Singlewire Software, LLC
Data Processing Addendum

This Data Processing Addendum (“DPA“) is incorporated into, and supplements, the applicable Agreement(s)s between Singlewire Software, LLC (“Singlewire“) and Customer governing Singlewire’s provision, and Customer’s receipt of the Services (collectively, the “Agreement“).

This DPA is an agreement between Singlewire and the entity who receives the Services from Singlewire pursuant to an Agreement that incorporates this DPA (“Customer“) and is effective as of the date this DPA is incorporated into such Agreement (the “DPA Effective Date“). Customer and Singlewire are each referred to herein as a “Party” and collectively as the “Parties”.

1.          DEFINITIONS

For purposes of this DPA, the following capitalized terms shall have the meanings ascribed thereto. Other capitalized terms used in this DPA are defined in the context in which they are used and shall have the meanings indicated. Capitalized terms which are not defined herein shall have the meanings ascribed to them in the applicable Agreement(s).

1.1        “Adequate Country” means: (1) for Personal Data Processed subject to the EU GDPR: (a) a member state of the EEA; or (b) a country or territory that is the subject of an adequacy decision by the Commission under Article 45(1) of the EU GDPR (“EU Adequate Countries“); (2) for Personal Data Processed subject to the UK GDPR: (a) the UK; or (b) a country or territory that is the subject of the adequacy regulations under Article 45(1) of the UK GDPR and Section 17A of the UK DPA (“UK Adequate Countries“); or (3) for Personal Data Processed subject to the Swiss FADP: (a) Switzerland; or (b) a country or territory that: (i) is included in the list of the states whose legislation ensures an adequate level of protection as published by the Swiss Federal Data Protection and Information Commissioner; or (ii) is the subject of an adequacy decision by the Swiss Federal Council under the Swiss FADP (“Swiss Adequate Countries“).

1.2        “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et. seq. and its implementing regulations, each as amended from time to time, including, without limitation, as amended by the California Privacy Rights Act of 2020.

1.3        “Controller” means the natural or legal person or entity who determines the purposes and means of the Processing of Personal Data.

1.4        “CPA” means the Colorado Privacy Act, Colo. Rev. Stat. § 6-1-1301 et. seq. and its implementing regulations, each as amended from time to time.

1.5        “CTDPA” means the Connecticut Data Privacy Act, Conn. Gen. Stat. § 45-151 et. seq., as amended from time to time.

1.6        “Customer Instructions” means Customer’s instructions to Singlewire to Process Customer Personal Data on Customer’s behalf: (1) as necessary to provide the Services to Customer; (2) as documented in the applicable Agreement(s) and this DPA; and (3) as otherwise instructed by Customer in writing and acknowledged and agreed by Singlewire.

1.7        “Customer Personal Data” means any Personal Data Processed by Singlewire on behalf of Customer via Singlewire’s provision  of the Services. Notwithstanding anything to the contrary herein, Customer Personal Data does not include any Operational Data.

1.8        “Data Protection Law” means all laws, rules, regulations, and orders issued thereunder relating in any way to data protection, breach notification, privacy, or electronic marketing of any country, state, principality, or other territory that are applicable to the Processing of Customer Data under the Agreement, which may include, where applicable and without limitation, CCPA, CPA, CTDPA, the European Privacy Laws, FERPA, PIPEDA, and/or VCDPA.

1.9        “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.

1.10     “Data Subject Request” means a request from an individual seeking to exercise rights granted to individuals under the Data Protection Laws.

1.11     “Europe” means, for the purposes of this DPA, the European Union, the European Economic Area (“EEA”), and/or their respective member states; the United Kingdom; and Switzerland.

1.12     “European Privacy Laws” means all data protection laws and regulations applicable to Europe, each as amended from time to time, including: (1) with respect to the European Union, the EEA, and/or their respective member states: (a) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (“EU GDPR”); (b) Directive 2002/58/EC concerning the Processing of Personal Data and protection of privacy in the electronic communications sector (the “E-Privacy Directive“); and/or (c) applicable national implementations of the EU GDPR and the E-Privacy Directive; (2) with respect to Switzerland, the Federal Act on Data Protection of June 19, 1992 (“Swiss FADP“); and (3) with respect to the United Kingdom: (a) the Data Protection Act of 2018 (“UK DPA“); and (b) the retained EU law version of the General Data Protection Regulation as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments, etc.) (EU Exit) Regulations 2019 (SI 2019/419) (“UK GDPR“).

1.13     “FERPA” means the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g) and the Family Educational Rights and Privacy Act Regulations (34 CFR Part 99), as amended or otherwise modified from time to time.

1.14     “Operational Data” means any Customer Personal Data and any other data or information related to Customer’s use of the Services that is aggregated and deidentified by or on behalf of Singlewire in a manner that complies with any requirements under applicable law relating to the nature and effect of such aggregation and deidentification, and, in all cases, does not, as applicable, identify the source of such Customer Personal Data or other data or information, or with respect to any Customer Personal Data, any individual to whom such Customer Personal Data relates. For clarity, Operational Data includes, without limitation, aggregated and deidentified statistical and performance information and data created, derived, or otherwise generated in connection with Singlewire’s provision and operation, and Customer’s use of the Services.

1.15     “Personal Data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable Data Subject.

1.16     “PIPEDA” means the Canadian Information Protection and Documents Act, as amended from time to time.

1.17     “Processing” (including corollary terms) means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, including, without limitation, collection, recording, organization, structuring, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

1.18     “Processor” means the entity which Processes Personal Data on behalf of the Controller, or, as applicable, on behalf of a Processor.

1.19     “Restricted Transfer” means: (1) for Personal Data subject to the EU GDPR, the transfer of such Personal Data to, or making such Personal Data available for Processing in, any country, territory, or other jurisdiction that is not an EU Adequate Country (an “EU Restricted Transfer”); (2) for Personal Data subject to the UK GDPR, the transfer of such Personal Data to, or making such Personal Data available for Processing in, any country, territory, or other jurisdiction that is not a UK Adequate Country (a “UK Restricted Transfer”); and/or (3) for Personal Data subject to the Swiss FADP, the transfer of such Personal Data to, or making such Personal Data available for Processing in, any country, territory, or other jurisdiction that is not a Swiss Adequate Country (a “Swiss Restricted Transfer”).

1.20     “Security Breach” means a breach of Singlewire’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data on systems managed or otherwise controlled by Singlewire.

1.21     “Security Documentation” means the security documents applicable to the specific Services provided to Customer, as updated from time to time and as made reasonably available to Customer by Singlewire.

1.22     “Services” means those services provided by Singlewire to Customer pursuant to an Agreement where, in the performance of such services, Singlewire Processes Customer Personal Data on behalf of Customer as a Processor.

1.23     “Standard Contractual Clauses” means, generally or as context otherwise dictates: (1) where the EU GDPR or the Swiss FADP applies, the contractual clauses annexed to the Commission’s implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs“); and (2) where the UK GDPR applies, the “UK Addendum to EU Standard Contractual Clauses” issued by the Information Commissioner’s Office under the UK DPA (“UK Addendum“).

1.24     “Sub-Processor” means a Processor engaged by Singlewire to Process Customer Personal Data on Customer’s behalf under the applicable Agreement(s) and this DPA. Sub-Processors may include third parties or Singlewire’s Affiliates but will not include any Singlewire employee or consultant. For clarity, any independent Processor to whom Customer instructs Singlewire to provide Customer Personal Data shall not be considered a Sub-Processor under this DPA.

1.25     “Supervisory Authority” means any applicable federal, state, or local government within the United States, or any departmental or other political subdivision thereof, or any entity, body, or authority within the United States having or asserting executive, legislative, judicial, regulatory, administrative, or other governmental functions of any court, department, commission, board, bureau, agency, or instrumentality of any of the foregoing, responsible for or involved in the enforcement and/or oversight of the Data Protection Laws.

1.26     “VCDPA” means the Virginia Consumer Data Protection Act, Va. Code § 59.1-575 et. seq., as amended from time to time.

2.          SCOPE OF DPA

2.1        Role of the Parties. As between Singlewire and Customer, Customer shall be the Controller and Singlewire shall be the Processor with respect to Customer Personal Data Processed by Singlewire on Customer’s behalf in connection with Singlewire’s provision of the Services and the Customer Instructions.

2.2        Purpose of Processing. The specific business purpose for which Singlewire Processes Customer Personal Data on Customer’s behalf pursuant to the applicable Agreement(s) and this DPA is to enable Singlewire’s provision and operation, and Customer’s use, of the Services during the term of the applicable Agreement(s). Customer’s disclosure of Customer Personal Data to Singlewire is only for the limited and specified business purpose(s) set forth in the applicable Agreement(s) and this DPA.

2.3        Limitation of Obligations. Notwithstanding anything to the contrary in the applicable Agreement(s) or this DPA, Customer acknowledges and agrees that Singlewire has no obligation to assess Customer Personal Data in order to identify information subject to any legal requirements. Customer further acknowledges and agrees that this DPA, and Singlewire’s actions under this DPA, do not, and shall not be interpreted to, relieve Customer of its obligations under the Data Protection Laws and Customer shall be solely responsible for its compliance therewith.

2.4        Exclusions. Customer expressly agrees that any Personal Data Processed by or on behalf of Singlewire in its role as a Controller is not subject to this DPA. Further, the Parties agree that with respect to any Personal Data to which each party is a Controller, the Parties are independent Controllers with respect to such Personal Data.

2.5        Operational Data. Notwithstanding anything to the contrary in the applicable Agreement(s) or this DPA, Customer acknowledges and agrees that Singlewire is permitted, subject to compliance with applicable Data Protection Laws, to create, collect, generate, or otherwise obtain Operational Data through or in connection with Singlewire’s provision and operation, and Customer’s use, of the Services. Customer further acknowledges and agrees that Customer shall not acquire any right, title, or interest in or to any Operational Data.

3.          CUSTOMER OBLIGATIONS

3.1        Compliance. Customer shall comply with the applicable Agreement(s), this DPA, and the Data Protection Laws in connection with the Processing of Personal Data applicable to Customer as a Controller, including, without limitation:

(a)   providing legally-compliant privacy notices to, and obtaining all necessary consents and permissions from, Data Subjects with respect to the Processing of such Data Subjects’ Personal Data included within the Customer Personal Data;

(b)   responding to and fulfilling Data Subject Requests in accordance with applicable Data Protection Laws; and

(c)    ensuring Customer has the right to disclose to Singlewire, or provide Singlewire with access to, Customer Personal Data for the purpose of Singlewire Processing the Customer Personal Data on Customer’s behalf as contemplated under the applicable Agreement(s), this DPA, and the Customer Instructions.

3.2        Accuracy and Quality of Customer Personal Data. Customer shall have the sole responsibility for the accuracy and quality of the Customer Personal Data provided by Customer to Singlewire for Processing through or in connection with the Services and complying with all applicable laws, including, without limitation, the Data Protection Laws, with respect to the means by which Customer acquired such Customer Personal Data.

3.3        Customer Instructions. Customer shall be solely responsible for ensuring that all Customer Instructions comply with all applicable laws, including, without limitation, the Data Protection Laws.

3.4        Data Localization Requirements. Without limiting anything set forth in the applicable Agreement(s) or this DPA, Customer shall notify Singlewire of any data localization requirement or restriction on the transfer of Customer Personal Data to the extent that such requirement or restriction may affect Singlewire’s Processing of such Customer Personal Data in accordance with the applicable Agreement(s), this DPA, or the Customer Instructions.

3.5        Additional Obligations for Student Information. Without limiting anything otherwise set forth in the applicable Agreement(s)s or this DPA, in the event Customer Personal Data includes information that is protected under, or otherwise subject to, FERPA and/or other similar federal or state laws pertaining to the privacy and security of student information (such information is collectively referred to herein as “Student Information” and such laws are collectively referred to herein as “Student Privacy Laws“), Customer shall notify Singlewire thereof. Further, in addition to, and not in lieu of, any other applicable obligations or requirements under the applicable Agreement(s) or this DPA, Customer’s obligations with respect to the Processing of any such Student Information shall include the following:

(a)   Customer shall comply with all applicable Student Privacy Laws. Without limiting the foregoing, Customer represents, warrants and covenants to Singlewire that, as applicable, Customer has:

(1)   complied with the Directory Information (as defined under FERPA) or similar exemption under the applicable Student Privacy Laws, including, without limitation, informing, as applicable, students or parents what information Customer deems to be Directory Information and that such Directory Information may be disclosed, and allowing, as applicable, students or parents a reasonable amount of time to request Customer not disclose Directory Information about such student, and, if applicable, Customer shall not provide Singlewire any Directory Information for any student that has opted out of the disclosure of such student’s Directory Information;

(2)   complied with the School Official (as defined under FERPA) exemption or similar exemption under the applicable Student Privacy Laws, including, without limitation, in Customer’s annual notification of FERPA rights, defining “school official” to include service providers and defining “legitimate educational interest” to include services such as the type provided by Singlewire; and

(3)   obtained all necessary written consent from, as applicable, students or parents to provide Student Information to Singlewire to enable Singlewire to provide the applicable Services.

(b)   Customer shall employ administrative, physical and technical safeguards consistent with industry standards designed to protect usernames, passwords and any other means of gaining access to the Services and/or hosted data from unauthorized access, disclosure or acquisition by an unauthorized person.

(c)    Without limiting anything set forth in the applicable Agreement(s) or this DPA, except as otherwise agreed by the Parties, Customer will only provide Student Information to Singlewire where, and solely to the extent, necessary to enable Singlewire to provide the applicable Services.

4.          SINGLEWIRE OBLIGATIONS

4.1        Compliance.

(a)   Singlewire shall comply with the applicable Agreement(s), this DPA, the Customer Instructions and the applicable provisions of the Data Protection Laws, including, without respect to any Customer Personal Data collected by Singlewire pursuant to the applicable Agreement(s) or this DPA, providing the same level of privacy protection required of Customer as a Controller under the applicable Data Protection Laws.

(b)   Singlewire shall only Process Customer Personal Data as specified in the applicable Agreement(s), this DPA and the Customer Instructions or as otherwise permitted under applicable Data Protection Laws. In the event applicable law to which Singlewire is subject requires Singlewire to undertake other Processing of Customer Personal Data, Singlewire will notify Customer (unless otherwise prohibited by such applicable law) before undertaking such other Processing.

4.2        Restrictions. Without limiting anything set forth in the applicable Agreement(s) or this DPA, Singlewire shall not:

(a)   sell or share (as and to the extent such term is defined in the Data Protection Laws) Customer Personal Data;

(b)   retain, use, or disclose Customer Personal Data for any purpose other than the business purposes specified in the applicable Agreement(s) or this DPA, including, retaining, using, or disclosing Customer Personal Data for a commercial purpose other than the applicable business purposes or as otherwise permitted under the Data Protection Laws;

(c)    retain, use, or disclose Customer Personal Data outside of the direct relationship between Singlewire and Customer except as necessary to perform the Services under the applicable Agreement(s) or otherwise pursuant to the Customer Instructions; and/or

(d)   combine the Customer Personal Data Singlewire receives from or on behalf of Customer with Personal Data Singlewire receives from or on behalf of any third party or collects through Singlewire’s own interactions with Data Subjects, provided that Singlewire may combine Customer Personal Data with other Personal Data to perform any business purpose as defined or permitted under the Data Protection Laws where applicable.

4.3        Certification. Singlewire certifies to Customer that Singlewire:

(a)   understands and will comply with the foregoing restrictions placed on Singlewire’s Processing of Customer Personal Data, including complying with applicable obligations under the Data Protection Laws; and

(b)   will notify Customer without undue delay if Singlewire is or is likely to become unable to substantially comply with any of Singlewire’s material obligations under this DPA or applicable Data Protection Laws.

4.4        Student Information. In addition to, and not in lieu of, any other applicable obligations or requirements under the applicable Agreement(s) or this DPA, Singlewire’s obligations with respect to any Processing of Student Information undertaken by Singlewire through or in connection with the Services shall include the following:

(a)   Singlewire will comply with all applicable Student Privacy Laws.

(b)   Singlewire will not:

(1)   collect, retain, use, or disclose Student Information for any purpose other than the specific purpose of performing the Services specified in the applicable Agreement(s), provided that, subject to Singlewire’s compliance with applicable Student Privacy Laws, Singlewire may aggregate, de-identify or otherwise anonymize any Student Information (“Operational Student Information“) and shall own any such Operational Student Information;

(2)   engage in targeted advertising or retargeting to students or parents using the Student Information;

(3)   use Student Information, including persistent unique identifiers, created or gathered by the Services to amass a profile about a student;

(4)   sell Student Information; or

(5)   disclose Student Information, unless required by law, for legitimate research purposes or as part of the maintenance, development, support, operation or improvement of the Services in accordance with applicable law.

For clarity, the foregoing shall not prohibit Singlewire from using Student Information to provide the Services or as otherwise permitted under the applicable Agreement(s) or this DPA.

(c)    As soon as reasonably practicable, and in any event, except as otherwise required under applicable laws or as otherwise provided under the applicable Agreement(s), within ninety (90) days, after the expiration or termination of the applicable Agreement(s) or any applicable Service provided under the applicable Agreement(s), Singlewire will delete all applicable Student Information (including existing copies) in Singlewire’s possession or under its reasonable control in accordance with applicable law; provided, however, Customer acknowledges and agrees that Singlewire will security erase or destroy any Student Information stored on Singlewire’s backup or archive systems within six (6) months after the expiration or earlier termination of the applicable Agreement. For clarity, the foregoing shall not apply, without limitation, to Operational Student Information.

(d)   For parent or eligible student requests regarding Student Information:

(1)   Singlewire will provide commercially reasonable assistance to Customer for the fulfillment of Customer’s obligations to respond to student requests regarding Student Information, including requests related to access, correction or deletion of such Student Information. For clarity, Customer acknowledges that Singlewire may, but is not required to, comply with its obligations to provide such commercially reasonable assistance to Customer by making appropriate features and functionalities available to Customer through the Services that enable Customer to engage in or facilitate Customer’s response to the foregoing requests. Without limiting the foregoing: (1) Customer shall establish reasonable procedures by which a parent or eligible student may access, correct, or delete Student Information; and (2) Singlewire may, but has no obligation to, enable parents or eligible students to access (but not correct or delete) Student Information based on a direct request received by Singlewire from a parent or eligible student, provided, with respect to any requests provided by a parent, the foregoing shall only apply to a verified parent.

(2)   Except as otherwise provided herein, should a third party (other than a Sub-Processor), including, but not limited to, law enforcement or other government entities (a “Requesting Party“) contact Singlewire with a request for Student Information, Singlewire will advise the Requesting Party to request the Student Information directly from Customer and will not provide the requested Student Information to the Requesting Party, unless and to the extent Singlewire reasonably believes it is compelled to grant such access to the Requesting Party because the disclosure is necessary: (1) pursuant to a court order or legal process; (2) to comply with statutes or regulations; (3) enforce the applicable Agreement(s); or (4) to protect the rights, property, or personal safety of Singlewire’s users, employees or others. Singlewire will notify Customer in advance of a compelled disclosure to a Requesting Party unless Singlewire is lawfully directed by the Requesting Party not to inform Customer of the request or as otherwise prohibited under applicable laws.

(e) Customer agrees to utilize administrative, physical and technical safeguards designed to protect Student Information from unauthorized access, disclosure, acquisition, destruction, use or modification.

(f)    Where required by law, Student Information shall be stored within the United States. Upon Customer’s request, Singlewire will provide Customer a list of the locations where Student Information is stored.

(g)   Customer acknowledges and agrees that Singlewire may engage Sub-Processors to perform the Services. Where Singlewire engages any such Sub-Processor to Process Student Information, Singlewire will:

(1)   impose data protection terms on such Sub-Processor that provide the same level of protection for Student Information as those specified in this DPA, to the extent applicable to the nature of the services provided by such Sub-Processor;

(2)   Singlewire will remain responsible for all obligations assigned to, and all acts and omissions of, each Sub-Processor with respect to such Sub-Processor’s Processing of Student Information; and

(3)   upon Customer’s reasonable written request, provide relevant information to Customer about each such Sub-Processor’s Processing of Student Information.

5.          RIGHTS OF DATA SUBJECTS

5.1        Notification of Requests. In the event Singlewire receives a Data Subject Request in relation to Customer Personal Data and the request identifies Customer as the Controller, to the extent reasonably possible, Singlewire will, subject to compliance with applicable Data Protection Laws, at its option and in its discretion, advise the Data Subject to submit their request to Customer or notify Customer of such Data Subject Request. Customer will be responsible for responding to and fulfilling any Data Subject Request.

5.2        Singlewire’s Assistance. Taking into account the nature of the Processing of Customer Personal Data undertaken by Singlewire, Singlewire will provide reasonable assistance to Customer, through Singlewire’s appropriate technical and organizational measures, insofar as this is possible, in the fulfillment of Customer’s obligations to respond to a Data Subject Request under the Data Protection Laws as a Controller.

5.3        Data Subject Requests Seeking Deletion. Except as otherwise provided in the applicable Agreement(s) or this DPA, Singlewire will promptly delete, or subject to Singlewire’s compliance with applicable Data Protection Laws, aggregate, anonymize or de-identify Customer Personal Data upon Customer’s request in connection with an applicable Data Subject Request, unless applicable law, including, without limitation, any applicable Data Protection Laws, requires Singlewire to retain such Customer Personal Data.

6.          DISCLOSURES OF CUSTOMER PERSONAL DATA BY SINGLEWIRE

6.1        Singlewire Personnel. Singlewire shall take reasonable steps to ensure the reliability and confidentiality of any employee, agent, or contractor who Singlewire provides access to Customer Personal Data, ensuring that access is strictly limited to those individuals who need to access the relevant Customer Personal Data for the purposes of providing the Services and as otherwise necessary to comply with Singlewire’s obligations under the applicable Agreement(s), this DPA, the Customer Instructions, and applicable laws.

6.2        Third Parties. Singlewire may disclose Customer Personal Data to third parties: (1) as permitted under the applicable Agreement(s), this DPA, and in accordance with Customer Instructions or as otherwise necessary to perform the Services; (2) to the extent required by applicable law (subject to compliance with the Data Protection Laws); (3) to a Supervisory Authority and/or as otherwise required by the Data Protection Laws; and (4) on a “need-to-know” basis under an obligation of confidentiality or professional secrecy to its legal counsel(s), data protection advisor(s), and accountant(s).

7.          SUB-PROCESSORS

7.1        Consent to Sub-Processor Engagement. Customer specifically authorizes Singlewire to engage as Sub-Processors: (1) those entities listed for the applicable Service at https://www.singlewire.com/legal-terms; and (2) all Singlewire Affiliates. Without prejudice to Section 7.4 below, Customer generally authorizes Singlewire to engage any other third party as a Sub-Processor at any time during the term of this DPA (“New Third Party Sub-Processor“).

7.2        Sub-Processor Information. To the extent required under the Data Protection Laws, Singlewire will make available to Customer information about Sub-Processors engaged by Singlewire, including their respective functions and locations.

7.3        Sub-Processor Engagement Requirements. In connection with its engagement of any Sub-Processor, Singlewire will:

(a)   ensure via written contract that the Sub-Processor only accesses and uses Customer Personal Data to the extent required to perform the obligations assigned to it, and does so in accordance with a binding written agreement that imposes the same or greater obligations as Singlewire’s obligations set forth in this DPA; and

(b)   remain fully liable for all obligations assigned to, and all acts and omissions of, the Sub-Processor in connection with such Sub-Processor’s Processing of Customer Personal Data.

7.4        Right to Object to Sub-Processor Changes.

(a)   In the event Singlewire engages any New Third Party Sub-Processor during the term of an applicable Agreement, Singlewire will, at least thirty (30) days before the New Third Party Sub-Processor starts Processing any Customer Personal Data, notify Customer of the engagement (including the name and location of the relevant New Third Party Sub-Processor and the activities it will perform).

(b)   Customer may, within fifteen (15) days after being notified of the engagement of a New Third Party Sub-Processor, reasonably object to such New Third Party Sub-Processor. In the event Customer reasonably objects to such New Third Party Sub-Processor, Singlewire will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s use of the Services to avoid Processing of Customer Personal Data by the objected-to New Third Party Sub-Processor without unreasonably burdening Customer. If Singlewire is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may, as its sole remedy, terminate the applicable Agreement(s) by providing written notice to Singlewire provided that all undisputed amounts due under the applicable Agreement(s) before the termination date shall be duly paid to Singlewire. Until a decision is made regarding the objected-to New Third Party Sub-Processor, Singlewire may temporarily suspend the Processing of the affected Customer Personal Data. Customer will have no further claims against Singlewire due to Services performed by Singlewire or Sub-Processors before the date of objection.

8.          SECURITY AND ADDITIONAL ASSISTANCE

8.1        Security Measures. Taking into account the nature of the Processing of Customer Personal Data undertaken by Singlewire for or on behalf of Customer, Singlewire shall, in relation to its Processing of Customer Personal Data, implement and maintain appropriate technical, physical, and organizational measures as described in the Security Documentation, provided that such measures shall provide appropriate protections for Customer Personal Data and include appropriate and commercially reasonable technical and organizational security controls designed to prevent reasonably foreseeable accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access to Customer Personal Data in Singlewire’s possession or otherwise under Singlewire’s reasonable control and other security controls required under the Data Protection Laws (the “Security Measures”).

8.2        Review of Security Documentation. Upon Customer’s written request at reasonable intervals, but no more frequently than annually, and subject to the confidentiality obligations set forth in the applicable Agreement(s) and this DPA, Singlewire will make available to Customer a copy of applicable Security Documentation, which may include, based on the Services provided under the applicable Agreement(s), Singlewire’s most recent third party audits or certifications; provided, however, that such Security Documentation shall only be used by Customer to assess Singlewire’s compliance with this DPA and/or the Data Protection Laws, and Customer shall not use such Security Documentation for any other purpose or disclose such Security Documentation to any third party without Singlewire’s prior written approval and, upon Singlewire’s request, Customer shall return to Singlewire all such Security Documentation in Customer’s possession or under its control.

8.3        Audits.

(a)   Solely to the extent required under the Data Protection Laws and subject to this Section 8.3, Singlewire will allow Customer, no more frequently than annually, to conduct audits (including inspections) to verify Singlewire’s compliance with Singlewire’s obligations under this DPA and/or the Data Protection Laws (“Customer Audit”); provided, however, any such Customer Audit, including, without limitation, any observations, conclusions, or other results of any such Customer Audit and any documents reflecting the foregoing (collectively, “Customer Audit Results”), shall only be used by Customer to assess Singlewire’s compliance with this DPA and/or the Data Protection Laws, and shall not be used for any other purpose or disclosed to any third party without Singlewire’s prior written approval and, subject to express requirements under the Data Protection Laws to the contrary, upon Singlewire’s request, Customer shall return to Singlewire all such Customer Audit Results in Customer’s possession or under its control.

(b)   Customer must send any requests to conduct a Customer Audit of Singlewire to [email protected]. Following Singlewire’s receipt of such request, Singlewire and Customer will discuss and agree in advance on the reasonable start date and duration of such Customer Audit and the scope of Singlewire’s technical and organizational measures in scope for such Customer Audit. Notwithstanding the foregoing, unless otherwise agreed by Singlewire in writing, any Customer Audit: (1) involving inspection of Singlewire’s business offices or data centers shall be limited to such business offices or data centers where Singlewire Processes Customer Personal Data for or on behalf of Customer and shall expressly exclude inspection of or access to any premises and systems containing Personal Data Singlewire Processes for or on behalf of itself or any third party that is logically but not physically separated from Customer Personal Data; (2) shall only occur during Singlewire’s normal business hours; (3) shall be conducted in a manner that minimizes any disruptions to Singlewire’s business operations; and (4) shall be subject to all confidentiality obligations set forth in the applicable Agreement(s) and this DPA and security measures in effect at the applicable business office or data center. For the avoidance of doubt, Customer shall not have access to any information, including, without limitation, any Personal Data, of or relating to any other Singlewire customer or client.

(c)    Except as otherwise expressly prohibited under the Data Protection Laws, Singlewire may charge a fee (based on Singlewire’s reasonable costs) for any Customer Audit conducted pursuant to this Section 8.3. Upon Customer’s written request, Singlewire will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of the applicable Customer Audit. Without limiting the foregoing, Customer will be responsible for any fees charged by any auditor appointed by Customer to conduct any such Customer Audit.

(d)   Singlewire may object in writing to any auditor appointed by Customer to conduct any Customer Audit if the auditor is, in Singlewire’s reasonable opinion, not suitably qualified or independent, a competitor of Singlewire, or otherwise manifestly unsuitable. Any such objection by Singlewire will require Customer to appoint another auditor or conduct the Customer Audit itself.

(e)   Without limiting the foregoing, prior to conducting any Customer Audit, Customer shall undertake reasonable efforts to conduct any such Customer Audit through a review of the Security Documentation in accordance with the procedures described in Section 8.2.

8.4        Additional Reviews Under CCPA.

(a)   Solely to the extent required under the CCPA and solely with respect to Singlewire’s Processing of Customer Personal Data subject to the CCPA (“CCPA Data“):

(1)  Singlewire grants Customer the right, upon 14 days’ prior written notice, to: (1) take reasonable and appropriate steps to help ensure that Singlewire uses CCPA Data Singlewire receives from the Customer in a manner consistent with Customer’s obligations under the CCPA; and (2) take reasonable and appropriate steps to stop and remediate Singlewire’s unauthorized use of Customer Personal Data; and

(2)   subject to Singlewire’s agreement, in Singlewire’s sole and absolute discretion, no more frequently than annually, Customer may monitor Singlewire’s compliance with this DPA with respect to Singlewire’s Processing of CCPA Data through additional measures that may include, without limitation, ongoing manual reviews, automated scans or other technical and operational testing.

(b)   For clarity, except where prohibited under the CCPA:

(1)   The rights set forth in Section 8.4(a) shall be subject to any applicable limitations or requirements set forth in the applicable Agreement(s) or this DPA, including, without limitation, all confidentiality obligations set forth in the applicable Agreement(s) and exceptions to Singlewire’s obligations to provide the Services in accordance with any service level agreement or other service level commitment; and

(2)   under no circumstances shall Section 8.4(a)(2) prohibit or otherwise preclude Singlewire from: (1) declining to agree to permit Customer to perform any particular additional measures; or (2) conditioning Singlewire’s agreement to permit Customer to perform any particular additional measure on Customer’s agreement to comply with any restrictions or requirements specified by Singlewire.

8.5        Security Breach. In the event of a Security Breach, Singlewire will notify Customer promptly and without undue delay after Singlewire discovers such Security Breach. Such notification of a Security Breach will be delivered to the notice address for Customer provided in the applicable Agreement(s), or, at Singlewire’s discretion, by telephone or other direct communication. Singlewire will provide reasonable assistance to Customer to investigate, remediate, and mitigate the effects of a Security Breach and to comply with any requirements to notify affected Data Subjects, applicable Supervisory Authorities, or other third parties, all as and to the extent required under the Data Protection Laws.

9.          RESTRICTED TRANSFERS

9.1        EU Restricted Transfers and Swiss Restricted Transfers. For any transfer of Customer Personal Data that is an EU Restricted Transfer or a Swiss Restricted Transfer, the Parties agree that such transfer shall be subject to the EU SCCs, completed as follows:

(a)   the appropriate Module will apply based on the nature of the transfer, including, without limitation, the nature and role of the data exporter and data importer;

(b)   in Clause 7, the optional docking clause will apply;

(c)    for EU SCCs utilizing Modules Two or Three, in Clause 9(a), Option 2 will apply, and the time period for prior notice of Sub-Processor changes shall be as set forth in Section 7.4 of this DPA;

(d)   in Clause 11(a), the optional language shall not apply;

(e)   for EU SCCs utilizing Modules One, Two or Three:

(1)   in Clause 17, Option 1 will apply and the governing laws shall be the laws of EEA member state where Customer’s main business operations are located; and

(2)   in Clause 18(b), disputes shall be resolved before the courts of the EEA member state where Customer’s main business operations are located.

(f)    for EU SCCs utilizing Module Four:

(1)   in Clause 17, the EU SCCs shall be governed by the laws of the United States of America; and

(2)   in Clause 18(b), disputes shall be resolved before the United States District Court for the Eastern District of Wisconsin or, in the event such jurisdiction is not available, any of the appropriate courts of the State of Wisconsin;

(g)   Annex I of the EU SCCs shall be deemed completed with the information set out for the applicable Service at https://www.singlewire.com/legal-terms;

(h)   Annex II of the EU SCCs shall be deemed completed with the information set out for the applicable Service at https://www.singlewire.com/legal-terms; and

(i)     for EU SCCs utilizing Modules Two or Three, Annex III of the EU SCCs shall be deemed completed with the information set out for the applicable Service at https://www.singlewire.com/legal-terms.

10.        RETENTION AND DESTRUCTION OF CUSTOMER PERSONAL DATA

10.1     Return and Destruction During DPA Term. Subject to the terms of the applicable Agreement(s) and this DPA, Singlewire will, at the choice of Customer, delete or return the applicable Customer Personal Data upon Singlewire’s receipt of an applicable Customer Instruction to do so. Without limiting the generality of the foregoing, in the event Customer uses functionalities available via the Services (if any) to delete any Customer Personal Data during the term of this DPA and such Customer Personal Data cannot be recovered by Customer, this will constitute a Customer Instruction to Singlewire to delete the relevant Customer Personal Data from the applicable Singlewire systems in accordance with applicable law, including, without limitation, the Data Protection Laws. Singlewire will comply with such Customer Instruction as soon as reasonably practicable and, in any event, unless applicable law requires Singlewire to retain such Customer Personal Data for a longer period, within ninety (90) days (or, if shorter, the maximum period permitted under the applicable Data Protection Laws); provided, however, Customer acknowledges and agrees that Singlewire will securely erase or destroy any Customer Personal Data stored on Singlewire’s backup or archive systems within six (6) months after Singlewire’s receipt of the applicable Customer Instruction.

10.2     Return and Deletion Upon Expiration or Termination of Agreement or Service(s). Subject to the terms of the applicable Agreement(s) and this DPA, following the expiration or earlier termination of an Agreement, Singlewire will, at the choice of Customer (as indicated through the Services or in a written notification to Singlewire), delete or return to Customer all applicable Customer Personal Data Processed solely on behalf of Customer in Singlewire’s possession or under its reasonable control as of the date of such expiration or earlier termination, and Singlewire will delete existing copies of such Customer Personal Data from the applicable Singlewire systems unless otherwise required under applicable laws, including, without limitation, applicable Data Protection Laws. Singlewire will comply with such Customer Instruction as soon as reasonably practicable and, in any event, unless applicable law requires Singlewire to retain such Customer Personal Data for a longer period, within ninety (90) days (or, if shorter, the maximum period permitted under the applicable Data Protection Laws) after the expiration or earlier termination of the applicable Agreement(s). For clarity, except as expressly required under applicable law or the applicable Agreement(s), in no event shall Singlewire be required or otherwise obligated to retain any applicable Customer Personal Data more than ninety (90) days after the expiration or termination of the applicable Agreement(s); provided, however, Customer acknowledges and agrees that Singlewire will securely erase or destroy any Customer Personal Data stored on Singlewire’s backup or archive systems within six (6) months after the expiration or earlier termination of the Applicable Agreement(s).

10.3     Retention of Customer Personal Data. Notwithstanding anything to the contrary in the applicable Agreement(s) or this DPA and without limiting any rights provided to Singlewire under the applicable Agreement(s), this DPA, or applicable Data Protection Laws, to the extent authorized or required by applicable law, Singlewire may retain one copy of Customer Personal Data solely for evidence purposes and/or for the establishment, exercise or defense of legal claims and/or for compliance with legal obligations.

11.        ADDITIONAL TERMS

11.1     Liability and Indemnification. With respect to any claim, loss, or liability based upon, arising out of, resulting from, or in any way connected with a Party’s performance or breach of this DPA: (1) such Party shall only be obligated to indemnify, defend, and hold the other Party harmless to the extent such obligation exists pursuant to such Party’s indemnification, defense, and hold harmless obligations set forth in the applicable Agreement(s) (if any); and (ii) each Party’s total liability to the other Party is limited in accordance with the applicable limitations of liability set forth in the applicable Agreement(s).

11.2     Term. This DPA shall be effective as of the DPA Effective Date and continue in full force and effect until Singlewire ceases providing all Services to Customer under and in accordance with the applicable Agreement(s). The provisions of this DPA which by their nature are intended to survive the expiration or earlier termination of this DPA shall continue as valid and enforceable obligations of the Parties notwithstanding any such termination or expiration. Without limitation, the provisions regarding confidentiality, compliance with applicable laws, and restrictions on the processing of Customer Personal Data shall survive the expiration or earlier termination of this DPA.

11.3     Relationship to Agreement(s). This DPA shall be governed by and construed in accordance with the terms set forth in the applicable Agreement(s) as if fully set forth herein. Without limiting anything set forth herein, the Parties acknowledge and agree that they have taken all actions (if any) required under the applicable Agreement(s) to incorporate this DPA therein. Any dispute arising out of this DPA shall be resolved as set out in the applicable Agreement(s). The requirements set forth in this DPA are in addition to, and not in lieu of, any similar requirements set forth in the applicable Agreement(s). Notwithstanding anything to the contrary in the applicable Agreement(s), to the extent any conflict or inconsistency between the terms of this DPA and any Agreement, this DPA shall control. Except as set forth in this DPA, each and every Agreement remains in full force and effect, as amended, and are hereby ratified and confirmed in all respects.

11.4     Invalidity. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either: (1) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as completely as possible; or (2) if (1) is not possible, construed in a manner as if the invalid or unenforceable part had never been contained in this DPA.

11.5     Amendments. Singlewire may update or modify this DPA from time to time by, without limitation, posting a revised version of this DPA on Singlewire’s website and publishing a general notice of such changes via the Singlewire website or, as applicable and feasible, through the Services. Subject to compliance with applicable laws, Customer’s access to or use of the Services after receiving notice of changes to this DPA, whether by general notice or direct notice provided by Singlewire to Customer, shall constitute Customer’s acceptance of such updates or modifications.