Rhombus Systems, Inc.
Data Processing Addendum
Updated October 2024
This Data Processing Addendum (the “Data Processing Addendum” or “DPA”) is incorporated by reference into the End User License Agreement ("EULA") between Rhombus Systems, Inc. (“Rhombus”) and the Customer. All capitalized terms used but not otherwise defined herein have the respective meanings ascribed to them in the EULA.
1. DEFINITIONS
Capitalized terms used and not defined in this DPA have the respective meanings assigned to them in the EULA, Order or Documentation.
1.1 “Applicable Law” means all regional, national, and international laws, rules, regulations, and standards, including those imposed by any governmental or regulatory authority, which apply from time to time to the person or activity in the circumstances in question.
1.2 “Controller” means either: (a) the meaning set forth in the relevant Data Protection Laws; or (b) absent such a definition, the Party that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data by Rhombus.
1.3 “Data Breach” means any Personal Data incident or breach, within the meaning of the applicable Data Privacy Laws.
1.4 “Data Privacy Law” means all applicable privacy, security and data protection laws and regulations, as applicable to the Processing of Personal Data hereunder including, without limitation, the “GDPR” (Regulation (EU) 2016/679), the UK Data Protection Act 2018 and the “UK GDPR” (the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018), the “FADP” (the Swiss Federal Act on Data Protection of 19 June 1992, as revised as of 25 September 2020), and the “CCPA” (California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020), in each case as respectively amended or replaced from time to time.
1.5 “Data Subject” means either: (a) the meaning set forth in the relevant Data Protection Laws; or (b) absent such a definition, the identified or identifiable individual who is the subject of Personal Data Processed by Rhombus for the Customer, the Processing of which is governed under applicable Data Privacy Law. The term “Data Subject” also includes the term “consumer” as defined under the CCPA and the CPRA.
1.6 “EU Standard Contractual Clauses” or “EU SCCs” means the Standard Contractual Clauses between Controllers and Processors, and between Processors and Processors, as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
1.7 “Personal Data” means any information Processed by Rhombus on behalf of Customer that: (a) the relevant Data Protection Laws define as “personal information” or “personal data” or such other definition of similar import; or (b) in absence of such a definition in the relevant Data Protection Laws, such information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Data Subject. Without limiting the foregoing, the term “Personal Data” includes any “personal data” as defined under the GDPR and any “personal information” as defined under the CCPA and the CPRA.
1.8 “Process” means either: (a) the meaning set forth in the relevant Data Protection Laws; or (b) absent such a definition, any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure or destruction. “Processing” and “Processed” have correlative meanings.
1.9 “Processor” means either: (a) the meaning set forth in the relevant Data Protection Laws; or (b) absent such a definition, the Party that Processes Personal Data on behalf of a Controller. Without limiting the foregoing, the term “Processor” includes a “service provider” or a “contractor” under the CCPA or CPRA.
1.10 “Services” means the provision of services or other work product by Rhombus as described and set out in the EULA, Order or Documentation.
1.11 “Sub-processor” means a third party engaged by Rhombus to assist with the provision of the Services which involves the Processing of Personal Data.
1.12 “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses of 21 March 2022, as issued by the Information Commissioner of the United Kingdom.
2. STATUS OF PARTIES
The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller and Rhombus is the Processor of Personal Data that is Processed on behalf of Customer pursuant to the EULA or this DPA.
3. SCOPE OF DATA PROCESSING
The nature, scope, purpose and duration of Rhombus’s Processing of Personal Data is set forth in Schedule A. The parties agree and acknowledge that the disclosure of Personal Data to Rhombus is for a business purpose (as defined under the CCPA or other Applicable Law) and such disclosure is not made for any monetary or other valuable consideration.
4. PROCESSOR OBLIGATIONS
4.1 Rhombus agrees and covenants that it shall: (a) not create, collect, receive, access, use, or otherwise Process the Personal Data in violation of any Applicable Law (including Data Protection Laws); (b) Process the Personal Data solely and exclusively for the purposes for which the Personal Data, or access to it, is provided pursuant to the terms and conditions of the EULA and this DPA; and (c) with respect to Personal Data to which the CCPA applies: (i) Rhombus acknowledges and confirms that it will not receive or Process any Personal Data as consideration for the Services; (ii) Rhombus shall not have, derive, or exercise any rights or benefits regarding Personal Data Processed on behalf of Customer; (iii) Rhombus certifies that it understands the rules, requirements and definitions of the CCPA, and will refrain from selling or sharing (as such terms are defined in the CCPA) any Personal Data Processed hereunder without Customer's prior written consent; (iv) Rhombus shall not Process Personal Data for any purpose other than for the business purpose specified in this DPA or outside the business relationship provided in the EULA, or combine Personal Data other than as permitted by the CCPA; and (v) Customer is enabled to take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Data.
4.2 Notwithstanding the foregoing, unless explicitly prohibited by Customer in writing (including under the EULA or this DPA), Rhombus may use the Personal Data: (a) to the extent required by applicable Data Protection Laws; (b) to detect a Data Breach; (c) to protect against fraudulent or illegal activity; and (d) as otherwise explicitly required under Data Protection Law.
4.3 Rhombus will Process the Personal Data only in accordance with any written Customer instructions received by Rhombus with respect to the Processing of such Personal Data and in a manner necessary for the provision of Services by Rhombus, including, without limitation, any Processing in accordance with this DPA and the EULA. Customer’s instructions shall be issued in writing or via e-mail and shall include such instructions set forth in this Section 4.3 of this DPA. Rhombus shall not Process the Personal Data for any other purpose or in a way that does not comply with this DPA without the explicit consent of the Customer. Without limiting the foregoing, Customer hereby instructs Rhombus to Process Personal Data for the following purposes: (a) as necessary for the provision of the Services and in accordance with the EULA; (b) as necessary for Processing initiated by Data Subjects in their use of the Products and Services and only as necessary for the provision of the Services and in accordance with the EULA, this DPA and Customer’s reasonable instructions; and (c) as necessary to comply with the other reasonable instructions provided by Customer to Rhombus (e.g., via email or via support requests) where such instructions are consistent with the terms of the EULA. Customer further instructs Rhombus that it may aggregate, deidentify, or anonymize Personal Data (“Aggregated Data”) such that it is no longer considered Personal Data and use such Aggregated Data for its own purposes.
4.4 In the event Rhombus is required under any Applicable Law to Process Personal Data in excess of Customer’s documented instructions, Rhombus shall immediately notify Customer of such a requirement, unless such Applicable Law prohibits such notification on important grounds of public interest, in which case it will notify Customer as soon as the Applicable Law permits it to do so.
4.5 Rhombus shall promptly notify Customer if Rhombus reasonably believes that an instruction issued by Customer would violate any Data Privacy Laws. Rhombus shall also promptly inform Customer in the event Rhombus cannot reasonably provide compliance with this DPA for whatever reason. In such an event, Customer may immediately suspend any Processing of Personal Data and/or terminate the Services pursuant to the EULA without penalty, and receive a prorated refund of any prepaid Service fees for the period following such termination.
4.6 Taking into account the nature of the Processing, Rhombus shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to a request from a Data Subject to exercise the Data Subject’s rights with respect to their Personal Data under applicable Data Protection Laws, including, but not limited to, any rights of access, rectification, restriction of Processing (including rights to not have Personal Data sold, if applicable), erasure, data portability, objection to the Processing, or the right not to be subject to automated individual decision-making (“Data Subject Request”). The parties agree and acknowledge that Rhombus may, but is not required to, fulfill its obligations described in the foregoing sentence by providing Customer with access to technological measures such that it can fulfill the Data Subject Request without assistance from Rhombus. To the extent that Customer cannot, through its use of the technological measures available through the Products and Services (if any), or does not have the ability to address the Data Subject Request, Rhombus shall, upon reasonable request from the Customer, use commercially reasonable efforts to assist Customer in responding to such Data Subject Request. Rhombus shall, to the extent legally permitted, promptly notify Customer if Rhombus receives a Data Subject Request. Rhombus shall not respond to a Data Subject Request except on the documented instructions of Customer or as required under Applicable Law. To the extent legally permitted, Customer shall be responsible for any costs arising from Rhombus’s performance under this Section 4.6.
4.7 Rhombus shall, to the extent specifically required under applicable Data Privacy Law, assist Customer in complying with its obligations with respect to Personal Data under applicable Data Privacy Laws, including, without limitation, the obligations set forth in Articles 32 to 36 of the GDPR.
4.8 Rhombus represents and warrants that it complies and will comply with applicable Data Privacy Laws and with its obligations as a Processor. In particular, Rhombus shall keep records of its Processing performed on behalf of Customer, which shall include at least: (a) the details of Processor and of the Controller, their representatives, and data protection officers; (b) the categories of Processing performed; (c) information regarding cross-border data transfers, if any; (d) a description of the technical and organizational security measures implemented in respect of the Processed Personal Data; (e) any other information required by applicable Data Privacy Laws.
4.9 Where permitted by applicable laws, Rhombus shall promptly inform Customer if it receives a legally binding request from a governmental or law enforcement authority, including judicial authorities, relating to the Processing of Personal Data under this DPA, and shall review the legality of such request. If, after careful assessment, Rhombus concludes that there are reasonable grounds to believe that the request is unlawful under applicable Data Privacy Laws or any other applicable laws, Rhombus may, at Customer’s expense, challenge the request and seek interim measures to suspend the effects of the request until the competent judicial authority has decided on its merits. In any event, Rhombus shall not disclose Personal Data requested until required to do so under the applicable procedural rules. When responding to such a request for disclosure, Rhombus shall only provide the minimum amount of Personal Data permissible based on a reasonable interpretation of the request.
4.10 Rhombus will ensure that persons authorized to Process Personal Data on behalf of Rhombus have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Rhombus shall ensure that each of Rhombus’s authorized persons has access to Personal Data only as necessary for the purpose of providing the Services under the EULA and as strictly required by applicable laws.
5. CUSTOMER OBLIGATIONS
5.1 Customer Obligations. Customer will, in its configuration and use of the Products and Services, Process Personal Data in accordance with the requirements of applicable Data Privacy Laws. Customer’s instructions to Rhombus for the Processing of Personal Data will comply with Data Privacy Laws and Customer will have sole responsibility for the Processing of any Personal Data Processed by Customer, or by Rhombus on Customer’s behalf where in accordance with this DPA, and for the accuracy, quality, and legality of such Personal Data. Customer shall be solely responsible for determining the means and purposes of the Processing of Personal Data performed by Customer or by Rhombus on Customer’s behalf. Customer shall be solely responsible for the unauthorized Processing of Personal Data under its direct control or possession. Nothing in this clause shall be deemed to limit Rhombus’s liability for any Processing activities performed in breach of the EULA, this DPA and Customer's reasonable instructions.
5.2 Licenses, Consents, and Registrations. Customer shall obtain all material licenses, authorizations, approvals, consents (including consents from Data Subjects), or permits required under applicable Data Protection Laws to Process the Personal Data pursuant to this DPA, the EULA, or as required under Data Protection Laws to perform under this DPA or the EULA.
5.3 Capture of Biometric Information; License Plate Recognition. If required by Applicable Laws, Customer shall disable all features of the Rhombus Products and Services that allow Customer to capture and record (a) biometric information, including without limitation, facial recognition attributes, and (b) license plate identification information.
6. SECURITY
6.1 Security Measures. Taking into account the state of the art, costs of implementation, and nature, scope, context, and purposes of the Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, Rhombus shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as further set forth in the EULA and Schedule B of this DPA.
6.2 Security Breach Notification. Rhombus shall notify Customer of any Data Breach or potential Data Breach of Personal Data Processed by Rhombus (or its Sub-processors) on behalf of Customer, without undue delay and in any event no later than 36 (thirty-six) hours after becoming aware of the Data Breach or the potential Data Breach. Such notice shall be sent to Customer, and shall include at least: (a) a description of the nature, date and time of the Data Breach, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (b) the contact details of the data protection officer, or of any other individual or team from whom more information can be obtained; (c) a description of the likely consequences of the Data Breach; and (d) a description of the measures taken or proposed to be taken to address the Data Breach and the measures to mitigate its possible adverse effects. Rhombus shall take all necessary steps to investigate, document, remediate and/or mitigate the causes and the effects of the Data Breach, and shall fully cooperate with Customer for these purposes. Upon request, Rhombus shall provide Customer with sufficient information to allow Customer to meet any obligations under applicable Data Privacy Laws, including the obligation to report to or inform Data Subjects, supervisory authorities, or any other applicable authority or entity. Rhombus will not make, disclose, release or publish any finding, admission of liability, communication, notice, press release or report concerning any Data Breach which directly or indirectly identifies Customer (including in any legal proceeding or, where applicable, in any notification to Data Subjects, supervisory authorities, and/or any other applicable authority or entity), without Customer’s prior written approval, unless, and solely to the extent that, Rhombus is compelled to do so pursuant to applicable Data Privacy Laws. In such a case, unless prohibited by applicable laws, Rhombus shall provide Customer with reasonable prior written notice to give Customer the opportunity to object to such disclosure and, in any case, Rhombus will limit the disclosure to the minimum scope legally required.
7. SUB-PROCESSORS
Customer acknowledges and agrees that Rhombus may engage Sub-processors to Process Personal Data in connection with the provision of the Services. A list of Rhombus’s current Sub-processors is provided in Schedule A and is hereby deemed authorized. Rhombus shall notify Customer of any change to the current Sub-processor list at least 30 (thirty) calendar days before authorizing any change. Such notice shall include, at least: (a) the name of the (proposed) Sub-processor; (b) a description of the (new) service provided by the Sub-processor; (c) the type of Personal Data Processed by the Sub-processor; (d) a description of the Data Subjects whose Personal Data will be Processed by the Sub-processor; and (e) the location of the Processing performed by the Sub-processor. To object, Customer shall notify Rhombus in writing at privacy@rhombussystems.com. In response to the objection, Rhombus will use reasonable efforts to assess and/or make available to Customer a change in the Service to avoid Processing of Personal Data by the objected-to Sub-processor without unreasonably burdening Customer. If Rhombus is unable to accommodate Customer’s request and make available such alternative arrangements within 30 (thirty) calendar days, Customer may suspend or terminate the EULA and this DPA without penalty, and receive a prorated refund of any prepaid Service fees for the period following such termination. In any case of suspension, Rhombus’s obligations to maintain the technical and organizational measures provided in Section 6.1, including securely storing Personal Data, and to cooperate for the purposes provided in Sections 4.6 and 4.7, shall survive. Rhombus will enter into written agreements with each Sub-processor containing the same or materially similar data protection obligations as set out in this DPA. Where a Sub-processor fails to fulfill its data protection obligations concerning the Processing of Personal Data, Rhombus shall remain responsible to Customer for the performance of the Sub-processor’s obligations.
8. INTERNATIONAL DATA TRANSFERS
8.1 Permitted Countries for Processing; Cross-Border Data Transfer Restrictions.
(a) Transfers by Customer. The Parties agree that if Customer transfers Personal Data to Rhombus within the scope of this DPA from the European Union (the "EU") member states and the three other European Economic Area member countries (Norway, Liechtenstein and Iceland) (collectively, the "EEA"), Switzerland or the United Kingdom (the "UK") to countries which have not been subject to an adequacy decision published by the European Commission or any other relevant data protection authority of the EEA, the EU, the EU member states, Switzerland, and/or the UK ("Adequacy Decisions"): (i) the terms set forth in Part 1 of Schedule C attached hereto shall apply to any such transfer from the EEA ("EEA Transfer"); (ii) the terms set forth in Part 2 of Schedule C attached hereto shall apply to any such transfer from the UK ("UK Transfer"); (iii) the terms set forth in Part 3 of Schedule C attached hereto shall apply to any such transfer from Switzerland ("Swiss Transfer"); and (iv) the terms set forth in Part 4 of Schedule C attached hereto ("Additional Safeguards") shall apply to any EEA Transfer, UK Transfer and/or Swiss Transfer.
(b) Transfers by Rhombus. Personal Data may be transferred by Rhombus from the EEA, Switzerland or the UK to: (i) countries that offer an adequate level of data protection under or pursuant to an Adequacy Decision, as applicable, without any further safeguard being necessary; and/or (ii) other countries, provided that Rhombus obtains Customer's consent and puts in place an alternative recognized compliance mechanism for the lawful transfer of Personal Data pursuant to applicable Data Protection Laws (e.g., EU SCCs, UK Addendum).
9. RETURN AND DESTRUCTION
9.1 Without prejudice to any obligations under this Section 9, following termination or expiration of the EULA for whatever reason, Rhombus shall, and shall cause all Sub-processors to, cease Processing Personal Data except as otherwise set forth hereunder.
9.2 Upon termination of the EULA by Customer for cause, Rhombus shall destroy all copies of Personal Data that remain available by the earlier of (a) the date Customer provides notice and demand to Rhombus, or (b) thirty (30) days after the effective date of termination, unless otherwise required to retain such Personal Data in accordance with Applicable Laws. Upon expiration of the EULA, or termination of the EULA by Customer without cause or by Rhombus for cause, Rhombus shall destroy all copies of Personal Data and provide notice to Customer, unless otherwise required to retain such Personal Data in accordance with Applicable Laws.
9.3 In the event Rhombus retains Personal Data after the Term, Rhombus’s confidentiality and privacy obligations hereunder shall survive the termination or expiration of this DPA and Rhombus shall continue to comply with such obligations until it is no longer in possession of Personal Data.
10. AUDITS
10.1 Rhombus shall, upon receiving at least thirty (30) days prior written notice from Customer, submit or procure that its Sub-processors submit (as requested, provided such Sub-processor permits such audit), Rhombus’s or Rhombus’s Sub-processors’ data Processing facilities for a reasonable audit of Processing activities carried out under this DPA, where such audit shall be carried out by an independent third-party auditor mutually agreed upon by the parties and bound by a duty of confidentiality (“Auditor”) and, where applicable, approved by the relevant supervisory authority. Any effort as well as internal and external costs of audits requested by Customer pursuant to this Section 10 shall be borne by Customer, unless Rhombus or its Sub-processors are found to be in breach of this DPA.
10.2 Rhombus shall provide Customer or Auditor, at Customer’s cost and expense, with the necessary information and shall keep the necessary records required for an audit of the Processing of Personal Data during the Term, and will, subject to Applicable Law, provide or make available said documents and/or data media to Customer upon written request. Rhombus shall provide reasonable support for any and all audits of Customer or Auditor under this Section 10.2 and shall reasonably contribute to the complete and efficient completion of the audit.
11. MISCELLANEOUS
11.1 Changes in Data Protection Legislation. Both Rhombus and Customer may: (a) by providing at least thirty (30) days’ written notice to the other party, from time to time request modifications to this DPA which are required as a result of any change in, or decision of a competent authority under, the Data Privacy Laws, to allow such Processing to be performed (or continue to be performed) without breach of such Data Privacy Laws; and (b) propose any other variation to this DPA which either party reasonably considers to be necessary to address the requirements of any Data Privacy Laws. The Parties shall negotiate in good faith to reach commercially reasonable terms to accommodate any such requested changes.
11.2 Interpretation. Unless the context otherwise requires, references in this DPA to a statute mean such statute as amended from time to time and include any successor legislation thereto and any regulations promulgated thereunder.
###
SCHEDULE A OF THE DPA
1. Data Processing Purposes and Details.
1.1 Nature of the Processing. Collection, recording, organizing, structuring, storing, adapting and altering, retrieving, consulting, use, disclosing by transmission, disseminating, and making available Personal Data (described below) for the Data Subjects and purposes described below.
1.2 Purposes of the Processing. To provide cloud-based physical security surveillance services to Customer, and alarm monitoring Services only in the territories set forth below:
Processor | Product Category | Territories
Rhombus Systems, Inc. | Products: Software | As set forth in the applicable Order.
Rhombus Systems, Inc. | Services | United States only.
1.3 Categories of Data Subjects. Personnel of Customer and other individuals in or near Customer's facilities, such as those within an area subject to security surveillance by Customer (Customer solely controls the areas and locations to be under surveillance, and therefore controls the nature and scope of data subjects). In addition, for the purpose of delivering Alarm Monitoring Services, the emergency contacts identified by Customer.
1.4 Categories of Personal Data. Name and contact information for those with access to the platform; video recordings (with image and audio) from camera feeds. For the purpose of providing the Alarm Monitoring Services only, Processor will have limited access to video recordings from camera feeds, contact information for Customer’s Emergency Contacts, phone conversation recordings between Rhombus and the Emergency Contacts, and the Emergency Contacts' location. To the extent enabled by Customer in the Products and Services, (a) biometric information, including without limitation, facial recognition attributes, and (b) license plate identification information.
1.5 Duration of Processing. For the duration of the EULA and any period for which Rhombus is required to retain Personal Data under Applicable Laws. Customer may set the video recording retention period at the end-point for each camera, subject to any limitations on the storage capacity of each purchased camera, and may configure the backup and retention period of files stored on the platform based on the Services procured in the applicable Order.
1.6 Frequency of Processing (once or continuous). Continuous during the term.
1.7 Sub-processors. Rhombus is authorized to engage the following Sub-processors:
Entity | Type of Service | Location | Processing Activities
Amazon Web Services | Infrastructure as a Service | US (East and West), EU (UK and Germany), APAC (Sydney, Mumbai), Africa (Cape Town), South America (Sao Paulo) | Cloud and data hosting services for the Rhombus Platform.
BackBlaze | Infrastructure as a Service | US | Cloud and data hosting services for the Rhombus Platform.
Wasabi | Infrastructure as a Service | US | Cloud and data hosting services for the Rhombus Platform.
Google Analytics | Software as a Service | US | Aggregated usage analytics with no customer identifiable information.
New Relic | Software as a Service | US | Aggregated infrastructure analytics with no customer identifiable information.
Noonlight | Alarm Monitoring Services | US | Monitoring of customer video and sensor feeds.
###
SCHEDULE B OF THE DPA
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
1. DEFINITIONS
Capitalized terms used herein shall have the meanings ascribed to them in the main body of the DPA, the EULA, this Schedule B, or as otherwise defined below.
1.1 “Authorized Representatives” means Rhombus’s Representatives who have a need to know or otherwise access Personal Data to enable Rhombus to perform its obligations under the Agreement and this Exhibit, and who are bound in writing by confidentiality and other obligations sufficient to protect Personal Data in accordance with the terms and conditions of the Agreement and this Exhibit.
1.2 “AWS” has the meaning set forth in Section 2.1.
1.3 “Compliance Resources” has the meaning set forth in Section 2.1.
1.4 “Security Incident” means a breach of security leading to the accidental, unlawful, or unauthorized destruction, loss, alteration, or disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by Rhombus.
2. STANDARD OF CARE
2.1 Hosting by IaaS Providers. Customer acknowledges and understands that the Hosted Services are hosted by Amazon Web Services, Inc. (“AWS”), and that Customer data may be stored with BackBlaze, Inc. (“BackBlaze”) and/or Wasabi Technologies, Inc. (“Wasabi”), each a third-party service provider. Customer further acknowledges and agrees that Rhombus has no control over the third-party service provider’s environment or how the third-party service provider maintains its environment. Accordingly, the requirements set forth in this Exhibit shall only apply to Rhombus’s internal infrastructure and the subscribed third-party service provider’s service offerings which constitute the cloud infrastructure that hosts the Hosted Services (solely to the extent Rhombus can modify, alter, or otherwise define the configuration of such cloud infrastructure). The Parties acknowledge and agree that each third-party service provider makes certain representations regarding its security processes and procedures (as generally available at https://aws.amazon.com/security, https://www.backblaze.com/cloud-storage/security, and https://wasabi.com/cloud-object-storage/security, respectively), and that Customer has reviewed, understood, and approved of such security processes and procedures. Customer may, at any time, verify each third-party service provider’s compliance by going to the following webpages: https://docs.aws.amazon.com/whitepapers/latest/aws-risk-and-compliance/welcome.html and https://aws.amazon.com/compliance/, https://www.backblaze.com/cloud-storage/compliance and https://help.backblaze.com/hc/en-us/sections/360004095614-Compliance, and/or https://info.wasabi.com/dc_report_request (“Compliance Resources”). The Compliance Resources are available to Customer on a 24/7 basis, and include the then-current SOC 3 report, ISO 27001 certification and other applicable privacy and security documentation. Customer acknowledges and agrees that the Compliance Resources are provided by the respective third-party service providers, and Rhombus has no control over, and no liability for, the accuracy or completeness of the contents thereof.
2.2 Personal Data. Rhombus acknowledges and agrees that, in the course of its engagement by Customer, Rhombus may create, receive, or have access to Personal Data. Rhombus shall comply with the terms and conditions set forth in the EULA, the DPA, and Customer’s reasonable instructions in its creation, collection, receipt, transmission, storage, disposal, use, and disclosure of such Personal Data and be responsible for any unauthorized creation, collection, receipt, transmission, access, storage, disposal, use, or disclosure of Personal Data under its control or in its possession by all Authorized Representatives in breach of the EULA, the DPA, or Customer’s reasonable instructions. Rhombus shall be responsible for, and remain liable to, Customer for the actions and omissions of all Authorized Representatives concerning the treatment of Personal Data as if they were Rhombus’s own actions and omissions.
3. INFORMATION SECURITY
3.1 Compliance with Laws and Regulations. Rhombus represents and warrants that its creation, collection, receipt, access, use, storage, disposal, and disclosure of Personal Data does and will comply with all applicable federal, state, and international privacy and data protection laws, as well as all other applicable regulations and directives, including, to the extent applicable, the EU General Data Protection Regulation 2016/679.
3.2 Written Information Security Policy. Rhombus shall implement and maintain a written information security program including appropriate policies, procedures, and risk assessments that are reviewed at least annually.
3.3 Safeguards. Without limiting Rhombus’s obligations under Section 3.1, Rhombus shall implement commercially reasonable administrative, physical, and technical safeguards to protect Personal Data from unauthorized access, acquisition, or disclosure, destruction, alteration, accidental loss, misuse, or damage that are no less rigorous than generally accepted industry practices and shall otherwise ensure that all such safeguards, including the manner in which Personal Data is created, collected, accessed, received, used, stored, processed, disposed of, and disclosed, comply with applicable data protection and privacy laws, as well as the terms and conditions of the EULA, this DPA, or Customer’s reasonable instructions.
3.4 Minimum Safeguards. At a minimum, Rhombus’s safeguards for the protection of Personal Data shall include: (a) limiting access of Personal Data to Authorized Representatives; (b) securing business facilities, data centers, paper files, servers, backup systems, and computing equipment, including, but not limited to, all mobile devices and other equipment with information storage capability; (c) implementing network, application, database, and platform security; (d) securing information transmission, storage, and disposal; (e) implementing authentication and access controls within media, applications, operating systems, and equipment; (f) encrypting Personal Data stored on any mobile media; (g) encrypting Personal Data transmitted over public or wireless networks; (h) conducting risk assessments, penetration testing, and vulnerability scans and promptly implementing, at Rhombus’s sole cost and expense, a corrective action plan to correct any issues that are reported as a result of the testing; (i) implementing appropriate personnel security and integrity procedures and practices; and (j) providing appropriate privacy and information security training to Rhombus’s employees.
3.5 Compliance by Authorized Representatives. Rhombus shall require each Authorized Representative to be subject to a written obligation to comply with Rhombus’s written information security program and shall maintain a disciplinary process to address any failure to so comply.
4. SECURITY INCIDENT PROCEDURES
4.1 Incident Response Plan. Rhombus maintains a cyber incident breach response plan in accordance with generally accepted industry standards and will implement the procedures required under such plan on the occurrence of a Security Incident.
4.2 Security Contacts. Rhombus shall: (a) provide Customer with the name and contact information of Rhombus which shall serve as Customer’s primary security contact and shall be available to assist Customer via telephone on Business Days during the hours of 8:00 AM and 5:00 PM Pacific Time and all other times via email as a contact in resolving obligations associated with a Security Incident; and (b) notify Customer via telephone or email of a Security Incident without undue delay in accordance with this DPA.
4.3 Notification of Security Incidents. Promptly following Rhombus’s notification to Customer of a Security Incident, the Parties shall coordinate with each other to investigate the Security Incident. Rhombus agrees to reasonably cooperate with Customer in Customer’s handling of the matter, including, without limitation: (a) assisting with any investigation; and (b) making available all relevant records, logs, files, data reporting, and other materials required to comply with applicable law, regulation, industry standards, or as otherwise reasonably required by Customer.
4.4 Security Incident Containment. Rhombus shall at its own expense take reasonable steps to immediately contain and remedy any Security Incident and prevent any further Security Incident, including, but not limited to taking any and all action necessary to comply with applicable privacy rights, laws, regulations, and standards.
4.5 Notice to Affected Individuals. Rhombus agrees that it shall not inform any third-party of any Security Incident without first obtaining Customer’s prior written consent, other than to inform a complainant that the matter has been forwarded to Customer’s legal counsel. Further, Rhombus agrees that Customer shall have the sole right to determine: (a) whether notice of the Security Incident is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies, or others as required by law or regulation, or otherwise in Customer’s discretion; and (b) the contents of such notice, whether any type of remediation may be offered to affected persons, and the nature and extent of any such remediation, provided, however, that Customer shall be solely liable for any and all costs of such notifications or other remediation efforts except to the extent that the Security Incident is a direct result of Rhombus’s gross negligence or more culpable acts or omissions. Notwithstanding the foregoing, nothing in this Section 4.5 shall prohibit Rhombus from making a statement related to the data of any other customer of Rhombus, to any individuals, regulators, law enforcement agencies, consumer reporting agencies, or others.
4.6 Record Maintenance. Rhombus agrees to maintain and preserve all documents, records, and other data related to any Security Incident.
4.7 Cooperation. Rhombus agrees to reasonably cooperate with Customer in any litigation, investigation, or other action deemed reasonably necessary by Customer to protect its rights relating to the use, disclosure, protection, and maintenance of Personal Data.
4.8 Prevention. In the event of any Security Incident, Rhombus shall promptly use its reasonable efforts to prevent a recurrence of any such Security Incident.
5. OVERSIGHT OF SECURITY COMPLIANCE
Subject to Section 2.1, at least once per year, Rhombus shall conduct a security controls review and/or audit of the Hosted Services by a recognized third-party audit firm based on recognized industry standards. Rhombus will promptly address any exceptions noted by such security controls review and/or audit with the development and implementation of a corrective action plan by Rhombus’s management. Rhombus will make results of such controls review or audit available to Customer upon request and will timely address noted exceptions. Customer shall treat such audit results as Rhombus’s Confidential Information under the Agreement.
SCHEDULE C OF THE DPA
PART 1 – EEA TRANSFER
The Parties agree that the terms of the EU SCCs are herein incorporated by reference and shall apply to any EEA Transfer, with the following specifications:
1. Module Two (Controller to Processor) shall apply where the EEA Transfer is effectuated by Customer as the Controller of the Personal Data and Rhombus is a Processor of the Personal Data.
2. Clause 7 (Docking Clause): shall not apply.
3. Clause 9 (Use of sub-processors): Option 2: GENERAL WRITTEN AUTHORISATION shall apply, and the method for appointing and time period for prior notice of Sub-processor changes shall be as set forth in the DPA.
4. Clause 11 (Redress): the optional language will not apply.
5. Clause 17 (Governing law): Option 1 shall apply and the governing law is the law of the Republic of Ireland.
6. Clause 18 (Choice of forum and jurisdiction), lett. (b): the elected forum is the courts of the Republic of Ireland.
7. Annex I.A (List of parties) shall be completed as follows:
7.1 Data Exporter: Customer shall provide and complete this as appropriate.
- Name: Customer is the Controller.
- Contact details: Customer’s address for notice pursuant to the EULA.
- Data Exporter Role: Module Two (Controller to Processor): Data Exporter is the Controller.
- Activities relevant to the data transferred: As detailed in Schedule A of the DPA.
- Signature and Date: By entering into the DPA, Data Exporter is deemed to have signed these EU SCCs incorporated herein, including their Annexes, as of the execution date of the DPA.
7.2 Data Importer:
- Name: Rhombus Systems, Inc.
- Contact details: privacy@rhombussystems.com
- Data Importer Role: Module Two (Controller to Processor): Data Importer is a Processor.
- Activities relevant to the data transferred: As detailed in Schedule A of the DPA.
- Signature and Date: By entering into the DPA, Data Importer is deemed to have signed these EU SCCs incorporated herein, including their Annexes, as of the execution date of the DPA.
8. Annex I.B (Description of the transfer) shall be completed as follows:
- Categories of data subjects whose data is transferred: As detailed in Schedule A of the DPA.
- Categories of personal data transferred: As detailed in Schedule A of the DPA.
- Frequency of the transfer: Continuous.
- Nature of the processing: As detailed in Schedule A of the DPA.
- Purpose of the data transfer and further processing: As detailed in Schedule A of the DPA.
- Period for which the personal data will be retained: As detailed in Schedule A of the DPA.
- For transfers to Sub-processors, the subject matter, nature, and duration of the processing are as set forth in Schedule A of the DPA.
9. Annex I.C (Competent supervisory authority) shall be completed as follows: The competent supervisory authority in accordance with Clause 13 is the supervisory authority stipulated in Clause 18.
10. Annex II (Technical and organizational measures): As detailed in Schedule B of the DPA.
11. To the extent there is any conflict between the EU SCCs and any other terms in this Part 1, the DPA or the Contract, the provisions of the EU SCCs will prevail.
PART 2 – UK TRANSFER
The Parties agree that the terms of the UK Addendum are herein incorporated by reference and shall apply to any UK Transfer, with the following specifications:
1. Table 1 shall be completed with the Parties, as stipulated in Section 8 of Part 1 of this Schedule C.
2. Table 2 shall be completed with the EU SCCs, Modules and Selected Clauses, as stipulated in Part 1 of this Schedule C.
3. Table 3 shall be completed with the EU SCCs Annexes Information (Appendix Information), as stipulated in Part 1 of this Schedule C.
4. Entering into this Part 2:
4.1 Each Party agrees to be bound by the terms and conditions set out in this Part 2, in exchange for the other Party also agreeing to be bound by this Part 2.
4.2 Although Annex 1A of the EU SCCs requires signatures by the Parties, for the purpose of making a UK Transfer, the Parties may enter into this Part 2 in any way that makes it legally binding on the Parties and allows data subjects to enforce their rights as set out in this Part 2. Entering into this Part 2 will have the same effect as signing the EU SCCs and any part of the EU SCCs.
5. Interpretation of this Part 2:
5.1 Where this Part 2 uses terms that are defined in the EU SCCs, those terms shall have the same meaning as in the EU SCCs. In addition, the following terms have the following meanings:
“Appropriate Safeguards”: The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when the Parties are making a UK Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR.
“ICO”: The Information Commissioner.
“UK Transfer”: A transfer which is covered by Chapter V of the UK GDPR.
“UK”: The United Kingdom of Great Britain and Northern Ireland.
“UK Data Protection Laws”: All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
5.2 This Part 2 must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfills the Parties’ obligation to provide the Appropriate Safeguards.
5.3 If the provisions included in Part 1 amend the EU SCCs in any way which is not permitted under the EU SCCs or this Part 2, such amendment(s) will not be incorporated by this Part 2 and the equivalent provision of the EU SCCs will take their place.
5.4 If there is any inconsistency or conflict between UK Data Protection Laws and this Part 2, UK Data Protection Laws apply.
5.5 If the meaning of this Part 2 is unclear or there is more than one meaning, the meaning that most closely aligns with UK Data Protection Laws applies.
5.6 Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted, and/or replaced after this Part 2 has been entered into.
6. Hierarchy:
6.1 Although Clause 5 of the EU SCCs sets out that the EU SCCs prevail over all related agreements between the Parties, the Parties agree that, for any UK Transfer, the hierarchy in Section 6.2 below will prevail.
6.2 Where there is any inconsistency or conflict between the UK Addendum and Part 1 (as applicable), this UK Addendum overrides Part 1, except where (and in so far as) the inconsistent or conflicting terms of Part 1 provide greater protection for data subjects, in which case those terms will override the provisions of this UK Addendum.
6.3 Where this Part 2 incorporates Part 1 which has been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Part 2 impacts that Part 1.
7. Incorporation and changes to the EU SCCs:
7.1 This Part 2 incorporates the EU SCCs which are amended to the extent necessary so that:
a. Together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
b. Section 6 overrides Clause 5 (Hierarchy) of the EU SCCs; and
c. This Part 2 (including Part 1 incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
7.2 Unless the Parties have agreed on alternative amendments which meet the requirements of Section 7.1 above, the provisions of Section 7.4 below will apply.
7.3 No amendments to the EU SCCs other than to meet the requirements of Section 7.1 above may be made.
7.4 The following amendments to the EU SCCs (for the purpose of Section 7.1 above) are made:
a. References to the “Clauses” means this Part 2, incorporating the EU SCCs;
b. In Clause 2, delete the words: “and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
c. Clause 6 (Description of the transfer(s)) is replaced with: “The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
d. To the extent applicable, Clause 8.7(i) of Module One (Controller to Controller) is replaced with: “it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
e. Clause 8.8(i) of Modules Two (Controller to Processor) and Three (Processor to Processor) is replaced with: “the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”;
f. References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
g. References to Regulation (EU) 2018/1725 are removed;
h. References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
i. To the extent applicable, the reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module One (Controller to Controller), is replaced with “Clause 11(c)(i)”;
j. Clause 13(a) and Part C of Annex I are not used;
k. The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
l. In Clause 16(e), subsection (i) is replaced with: “the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
m. Clause 17 is replaced with: “These Clauses are governed by the laws of England and Wales.”;
n. Clause 18 is replaced with: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
o. The footnotes to the EU SCCs do not form part of this Part 2, except for footnotes 8, 9, 10 and 11.
8. Amendments to this Part 2:
8.1 The Parties may agree to change Clause 17 and/or 18 of the EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
8.2 If the Parties wish to change the format of the information included in Tables 1, 2 or 3 of this Part 2, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
8.3 From time to time, the ICO may issue a revised UK Addendum which:
a. Makes reasonable and proportionate changes to the UK Addendum, including correcting errors in the UK Addendum; and/or
b. Reflects changes to UK Data Protection Laws.
The revised UK Addendum will specify the start date from which the changes to the UK Addendum are effective and whether the Parties need to review this Part 2 including the Appendix Information. This Part 2 is automatically amended as set out in the revised UK Addendum from the start date specified.
8.4 If the ICO issues a revised UK Addendum under Section 8.3 above, if any Party will as a direct result of the changes in the UK Addendum have a substantial, disproportionate and demonstrable increase in:
a. Its direct costs of performing its obligations under this Part 2; and/or
b. Its risk under this Part 2,
and in either case, it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Part 2 at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised UK Addendum.
8.5 The Parties do not need the consent of any third party to make changes to this Part 2, but any changes must be made in accordance with its terms.
PART 3 – SWISS TRANSFER
The Parties agree that the EU SCCs as detailed in Part 1 of this Schedule C shall be adjusted as set out below where the FADP applies to Swiss Transfers:
1. References to the EU SCCs mean the EU SCCs as amended by this Part 3;
2. The Swiss Federal Data Protection and Information Commissioner shall be the sole Supervisory Authority for Swiss Transfers exclusively subject to the FADP;
3. The terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as utilized in the EU SCCs shall be interpreted to include the FADP with respect to Swiss Transfers;
4. References to Regulation (EU) 2018/1725 are removed;
5. Swiss Transfers subject to both the FADP and the GDPR, shall be dealt with by the EU Supervisory Authority named in Part 1 of this Schedule C;
6. References to the “Union”, “EU” and “EU Member State” shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of exercising their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs;
7. Where Swiss Transfers are exclusively subject to the FADP, all references to the GDPR in the EU SCCs are to be understood to be references to the FADP; and
8. Where Swiss Transfers are subject to both the FADP and the GDPR, all references to the GDPR in the EU SCCs are to be understood to be references to the FADP insofar as the Swiss Transfers are subject to the FADP.
PART 4 – ADDITIONAL SAFEGUARDS
In the event of an EEA Transfer, a UK Transfer or a Swiss Transfer, the Parties agree to supplement these with the following safeguards and representations, where appropriate:
1. Rhombus shall have in place and maintain in accordance with high industry practice measures to protect the Personal Data from interception (including in transit from the Controller to the Processor, from the Processor to the Sub-processors and between the Processor’s different systems and services). This includes having in place and maintaining network protection intended to deny attackers the ability to intercept data and encryption of Personal Data whilst in transit and at rest intended to deny attackers the ability to read data.
2. Rhombus will make all commercially reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to the Personal Data protected under GDPR or UK GDPR, including under section 702 of the United States Foreign Intelligence Surveillance Act (“FISA”).
3. If Rhombus becomes aware that any governmental authority, including law enforcement, wishes to obtain access to or a copy of some or all of the Personal Data, whether on a voluntary or a mandatory basis, then unless legally prohibited or under a mandatory legal compulsion that requires otherwise:
3.1 Rhombus shall inform the relevant governmental authority that the Processor is a Processor of the Personal Data and that the Controller has not authorized the Processor to disclose the Personal Data to the government authority, and that any and all requests or demands for access to the Personal Data should therefore be notified to or served upon the Controller in writing; and
3.2 Rhombus will use all commercially reasonable legal mechanisms, at Customer’s expense, to challenge any such demand for access to Personal Data which is under the Processor’s availability. Notwithstanding the above, (a) Customer acknowledges that such challenge may not always be reasonable or possible in light of the nature, scope, context and purposes of the intended government authority access, and (b) if, taking into account the nature, scope, context and purposes of the intended government authority access to Personal Data, Rhombus has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, this subsection 3.2 shall not apply. In such an event, Rhombus shall notify Customer promptly following the access by the government authority, and provide Customer with relevant details of the same, unless and to the extent legally prohibited from doing so.
4. Following the Customer’s written requests, Rhombus will inform Customer of the types of binding legal demands for Personal Data it has received (if any) during the twelve (12)-month period preceding Customer’s inquiry, including national security orders and directives, which shall encompass any process issued under section 702 of FISA.