Data Processing Addendum

Definitions  

"Controller", "Data Subject", "Personal Data", "Personal Data Breach" and "Processing" shall have the same meaning as in the Data Protection Law, and their cognate terms shall be construed accordingly. 

Data Protection Law means the General Data Protection Regulation (EU) 2016/679 (GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as applicable) and any other relevant local laws relating to the protection of Personal Data, the privacy of individuals and the privacy of electronic communications. 

1. If ThoughtRiver processes any Personal Data on the Customer's behalf when performing its obligations under the Terms, the parties record their intention that the Customer shall be the Data Controller and ThoughtRiver shall be a Data Processor and in any such case: 

1. 1. the Customer agrees that the Personal Data may be transferred or stored outside the European Economic Area (EEA) or the country or countries where the Customer and the Authorised Users are located so long as there is an adequate safeguard in accordance with the Data Protection Law;
      
      
   2. the Customer shall ensure that the Customer is entitled to transfer the relevant Personal Data to ThoughtRiver so that ThoughtRiver may lawfully use, Process and transfer the Personal Data in accordance with the Terms (including the specification at the Annex);
      
      
   3. ThoughtRiver shall ensure any persons authorised by ThoughtRiver to Process the Personal Data have committed themselves to confidentiality;
      
      
   4. ThoughtRiver shall Process the Personal Data only in accordance with the Terms, the Data Protection Law and any lawful instructions reasonably given by the Customer from time to time (including as set out in the Annex). In the event that ThoughtRiver believes such instructions to be contrary to Data Protection Law then it will immediately notify the Customer;
      
      
   5. in the event Union or Member State law requires ThoughtRiver to Process Personal Data otherwise in accordance with the Customer’s instructions, ThoughtRiver shall inform the Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest; and
      
      
   6. taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, each party shall take appropriate technical and organisational measures against unauthorised or unlawful Processing of the Personal Data or its accidental loss, destruction or damage (including, as appropriate, the measures referred to in Article 32(1) of the GDPR). 

2. ThoughtRiver may use sub-processors for the purposes of data hosting and storage providers in connection with the Processing anticipated in the Terms. Provided that any sub-processor shall be required to adhere to equivalent obligations as set out in this addendum, in particular the sub-processor shall be required to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this addendum. ThoughtRiver shall be liable in accordance with this Terms for the acts and omissions of any such sub-processors. 

3. ThoughtRiver shall notify the Customer without undue delay upon ThoughtRiver or any sub-processor becoming aware of a Personal Data Breach affecting the Customer’s Personal Data, providing the Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under Data Protection Law. 

4. ThoughtRiver shall co-operate with the Customer and take such reasonable commercial steps as are directed by the Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach. The Customer shall pay ThoughtRiver’s reasonable costs. 

5. ThoughtRiver shall provide all reasonable information necessary to demonstrate compliance with its obligations set out in this Addendum.  In addition and at the expense of the Customer, ThoughtRiver shall allow for and contribute to reasonable audits, including inspections, conducted by the Customer or another auditor mandated by the Customer upon the Customer first providing reasonable notice.  

6. At the cost of the Customer, ThoughtRiver shall provide reasonable assistance to the Customer in responding to requests from Data Subjects exercising their rights under Data Protection Law in relation to the Terms. 

7. On termination of the Terms, ThoughtRiver shall, at its sole discretion, delete or return all Personal Data provided to it by the Customer under the Terms to the Customer and shall delete existing copies unless (i) it has been archived on back-up systems which ThoughtRiver will securely isolate and protect from further Processing; or (ii) ThoughtRiver are required to keep it under Union or Member State law. 

ANNEX: DETAILS OF PROCESSING OF PERSONAL DATA 

1. The Customer’s personal data may include any personal data that is included within any document that is uploaded by the Customer to the Platform. Depending on the document type, this may include individual names (e.g. contract signatories), customer lists (of the Customer or its clients/suppliers) including name, address, date of birth and customer attributes. The Customer does not intend to supply sensitive personal data within the documents it uploads to the Platform.
   
   
2. The processing of personal data by ThoughtRiver (and any sub-processor) is in conjunction with the Customer’s use of the Platform including for the purpose of providing contract risk reviews, extraction of data points, training of properties created within the Platform and user functionality, product feature enhancement and customer success support.  Further details on the way in which ThoughtRiver may use such data is set out in the Privacy and Security Policy.  
   
   
3. Either party may make reasonable amendments to paragraphs 2 and 3 of this Annex 1 by written notice to the other party from time to time to meet its requirements under the applicable Data Protection Law (including the GDPR).