conduct of an audit, as well as the results of any audit, constitute InEight’s confidential information for the purposes of the Agreement. InEight shall be permitted to reasonably decline the Customer’s choice of an auditor for any reason.
  8. SECURITY BREACHES

    1. InEight shall without undue delay, and in no event longer than seventy-two (72) hours of confirming such Security Breach, notify Customer in writing (which includes email) to the point of contact set forth in the notice provision of the Agreement. Such notice shall include information regarding the Security Breach then available to InEight in order to assist the Customer to comply with its notification requirements under applicable Privacy Laws.
    2. InEight agrees to take commercially reasonable efforts to contain, investigate, mitigate and remediate any Security Breach that impacts Personal Information. InEight also agrees to provide reasonable assistance to Customer in Customer’s provision of notice of the Security Breach to impacted Data Subjects or other third parties, including regulators.
    3. Promptly after a Security Breach and on reasonable request of Customer, InEight shall develop and execute a plan or otherwise implement technical measures that are likely to reduce the likelihood of a recurrence of such a Security Breach. Upon Customer’s reasonable request, InEight shall provide a written summary of such measures.
  9. DATA SUBJECT RIGHTS

    1. InEight will reasonably assist Customer, taking into account the nature of the Processing, by appropriate technical and organizational measures, in so far as this is possible, in fulfilling Customer’s obligations to respond to requests from Data Subjects to access, delete, correct or object to the Processing of Personal Information, or any similar Data Subject right under applicable Privacy Laws (collectively, “Data Subject Request”).
    2. With respect to any Data Subject Requests for which Customer requires InEight’s assistance in processing under Section 9.1, Customer should submit Data Subject Requests to InEight Privacy Officer at Privacy@InEight.com (or 1-602-648-2858) and InEight will respond to Customer within the timeframes outlined in applicable Privacy Laws.
  10. INFORMATION MANAGEMENT

    1. InEight shall, at Customer’s written request either securely delete or securely return any Personal Information to Customer once Processing by InEight of any Personal Information is no longer required for InEight’s performance of its obligations under the Agreement or this Addendum, unless retention of any Personal Information is required by applicable law or is otherwise infeasible, in which case InEight will continue to retain the Personal Information subject to the requirements of this Addendum and may only Process such Personal Information for the purposes that make return or deletion infeasible.
  11. INTERPRETATION AND UPDATES

    1. This Addendum will be interpreted in a manner that allows Customer and InEight to comply with their respective obligations under applicable Privacy Laws. In addition, InEight will update this Addendum at its discretion, without notice to Customer, in a manner that complies in all material respects with applicable Privacy Laws and will not otherwise materially lessen the protections to Personal Information as described under the Addendum.

ANNEX 1: PERSONAL INFORMATION PROCESSING TERMS

Categories of data subjects whose Personal Information is transferred: Customer employees, contractors
Categories of Personal Information transferred: contact information, name and email
Categories of Sensitive Personal Information transferred: N/A [Customer controls its input of data into the InEight Products and is responsible to advise if this type of data is applicable]
Frequency of the transfer: Continuous
Purpose of the processing: Provision of InEight products and services
Duration of processing: Until the termination of the Services under the Agreement or as otherwise required or permitted by law