Data Protection Addendum

Updated February 2022

This Data Protection Addendum ("Addendum") forms part of the applicable Eagle Point Software Corporation TERMS AND CONDITIONS (where Licensee has purchased a License to one or more Eagle Point Services defined therein) and/or part of the Eagle Point Software Corporation TERMS AND CONDITIONS – PINNACLE LITE SERVICES (where Licensee has purchased a License to the Pinnacle Lite Services) (each, the “Terms and Conditions”), where and to the extent that Licensee or any of its Permitted Users (as defined in the applicable Terms and Conditions) are citizens or residents of the European Union.

Licensee and Eagle Point are hereinafter referred to jointly as the “Parties” and each individually as a “Party.”

I. Definitions

“Data Protection Law” means the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and any European Union Member State data protection laws implementing or supplementing the GDPR applicable to Licensee, Eagle Point, or the Services.

“Data processor” or “processor”, “data controller” or “controller”, “data subject”, “personal data”, “personal data breach”, “processing”, and “supervisory authority” shall have the meanings given to such terms in the GDPR. “Licensee personal data” means all personal data subject to Data Protection Law that Eagle Point may process on Licensee’s behalf.

“Data Subject Request” means a communication from a data subject regarding the exercise of rights pursuant to applicable Data Protection Law, including rights to access, rectification, restriction of processing, erasure, and portability of personal data.

“Information Security Incident” means any actual or reasonably suspected personal data breach, security breach, or other unauthorised access, misappropriation, loss, damage, or other compromise of the security, confidentiality, or integrity of any Licensee personal data processed by Eagle Point or a Subprocessor.

“Model Clauses” means the Standard Contractual Clauses for the Transfer of Personal Data to Third Countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council and the Standard Contractual Clauses for the Transfer of Personal Data between Controllers and Processors under Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council, approved by EC Commission Decision of 4 June 2021 as applicable and as may be found at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914&qid=1639413653623.

“Services” means the services and other activities that Eagle Point shall provide or carry out for Licensee as set forth in the applicable Terms and Conditions.

“Subprocessor” means another processor engaged by Eagle Point to process Licensee personal data on behalf of Licensee, in accordance with Licensee’s instructions.

II. Relationship of the Parties

2.1 The Parties agree that with respect to the provision of the Services, Licensee is the data controller of the personal data and, to the extent that Eagle Point’s performance of the Services in the relevant instance are in such capacity, Eagle Point is the data processor of such personal data.

2.2 In accordance with GDPR Article 28(3)(a), Eagle Point and any Subprocessor acting under its authority shall only process Licensee personal data upon Licensee’s documented instructions, as evidenced by the applicable Terms and Conditions.

III. Scope and Operation

3.1 This Addendum applies solely to Eagle Point’s processing of Licensee personal data that is subject to Data Protection Law in providing Services to Licensee in accordance with the applicable Terms and Conditions.

3.2 As required by Article 28(3) of the GDPR, the subject matter, nature and purpose of the processing, type of Licensee personal data, and the categories of data subjects associated with Eagle Point’s processing of personal data in the provision of the Services, shall be as set forth in, and in accordance with, the applicable Terms and Conditions and Annex 1 of this Addendum.

3.3 The duration of the processing is the term of the applicable Terms and Conditions and until all Licensee personal data has been deleted or returned by Eagle Point in accordance with Section 10 and Annex 1 of this Addendum.

IV. Security Measures

In performing the Services, Eagle Point shall:

4.1 Implement appropriate technical and organizational measures to provide a level of security appropriate to the risk associated with the processing activity, including the measures referred to in Article 32(1) of the GDPR;

4.2 Implement appropriate security measures in accordance with good industry practice in the United States and in accordance with the requirements of all applicable Data Protection Law; and

4.3 Regularly monitor compliance with such security safeguards to avoid material decrease in the level of security afforded to Licensee personal data during the duration of the processing.

Annex 2 to this Addendum further describes the technical and organization security measures that Eagle Point has implemented with respect to its personal data processing activities, as required by Article 28(3) of the GDPR.

V. Confidentiality

5.1 Eagle Point shall treat all personal data processed on behalf of Licensee in accordance with the applicable Terms and Conditions as confidential information. Except as is necessary for its granting of consent set forth in Section 6.1 below, Licensee shall not use or disclose any nonpublic information provided it by Eagle Point, including without limitation the identities of Subprocessors, without the express prior written approval of Eagle Point in each instance.

5.2 Eagle Point shall provide persons authorized by Eagle Point to process Licensee personal data with appropriate training on their responsibilities and require them to have executed written confidentiality agreements that endure through the duration of the processing and after termination or conclusion of processing.

5.3 Eagle Point shall limit access to Licensee personal data to Eagle Point’s personnel who require such access in order to perform the Services. Any such access to Licensee personal data shall be granted on a “need to know” basis.

5.4 The parties acknowledge that any breach of this Section 5 by either of them will result in irreparable harm to the other of them; that money damages will be an incomplete remedy for such breach; and that the nonbreaching party will be entitled to an injunction or other equitable remedies awarded by a court of competent jurisdiction to prevent or restrain such breach and harm. This Section 5 shall survive the termination or expiration of this Agreement or the applicable Terms and Conditions.

VI. Subprocessing

6.1 By its use of the Services Licensee consents to the use by Eagle Point of Subprocessors, provided that each Subprocessor is bound by a written agreement requiring it to adhere to the same data protection obligations as those applicable to Eagle Point under this Addendum and applicable Data Protection Law. Licensee expressly consents to the use by Eagle Point of the Subprocessors named in the Eagle Point Privacy Policy.

6.2 Eagle Point shall respect the conditions imposed by Article 28(2) and (4) of the GDPR regarding the engagement of Subprocessors.

6.3 Eagle Point shall remain fully liable for any Licensee personal data processing by Subprocessors.

VII. Data Subject Requests

7.1 Eagle Point shall, without undue delay, and in any event within ten (10) business days, notify Licensee if it receives a Data Subject Request. Eagle Point shall not respond to any Data Subject Request unless and until expressly instructed to do so by Licensee.

7.2 Eagle Point shall provide all reasonable assistance to Licensee to enable Licensee to comply with its obligation to respond to Data Subject Requests under applicable Data Protection Law, at Eagle Point’s standard rates and terms. If authorized by Licensee, such assistance may include complying with a Data Subject Request in accordance with applicable Data Protection Law and Licensee’s instructions.

7.3 If Licensee requests information from Eagle Point to fulfill its obligation to respond to a Data Subject Request, Eagle Point shall provide the requested information without undue delay, and in any event within ten (10) business days of Licensee’s request for assistance. Eagle Point shall notify Licensee as soon as is reasonably practicable under the circumstances if Eagle Point is unable to comply with the request for assistance within this ten (10) business day period. Such notification shall provide a reasonably detailed explanation as to why Eagle Point considers compliance with such request for assistance to be impossible.

7.4 Eagle Point shall provide Licensee with any personal data that it processes on Licensee’s behalf in a structured, commonly used, electronic, and machine-readable format or in such format as otherwise requested by Licensee.

VIII. Information Security Incident

8.1 Eagle Point shall notify Licensee without undue delay after becoming aware of an Information Security Incident affecting Licensee personal data. Eagle Point shall take action to contain such Information Security Incident and mitigate potential risks to affected data subjects.

8.2 Eagle Point shall provide all reasonable assistance to Licensee to assist Licensee in complying with its obligations regarding any Information Security Incident under applicable Data Protection Law. Eagle Point shall not communicate with any third party (including any affected data subjects or regulatory authorities) regarding any Information Security Incident, except for its attorneys or financial advisors, or its representatives whose duties on behalf of Eagle Point include work related to data security incidents, unless and until expressly instructed to do so by Licensee or required by compulsory process.

IX. Audits and Inspections

Subject to Section 5 and attorney-client privilege, Eagle Point shall make available to Licensee any information of Eagle Point that Licensee may require for purposes of demonstrating compliance with Licensee’s obligations under applicable Data Protection Law.

X. Deletion or Return of Licensee Personal Data

10.1 Eagle Point shall, upon receipt of Licensee’s written request, securely delete or return Licensee personal data to Licensee and delete existing copies, unless EU law or EU Member State law requires storage of Licensee personal data, or unless otherwise prohibited by applicable law.

10.2 Eagle Point shall return all Licensee personal data in a commonly used, structured, electronic, and machine-readable format or in such format as otherwise requested by Licensee.

10.3 Immediately after deleting the Licensee personal data, Eagle Point shall provide to Licensee certified written confirmation of such secure deletion.

XI. Data Transfers

11.1 Eagle Point has self-certified to the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework for the transfer of non-HR personal data.

11.2 The Model Clauses are incorporated in this Addendum by this reference and, in the event of any inconsistency between the provisions of this Addendum and the Model Clauses, the Model Clauses shall govern.

XII. Data Protection Officer

Eagle Point’s Data Protection Officer is its CEO.

XIII. Claims

If Licensee faces an actual or potential claim arising out of or related to an alleged violation of any Data Protection Law, Eagle Point shall promptly provide all materials and information requested by Licensee that are relevant to the defense of such claim and the underlying circumstances concerning the claim to the extent not privileged.

XIV. Recordkeeping

In accordance with the requirements of Article 30(2) of the GDPR, Eagle Point shall maintain a record of all processing activities carried out on Licensee’s behalf. Eagle Point shall make such record available to Licensee and the applicable supervisory authority upon request. As of the Effective Date, however, the Parties stipulate that the requirements of Article 30(2) do not apply to Eagle Point, and at such time as when they do, Eagle Point shall comply with those requirements.

ANNEX 1: DESCRIPTION OF LICENSEE PERSONAL DATA PROCESSING

This Annex 1 includes certain details of the Processing of Company Personal Data as required by Article 28(3) GDPR.

The subject matter and duration of the Processing of Licensee Personal Data are set out in the applicable Terms and Conditions and the Data Processing Addendum of which this Annex 1 forms a part.
The nature and purposes of the Processing of Licensee Personal Data as well as the types of Licensee Personal Data to be processed are set out in the Eagle Point Privacy Policy.
The category of Data Subject to whom Licensee Personal Data relates consists of Permitted Users (as defined in the applicable Terms and Conditions) that have registered to make use of the Services described in the applicable Terms and Conditions.
The obligations and rights of Licensee are set out in the applicable Terms and Conditions and this Addendum.

ANNEX 2: DESCRIPTION OF EAGLE POINT’S SECURITY MEASURES

This Annex 2 describes the technical and organizational security measures that Eagle Point has implemented in accordance with Section 4 of this Addendum and applicable Data Protection Law.

Eagle Point undertakes the pseudonymisation, encryption, and security of personal data as follows:

Eagle Point may collect relevant personal information from employees or customers or data subjects for equal opportunities monitoring purposes. Where such information is collected, the organization will anonymize it unless the purpose to which the information is put requires the full use of the individual's personal information.

Eagle Point will ensure that personal information about a data subject, including information in personnel files, is securely retained. The organization will keep hard copies of information in a locked filing cabinet. Information stored electronically will be subject to access controls, and passwords and encryption software will be used where necessary.

Eagle Point ensures the ongoing confidentiality, integrity, availability and resilience of its processing systems and services, and has a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing, as follows:

Information Security Objective

The objective of Eagle Point information security is to ensure that its core and supporting business operations continue to operate by preventing and minimizing the impact of security incidents. Eagle Point endeavors to ensure that all information that is disbursed or produced by Eagle Point has integrity and that all relevant information is managed and stored with appropriate confidentiality procedures. In deploying the Eagle Point information security systems, the Information Security Team aims to maintain known risks at their current low level and ensure that new and changing risks are managed in an equally consistent and professional manner.

Roles and Responsibilities

The Information Security Team is responsible for defining the organization’s vision and objectives related to information security and for enforcing this policy.
Information Security Team is responsible;
- To ensure that the policy is communicated to all stakeholders and implemented within the organization.
- To review this policy at a periodic interval.
- For maintaining the policy and providing support and advice during its implementation.
Respective process owners or managers are directly responsible for implementing Eagle Point’s Information security policy within their units, and for adherence by their staff.
Employees and non-employees of Eagle Point are responsible and/or accountable to ensure adherence to the terms of this policy in the course of their job duties.

Policy Statements

Set up an Information Security Management System (ISMS) framework that includes the appointment of the Information Security Team.
ISMS Policies, Procedures and Guidelines shall be made available to staff and relevant stakeholders.
Information and information processing systems shall be used in a secure manner that supports the strategic goals and objectives of Eagle Point.
A formal ISMS process shall be established to implement, operate, maintain, monitor and improve the security controls to safeguard the information.
Information shall be handled in a secure manner to avoid any loss of confidentiality, integrity, and availability during its creation, storage, processing, transmission and disposal.
There shall be designated owners to classify information based on requirements for confidentiality, integrity and availability and protect against internal and external threats.
All risks related to information and information processing systems shall be identified and mitigated on a timely basis.
Employees and non-employees shall be adequately trained and made aware of their roles and responsibilities towards information security and exercise discretion, common sense, and reasonable judgment towards use of Eagle Point’s Information.
Information and information processing systems shall be accessible to the authorized users as per their business needs.
Personnel, Information and information processing systems shall be physically secured from physical and environmental threats.
There shall be a formal process to ensure the risk related to third party vendors or suppliers shall be identified, controlled and monitored regularly.
All information security incidents shall be reported and managed in a timely manner.
All applicable legal and/or regulatory requirements pertaining to information security shall be met.
Establish levels of risk acceptance, identify levels of risk acceptability, and establish appropriate management objectives and management measures based on systematic risk assessments and risk management.
Information security shall be continuously reviewed and improved to ensure continuous adherence to this policy.
Employees and non-employees shall take appropriate measures to protect confidential information that is within the scope of their professional activities.
Employees and non-employees shall adhere to the information security policies, procedures, standards, guidelines etc. approved by the Information Security Team.
Employees and non-employees of Eagle Point shall not attempt to circumvent or subvert any of the information security controls.
Business Continuity Management Framework is made available and Business Continuity plans are developed to counteract interruptions to business activities and to protect critical processes from the effects of major failures or disasters.
All breaches of information security are reported to, and investigated by the relevant authorities.

Maintenance of the policy

The compliance to this policy and supporting policies shall be audited on a yearly basis.

This security policy shall be reviewed annually unless there is a major change in the organization or the environment affecting the organization, in which case it shall be done on a need basis.

This security policy shall be reviewed and revised whenever a major security risk or an incident is identified.

Enforcement of policy

All employees of Eagle Point, contractors, vendors and partners who require access to information and associated assets are responsible for ensuring that this policy is adhered to. The Information Security Team is responsible for ensuring that the users are aware of, and adhere to, this policy.

Violation of information security policy shall result in corrective action. Disciplinary action shall be taken in accordance with the severity of the violation, as determined by an investigation, and may include, but not limited to:

Revocation of access privileges to information assets
Termination of employment
Termination of contract
Other actions as deemed appropriate by the Information Security Team or as per law

Violation or deviation of the policy shall be reported to the Information Security Team and a security incident record shall be created for the further investigation of the incident.

Policy Exception

Any exception to the information security policy or supporting policies shall be assessed and approved by the Information Security Team. All the exceptions requests and approvals shall be formally documented.

Eagle Point will implement the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident as follows:

Once it’s established that a breach has happened, Eagle Point should not only try to contain the incident, but should also perform a risk analysis. This will help Eagle Point in taking appropriate measures to contain and address the breach and to determine whether notification is required to the Supervisory Authority and to Data Subjects.

The following factors can be taken into consideration while performing a Risk Assessment.

Type of Breach – Is it a Confidentiality, Integrity or Availability Breach?
Nature, Sensitivity and Volume of Personal Data affected
Ease of identification of individuals
Severity of consequences for individuals
Number of affected individuals

When assessing the risk that is likely to result from a breach, Eagle Point should consider the severity of the impact on the rights and freedoms of individuals and the likelihood of the breach occurring. When the consequences of a breach or the likelihood of these occurrences are severe or higher, the risk is higher.

Should the breach cause a disruption in Eagle Point’s services or operations, Eagle Point has adopted a policy to facilitate business continuity through the development of contingency plans as follows:

1.1 Business Impact Analysis

Information Security Team shall identify and document the following

Critical business services and the activities required to sustain operations of Eagle Point
Maximum acceptable outage time for the critical services
Resources - personnel, equipment, software, data files - needed to operate critical services
External dependencies for the successful recovery of critical services
Information security requirements
Priority in which critical services should be recovered

1.2 Development of contingency plan

All possible threats and risks to the availability of services to legitimate users should be identified and documented.
Preventive controls and Contingency plans shall be developed based on the result of risk assessment.
Contingency plans and continuity strategies shall be developed by taking into consideration the following aspects
Cost of the proposed strategy
Maximum allowable downtime and system uptime requirements
Remediation of risks related to business continuity
Compatibility with current systems
Information backup plan (including data, system software, configuration files, license keys, device drivers, system documentation etc.) shall be formulated depending on the maximum tolerable data loss for each business process.
Work from home option shall be provided to ensure continuity of operations when the main office site is not reachable due to a natural or man-made disaster.
Redundant hardware and configuration that supports high availability shall be included in the system design.
Alternate communication links and redundant network devices shall be maintained to avoid single points of failure.
Contingency clauses shall be included in the contracts signed with telecommunications provider and internet service provider.
Contracts and service level agreements shall be made with suppliers for equipment repair and replacement.
Manual fallback procedures and temporary operational procedures shall be developed as an alternative until the technical systems can be fully recovered and restarted.
Crisis communication plan (which describes who to reach out to and how, in the event of a disaster) shall be documented and tested.
System restart procedures shall be documented, and recovery steps shall be prioritized, keeping in mind the internal dependencies and connected systems and applications.

1.3 Testing the contingency plan

Contingency plans shall be reviewed on an annual basis to determine the effectiveness of the plan and Eagle Point’s readiness to execute the plan.

The following areas should be addressed in a contingency plan review, as applicable:

Contingency notification procedures and communication channels to be used during a disaster scenario;
System recovery on an alternate platform from backup media;
Internal and external connectivity;
System performance using alternate equipment;
Restoration of normal operations
Effectiveness of security controls while the system is operating under stress

Information Security Team along with representatives from all departments shall coordinate the review activity.

Results of the review shall be documented for analysis and continual improvement of the business continuity plan.

1.4 Increasing awareness about emergency response

Training related to contingency procedures shall be given to Eagle Point staff and contractors at least once a year.

Training shall be customized according to the roles and responsibilities of the personnel.

1.5 Contingency Management Roles and Responsibilities

A crisis management team shall be formed with members from senior management, IT team or outsourced IT contractor and the Information Security Team.
Criteria for invoking the contingency plan shall be defined and the invocation shall be authorized by the Chief Operating officer.
Criteria for returning to normal operating mode after a disaster event shall be defined by the Chief Operating officer.

Budget for the procurement of additional resources during contingency shall be approved by the senior management.

1.6 Ensuring information security in contingency scenarios

Eagle Point shall ensure that existing information security controls shall not be compromised during an adverse situation.
Compensating controls should be designed for information security controls that cannot be maintained during an adverse situation, or while operating from an alternate work site.
The Information Security Team shall have the authority to take decisions related to security controls while operating in a crisis scenario. The Information Security Team shall authorize internal and external communication related to information security.
Security controls shall be considered during the routing business continuity and disaster recovery reviews conducted in the organization.