1. Introduction and order of precedence
Under counsel review before execution
This Data Processing Addendum — including its selection of the applicable Standard Contractual Clause module(s), the UK Addendum, and the audit terms in Section 11 — is being finalized by licensed counsel before it is executed. The provisions below describe our intended commitments; the final, signed text controls once adopted.
This Data Processing Addendum (the “DPA”) forms part of the Terms of Service between the Customer and Thorbis, Inc., a Delaware corporation (“Thorbis,” “we,” “us,” or “our”) and applies wherever Thorbis processes personal data on the Customer's behalf in connection with the Service.
In the event of any conflict between this DPA and the Terms of Service on a data-protection matter, this DPA controls. On all other matters, the Terms of Service control. Terms not defined here have the meaning given in the Terms of Service.
2. Definitions
The following terms have the meanings given to them under the applicable data protection laws, and are used here by reference to those laws:
- “Controller,” “processor,” “personal data,” “processing,” and “data subject” have the meanings given under the applicable data protection laws.
- “Sub-processor” means any third party engaged by Thorbis to process personal data on the Customer's behalf in connection with the Service.
- “Data protection laws” means all laws and regulations applicable to the processing of personal data under this DPA, including, where applicable, the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA).
3. Roles of the parties
The Customer is the controller of the personal data processed under this DPA (or, where the Customer is itself a processor acting on behalf of another controller, the Customer is a processor and Thorbis is a sub-processor). Thorbis is the processor (or sub-processor).
Thorbis processes personal data only on the Customer's documented instructions, including the instructions set out in the Terms of Service and the instructions given through the configuration and use of the Service's features, unless required to process by applicable law (in which case Thorbis will inform the Customer of that legal requirement before processing, unless the law prohibits it).
4. Details of the processing
The subject matter, duration, nature, and purpose of the processing, the types of personal data, and the categories of data subjects are as follows:
| Item | Description |
|---|---|
| Subject matter | Provision of the Service to the Customer. |
| Duration | The term of the agreement, plus the post-termination deletion or return period described in Section 10. |
| Nature and purpose | Hosting, communications, scheduling, invoicing, payments support, AI assistance, and related functions necessary to provide the Service. |
| Types of personal data | Contact details; service addresses; job and financial records; communications content and metadata; and employee and payroll figures. |
| Categories of data subjects | The Customer's End Customers; the Customer's personnel; and the Customer's contacts. |
5. Processor obligations
Thorbis will:
- process personal data only on the Customer's documented instructions, including as set out in this DPA and the Terms of Service;
- ensure that persons authorized to process the personal data are bound by appropriate confidentiality obligations;
- implement appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk;
- taking into account the nature of the processing and the information available, assist the Customer — by appropriate technical and organizational measures, insofar as possible — in responding to requests from data subjects and in meeting the Customer's obligations relating to data-protection impact assessments and prior consultations with supervisory authorities;
- make available to the Customer information reasonably necessary to demonstrate compliance with the obligations in this DPA.
6. Personal data breach
Thorbis will notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's personal data, and will provide the Customer with information reasonably available to Thorbis to assist the Customer in meeting its own breach-related obligations under the applicable data protection laws. Thorbis's notification is not an acknowledgment of fault or liability.
7. Sub-processors
The Customer provides a general authorization for Thorbis to engage the sub-processors listed at /legal/subprocessors. Thorbis imposes data-protection obligations on each sub-processor that are no less protective than those in this DPA, and remains responsible for each sub-processor's performance of its obligations.
Thorbis will give the Customer notice of any intended addition or replacement of a sub-processor, and the Customer may object on reasonable data-protection grounds. The mechanism for notice and objection is described at /legal/subprocessors.
8. International transfers
Where personal data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, the parties incorporate the applicable Standard Contractual Clauses (and, for transfers subject to UK law, the UK International Data Transfer Addendum) by reference. The specific module selection and any additional safeguards are to be confirmed in the final, executed DPA.
9. CCPA service-provider terms
To the extent the CCPA/CPRA applies, Thorbis acts as a “service provider.” Thorbis will not sell or share personal information, and will not retain, use, or disclose personal information except as necessary to perform the Service for the Customer or as otherwise permitted by the CCPA. Thorbis certifies that it understands and will comply with these restrictions.
10. Deletion and return
On termination of the Service, at the Customer's choice, Thorbis will delete or return the Customer's personal data, subject to a limited post-termination export window and to any retention required by applicable law. After that window, Thorbis may delete or anonymize the personal data, except to the extent retention is required by law.
11. Audits
Thorbis will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer. Audits are subject to reasonable conditions as to confidentiality, scope, frequency, advance notice, and the protection of other customers' data and Thorbis's systems. The detailed audit conditions are being finalized by counsel before execution.
12. Liability
Each party's liability arising out of or relating to this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.
13. Contact
Privacy and data-protection inquiries: privacy@thorbis.com. Legal notices regarding this DPA: legal@thorbis.com.
Related documents
- Terms of Service
- Acceptable Use Policy
- Payments & Money-Movement Terms
- AI Disclosure & Acceptable Use
- Privacy Policy
- Your Privacy Rights (GDPR & CCPA/CPRA)