DATA PROCESSING ADDENDUM

This Data Processing Addendum (this “Addendum”) forms part of the services or purchase agreement referencing this Addendum (the “Agreement”) between Choice Digital, Corp. (“CDCO”) and the client referenced in the Agreement (“Client”). 
Capitalized terms used in this Addendum shall have the meanings set forth in this Addendum.  Capitalized terms used but not otherwise defined herein shall have the meanings given to them in the Agreement.  Except as expressly modified below, the terms of the Agreement shall remain in full force and effect.
The parties hereby agree that the terms and conditions set out below shall be added as an addendum to the Agreement.  The following obligations shall only apply to the extent required by Data Protection Laws with regard to the relevant Client Personal Data, if applicable.

1. DEFINITIONS

1.1 “Controller” means an entity that determines the purposes and means of the Processing of Personal Data.

1.2 “Client Personal Data” means Personal Data Processed by CDCO on behalf of Client to perform the Services under the Agreement.

1.3 “Data Protection Laws” means the data privacy and security laws and regulations of the United States applicable to the Processing of Client Personal Data, including, in each case to the extent applicable, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and its implementing regulations (collectively, “CCPA”).

1.4 “Data Subject” means the identified or identifiable natural person who is the subject of Personal Data.

1.5 “Personal Data” means information that constitutes “personal information,” “personal data,” “personally identifiable information,” or similar term under Data Protection Laws.

1.6 “Process” means any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, alignment, combination, restriction, erasure, destruction or disclosure by transmission, dissemination or otherwise making available.

1.7 “Processor” means an entity that Processes Personal Data on behalf of a Controller.

1.8 “Security Incident” means a breach of CDCO’s security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Personal Data in CDCO’s possession, custody, or control.  “Security Incident” does not include unsuccessful attempts or activities that do not compromise the security of Client Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.

1.9 “Subprocessor” means any Processor appointed by CDCO to Process Client Personal Data on behalf of Client under the Agreement.

2. PROCESSING OF CUSTOMER PERSONAL DATA

2.1 Roles of the Parties; Compliance.  The parties acknowledge and agree that, as between the parties, with regard to the Processing of Client Personal Data under the Agreement, Client is a Controller and CDCO is a Processor.  In some circumstances, the parties acknowledge that Client may be acting as a Processor to a third-party Controller in respect of Client Personal Data, in which case CDCO will remain a Processor with respect to the Client in such event.  Each party will comply with the obligations applicable to it in such role under Data Protection Laws with respect to the Processing of Client Personal Data.

2.2 Client Instructions.  CDCO will Process Client Personal Data only in accordance with Client’s documented instructions unless otherwise required by applicable law, in which case CDCO will inform Client of such Processing unless notification is prohibited by applicable law.  Client hereby instructs CDCO to Process Client Personal Data: (a) to provide the Services to Client; (b) to perform its obligations and exercise its rights under the Agreement and this Addendum; and (c) as necessary to prevent or address technical problems with the Services.  CDCO will notify Client if, in its opinion, an instruction of Client infringes upon Data Protection Laws.  Client’s instructions for the Processing of Client Personal Data shall comply with Data Protection Laws.  Client shall be responsible for: (i) giving adequate notice and making all appropriate disclosures to Data Subjects regarding Client’s use and disclosure and CDCO’s Processing of Client Personal Data; and (ii) obtaining all necessary rights, and, where applicable, all appropriate and valid consents to disclose such Client Personal Data to CDCO to permit the Processing of such Client Personal Data by CDCO for the purposes of performing CDCO’s obligations under the Agreement or as may be required by Data Protection Laws.  Client shall notify CDCO of any changes in, or revocation of, the permission to use, disclose, or otherwise Process Client Personal Data that would impact CDCO’s ability to comply with the Agreement, this Addendum, or Data Protection Laws.  

2.3 Details of Processing.  The parties acknowledge and agree that the nature and purpose of the Processing of Client Personal Data, the types of Client Personal Data Processed, and the categories of Data Subjects are as set forth in Appendix 1.

2.4 Processing Subject to the CCPA.  As used in this Section 2.4, the terms “Sell,” “Share,” “Business Purpose,” and “Commercial Purpose” shall have the meanings given in the CCPA and “Personal Information” shall mean any personal information (as defined in the CCPA) contained in Client Personal Data.  CDCO will not: (a) Sell or Share any Personal Information; (b) retain, use, or disclose any Personal Information (i) for any purpose other than for the Business Purposes specified in the Agreement, including for any Commercial Purpose other than the Business Purposes specified in the Agreement, or as otherwise permitted by the CCPA, or (ii) outside of the direct business relationship between Client and CDCO; or (c) combine Personal Information received from, or on behalf of, Client with Personal Data received from or on behalf of any third party, or collected from CDCO’s own interaction with Data Subjects, except to perform any Business Purpose permitted by the CCPA.  CDCO hereby certifies that it understands the foregoing restrictions under this Section 2.4 and will comply with them.  The parties acknowledge that the Personal Information disclosed by Client to CDCO is provided to CDCO only for the limited and specified purposes set forth in Appendix 1.  CDCO will comply with applicable obligations under the CCPA and provide the same level of privacy protection to Personal Information as is required by the CCPA.  Client has the right to take reasonable and appropriate steps to help ensure that CDCO uses the Personal Information transferred in a manner consistent with Client’s obligations under the CCPA by exercising Client’s audit rights in Section 8.  CDCO will notify Client if it makes a determination that CDCO can no longer meet its obligations under the CCPA.  
If CDCO notifies Client of unauthorized use of Personal Information, including under the foregoing sentence, Client will have the right to take reasonable and appropriate steps to stop and remediate such unauthorized use by limiting the Personal Information shared with CDCO, terminating the portion of the Agreement relevant to such unauthorized use, or such other steps mutually agreed between the parties in writing. 

2.5 De-identified Data. With respect to any de-identified data created by CDCO from Client Personal Data, CDCO will: (i) take any necessary measures to ensure that such de-identified data cannot be associated with a Data Subject; (ii) publicly commit to maintaining and using de-identified data without attempting to re-identify the data; (iii) comply with the requirements of Data Protection Laws with respect to the creation of such de-identified data; and (iv) contractually obligate any recipients of the de-identified data to comply with restrictions substantially similar to those set forth in this Section 2.5.

3. CONFIDENTIALITY

CDCO shall take reasonable steps to ensure that CDCO personnel who Process Client Personal Data are subject to obligations of confidentiality or are under an appropriate statutory obligation of confidentiality with respect to such Client Personal Data.

4. SECURITY

4.1 Security Measures.  Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, CDCO shall implement appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk.

4.2 Security Incidents.  Upon becoming aware of a confirmed Security Incident, CDCO will notify Client to the extent required by Data Protection Laws. CDCO’s notification of or response to a Security Incident under this Section 4.2 will not be construed as an acknowledgement by CDCO of any fault or liability with respect to the Security Incident.

4.3 Client Responsibilities.  Client agrees that, without limitation of CDCO’s obligations under this Section 4, Client is solely responsible for its use of the Services, including: (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Client Personal Data; and (b) securing any account authentication credentials, systems, and devices Client uses to access or connect to the Services, where applicable.  Without limiting CDCO’s obligations hereunder, Client is responsible for reviewing the information made available by CDCO relating to data security and making an independent determination as to whether the Services meet Client’s requirements and legal obligations under Data Protection Laws.

5. SUBPROCESSING

Client generally authorizes CDCO to engage Subprocessors.  A list of CDCO’s Subprocessors is available upon Client’s request and may be updated by CDCO from time to time.  CDCO will notify Client of the addition or replacement of any Subprocessor and provide Client with an opportunity to object.  CDCO will enter into a written contract with such Subprocessor containing data protection obligations substantially similar to those in this Addendum. 

6. DATA SUBJECT RIGHTS

CDCO will, taking into account the nature of the Processing of Client Personal Data and the functionality of the Services, provide reasonable assistance to Client in responding to requests by Data Subjects to exercise their rights under Data Protection Laws, to the extent required by Data Protection Laws. CDCO reserves the right to charge Client on a time and materials basis in the event that CDCO considers that such assistance is onerous, complex, frequent, or time consuming.

7. RELEVANT RECORDS AND AUDIT RIGHTS

7.1 Review of Information and Records.  Upon Client’s reasonable written request, CDCO will make available to Client all information in CDCO’s possession reasonably necessary to demonstrate CDCO’s compliance with Data Protection Laws.  Such information will be made available to Client no more than once per calendar year and subject to the confidentiality obligations of the Agreement or a mutually-agreed non-disclosure agreement.

7.2 Audits.  If Client requires information for its compliance with Data Protection Laws in addition to the information provided under Section 8.1, at Client’s sole expense and to the extent Client is unable to access the additional information on its own, CDCO will allow for, cooperate with, and contribute to reasonable assessments and audits, including inspections, by Client or an auditor mandated by Client (“Mandated Auditor”), provided that (a) Client provides CDCO with reasonable advance written notice including the anticipated date of the audit, the proposed scope of the audit, and the identity of any Mandated Auditor, which shall not be a competitor of CDCO; (b) CDCO approves the Mandated Auditor in writing, with such approval not to be unreasonably withheld; (c) the audit is conducted during normal business hours and in a manner that does not have any adverse impact on CDCO’s normal business operations; (d) Client or any Mandated Auditor complies with CDCO’s standard safety, confidentiality, and security policies or procedures in conducting any such audits; (e) any records, data, or information accessed by Client or any Mandated Auditor in the performance of any such audit, or any results of any such audit, will be deemed to be the Confidential Information of CDCO and subject to a nondisclosure agreement to be provided by CDCO; and (f) Client may initiate such audit not more than once per calendar year unless otherwise required by a Supervisory Authority or Data Protection Laws.

7.3 Results of Audits.  Client will promptly notify CDCO of any non-compliance discovered during the course of an audit and provide CDCO any reports generated in connection with any audit under this Section, unless prohibited by Data Protection Laws or otherwise instructed by a Supervisory Authority.  Client may use the audit reports solely for the purposes of meeting Client’s audit requirements under Data Protection Laws to confirm that CDCO’s Processing of Client Personal Data complies with this Addendum.

8. DELETION OR RETURN OF CUSTOMER PERSONAL DATA

Following termination or expiration of the Agreement, CDCO shall, at Client’s option, delete or return Client Personal Data and all copies to Client, except as required by applicable law.  If CDCO retains Client Personal Data pursuant to applicable law, CDCO agrees that all such Client Personal Data will continue to be protected in accordance with this Addendum.

9. GENERAL TERMS

This Addendum will, notwithstanding the expiration or termination of the Agreement, remain in effect until, and automatically expire upon, CDCO’s deletion or return of all Client Personal Data.  Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force.  The invalid or unenforceable provision shall be either (a) amended as necessary to ensure its validity and enforceability, while preserving the intent of the provision as closely as possible; or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein.  To the extent of any conflict or inconsistency between this Addendum and the other terms of the Agreement in relation to the Processing of Client Personal Data, this Addendum will govern.  Unless otherwise expressly stated herein, the parties will provide notices under this Addendum in accordance with the Agreement, provided that all such notices may be sent via email.  Any liabilities arising in respect of this Addendum are subject to the limitations of liability under the Agreement.  This Addendum will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws.