Data Processing Addendum

Last Modified: February 17th, 2025

This Data Processing Addendum, including the Standard Contractual Clauses referenced herein and the Annex appended hereto (collectively, the “Addendum” or “DPA”), is incorporated into any executed and currently valid Terms of Sale and Order Form (the “Principal Agreement”) either previously or concurrently made between the organization entering into an applicable Principal Agreement (together, with any subsidiaries and affiliated entities, collectively, “Customer”) and Elvex, Inc. (“Vendor”) and sets forth additional terms that apply to the extent any information you provide to Vendor pursuant to the Agreement includes Personal Data (as defined below). This DPA is effective as set forth in the Principal Agreement.

The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the applicable Principal Agreement.  Except as modified below, the terms of the Principal Agreement shall remain in full force and effect.   

In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Principal Agreement. Except where the context requires otherwise, references in this Addendum to the Principal Agreement are to the Principal Agreement as amended by, and including, this Addendum.



  1. Definitions

    1. In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

  1. "Customer Affiliate" means an entity that owns or controls, is owned or controlled by or is under common control or ownership with Customer, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.

  2. "Customer Personal Information" means any Personal Data Processed by Vendor on behalf of a Customer pursuant to or in connection with the Principal Agreement and according to Customer instructions.

  3. "Data Protection Laws" means all applicable federal, state, and foreign laws and regulations relating to the processing, protection, or privacy of the Personal Information, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction. This includes, but is not limited to, the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). 

  4. "EEA" means the European Economic Area.

  5. "EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.

  6. "GDPR" means EU General Data Protection Regulation 2016/679.

  7. "Personal Information" means any information defined as “personal information” or “personal data” under Data Protection Laws including data (i) relating to an identified or identifiable natural person; or (ii) that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, regardless of the media in which it is maintained, that may be:

    1. processed at any time by Vendor in anticipation of, in connection with or incidental to the performance of the Services under the Principal Agreement and this DPA; or

    2. derived by Vendor from such information.

  8. "Restricted Transfer" means:

    1. a transfer of Customer Personal Data from Customer to Vendor; or

    2. an onward transfer of Customer Personal Data from Vendor to a Subprocessor, or between two establishments of Vendor and Subprocessor,

in each case, where such transfer would be prohibited by Data Protection Laws defined above (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of the Standard Contractual Clauses to be established under Schedule 1 below or, on a case by case basis, such other lawful transfer mechanism referred to in Article 46 of the GDPR or derogation referred to in Article 49 of the GDPR as may apply.

  9. "Services" means the services and other activities to be supplied to or carried out by or on behalf of Vendor for Customer pursuant to the Principal Agreement.

  10. "Standard Contractual Clauses" means the model clauses for the transfer of Personal Information to processors established in third countries approved by the European Commission, the approved version of which is set out in the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 and at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=e, which clauses are incorporated herein by this reference.

  11. "Subprocessor" means any person (including any third party, but excluding an employee of Vendor) appointed by or on behalf of Vendor to Process Personal Information on behalf of Customer in connection with the Principal Agreement.

  12. "UK Data Protection Laws" means (a) the UK Data Protection Act 2018 incorporating the GDPR (as may be amended by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019); (b) the GDPR, read in conjunction with and subject to any Member State law that provides for specifications or restrictions of its rules; and (c) any other applicable UK or EU data protection or privacy law to the extent that such law applies to a Customer, Vendor Affiliate or Vendor, in each case as amended, replaced or superseded from time to time.

    2. The terms, "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

  2. Processing of Customer Personal Information

    1. Vendor shall:

      1. comply with all applicable Data Protection Laws in the Processing of Customer Personal Information; 

      2. not Process Customer Personal Information other than on Customer’s documented instructions unless Processing is required by Data Protection Laws to which the Vendor is subject, in which case Vendor shall to the extent permitted by Data Protection Laws inform the Customer of that legal requirement before the relevant Processing of that Personal Information. 

      3. maintain the confidentiality of all Personal Information, will not sell it to anyone, and will not disclose it to third parties unless the Customer or this DPA specifically authorizes the disclosure, or as required by law. If a law requires the Vendor to process or disclose Personal Information, the Vendor must first inform the Customer of the legal requirement and give the Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice.

      4. reasonably assist the Customer with meeting the Customer's compliance obligations under the Data Protection Laws, taking into account the nature of the Vendor's processing and the information available to the Vendor.

      5. promptly notify the Customer of any changes to Data Protection Laws that may adversely affect the Vendor's performance of the Principal Agreement. 

      6. if additional Processing requirements are necessary for any specific jurisdiction in order for the Processing by Vendor or its authorized Subprocessors to be compliant with Data Protection Laws, Vendor and Customer shall negotiate in good faith to amend this Addendum to include such requirements and implement these provisions accordingly.

    2. Customer:

      1. instructs Vendor (and authorizes Vendor to instruct each Subprocessor) to: 

        1. Process Customer Personal Information; and

        2. in particular, transfer Customer Personal Information to any country or territory, provided it is to a country that provides an adequate level of protection as determined by the standard defined by applicable Data Protection Laws or safeguards are in place to provide an adequate level of protection such as standard contractual clauses approved by the relevant government or commissioned bodies or the transfer is otherwise permitted under Data Protection Law,

to the extent and in such a manner as is reasonably necessary for the provision of the Services and consistent with the Principal Agreement; and

      2. warrants and represents that it is and, unless it provides written notice to the Vendor to the contrary, will remain duly and effectively authorized to give the instruction set out in section 2.2.1 on behalf of each relevant Customer Affiliate.

      3. retains control of the Customer Personal Information and remains responsible for its compliance obligations under the applicable Data Protection Laws, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to the Vendor.

  3. Vendor Personnel

Vendor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of Vendor who may have access to the Customer Personal Information, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Customer Personal Information, as strictly necessary for the purposes of the Principal Agreement, and to comply with Data Protection Laws in the context of that individual's duties to the Vendor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

  4. Security

    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Vendor shall in relation to the Customer Personal Information implement appropriate physical, technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

    2. In assessing the appropriate level of security, Vendor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Information Breach.

  5. Subprocessing

    1. Customer authorizes Vendor to appoint (and permit each Subprocessor appointed in accordance with this section 5 to appoint) Subprocessors in accordance with this section 5 and any restrictions in the Principal Agreement.

    2. Vendor may continue to use those Subprocessors already engaged by Vendor as at the date of this Addendum and add new Subprocessors, subject to in each case as soon as practicable meeting the obligations set out in section 5.3 and 5.4.  

    3. Vendor shall ensure that each Subprocessor performs the obligations under the applicable sections of this DPA, as they apply to Processing of Customer Personal Information carried out by that Subprocessor, as if it were party to this Addendum in place of Vendor.

    4. Before replacing or adding a new Subprocessor, Vendor shall give Customer reasonable notice of such replacement or addition, giving Customer an opportunity to object.

  6. Data Subject Rights

    1. Taking into account the nature of the Processing, Vendor shall assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customers' obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

    2. Vendor shall:

      1. promptly notify Customer if Vendor receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Information; and

      2. ensure that Vendor does not respond to that request except on the documented instructions of Customer or the relevant Customer Affiliate or as required by applicable Data Protection Laws to which Vendor is subject, in which case Vendor shall to the extent permitted by applicable Data Protection Laws inform Customer of that legal requirement before the Vendor responds to the request.

    3. Customer shall:

      1. Promptly notify Vendor if Customer receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Information;

      2. Assist Vendor as necessary to fulfill Data Subject requests.

  7. Personal Information Breach

    1. Vendor shall notify Customer without undue delay upon Vendor or any Subprocessor becoming aware of a Personal Information Breach affecting Customer Personal Information,  providing Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects of the Personal Information Breach under the Data Protection Laws.

    2. Vendor shall cooperate with Customer and take such reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Information Breach.

    3. Customer shall cooperate with Vendor and take such reasonable commercial steps as are directed by Vendor to assist in the investigation, mitigation, and remediation of each such Personal Information Breach as necessary.

  8. Data Protection Impact Assessment and Prior Consultation

    1. Upon request, Vendor shall provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Customer reasonably considers to be required of any Customer by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer Personal Information by, and taking into account the nature of the Processing and information available to, Vendor.

  9. Deletion or return of Customer Personal Information

    1. Subject to sections 9.2 and 9.3, Vendor shall promptly after the date of cessation of any Services involving the Processing of Customer Personal Information (the "Cessation Date"), delete and procure the deletion of all copies of those Customer Personal Information unless otherwise required by applicable Data Protection Laws or other regulations.

    2. Subject to section 9.3, Customer may in its absolute discretion by written notice to Vendor within 30 days of the Cessation Date require Vendor to (a) return a complete copy of all Customer Personal Information to Customer by secure file transfer in such format as is reasonably notified by Customer to Vendor; and (b) delete and procure the deletion of all other copies of Customer Personal Information Processed by Vendor. Vendor shall comply with any such written request within 30 days of the Cessation Date unless otherwise required by applicable Data Protection Laws or other regulations.

    3. Vendor may retain Customer Personal Information to the extent required by applicable Data Protection Laws and only to the extent and for such period as required by applicable Data Protection Laws and always provided that Vendor shall ensure the confidentiality of all such Customer Personal Information and shall ensure that such Customer Personal Information is only Processed as necessary for the purpose(s) specified in the applicable Data Protection Laws requiring its storage and for no other purpose. 

    4. Vendor shall, if requested in writing by Customer, provide written certification to Customer that it has fully complied with this section 9 within 30 days of the Cessation Date.

  10. Audit rights

    1. Within thirty (30) days of Customer’s written request, and no more than once annually and subject to the confidentiality obligations set forth in the Agreement, Vendor shall make available to Customer (or a mutually agreed upon third-party auditor) information reasonably necessary to demonstrate Vendor’s compliance with the obligations set forth in this Addendum. Any such audit shall be limited to a written security assessment for Vendor to answer.

  11. Restricted Transfers

    1. Subject to section 11.3, Customer (as "data exporter") and Vendor, as appropriate, (as "data importer") hereby enter into the Standard Contractual Clauses in respect of any Restricted Transfer from that Customer to Vendor.

    2. The Standard Contractual Clauses shall come into effect under section 11.1 on the later of: 

      1. the data exporter becoming a party to them; 

      2. the data importer becoming a party to them; and 

      3. commencement of the relevant Restricted Transfer.

    3. Section 11.1 shall not apply to a Restricted Transfer unless its effect, together with other reasonably practicable compliance steps (which, for the avoidance of doubt, do not include obtaining consents from Data Subjects), is to allow the relevant Restricted Transfer to take place without breach of applicable Data Protection Laws.

  12. General Terms

Governing law and jurisdiction

  1. Without prejudice to Clause 17 of the Standard Contractual Clauses:

    1. the parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity; and

    2. this Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Principal Agreement. 

Order of precedence

  1. Nothing in this Addendum reduces Vendor's obligations under the Principal Agreement in relation to the protection of Personal Information or permits Vendor to Process (or permit the Processing of) Personal Information in a manner which is prohibited by the Principal Agreement. In the event of any conflict or inconsistency between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

  2. Subject to section 12.2, with regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Principal Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail.

Changes in Data Protection Laws, etc.

  1. Customer may:

    1. by at least 60 (sixty) calendar days' written notice to Vendor from time to time make any variations to the Standard Contractual Clauses (including any Standard Contractual Clauses entered into under section 11.1), as they apply to Restricted Transfers which are subject to a particular Data Protection Law, which are required, as a result of any change in, or decision of a competent authority under, that Data Protection Law, to allow those Restricted Transfers to be made (or continue to be made) without breach of that Data Protection Law; and

    2. propose any other variations to this Addendum which Customer reasonably considers to be necessary to address the requirements of any Data Protection Law.

  2. If Customer gives notice under section 12.4.1:

    1. Vendor shall promptly co-operate (and ensure that any affected Subprocessors promptly co-operate) to ensure that equivalent variations are made to any agreement put in place under section 5.3; and

    2. Customer shall not unreasonably withhold or delay agreement to any consequential variations to this Addendum proposed by Vendor to protect the Vendor against additional risks associated with the variations made under section 12.4.1 or 12.5.1.

  3. If Customer gives notice under this section, the parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Customer's notice as soon as is reasonably practicable.

  4. Neither Customer nor Vendor shall require the consent or approval of any Customer Affiliate to amend this Addendum pursuant to this section or otherwise. 

Severance

  1. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

  13. Term and Termination

    1. This DPA will remain in full force and effect so long as: 

      1. the Principal Agreement remains in effect; or 

      2. Vendor retains any Personal Information related to the Principal Agreement in its possession or control (the "Term").

    2. Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Principal Agreement in order to protect Personal Information will remain in full force and effect.

    3. If a change in any Data Protection Laws prevents either party from fulfilling all or part of its Principal Agreement obligations, the parties will suspend the processing of Personal Information until that processing complies with the new requirements. If the parties are unable to bring the Personal Information processing into compliance with the Data Protection Laws, they may terminate the Principal Agreement upon written notice to the other party.



SCHEDULE I – Standard Contractual Clauses


  1. To the extent legally required, the signatories to the Agreement are deemed to have signed the clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=e (the “2021 Standard Contractual Clauses”), which form part of this DPA and will be deemed completed as follows:

    1. Module 2 of the 2021 Standard Contractual Clauses applies to transfers of Personal Data from Customer to Vendor and Module 4 of the 2021 Standard Contractual Clauses applies to transfers of Personal Data from Vendor to Customer;

    2. Clause 7 of Modules 2 and 4 (the optional docking clause) is not included;

    3. Under Clause 9 of Module 2 (Use of sub-processors), the parties select Option 2 (general authorization). The contents of Annex III (the list of sub-processors already authorized by Customer) are attached hereto as Schedule 3 to this DPA;

    4. Under Clause 11 of Modules 2 and 4 (Redress), the optional language requiring that data subjects be permitted to lodge a complaint with an independent dispute resolution body shall not be deemed to be included;

    5. Under Clause 17 of Modules 2 and 4 (Governing law), the parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The parties select the laws of Ireland;

    6. Under Clause 18 of Modules 2 and 4 (Choice of forum and jurisdiction), the parties select the courts of Ireland.


This Annex forms part of the Standard Contractual Clauses

Annex I

Data exporter
Data exporter is Customer.
Address: the Customer’s address set out in the Principal Agreement.
Contact person’s name, position, and contact details: the Customer’s contact details as set out in the Principal Agreement or order form. 

Activities relevant to the data transferred under these Clauses: activities necessary to provide the Services described in the Principal Agreement. 

Data importer
The data importer is Elvex, Inc.
Address: 228 Park Ave South, PMB 85864, New York, NY 10003-1502

Contact person’s name, position, and contact details:
Mike Sukmanowsky, Chief Technology Officer

Email: privacy@elvex.ai

Activities relevant to the data transferred under these Clauses: activities necessary to provide the Services described in the Principal Agreement. 

Categories of data subjects whose personal data is transferred

Categories of data subjects whose personal data may be transferred include, but are not limited to:

  • Customers / Users

  • Any other individual whose personal data is provided to Vendor by Users via their use of the Services


Categories of personal data transferred

Categories of personal data transferred may include, but are not limited to:

  • Basic personal identifiers (name, email address, job title, etc.)

  • Account / profile data (username, passwords, preferences, etc.)

  • Employment/professional data (job title, employer, qualifications, etc.)

  • Platform usage data (prompts, requests, uploaded data, etc.)

  • Device/online identifiers (IP addresses, cookie IDs, device IDs, etc.)

  • Any other type of data that is provided to Vendor by Users via their use of the Services



Sensitive data transferred (if applicable)

Users have the ability to transfer sensitive data to Vendor's platform at their own discretion. Vendor has no control over what sensitive data Users may choose to transfer, but does not actively or intentionally collect such sensitive data categories itself.

Users are solely responsible for ensuring a valid legal basis for the processing of any sensitive data they opt to transfer, and must comply with all applicable requirements for processing such data.



The Frequency of the Transfer

The frequency of personal data transfers from Users to Vendor's platform will vary and be determined by the Users' individual usage patterns and needs for processing personal data through the platform's services. Data transfers may occur on a regular, continuous or ad-hoc basis as Users see fit to utilize the platform.

Nature of the processing 

The nature of the processing includes the collection, storage, organization, use, disclosure by transmission, and deletion of personal data as initiated and controlled by Users through their use of Vendor’s platform and services. This may involve operations such as uploading, accessing, retrieving, modifying, analyzing and managing personal data within the platform environment as required to fulfill the Users' intended purposes. 

Purpose(s) of the data transfer and further processing

The purposes of the data transfers and further processing include enabling Users to leverage Vendor’s platform and services for their own intended processing needs and purposes related to their use of the platform. 

Users shall be solely responsible for ensuring their transfer and processing of personal data complies with applicable data protection laws for their specific purposes.



The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period. 

Vendor will retain each User's personal data processed through the platform until Customer requests deletion of their data, or in accordance with Vendor’s then current agreement with Customer. 

In the event a User's account is terminated or canceled, Vendor may, but is not obligated to unless stipulated in the then current agreement, retain the personal data to allow for the possibility of Customer reactivating their account. 

Customer may also request deletion of their personal data from the platform at any time during the Term, in which case Vendor will promptly delete the data as requested.

Notwithstanding the foregoing, Vendor may retain certain personal data as necessary to comply with legal obligations.



Competent Supervisory Authority

Identify the competent supervisory authority/ies in accordance with Clause 13 

Irish Data Protection Commission




Annex II: Technical And Organizational Measures Including Technical And Organizational Measures To Ensure The Security Of The Data

The description of the technical and organizational security measures implemented by the data importer are as follows:



Technical and Organizational Security Measure | Evidence of Technical and Organizational Security Measure
Measures of encryption of personal data
All data sent to or from elvex is encrypted in-transit using TLS 1.3.
Customer Personal Data is encrypted at rest using servers that employ Linux Unified Key Setup (LUKS) which encrypts all data using the AES-256 standard.
All elvex databases used to process Customer data are configured and patched using commercially reasonable methods according to industry-recognized system-hardening standards
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
All Customer Data is permanently stored in the USA and is backed up for disaster recovery.
elvex relies on Amazon Web Services, a reputable Infrastructure-as-a-Service provider. elvex leverages their portfolio of globally redundant services to ensure Services run reliably. elvex benefits from the ability to dynamically scale up, or completely re-provision its infrastructure resources on an as-needed basis, across multiple geographical areas, using the same vendor, tools, and APIs. This allows elvex to respond to increased demands for the Service and achieve high availability.
elvex has no direct reliance on specific office locations to sustain operations. All operational access to production resources can be exercised at any location on the Internet. elvex leverages a range of technologies and tools to deliver uninterrupted remote work for all employees.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
For production databases, elvex performs backups twice daily and retains the last 14 backups.
Restoration of production backups is tested at least once annually to ensure reliability of the Service.
Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
Dependency vulnerability scans. elvex employs multiple services that regularly scan for dependencies used in our software which have been flagged for vulnerabilities. When found, appropriate measures are taken to address the vulnerability (e.g. upgrading the dependency, applying a manual patch) on a risk weighted basis.
Third-party penetration tests. elvex employs an independent third-party vendor to conduct periodic penetration tests on web applications.
Measures for user identification and authorization
Single Sign-on (SSO).
All access to systems processing Customer Data is protected via Multi-Factor Authentication (MFA).
elvex restricts access to Customer Data to only those people with a “need-to-know” following a “principle of least privilege” principle.
elvex’s Identity Provider mandates and ensures the use of system-enforced “strong passwords” in accordance with the best practices (described below) on all systems hosting, storing, processing, or that have or control access to Customer Data and will require that all passwords and access credentials are kept confidential and not shared among personnel.
Password best practices implemented by elvex’s Identity Provider. Passwords must meet the following criteria: a. contain at least 8 characters; b. must contain lowercase and uppercase letters, numbers, and a special character
elvex maintains and enforces “account lockout” by disabling accounts with access to Customer Data when an account encounters consecutive incorrect password attempts.
elvex does not operate any internal corporate network. All access to elvex resources is protected by strong passwords and MFA.
Measures for the protection of data during storage
Intrusion Prevention. elvex implements and maintains an application firewall to protect data accessible via the Internet and will keep all Customer Data protected by the firewall at all times.
elvex keeps its systems and software up to date with the latest upgrades, updates, bug fixes, new versions, and other modifications necessary to ensure security of the Customer Data.
System inputs recorded via log files.
Multi-factor Authentication (MFA).
Measures for ensuring physical security of locations at which personal data are processed
Physical Access Control. elvex’s services and data are hosted in Amazon Web Services facilities in the USA and protected by Amazon Web Services in accordance with their security protocols.
Access only to approved personnel.
Measures for ensuring events logging
elvex maintains logging across our Identity Provider, critical infrastructure (e.g. Amazon Web Services) and applications that provide the Service.
Measures for ensuring system configuration, including default configuration
Change and Configuration Management. elvex uses continuous automation for application and operating systems deployment for new releases. Integration testing and unit testing are done upon every build with safeguards in place for availability and reliability. elvex has a process for critical emergency fixes that can be deployed to Customers within minutes. As such elvex can roll out security updates as required based on criticality.
Measures for ensuring data minimization
Data collection is limited to the purposes of processing (or the data that the Customer chooses to provide). Security measures are in place to provide only the minimum amount of access (least privilege) necessary to perform required functions.
Upon termination or expiry of this Agreement, elvex will (at Customer's election) delete or return to Customer all Customer Data (including copies) in its possession or control as soon as reasonably practicable and within a maximum period of 30 days of termination or expiry of the Agreement, save that this requirement will not apply to the extent that elvex is required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which Customer Data elvex will securely isolate and protect from any further processing, except to the extent required by applicable law.
Measures for ensuring limited data retention
See “Measures for ensuring data minimization” above.
Measures for ensuring accountability
elvex has implemented data protection policies.
elvex follows a compliance by design approach.
elvex has appointed a data protection officer.
Measures for allowing data portability and ensuring erasure
Secure Disposal. Return or Deletion. elvex will permanently and securely delete all live (online or network accessible) instances of the Customer Data within 90 days upon Customer’s deletion request.
elvex has a process that allows data subjects to exercise their privacy rights (including a right to amend and update their Personal Data), as described in elvex’s Privacy Policy.




Annex III: Processor’s Sub-Processors

The Customer has authorized the use of the Sub-processors listed at the following link, as updated from time to time, effective as of the date of this DPA:

https://elvex.notion.site/Subprocessors-b6ca9a99bb1f489b8c52df565891222a

Schedule II: UK Addendum to the EU Standard Contractual Clauses

Entering into this Addendum

1.      Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.


2.      Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.

Interpretation of this Addendum

3.      Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:

Addendum This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs.

Addendum EU SCCs The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information.

Appendix Information As set out in Table 3.

Appropriate Safeguards The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR.

Approved Addendum The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 28 January 2022, as it is revised under Section 18.

Approved EU SCCs The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

ICO The Information Commissioner.

Restricted Transfer A transfer which is covered by Chapter V of the UK GDPR.

UK The United Kingdom of Great Britain and Northern Ireland.

UK Data Protection Laws All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.

UK GDPR As defined in section 3 of the Data Protection Act 2018.



4.      This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.

5.      If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.

6.      If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.

7.      If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.

8.      Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.

Hierarchy

9.      Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.

10.   Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.

11.   Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.

Incorporation of and changes to the EU SCCs

12.   This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:

a.    together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;

b.    Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and

c.    this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.

13.   Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.

14.   No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.

15.   The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:

a.    References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;

b.    In Clause 2, delete the words:

“and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;

c.     Clause 6 (Description of the transfer(s)) is replaced with:

“The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;

d.    Clause 8.7(i) of Module 1 is replaced with:

“it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;

e.    Clause 8.8(i) of Modules 2 and 3 is replaced with:

“the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”

f.     References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;

g.    References to Regulation (EU) 2018/1725 are removed;

h.    References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;

i.      The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;

j.     Clause 13(a) and Part C of Annex I are not used;

k.    The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;

l.      In Clause 16(e), subsection (i) is replaced with:

“the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;

m.  Clause 17 is replaced with:

“These Clauses are governed by the laws of England and Wales.”;

n.    Clause 18 is replaced with:

“Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and

o.    The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.

Amendments to this Addendum

16.   The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.

17.   If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.

18.   From time to time, the ICO may issue a revised Approved Addendum which:

a.    makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or

b.    reflects changes to UK Data Protection Laws;

The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.

19.   If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:

a        its direct costs of performing its obligations under the Addendum; and/or

b        its risk under the Addendum,

and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.

20.   The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.


Schedule III: US STATES PRIVACY LAWS SERVICE PROVIDER/PROCESSOR 

  1. The Parties acknowledge and agree that information provided to the Vendor in connection with the Agreement may constitute Personal Data as defined under US State Privacy Laws as applicable and that any such Personal Data is disclosed by Customer only for the limited and specified purposes stated herein.


  2. The Vendor has agreed to provide the Services to Customer according to the Agreement.  In support of the Services, Customer will provide and the Vendor will receive, store and/or process certain Personal Data on behalf of Customer as described below:

 To provide access to Vendor’s software-as-a-service solution in accordance with the Principal Agreement  

  3. The Personal Data shall be disclosed to the Vendor only for the limited and specified Business Purposes described below:

As described in Annex I.

  4. The Vendor shall:

4.1 process the Personal Data only on behalf of Customer.

4.2 not: (i) Sell or share the Personal Data; (ii) retain, use, or disclose the Personal Data for any commercial purpose other than for Business Purposes specified in this Agreement, including retaining, using, or disclosing the Personal Data for a commercial purpose other than Business Purposes specified in the contract, or as otherwise permitted by the CCPA; (iii) retain, use, or disclose the information outside of the direct business relationship between the Vendor and Customer; and (iv) combine the Personal Data that the Vendor receives pursuant to a written contract with Customer with Personal Data that it receives from or on behalf of another person or persons, or collects from its own interaction with the Consumer, provided that the Vendor as Service Provider may combine Personal Data to perform any Business Purpose as defined in the CCPA. 

4.3 implement and maintain technical and organizational security measures as required by US State Privacy Laws as applicable.

4.4 ensure that its personnel who are authorized to Process the Personal Data are under appropriate obligations of confidentiality and shall comply with the terms of this Agreement. The Vendor shall not disclose trade secrets of Customer.

4.5 not use for any other purpose Sensitive Personal Data received pursuant to a written contract with Customer after it has received instructions from Customer and to the extent it has actual knowledge that the Personal Data is Sensitive Personal Data.

4.6 notify Customer promptly upon receipt of a request from an individual seeking to exercise any of their rights under US States Privacy Laws as applicable. 

4.7 assist Customer in accordance with Customer’s instructions by appropriate technical and organizational measures, for the fulfillment of Customer’s obligation to respond to requests by or on behalf of Consumers under US States Privacy Laws as applicable.

4.8 carry out a request from Customer to amend, correct or delete any of the Personal Data to the extent necessary to allow Customer to comply with its responsibilities under US States Privacy Laws as applicable. 

4.9 also notify any other parties (“Other Parties”) who may have accessed such Personal Data from or through the Vendor as Service Provider, unless the information was accessed at the direction of Customer, to carry out the request unless that proves impossible or involves disproportionate effort. Further, carry out a request from Customer to block, transfer or delete any of the Personal Data to the extent necessary to allow Customer to comply with its responsibilities under US States Privacy Laws as applicable and so direct the Other Parties.

4.10 insofar as possible, assist Customer in carrying out its obligations under US States Privacy Laws as applicable with respect to security, breach notifications, impact assessments, ensuring proper use of Personal Data, remediating improper use and consultations with regulators. 

4.11 promptly notify Customer about any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data or any accidental or unauthorized access or any other event affecting the integrity, availability, or confidentiality of Personal Data, as required by US States Privacy Laws as applicable.

5. The Vendor agrees to comply with applicable obligations under the US State Privacy Laws as applicable and provide at least the level of privacy protection as is required of the Vendor by US State Privacy Laws as applicable.

6. The Vendor grants Customer the right to take reasonable and appropriate steps to help ensure that the Vendor uses the Personal Data transferred in a manner consistent with Customer’s obligations under US State Privacy Laws as applicable, through measures, including, but not limited to, ongoing manual reviews and automated scans and regular assessments, audits or other technical and operational testing at least once every 12 months and including the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.

7. The Vendor agrees to notify Customer if the Vendor determines that it can no longer meet its obligations under US State Privacy Laws as applicable.

8. The Vendor is not required to delete Personal Data when the exceptions enumerated under CCPA §1798.105(d) apply.

9. Upon termination of the Processing of Personal Data by the Vendor and at the choice of Customer, the Vendor shall either delete all Personal Data or return all Personal Data to Customer and delete existing copies unless otherwise permitted or required by US States Privacy Laws as applicable.

10. Customer acknowledges and agrees that the Vendor relies solely on Customer for direction as to the extent to which the Vendor is entitled to access, use and process Personal Information. Consequently, the Vendor is not liable for any claim brought by Customer or a Data Subject arising from any action or omission by the Vendor to the extent that such action or omission resulted from following Customer’s instructions.

11. The Vendor acknowledges and agrees that Customer is not liable for any claim brought against the Vendor as Service Provider to the extent that such action or omission was caused by its failure to follow Customer’s instructions.

12. If the Vendor must process Personal Data as otherwise required by applicable law, the Vendor as Service Provider shall inform Customer of that legal requirement before processing Personal Data, unless that law prohibits such disclosure. 

13. If the Vendor engages any other person to assist it in processing Personal Data for a Business Purpose on behalf of Customer, or if any other person engaged by the Vendor engages another person to assist in processing Personal Data, it shall notify Customer of that engagement, and the engagement shall be pursuant to a written contract binding the other person to observe all the requirements of this Agreement and of US States Privacy Laws as applicable.

14. Notwithstanding the above, to the extent any Personal Data is “deidentified” or “aggregated” as those terms are defined under US States Privacy Laws as applicable, the Vendor may Process, retain, use, disclose, Sell and/or Share such “deidentified” or “aggregated” information for any commercial purpose in accordance with the US States Privacy Laws as applicable, including but not limited to developing analytics, and may retain, use and disclose such “deidentified” or “aggregated” information for such purpose, without restriction, so long as in accordance with the US States Privacy Laws as applicable and not reidentified or disaggregated.


elvex

Copyright ©2025 elvex

All rights reserved
