Data Processing Addendum

BACKGROUND

(A) Customer wishes to receive and Income Analytics wishes to provide goods and/or services under the Master Agreement, which may include the Information, Services and/or Software;

(B) Customer may provide Customer Data, which may comprise Personal Data, in connection with its use of the Information, Services and/or Software;

(C) Income Analytics may Process Customer Data, including any Personal Data comprised in it, in connection with its provision of the Information, Services and/or Software;

(D) Income Analytics may therefore process Personal Data as a consequence of performing its obligations under the Master Agreement;

(E) Privacy Law provides that such processing shall be governed by a written agreement;

(F) The parties therefore through completion of the Master Agreement enter into this Data Processing Addendum (“DPA”) to satisfy such requirement.

1. DEFINITIONS AND INTERPRETATION

1.1 In this DPA, the following words and phrases shall have the following meanings, unless inconsistent with the context or as otherwise specified:

Controller: any natural or legal person who, alone or jointly with others, determines the purposes and means of the Processing of Personal Data

Customer: the customer identified on an Order

Customer Data: any information that Customer provides to Income Analytics pursuant to the Master Agreement for the Service Purposes and/or Validation Purposes

Customer Personal Data: any Personal Data comprised in Customer Data

Customer Processing Instructions: the Customer’s instructions for the Processing of Customer Personal Data as set out in Clause 3.4 and any additional instructions for the Processing of Customer Personal Data provided by the Customer to Income Analytics in writing from time to time

Data Subject: a living natural person to whom Customer Personal Data relates

EU GDPR: the General Data Protection Regulation (Regulation (EU) 2016/679)

Income Analytics: as defined in the Master Agreement

Information: all information supplied by Income Analytics to Customer from time to time via the Services and/or Software pursuant to an Order

Master Agreement: an agreement for the provision by Income Analytics of Information, Services and/or Software between Income Analytics and the Customer

Order: a valid order for Information, Services and/or Software that has been accepted by Income Analytics in accordance with the terms of the Master Agreement

Personal Data: information that can be used to identify a living natural person, directly or indirectly, such as a name, identification number, location data, an online identifier or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a living natural person

Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data

Privacy Law: all laws relating to the Processing of Personal Data that are applicable to the Processing of Customer Personal Data pursuant to the Master Agreement, including the Data Protection Act 2018 and UK GDPR and, if applicable to the Customer’s Processing of Customer Personal Data, the EU GDPR

Processor: a natural or legal person that Processes Personal Data on behalf of a Controller

Processing: any operation or set of operations performed on Personal Data or sets of Personal Data, whether by automated means or not, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

Restricted Transfer: an international transfer of Personal Data from the Customer to Income Analytics that requires a Transfer Mechanism in order to comply with the EU GDPR

Services: the business information services (which may include the supply of Information and/or Software) supplied to Customer from time to time by Income Analytics pursuant to an Order

Service Purposes: the provision of the Information, Services and/or Software by Income Analytics to Customer

Software: computer programs or applications (including those accessed remotely) in object code only, documentation and media supplied to Customer from time to time by Income Analytics pursuant to an Order

Standard Contractual Clauses: (i) the standard contractual clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, adopted by the European Commission pursuant to Decision (2010/87/EU) ("Processor SCCs") in respect of Customer Personal Data Processed for the Service Purposes and (ii) the standard contractual clauses for the transfer of personal data from the Community to third countries (controller to controller transfers), adopted by the European Commission pursuant to Decision (2004/915/EC) ("Controller SCCs") in respect of the Customer Personal Data Processed for the Validation Purposes, completed with the Processing detail relevant to the provision of the Information, Services and Software as set out at Schedule 2, but excluding the optional illustrative indemnification clause in the Processor SCCs and the optional illustrative commercial clauses in the Controller SCCs

Sub Processor: a third party contracted by a Processor to Process Personal Data on behalf of a Controller

Transfer Mechanism: a condition set out in Chapter V of the EU GDPR for ensuring an adequate level of protection for personal data transferred to a third country, including an adequacy decision under Article 45, an appropriate safeguard under Article 46 or a derogation under Article 49

UK GDPR: the EU GDPR as transposed into UK law (including by the Data Protection Act 2018 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019)

Validation Purposes: validating and/or enhancing Income Analytics’ business information services.

2. SCOPE

2.1 Income Analytics is the Controller of any Personal Data it provides to Customer comprised in Information. The Processing of such Personal Data is outside the scope of this DPA and is covered within the Master Agreement.

2.2 This DPA applies only to Customer Personal Data. It does not apply to any other Personal Data that may be Processed by either party in connection with the Master Agreement.

2.3. The types of Personal Data comprised in Customer Personal Data and the categories of Data Subject to which it relates, the duration of Processing, Sub Processors and international transfers of Customer Personal Data are listed at Schedule 1.

3. COMPLIANCE

3.1. Customer shall comply with its obligations as a Controller under Privacy Law in respect of its Processing of Customer Personal Data for the Service Purposes and/or the Validation Purposes, including, without limitation, only providing such Personal Data as is necessary for the Service Purposes and/or the Validation Purposes (as applicable).

3.2. Income Analytics shall comply with its obligations as a Controller under Privacy Law in respect of its Processing of Customer Personal Data for the Validation Purposes and shall comply with its obligations as a Processor under Privacy Law in respect of its Processing of Customer Personal Data for the Service Purposes.

3.3. In respect of Income Analytics’ Processing of Customer Personal Data for the Service Purposes, Income Analytics (i) shall only Process Customer Personal Data in accordance with the Customer Processing Instructions, including with regard to international transfers of Customer Personal Data, except if applicable laws to which Income Analytics is subject require Income Analytics to Process Customer Personal Data otherwise than in accordance with the Customer Processing Instructions, in which case Income Analytics shall inform Customer of that legal requirement prior to commencing such Processing unless the applicable law prohibits such information, (ii) shall not Process Customer Personal Data for any purposes other than for the Service Purposes, and (iii) shall not disclose Customer Personal Data to any third party unless requested to do so by Customer or required by applicable law. Income Analytics shall notify Customer if it believes that any Customer Processing Instructions infringe Privacy Law.

3.4. In respect of Income Analytics’ Processing of Customer Personal Data for the Service Purposes, Customer hereby instructs Income Analytics to Process Customer Personal Data as reasonably necessary for the Service Purposes.

3.5. Where disclosure of Customer Personal Data is required by applicable law to which Income Analytics is subject, Income Analytics shall (to the extent permitted by such law) inform Customer in advance of making the disclosure and shall co-operate with Customer to limit the scope of the disclosure to what is strictly required by such law.

3.6. Customer represents and warrants that it has all necessary legal rights, title, consents and authority to provide the Customer Personal Data to Income Analytics to Process as described in this DPA.

3.7. The parties acknowledge and agree that in case of conflict between this DPA and the Master Agreement this DPA will prevail.

4. CONFIDENTIALITY AND SECURITY

4.1. Having regard to the state of the art, cost of implementation and the nature, scope, context, purposes and risks of the Processing of Customer Personal Data, Income Analytics shall take appropriate technical measures and organisational measures (including legally-binding confidentiality obligations on all staff that may access or Process Customer Personal Data) to avoid a Personal Data Breach.

4.2. Income Analytics shall take reasonable steps to ensure the reliability of any personnel who it authorizes to access or Process the Customer Personal Data, including training all such personnel in Privacy Law and imposing legally-binding obligations on such personnel to maintain confidentiality with respect to the Customer Personal Data. Income Analytics shall limit access to the Customer Personal Data (including when in a test environment) to those of its personnel who need to access the Customer Personal Data to perform the Service Purposes and/or Validation Purposes.

4.3. If Income Analytics becomes aware of a Personal Data Breach, Income Analytics shall:

4.3.1. promptly notify Customer of the details of the incident;

4.3.2. promptly initiate an investigation into the circumstances surrounding the incident and make a report of the investigation available to Customer; and

4.3.3. co-operate with Customer's investigation and at Customer’s cost provide such reasonable assistance as may be requested by Customer in order for Customer to comply with its obligations under Privacy Law including any notifications that Customer is required to make as a result of a Personal Data Breach.

4.4. Customer shall implement such appropriate technical and organisational measures to ensure an appropriate level of security for the Customer Personal Data as are within its control, which shall include complying with the terms of use for the Information, Services and Software set out in the Master Agreement and taking reasonable security measures to ensure that no unauthorised person gains access to the Customer Personal Data via Customer’s account.

5. COOPERATION

5.1. Income Analytics shall delete the Customer Personal Data held in Customer’s account if Customer’s account is terminated or not renewed in accordance with the Master Agreement unless applicable law to which Income Analytics is subject requires storage of any Customer Personal Data after such termination or non-renewal. Income Analytics shall, if Customer so requests, provide Customer with a copy of the Customer Personal Data held in Customer’s account before deleting it.

5.2. Income Analytics shall make available to Customer all information necessary to demonstrate its compliance with this DPA and Privacy Law.

5.3. Income Analytics shall implement appropriate measures to assist Customer in complying with the rights of the Data Subjects under Privacy Law in respect of the Customer Personal Data Processed by Income Analytics for the Service Purposes.

5.4. Income Analytics shall notify Customer promptly if Income Analytics receives any enquiry or complaint from a supervisory authority or Data Subject about the Processing of Customer Personal Data. Income Analytics shall co-operate with Customer to permit it to respond to such enquiry or complaint.

5.5. Income Analytics shall also assist Customer to comply with its obligations under Privacy Law in relation to (i) any data protection impact assessment or prior consultation with a supervisory authority that Customer is required to make in relation to Customer Personal Data; and (ii) the implementation of technical and organisational security measures for the Customer Personal Data, in respect of the Customer Personal Data Processed by Income Analytics for the Service Purposes.

5.6. Income Analytics shall permit and contribute to audits carried out by Customer or its mandated auditor to assess compliance by Income Analytics with its obligations under this DPA, including by inspecting Income Analytics’ data processing facilities, procedures and documentation, provided that Customer gives reasonable notice of any inspections, that any inspections are conducted during normal business hours at Customer’s cost and are limited to a maximum of one (1) inspection in any twelve (12) month period, or such further occasions as may be required by Privacy Law. Customer hereby agrees:

5.6.1. to limit any inspection to the extent reasonably necessary to confirm such compliance;

5.6.2. to enter into a confidentiality agreement (in a form reasonably acceptable to Customer) in respect of any information that its or its auditor’s representatives may incidentally be provided access to while carrying out an inspection;

5.6.3. to ensure that Customer's or its auditor’s personnel shall comply with all Income Analytics’ security policies at the relevant Income Analytics locations and shall always be accompanied by a representative of Income Analytics; and

5.6.4. to indemnify Income Analytics against any loss or damage to Income Analytics arising from the negligence of Customer’s or its auditor’s personnel whilst such personnel are carrying out the activities described in this

6. SUB-PROCESSORS

6.1. Income Analytics shall not engage a Sub Processor to Process Customer Personal Data for the Service Purposes without Customer’s prior authorisation. Customer hereby authorises Income Analytics to engage the Sub Processors listed at Schedule 1.

6.2. Customer shall register in accordance with Schedule 3 the relevant email address(es) of its personnel to receive notice of any addition or replacement of a Sub Processor, and Income Analytics shall use such email addresses to notify the relevant personnel of any additional or replacement Sub Processor (including reasonable details of the Processing to be undertaken by the Sub Processor).

6.3. If on receipt of a notification received under clause 6.2 Customer notifies Income Analytics in writing within 5 working days of any objections (on reasonable grounds) to an additional or replacement Sub Processor, Income Analytics shall halt the prospective Processing until reasonable steps have been taken to address the objections raised by Customer. If Income Analytics informs Customer that it is not possible for Income Analytics to continue providing the Information, Services and/or Software without using the objected-to Sub Processor, Customer may terminate the Order or Master Agreement by giving written notice to Income Analytics stating the date on which termination is to take effect.

6.4. Income Analytics shall enter into a written agreement or other binding legal act under applicable law with each Sub Processor that imposes equivalent obligations on each Sub Processor as are imposed on Income Analytics under this DPA and the Master Agreement.

6.5. Income Analytics shall remain liable to Customer for any Sub Processor’s Processing of Customer Personal Data under this DPA and the Master Agreement.

7. INTERNATIONAL DATA TRANSFERS

7.1. In respect of Customer Personal Data Processed for the Service Purposes, Income Analytics shall only transfer Customer Personal Data outside of the United Kingdom in accordance with Customer's instructions regarding international transfers. Customer hereby instructs and authorises Income Analytics to make international transfers of Customer Personal Data in the circumstances, and subject to any applicable Transfer Mechanisms, set out in Schedule 1.

7.2. If the Processing of Customer Personal Data by Income Analytics in the United Kingdom pursuant to the Master Agreement involves a Restricted Transfer, whether at the date of entering the Master Agreement or at any point during the term of the Master Agreement, each party acknowledges and agrees that by entering the Master Agreement:

7.2.1. they agree to be bound by the Standard Contractual Clauses and comply with their respective obligations under the Standard Contractual Clauses; and

7.2.2. the Standard Contractual Clauses shall be incorporated into the Master Agreement by reference, with effect from the date on which the Processing of Customer Personal Data by Income Analytics involves a Restricted Transfer.

7.3. For the purposes of Clause 7.2, no Processing of Customer Personal Data pursuant to the Master Agreement shall be deemed to involve a Restricted Transfer if there is an adequacy decision under Article 45 of the EU GDPR in respect of the United Kingdom that is applicable to the Processing of Customer Personal Data pursuant to the Master Agreement.

7.4. If the Standard Contractual Clauses form part of the Master Agreement pursuant to Clause 7.2, the parties acknowledge and agree that:

7.4.1. the authorisation to engage Sub Processors granted pursuant to Clause 6.1 shall constitute Customer's prior written consent to sub-processing for the purposes of clauses 5(h) and 11(1) of the Processor SCCs;

7.4.2. Income Analytics’ compliance with its obligations under Clause 6.2 shall constitute compliance with its obligations under clauses 5(h) and 11(1) of the Processor SCCs in respect of obtaining Customer's prior written consent to sub-processing;

7.4.3. copies of the sub-processor agreements that must be provided by Income Analytics to Customer pursuant to clause 5(j) of the Processor SCCs may have all commercial and confidential information and clauses unrelated to the Processor SCCs removed by Income Analytics prior to being provided to Customer, and that such copies will be provided by Income Analytics in a format reasonably determined by Income Analytics only upon Customer's request;

7.4.4. for the purposes of clause II(h) of the Controller SCCs, Income Analytics shall Process Customer Personal Data in accordance with the data processing principles in Annex A of the Controller SCCs;

7.4.5. for the purposes of clause II(i) of the Controller SCCs, Customer has received notice of the transfers of Customer Personal Data set out in Schedule 1 and the Transfer Mechanisms set out in Schedule 1 fulfil the requirements of sub-clauses (i) or (ii) of clause II(i) of the Controller SCCs;

7.4.6. in the event of any conflict between a provision of the Standard Contractual Clauses and a provision of this DPA or the Master Agreement, the provision of the Standard Contractual Clauses shall prevail;

7.4.7. subject to Clause 7.4.8 below, the Standard Contractual Clauses shall continue in effect for the term of the Master Agreement unless there is an adequacy decision under Article 45 of the EU GDPR in respect of the United Kingdom that is applicable to the Processing of Customer Personal Data pursuant to the Master Agreement, in which case the Standard Contractual Clauses shall terminate upon the date that the relevant adequacy decision takes effect; and

7.4.8. if the Standard Contractual Clauses are subsequently modified, revoked or held in a court of competent jurisdiction to be invalid, the parties will cooperate in good faith to promptly suspend the transfer or to pursue a suitable alternative Transfer Mechanism that will ensure the relevant Restricted Transfer is lawful.

8. CHANGES IN PRIVACY LAW

8.1. In the event that any:

8.1.1. changes or prospective changes to Privacy Law;

8.1.2. guidelines, decisions or regulations regarding the application of Privacy Law issued by a competent supervisory authority;

8.1.3. judgment regarding the application of Data Protection Regulations made by a court of competent jurisdiction;

8.1.4. modification or revocation of a Transfer Mechanism relied on for a Restricted Transfer, including the Standard Contractual Clauses; or

8.1.5. declaration of invalidity by a court of competent jurisdiction of a Transfer Mechanism relied on for a Restricted Transfer, including the Standard Contractual Clauses,

results or will result in one or both Parties not complying with Privacy Law in relation to the Processing of Customer Personal Data under the Master Agreement (a “Change in the Law”), the parties shall use their best endeavours to promptly agree such amendments to this DPA as may be necessary to remedy such non-compliance.

8.2. Notwithstanding Clause 8.1, if a Change in Law results in:

8.2.1. a particular category of Income Analytics’ customers generally not complying with Privacy Law in relation to the Processing of Customer Personal Data; or

8.2.2. Income Analytics not complying with Privacy Law in relation to the Processing of Customer Personal Data with respect to a particular category of Income Analytics’ customers generally,

then Income Analytics may vary this DPA to remedy such non-compliance by giving 2 weeks' written notice of such variation to Customer.

9. GENERAL

9.1. This DPA shall be governed by and construed in accordance with the laws of the jurisdiction listed in the Master Agreement and the courts of that jurisdiction shall have exclusive jurisdiction to determine any disputes which may arise out of, under, or in connection with this DPA.

9.2. In the event that any one or more of the provisions of this DPA shall for any reason be held to be invalid, illegal or unenforceable, the remaining provisions of this DPA shall continue in full force and effect and the parties will negotiate in good faith to substitute a provision of like effect and intent to that deemed to be unenforceable.

Schedule 1

Types of Personal Data comprised in Customer Personal Data

The types of Personal Data will be wholly determined by Customer according to its use of the Information, Services and/or Software. Due to the nature and functions of the Information, Services and/or Software the types of Personal Data are likely to include (but are not limited to):

  • email addresses
  • names
  • contact details
  • job titles
  • business addresses

Categories of Data Subject to whom Customer Personal Data relate

The categories of Data Subject will be wholly determined by Customer according to its use of the Information, Services and/or Software. Due to the nature and functions of the Information, Services and/or Software, the categories of Data Subjects are likely to include (but are not limited to):

  • Individuals associated or potentially associated with incorporated and unincorporated organisations
  • Sole trader or partnership owners and tenants of commercial property or mixed use property

Duration of the Processing of Customer Personal Data

Income Analytics will Process Customer Personal Data during the term of the Master Agreement and for a short period after the term of the Master Agreement in accordance with Clause 5.1.

Sub Processors of Customer Personal Data

Income Analytics engages the following Sub Processors in connection with the provision of the Information, Services and Software:

Name | Services | Location
Oakland Group Services Limited | Software development and database maintenance | UK
Amazon Web Services EMEA SARL | Cloud storage | UK/Ireland
Dun & Bradstreet Ltd | Processing Services | UK/Ireland

International transfers of Customer Personal Data

Income Analytics makes the following international transfers in connection with the provision of the Information, Services and Software:

Recipient | Country | Transfer mechanism (if applicable)
Amazon Web Services | Ireland | SCC

Schedule 2

Capitalised terms used in this Schedule have the meaning given to them in Clause 1.1 of the main body of this DPA.

Identification of the data exporter and data importer for the purposes of the Standard Contractual Clauses:

Name of the data exporting organisation: the entity identified as “Customer” in the Master Agreement (the data exporter)

Name of the data importing organisation: Income Analytics Limited (company number 12298014) whose registered office is at 30 St Giles, Oxford, Oxfordshire, OX1 3LE, UK

Processing detail for the purposes of Appendix 1 to the Processor SCCs and Annex B to the Controller SCCs:

Data exporter activities relevant to the transfer: The data exporter is a customer of the data importer and may provide Customer Personal Data to the data exporter for the Service Purposes and/or Validation Purposes.

Data importer activities relevant to the transfer: The data importer is a provider of the Information, Services and Software, and such provision to the data exporter may involve the Processing of Customer Personal Data.

Data Subjects: The Personal Data transferred concern the categories of individuals identified in Schedule 1 as Data Subjects.

Categories of data: The Personal Data transferred concern the types of Personal Data identified in Schedule 1 as being comprised in Customer Personal Data.

Special categories of data (if appropriate): The Personal Data transferred must not include special categories of data – the data exporter is responsible for ensuring this.

Processing operations/purposes of the transfers: The Personal Data transferred will be subject to the following basic processing activities/processed for the following purposes:

  • Customer Personal Data will be Processed by the data importer for the Service Purposes under the Processor SCCs
  • Customer Personal Data will be Processed by the data importer for the Validation Purposes under the Controller SCCs

Recipients: The Personal Data transferred may only be disclosed to the Sub Processors listed in Schedule 1.

Data protection registration information of data exporter (if applicable): As set out in the Order or separately notified in writing by the data exporter to the data importer.

Contact points for data protection enquiries:

  • In respect of the data exporter, the customer contact or data protection officer named in the most recent Order
  • In respect of the data importer, the data protection officer.

Processing detail for the purposes of Appendix 2 to the Processor SCCs:

Description of the technical and organisational security measures implemented by the data importer: Data importer will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Customer Personal Data, as described in any security policy of the data importer, as updated from time to time, and made reasonably available by data importer upon request.

Schedule 3

To be notified of any change to the Sub Processors engaged to Process Customer Personal Data, please register any applicable email addresses at dataprotectionofficer@incans.com