MONTPAC DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) sets forth the terms and conditions governing the privacy, security and Processing of
Client’s Personal Data. This DPA is incorporated into and forms a part of the service agreement (the “Agreement”) entered into
between Montgomery Pacific Corporation (“MontPac”) and Client (defined below) (collectively, the “Parties”). Except as modified
below, the Agreement’s terms shall remain in full force and effect.
HOW AND WHEN THIS DPA APPLIES
This DPA applies only if and to the extent Applicable Data Protection Laws govern MontPac’s Processing of Client Personal Data in
performance of the service(s) as a ‘processor’, ‘service provider’ or similar role defined under Applicable Data Protection Laws.
Accordingly, this DPA does not apply to MontPac’s Processing of any Personal Data for its own business/customer relationship
administration purposes, its own marketing or service analytics, its own information and systems security purposes supporting the
operation of the service, nor its own legal, regulatory or compliance purposes.
1. INTERPRETATION
1.1. In this DPA (including the explanatory notes above) the following terms shall have the meanings set out in this Section 1,
unless expressly stated otherwise:
(a). “Applicable Data Protection Laws” means the privacy, data protection and data security laws and regulations of any
jurisdiction directly applicable to MontPac’s Processing of Client Personal Data under the Agreement (including, as and where
applicable, GDPR and State Privacy Laws).
(b). “Client” means the person or entity that has entered into the Agreement with MontPac.
(c). “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others,
determines the purposes and means of the Processing of Personal Data.
(d). “Data Subject” means the identified or identifiable natural person to whom Client Personal Data relates.
(e). “Data Subject Request” means the exercise by a Data Subject of its rights in accordance with Applicable Data Protection
Laws in respect of Client Personal Data and the Processing thereof.
(f). “Client Personal Data” means any Personal Data Processed by MontPac or its Sub-Processor on behalf of Client to
perform the service under the Agreement.
(g). “EEA” means the European Economic Area.
(h). “GDPR” means, as and where applicable to Processing concerned: (i) the General Data Protection Regulation (Regulation
(EU) 2016/679) (“EU GDPR”); and/or (ii) the EU GDPR as it forms part of UK law (as amended from time to time) (“UK GDPR”).
(i). “Personal Data” means “personal data,” “personal information,” “personally identifiable information” or similar term
defined in Applicable Data Protection Laws (including as may be comprised in any Client Data or any other Client Content).
(j). “Personal Data Breach” means a breach of MontPac’s security leading to the accidental or unlawful destruction, loss,
alteration, unauthorized disclosure of, or access to, Client Personal Data in MontPac’s possession, custody or control. For clarity,
Personal Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Client Personal
Data.
(k). “Personnel” means a person’s employees, agents, consultants, contractors or other staff.
(l). “Process” and inflections thereof means any operation or set of operations which is performed on Personal Data or on
sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage,
adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available,
alignment or combination, restriction, erasure or destruction.
(m). “Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on
behalf of the Controller, including, as applicable, a “service provider” as that term may be defined by Applicable Data Protection
Laws.
(n). “Restricted Transfer” means the disclosure, grant of access or other transfer of Client Personal Data to any person
located in: (i) in the context of the EU GDPR, any country or territory outside the EEA which does not benefit from an adequacy
decision from the European Commission (an “EEA Restricted Transfer”); and (ii) in the context of the UK GDPR, any country or
territory outside the UK, which does not benefit from an adequacy decision from the UK Government (a “UK Restricted
Transfer”), which would be prohibited without a legal basis under Chapter V of the GDPR.
(o). “SCCs” means the standard contractual clauses approved by the European Commission pursuant to implementing
Decision (EU) 2021/914.
(p). “State Privacy Laws” means the California Consumer Privacy Act of 2018 (“CCPA”), the Colorado Privacy Act, the Virginia
Consumer Data Protection Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act, in each case only if and to the
extent applicable to MontPac’s Processing of Client Personal Data under the Agreement.
(q). “Sub-Processor” means any third party appointed by or on behalf of MontPac to Process Client Personal Data.
(r). “Supervisory Authority” means any governmental or regulatory body with competent authority to enforce any
Applicable Data Protection Laws, including: (i) in the context of the EEA and the EU GDPR, a “supervisory authority” within the
meaning given to that term in the EU GDPR; and (ii) in the context of the UK and the UK GDPR, the UK Information Commissioner’s
Office.
(s). “UK Transfer Addendum” means the template Addendum B.1.0 issued by the ICO and laid before Parliament in
accordance with section 119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of the UK
Mandatory Clauses included in Part 2 thereof (the “UK Mandatory Clauses”).
1.2. Unless otherwise defined in this DPA, all capitalized terms in this DPA shall have the meaning given to them in the
Agreement.
2. APPLICATION OF THIS DATA PROCESSING ADDENDUM
2.1 The front-end of this DPA applies generally to MontPac’s Processing of Client Personal Data under the Agreement.
2.2 Annex 2 (European Annex) applies only if and to the extent MontPac’s Processing of Client Personal Data under the
Agreement is subject to the GDPR.
2.3 Annex 3 (State Privacy Laws Annex) applies only if and to the extent MontPac’s Processing of Client Personal Data on
behalf of Client under the Agreement is subject to the State Privacy Laws.
2.4 Section 9 of this DPA applies to MontPac’s Processing of Client Personal Data to the extent required under Applicable Data
Protection Laws for contracts with Processors, and in such cases, only in respect of Processing of Client Personal Data subject to
such laws.
3. PROCESSING OF CLIENT PERSONAL DATA
3.1. The Parties acknowledge and agree that the details of MontPac’s Processing of Client Personal Data (including the
respective roles of the Parties relating to such Processing) are as described in Annex 1 (Data Processing Details) to the DPA.
3.2 MontPac shall not Process Client Personal Data other than: (a) on Client’s instructions; or (b) as required by applicable laws provided that, in such circumstances, MontPac shall inform Client in advance of the relevant legal requirement requiring such Processing if and to the extent MontPac is: (i) required to do so by Applicable Data Protection Laws; and (ii) permitted to do so in the circumstances. Client instructs MontPac to Process Client Personal Data to provide the service to Client and in accordance with the Agreement. The Agreement is a complete expression of such instructions, and Client’s additional instructions will be binding on MontPac only pursuant to any written amendment to this DPA signed by both Parties. Where required by Applicable Data Protection Laws, if MontPac receives an instruction from Client that, in its reasonable opinion, infringes Applicable Data Protection Laws, MontPac shall notify Client.
4. MONTPAC PERSONNEL
MontPac shall take commercially reasonable steps designed to ascertain the reliability of any MontPac Personnel who
Process Client Personal Data, and shall enter into written confidentiality agreements with all MontPac Personnel who
Process Client Personal Data that are not subject to professional or statutory obligations of confidentiality.
5. SECURITY
5.1. MontPac shall implement and maintain technical and organizational measures in relation to Client Personal Data
designed to protect Client Personal Data against Personal Data Breaches as described in Annex 4 (Security Measures) (the
“Security Measures”).
5.2. MontPac may update the Security Measures from time to time, provided the updated measures do not materially decrease
the overall protection of Client Personal Data.
6. DATA SUBJECT RIGHTS
6.1. MontPac, taking into account the nature of the Processing of Client Personal Data, shall provide Client with such
assistance as may be reasonably necessary and technically feasible to assist Client in fulfilling its obligations to respond to Data Subject Requests. If MontPac receives a Data Subject Request, Client will be responsible for responding to any such request.
6.2. MontPac shall: (a) promptly notify Client if it receives a Data Subject Request; and (b) not respond to any Data Subject
Request, other than to advise the Data Subject to submit the request to Client, except as required by Applicable Data Protection
Laws.
7. PERSONAL DATA BREACH
7.1. MontPac shall notify Client without undue delay upon MontPac’s confirmation of a Personal Data Breach affecting Client
Personal Data. MontPac shall provide Client with information (insofar as such information is within MontPac’s possession and
knowledge and does not otherwise compromise the security of any Personal Data Processed by MontPac) to allow Client to meet its
obligations under the Applicable Data Protection Laws to report the Personal Data Breach. MontPac’s notification of or response to
a Personal Data Breach shall not be construed as MontPac’s acknowledgement of any fault or liability with respect to the Personal
Data Breach.
7.2. Client is solely responsible for complying with notification laws applicable to Client and fulfilling any third-party
notification obligations related to any Personal Data Breaches.
7.3. If Client determines that a Personal Data Breach must be notified to any Supervisory Authority, any other governmental
authority, any Data Subject(s), the public or others under Applicable Data Protection Laws, to the extent such notice directly or
indirectly refers to or identifies MontPac, where permitted by applicable laws, Client agrees to: (a) notify MontPac in advance; and
(b) in good faith, consult with MontPac and consider any clarifications or corrections MontPac may reasonably recommend or
request to any such notification, which: (i) relate to MontPac’s involvement in or relevance to such Personal Data Breach; and (ii)
are consistent with applicable laws.
8. SUB-PROCESSING
8.1. Client generally authorizes MontPac to appoint Sub-Processors in accordance with this Section 8. Without limitation,
Client authorizes MontPac’s engagement of the Sub-Processors listed on the Sub-Processor List as of the effective date of the
Agreement at the URL specified in Section 8.2.
8.2. Information about Sub-Processors, including their functions and locations, is available at: https://montpac.com/subprocessors
(as may be updated by MontPac from time to time) or such other website address as MontPac may provide to Client (the
“Sub-Processor List”).
8.3. MontPac shall give Client prior written notice of the appointment of any proposed Sub-Processor after the effective date
of the Agreement, including reasonable details of the Processing to be undertaken by the Sub-Processor. If, within fourteen (14)
days of receipt of that notice, Client notifies MontPac in writing of any objections (on reasonable grounds) to the proposed
appointment: (a) MontPac shall use reasonable efforts to make available a commercially reasonable change in the provision of the
service, which avoids the use of that proposed Sub-Processor; and (b) where: (i) such a change cannot be made within fourteen
(14) days from MontPac’s receipt of Client’s notice; (ii) no commercially reasonable change is available; and/or (iii) Client declines
to bear the cost of the proposed change, then Client may terminate the Agreement by written notice to MontPac as its sole and
exclusive remedy.
8.4. If Client does not object to MontPac’s appointment of a Sub-Processor during the objection period referred to in Section 8.3, Client shall be deemed to have approved the engagement and ongoing use of that Sub-Processor.
8.5. With respect to each Sub-Processor, MontPac shall maintain a written contract between MontPac and the Sub-Processor
that includes terms which offer at least an equivalent level of protection for Client Personal Data as those set out in this DPA
(including the Security Measures). MontPac shall remain liable for any breach of this DPA caused by a Sub-Processor.
9. AUDITS
9.1. MontPac shall make available to Client on request, such information as MontPac (acting reasonably) considers
appropriate in the circumstances to demonstrate its compliance with this DPA.
9.2. Subject to Sections 9.3 to 9.6, in the event that Client (acting reasonably) is able to provide documentary evidence that the
information made available by MontPac pursuant to Section 9.1 is not sufficient in the circumstances to demonstrate MontPac’s
compliance with this DPA, MontPac shall allow for and contribute to audits, including on-premise inspections, by Client or an
auditor mandated by Client in relation to the Processing of Client Personal Data by MontPac.
9.3. Client shall give MontPac reasonable notice of any audit or inspection to be conducted under Section 9.2 (which shall in
no event be less than fourteen (14) days’ notice) and shall use its best efforts (and ensure that each of its mandated auditors uses
its best efforts) to avoid causing any destruction, damage, injury or disruption to MontPac’s premises, equipment, Personnel, data,
and business (including any interference with the confidentiality or security of the data of MontPac’s other clients or the
availability of MontPac’s services to such other clients).
9.4. Prior to conducting any audit, Client must submit a detailed proposed audit plan providing for the confidential treatment
of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed
audit plan must describe the proposed scope, duration, and start date of the audit. MontPac will review the proposed audit plan
and provide Client with any feedback, concerns or questions (for example, any request for information that could compromise
MontPac security, privacy, employment or other relevant policies). MontPac will work cooperatively with Client to agree on a final
audit plan.
9.5. If the controls or measures to be assessed in the requested audit are assessed in a SOC 2 Type 2, ISO, NIST or similar audit
report performed by a qualified third-party auditor within twelve (12) months of Client’s audit request (“Audit Report”) and
MontPac has confirmed in writing that there have been no known material changes in the controls audited and covered by such
Audit Report(s), Client agrees to accept provision of such Audit Report(s) in lieu of requesting an audit of such controls or
measures. MontPac shall provide copies of any such Audit Reports to Client upon request; provided that they shall constitute the
confidential information of MontPac, which Client shall use only for the purposes of confirming compliance with the requirements
of this DPA or meeting Client’s obligations under Applicable Data Protection Laws.
9.6. MontPac need not give access to its premises for the purposes of such an audit or inspection: (a) where an Audit Report is
accepted in lieu of such controls or measures in accordance with Section 9.5; (b) to any individual unless they produce reasonable
evidence of their identity; (c) to any auditor whom MontPac has not approved in advance (acting reasonably); (d) to any individual
who has not entered into a non-disclosure agreement with MontPac on terms acceptable to MontPac; (e) outside normal business
hours at those premises; or (f) on more than one occasion in any calendar year during the term of the Agreement, except for any
audits or inspections which Client is required to carry out under the GDPR or by a Supervisory Authority. Nothing in this DPA shall
require MontPac to furnish more information about its Sub-Processors in connection with such audits than such Sub-Processors
make generally available to their clients. Nothing in this Section 9 shall be construed to obligate MontPac to breach any duty of
confidentiality.
10. RETURN AND DELETION
10.1. Upon expiration or earlier termination of the Agreement, MontPac shall return and/or delete all Client Personal Data in
MontPac’s care, custody or control in accordance with Client’s instructions as to the post-termination return and deletion of Client
Personal Data expressed in the Agreement. To the extent that deletion of any Client Personal Data contained in any back-ups
maintained by or on behalf of MontPac is not technically feasible within the timeframe set out in Client’s instructions, MontPac
shall (a) securely delete such Client Personal Data in accordance with any relevant scheduled back-up deletion routines (e.g., those
contained within MontPac’s relevant business continuity and disaster recovery procedures); and (b) pending such deletion, put
such Client Personal Data beyond use.
10.2. Notwithstanding the foregoing, MontPac may retain Client Personal Data where required by applicable laws, provided
that MontPac shall (a) maintain the confidentiality of all such Client Personal Data and (b) Process the Client Personal Data only as
necessary for the purpose(s) and duration specified in the applicable law requiring such retention.
11. CLIENT’S RESPONSIBILITIES
11.1. Client agrees that, without limiting MontPac’s obligations under Section 5 (Security), Client is solely responsible for its use
of the service, including (a) making appropriate use of the service to maintain a level of security appropriate to the risk in respect
of the Client Personal Data; (b) securing the account authentication credentials, systems and devices Client uses to access the
service; (c) securing Client’s systems and devices that MontPac uses to provide the service; and (d) backing up Client Personal Data.
11.2. Client shall ensure: (a) that there is, and will be throughout the term of the Agreement, a valid legal basis for the
Processing by MontPac of Client Personal Data in accordance with this DPA and the Agreement (including, any and all instructions
issued by Client from time to time in respect of such Processing) for the purposes of all Applicable Data Protection Laws; (b) that all
Data Subjects have (i) been presented with all required notices and statements; and (ii) provided all required consents, in each case
(i) and (ii) relating to the Processing by MontPac of Client Personal Data; and (c) it does not use, and does not permit any other
person to use, the service (including any ‘risk scores’ generated thereby) to make decisions about Data Subjects that are based
solely on automated processing (i.e., without appropriate human input, oversight and review) which would, or may reasonably be
expected to, produce legal effects concerning, or otherwise similarly significantly affect, Data Subjects.
11.3. Client agrees that the service, the Security Measures, and MontPac’s commitments under this DPA are adequate to meet
Client’s needs, including with respect to any security obligations of Client under Applicable Data Protection Laws, and provide a
level of security appropriate to the risk in respect of the Client Personal Data.
11.4. Except to the extent prohibited by Applicable Data Protection Laws, Client shall compensate MontPac at MontPac’s then-
current professional services rates for, and reimburse any costs reasonably incurred by MontPac in the course of providing,
cooperation, information, or assistance requested by Client in respect of this DPA (including pursuant to Sections 6, 7 and 9 of this
DPA and Paragraph 1 of Annex 2 (European Annex)), beyond providing self-service features included as part of the service.
12. MISCELLANEOUS
12.1. MontPac may on notice vary this DPA to the extent that (acting reasonably) it considers necessary to address the
requirements of Applicable Data Protection Laws from time to time (including to apply a new transfer mechanism, which complies
with relevant requirements of the GDPR, to replace the SCCs should it see fit).
12.2. This DPA shall be incorporated into and form part of the Agreement with effect on and from the Effective Date.
12.3. In the event of any conflict or inconsistency between: (a) this DPA and the Agreement, this DPA shall prevail; or (b) any
SCCs entered into pursuant to Paragraph 2 of Annex 2 (European Annex) and this DPA and/or the Agreement, the SCCs shall
prevail in respect of the Restricted Transfer to which they apply.
Annex 1
Data Processing Details
MONTPAC / ‘DATA IMPORTER’ DETAILS
Name: | Montgomery Pacific Corporation ("MontPac"), a California corporation. |
Address: | As set out in the preamble to the DPA |
Contact Details for Data Protection: | Role: Data Protection Officer (DPO) Email: [email protected] |
MontPac Activities: | MontPac's primary objective is to provide companies with a professional accounting and finance function that allows them to focus on the activities that are critical to the successful management of their business. MontPac's service allows clients to make fact-based decisions oriented toward enhancing profitable growth and professionally managing the assets of their company. MontPac's service is delivered through the use of accounting and finance solutions, which allow MontPac to perform the financial and accounting functions for clients while also providing clients with updated financial information and visibility into their current financial situation. |
Role: | Processor |
CLIENT / ‘DATA IMPORTER’ DETAILS
Name: | Client, being the entity or other person who is a counterparty to the Agreement |
Address: | Client’s address is the address shown in or determined by the Agreement; or if no such address is contained within the Agreement, Client’s principal business trading address – unless otherwise notified to MontPac’s contact point noted above. |
Contact Details for Data Protection: | Relevant contact details shall be those of MontPac’s primary point of contact with Client; or any other contact details notified by Client for the purpose of providing it with financial communications or analysis. Client agrees that it is solely responsible for ensuring that such email addresses are valid and up to date, and direct relevant communications to the appropriate individual within its organization. |
Client Activities: | Client's activities relevant to this DPA are the use and receipt of the service as part of its ongoing business operations under and in accordance with the Agreement. |
Role: |
|
DETAILS OF PROCESSING
Categories of Data Subjects: | Any individuals whose Personal Data is comprised within data submitted to the service by or on behalf of Client under the Agreement, which will be as determined by Client through its use of the service – which may include:
|
Categories of Personal Data: | Any Personal Data comprised within data submitted to the service by or on behalf of Client under the Agreement, which will be as determined by Client through its use of the service – which may include:
|
Sensitive Categories of Data, and associated additional restrictions/safeguards: | Categories of sensitive data:
Client acknowledges that MontPac is unable to distinguish between the various categories of data.
Additional safeguards for sensitive data: See Section 5 of the DPA and Annex 4 (Security Measures) to the DPA. |
Frequency of transfer: | Ongoing for the duration of the engagement of MontPac's service – as initiated by Client in and through its use, or use on its behalf, of the service. |
Nature of the Processing: | Processing operations required in order to provide the service in accordance with the Agreement. |
Purpose of the Processing: | Client Personal Data will be processed: (i) as necessary to provide the service as initiated by Client in its use thereof, and (ii) to comply with any other reasonable instructions provided by Client in accordance with the terms of this DPA. |
Duration of Processing / Retention Period: | For the period determined in accordance with the Agreement and DPA, including Section 10 of the DPA. |
Transfers to (sub) processors: | Transfers to Sub-Processors are as, and for the purposes, described from time to time in the Sub-Processor List (as may be updated from time to time in accordance with Section 8 of the DPA). |
Annex 2
European Annex
1. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
MontPac, taking into account the nature of the Processing and the information available to MontPac, shall provide reasonable assistance to Client, at Client’s cost, with any data protection impact assessments and prior consultations with Supervisory Authorities which Client reasonably considers to be required of it by Article 35 or Article 36 of the GDPR, in each case solely in relation to Processing of Client Personal Data by MontPac.
2. RESTRICTED TRANSFERS
2.1 Entry into Transfer Mechanisms
(a) EEA Restricted Transfers. To the extent that any Processing of Client Personal Data under this DPA involves an EEA Restricted
Transfer from Client to MontPac, the Parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to
be (i) populated in accordance with Section 2.2 of this Annex 2 (European Annex); and (ii) entered into by the Parties and incorporated by
reference into this DPA.
(b) UK Restricted Transfers. To the extent that any Processing of Client Personal Data under this DPA involves a UK Restricted Transfer
from Client to MontPac, the Parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be: (i)
varied to address the requirements of the UK GDPR in accordance with the UK Transfer Addendum and populated in accordance with
Sections 2.2 and 2.3 of this Annex 2 (European Annex); and (ii) entered into by the Parties and incorporated by reference into this DPA.
2.2 Population of SCCs
(a) Signature of SCCs. Where the SCCs apply in accordance with Paragraph 2.1(a) and/or Paragraph 2.1(b) of this Annex 2 (European
Annex), each of the Parties is hereby deemed to have signed the SCCs at the relevant signature block in Annex I to the Appendix to the SCCs.
(b) Modules of SCCs. As and where relevant: Module Two of the SCCs applies to any EEA Restricted Transfer involving Processing of
Personal Data in respect of which Client is a controller in its own right; and/or Module Three of the SCCs applies to any EEA Restricted
Transfer involving Processing of Personal Data in respect of which Client is a processor.
(c) Population of body of SCCs. As and where applicable to the relevant Module and the Clauses thereof: (i) in Clause 7: the ‘Docking
Clause’ is not used; (ii) in Clause 9: ‘Option 2: General Written Authorizations’ applies, and the minimum time period for advance notice of
the addition or replacement of Sub-Processors shall be the advance notice period set out in Section 8.2 of the DPA; (iii) in Clause 11: the
optional language is not used; (iv) in Clause 13: all square brackets are removed and all text therein is retained; (v) in Clause 17: ‘OPTION 1’
applies, and the Parties agree that the SCCs shall be governed by the law of Ireland in relation to any EEA Restricted Transfer; and (vi) in
Clause 18(b): the Parties agree that any dispute arising from the SCCs in relation to any EEA Restricted Transfer shall be resolved by the
courts of Ireland.
(d) Population of Appendix to SCCs. Annex I to the Appendix to the SCCs is populated with the corresponding information detailed in
Annex 1 (Data Processing Details) to the DPA, with: Client being ‘data exporter’; and MontPac being ‘data importer’, and Part C to that Annex
I is populated with: the competent Supervisory Authority shall be determined as follows: (i) where Client is established in an EU Member
State: the competent Supervisory Authority shall be the Supervisory Authority of that EU Member State in which Client is established; and
(ii) where Client is not established in an EU Member State, Article 3(2) of the GDPR applies and Client has appointed an EEA Representative
under Article 27 of the GDPR: the competent Supervisory Authority shall be the Supervisory Authority of the EU Member State in which
Client’s EEA Representative relevant to the Processing hereunder is based (from time-to-time), which Client shall notify to MontPac in
writing – Client agrees that it is solely responsible for making such notification and its accuracy. Annex II shall be populated with reference
to the information contained in or determined by Section 2.3 of the DPA (including the Security Measures).
2.3 UK Restricted Transfers
(a) UK Transfer Addendum. Where relevant in accordance with Section 2.1(b) of this Annex 2 (European Annex), the SCCs apply to any
UK Restricted Transfers as varied by the UK Transfer Addendum in the following manner: (i) ‘Part 1 to the UK Transfer Addendum’: (A) the
Parties agree: Tables 1, 2 and 3 to the UK Transfer Addendum are deemed populated with the corresponding details set out in Annex 1 (Data
Processing Details) to the DPA and Section 2.2 of this Annex 2 (European Annex); and (B) Table 4 to the UK Transfer Addendum is
completed with ‘Data Importer’ only; and (ii) ‘Part 2 to the UK Transfer Addendum’: the Parties agree to be bound by the UK Mandatory
Clauses of the UK Transfer Addendum and that the SCCs shall apply to any UK Restricted Transfers as varied in accordance with those
Mandatory Clauses.
(b) Interpretation. As permitted by section 17 of the UK Mandatory Clauses, the Parties agree to the presentation of the information
required by ‘Part 1: Tables’ of the UK Transfer Addendum in the manner determined by 2.3(a) of this Annex 2 (European Annex); provided
that the Parties further agree that nothing in the manner of that presentation shall operate or be construed so as to reduce the Appropriate
Safeguards (as defined in section 3 of the UK Mandatory Clauses). In relation to any UK Restricted Transfer to which they apply, where the
context permits and requires, any reference in the DPA to the SCCs, shall be read as a reference to those SCCs as varied in the manner set out
in this Section 2.3 of this Annex 2 (European Annex).
2.4 Operational Clarifications
(a) When complying with its transparency obligations under Clause 8.3 of the SCCs, Client agrees that it shall not provide or otherwise
make available, and shall take all appropriate steps to protect MontPac’s and its licensors’ trade secrets, business secrets, confidential
information and/or other commercially sensitive information.
(b) Where applicable, for the purposes of Clause 10(a) of Module Three of the SCCs, Client acknowledges and agrees that there are no
circumstances in which it would be appropriate for MontPac to notify any third-party controller of any Data Subject Request and that any
such notification shall be the sole responsibility of Client.
(c) For the purposes of Clause 15.1(a) of the SCCs, except to the extent prohibited by applicable law and/or the relevant public
authority, as between the Parties, Client agrees that it shall be solely responsible for making any notifications to relevant Data Subject(s) if
and as required.
(d) The terms and conditions of Section 8 of the DPA apply in relation to MontPac’s appointment and use of Sub-Processors under the
SCCs. Any approval by Client of MontPac’s appointment of a Sub-Processor that is given expressly or deemed given pursuant to that Section
8 constitutes Client’s documented instructions to effect disclosures and onward transfers to any relevant Sub-Processors if and as required
under Clause 8.8 of the SCCs.
(e) The audits described in Clauses 8.9(c) and 8.9(d) of the SCCs shall be subject to any relevant terms and conditions detailed in
Section 9 of the DPA.
(f) Certification of deletion of Personal Data as described in Clauses 8.5 and 16(d) of the SCCs shall be provided only upon Client’s
written request.
(g) In respect of any given Restricted Transfer, if requested of Client by a Supervisory Authority, Data Subject or further Controller
(where applicable) – on specific written request (accompanied by suitable supporting evidence of the relevant request), MontPac shall
provide Client with an executed version of the relevant set(s) of SCCs responsive to the request made of Client (amended and populated in
accordance with relevant provisions of this DPA in respect of the relevant Restricted Transfer) for countersignature by Client, onward
provision to the relevant requestor and/or storage to evidence Client’s compliance with Applicable Data Protection Laws.
Annex 3
State Privacy Laws Annex
- In this Annex 3, the terms “business,” “business purpose,” “commercial purpose,” “consumer,” “sell,” “share,” and “service
provider” shall have the respective meanings given thereto in the CCPA; and “personal information” shall mean Client Personal
Data that constitutes “personal information” as defined in and that is subject to the State Privacy Laws.
- The business purposes and services for which MontPac is Processing personal information are for MontPac to provide the service
to and on behalf of Client as set forth in the Agreement, as described in more detail in Annex 1 (Data Processing Details) to the DPA.
- It is the Parties’ intent that with respect to any personal information, MontPac is a service provider. MontPac (a) acknowledges that
personal information is disclosed by Client only for limited and specific purposes described in the Agreement; (b) shall comply with
applicable obligations under the State Privacy Laws and shall provide the same level of privacy protection to personal information
as is required by the State Privacy Laws; (c) agrees that Client has the right to take reasonable and appropriate steps under and
subject to Section 9 (Audits) of the DPA to help ensure that MontPac’s use of personal information is consistent with Client’s
obligations under the State Privacy Laws; (d) shall notify Client in writing of any determination made by MontPac that it can no
longer meet its obligations under the State Privacy Laws; and (e) agrees that Client has the right, upon notice, including pursuant to
the preceding clause, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.
- MontPac shall not (a) sell or share any personal information; (b) retain, use or disclose any personal information for any purpose
other than for the business purposes specified in the Agreement, including retaining, using, or disclosing the personal information
for a commercial purpose other than the business purpose specified in the Agreement, or as otherwise permitted by State Privacy
Laws; (c) retain, use or disclose the personal information outside of the direct business relationship between MontPac and Client;
or (d) combine personal information received pursuant to the Agreement with personal information (i) received from or on behalf
of another person, or (ii) collected from MontPac’s own interaction with any consumer to whom such personal information
pertains except as and to the extent necessary as a part of MontPac’s provision of the service. MontPac hereby certifies that it
understands its obligations under this Section 4 and will comply with them.
- MontPac shall implement reasonable security procedures and practices appropriate to the nature of the personal information
received from, or on behalf of, Client, in accordance with Section 5 (Security Measures) of the DPA.
- When MontPac engages any Sub-Processor, MontPac shall notify Client of such Sub-Processor engagements in accordance with
Section 8 (Sub-Processing) of the DPA and that such notice shall satisfy MontPac’s obligation under the State Privacy Laws to give
notice of and an opportunity to object to such engagements.
- MontPac agrees that Client may conduct audits, in accordance with Section 9 of the DPA, to help ensure that MontPac’s use of
personal information is consistent with MontPac’s obligations under the State Privacy Laws.
- The parties acknowledge that MontPac’s retention, use and disclosure of personal information authorized by Client’s instructions
documented in the Agreement and DPA are integral to MontPac’s provision of the service and the business relationship between
the Parties.
Annex 4
Security Measures
As from the Effective Date, MontPac will implement and maintain the Security Measures as set out in this Annex 4.
1. Organizational management and staff responsible for the development, implementation and maintenance of MontPac’s information security program.
2. Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to MontPac’s organization,
monitoring and maintaining compliance with MontPac’s policies and procedures, and reporting the condition of its information security and
compliance to internal senior management.
3. Data security controls which include at a minimum logical segregation of data, restricted (e.g., role-based) access and monitoring,
and utilization of commercially available and industry standard encryption technologies for Client Personal Data.
5. Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job
functions.
6. Password controls designed to manage and control password strength, expiration and usage.
7. System audit or event logging and related monitoring procedures to proactively record user access and system activity.
8. Physical and environmental security of production resources relevant to the service is maintained by the relevant Sub-Processor(s)
(and their vendors) engaged from time-to-time by MontPac to host those resources. MontPac takes steps to ensure that such Sub-Processors
provide appropriate assurances and certifications that evidence such physical and environmental security – including security of data
center, server room facilities and other areas containing Client Personal Data designed to:
(a) protect information assets from unauthorized physical access,
(b) manage, monitor and log movement into and out of Sub-Processor facilities, and
(c) guard against environmental hazards such as heat, fire and water damage.
9. Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information
systems, including secure disposal of systems and media to render all information or data contained therein as undecipherable or
unrecoverable prior to final disposal or release from MontPac’s possession.
10. Change management procedures and tracking mechanisms designed to test, approve and monitor all material changes to
MontPac’s technology and information assets.
11. Incident management procedures designed to allow MontPac to investigate, respond to, mitigate and notify of events related to
MontPac’s technology and information assets.
12. Network security controls that provide for the use of enterprise firewalls and intrusion detection systems designed to protect
systems from intrusion and limit the scope of any successful attack.
13. Vulnerability assessment and threat protection technologies and scheduled monitoring procedures designed to identify, assess,
mitigate and protect against identified security threats, viruses and other malicious code.
14. Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disasters.
MontPac may freely update or modify these Security Measures from time to time provided that such updates and modifications do not materially decrease the overall security of service and/or relevant Client Personal Data.