Data Processing Addendum

This Data Processing Addendum (DPA) and its Schedule 1 apply to the Processing of Personal Data by Polar Security on behalf of Customer (Customer Personal Data) subject to the General Data Protection Regulation 2016/679 (GDPR) or any other data protection laws identified at https://www.polar.security/legal/dpl (together ‘Data Protection Laws’) in order to provide services (Services) pursuant to the Agreement between Customer and Polar Security. This DPA is incorporated into the Agreement. Capitalized terms used and not defined herein have the meanings given them in the applicable Data Protection Laws. In the event of conflict, Schedule 1 prevails over the DPA, which prevails over the rest of the Agreement.
1. Processing
1.1. Customer is: (a) a Controller of Customer Personal Data; or (b) acting as Processor on behalf of other Controllers and has been instructed by and obtained the authorization of the relevant Controller(s) to agree to the Processing of Customer Personal Data by Polar Security as Customer’s subprocessor as set out in this DPA. Customer appoints Polar Security as Processor to Process Customer Personal Data. If there are other Controllers, Customer will identify and inform Polar Security of any such other Controllers prior to providing their Personal Data, in accordance with the Schedule 1.
1.2. A list of categories of Data Subjects, types of Customer Personal Data, Special Categories of Personal Data and the processing activities is set out in Schedule 1. The duration of the Processing corresponds to the duration of the Service, unless otherwise stated in the Schedule 1. The purpose and subject matter of the Processing is the provision of the Service as described in the Agreement.
1.3. Polar Security will Process Customer Personal Data according to Customer’s documented instructions. The scope of Customer’s instructions for the Processing of Customer Personal Data is defined by the Agreement, and, if applicable, Customer’s and its authorized users’ use and configuration of the features of the Service. Customer may provide further legally required instructions regarding the Processing of Customer Personal Data (Additional Instructions) as described in Section 10.2. If Polar Security notifies Customer that an Additional Instruction is not feasible, the parties shall work together to find an alternative. If Polar Security notifies the Customer that neither the Additional Instruction nor an alternative is feasible, Customer may terminate the affected Service, in accordance with any applicable terms of the Agreement. If Polar Security believes an instruction violates the Data Protection Laws, Polar Security will immediately inform Customer, and may suspend the performance of such instruction until Customer has modified or confirmed its lawfulness in documented form.
1.4. Customer shall serve as a single point of contact for Polar Security. As other Controllers may have certain direct rights against Polar Security, Customer undertakes to exercise all such rights on their behalf and to obtain all necessary permissions from the other Controllers. Polar Security shall be discharged of its obligation to inform or notify another Controller when Polar Security has provided such information or notice to Customer. Similarly, Polar Security will serve as a single point of contact for Customer with respect to its obligations as a Processor under this DPA.
1.5. Polar Security will comply with all Data Protection Laws in respect of the Services applicable to Polar Security as Processor. Polar Security is not responsible for determining the requirements of laws or regulations applicable to Customer’s business, or that a Service meets the requirements of any such applicable laws or regulations. As between the parties, Customer is responsible for the lawfulness of the Processing of the Customer Personal Data. Customer will not use the Services in a manner that would violate applicable Data Protection Laws.
2. Technical and organizational measures
2.1. Customer and Polar Security agree that Polar Security will implement and maintain the technical and organizational measures set forth in Schedule 1 (TOMs) which ensure a level of security appropriate to the risk for Polar Security’s scope of responsibility. TOMs are subject to technical progress and further development. Accordingly, Polar Security reserves the right to modify the TOMs provided that the functionality and security of the Services are not degraded.  
3. Data Subject Rights and Requests
3.1. Polar Security will inform Customer of requests from Data Subjects exercising their Data Subject rights (e.g., including but not limited to rectification, deletion and blocking of data) addressed directly to Polar Security regarding Customer Personal Data. Customer shall be responsible to handle such requests of Data Subjects. Polar Security will reasonably assist Customer in handling such Data Subject requests in accordance with Section 10.2.
3.2. If a Data Subject brings a claim directly against Polar Security for a violation of their Data Subject rights, Customer will reimburse Polar Security for any cost, charge, damages, expenses or loss arising from such a claim, to the extent that Polar Security has notified Customer about the claim and given Customer the opportunity to cooperate with Polar Security in the defense and settlement of the claim. Subject to the terms of the Agreement, Customer may claim from Polar Security damages resulting from Data Subject claims for a violation of their Data Subject rights caused by Polar Security’s breach of its obligations under this DPA and Schedule 1.
4. Third Party Requests and Confidentiality
4.1. Polar Security will not disclose Customer Personal Data to any third party, unless authorized by the Customer or required by law. If a government or Supervisory Authority demands access to Customer Personal Data, Polar Security will notify Customer prior to disclosure, unless such notification is prohibited by law.
4.2. Polar Security requires all of its personnel authorized to Process Customer Personal Data to commit themselves to confidentiality and not Process such Customer Personal Data for any other purposes, except on instructions from Customer or unless required by applicable law.
5. Audit
5.1. Polar Security shall allow for, and contribute to, audits, including inspections, conducted by the Customer or another auditor mandated by the Customer in accordance with the following procedures:
a. Upon Customer’s written request, Polar Security will provide Customer or its mandated auditor with the most recent certifications and/or summary audit report(s), which Polar Security has procured to regularly test, assess and evaluate the effectiveness of the TOMs, to the extent set out in Schedule 1.
b. Polar Security will reasonably cooperate with Customer by providing available additional information concerning the TOMs, to help Customer better understand such TOMs.
c. If further information is needed by Customer to comply with its own or other Controllers’ audit obligations or a competent Supervisory Authority’s request, Customer will inform Polar Security in writing to enable Polar Security to provide such information or to grant access to it.
d. To the extent it is not possible to otherwise satisfy an audit right mandated by applicable law or expressly agreed by the Parties, only legally mandated entities (such as a governmental regulatory agency having oversight of Customer's operations), the Customer or its mandated auditor may conduct an onsite visit of the Polar Security facilities used to provide the Service, during normal business hours and only in a manner that causes minimal disruption to Polar Security’s business, subject to coordinating the timing of such visit and in accordance with any audit procedures described in Schedule 1 in order to reduce any risk to Polar Security’s other customers.
Any other auditor mandated by the Customer shall not be a direct competitor of Polar Security with regard to the Services and shall be bound to an obligation of confidentiality.
5.2. Each party will bear its own costs in respect of paragraphs a. and b. of Section 5.1, otherwise Section 10.2 applies accordingly.
6. Return or Deletion of Customer Personal Data
6.1. Upon termination or expiration of the Agreement Polar Security will either delete or return Customer Personal Data in its possession as set out in Schedule 1, unless otherwise required by applicable law.
7. Subprocessors
7.1. Customer authorizes the engagement of other Processors to Process Customer Personal Data (Subprocessors). A list of the current Subprocessors is set out in Schedule 2. Polar Security will notify Customer in advance of any addition or replacement of the Subprocessors as set out in the respective Schedule 1. Within 30 days after Polar Security’s notification of the intended change, Customer can object to the addition of a Subprocessor on the basis that such addition would cause Customer to violate applicable legal requirements. Customer’s objection shall be in writing and include Customer’s specific reasons for its objection and options to mitigate, if any. If Customer does not object within such period, the respective Subprocessor may be commissioned to Process Customer Personal Data. Polar Security shall impose substantially similar but no less protective data protection obligations as set out in this DPA on any approved Subprocessor prior to the Subprocessor initiating any Processing of Customer Personal Data.
7.2. If Customer legitimately objects to the addition of a Subprocessor and Polar Security cannot reasonably accommodate Customer’s objection, Polar Security will notify Customer. Customer may terminate the affected Services as set out in the Agreement, otherwise the parties shall cooperate to find a feasible solution in accordance with the dispute resolution process.
8. Transborder Data Processing
8.1. In the case of a transfer of Customer Personal Data to a country not providing an adequate level of protection pursuant to the Data Protection Laws (Non-Adequate Country), the parties shall cooperate to ensure compliance with the applicable Data Protection Laws as set out in the following Sections or at the Data Protection Laws at https://www.polar.security/legal/dpl. If Customer believes the measures are not sufficient to satisfy the legal requirements, Customer shall notify Polar Security and the parties shall work together to find an alternative.
8.2. By entering into the Agreement, Customer and Polar Security are entering into EU Standard Contractual Clauses as set out in Schedule 1 (EU SCC) if Customer, Polar Security, or both are located in a Non-Adequate Country. If the EU SCC are not required because both parties are located in a country considered adequate by the Data Protection Laws, but during the Service the country where Polar Security or Customer is located becomes a Non-Adequate Country, the EU SCC will apply.
The parties acknowledge that the applicable module of the EU SCC will be determined by their role as Controller and/or Processor under the circumstances of each case and are responsible for determining the correct role undertaken in order to fulfil the appropriate obligations under the applicable module.
8.3. Customer agrees that the EU SCC, including any claims arising from them, are subject to the terms set forth in the Agreement, including the limitations of liability. In case of conflict, the EU SCC shall prevail.  
8.4. Polar Security will enter into the EU SCC with each Subprocessor located in a Non-Adequate Country as listed in the respective Schedule 1.
9. Personal Data Breach
9.1. Polar Security will notify Customer without undue delay after becoming aware of a Personal Data Breach with respect to the Services. Polar Security will promptly investigate the Personal Data Breach if it occurred on Polar Security infrastructure or in another area Polar Security is responsible for and will assist Customer as set out in Section 10.
10. Assistance
10.1. Polar Security will assist Customer by technical and organizational measures for the fulfillment of Customer’s obligation to comply with the rights of Data Subjects and in ensuring compliance with Customer’s obligations relating to the security of Processing, the notification and communication of a Personal Data Breach and the Data Protection Impact Assessment, including prior consultation with the responsible Supervisory Authority, if required, taking into account the nature of the processing and the information available to Polar Security.
10.2. Customer will make a written request for any assistance referred to in this DPA. Polar Security may charge Customer no more than a reasonable charge to perform such assistance or an Additional Instruction, such charges to be set forth in a quote and agreed in writing by the parties, or as set forth in an applicable change control provision of the Agreement. If Customer does not agree to the quote, the parties agree to reasonably cooperate to find a feasible solution in accordance with the dispute resolution process.

SCHEDULE 1 - DETAILS OF THE PROCESSING
Subject matter. Polar Security will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further instructed by Customer in its use of the Services.
Nature and Purpose of Processing
1. Performing the Agreement, this DPA and/or other contracts executed by the Parties, including providing the Service(s) to Customer, and providing support and technical maintenance, if agreed in the Agreement.
2. For Polar Security to comply with documented reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement.
Duration of Processing. Subject to any Section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Polar Security will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Type of Personal Data. Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
• Email addresses
• Names
• Any other Personal Data or information that the Customer decides to provide to Polar Security or the Services.
The Customer and the Data Subjects shall provide the Personal Data to Polar Security by supplying the Personal Data to Polar Security’s Service.
In some limited circumstances Personal Data may also come from other sources, for example, in the case of anti-money laundering research, fraud detection or as required by applicable law. For clarity, Customer shall always be deemed the “Data Controller” and Polar Security shall always be deemed the “Data Processor” (as such terms are defined in the GDPR).
The Customer, Customer’s vendors and/or Customer’s business partners and the Data Subjects shall provide the Personal Data to Polar Security by supplying the Personal Data to Polar Security’s Service. For the avoidance of doubt, the log-in details to Polar Security’s platform are subject to Polar Security’s privacy policy available here: https://www.polar.security/privacy and not to this DPA.
Notwithstanding anything to the contrary, Customer acknowledges that the same personal information or Personal Data provided by Customer or processed on behalf of Customer may have already been (or will be) provided by other customers or Customers to Polar Security, or may have already been (or will be) collected by Polar Security independently or from other customers or Customers, or may be available on public sources. For avoidance of doubt, this data and information may be collected, used and processed by Polar Security and/or disclosed by Polar Security to third parties and other customers or Customers without this being deemed a breach of this DPA and/or the Agreement.    
Categories of Data Subjects. Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
• Customer’s customers and/or Customers
• Customer’s users authorized by Customer to use the Services.

The frequency of the transfer. Continuous basis.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.
As described in this DPA and/or the Agreement.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing. As detailed in Schedule 2.

The technical and operational measures (TOMs). Polar Security's foundational TOMs for data security and protection within its Service are as described in Polar Security’s Data Security and Privacy Principles https://www.polar.security/legal/dsp.

Certifications. This Service maintains the following industry recognized compliance, certifications, attestations, or reports as one measure of this Service's implementation of the TOMs:
• ISO 27001
• SOC2 Type 2
Transborder Data Processing:

References to IBM in the links below apply mutatis mutandis to Polar Security.

EU Standard Contractual Clauses.  By entering into the Agreement, Polar Security and Customer are entering into the EU Standard Contractual Clauses (EU SCC) available at [http://www.ibm.com/terms?id=Z126-8005], unless both Polar Security and Customer are located in a country considered to have an adequate level of protection under the Data Protection Laws, in which case the EU SCC are not required between Polar Security and Customer.  Where the EU SCC are required between Polar Security and Customer, the parties acknowledge that the applicable module of the EU SCC will be determined by their role as Controller and/or Processor under the circumstances of each case and are responsible for determining the correct role undertaken in order to fulfil the appropriate obligations under the applicable module.

UK Standard Contractual Clauses. By entering into the Agreement, in addition to the EU SCC referenced above, Polar Security and Customer are entering into the United Kingdom's International Data Transfer Addendum to the EU SCC (together, the UK SCC) available at [http://www.ibm.com/terms?id=Z126-8005], unless both Polar Security and Customer are located in a country providing an adequate level of protection under the UK data protection law. With reference to the list of Sub-processors above, where applicable, Polar Security will enter into the UK SCC with each Sub-processor located in a Non-Adequate Country.  Where the UK SCC are required between Polar Security and Customer, the parties acknowledge that the applicable module of the UK SCC will be determined by their role as Controller and/or Processor under the circumstances of each case and are responsible for determining the correct role undertaken in order to fulfill the appropriate obligations under the relevant module.

Transparency Report. Polar Security publishes information regarding government requests for client data in the Polar Security Cloud Law Enforcement Access Request Transparency Report available at: http://ibm.biz/IBMTransparencyReport

Entity Name    Sub-Processing Activities    Entity Country
AWS            Cloud                        USA
Coralogix      Log Management               USA