Data Processing Agreement

Effective date 26 October 2023

INTRODUCTION

This data processing agreement (“DPA”) forms part of and is incorporated into the Customer Agreement between the Customer and the Company (the “Agreement”) for the provision and use of BoardOutlook and related services (the “Services”). Any capitalised terms in this DPA which are not otherwise defined shall have the meaning given in the Agreement. In the event of any conflict between any terms of the Agreement and this DPA, this DPA shall take priority. This DPA shall apply to the extent that the Company Processes any Personal Data on behalf of the Customer in relation to the Services.

1. DEFINITIONS

a. In this DPA, the following terms shall have the following meanings:

b. “Business Day” means any day which is not a Saturday, Sunday or public holiday in the UK;

c. “Data Protection Law” means any applicable laws relating to the protection of personal data, including without limitation: (i) the EU General Data Protection Regulation 2016/679 (“GDPR”); (ii) the GDPR as it forms part of the law of England and Wales by virtue of the European Union (Withdrawal) Act 2018 (“UK GDPR”); and (iii) the Data Protection Act 2018, all as may be amended or superseded from time to time;

d. “Sub-processor” means any Processor engaged by the Company to Process Personal Data on behalf of the Customer; and

e. The terms “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor” and “Supervisory Authority” shall have the meaning given, or equivalent meaning given, under Data Protection Law (and “Process” and “Processes” shall be construed accordingly).

2. DATA PROTECTION

a. The parties agree that the Customer is the Controller and the Company is the Processor of any Personal Data that the Company Processes on behalf of the Customer in relation to the Services. Each party shall comply with its obligations under Data Protection Law.

b. The Customer warrants and represents that it has the authority, rights and consents necessary to enable the Company to Process the Personal Data in accordance with the Data Protection Law for the purposes of this DPA. The Customer shall ensure that the relevant Data Subjects have been informed of, and (if applicable) have given their consent, and that the Customer has an appropriate legal ground for the Processing of Personal Data for the purposes of this DPA as required by Data Protection Law.

c. The Customer shall ensure that all instructions to the Company comply with Data Protection Laws.

d. Without prejudice to clause 2.a., in respect of any Processing of Personal Data on behalf of the Customer pursuant to the Agreement, the Company will:

i. only Process the Personal Data on the documented instructions from the Customer, unless required to do so by applicable law to which the Company is subject; in such case, the Company shall inform the Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. The Company shall immediately inform the Customer if, in its reasonable opinion, an instruction infringes Data Protection Law. The parties agree that the description of Processing at Schedule 1 of this DPA is an accurate description of the Processing undertaken in relation to the Services;

ii. ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

iii. taking into account the state of technical development and the nature of Processing, implement appropriate technical and organisational measures to protect the Personal Data against accidental or unlawful destruction, loss, alteration and unauthorised disclosure or access;

iv. taking into account the nature of the Processing, assist the Customer, at the Customer’s cost, by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests from any Data Subject for access, rectification or erasure of the Personal Data, or any objection to Processing. In no event shall the Company be obliged to respond directly to any such request unless specifically required to do so by law;

v. provide such assistance, at the Customer’s cost, as the Customer reasonably requires in ensuring compliance with the Customer’s obligations pursuant to Articles 32 to 36 of the UK GDPR and/or GDPR (security of Processing, breach notification; data protection impact assessments and prior consultations) taking into account the nature of the Processing and the information available to the Company;

vi. at the choice of the Customer, securely delete or return the Personal Data to the Customer after the end of the provision of Services relating to Processing, unless applicable law or regulation requires storage of the Personal Data;

vii. at the cost of the Customer and upon reasonable notice, make available to the Customer information necessary to demonstrate compliance with the obligations laid down in this DPA. The Customer acknowledges that the BoardOutlook product is hosted by the Company’s hosting Sub-processors who maintain independently validated security programs (including SOC 2 and ISO 27001) and that the Company’s systems undergo an annual privacy and data review and are tested by independent third party penetration testing firms. Upon request, the Company will supply (on a confidential basis) its privacy and data report and summary copies of the penetration testing report(s) to the Customer to verify the Company’s compliance with this DPA. Further, at the Customer’s written request, the Company will provide written responses (on a confidential basis) to all reasonable requests for information made by the Customer necessary to confirm the Company’s compliance with this DPA, provided that the Customer does not exercise this right more than once per calendar year unless the Customer has reasonable grounds to suspect non-compliance with the DPA. Only if the Customer’s concerns cannot reasonably be satisfied by the privacy and data report and/or replies to further information requests from the Customer, the Company will allow for and contribute to an audit, including inspection, conducted by the Customer or another auditor mandated by the Customer. The Customer may only exercise this right once per calendar year and upon reasonable notice. The parties shall discuss and agree in advance on the reasonable start date, scope and duration of, and security and confidentiality controls applicable to, any audit, and the Customer shall take all necessary steps to minimise the disruption to the Company’s business. Any information obtained pursuant to an audit shall be deemed to be the confidential information of the Company;

viii. only transfer Personal Data outside of the UK and/or EEA in accordance with requirements of Data Protection Law, except where the Company is required to transfer the Personal Data by the laws of the UK, member states of the EU or EU law (and shall inform the Customer of that legal requirement before the transfer, unless those laws prevent it doing so);

ix. notify the Customer without undue delay and in writing if the Company becomes aware of a Personal Data Breach involving the Customer’s Personal Data, together with particulars of the breach to the extent available to the Company; and

x. promptly inform the Customer if the Company receives any request or complaint from a Supervisory Authority relating to the Personal Data.

3. SUB-PROCESSORS

a. The Company shall be generally authorised by the Customer to engage the Sub-processors listed here subject to the Company notifying the Customer of any intended changes concerning the addition or replacement of a Sub-processor by updating the webpage and providing the Customer with a mechanism to subscribe to email notifications of such changes at least fifteen (15) days in advance of the change being made. The Customer may object in writing to any such changes within ten (10) Business Days of receiving the email notification on reasonable grounds relating to data protection. If the Customer does not subscribe to receive such notifications or does not raise an objection in accordance with this clause 3.a., the Customer is deemed to have accepted the change and the Company may appoint the Sub-processor.

b. The Company shall remain liable to the Customer for the acts and omissions of each Sub-processor and shall enter into a written agreement with each Sub-processor on substantially similar terms to this DPA.

4. LIABILITY

a. Each party’s liability arising out of or related to this DPA, whether in contract, tort or otherwise, is subject to the limitations and exclusions of liability contained within the Agreement.

5. GENERAL

a. This DPA shall terminate upon the expiry or termination of the Agreement or, if earlier, the Company ceases to Process Personal Data on behalf of the Customer.

b. Except as set out in this DPA, the Agreement shall continue in full force and effect.

Schedule 1

Data Processing Instruction

Purpose(s) of data Processing

The purpose of the data Processing is to fulfil the objectives of the Agreement between the Company and the Customer, in particular delivery of the Services as contemplated under the Agreement and this DPA.

Subject matter of the Processing

The subject matter of the Processing is to enable the Customer to receive the value of the Services as contemplated under the Agreement and this DPA, including enabling the Company to deliver support, customer success and the Services, including enabling the security of the Services to be provided to the Customer.

Period Personal Data will be retained (if that is not possible, the criteria used to determine that period)

Unless agreed otherwise in writing, personal data will be retained for the duration of the Agreement, subject to clause 2.d.vi. of this DPA.

Categories of data subjects

Individuals about whom data is uploaded to BoardOutlook or the Site by (or at the direction of) the Controller or by Users, Board Administrators, and other participants whom the Controller has granted the right to access BoardOutlook in accordance with the provisions of the Agreement including but not limited to:

Categories of personal data

Data relating to individuals uploaded to BoardOutlook or the Site by, or at the direction of, the Controller or by Users, Board Administrators, and other participants whom the Controller has granted the right to access BoardOutlook in accordance with the provisions of the Agreement. The Personal Data includes but is not limited to:

● Title

● Contact details including email and phone

Special categories of data (if applicable)

The Company does not store special category Personal Data. Customers should not provide information that is considered special categories of Personal Data to the Company, including information about racial or ethnic origin, political opinions, religious beliefs, trade union membership, health data, genetic data, biometric data for the purpose of uniquely identifying a natural person, or sexual life or orientation.