GDPR Compliance
Last revised and updated 19th of January 2022.
Omnipredict Data Security and Privacy Addendum (DPA and GDPR)
This Data Security and Privacy Addendum (Addendum) is supplementary to and forms part of the Omnipredict SAAS Terms and Conditions (Agreement), including as amended from time to time.
By signing the Agreement or otherwise accepting the SAAS Terms and Conditions by Executing the Order Form (including any Supplementary Order Forms) or using or accessing the Products, Goods and Services, the Customer enters into this Addendum on behalf of itself and, to the extent required under Applicable Data Protection Laws, in the name and on behalf of its Authorised Affiliates, if and to the extent Omnipredict processes Personal Data for which such Authorised Affiliates qualify as the Customer. For the purposes of this Addendum only, and except where indicated otherwise, the term “Customer” shall include the Customer and Authorised Affiliates. All capitalised terms that are undefined shall have the meaning set forth in the Agreement.
In the course of providing the Product and Services to the Customer pursuant to the Agreement, Omnipredict may process Personal Data on behalf of Customer and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
1. Application of this Addendum
This Addendum applies in addition to the Agreement and despite anything to the contrary in the Agreement, overrides and prevails over the terms of the Agreement to the extent of any inconsistency.
2. Definitions
Unless the context otherwise requires, capitalised words in this Addendum have the same meaning as in the Agreement. In addition, the following definitions apply in this Addendum unless the context requires otherwise.
Applicable Data Protection Laws means the DPA, the GDPR and all other applicable Laws, rules and regulations that the Controller is subject to within the United Kingdom and the European Union and, to the extent applicable, the laws of any other country, that relate to the privacy, protection, use or disclosure of Personal Data, provided that to the extent of any inconsistency, the DPA shall prevail.
Attachment means the Attachment to this Addendum.
Auditor is any person which the Controller nominates in writing from time to time.
Authorised Affiliate means any of the Customer’s Affiliate(s) which (a) is subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, and/or the United Kingdom, and (b) is permitted to use the Products, Goods and Services pursuant to the Agreement between Customer and Omnipredict, but has not signed or Executed its own Order Form with Omnipredict and is not a “Customer” as defined under the Agreement.
Controller has the meaning given to that term in the DPA and the GDPR.
Data Subject has the meaning given to that term in the DPA and the GDPR.
Personal Data Breach has the same meaning as given to that term in the DPA and the GDPR.
Processing has the same meaning as given to that term in the DPA and the GDPR.
Processor has the meaning given to that term in the DPA and the GDPR.
Relevant Data means any Personal Data that is received by, accessible by or made available to the Processor by or from the Controller (whether directly or indirectly) under or in connection with the Agreement and/or the Products, Goods and Services.
Sub-processor means any person (including any third party) appointed by or on behalf of the Processor to process Relevant Data on behalf of the Controller in connection with the Agreement.
Supervisory Authority means the UK Information Commissioner.
3. Role of the Parties
The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller, Omnipredict is the Processor and that Omnipredict may engage Sub-processors under the procedure in clause 9 of this Addendum.
4. Mutual Privacy Obligations
Without limiting any other provision of this Agreement, each party agrees in respect of any Personal Data it receives or has access to in connection with this Agreement:
i. to comply at all times with all Applicable Data Protection Laws in respect of all Relevant Data;
ii. to collect, use and disclose Personal Data only for the purpose for which it was disclosed to that party;
iii. to provide reasonable cooperation to the other party to resolve any complaint alleging a breach of the Applicable Data Protection Laws or by a third party seeking access to Personal Data in accordance with Applicable Data Protection Laws.
5. Processing of the Relevant Data
Omnipredict must:
1. process Relevant Data only as is necessary for the purposes of delivering or performing the Products, Goods and Services under the Agreement and only:
a. in accordance with the terms contained in the Attachment to this Addendum (which may be amended by the Customer by notice in writing from time to time); or
b. as otherwise instructed by the Customer in writing,
c. unless Omnipredict is required to do otherwise by any Law to which Omnipredict is subject, in which case Omnipredict must notify the Customer prior to undertaking such Processing (unless the making of such a notification is prohibited by applicable Law);
2. immediately inform the Customer, in writing, if Omnipredict considers that any written instructions in accordance with clause 5(a)(i) of this Addendum are or would be inconsistent with Applicable Data Protection Laws; and
3. except as provided in clause 5(b) of this Addendum, provide the Customer with prior written notice if it intends to hold or transfer the Relevant Data outside the United Kingdom and the European For the avoidance of doubt, such notification should include the transfer mechanism that will be relied upon as a basis on which such a transfer would be permitted under the DPA and the GDPR.
ii. Despite anything in this Addendum to the contrary, the parties agree that Omnipredict is not required to provide prior written notice of a transfer of the Relevant Data to its cloud service provider and other Sub-processors.
iii. Except as required by applicable Law, Omnipredict must:
- not use Relevant Data for any purpose other than directly in relation to the performance of its obligations under the Agreement;
- not, and must ensure that its Personnel will not, sell, commercially exploit, let for hire, assign rights in or otherwise dispose of any Relevant Data; and
- not make any Relevant Data available to a third party other than an approved Sub-processor and then only to the extent necessary to enable the approved Sub-processor to perform its part of Omnipredict’s obligations under this Addendum and the Agreement.
6. Data Accuracy
The Customer must assume responsibility for the accuracy, quality and legality of the Relevant Data and the means by which the Customer acquired the Relevant Data.
7. Data Security
i. Omnipredict must establish and maintain appropriate technical and organisational safeguards against the misuse, interference, destruction, loss or unauthorised access or disclosure or modification of the Relevant Data in the possession or control of Omnipredict that:
1. are consistent with and no less rigorous than those maintained by organisations similar to Omnipredict engaged in security ‘best practice’ to secure that data (including, but not limited to, a high level of IT security, physical security, and Personnel security); and
2. comply with all Applicable Data Protection Laws and any procedures notified from time to time to Omnipredict by the Customer concerning the Customer’s data security requirements.
ii. Omnipredict shall notify the Customer without undue delay should it become aware of a security breach affecting Personal Data.
8. Deletion or return of the Relevant Data
i. Promptly after the termination or expiry of the Agreement Omnipredict must, at the election of the Customer:
ii. return all the Relevant Data to the Customer;
iii. destroy all the Relevant Data, in a manner agreed to by the Customer; and/or
iv. de-identify all the Relevant Data, in a manner agreed to by the Customer,
iv. unless a Law binding on Omnipredict prevents Omnipredict from doing so as requested, in which case Omnipredict agrees that it will continue to observe the terms of this Addendum for as long as it is required to retain the Relevant Data and, once Omnipredict is no longer required to retain the Relevant Data, Omnipredict will perform the action originally requested by the Customer under this clause.
9. Sub-processors
i. The Customer provides a general authorisation to Omnipredict to engage further Processors to process Personal Data. Omnipredict shall provide the Customer with a list of those Processors on Omnipredict shall give the Customer prior notice of any intended addition to or a replacement of those further Processors so that the Customer may raise any objections that it may have within 10 Business Days of receiving the prior notice; and
ii. Omnipredict
- is not relieved of any of its liabilities or obligations under this Addendum and remains liable to the Customer for the acts, defaults and neglect of any Sub-processor or any Personnel of the Sub-processor as if they were the acts, defaults or neglect of Omnipredict; and
- is responsible for the performance of each Sub-processor and ensuring the suitability for each Sub-processor for the Processing to be performed by that Sub-processor.
10. Rights of Data Subjects
Omnipredict must:
i. implement appropriate technical and organisational measures in order to assist the Customer to comply with the Customer’s obligation to respond to requests to exercise Data Subject Rights under any Applicable Data Protection Laws in respect of the Relevant Data (Data Subject Request);
ii. promptly notify the Customer if Omnipredict receives a Data Subject Request;
iii. assist the Customer to meet its obligation to respond to a Data Subject Request under Applicable Data Protection Laws
iv. provide the individual with access to any record of the Relevant Data following a request from an individual where a response is required to be made by Omnipredict under Applicable Data Protection Laws.
v. If the Customer, in its use of services, does not have the ability to address a Data Subject Request:
vi. Omnipredict must, upon the Customer’s request, provide commercially reasonable efforts to assist the Customer in responding to such Data Subject Request; and
vii. the Customer will be responsible for any costs arising from Omnipredict’s provision of such assistance.
11. Personal Data Breach
i. If Omnipredict becomes aware, or believes or suspects, that a Personal Data Breach has or may have occurred in relation to any Relevant Data, Omnipredict must:
1. immediately notify the Customer in writing and provide the Customer with all known details relating to that actual or suspected Personal Data Breach;
2. cooperate and comply with all reasonable directions of the Customer in relation to that actual or suspected Personal Data Breach;
3. promptly take all reasonable steps to rectify or remedy that actual or suspected Personal Data Breach where possible; and
4. cooperate with the Customer in:
a. the resolution of any complaint alleging a breach of the Applicable Data Protection Laws regarding the Relevant Data;
b. assisting the Customer to meet their obligation under clause 11(b) of this Addendum to notify the occurrence of the Personal Data Breach that affects or relates to Relevant Data to the Supervisory Authority and to affected Data Subjects, but only where the Customer determines that such a notification would be required by Applicable Data Protection Laws; and
c. any investigation by the Customer or the Supervisory Authority or other competent data privacy authorities relating to the Personal Data Breach that affects or relates to Relevant Data.
ii. If the Customer determines that notification of the Personal Data Breach would be required by Applicable Data Protection Laws, the Customer will prepare a proposed statement in accordance with Applicable Data Protection Laws, obtain Omnipredict’s written approval to that statement and the method of notification for issuing such statement to affected Data Subjects and the Supervisory Authority, and, when such written approval is received, issue the statement to affected individuals and the Supervisory Authority on behalf of itself and Omnipredict.
12. Data Protection Impact Assessments
i. Omnipredict will provide the Customer with reasonable assistance (including providing any reasonably necessary data or information) in relation to the Customer:
ii. undertaking any data protection impact assessments that the Customer reasonably considers would be necessary under or required by any Applicable Data Protection Law; and
iii. engaging in any required consultations with the Supervisory Authority or other competent data privacy authorities that the Customer reasonably considers to be required of the Customer under Applicable Data Protection Laws.
Attachment: Details of Processing of the Relevant Data
Subject matter and duration of the Processing of the Relevant Data
Data including personal information (as set out in the collection notice and privacy policy) required for the purposes of delivering the Software/Products, Goods and Services.
Nature and purpose of the Processing of the Relevant Data
Collecting data including personal information and ordering the data for the purposes of identifying and allocating office seating and other related information.
Types of Relevant Data to be Processed
b. Data including but not limited to an individual’s name, birthdate, mobile phone number, office locations, employee or staff number, corporate title, work locations, email address, hours of utilisation, survey data, working hours, desk utilisation and absenteeism including vacations (statutory or otherwise) and sickness, and health data where consented to.
Categories of Data Subjects to whom the Relevant Data relates
Any officer, employee, contractor, servant, agent, or other person under the Customer’s direct or indirect control and includes any subcontractors, who may also be end users of the Products, Goods and Services.
Permitted Sub-processors that can be engaged to process the Relevant Data
Amazon Web Services