Legal — Data Processing Addendum

DATA PROCESSING ADDENDUM – KAGR LLC

Last updated and effective as of 09/13/2023 (the “DPA Effective Date”).

This Data Processing Addendum (“DPA”), forms part of the Master Client Agreement (as applicable, the “Agreement”) between KAGR LLC (“Provider” or “KAGR”) and the entity that has engaged Provider to provide the Services including the Platform (“Client”). Capitalized terms used and not otherwise defined herein shall have the meanings ascribed to them in the Agreement. Each of Provider and Client is referred to in this DPA individually as a “party”, collectively the “parties”.  By entering into the Agreement, the parties are deemed to have signed all Exhibits, Attachments, Annexes, Schedules, and Appendices, including those incorporated by reference, to this DPA where applicable.

1. 1. Definitions.
   • 1.1. “Controller” is the entity that determines the purposes for which and the means by which personal data or personal information is Processed and includes without limitation a business as defined in the CCPA and a controller as defined in the European Data Protection Laws or the State Data Protection Laws as applicable.
   • 1.2. “CCPA” means (to the extent applicable) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, together with any regulations promulgated thereunder.
   • 1.3. “Data Protection Laws” means all Applicable Laws that relate to the protection, privacy, Processing, or security of Personal Data.
   • 1.4. “Deidentified Data” means data that cannot reasonably be used to infer information about, and that cannot reasonably be linked to, an identified individual or an identifiable individual, or to a device linked to such individual.
   • 1.5. “European Data Protection Laws” means, collectively, the GDPR and the UK Data Protection Laws, as applicable.
   • 1.6. “GDPR” means the General Data Protection Regulation (EU) 2016/679.
   • 1.7. “Personal Data” means any Client Data relating to any identified or identifiable individual or household.
   • 1.8. “Regulated Data” means any Personal Data that is regulated by any State Data Protection Laws.
   • 1.9. “Sensitive Data” means any of the following: (i) any “special categories of personal data” as defined in the European Data Protection Laws; (ii) Social Security number or other third-party issued identifier (including taxpayer-identification number, driver’s license number, passport number, any other federal- or state-issued number, and employee identification number), credit or debit card number or other financial information (including bank account information and credit report information) with or without any required security question, security code, access code, personal identification number or password that would permit access to an individual’s financial account, and any data that is subject to or regulated by Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act of 1999 (as amended, and together with any regulations promulgated thereunder); (iii) biometric data, health information (including, without limitation, health insurance information), and any data subject to or regulated by (A) the Health Insurance Portability and Accountability Act of 1996 (as amended, and together with any regulations promulgated thereunder, including without limitation the Health Insurance Reform: Security Standards (Security Rule)); and/or (B) the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009 (as amended); and (iv) data collected from children under the age of 16 and any data subject to or regulated by the Children’s Online Privacy Protection Act of 1998.
   • 1.10. “State Data Protection Laws” means (in each case to the extent effective and applicable) (i) the Colorado Privacy Act, together with any regulations promulgated thereunder, (ii) the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, together with any regulations promulgated thereunder, (iii) the Utah Consumer Privacy Act, together with any regulations promulgated thereunder, and/or (iv) the Virginia Consumer Data Protection Act, together with any regulations promulgated thereunder.
   • 1.11. “UK” means the United Kingdom.
   • 1.12. “UK Data Protection Laws” means UK GDPR and the UK’s Data Protection Act 2018 (“UK DPA 2018”).
   • 1.13. “UK GDPR” means the UK equivalent of the GDPR, as defined in section 3(10) (and as supplemented by section 205(4)) of the UK DPA 2018.
2. 2. Applicability of DPA. This DPA will apply to the extent that KAGR Processes Personal Data falling within the scope of the Data Protection Laws.
3. 3. Roles and Responsibilities.
   • 3.1. Roles of the Parties. As between KAGR and Client, Client is the entity that determines the purposes for which and the means by which Personal Data is Processed under the Agreement and this DPA and KAGR shall Process the Personal Data on behalf of Client and at Client’s direction.
   • 3.2. Client Processing of Personal Data.
     • (a) Client shall comply with all Data Protection Laws in respect of its use of the KAGR Services, its Processing of the Personal Data, and any Processing instructions it issues to KAGR;
     • (b) Without limitation of any other provision herein, Client represents, warrants, and covenants that: (i) it has (and will have) collected and disclosed all Client Data in compliance with all Applicable Laws and provided any notice and obtained all consents and rights required by Applicable Law to enable Provider to lawfully Process Client Data as permitted by the Agreement and/or this DPA; (ii) it has (and will continue to have) full right and authority to make the Client Data available to Provider  under the Agreement and this DPA; and (iii) Provider’s Processing of the Client Data in accordance with the Agreement, this DPA, and/or Client’s instructions do and will not infringe upon or violate any Applicable Law or any rights of any third party; and
     • (c) Without limitation of Section 6.3 of the Agreement, the parties acknowledge and agree that neither the Agreement nor this DPA contemplate that any Sensitive Data will be disclosed or made available or accessible to Provider by or on behalf of Client. If Client intends to disclose Sensitive Data under the Agreement, Client will provide prior written notice to Provider.  To the extent Provider, in its sole discretion, agrees to accept such disclosure, the parties will negotiate a written amendment to the Agreement that includes additional terms (including without limitation any terms required by Applicable Law) governing such Sensitive Data (a “Data Amendment”). For the avoidance of doubt, Client shall not disclose or provide access to Provider to any Sensitive Data unless and until the parties have entered into a Data Amendment.
   • 3.3. KAGR’s Processing of Personal Data. KAGR shall retain, use, disclose and otherwise Process the Personal Data only for the purposes described in the Agreement and/or applicable SOW between KAGR and Client, and in accordance with any additional lawful, documented instructions provided by Client to KAGR in writing.
4. 4. Sub-processing.
   • 4.1. Client agrees that KAGR may engage KAGR affiliates and third parties to Process Personal Data on KAGR’s behalf (“Sub-processors“) provided that:
     • (a) KAGR imposes on such Sub-processors data protection terms that require it to protect the Personal Data to the standard required by Data Protection Laws;
     • (b) Between KAGR and Client, KAGR shall be responsible for any breach of this DPA caused by a Sub-processor; and
     • (c) KAGR shall make available to Client in the applicable SOW a link to the current list of Sub-processors for the Services as updated by KAGR from time to time (the “Sub-processor list”). KAGR shall provide notice to Client, which may be by email or by pop-up in Client’s account, notifying of a new Sub-processor(s) at least 10 days before authorizing any new Sub-processor(s) to Process Client’s Personal Data in connection with the provision of the Services. Client may object to KAGR’s use of a new Sub-processor by notifying KAGR in writing within 10 business days after receipt of KAGR’s notice in accordance with the mechanism set out in the preceding sentence. In the event Client objects to a new Sub-processor, KAGR will use commercially reasonable efforts to make available to Client a change in the Services, if practicable, to avoid Processing of Personal Data by the objected-to new Sub-processor.
5. 5. International Transfers.  Client shall not request or instruct KAGR, and KAGR shall have no obligation, to transfer Personal Data from any jurisdiction to any other jurisdiction (the EEA constituting a single jurisdiction for this purpose), without Client confirming in writing to KAGR that such request complies with Data Protection Laws; provided that KAGR may transfer Personal Data from the EEA or United Kingdom to the United States (or any other jurisdiction in which KAGR or its Sub-processors have operations or personnel) and Client hereby confirms to KAGR that any such transfer complies with Data Protection Laws. Client hereby consents to the Processing of Personal Data in the United States or any other jurisdiction in which KAGR or its Sub-processors have operations or personnel.
6. 6. Cooperation.
   • 6.1. KAGR shall provide reasonable assistance to Client, where possible, to enable Client to respond to requests from individuals seeking to exercise their rights under Data Protection Laws. In the event that an individual’s request is made directly to KAGR, KAGR shall promptly inform Client of the same.
   • 6.2. KAGR shall, taking into account the nature of the Processing and the information available to it, provide reasonable assistance needed for Client to fulfil Client’s obligations under the Data Protection Laws.
7. 7. Return/Deletion of Personal Data. Within 90 days of termination or expiration of the Agreement, KAGR shall delete the Personal Data in KAGR’s possession, or return the Personal Data to Client upon written request. This requirement shall not apply (a) to the extent that KAGR is required by Applicable Law, to retain some or all of the Personal Dataor (b) to the extent that KAGR is allowed by Applicable Law (including Data Protection Laws) to retain Personal Data archived on backup systems.
8. 8. EU Personal Data – Controller to Processor Transfers. To the extent Provider Processes Personal Data regulated by the GDPR (“EU Personal Data”), and to the extent Client is a controller (as defined in the GDPR) and the Provider is a processor (as defined in the GDPR) on behalf of Client with regard to such EU Personal Data, then to the extent required by the GDPR, Module 2 of the Standard Contractual Clauses for the Transfer of Personal Data as set out in European Commission Decision 2021/914/EC, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN (the “Controller to Processor Standard Contractual Clauses”) will apply to the transfer of such EU Personal Data by Client to Provider and to Provider’s Processing of such EU Personal Data and the parties hereby agree to comply with such Controller to Processor Standard Contractual Clauses, which are hereby incorporated into the Agreement in their entirety, as set forth in this Section 8. In the event of a conflict between the Agreement and the Controller to Processor Standard Contractual Clauses, the Controller to Processor Standard Contractual Clauses will control to the extent applicable to such EU Personal Data.
   • 8.1. For the purposes of the Controller to Processor Standard Contractual Clauses:
     • (a) Clause 7. The parties agree that the optional language in Clause 7 is included.
     • (b) Clause 9(a). The parties agree that under Option 2, Provider has Client’s general authorization to subcontract its processing activities to the list of sub-processors set out in the Sub-processor list. Provider will inform Client in writing of any intended changes to the Sub-processor list at least 10 days prior to engaging with any other sub-processor.
     • (c) Clause 11. The parties agree that the optional language in Clause 11 is excluded.
     • (d) Clause 13. The parties agree that the brackets are removed in the provisions in Clause 13(a) such that the appropriate provision will apply as applicable.
     • (e) Clause 17. The Controller to Processor Standard Contractual Clauses shall be governed by the laws of Ireland.
     • (f) Clause 18. The parties agree that any dispute arising from the Controller to Processor Standard Contractual Clauses shall be resolved by the courts of Ireland.
     • (g) Annex I.A.
       • (i) The name and address of Client, and the name, position, and contact details of the contact person of Client (which is the data exporter) are as set forth in the applicable Statement of Work under the Agreement.
       • (ii) The name and address of Provider, and the name, position, and contact details of the contact person of Provider (which is the data importer) are set forth in Schedule 1 to this DPA.
       • (iii) The activities relevant to the data transferred are the provision and receipt of the Services as described in the Agreement.
       • (iv) The signature and date are the signature and date set forth in the Agreement.
       • (v) The roles of the parties are as follows: Provider is a processor and Client is a controller.
     • (h) Annex I.B.
       • (i) The categories of data subject are set forth in Schedule 1 to this DPA.
       • (ii) The categories of personal data transferred are set forth in Schedule 1 to this DPA.
       • (iii) The transfer of sensitive data is not presently contemplated by this arrangement.
       • (iv) The frequency of the transfer shall be on a continuous basis.
       • (v) The nature of the processing is set forth on Schedule 1 to this DPA.
       • (vi) The purpose of the data transfer and further processing is provision of the Services by data importer to data exporter.
       • (vii) The duration of the processing under these Controller to Processor Standard Contractual Clauses shall continue as long as data importer carries out personal data processing operations on behalf of data exporter or until the termination of the Agreement (and all personal data has been returned or deleted in accordance with these Controller to Processor Standard Contractual Clauses).
       • (viii) For transfers to sub-processors, personal data will be transferred to sub-processors in order for the data importer to provide the Services to the data exporter. The nature of the processing by such sub-processors will be as follows: the personal data will be subject to basic processing, which may include without limitation collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Services to the data exporter in accordance with the terms of the Agreement. The duration of the processing by such sub-processors shall continue as long as such sub-processors carry out personal data processing operations on behalf of the data importer.
     • (i) Annex I.C.
       • The data exporter’s competent supervisory authority will be determined in accordance with the GDPR.
     • (j) Annex II.
       • The data importer employs a number of technical and organisational measures as further specified in KAGR’s Security Policy located at kagr.com/legal-data-security-policy/.
     • (k) Annex III.
       • Client has authorized the use of the sub-processors listed in the Sub-processor list.
9. 9. EU Personal Data – Processor to Processor Transfers. To the extent Provider Processes EU Personal Data, and to the extent Client is a processor (as defined in the GDPR) on behalf of a third party with respect to EU Personal Data and Provider is a processor on behalf of Client with regard to such EU Personal Data, then to the extent required by the GDPR, Module 3 of the Standard Contractual Clauses for the Transfer of Personal Data as set out in European Commission Decision 2021/914/EC, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN (the “Processor to Processor Standard Contractual Clauses”) will apply to the transfer of such EU Personal Data by Client to Provider and to Provider’s Processing of such EU Personal Data and the parties hereby agree to comply with such Processor to Processor Standard Contractual Clauses, which are hereby incorporated into the Agreement in their entirety, as set forth in this Section 9. In the event of a conflict between the Agreement and the Processor to Processor Standard Contractual Clauses, the Processor to Processor Standard Contractual Clauses will control to the extent applicable to such EU Personal Data.
   • 9.1. For the purposes of the Processor to Processor Standard Contractual Clauses:
     • (a) Clause 7. The parties agree that the optional language in Clause 7 is included.
     • (b) Clause 9(a). The parties agree that under Option 2, Provider has Client’s general authorization to subcontract its processing activities to the Sub-processor list. Provider will inform Client in writing of any intended changes to the Sub-processor list at least 10 days prior to engaging with any other sub-processor.
     • (c) Clause 11. The parties agree that the optional language in Clause 11 is excluded.
     • (d) Clause 13. The parties agree that the brackets are removed in the provisions in Clause 13(a) such that the appropriate provision will apply as applicable.
     • (e) Clause 17. The Processor to Processor Standard Contractual Clauses shall be governed by the laws of Ireland.
     • (f) Clause 18. The parties agree that any dispute arising from the Processor to Processor Standard Contractual Clauses shall be resolved by the courts of Ireland.
     • (g) Annex I.A.
       • (i) The name and address of Client, and the name, position, and contact details of the contact person of Client (which is the data exporter) are as set forth in applicable Statement of Work under the Agreement.
       • (ii) The name and address of Provider, and the name, position, and contact details of the contact person of Provider (which is the data importer) are as set forth in Schedule 1 to the DPA.
       • (iii) The activities relevant to the data transferred are the provision and receipt of the Services as described in the Agreement.
       • (iv) The signature and date are the signature and date set forth in the Agreement.
       • (v) The roles of the parties are as follows: Provider is a processor and Client is a processor.
     • (h) Annex I.B.
       • (i) The categories of data subject are set forth in Schedule 1 to the DPA.
       • (ii) The categories of personal data transferred are set forth in Schedule 1 to the DPA.
       • (iii) The transfer of sensitive data is not presently contemplated by this arrangement.
       • (iv) The frequency of the transfer shall be on a continuous basis.
       • (v) The nature of the processing is of personal data is set forth in Schedule 1 to the DPA.
       • (vi) The purpose of the data transfer and further processing is provision of the Services by data importer to data exporter.
       • (vii) The duration of the processing under these Processor to Processor Standard Contractual Clauses shall continue as long as data importer carries out personal data processing operations on behalf of data exporter or until the termination of the Agreement (and all personal data has been returned or deleted in accordance with these Processor to Processor Standard Contractual Clauses).
       • (viii) For transfers to sub-processors, personal data will be transferred to sub-processors in order for the data importer to provide the Services to the data exporter. The nature of the processing by such sub-processors will be as follows: the personal data will be subject to basic processing, which may include without limitation collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Services to the data exporter in accordance with the terms of the Agreement. The duration of the processing by such sub-processors shall continue as long as such sub-processors carry out personal data processing operations on behalf of the data importer.
     • (i) Annex I.C.
       • The data exporter’s competent supervisory authority will be determined in accordance with the GDPR.
     • (j) Annex II.
       • The data importer employs a number of technical and organisational measures as further specified in KAGR’s Security Policy located at kagr.com/legal-data-security-policy/.
     • (k) Annex III.
       • Client has authorized the use of the sub-processors listed in the Sub-processor list.
10. 10. UK Personal Data. To the extent Provider Processes Personal Data regulated by the UK Data Protection Laws solely on behalf of Client (“UK Personal Data”), then to the extent required by the UK Data Protection Laws, the UK’s ‘International Data Transfer Addendum to the EU Commission Standard Contractual Clauses’, Version B1.0, in force from March 21, 2022, available at https://ico.org.uk/media/for-organisations/documents/4019535/addendum-international-data-transfer.docx (the “UK DTA”) will apply to the transfer of such UK Personal Data by Client to Provider and to the Provider’s Processing of such UK Personal Data and the parties hereby agree to comply with such UK DTA, which is hereby incorporated into the Agreement in its entirety and as set forth in this Section 10. In the event of a conflict between the Agreement and the UK DTA, the UK DTA will control to the extent applicable to the UK Personal Data.
    • 10.1. For the purposes of the UK DTA:
      • (a) For the purposes of Table 1 of the UK DTA, the start date shall be the later of the DPA Effective Date or the Effective Date as defined in the Agreement, and the names of the parties, their roles and their details shall be as set out in Section 8.1(g)(i) and (ii) of the DPA and  Section 9.1(g)(i) and (ii) of the DPA, respectively;
      • (b) For the purposes of Tables 2 and 3 of the UK DTA, the Controller to Processor Standard Contractual Clauses and the Processor to Processor Standard Contractual Clauses, including the information set out in Section 8.1(h), 8.1(j), and 8.1(k) of the DPA and Section 9.1(h), 9.1(j), and 9.1(k) of the DPA, respectively, shall apply; and
      • (c) For the purposes of Table 4 of the UK DTA, either party may end the UK DTA.
11. 11. California Personal Data.  To the extent Client makes available to Provider Personal Data regulated by the CCPA for a business purpose pursuant to the Agreement and/or to the extent Provider Processes Personal Data regulated by the CCPA solely on behalf of Client (collectively, “California Personal Data”), then to the extent required by the CCPA, the provisions of this Section 11will apply to the Provider’s Processing of such California Personal Data and the parties hereby agree to comply with such provisions. In the event of a conflict between the Agreement and this Section 11, this Section 11 will control to the extent applicable to the California Personal Data.
    • 11.1. In this Section 11, the following terms have the meanings given in the CCPA: “business purpose”, “personal information”, “processing”, “service provider”, “contractor”, “person”, “share”, “sharing”, “shared”, “sell”, “selling”, “sale” and “sold”.
    • 11.2. Except as otherwise required by Applicable Law or as otherwise permitted by the CCPA, Provider shall:
      • (a) not sell or share California Personal Data;
      • (b) not retain, use, or disclose California Personal Data for any purpose other than for the business purposes of Provider’s provision of the Services specified in the Agreement for the Client, nor retain, use, or disclose California Personal Data for a commercial purpose other than the business purposes specified in the Agreement, or as otherwise permitted by the CCPA;
      • (c) not retain, use, or disclose California Personal Data outside of the direct business relationship between the parties;
      • (d) not combine California Personal Data, which Provider receives pursuant to the Agreement or from or on behalf of Client, with personal information which it receives from or on behalf of another person or persons, or collects from its own interaction with the individual to whom such California Personal Data relates, except as otherwise expressly permitted by the CCPA;
      • (e) reasonably cooperate with Client in responding to any requests from any individual regarding California Personal Data relating to such individual, including reasonably assisting Client in deletion, correction, or limitation of the use of such California Personal Data where required under the CCPA, and including instructing Provider’s service providers and/or contractors (if any) to so reasonably cooperate in such response;
      • (f) reasonably assist Client through appropriate technical and organizational measures in Client’s complying with the requirements of subdivisions (d) to (f), inclusive, of Section 1798.100 of the CCPA, taking into account the nature of the California Personal Data processing by Provider;
      • (g) implement and maintain commercially reasonable security procedures and practices appropriate to the nature of the California Personal Data intended to protect such California Personal Data from unauthorized access, destruction, use, modification, or disclosure;
      • (h) comply with all applicable obligations under the CCPA and provide the same level of privacy protection with respect to California Personal Data as required by the CCPA;
      • (i) notify Client if Provider determines it can no longer meet its obligations under the CCPA; and
      • (j) comply with Section 1798.140(m) the CCPA with respect to deidentified data (as defined in the CPRA) received by Provider from Client.
    • To the extent Provider is a contractor, Provider certifies that Provider understands the restrictions provided in Sections 11.2(a), (b), (c) and (d) and will comply with them.
    • 11.3. Provider acknowledges and agrees that the California Personal Data has been disclosed to it for the limited and specified purposes set forth in the Agreement and Provider further acknowledges and agrees Client shall have the right: (i) to take reasonable and appropriate steps to ensure that Provider uses California Personal Data in a manner consistent with Client’s obligations under the CCPA; and (ii) upon notice from Client to Provider, to take reasonable and appropriate steps to stop and remediate unauthorized use of California Personal Data.
    • 11.4. To the extent required by the CCPA and to the extent Provider is a contractor, Provider shall permit, subject to agreement of the parties, Client to monitor Provider’s compliance with this Section 11 through measures, including, but not limited to, ongoing manual reviews and automated scans, and regular assessments, audits, or other technical and operational testing once every twelve (12) months (each, a “California Audit”), upon reasonable prior notice from Client, provided that no third-party auditor (each a “California Auditor”) shall be a competitor of Provider, nor shall any California Auditor be compensated on a contingency basis, and provided further that in no event shall Client or any California Auditor have access to the information of any other client of Provider and the disclosures made pursuant to this Section 11.4 (“California Audit Information”) shall be held in confidence as Provider’s Confidential Information and subject to any confidentiality obligations in the Agreement, and provided further that no California Audit shall be undertaken unless or until Client has requested, and Provider has provided, information about Provider’s data protection practices and Client reasonably determines that a California Audit remains necessary to demonstrate material compliance with the obligations laid down in this Section 11. Without limiting the generality of any provision in the Agreement, Client shall employ the same degree of care to safeguard California Audit Information that it uses to protect its own confidential and proprietary information and in any event, not less than a reasonable degree of care under the circumstances, and Client shall be liable for any improper disclosure or use of California Audit Information by Client or its agents.
    • 11.5. If Provider engages any other person to assist Provider in processing California Personal Data for a business purpose on behalf of Client, Provider shall notify Client of such engagement, and the engagement shall be pursuant to a written contract binding the other person to observe substantially similar requirements to those set forth in this Section 11. Provider hereby notifies Client that Provider may engage the persons listed on the Sub-processor list to assist Provider in processing California Personal Data for a business purpose on behalf of Client.
12. 12. State Data Protection Laws. To the extent Provider Processes Regulated Data, then to the extent required by one or more of the State Data Protection Laws, the provisions of this Section 12 will apply to the Provider’s Processing of such Regulated Data and the parties hereby agree to comply with such provisions. In the event of a conflict between the Agreement and this Section 12, this Section 12 will control to the extent applicable to the Regulated Data.
    • 12.1. Instructions. Client hereby instructs Provider to Process Regulated Data to the extent necessary to provide the Services.
    • 12.2. Nature of the Processing; Purpose of the Processing.  The nature of the Processing of Personal Data is set forth on Schedule 1 to this DPA. The purpose of the Processing of Regulated Data hereunder is the provision of the Services by Provider to Client.
    • 12.3. Types of Regulated Data. The types of Regulated Data subject to Processing hereunder are set forth on Schedule 1 to the DPA.
    • 12.4. Duration of Processing.  The duration of the Regulated Data Processing shall continue as long as Provider carries out Regulated Data Processing operations on behalf of Client or until the termination of the Agreement (and all Regulated Data has been returned or deleted).
    • 12.5. Obligations.  Except as otherwise required or permitted by Applicable Law, Provider shall:
      • (a) Ensure that each person Processing Regulated Data on behalf of Provider is subject to a duty of confidentiality with respect to such Regulated Data;
      • (b) At Client’s choice and direction, delete or return all Regulated Data to Client as requested at the end of the provision of the Services, unless retention of such Regulated Data is required by Applicable Law;
      • (c) Make available to Client all information necessary to demonstrate Provider’s compliance with the obligations in the State Data Protection Laws;
      • (d) Taking into account the context of Processing, Provider shall implement appropriate technical and organizational measures designed to ensure a level of security with respect to the Regulated Data appropriate to the risk in accordance with the Agreement and this DPA;
      • (e) Allow for, contribute to, and cooperate with reasonable audits, inspections, and/or assessments (each a “State Audit”) by Client or Client’s designated third-party representative (each, a “State Auditor”), provided that, as an alternative, Provider may arrange for a qualified and independent auditor or assessor to conduct (at least annually and at Client’s expense (unless otherwise required by applicable law)) a State Audit of Provider’s policies and technical and organizational measures in support of the obligations under the State Data Protection Laws using an appropriate and accepted control standard or framework and State Audit procedure for the State Audits as applicable and Provider shall provide a report of such State Audit to Client upon request. No third-party State Auditor appointed by Client shall be a competitor of Provider, nor shall any such State Auditor be compensated on a contingency basis. In no event shall Client or any State Auditor have access to the information of any other client of Provider and the disclosures made pursuant to this Section 12.5(e) (“State Audit Information”) shall be held in confidence as Provider’s Confidential Information and subject to any confidentiality obligations in the Agreement, and provided further that no State Audit under this Section 12.5(e) shall be undertaken unless or until Client has requested, and Provider has provided, information about Provider’s data protection practices and Client reasonably determines that such a State Audit remains necessary to demonstrate material compliance with the obligations laid down in the State Data Protection Laws. Without limiting the generality of any provision in the Agreement, Client shall employ the same degree of care to safeguard State Audit Information that it uses to protect its own confidential and proprietary information and in any event, not less than a reasonable degree of care under the circumstances, and Client shall be liable for any improper disclosure or use of State Audit Information by Client or its agents; and
      • (f) Engage a subcontractor to Process Regulated Data on behalf of Provider only after providing Client with an opportunity to object, and bind each such subcontractor to a written contract in accordance with State Data Protection Laws that requires such subcontractor to comply with obligations of processors (as defined in the State Data Protection Laws) under the State Data Protection Laws and to meet equivalent obligations with respect to such Regulated Data as are set forth in this Section 12. Client hereby consents to Provider’s engagement of the subcontractors listed on the Sub-processor list to Process Regulated Data.
    • 12.6. Deidentified Data. With respect to Deidentified Data received by Provider from Client, Provider shall: (A) take reasonable measures to ensure that such data cannot be associated with an individual; (B) publicly commit to process such Deidentified Data only in a de-identified fashion and not attempt to re-identify such Deidentified Data; and (C) comply with the State Data Protection Laws.
13. 13. Notwithstanding anything to the contrary in the Agreement (including this DPA), Client acknowledges that Provider shall have a right to use and disclose data relating to the operation, support and/or use of the Services for its legitimate business purposes, such as product development and sales and marketing. To the extent any such data is considered personal data or personal information (each, as defined in and regulated by one or more Applicable Laws), then, to the extent Provider is subject to an Applicable Law as a Controller, Provider is the Controller with respect to such data and accordingly shall Process such data in accordance with the Applicable Law.

SCHEDULE 1- DATA PROTECTION SCHEDULE

1. 1. Categories of Personal Data: Personal Data including without limitation email addresses, phone numbers, device IDs, ticket purchases, first and/or last names, signatures, dates of birth, home or other physical addresses, fax numbers and online identifiers (including IP addresses, cookie information, other browser or device data, and other unique identifiers).    
2. 2. Categories of Data Subject: Fans and ticket holders and any other individuals to whom Personal Data relates.  
3. 3. Nature of the Processing:  The Personal Data will be subject to basic processing, including but not limited to collection, recording, organization, structuring, storage, adaptation or alteration, access, retrieval, consultation, use, disclosure (including by transmission), analysis, deletion, modification, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction for the purpose of providing the Services by Provider (data importer) to Client (data exporter) in accordance with the terms of the Agreement.
4.  4. Contact Information:
   • a. The name and address of Client, and the name, position, and contact details of the contact person of Client is set forth in the applicable Statement of Work under the Agreement.  
   • b.  The name and address of Provider, and the name, position, and contact details of the contact person of Provider are as follows:
   • Name: KAGR LLC
   • Address: 200 Patriot Place, Suite 200, Foxborough, MA 02035
   • Contact person’s name, position and contact details: Emily Keane, Senior Director of Operations, Strategic Planning & Initiatives security@kagr.com