Common use of Actions and Access Requests Clause in Contracts

Actions and Access Requests. 8.1. Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance where necessary for Controller to comply with its obligations under the GDPR to conduct a data protection impact assessment and/or to demonstrate such compliance, provided that Controller does not otherwise have access to the relevant information. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processor. 8.2. Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance with respect to Controller’s cooperation and/or prior consultation with any Supervisory Authority, where necessary and where required by the GDPR. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processor. 8.3. Processor shall maintain records sufficient to demonstrate its compliance with its obligations under this Addendum, and retain such records for a period of three (3) years after the termination of the Agreement. Controller shall, with reasonable notice to Processor, have the right to review, audit and copy such records at Processor’s offices during regular business hours. 8.4. Upon Controller’s request and at Controller’s choice, Processor shall, no more than once per calendar year, either (i) make available for Controller’s review copies of certifications or reports demonstrating Processor’s compliance with prevailing data security standards applicable to the Processing of Controller’s Personal Data, or (ii) if the provision of such certifications or reports under (i) is not reasonably sufficient under the Data Protection Laws to demonstrate Processor’s compliance, allow Controller or its authorized representative, upon reasonable notice and at a mutually agreeable date and time, to conduct an audit or inspection of Processor’s data security infrastructure that is sufficient to demonstrate Processor’s compliance with its obligations under this Addendum, provided that Controller shall provide reasonable prior notice of any such request for an audit and such inspection shall not be unreasonably disruptive to Processor’s business. Controller shall be responsible for the costs of any such audits or inspections. 8.5. In the event of a Personal Data Breach, Processor shall, without undue delay, inform Controller of the Personal Data Breach and take such steps as Processor in its sole discretion deems necessary and reasonable to remediate such violation (to the extent that remediation is within Processor’s reasonable control). 8.6. In the event of a Personal Data Breach, Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance necessary for Controller to comply with its obligations under the GDPR with respect to notifying (i) the relevant Supervisory Authority and (ii) Data Subjects affected by such Personal Data Breach without undue delay. 8.7. The obligations described in Sections 8.5 and 8.6 shall not apply in the event that a Personal Data Breach results from the actions or omissions of Controller.

Actions and Access Requests. 8.1. Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance assistance, where necessary for Controller to comply with its obligations under the GDPR to Data Protection Laws, conduct a data protection impact assessment and/or to demonstrate such compliance, provided that Controller does not otherwise have access to the relevant information. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processor. 8.2. Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance with respect to Controller’s cooperation and/or prior consultation with any Supervisory Authority, where necessary and where required by the GDPR. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processor. 8.3. Processor shall maintain records sufficient to demonstrate its compliance with its obligations under this Addendum, and retain such records for a period of three (3) years after the termination of the Agreement. Controller shall, with reasonable notice to Processor, have the right to review, audit and copy such records at Processor’s offices during regular business hours. 8.4. Upon Processor shall make available for Controller’s review at xxxxx://xxx.x0x.xxx/security (i) copies of Processor’s certifications; and/or (ii) upon Controller’s request and at Controller’s choice, Processor shall, no more than once per calendar year, either (i) make available for Controller’s review copies of certifications or reports demonstrating Processor’s compliance with prevailing data security standards applicable to the Processing of Controller’s Personal Data. Should Controller have serious cause to believe that Processor is in material breach of its obligations hereunder, or (ii) if the provision of such certifications or reports under (i) is not reasonably sufficient under the Data Protection Laws to demonstrate Processor’s compliance, Processor shall allow Controller or its authorized authorised representative, upon reasonable notice and at a mutually agreeable date and time, to conduct an audit or inspection of Processor’s data security infrastructure that is sufficient to demonstrate Processor’s compliance with its obligations under this Addendum, provided that Controller shall provide reasonable prior notice of any such request for an audit and such inspection shall not be unreasonably disruptive to Processor’s business. Controller shall be responsible for the costs of any such audits or inspections. However, if the requested audit scope is addressed in an ISO, SOC, or similar audit report performed by a qualified third-party auditor within twelve (12) months of Controller’s request and Processor confirms there are no known material changes in the controls audited, Controller agrees to accept those findings in lieu of requesting an audit of the controls covered by the report. 8.5. In the event of a Personal Data Breach, Processor shall, without undue delay, inform Controller of the Personal Data Breach and take such steps as Processor in its sole discretion deems necessary and reasonable to remediate such violation (to the extent that remediation is within Processor’s reasonable control). 8.6. In the event of a Personal Data Breach, Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance necessary for Controller to comply with its obligations under the GDPR with respect to notifying (i) the relevant Supervisory Authority and (ii) Data Subjects affected by such Personal Data Breach without undue delay. 8.7. The obligations described in Sections 8.5 and 8.6 shall not apply in the event that a Personal Data Breach results from the actions or omissions of Controller. Processor’s obligation to report or respond to a Personal Data Breach under Sections 8.5 and 8.6 will not be construed as an acknowledgement by Processor of any fault or liability with respect to the Personal Data Breach.

Actions and Access Requests. 8.1. 8.1 Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance where necessary for Controller to comply with its obligations under the GDPR to conduct a data protection impact assessment and/or to demonstrate such compliance, provided that Controller does not otherwise have access to the relevant information. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processor. 8.2. 8.2 Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance with respect to Controller’s cooperation and/or prior consultation with any Supervisory Authority, where necessary and where required by the GDPR. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processor. 8.3. 8.3 Processor shall maintain records sufficient to demonstrate its compliance with its obligations under this Addendum, and retain such records for a period of three (3) years after the termination of the Agreement. Controller shall, with reasonable notice to Processor, have the right to review, audit and copy such records at Processor’s offices during regular business hours. 8.4. 8.4 Upon Controller’s request and at Controller’s choicerequest, Processor shall, no more than once per calendar year, either (i) make available for Controller’s review copies of certifications or reports demonstrating Processor’s compliance with prevailing data security standards applicable to the Processing of Controller’s Personal DataData , or (ii) if the provision of such reports or certifications or reports under pursuant to (i) is not reasonably sufficient under the Data Protection Laws to demonstrate Processor’s complianceLaws, allow Controller or its authorized representative, upon reasonable notice and at a mutually agreeable date and time, to conduct an audit or inspection of Processor’s data security infrastructure and procedures that is sufficient to demonstrate Processor’s compliance with its obligations under this Addendum, provided that Controller shall provide reasonable prior notice of any such request for an audit and such inspection shall not be unreasonably disruptive to Processor’s business. Controller shall be responsible for the costs of any such audits or inspections, including without limitation a reimbursement to Processor for any time expended for on- site audits. If Controller and Processor have entered into Standard Contractual Clauses as described in Section 6 (Transfers of Personal Data), the parties agree that the audits described in Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses shall be carried out in accordance with this Section 8.4. 8.5. 8.5 In the event of a Personal Data Breach, Processor shall, without undue delay, inform Controller of the Personal Data Breach and take such steps as Processor in its sole discretion deems necessary and reasonable to remediate such violation (to the extent that remediation is within Processor’s reasonable control). 8.6. 8.6 In the event of a Personal Data Breach, Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance necessary for Controller to comply with its obligations under the GDPR with respect to notifying (i) the relevant Supervisory Authority and (ii) Data Subjects affected by such Personal Data Breach without undue delay. 8.7. 8.7 The obligations described in Sections 8.5 and 8.6 shall not apply in the event that a Personal Data Breach results from the actions or omissions of Controller. Processor’s obligation to report or respond to a Personal Data Breach under Sections 8.5 and 8.6 will not be construed as an acknowledgement by Processor of any fault or liability with respect to the Personal Data Breach.

Actions and Access Requests. 8.1. 8.1 Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance where necessary for Controller to comply with its obligations under the GDPR Applicable Data Protection Law to conduct a data protection impact assessment and/or to demonstrate such compliance, provided that Controller does not otherwise have access to the relevant information. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processor. 8.2. 8.2 Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance with respect to Controller’s cooperation and/or prior consultation with any Supervisory Authority, where necessary and where required by the GDPR. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by ProcessorApplicable Data Protection Law. 8.3. 8.3 Processor shall maintain records sufficient to demonstrate its compliance with its obligations under this Addendum, and retain such records for a period of three (3) years after the termination of the Agreement. Controller shall, with reasonable notice to Processor, have the annual right to review, audit and copy review such records at Processor’s offices during regular business hours. 8.4. 8.4 Upon Controller’s request and at Controller’s choicerequest, Processor shall, no more than once per calendar year, either (i) year make available for Controller’s review copies of certifications or reports demonstrating Processor’s compliance with prevailing data security standards applicable to the Processing of Controller’s Personal Data. (If Controller and Processor have entered into Standard Contractual Clauses as described in Section 6 (Transfers of Personal Data), or (iithe parties agree that the audits described in Clause 5(f) if and Clause 12(2) of the provision of such certifications or reports under (i) is not reasonably sufficient under the Data Protection Laws to demonstrate Processor’s compliance, allow Controller or its authorized representative, upon reasonable notice and at a mutually agreeable date and time, to conduct an audit or inspection of Processor’s data security infrastructure that is sufficient to demonstrate Processor’s compliance with its obligations under this Addendum, provided that Controller shall provide reasonable prior notice of any such request for an audit and such inspection shall not be unreasonably disruptive to Processor’s business. Controller Standard Contractual Clauses shall be responsible for the costs of any such audits or inspectionscarried out in accordance with this Section 8.4.) 8.5. 8.5 In the event of a Personal Data Breach, Processor shall, without undue delaydelay but no later than forty-eight (48) hours after confirming that a breach of personal data has occurred, inform Controller of the Personal Data Breach and take such steps as Processor in its sole discretion deems necessary and reasonable to remediate such violation (to the extent that remediation is within Processor’s reasonable control)violation. 8.6. 8.6 In the event of a Personal Data Breach, Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance necessary for Controller to comply with its obligations under the GDPR Applicable Data Protection Law with respect to notifying (i) the relevant Supervisory Authority and (ii) Data Subjects affected by such Personal Data Breach without undue delay. 8.7. 8.7 The obligations described in Sections 8.5 and 8.6 shall not apply in the event that a Personal Data Breach results from the actions or omissions of Controller.. Processor’s obligation to report or respond to a Personal Data Breach under Sections 8.5 and 8.6 will not be construed as an acknowledgement by Processor of any fault or liability with respect to the Personal Data Breach. Signature: Signature: Customer Legal Name: Print Name: Xxxx Xxxx Print Name: Title: DPO Title: Date: Date:

Actions and Access Requests. 8.1. Processor shall, taking into account the nature 8.1 Where Controller is obligated by Data Protection Laws to carry out a data protection impact assessment (“DPIA”) relating to Controller’s use of the Processing and the information available to ProcessorSolutions, Processor shall provide Controller with reasonable cooperation and assistance where necessary to Controller for the DPIA to allow Controller to comply with its obligations under the GDPR to conduct a data protection impact assessment and/or to demonstrate such compliance, provided that Controller does not otherwise have access to the relevant informationData Protection Laws. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processor and Processor shall be entitled to involve Controller at Processor’s then-current rates for any time expended in assisting with the DPIA. 8.2. 8.2 Processor shall, taking into account the nature of the Processing and the information available to Processor, shall provide Controller with reasonable assistance to Controller in cooperation and assistance with respect to Controller’s cooperation and/or or prior consultation with any Supervisory Authority, where necessary and where Authority as may be required by the GDPRData Protection Laws. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processor and Processor shall be entitled to involve Controller at Processor’s then-current rates for any time expended in providing such assistance. 8.3. Processor shall maintain records sufficient to demonstrate its 8.3 Where required by Data Protection Laws, Processors will assist Controller in demonstrating compliance with its obligations under this AddendumAddendum by making available at the request of Controller, and retain such records for a period of three (3) years after the termination of the Agreement. Controller shall, with following reasonable notice to Processor, information reasonably necessary to demonstrate such compliance. Controller shall have the right to review, audit and copy such records at Processor’s offices during regular business hours. 8.4. 8.4 Upon Controller’s request and at Controller’s choicerequest, Processor shall, no more than once per calendar year, either (i) make available for Controller’s review copies of certifications or reports demonstrating Processor’s compliance with prevailing data security standards applicable to the Processing of Controller’s Personal Data, or (ii) if the provision of such reports or certifications or reports under pursuant to (i) is not reasonably sufficient under the Data Protection Laws to demonstrate Processor’s complianceLaws, allow Controller or its authorized representative, upon reasonable notice and at a mutually agreeable date and time, to conduct an audit or inspection of Processor’s data security infrastructure and procedures that is sufficient to demonstrate Processor’s compliance with its obligations under this Addendum, provided that Controller shall provide reasonable a minimum of thirty (30) days’ prior notice of any such request for an audit and such inspection shall not be unreasonably disruptive to Processor’s business. Controller shall be responsible for the costs of any such audits or inspections, including without limitation a reimbursement to Processor for any time expended for on-site audits. If Controller and Processor have entered into Standard Contractual Clauses as described in Section 6 (Transfers of Personal Data), the parties agree that the audits described in Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses shall be carried out in accordance with this Section 8.4. 8.5. In 8.5 Processor shall within forty-eight (48) hours notify Controller if an instruction, in the event of a Personal Data Breach, Processor shall, without undue delay, inform Controller of the Personal Data Breach and take such steps as Processor in its sole discretion deems necessary and reasonable to remediate such violation (to the extent that remediation is within Processor’s reasonable control)opinion, infringes the Data Protection Laws or Supervisory Authority. 8.6. In the event of a Personal Data Breach, Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance necessary for Controller to comply with its obligations under the GDPR with respect to notifying (i) the relevant Supervisory Authority and (ii) Data Subjects affected by such Personal Data Breach without undue delay. 8.7. The obligations described in Sections 8.5 and 8.6 shall not apply in the event that a Personal Data Breach results from the actions or omissions of Controller.

Actions and Access Requests. 8.1. 8.1 Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance where necessary for Controller to comply with its obligations under the GDPR to conduct a data protection impact assessment and/or to demonstrate such compliance, provided that Controller does not otherwise have access to the relevant information. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processor. 8.2. 8.2 Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance with respect to Controller’s cooperation and/or prior consultation with any Supervisory Authority, where necessary and where required by the GDPR. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processor. 8.3. 8.3 Processor shall maintain records sufficient to demonstrate its compliance with its obligations under this Addendum, and retain such records for a period of three (3) years after the termination of the Agreement. Controller shall, with reasonable notice to Processor, have the right to review, audit and copy such records at Processor’s offices during regular business hours.three 8.4. 8.4 Upon Controller’s request and at Controller’s choice, Processor shall, no more than once per calendar year, either (i) make available for Controller’s review copies of certifications or reports demonstrating Processor’s compliance with prevailing data security standards applicable to the Processing of Controller’s Personal Data, or (ii) if the provision of such certifications or reports under (i) is not reasonably sufficient under the Data Protection Laws to demonstrate Processor’s compliance, allow Controller or its authorized representative, upon reasonable notice and at a mutually agreeable date and time, to conduct an audit or inspection of Processor’s data security infrastructure that is sufficient to demonstrate Processor’s compliance with its obligations under this Addendum, provided that Controller shall provide reasonable prior notice of any such request for an audit and such inspection shall not be unreasonably disruptive to Processor’s business. Controller shall be responsible for the costs of any such audits or inspections. 8.5. 8.5 In the event of a Personal Data Breach, Processor shall, without undue delay, inform Controller of the Personal Data Breach and take such steps as Processor in its sole discretion deems necessary and reasonable to remediate such violation (to the extent that remediation is within Processor’s reasonable control). 8.6. 8.6 In the event of a Personal Data Breach, Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance necessary for Controller to comply with its obligations under the GDPR with respect to notifying (i) the relevant Supervisory Authority and (ii) Data Subjects affected by such Personal Data Breach without undue delay. 8.7. 8.7 The obligations described in Sections 8.5 and 8.6 shall not apply in the event that a Personal Data Breach results from the actions or omissions of Controller.

Actions and Access Requests. 8.1. 4.1 Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance where necessary for Controller to comply with its obligations under the GDPR to conduct a data protection impact assessment and/or to demonstrate such compliance, provided that Controller does not otherwise have access to the relevant information. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processor. 8.2. 4.2 Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance with respect to Controller’s cooperation and/or prior consultation with any Supervisory Authority, where necessary and where required by the GDPR. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processor. 8.3. 5.1 Processor shall maintain records sufficient to demonstrate its compliance with its obligations under this Addendum, and retain such records for a period of three (3) years after the termination of the Agreement. Controller shall, with reasonable notice to Processor, have the right to review, audit and copy such records at Processor’s offices during regular business hours. 8.4. 5.2 Upon Controller’s request and at Controller’s choicerequest, Processor shall, no more than once per calendar year, either (i) make available for Controller’s review copies of certifications or reports demonstrating Processor’s compliance with prevailing data security standards applicable to the Processing of Controller’s Personal Data, or (ii) if the provision of such reports or certifications or reports under pursuant to (i) is not reasonably sufficient under the Data Protection Laws to demonstrate Processor’s complianceLaws, allow Controller or its authorized representative, upon reasonable notice and at a mutually agreeable date and time, to conduct an audit or inspection of Processor’s data security infrastructure and procedures that is sufficient to demonstrate Processor’s compliance with its obligations under this Addendum, provided that Controller shall provide reasonable prior notice of any such request for an audit and such inspection shall not be unreasonably disruptive to Processor’s business. Controller shall be responsible for the costs of any such audits or inspections, including without limitation a reimbursement to Processor for any time expended for on-site audits. If Controller and Processor have entered into Standard Contractual Clauses as described in Section 6 (Transfers of Personal Data), the parties agree that the audits described in Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses shall be carried out in accordance with this Section 8.4. 8.5. 5.3 Processor shall immediately notify Controller if an instruction, in the Processor’s opinion, infringes the Data Protection Laws or Supervisory Authority. 5.4 In the event of a Personal Data Breach, Processor shall, without undue delay, inform Controller of the Personal Data Breach and take such steps as Processor in its sole discretion deems necessary and reasonable to remediate such violation (to the extent that remediation is within Processor’s reasonable control). 8.6. 5.5 In the event of a Personal Data Breach, Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance necessary for Controller to comply with its obligations under the GDPR with respect to notifying (i) the relevant Supervisory Authority and (ii) Data Subjects affected by such Personal Data Breach without undue delay. 8.7. 5.6 The obligations described in Sections 8.5 and 8.6 shall not apply in the event that a Personal Data Breach results from the actions or omissions of Controller. Processor’s obligation to report or respond to a Personal Data Breach under Sections 8.5 and 8.6 will not be construed as an acknowledgement by Processor of any fault or liability with respect to the Personal Data Breach.

Actions and Access Requests. 8.1. Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance where necessary for Controller to comply with its obligations under the GDPR to conduct a data protection impact assessment and/or to demonstrate such compliance, provided that Controller does not otherwise have access to the relevant information. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processor. 8.2. Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance with respect to Controller’s cooperation and/or prior consultation with any Supervisory Authority, where necessary and where required by the GDPR. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processor. 8.3. Processor shall maintain records sufficient to demonstrate its compliance with its obligations under this Addendum, and retain such records for a period of three (3) years after the termination of the Agreement. Controller shall, with reasonable notice to Processor, have the right to review, audit and copy such records at Processor’s offices during regular business hours. 8.4. Upon Controller’s request and at Controller’s choice, Processor shall, no more than once per calendar year, either (ieither: a) make Make available for Controller’s review copies of certifications or reports demonstrating Processor’s compliance with prevailing data security standards applicable to the Processing of Controller’s Personal Data, or (ii) if . The Processor may make reasonable charge for the provision collation and distribution of such certifications or reports under (i) is not reasonably sufficient under the Data Protection Laws to demonstrate Processor’s compliance, allow Controller or its authorized representative, upon reasonable notice and at a mutually agreeable date and time, to conduct an audit or inspection of Processor’s data security infrastructure that is sufficient to demonstrate Processor’s compliance with its obligations under this Addendum, provided that Controller shall provide reasonable prior notice of any such request for an audit and such inspection shall not be unreasonably disruptive to Processor’s businessdata. The Controller shall be responsible for the costs of any such audits or inspections. b) Any data supplied under this Addendum is strictly confidential and between the requesting Controller and Processor. 8.5. In the event of a Personal Data Breach, Processor shall, without undue delay, inform Controller of the Personal Data Breach and take such steps as Processor in its sole discretion deems necessary and reasonable to remediate such violation (to the extent that remediation is within Processor’s reasonable control). 8.6. In the event of a Personal Data Breach, Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance necessary for Controller to comply with its obligations under the GDPR with respect to notifying (inotifying. a) the The relevant Supervisory Authority and (iiAuthority b) Data Subjects affected by such Personal Data Breach without undue delay. 8.7. The obligations described in Sections 8.5 and 8.6 shall not apply in the event that a Personal Data Breach results from the actions or omissions of Controller.

Actions and Access Requests. 8.1. 8.1 Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance where necessary for Controller to comply with its obligations under the GDPR to conduct a data protection impact assessment and/or to demonstrate such compliance, provided that Controller does not otherwise have access to the relevant information. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processor. 8.2. 8.2 Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance with respect to Controller’s cooperation and/or prior consultation with any Supervisory Authority, where necessary and where required by the GDPR. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processor. 8.3. 8.3 Processor shall maintain records sufficient to demonstrate its compliance with its obligations under this Addendum, and retain such records for a period of three (3) years after the termination of the Agreement. Controller shall, with reasonable notice to Processor, have the right to review, audit and copy such records at Processor’s offices during regular business hours. 8.4. 8.4 Upon Controller’s request and at Controller’s choicerequest, Processor shall, no more than once per calendar year, either (i) make available for Controller’s review copies of certifications or reports demonstrating Processor’s compliance with prevailing data security standards applicable to the Processing of Controller’s Personal Data, or (ii) if the provision of such reports or certifications or reports under pursuant to (i) is not reasonably sufficient under the Data Protection Laws to demonstrate Processor’s complianceLaws, allow Controller or its authorized representative, upon reasonable notice and at a mutually agreeable date and time, to conduct an audit or inspection of Processor’s data security infrastructure that is sufficient to demonstrate Processor’s compliance with its obligations under this Addendum, provided that Controller shall provide reasonable prior notice of any such request for an audit and such inspection shall not be unreasonably disruptive to Processor’s business. Controller shall be responsible for the costs of any such audits or inspections. 8.5. 8.5 In the event of a Personal Data Breach, Processor shall, without undue delay, inform Controller of the Personal Data Breach and take such steps as Processor in its sole discretion deems necessary and reasonable to remediate such violation (to the extent that remediation is within Processor’s reasonable control). 8.6. 8.6 In the event of a Personal Data Breach, Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance necessary for Controller to comply with its obligations under the GDPR with respect to notifying (i) the relevant Supervisory Authority and (ii) Data Subjects affected by such Personal Data Breach without undue delay. 8.7. 8.7 The obligations described in Sections 8.5 and 8.6 shall not apply in the event that a Personal Data Breach results from the actions or omissions of Controller. Processor’s obligation to report or respond to a Personal Data Breach under Sections 8.5 and 8.6 will not be construed as an acknowledgement by Processor of any fault or liability with respect to the Personal Data Breach.

Actions and Access Requests. 8.1. Processor 8.1 Recurly shall, taking into account the nature of the Processing and the information available to ProcessorRecurly, provide Controller Customer with reasonable cooperation and assistance where necessary for Controller Customer to comply with its obligations under the GDPR to conduct a data protection impact assessment and/or to demonstrate such compliance, provided that Controller Customer does not otherwise have access to the relevant information. Controller Customer shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by ProcessorRecurly. 8.2. Processor 8.2 Recurly shall, taking into account the nature of the Processing and the information available to ProcessorRecurly, provide Controller Customer with reasonable cooperation and assistance with respect to ControllerCustomer’s cooperation and/or prior consultation with any Supervisory Authority, where necessary and where required by the GDPR. Controller Customer shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by ProcessorRecurly. 8.3. Processor 8.3 Recurly shall maintain records sufficient to demonstrate its compliance with its obligations under this Addendum, and retain such records for a period of three (3) years after the termination of the Agreement. Controller Customer shall, with reasonable notice to ProcessorRecurly, have the right to review, audit and copy such records at ProcessorRecurly’s offices during regular business hours. 8.4. Upon ControllerCustomer’s request and at Controller’s choicerequest, Processor Recurly shall, no more than once per calendar year, either (i) make available for ControllerCustomer’s review copies of certifications or reports demonstrating ProcessorRecurly’s compliance with prevailing data security standards applicable to the Processing of ControllerCustomer’s Personal Data, or (ii) if the provision of such reports or certifications or reports under pursuant to (i) is not reasonably sufficient under the Data Protection Laws to demonstrate Processor’s complianceLaws, allow Controller Customer or its authorized representative, upon reasonable notice and at a mutually agreeable date and time, to conduct an audit or inspection of ProcessorRecurly’s data security infrastructure and procedures that is sufficient to demonstrate ProcessorRecurly’s compliance with its obligations under this Addendum, provided that Controller Customer shall provide reasonable prior notice of any such request for an audit and such inspection shall not be unreasonably disruptive to ProcessorRecurly’s business. Controller Customer shall be responsible for the costs of any such audits or inspections, including without limitation a reimbursement to Recurly for any time expended for on- site audits. If Customer and Recurly have entered into Standard Contractual Clauses as described in Section 6 (Transfers of Personal Data), the parties agree that the audits described in Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses shall be carried out in accordance with this Section 8.3. 8.5. 8.4 Recurly shall immediately notify Customer if an instruction, in Recurly’s opinion, infringes the Data Protection Laws. 8.5 In the event of a Personal Data Breach, Processor Recurly shall, without undue delay, inform Controller Customer of the Personal Data Breach (including, to the extent available to Recurly, the information required by Article 33(3) of GDPR) and take such steps as Processor Recurly in its sole discretion deems necessary and reasonable to remediate such violation (to the extent that remediation is within ProcessorRecurly’s reasonable control). 8.6. 8.6 In the event of a Personal Data Breach, Processor Recurly shall, taking into account the nature of the Processing and the information available to ProcessorRecurly, provide Controller Customer with reasonable cooperation and assistance necessary for Controller Customer to comply with its obligations under the GDPR with respect to notifying (i) the relevant Supervisory Authority and (ii) Data Subjects affected by such Personal Data Breach without undue delay. 8.7. 8.7 The obligations described in Sections 8.5 and 8.6 shall not apply in the event that a Personal Data Breach results from the actions or omissions of ControllerCustomer. Recurly’s obligation to report or respond to a Personal Data Breach under Sections 8.5 and 8.6 will not be construed as an acknowledgement by Recurly of any fault or liability with respect to the Personal Data Breach.

Actions and Access Requests. 8.1. Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance where necessary for Controller to comply with its obligations under the GDPR to conduct a data protection impact assessment and/or to demonstrate such compliance, provided that Controller does not otherwise have access to the relevant information. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processor. 8.2. Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance with respect to Controller’s cooperation and/or prior consultation with any Supervisory Authority, where necessary and where required by the GDPR. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processor. 8.3. Processor shall maintain records sufficient to demonstrate its compliance with its obligations under this Addendum, and retain such records for a period of three (3) years after the termination of the Agreement. Controller shall, with reasonable notice to Processor, have the right to review, audit and copy such records at Processor’s offices during regular business hours. 8.4. Upon Controller’s request and at Controller’s choicerequest, Processor shall, no more than once per calendar year, either (i) make available for Controller’s review copies of certifications or reports demonstrating Processor’s compliance with prevailing data security standards applicable to the Processing of Controller’s Personal Data, or (ii) if the provision of such reports or certifications or reports under pursuant to (i) is not reasonably sufficient under the Data Protection Laws to demonstrate Processor’s complianceLaws, allow Controller or its authorized representative, upon reasonable notice and at a mutually agreeable date and time, to conduct an audit or inspection of Processor’s data security infrastructure and procedures that is sufficient to demonstrate Processor’s compliance with its obligations under this Addendum, provided that Controller shall provide reasonable prior notice of any such request for an audit and such inspection shall not be unreasonably disruptive to Processor’s business. Controller shall be responsible for the costs of any such audits or inspections, including without limitation a reimbursement to Processor for any time expended for on-site audits. If Controller and Processor have entered into Standard Contractual Clauses as described in Section 6 (Transfers of Personal Data), the parties agree that the audits described in Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses shall be carried out in accordance with this Section 8.4. 8.5. Processor shall immediately notify Controller if an instruction, in the Processor’s opinion, infringes the Data Protection Laws or Supervisory Authority. 8.6. In the event of a Personal Data Breach, Processor shall, without undue delay, inform Controller of the Personal Data Breach and take such steps as Processor in its sole discretion deems necessary and reasonable to remediate such violation (to the extent that remediation is within Processor’s reasonable control). 8.68.7. In the event of a Personal Data Breach, Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance necessary for Controller to comply with its obligations under the GDPR with respect to notifying (i) the relevant Supervisory Authority and (ii) Data Subjects affected by such Personal Data Breach without undue delay. 8.78.8. The obligations described in Sections 8.5 and 8.6 shall not apply in the event that a Personal Data Breach results from the actions or omissions of Controller. Processor’s obligation to report or respond to a Personal Data Breach under Sections 8.5 and 8.6 will not be construed as an acknowledgement by Processor of any fault or liability with respect to the Personal Data Breach.

Actions and Access Requests. 8.1. 9.1 Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance where necessary for Controller to comply with its obligations under the GDPR to conduct a data protection impact assessment and/or to demonstrate such compliance, provided that Controller does not otherwise have access to the relevant information. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processor. 8.2. 9.2 Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance with respect to Controller’s cooperation and/or prior consultation with any Supervisory Authority, where necessary and where required by the GDPR. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processor. 8.3. 9.3 Processor shall maintain records sufficient to demonstrate its compliance with its obligations under this Addendum, and retain such records for a period of three (3) years after the termination of the Agreement. Controller shall, with reasonable notice to Processor, have the right to review, audit and copy such records at Processor’s offices during regular business hours. 8.4. 9.4 Upon Controller’s request and at Controller’s choicerequest, Processor shall, no more than once per calendar year, either (i) make available for Controller’s review copies of certifications or reports demonstrating Processor’s compliance with prevailing data security standards applicable to the Processing of Controller’s Personal Data, or (ii) if the provision of such reports or certifications or reports under pursuant to (i) is not reasonably sufficient under the Data Protection Laws to demonstrate Processor’s complianceLaws, allow Controller or its authorized representative, upon reasonable notice and at a mutually agreeable date and time, to conduct an audit or inspection of Processor’s data security infrastructure and procedures that is sufficient to demonstrate Processor’s compliance with its obligations under this Addendum, provided that Controller shall provide reasonable prior notice of any such request for an audit and such inspection shall not be unreasonably disruptive to Processor’s business. Controller shall be responsible for the costs of any such audits or inspections, including without limitation a reimbursement to Processor for any time expended for on- site audits. Pursuant to the Standard Contractual Clauses as described in Section 7 (Transfers of Personal Data), the parties agree that the audits described in Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses shall be carried out in accordance with this Section 9.4. 8.5. 9.5 Processor shall immediately notify Controller if an instruction, in the Processor’s opinion, infringes the Data Protection Laws or Supervisory Authority. 9.6 In the event of a Personal Data Breach, Processor shall, without undue delay, inform Controller of the Personal Data Breach and take such steps as Processor in its sole discretion deems necessary and reasonable to remediate such violation (to the extent that remediation is within Processor’s reasonable control). 8.6. 9.7 In the event of a Personal Data Breach, Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance necessary for Controller to comply with its obligations under the GDPR with respect to notifying (i) the relevant Supervisory Authority and (ii) Data Subjects affected by such Personal Data Breach without undue delay. 8.7. 9.8 The obligations described in Sections 8.5 9.5 and 8.6 9.6 shall not apply in the event that a Personal Data Breach results from the actions or omissions of Controller. Processor’s obligation to report or respond to a Personal Data Breach under Sections 9.5 and 9.6 will not be construed as an acknowledgement by Processor of any fault or liability with respect to the Personal Data Breach.

Actions and Access Requests. 8.1. 8.1 Upon Controller’s request, Processor shall, taking into account the nature of the Processing and the shall make available to Controller all information available to Processor, provide Processor and to Authorized Subprocessors that Controller with reasonable cooperation and assistance where reasonably deems necessary for to demonstrate compliance by Controller to comply with its obligations under Applicable Laws (including in particular the GDPR or CCPA) relating to conduct a data protection impact assessment and/or the Personal Data and the Processing conducted by Processor and Authorized Subprocessors. 8.2 Upon Controller’s request, Processor shall provide all necessary assistance to demonstrate such compliance, provided Controller in connection with any Data Protection Impact Assessment that Controller does not otherwise have access determines (in its discretion) it must conduct or cause to the relevant information. Controller shall be responsible conducted in order to comply with Applicable Laws, to the extent legally permitted for any costs and expenses arising from any that such assistance by ProcessorDPIA(s) relate to the Processing. 8.2. Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance with respect to 8.2.1 Upon Controller’s cooperation and/or prior request, Controller shall provide all necessary assistance to Controller in connection with any consultation with a Supervisory Authority that Controller determines (in its discretion) it must undertake as a result of a DPIA, to the extent that such DPIA relates to the Processing. 8.3 Upon Controller’s request, Processor shall provide all necessary assistance to Controller in the event of any investigation, action, or request made by a Supervisory Authority, where necessary and where required by the GDPR. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any that such assistance by Processorinvestigation, action, or request relates to the Personal Data or the Processing. 8.3. Processor shall maintain records sufficient to demonstrate its compliance with its obligations under this Addendum, and retain such records for a period of three (3) years after the termination of the Agreement. Controller shall, with reasonable notice to Processor, have the right to review, audit and copy such records at Processor’s offices during regular business hours. 8.4. 8.4 Upon Controller’s request and at Controller’s choicerequest, Processor shallshall provide Controller, no more than once per calendar yearand any Supervisory Authority with whom Controller is consulting or cooperating, either (i) make available with a designated contact for Controller’s review copies of certifications or reports demonstrating Processor’s compliance with prevailing data security standards applicable all queries and requests relating to the Processing of Controller’s Personal Data, . 8.5 In the event Processor determines that any Processing violates Applicable Laws (including the valid exercise of a Data Subject Right) or (ii) if the provision of such certifications or reports under (i) is not reasonably sufficient under the Data Protection Laws to demonstrate Processor’s compliance, allow Controller or its authorized representative, upon reasonable notice and at a mutually agreeable date and time, to conduct an audit or inspection of Processor’s data security infrastructure that is sufficient to demonstrate Processor’s compliance with its obligations under this Addendum, provided that it shall immediately inform Controller shall provide reasonable prior notice of any and follow Instructions for stopping such request for an audit and such inspection shall not be unreasonably disruptive to Processor’s business. Controller shall be responsible for Processing and/or remediating the costs of any such audits or inspectionsviolation. 8.5. In 8.6 Without limiting the foregoing, in the event of a Personal Data Breachchange in Applicable Laws affecting this Addendum, Processor shall, without undue delay, inform Controller of the Personal Data Breach and take such steps as Processor agrees to work in its sole discretion deems necessary and reasonable to remediate such violation (to the extent that remediation is within Processor’s reasonable control). 8.6. In the event of a Personal Data Breach, Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller good faith with reasonable cooperation and assistance necessary for Controller to comply make any amendments to this Addendum pursuant to Section 13.2, and further agrees to make any changes to its Technical and Organizational Security Measures as are reasonably necessary to ensure continued compliance with its obligations under the GDPR with respect to notifying (i) the relevant Supervisory Authority and (ii) Data Subjects affected by such Personal Data Breach without undue delayApplicable Laws. 8.7. The obligations described in Sections 8.5 and 8.6 shall not apply in the event that a Personal Data Breach results from the actions or omissions of Controller.

Actions and Access Requests. 8.1. 7.1 Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance where necessary for Controller to comply with its obligations under the GDPR to conduct a data protection impact assessment and/or to demonstrate such compliance, provided that Controller does not otherwise have access to the relevant information. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processor. 8.2. 7.2 Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance with respect to Controller’s cooperation and/or prior consultation with any Supervisory Authority, where necessary and where required by the GDPRapplicable Data Protection Laws. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processor. 8.3. 7.3 Processor shall maintain records sufficient to demonstrate its compliance with its obligations under this Addendum, and retain such records for a period of three (3) years after the termination of the Agreement. Controller shall, with reasonable notice to Processor, have the right to review, audit and copy such records at Processor’s offices during regular business hours. 8.4. 7.4 Upon Controller’s request and at Controller’s choicerequest, Processor shall, no more than once per calendar year, either (i) make available for Controller’s review copies of certifications or reports demonstrating Processor’s compliance with prevailing data security standards applicable to the Processing of Controller’s Personal Data, or (ii) if the provision of such reports or certifications or reports under pursuant to (i) is not reasonably sufficient under the Data Protection Laws to demonstrate Processor’s complianceLaws, allow Controller or its authorized representative, upon reasonable notice and at a mutually agreeable date and time, to conduct an audit or inspection of Processor’s data security infrastructure and procedures that is sufficient to demonstrate Processor’s compliance with its obligations under this Addendum, provided that Controller shall provide reasonable prior notice of any such request for an audit and such inspection shall not be unreasonably disruptive to Processor’s business. Controller shall be responsible for the costs of any such audits or inspections, including without limitation a reimbursement to Processor for any time expended for on-site audits. If Controller and Processor have entered into Standard Contractual Clauses as described in Section 11 (Transfers of Personal Data), the parties agree that the audits described in Clause 13 of each of the Standard Contractual Clauses shall be carried out in accordance with this Section 7.4. 8.5. 7.5 Processor shall, without delay, notify Controller if an instruction, in the Processor’s opinion, infringes the Data Protection Laws or Supervisory Authority. 7.6 In the event of a Personal Data Breach, Processor shall, without undue delay, inform Controller of the Personal Data Breach and take such steps as Processor in its sole discretion deems necessary and reasonable to remediate such violation (to the extent that remediation is within Processor’s reasonable control). 8.6. 7.7 In the event of a Personal Data Breach, Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance necessary for Controller to comply with its obligations under the GDPR applicable Data Protection Laws with respect to notifying (i) the relevant Supervisory Authority and (ii) Data Subjects affected by such Personal Data Breach without undue delay. 8.7. 7.8 The obligations described in Sections 8.5 7.6 and 8.6 7.7 shall not apply in the event that a Personal Data Breach results from the actions or omissions of Controller. Processor’s obligation to report or respond to a Personal Data Breach under Sections 7.5 and 7.6 will not be construed as an acknowledgement by Processor of any fault or liability with respect to the Personal Data Breach.

Actions and Access Requests. 8.1. Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance where necessary for Controller to comply with its obligations under the GDPR to conduct a data protection impact assessment and/or to demonstrate such compliance, provided that Controller does not otherwise have access to the relevant information. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processor. 8.2. Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance with respect to Controller’s cooperation and/or prior consultation with any Supervisory Authority, where necessary and where required by the GDPR. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processor. 8.3. Processor 9.1 Sigma shall maintain records sufficient to demonstrate its compliance with its obligations under this Addendum, and retain such records for a period of three two (32) years after the termination of the Agreement. Controller Customer shall, with reasonable notice to ProcessorSigma, have the right to review, audit and copy such records at ProcessorSigma’s offices during regular business hours. 8.4. 9.2 Upon ControllerCustomer’s request and at Controller’s choicerequest, Processor Sigma shall, no more than once per calendar year, either (i) make available for ControllerCustomer’s review copies of certifications or reports demonstrating ProcessorSigma’s compliance with Data Protection Laws or prevailing data security standards applicable to the Processing processing of Controller’s Personal Customer Data, or (ii) if the provision of such reports or certifications or reports under pursuant to (i) is not reasonably sufficient under the Data Protection Laws to demonstrate Processor’s complianceLaws, allow Controller Customer or its authorized representative, upon reasonable notice and at a mutually agreeable date and time, to conduct an audit or inspection of ProcessorSigma’s data security infrastructure and procedures that is sufficient to demonstrate ProcessorSigma’s compliance with its obligations under this Addendum, provided that Controller Customer shall provide reasonable prior notice of any such request for an audit and such inspection shall not be unreasonably disruptive to ProcessorSigma’s business. Controller Customer shall be responsible for the costs of any such audits or inspections, including without limitation a reimbursement to Sigma for any time expended for on-site audits. Any such audit shall be subject to Sigma's security and confidentiality terms and guidelines. If Sigma declines to follow any instruction requested by Customer regarding audits, Customer is entitled to terminate this DPA and the Agreement. 8.59.3 Sigma shall immediately notify Customer if an instruction, in Sigma’s opinion, infringes the Data Protection Laws or supervisory authority. 9.4 Return or Deletion of Customer Data. In the event of a Personal Data Breach, Processor shall, without undue delay, inform Controller Following termination or expiration of the Personal Agreement, Sigma shall return or delete the Customer Data, unless further storage of Customer Data Breach and is required or authorized by applicable law. If return or destruction is impracticable or prohibited by law, rule or regulation, Sigma shall take measures to block such steps as Processor in its sole discretion deems necessary and reasonable to remediate such violation Customer Data from any further processing (except to the extent that remediation is within Processor’s reasonable control). 8.6. In the event of a Personal Data Breach, Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance necessary for Controller its continued hosting or processing required by law, rule or regulation) and shall continue to comply with appropriately protect the Customer Data remaining in its obligations under the GDPR with respect to notifying (i) the relevant Supervisory Authority and (ii) Data Subjects affected by such Personal Data Breach without undue delaypossession, custody, or control. 8.7. The obligations described in Sections 8.5 and 8.6 shall not apply in the event that a Personal Data Breach results from the actions or omissions of Controller.

Actions and Access Requests. 8.1. Processor shall, taking into account the nature 8.1 Where Controller is obligated by Data Protection Laws to carry out a data protection impact assessment (“DPIA”) relating to Controller’s use of the Processing and the information available to ProcessorSubscription Services, Processor shall provide Controller with reasonable cooperation and assistance where necessary to Controller for the DPIA to allow Controller to comply with its obligations under the GDPR to conduct a data protection impact assessment and/or to demonstrate such compliance, provided that Controller does not otherwise have access to the relevant informationData Protection Laws. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processor and Processor shall be entitled to involve Controller at Processor’s then-current rates for any time expended in assisting with the DPIA. 8.2. 8.2 Processor shall, taking into account the nature of the Processing and the information available to Processor, shall provide Controller with reasonable assistance to Controller in cooperation and assistance with respect to Controller’s cooperation and/or or prior consultation with any Supervisory Authority, where necessary and where Authority as may be required by the GDPRData Protection Laws. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processor and Processor shall be entitled to involve Controller at Processor’s then-current rates for any time expended in providing such assistance. 8.3. Processor shall maintain records sufficient to demonstrate its 8.3 Where required by Data Protection Laws, Processors will assist Controller in demonstrating compliance with its obligations under this AddendumAddendum by making available at the request of Controller, and retain such records for a period of three (3) years after the termination of the Agreement. Controller shall, with following reasonable notice to Processor, information reasonably necessary to demonstrate such compliance. Controller shall have the right to review, audit and copy such records at Processor’s offices during regular business hours. 8.4. 8.4 Upon Controller’s request and at Controller’s choicerequest, Processor shall, no more than once per calendar year, either (i) make available for Controller’s review copies of certifications or reports demonstrating Processor’s compliance with prevailing data security standards applicable to the Processing of Controller’s Personal Data, or (ii) if the provision of such reports or certifications or reports under pursuant to (i) is not reasonably sufficient under the Data Protection Laws to demonstrate Processor’s complianceLaws, allow Controller or its authorized representative, upon reasonable notice and at a mutually agreeable date and time, to conduct an audit or inspection of Processor’s data security infrastructure and procedures that is sufficient to demonstrate Processor’s compliance with its obligations under this Addendum, provided that Controller shall provide reasonable a minimum of thirty (30) days’ prior notice of any such request for an audit and such inspection shall not be unreasonably disruptive to Processor’s business. Controller shall be responsible for the costs of any such audits or inspections, including without limitation a reimbursement to Processor for any time expended for on-site audits. If Controller and Processor have entered into Standard Contractual Clauses as described in Section 6 (Transfers of Personal Data), the parties agree that the audits described in Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses shall be carried out in accordance with this Section 8.4. 8.5. In 8.5 Processor shall immediately notify Controller if an instruction, in the event of a Personal Data Breach, Processor shall, without undue delay, inform Controller of the Personal Data Breach and take such steps as Processor in its sole discretion deems necessary and reasonable to remediate such violation (to the extent that remediation is within Processor’s reasonable control)opinion, infringes the Data Protection Laws or Supervisory Authority. 8.6. In the event of a Personal Data Breach, Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance necessary for Controller to comply with its obligations under the GDPR with respect to notifying (i) the relevant Supervisory Authority and (ii) Data Subjects affected by such Personal Data Breach without undue delay. 8.7. The obligations described in Sections 8.5 and 8.6 shall not apply in the event that a Personal Data Breach results from the actions or omissions of Controller.

Actions and Access Requests. 8.1. Processor 8.1 Cyberint shall, taking into account the nature of the Processing and the information available to ProcessorCyberint, provide Controller with reasonable cooperation and assistance where necessary for Controller to comply with its obligations under the GDPR to conduct a data protection impact assessment and/or to demonstrate such compliance, provided that Controller does not otherwise have access to the relevant information. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by ProcessorCyberint. 8.2. Processor 8.2 Cyberint shall, taking into account the nature of the Processing and the information available to ProcessorCyberint, provide Controller with reasonable cooperation and assistance with respect to Controller’s cooperation and/or prior consultation with any Supervisory Authority, where necessary and where required by the GDPR. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by ProcessorCyberint. 8.3. Processor 8.3 Cyberint shall maintain records sufficient to demonstrate its compliance with its obligations under this Addendum, and retain such records for a period of three (3) years after the termination of the Agreement. Controller shall, with reasonable notice to ProcessorCyberint, have the right to review, audit and copy such records at ProcessorCyberint’s offices during regular business hours; provided that the parties shall agree in advance the timing, scope and methodology. 8.4. 8.4 Upon Controller’s request and at Controller’s choicerequest, Processor Cyberint shall, no more than once per calendar year, either (i) year make available for Controller’s review copies of certifications or reports demonstrating ProcessorCyberint’s compliance with prevailing data security standards applicable to the Processing of Controller’s Personal Data, or (ii) if the provision of such certifications or reports under (i) is not reasonably sufficient under the Data Protection Laws to demonstrate Processor’s compliance, allow Controller or its authorized representative, upon reasonable notice and at a mutually agreeable date and time, to conduct an audit or inspection of Processor’s data security infrastructure that is sufficient to demonstrate Processor’s compliance with its obligations under this Addendum, ; provided that Controller shall provide reasonable prior notice of any all such request for an audit and such inspection shall not be unreasonably disruptive to Processor’s business. Controller information shall be responsible for the costs of any such audits or inspectionssubject to confidentiality obligations. 8.5. 8.5 In the event of a Personal Data Breach, Processor Cyberint shall, without undue delay, inform Controller of the Personal Data Breach and take such steps as Processor Cyberint in its sole discretion deems necessary and reasonable to remediate such violation (to the extent that remediation is within ProcessorCyberint’s reasonable control). 8.6. 8.6 In the event of a Personal Data Breach, Processor Cyberint shall, taking into account the nature of the Processing and the information available to ProcessorCyberint, provide Controller with reasonable cooperation and assistance necessary for Controller to comply with its obligations under the GDPR with respect to notifying (i) the relevant Supervisory Authority and (ii) Data Subjects affected by such Personal Data Breach without undue delay. 8.7. 8.7 The obligations described in Sections 8.5 and 8.6 shall not apply in the event that a Personal Data Breach results from the actions or omissions of Controller. Cyberint’s obligation to report or respond to a Personal Data Breach under Sections 8.5 and 8.6 will not be construed as an acknowledgement by Cyberint of any fault or liability with respect to the Personal Data Breach.

Actions and Access Requests. 8.1. Processor 8.1 We shall, taking into account the nature of the Processing and the information available to Processorus, provide Controller you with reasonable cooperation and assistance where necessary for Controller you to comply with its our obligations under the GDPR to conduct a data protection impact assessment and/or to demonstrate such compliance, provided that Controller does you do not otherwise have access to the relevant information. Controller You shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processorus. 8.2. Processor 8.2 We shall, taking into account the nature of the Processing and the information available to Processorus, provide Controller you with reasonable cooperation and assistance with respect to Controller’s your cooperation and/or prior consultation with any Supervisory Authority, where necessary and where required by the GDPR. Controller You shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processorus. 8.3. Processor 8.3 We shall maintain records sufficient to demonstrate its our compliance with its our obligations under this Addendum, and retain such records for a period of three (3) years after the termination of the Agreement. Controller You shall, with reasonable notice to Processorus, have the right to review, audit and copy such records at Processor’s our offices during regular business hours. 8.4. 8.4 Upon Controller’s request and at Controller’s choiceyour request, Processor we shall, no more than once per calendar year, either (i) make available for Controller’s your review copies of certifications or reports demonstrating Processor’s our compliance with prevailing data security standards applicable to the Processing of Controller’s your Personal Data, or (ii) if the provision of such reports or certifications or reports under pursuant to (i) is not reasonably sufficient under the Data Protection Laws to demonstrate Processor’s complianceLaws, allow Controller you or its your authorized representative, upon reasonable notice and at a mutually agreeable date and time, to conduct an audit or inspection of Processor’s our data security infrastructure and procedures that is sufficient to demonstrate Processor’s our compliance with its our obligations under this Addendum, provided that Controller you shall provide reasonable prior notice of any such request for an audit and such inspection shall not be unreasonably disruptive to Processor’s our business. Controller You shall be responsible for the costs of any such audits or inspections, including without limitation a reimbursement to us for any time expended for on-site audits. If you and SignalWire have entered into Standard Contractual Clauses as described in Section 6 (Transfers of Personal Data), the parties agree that the audits described in Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses shall be carried out in accordance with this Section 8.4. 8.5. 8.5 We shall immediately notify you if an instruction, in our opinion, infringes the Data Protection Laws or Supervisory Authority. 8.6 In the event of a Personal Data Breach, Processor we shall, without undue delay, inform Controller you of the Personal Data Breach and take such steps as Processor we in its our sole discretion deems deem necessary and reasonable to remediate such violation (to the extent that remediation is within Processor’s our reasonable control). 8.6. 8.7 In the event of a Personal Data Breach, Processor we shall, taking into account the nature of the Processing and the information available to Processorus, provide Controller you with reasonable cooperation and assistance necessary for Controller you to comply with its your obligations under the GDPR with respect to notifying (i) the relevant Supervisory Authority and (ii) Data Subjects affected by such Personal Data Breach without undue delay. 8.7. 8.8 The obligations described in Sections 8.5 and 8.6 shall not apply in the event that a Personal Data Breach results from the your actions or omissions omissions. Our obligation to report or respond to a Personal Data Breach under Sections 8.5 and 8.6 will not be construed as an acknowledgement by us of Controllerany fault or liability with respect to the Personal Data Breach.

Actions and Access Requests. 8.1. Processor x. Xxxxx shall, provided that Customer does not otherwise have access to the relevant information, and taking into account the nature of the processing and the availability of the information, provide Customer with reasonable cooperation and assistance where necessary and where required by the GDPR for Customer to comply with its obligations to conduct a data protection impact assessment or to demonstrate such compliance. x. Xxxxx shall, taking into account the nature of the Processing processing and the information available to ProcessorPendo, provide Controller Customer with reasonable cooperation and assistance with respect to Customer’s cooperation and/or prior consultation with any Supervisory Authority, where necessary for Controller to comply with its obligations under and where required by the GDPR to conduct a data protection impact assessment and/or to demonstrate such compliance, provided that Controller does not otherwise have access to the relevant informationGDPR. Controller Customer shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by ProcessorXxxxx. 8.2. Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance with respect to Controller’s cooperation and/or prior consultation with any Supervisory Authority, where necessary and where required by the GDPR. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processor. 8.3. Processor x. Xxxxx shall maintain records sufficient to demonstrate its compliance with its obligations under this Addendum, and retain such records for a period of three (3) years after the termination of the AgreementDPA. Controller Customer shall, with reasonable notice to ProcessorPendo, have the right to review, audit and copy such records at ProcessorPendo’s offices during regular business hours. 8.4. d. Upon ControllerCustomer’s written request at reasonable intervals, and at Controller’s choicesubject to reasonable confidentiality controls, Processor Pendo shall, no more than once per calendar year, either (i) make available for ControllerCustomer’s review copies of certifications or reports demonstrating ProcessorPendo’s compliance with prevailing data security standards applicable to the Processing processing of ControllerCustomer’s Personal Data, or (ii) if the provision of such reports or certifications or reports under pursuant to (i) is not reasonably sufficient under the Data Protection Laws to demonstrate Processor’s compliancePrivacy Laws, allow Controller or its authorized representative, upon reasonable notice and at a mutually agreeable date and time, Customer’s independent third party representative to conduct an audit or inspection of ProcessorPendo’s data security infrastructure and procedures that is sufficient to demonstrate ProcessorPendo’s compliance with its obligations under this AddendumData Privacy Laws, provided that Controller shall provide (a) Customer provides reasonable prior written notice (which shall in no event be less than fourteen (14) days’ notice) of any such request for an audit and such inspection shall not be unreasonably disruptive to ProcessorPendo’s business; (b) such audit shall only be performed during business hours and occur no more than once per calendar year; and (c) such audit shall be restricted to data relevant to Customer. Controller Customer shall be responsible for the costs of any such audits or inspections, including without limitation a reimbursement to Pendo for any time expended for on-site audits. If Customer and Pendo have entered into Standard Contractual Clauses as described in Section 6 (Transfers of Personal Data), the parties agree that the audits described in Clause 8.9 of the EU SCCs shall be carried out in accordance with this Section 8(d). 8.5. x. Xxxxx shall immediately notify Customer if an Instruction, in Xxxxx’x opinion, infringes the Data Privacy Laws or Supervisory Authority. f. In the event of a Personal Data Breach, Processor Pendo shall, without undue delay, inform Controller Customer of the Personal Data Breach and take such steps as Processor in its sole discretion deems necessary and reasonable to remediate such violation (to the extent that remediation is within ProcessorPendo’s reasonable control). 8.6. g. In the event of a Personal Data Breach, Processor Pendo shall, taking into account the nature of the Processing processing and the information available to Processoravailability of the information, provide Controller Customer with reasonable cooperation and assistance where necessary and where required by the GDPR for Controller Customer to comply with its obligations under the GDPR with respect to notifying notify (i) the relevant Supervisory Authority and (ii) Data Subjects affected by such Personal Data Breach without undue delay. 8.7. The obligations described in Sections 8.5 and 8.6 shall not apply in the event that a Personal Data Breach results from the actions or omissions of Controller.and

Actions and Access Requests. 8.1. 8.1 Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance assistance, where necessary for Controller to comply with its obligations under the GDPR to GDPR, conduct a data protection impact assessment and/or to demonstrate such compliance, provided that Controller does not otherwise have access to the relevant information. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processor. 8.2. 8.2 Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance with respect to Controller’s cooperation and/or prior consultation with any Supervisory Authority, where necessary and where required by the GDPR. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processor. 8.3. 8.3 Processor shall maintain records sufficient to demonstrate its compliance with its obligations under this Addendum, and retain such records for a period of three (3) years after the termination of the Agreement. Controller shall, with reasonable notice to Processor, have the right to review, audit and copy such records at Processor’s offices during regular business hours. 8.4. 8.4 Upon Controller’s request and at Controller’s choicerequest, Processor shall, no more than once per calendar year, either (i) make available for Controller’s review copies of certifications or reports demonstrating Processor’s compliance with prevailing data security standards applicable to the Processing of Controller’s Personal Data, or (ii) if the provision of such certifications or reports under (i) is not reasonably sufficient under the Data Protection Laws to demonstrate Processor’s compliance, allow Controller or its authorized representative, upon reasonable notice and at a mutually agreeable date and time, to conduct an audit or inspection of Processor’s data security infrastructure that is sufficient to demonstrate Processor’s compliance with its obligations under this Addendum, provided that Controller shall provide reasonable prior notice of any such request for an audit and such inspection shall not be unreasonably disruptive to Processor’s business. Controller shall be responsible for the costs of any such audits or inspections. 8.5. 8.5 In the event of a Personal Data Breach, Processor shall, without undue delay, inform Controller of the Personal Data Breach and take such steps as Processor in its sole discretion deems necessary and reasonable to remediate such violation (to the extent that remediation is within Processor’s reasonable control). 8.6. 8.6 In the event of a Personal Data Breach, Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance necessary for Controller to comply with its obligations under the GDPR with respect to notifying (i) the relevant Supervisory Authority and (ii) Data Subjects affected by such Personal Data Breach without undue delay. 8.7. 8.7 The obligations described in Sections 8.5 and 8.6 shall not apply in the event that a Personal Data Breach results from the actions or omissions of Controller. Processor’s obligation to report or respond to a Personal Data Breach under Sections 8.5 and 8.6 will not be construed as an acknowledgement by Processor of any fault or liability with respect to the Personal Data Breach.