Data Processing Addendum
This Data Processing Addendum (“DPA”) supplements Section 7 of the Agreement and further describes the requirements applicable to Personal Data Processed by Graphite in connection with the Services. In the event of a conflict between Section 7 of the Agreement and this DPA, this DPA shall control. In the event of a conflict between the Agreement and/or DPA and the SCC’s, the SCC’s shall control.
- Definitions. In this DPA, the following terms shall have the meanings set out below.
- “Customer Personal Data” means any Personal Data provided by or made available by Customer to Graphite or collected by Graphite on behalf of Customer, which Graphite Processes to perform the Services.
- “Data Protection Law” means any local, state, or national law regarding the processing of Personal Data applicable to Graphite in the jurisdictions in which the Services are provided to Customer, including, without limitation, privacy, security, and data protection law.
- “EU Area” means European Union, European Economic Area, United Kingdom, and Switzerland.
- “EU Area Law” means the
- EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”);
- the GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Addendums etc.) (EU Exit) Regulations 2019 (SI 2019/419) (the “UK GDPR”); or
- the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (“Swiss DPA”);
- any other law relating to the data protection, security, or privacy of individuals that applies in the European Area; or
- any successor or amendments thereto (including without limitation implementation of GDPR by Member States into their national law).
- “Personal Data” means any information deemed “personal data” or “personal information” (or analogous variations of such terms) under applicable Data Protection Laws, including any information relating to an identified or identifiable natural person.
- “Personal Data Breach” means the breach of security leading to the unauthorized destruction, loss, alteration, disclosure of or access to Customer Personal Data Processed in connection with the Services.
- “Process” or “Processing” means any operation or set of operations which is performed on Customer Data or on sets of Customer Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Standard Contractual Clauses” or “SCC’s” means
- the standard contractual clauses for cross-border transfers published by the European Commission on June 4, 2021 governing the transfer of European Area Personal Data to Third Countries as adopted by the European Commission, the Swiss Federal Data Protection and Information Commissioner (“Swiss FDPIC”) relating to data transfers to Third Countries (collectively “EU SCCs”);
- the international data transfer addendum (“UK Transfer Addendum”) adopted by the UK Information Commissioner’s Office (“UK ICO”) for data transfers from the UK to Third Countries; or
- any similar such clauses adopted by a data protection regulator relating to Personal Data transfers to Third Countries, including without limitation any successor clauses thereto.
- “Third Country” means countries that, where required by applicable Data Protection Laws, have not received an adequacy decision from an applicable authority relating to cross-border data transfers of Personal Data, including regulators such as the European Commission, UK ICO, or Swiss FDPIC.
- Except as otherwise provided in the DPA, the terms “Business”, “Business Purpose”, “commercial purpose”, “Contractor”, “Data Subject”, “Processor”, “Sell”, “Service Provider”, “Share”, “Subprocessor”, and “Third Party” shall have the same meaning as in applicable Data Protection Law.
- All other capitalized terms shall have the same meaning as in the Agreement, including without limitation “Customer Data” and “Services”.
- Role of the Parties. As between Customer and Graphite, for purposes of the applicable law, Customer is a “Business”, “Controller”, or “Processor” and Graphite is a “Service Provider”, “Processor”, or “Subprocessor” (each as defined under Data Protection Law). This DPA shall apply solely to the Processing of Customer Personal Data by Graphite acting as a Processor, Subprocessor, or Third Party (as specified in Addendum 1 to this DPA) to provide the Services.
- Compliance with Data Protection Laws. Each party will comply with its obligations under applicable Data Protection Laws in connection with Processing of Customer Personal Data. In connection with its access to and use of the Services, Customer shall Process Customer Personal Data within such Services and provide Graphite with instructions in accordance with applicable Data Protection Law.
- Purpose of Processing. The purpose of Processing under this DPA is the provision of the Services pursuant to the Agreement and related order forms. Addendum 1 (Description of Processing and Transfer Details) describes the subject matter and details of the Processing of Customer Personal Data.
- Confidentiality. Graphite will implement and maintain measures designed to ensure that Graphite personnel authorized to Process Customer Personal Data have committed in writing to maintain the confidentiality of such Customer Personal Data (or are under an appropriate statutory obligation of confidentiality) unless disclosure is required by law or professional regulations.
- Customer Instructions. Where Graphite is acting as a Processor, the following Customer instructions will apply:
- Instruction and Direction. Graphite shall use, retain, disclose, or otherwise Process Customer Personal Data only on behalf of Customer and for the specific business purpose of providing the Services and in accordance with Customer’s instructions, including as described in the Agreement. Graphite shall not Sell or Share Customer Personal Data, nor use, retain, disclose, or otherwise Process Customer Personal Data outside of its business relationship with Customer or for any other purpose (including Graphite’s commercial purpose) except as required or permitted by law. Graphite will inform Customer if Graphite determines that it is no longer able to meet its obligations under Data Protection Laws or where, in Graphite’s reasonable opinion, any of Customer’s instructions infringes any Data Protection Laws. Customer reserves the right to take reasonable and appropriate steps to ensure Graphite’s Processing of Customer Personal Data is consistent with Customer’s obligations under Data Protection Law and discontinue and remediate unauthorized use of Customer Personal Data.
- Limitation on Use. Graphite shall have rights to process Customer Personal Data solely
- (i) to the extent necessary to
- (a) perform the Business Purposes and its obligations under this Agreement;
- (b) operate, manage, test, maintain and enhance the Services including as part of its business operations;
- (c) to disclose aggregate statistics about the Services in a manner that prevents individual identification or re-identification of Customer Personal Data, including without limitation any individual device or individual person; and/or
- (d) protect the Services from a threat to the Services or Customer Personal Data; or
- (ii) if required by court order of a court or authorized governmental agency, provided that prior notice first be given to Customer;
- (iii) as otherwise expressly authorized by Customer.
