Common use of DATA PROCESSING OBLIGATIONS Clause in Contracts

DATA PROCESSING OBLIGATIONS. 3.1. Client as Controller appoints JAGGAER as Processor. JAGGAER shall only Process Personal Data on behalf of Client for the purposes set forth in the Agreement, under the Client’s instructions as documented in the Agreement and within the scope thereof or as required to comply with any applicable law. 3.2. Client hereby represents and warrants, throughout the term of the Agreement, that all Personal Data provided or made available by Client to JAGGAER for Processing in connection with the Agreement was collected by Client and transmitted to JAGGAER in accordance with Data Protection Laws and Client has obtained all necessary approvals, consents, authorizations and licenses from each and every Data Subject required under Data Protection Laws to enable JAGGAER to Process the Personal Data pursuant to the Agreement and to exercise its rights and fulfil its obligations under the Agreement. 3.3. Unless restricted by applicable law, JAGGAER shall inform Client if, in JAGGAER’s reasonable opinion, any Processing under the Agreement or an instruction from Client conflicts with JAGGAER’s legal obligations or Data Protection Laws. After JAGGAER so informs Client, JAGGAER shall have no liability for any claim arising from or related to such Processing of Personal Data by JAGGAER. 3.4. JAGGAER shall ensure that all employees, agents and sub-processors authorized by JAGGAER to Process Personal Data are subject to contractual, statutory or common law obligations of confidentiality. 3.5. JAGGAER shall provide Client, at Client’s expense, with reasonable assistance with data protection impact assessments or prior consultations with data protection authorities that Client is required to carry out under Data Protection Laws. 3.6. JAGGAER shall implement appropriate technical and organizational measures, as described in Annex II, in relation to the Processing of Personal Data intended to ensure a level of security appropriate to such Processing, including as the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and a procedure for regularly testing, assessing, and evaluating the effectiveness of such technical and organizational measures. 3.7. Without undue delay and within forty eight (48) hours after JAGGAER becomes aware of an accidental or unlawful destruction, loss or alteration of, unauthorized disclosure of, or access to Personal Data Processed by JAGGAER pursuant to this Addendum (“Personal Data Breach”), JAGGAER shall notify Client of the Personal Data Breach via Email Notification, provide such information as Client may reasonably require to meet its obligations under Data Protection Laws with respect to the Personal Data Breach and take steps to remediate the Personal Data Breach. Client understands and agrees that JAGGAER shall have no responsibility for Client’s failure to timely receive any duly-transmitted email about a Personal Data Breach that was not received by Client due to Client’s failure to monitor or maintain as active the email address provided or technical issues outside of JAGGAER’s reasonable control. 3.8. JAGGAER shall (i) timely notify Client via Email Notification if JAGGAER receives any complaint, notice or communication which relates to the Processing of Personal Data under this Addendum and (ii) provide Client with reasonable co-operation and assistance in relation to any such complaint, notice or communication.

DATA PROCESSING OBLIGATIONS. 3.1. (a) Client as Controller appoints JAGGAER as Processor. JAGGAER shall only Process the Personal Data on behalf of Client for the purposes set forth in the Agreement, under the Client’s instructions as documented in the Agreement and within the scope thereof as otherwise instructed by Client in writing or as required to comply with any applicable law. 3.2. (b) Client hereby represents and warrants, on a continuous basis throughout the term of the Agreement, that all Personal Data provided or made available by Client to JAGGAER for Processing in connection with the Agreement was collected by Client and transmitted to JAGGAER in accordance with Data Protection Laws and Client has obtained all necessary approvals, consents, authorizations and licenses from each and every Data Subject required under Data Protection Laws to enable JAGGAER to Process the Personal Data pursuant to the Agreement and to exercise its rights and fulfil its obligations under the Agreement. 3.3. (c) Unless restricted by applicable law, JAGGAER shall inform Client if, in JAGGAER’s reasonable opinion, any Processing under the Agreement or an instruction from Client conflicts with JAGGAER’s legal obligations or Data Protection Laws. After JAGGAER so informs Client, JAGGAER shall have no liability for any claim arising from or related to such Processing of Personal Data under the Agreement by JAGGAERJAGGAER in accordance with Client’s instructions. 3.4. (d) JAGGAER shall ensure that all employees, agents and sub-processors authorized by JAGGAER to Process Personal Data are subject to contractual, statutory or common law obligations of confidentiality. 3.5. (e) JAGGAER shall provide Client, at Client’s expense, Client with reasonable assistance with data protection impact assessments or prior consultations with data protection authorities that Client is required to carry out under Data Protection Laws. 3.6. (f) JAGGAER shall implement appropriate technical and organizational measures, as described in Annex II, measures in relation to the Processing of Personal Data intended to ensure a level of security appropriate to such the Personal Data Processing, including as applicable the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and a procedure for regularly testing, assessing, assessing and evaluating the effectiveness of such technical and organizational measures. 3.7. (g) Without undue delay and within no more than forty eight (48) hours after JAGGAER becomes aware of an accidental or unlawful destruction, loss or alteration of, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed by JAGGAER pursuant to this Addendum (“Personal Data Breach”), JAGGAER shall notify Client of the Personal Data Breach via Email Notification, provide such information as Client may reasonably require to meet its obligations under Data Protection Laws applicable law with respect to the Personal Data Breach and take steps to remediate the Personal Data Breach. Client understands and agrees that JAGGAER shall have no responsibility for Client’s failure to timely receive any duly-transmitted email about a Personal Data Breach that was not received by Client due to Client’s failure to monitor or maintain as active the email address provided or technical issues outside of JAGGAER’s reasonable control. 3.8. (h) JAGGAER shall (i) timely notify Client via Email Notification if JAGGAER receives any complaint, notice or communication which relates to the Processing of Personal Data under this Addendum and (ii) provide Client with reasonable co-operation and assistance in relation to any such complaint, notice or communication. (i) To the extent required, JAGGAER shall respond to any information requests, and/or agree to submit to audit or inspection, in each case for the purpose of evidencing its compliance with this Addendum, provided that: (i) Client shall ensure that all information obtained or generated in connection with any information request, audit or inspection is kept strictly confidential (unless disclosure to a competent data protection regulator or as otherwise required by applicable law); (ii) Client shall give JAGGAER at least 30 days’ prior written notice of an information request and/or audit or inspection (unless the competent data protection regulator provides Client with less than 30 days’ notice, in which case Client shall provide JAGGAER with as much notice as possible); (iii) Client shall ensure that any information request, audit or inspection is undertaken within normal business hours (unless such other time is mandated by a competent data protection regulator) with minimal disruption to the businesses of JAGGAER and/or its processors (also known as “sub- processors”); (iv) The scope of such request shall be strictly limited to the Processing of Personal Data under this Addendum and provided, however, that JAGGAER shall not be required to reveal JAGGAER’s confidential information and any confidential information related to third parties (such as JAGGAER’s internal pricing information or information relating to other recipients of services from JAGGAER); (v) Client acknowledges and accepts that any such information request, audit or inspection shall be subject to any reasonable policies, procedures or instructions of JAGGAER or its sub-processors for the purposes of preserving security and confidentiality; (vi) If any information request, audit or inspection relates to systems provided by or on the premises of JAGGAER’s sub-processors, the scope of such information request, audit and/or inspection shall be as permitted under the relevant agreement in place between JAGGAER and the sub-processor; (vii) A maximum of one information request, audit and/or inspection may be requested by Client in any twelve (12) month period unless an additional information request, audit and/or inspection is mandated by a competent data protection regulator in writing; and (viii) Client shall pay JAGGAER’s reasonable costs for any assistance, co- operation, provision of information or facilitation of any audit or inspection or other work undertaken pursuant to JAGGAER’s obligations under this Addendum, unless such costs are incurred due to JAGGAER’s breach of its obligations under this Addendum. (j) Upon expiration or any earlier termination of the Agreement, JAGGAER shall, as set forth in the Agreement or upon Client’s written request, delete or return to Client all Personal Data in JAGGAER’s possession; provided, however, that JAGGAER may retain Personal Data as permitted or required to meet its obligations under applicable law. JAGGAER also shall notify all of its sub-processors of the obligation to delete or return to Client all Personal Data in their possession and take reasonable steps to ensure their compliance. Deletion for the purposes of this sub-section shall include putting Personal Data beyond further use.

DATA PROCESSING OBLIGATIONS. 3.1. Client (a) Customer as Controller appoints JAGGAER as Processor. JAGGAER shall only Process the Personal Data on behalf of Client Customer for the purposes set forth in the Agreement, under the Client’s instructions as documented in the Agreement and within the scope thereof as otherwise instructed by Customer in writing or as required to comply with any applicable law. 3.2. Client (b) Customer hereby represents warrants and warrantsrepresents, on a continuous basis throughout the term Term of the Agreement, that all Personal Data provided or made available by Client Customer to JAGGAER for Processing in connection with the Agreement was collected by Client Customer and transmitted to JAGGAER in accordance with Data Protection Laws and Client Customer has obtained all necessary approvals, consents, authorizations and licenses from each and every Data Subject required under Data Protection Laws to enable JAGGAER to Process the Personal Data pursuant to the Agreement and to exercise its rights and fulfil its obligations under the this Agreement. 3.3. (c) Unless restricted by applicable law, JAGGAER shall inform Client Customer if, in JAGGAER’s reasonable opinion, any Processing under the Agreement or an instruction from Client Customer conflicts with JAGGAER’s legal obligations or Data Protection Laws. After JAGGAER so informs ClientCustomer, JAGGAER shall have no liability for any claim arising from or related to such Processing of Personal Data under this Addendum by JAGGAERJAGGAER in accordance with Customer’s instructions. 3.4. (d) JAGGAER shall ensure that all employees, agents and sub-processors authorized by JAGGAER to Process Personal Data are subject to contractual, statutory or common law obligations of confidentiality. 3.5. (e) JAGGAER shall provide Client, at Client’s expense, Customer with reasonable assistance with data protection impact assessments or prior consultations with data protection authorities that Client Customer is required to carry out under Data Protection Laws. 3.6. (f) JAGGAER shall implement appropriate technical and organizational measures, as described in Annex II, measures in relation to the Processing of Personal Data intended to ensure a level of security appropriate to such the Personal Data Processing, including as applicable the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and a procedure for regularly testing, assessing, assessing and evaluating the effectiveness of such technical and organizational measuresorganisational measures for ensuring the security of the Processing of Personal Data. 3.7. (g) Without undue delay and within no more than forty eight (48) hours after JAGGAER becomes aware has a reasonable degree of an certainty about the occurrence of accidental or unlawful destruction, loss or alteration of, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed by JAGGAER pursuant to this Addendum (“Personal Data Breach”), JAGGAER shall notify Client Customer of the Personal Data Breach via Email Notificationemail to the email address in the signature block below, provide such information as Client Customer may reasonably require to meet its obligations under Data Protection Laws applicable law with respect to the Personal Data Breach and take steps to remediate the Personal Data Breach. Client Customer understands and agrees that JAGGAER shall have no responsibility for ClientCustomer’s failure to timely receive any duly-transmitted email about a Personal Data Breach that was not received by Client Customer due to ClientCustomer’s failure to monitor or maintain as active the email address provided by Customer or technical issues outside of JAGGAER’s reasonable control. 3.8. (h) JAGGAER shall (i) timely notify Client Customer via Email Notification email to the email address in the signature block below if JAGGAER receives any complaint, notice or communication which relates to the Processing of Personal Data under this Addendum and (ii) provide Client Customer with reasonable co-operation and assistance in relation to any such complaint, notice or communication. (i) If Customer is subject to an audit or investigation from a competent data protection regulator, JAGGAER shall, when required, respond to any information requests, and/or agree to submit its premises and operations to audits, including inspections by Customer and/or the competent data protection regulator, in each case for the purpose of evidencing its compliance with this Addendum, provided that: (i) Customer shall ensure that all information obtained or generated in connection with any information request, audit or inspection is kept strictly confidential (unless disclosure to a competent data protection regulator or as otherwise required by applicable law); (ii) Customer shall ensure that any information request, audit or inspection is undertaken within normal business hours (unless such other time is mandated by a competent data protection regulator) with minimal disruption to the businesses of JAGGAER and/or its processors (also known as “sub- processors”) and acknowledging that such information request, audit or inspection: (a) shall not oblige JAGGAER to provide or permit access to information concerning JAGGAER’s internal pricing information or relating to other recipients of services from JAGGAER; and (b) shall be subject to any reasonable policies, procedures or instructions of JAGGAER or its sub- processors for the purposes of preserving security and confidentiality; (iii) Customer shall give JAGGAER at least 30 days’ prior written notice of an information request and/or audit or inspection (unless the competent data protection regulator provides Customer with less than 30 days’ notice, in which case Customer shall provide JAGGAER with as much notice as possible); (iv) If any information request, audit or inspection relates to systems provided by or on the premises of JAGGAER’s sub-processors, the scope of such information request, audit and/or inspection shall be as permitted under the relevant agreement in place between JAGGAER and the sub-processor. (v) A maximum of one information request, audit and/or inspection may be requested by Customer in any twelve (12) month period unless an additional information request, audit and/or inspection is mandated by a competent data protection regulator in writing. (vi) Customer shall pay JAGGAER’s reasonable costs for any assistance, contribution, co-operation, provision of information or facilitation of any audit or inspection or other work undertaken pursuant to JAGGAER’s obligations under this Addendum unless such costs are incurred due to JAGGAER’s breach of its obligations under this Addendum. (j) Upon expiration or any earlier termination of the Agreement, JAGGAER shall, as set forth in the Agreement or upon Customer’s written request, delete or return to Customer all Personal Data in JAGGAER’s possession; provided, however, that JAGGAER may retain Personal Data as permitted or required to meet its obligations under applicable law. JAGGAER also shall notify all of its sub-processors of the obligation to delete or return to Customer all Personal Data in their possession and take reasonable steps to ensure their compliance. Deletion for the purposes of this sub-section (j) shall include putting Personal Data beyond further use.

DATA PROCESSING OBLIGATIONS. 3.1. Client as Controller appoints JAGGAER as Processor. JAGGAER shall only Process Personal Data on behalf of Client for the purposes a) The obligations set forth in this clause 4 apply only to the Agreementextent that JTECH is the Processor in relation to User Personal Data, under and without prejudice to the Client’s instructions as documented in the Agreement and within the scope thereof or as required to comply with any applicable lawgenerality of clause 2a). 3.2. Client hereby represents b) JTECH shall ensure that it has in place appropriate technical and warrantsorganizational measures to protect against unauthorized or unlawful processing of User Personal Data and against accidental loss or destruction of, throughout or damage to, User Personal Data ("Personal Data Breach"), appropriate to the term harm that might result from the unauthorized or unlawful processing or accidental loss, destruction or damage and the nature of the Agreementdata to be protected, that all having regard to the state of technological development and the cost of implementing any measures. c) All JTECH personnel who have access to and/or process User Personal Data provided or made available by Client shall be obliged to JAGGAER for Processing keep User Personal Data confidential. d) JTECH shall assist User in connection with the Agreement was collected by Client and transmitted responding to JAGGAER in accordance with Data Protection Laws and Client has obtained all necessary approvals, consents, authorizations and licenses any request from each and every a Data Subject required under Data Protection Laws to enable JAGGAER to Process the Personal Data pursuant to the Agreement and to exercise its rights and fulfil in ensuring compliance with its obligations under the Agreement. 3.3. Unless restricted by applicable lawData Protection Legislation with respect to security, JAGGAER shall inform Client ifbreach notifications, impact assessments and consultations with supervisory authorities or regulators provided that JTECH may charge User on a time and materials basis in the event that JTECH considers, in JAGGAER’s its reasonable opiniondiscretion, any Processing under the Agreement that such assistance is onerous, complex, frequent, or an instruction from Client conflicts with JAGGAER’s legal obligations or Data Protection Laws. After JAGGAER so informs Client, JAGGAER time-consuming; e) JTECH shall have no liability for any claim arising from or related to such Processing notify User without delay on becoming aware of a Personal Data by JAGGAER. 3.4. JAGGAER shall ensure that all employees, agents Breach and sub-processors authorized by JAGGAER to Process Personal Data are subject to contractual, statutory or common law obligations of confidentiality. 3.5. JAGGAER shall provide Client, at Client’s expense, with reasonable assistance with data protection impact assessments or prior consultations with data protection authorities that Client is required to carry out under Data Protection Laws. 3.6. JAGGAER shall implement appropriate technical and organizational measures, as described in Annex II, in relation to the Processing of Personal Data intended to ensure a level of security appropriate to such Processing, including as the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and a procedure for regularly testing, assessing, and evaluating the effectiveness of such technical and organizational measures. 3.7. Without undue delay and within forty eight (48) hours after JAGGAER becomes aware of an accidental or unlawful destruction, loss or alteration of, unauthorized disclosure of, or access to Personal Data Processed by JAGGAER pursuant to this Addendum (“Personal Data Breach”), JAGGAER shall notify Client of further information about the Personal Data Breach via Email Notification, provide to JTECH in phases as such information as Client may reasonably require to meet its obligations under Data Protection Laws with respect to becomes available. f) At the written direction of User, JTECH shall delete or return User Personal Data Breach and take steps copies thereof to remediate User on termination of the Agreement unless required by Applicable Law to store User Personal Data Breach. Client understands and agrees that JAGGAER shall have no responsibility for Client’s failure to timely receive any duly-transmitted email about a Personal Data Breach that was not received by Client due to Client’s failure to monitor or maintain as active the email address provided or technical issues outside of JAGGAER’s reasonable controlData. 3.8. JAGGAER g) JTECH will maintain records and information to demonstrate its compliance with this clause Addendum and, at User's expense and subject to clause5, shall permit User, or its appointed third-party auditors (i) timely notify Client via Email Notification if JAGGAER receives any complaintcollectively, notice or communication which relates "Auditor"), to audit the Processing of Personal Data under architecture, systems and procedures relevant to JTECH's compliance with this Addendum and (ii) provide Client with reasonable co-operation shall make available to the Auditor all information, systems and assistance in relation staff necessary for the Auditor to conduct such audit. To the extent any such complaintaudit incurs in excess of 20 hours of JTECH personnel time, notice or communicationJTECH may charge User on a time and materials basis for any such excess hours.

DATA PROCESSING OBLIGATIONS. 3.1. Client (a) Customer as Controller appoints JAGGAER Vendor as Processor. JAGGAER Vendor shall only Process the Personal Data on behalf of Client for the purposes set forth in the Agreement, under the Client’s instructions as documented in the Agreement and within the scope thereof as otherwise instructed by Customer in writing or as required to comply with any applicable law.law.‌ 3.2. Client (b) Customer hereby represents warrants and warrantsrepresents, on a continuous basis throughout the term of the AgreementTerm, that all Personal Data provided or made available by Client Customer to JAGGAER Vendor for Processing in connection with the this Agreement was has been collected by Client Customer and transmitted to JAGGAER Vendor in accordance with Data Protection Laws and Client Customer has obtained all necessary approvals, consents, authorizations and licenses from each and every Data Subject that may be required under Data Protection Laws to enable JAGGAER Vendor to Process the Personal Data pursuant to the Agreement and to exercise its rights and fulfil its obligations under the this Agreement. 3.3. (c) Unless restricted by applicable law, JAGGAER Vendor shall inform Client Customer if, in JAGGAERVendor’s reasonable opinion, any Processing under the Agreement or an instruction from Client Customer conflicts with JAGGAERVendor’s legal obligations or Data Protection Laws. After JAGGAER Vendor so informs ClientCustomer, JAGGAER Vendor shall have no liability for any claim arising from or related to such Processing of Personal Data under this Addendum by JAGGAERVendor in accordance with Customer’s instructions. 3.4. JAGGAER (d) Vendor shall treat all Personal Data as confidential and ensure that all employees, agents and sub-processors authorized by JAGGAER Vendor to Process Personal Data are subject to contractual, statutory or common law obligations of confidentiality. 3.5. JAGGAER (e) Vendor shall provide Client, at Client’s expense, Customer with reasonable assistance with data protection impact assessments or prior consultations with data protection authorities that Client Customer is required to carry out under Data Protection Laws.Laws.‌ 3.6. JAGGAER (f) Vendor shall implement appropriate technical and organizational measures, as described in Annex II, measures in relation to the Processing of Personal Data intended to ensure a level of security appropriate to such the Personal Data Processing, including as applicable the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and a procedure for regularly testing, assessing, assessing and evaluating the effectiveness of such technical and organizational measuresorganisational measures for ensuring the security of the Processing of Personal Data. 3.7. (g) Without undue delay and within forty eight no more than twenty four (4824) hours after JAGGAER becomes aware Vendor has a reasonable degree of an certainty of the occurrence of accidental or unlawful destruction, loss or alteration of, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed by JAGGAER pursuant to Vendor under this Addendum (“Personal Data Breach”), JAGGAER Vendor shall notify Client Customer of the Personal Data Breach via Email Notificationat the email address set forth in the signature block, provide such information as Client Customer may reasonably require to meet its obligations under Data Protection Laws applicable law with respect to the Personal Data Breach and take steps to remediate the Personal Data Breach. Client understands and agrees that JAGGAER shall have no responsibility for Client’s failure to timely receive any duly-transmitted email about a Personal Data Breach that was not received by Client due to Client’s failure to monitor or maintain as active the email address provided or technical issues outside of JAGGAER’s reasonable control. 3.8. JAGGAER (h) Vendor shall (i) timely notify Client via Email Notification Customer if JAGGAER Vendor receives any complaint, notice or communication which relates to the Processing of Personal Data under this Addendum and (ii) provide Client Customer with reasonable co-operation and assistance in relation to any such complaint, notice or communicationcommunication.‌ (i) If Customer is subject to an audit or investigation from a competent data protection regulator, Vendor shall, when required, respond to any information requests, and/or agree to submit its premises and operations to audits, including inspections by Customer and/or the competent data protection regulator, in each case for the purpose of evidencing its compliance with this Addendum, provided that: (ii) Customer shall ensure that all information obtained or generated in connection with any information request, audit or inspection is kept strictly confidential (unless disclosure to a competent data protection regulator or as otherwise required by applicable law); (iii) Customer shall ensure that any information request, audit or inspection is undertaken within normal business hours (unless such other time is mandated by a competent data protection regulator) with minimal disruption to Vendor’s and/or its sub-processors’ businesses, and acknowledging that such information request, audit or inspection: (y) shall not oblige Vendor to provide or permit access to information concerning Vendor’s internal pricing information or relating to other recipients of services from Vendor; and (z) shall be subject to any reasonable policies, procedures or instructions of Vendor or its sub-processors for the purposes of preserving security and confidentiality;‌ (iv) Customer shall give Vendor at least 30 days’ prior written notice of an information request and/or audit or inspection (unless the competent data protection regulator provides Customer with less than 30 days’ notice, in which case Customer shall provide Vendor with as much notice as possible); (v) If any information request, audit or inspection relates to systems provided by or on the premises of Vendor’s sub-processors, the scope of such information request, audit and/or inspection shall be as permitted under the relevant agreement in place between Vendor and the sub-processor. (vi) A maximum of one information request, audit and/or inspection may be requested by Customer in any twelve (12) month period unless an additional information request, audit and/or inspection is mandated by a competent data protection regulator in writing. (vii) Customer shall pay Vendor’s reasonable costs for any assistance, contribution, co-operation, provision of information or facilitation of any audit or inspection or other work undertaken pursuant to Vendor’s obligations under this Addendum unless such costs are incurred due to Vendor’s breach of its obligations under this Addendum.