Unanet Data Processing Addendum

Effective Date: August 17, 2023

This Data Processing Addendum (“DPA”) is entered into as of the Effective Date (defined below) between Unanet, Inc. (“Unanet” or “Processor”) and Customer (“Customer”). Unanet and Customer may each be referred to as a “Party” or collectively referred to as the “Parties”. This DPA is incorporated by reference into the Unanet Cloud Terms & Conditions (together with any applicable Order Form, and all exhibits, statements of work, and addenda thereto, the “Agreement”), and shall be effective and binding on the date Customer signs an Order Form with Unanet. This DPA may be amended from time to time by Unanet for purposes of complying with Applicable Laws. The parties agree that for the purposes of this DPA, Customer is a Data Controller or Business and Unanet is a Data Processor or Service Provider.

  1. Definitions. In this DPA:
    1. “Applicable Law(s)” means all applicable laws, regulations, and other legally binding requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data, including without limitation, as applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”) and the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”); the Swiss Federal Act on Data Protection (“FADP”); the United Kingdom Data Protection Act of 2018 (“UK GDPR”). For the avoidance of doubt, if Unanet processes Personal Data that is not governed by or its processing activities are not governed by any Applicable Law, such law is not applicable for purposes of this DPA. Each party is responsible only for the Applicable Law applicable to its processing activities and the Personal Data provided or accessed in connection with the Services set forth in the applicable Order Form.
    2. “EU SCCs” means the clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as described in the “Data Transfers” section below.
    3. “Data Subject” is defined as in the GDPR and includes “Consumer” as defined in the CCPA.
    4. “Personal Data Breach” means the accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure or exfiltration of, or access to, Personal Data occurring on Unanet’s systems or otherwise under Unanet’s control.
    5. “Personal Data” means and includes “personal data,” “personal information,” and “personally identifiable information,” and such terms shall have the same meaning as defined by Applicable Law, which is provided to Unanet by or on behalf of Customer for processing pursuant to the terms of the Agreement and this DPA.
    6. “Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
    7. “Sub-Processor” means any Processor affiliate or subcontractor engaged by Unanet for the Processing of Personal Data.
    8. “UK SCCs” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (available as of the Effective Date at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf), and completed as described in the “Data Transfers” section below.
  2. Instructions from the Customer. Unanet will Process the Personal Data only as described in the Agreement, including this DPA, unless otherwise required by applicable law. In such case, Unanet will inform Customer of that legal requirement before the Processing unless legally prohibited from doing so. Customer will not instruct Unanet to Process Personal Data in violation of any applicable law. Unanet has no obligation to monitor the compliance of Customer’s use of the Services with Applicable Laws, though Unanet will promptly inform Customer if, in Unanet’s opinion, an instruction from Customer infringes applicable law. The Agreement, including this DPA, along with Customer’s configuration of any settings or options in the Services (as Customer may be able to modify from time to time), constitute Customer’s complete and final instructions to Unanet regarding the Processing of Personal Data, including for purposes of the EU SCCs and UK SCCs.
  3. Personal Data Processing Requirements. Without limiting the foregoing:
    1. Unanet will not Process the Personal Data in a manner inconsistent with Unanet’s role as Customer’s “Service Provider,” as such term is defined in Applicable Laws. Unanet will not “sell” the Personal Data, as such term is defined in Applicable Laws or “share” Personal Data for purposes of “cross-context behavioral advertising” (as such terms are defined in applicable Data Protection Laws), or otherwise Process Personal Data for any purpose other than for the specific purposes set forth in the Agreement or for any purpose outside of the direct business relationship with Customer.
    2. Unanet will comply with any applicable restrictions under Applicable Laws on combining Personal Data with personal data that Unanet receives from, or on behalf of, another person or persons, or that Unanet collects from any interaction between it and a Data Subject.
    3. Unanet hereby certifies that it understands the restrictions and obligations set forth in this DPA and that it will comply with them and the applicable provisions of Applicable Laws as is required under Applicable Laws applicable to Customer.
    4. Unanet will promptly notify Customer if it determines that it can no longer meet its obligations under this DPA or Applicable Laws.
  4. Confidentiality. Unanet will restrict access to Personal Data to those authorized persons who need such information to provide the Services. Unanet will ensure such authorized persons are obligated to maintain the confidentiality of any Personal Data.
  5. Security. Unanet will implement appropriate technical and organizational measures to ensure a level of security appropriate to the Personal Data provided by Customer and Processed by Unanet. These security measures shall at a minimum comply with applicable law and include the measures identified in Schedule B.
  6. Breach Notification. Unanet will comply with the Personal Data Breach-related obligations directly applicable to it under Applicable Law. After becoming aware of a Personal Data Breach related to the Personal Data processed under the Agreement, Unanet will notify Customer without undue delay, to the extent known, of: (a) the nature of the data breach; (b) the number and categories of Data Subjects and data records affected; and (c) the name and contact details for the relevant contact person at Unanet. Unanet will not assess the contents of Customer Data in order to identify information subject to any specific legal requirements. Customer is solely responsible for complying with legal requirements for notification applicable to Customer and fulfilling any third-party notification obligations related to any Personal Data Breach. Nothing shall be construed to require Unanet to violate, or delay compliance with, any legal obligation it may have with respect to a Personal Data Breach or other security incidents generally.
  7. Sub-Processors. Customer agrees that Unanet may engage its affiliates and other Processors (“Sub-Processors”) to assist in providing the Services consistent with the Agreement. Unanet will maintain a list of such Sub-Processors, available at https://unanet.com/unanet-subprocessors.  Customer may request (by emailing privacy@unanet.com) or subscribe (if available) for notifications of updates to the list of Sub-Processors. When required by Applicable Law, Customer will have 10 calendar days from the date of such notification to object to Unanet’s use of new Sub-Processors, after which time Customer will have been deemed to accept Unanet’s list of Sub-Processors. Customer’s objection will be effective only if it articulates objective, justifiable reasons why it believes new Sub-Processors are not able to adequately protect Personal Data in accordance with the Agreement, this DPA, or Applicable Law. Where Unanet engages a Sub-Processor for carrying out specific Processing activities on behalf of Customer, Unanet will impose contractual obligations on the Sub-Processor that are substantially the same as those imposed on Unanet under this DPA.
  8. Data Subject Requests. To the extent legally permitted, Unanet shall promptly notify Customer if Unanet receives any requests from an individual seeking to exercise any rights afforded to them under Applicable Law regarding Personal Data. Unanet has implemented and will maintain appropriate technical and organizational measures needed to enable Customer to respond to requests from Data Subjects to access, correct, transmit, limit processing of, or delete any relevant Personal Data held by Unanet or, if such measures are not sufficient, Unanet will provide reasonable assistance to Customer with respect to such requests.
  9. Recordkeeping. Upon a request issued by a supervisory authority for records regarding Personal Data, Unanet will cooperate to provide the supervisory authority with records related to Processing activities performed on Customer’s behalf, unless prohibited by Applicable Laws. To the extent legally permissible, Unanet will inform Customer in writing of such a request and partner with Customer working in good faith to verify the legal basis of the request.
  10. Cooperation. To the extent required by Applicable Law, Unanet will cooperate to the extent reasonably necessary in connection with Customer’s requests related to any legally required data protection impact assessments and consultation with supervisory authorities at the Customer’s expense.
  11. Third Party Requests. If Unanet receives a request from a third party in connection with any government investigation or court proceeding that Unanet believes would require it to produce any Personal Data processed pursuant to the Agreement, Unanet will inform Customer in writing of such request and cooperate with Customer if Customer wishes to limit, challenge or protect against such disclosure, to the extent permitted by applicable law.
  12. Transfer of Personal Data; Appointment. Customer authorizes Unanet to transfer, store or Process Personal Data in the United States or, if agreed upon in writing, any other country in which Unanet maintains facilities, and any country in which a Sub-Processor maintains facilities as indicated in the Sub-Processor list. Customer appoints Unanet to perform any such transfer of Personal Data to any such country and to store and Process Personal Data in order to provide the Services. Unanet will conduct all such activity in compliance with the Agreement, this DPA, applicable law and Customer’s instructions.
  13. Data Transfers Outside of the EU, UK, or Switzerland. Unanet will not engage in any cross-border Processing of Personal Data, or transmit, directly or indirectly, any Personal Data to any country outside of the country from which such Personal Data was collected, without complying with Applicable Laws. Where Unanet engages in an onward transfer of Personal Data, Unanet shall ensure that a lawful data transfer mechanism is in place prior to transferring Personal Data from one country to another.
    1. To the extent legally required with respect to Personal Data transferred from the EEA, by signing this DPA, Customer and Unanet are deemed to have signed the EU SCCs, which form part of this DPA and (except as described in Section 13(b) and (c) below) will be deemed completed as follows:
      1. Customer acts as exporter and controller and Unanet acts as processor and importer. Module 2 of the EU SCCs applies to transfers of Personal Data from Customer to Unanet;
      2. Clause 7 (the optional docking clause) is not included;
      3. Under Clause 9 (Use of sub-processors), the Parties select Option 2 (General written authorization). The initial list of sub-processors is set forth in Schedule C of this DPA and Unanet shall update that list and provide a notice to Customer in advance of any intended additions or replacements of sub-processors as provided in Section 7.
      4. Under Clause 11 (Redress), the optional language requiring that Data Subjects be permitted to lodge a complaint with an independent dispute resolution body does not apply;
      5. Under Clause 17 (Governing law), the Parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The Parties select the laws of Ireland;
      6. Under Clause 18 (Choice of forum and jurisdiction), the Parties select the courts of Ireland;
      7. Annex I(A) and I(B) (List of Parties) is completed as set forth in Schedule A of this DPA;
      8. Under Annex I(C) (Competent supervisory authority), the Parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission.
      9. Annex II (Technical and organizational measures) is completed with Schedule B of this DPA; and
      10. Annex III (List of subprocessors) is not applicable as the Parties have chosen General Authorization under Clause 9. A list of Unanet’s current subprocessors is available in Schedule C.
    2. With respect to Personal Data transferred from the United Kingdom for which United Kingdom law (and not the law in any European Economic Area jurisdiction or Switzerland) governs the international nature of the transfer, the UK SCCs form part of this DPA and take precedence over the rest of this DPA as set forth in the UK SCCs. Undefined capitalized terms used in this provision shall mean the definitions in the UK SCCs. The tables of the UK SCCs shall be deemed completed as follows:
      1. The Parties’ details shall be the Parties and their affiliates to the extent any of them is involved in such transfer;
      2. The Key Contacts shall be the contacts set forth in the Agreement, including this DPA;
      3. The Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the Parties;
      4. Annex 1A, 1B, II, and III shall be set forth in Schedules A, B, and C below;
      5. Either Party may end this Addendum as set out in Section 19 of the UK SCCs; and
      6. By entering into this Addendum, the Parties are deemed to be signing the UK SCCs and agree that the Addendum will be governed by the laws of England and Wales and enforced by the courts and relevant supervisory authorities in England and Wales.
    3. For transfers of Personal Data that are subject to the FADP, the EU SCCs form part of this DPA as set forth in Section 12(a) of this DPA, but with the following differences to the extent required by the FADP:
      1. References to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR;
      2. References to personal data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope;
      3. The term “member state” in EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; and
      4. The relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and GDPR apply, respectively).
  14. Deletion or Return. At the choice of Customer and upon Customer’s written request, Unanet will delete or return all the Personal Data Processed in connection with the Services to Customer at any time or after the end of the provision of such Services and delete existing copies (subject to the terms related to archival or backup copies as described in the Agreement), unless Applicable Laws require storage of the Personal Data. Unanet will relay Customer’s instructions to all Sub-Processors, as applicable. Notwithstanding the foregoing, this provision will not require Unanet to delete Personal Data from archival and back-up files except as provided by Unanet’s internal data deletion practices and as required by applicable law. Except to the extent prohibited by Applicable Laws, Unanet will inform Customer if it is not able to return or delete the Personal Data.
  15. Audits.
    1. To the extent required by Applicable Law, no more than once annually (unless otherwise required by applicable law), Unanet shall allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, to demonstrate Unanet’s compliance with Applicable Law. For clarity, such audits or inspections are limited to Unanet’s Processing of Personal Data subject to Applicable Law on behalf of Customer only, not any other aspect of Unanet’s business or information systems or other customers. If Customer requires Unanet to contribute to audits or inspections that are necessary to demonstrate compliance, Customer will provide Unanet with written notice at least 60 days in advance of such audit or inspection. Such written notice will specify the things, people, places or documents to be made available. Such written notice, and anything produced in response to it (including any derivative work product such as notes of interviews), will be considered Confidential Information and, notwithstanding anything to the contrary in the Agreement, will remain Confidential Information in perpetuity or the longest time allowable by applicable law after termination of the Agreement. Such materials and derivative work product produced in response to Customer’s request will not be disclosed to anyone without the prior written permission of Unanet unless such disclosure is required by applicable law. If disclosure is required by applicable law, Customer will give Unanet prompt written notice of that requirement and an opportunity to obtain a protective order to prohibit or restrict such disclosure except to the extent such notice is prohibited by applicable law or order of a court or governmental agency. Customer will make every effort to cooperate with Unanet to schedule audits or inspections at times that are convenient to Unanet. 
To the extent Customer uses a third-party representative to conduct the Audit, Customer shall ensure that such third-party representative is bound by obligations of confidentiality no less protective than those contained in this Agreement. If, after reviewing Unanet’s response to Customer’s audit or inspection request, Customer requires additional audits or inspections, Customer acknowledges and agrees that it will be solely responsible for all costs incurred in relation to such additional audits or inspections.
    2. Customer retains the right to take reasonable and appropriate steps to (i) ensure that Unanet Processes Personal Data in a manner consistent with Applicable Laws, and (ii) upon notice, stop and remediate (to the extent permissible in accordance with this Agreement and Applicable Laws) unauthorized Processing of Personal Data.
  16. Survival. The provisions of this DPA survive the termination or expiration of the Agreement for so long as Unanet or its Sub-Processors Process the Personal Data.

Schedule A

ANNEX I

  1. LIST OF PARTIES

    Data exporter(s):

    Name: The exporter (Controller) is Customer and Customer’s contact details and signature are as provided in the Agreement and the DPA.

    Activities relevant to the data transferred under these SCCs: The data exporter is a user of Unanet’s Services pursuant to their underlying Agreement. The data exporter acts as a controller with respect to its own personal data.

    Signature and date: The Parties agree that execution of the Agreement shall constitute execution of these SCCs by both Parties.

    Data importer(s):

    Name: The importer (Processor) is Unanet and Unanet’s contact details and signature are as provided in the Agreement and the DPA.

    Activities relevant to the data transferred under these SCCs: The data importer is the provider of Services to the data exporter and its customers pursuant to their underlying Agreement. The data importer acts as the data exporter’s processor.

    Signature and date: The Parties agree that execution of the Agreement shall constitute execution of these SCCs by both Parties.

  2. DESCRIPTION OF TRANSFER

    Categories of data subjects whose personal data is transferred: Customer’s employees, contractors, Authorized Users, and the employees, contractors, and users of Customer’s end clients.

    Categories of personal data transferred: Any personal data provided by Customer to Unanet for Unanet to perform services under the underlying Agreement and the DPA.

    Sensitive data transferred (if applicable): Any sensitive data that Customer chooses to provide to Unanet for Unanet to perform services under the underlying Agreement and the DPA; provided that any inclusion of sensitive data by Customer shall be subject to Customer’s compliance with applicable law with respect to such data, including but not limited to obtaining legally required consent;

    The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): On a continuous basis as needed to provide the Services to Customer.

    Nature of the processing: The nature of the processing is set out in the Agreement between the parties.

    Purpose(s) of the data transfer and further processing: The purpose of the data transfer is to provide the Services chosen by Customer in connection with the Agreement.

    The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: The data will be retained for the time period needed to accomplish the purposes of Processing, unless otherwise required by applicable law.

    For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: Same as above to the extent such information is provided to Sub-Processors for purposes of providing the Services.

  3. COMPETENT SUPERVISORY AUTHORITY

    Identify the competent supervisory authority/ies in accordance with Clause 13: The data exporter’s competent supervisory authority will be determined in accordance with the GDPR, and where possible, will be the Irish Data Protection Commissioner.

Schedule B

UNANET DATA SECURITY MEASURES

Unanet’s data security measures (“Unanet Security Measures”) are outlined in the Agreement (including the Information Security Exhibit incorporated therein) and at the following link: https://unanet.com/support/unanet-cloud-solution/.

At all times during the term of the Agreement and for as long as Unanet is Processing Personal Data, Unanet will maintain security measures that are at least as robust as those included in the Unanet Security Measures on the date of execution of this DPA.

Schedule C

VENDOR SUBPROCESSORS

The Parties agree that the following list of Sub-Processors is approved:

Subprocessor List