This Data Processing Addendum (“DPA”) is incorporated into and, together with the Engagement Letter and Exhibit A, forms the Agreement between Accordion (“Accordion”) and Company (as defined in the Engagement Letter) (the “Agreement”). This DPA sets out the requirements for Accordion’s processing of Personal Data on behalf of Company for the purposes of providing the Services. Solely for the purposes of this DPA, Accordion Partners LLC, an affiliate of Accordion Partners Global Corp., is also party as processor. In this DPA, “Accordion Entities” means each of Accordion Partners Global Corp. and Accordion Partners LLC.


1. Definitions

Adequate Country means a country or territory recognised as providing an adequate level of protection for Personal Data under an adequacy decision made, from time to time, by (as applicable) (i) the UK Secretary of State and/or under applicable UK law (including the UK GDPR), or (ii) the European Commission under the EU GDPR, or (iii) the Swiss Federal Data Protection Authority under Swiss Data Protection Law.
Data Protection Laws means (a) in the European Union, the General Data Protection Regulation 2016/679 (the "GDPR"), (b) in the UK, the General Data Protection Regulation 2016/679, as implemented by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 (the "UK GDPR") and the Data Protection Act 2018, or (c) Swiss Data Protection Law.
Data Subject Request means a request from or on behalf of a data subject to exercise any rights in relation to their Personal Data under Data Protection Laws.
EEA means the European Economic Area.
EU Clauses means the standard contractual clauses for international transfers of personal data to third countries set out in the European Commission’s Decision 2021/914 of 4 June 2021 (at http://data.europa.eu/eli/dec_impl/2021/914/oj) incorporating Module Two for Controller to Processor transfers and which form part of this DPA in accordance with Schedule 3.
Personal Data means all personal data which is provided by Company to the Accordion Entities (including for scoping work purposes) and/or accessed, stored or otherwise processed by the Accordion Entities as a processor.
Security Breach means any breach of security or other action or inaction leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data by any of the Accordion Entities’ staff or sub-processors, or any other identified or unidentified third party.
Services means the services provided by Accordion to Company under the Agreement.
Supervisory Authority means, in the UK, the Information Commissioner’s Office (“ICO”) (and, where applicable, the Secretary of State or the government), and, in the EEA, an independent public authority established pursuant to the GDPR.
Swiss Data Protection Law means the Swiss Federal Data Protection Act of 19 June 1992 and, when in force, the Swiss Federal Data Protection Act of 25 September 2020 and its corresponding ordinances, as amended, superseded or replaced from time to time.
Swiss Addendum means the addendum set out in Schedule 3.
UK means the United Kingdom.
UK Approved Addendum means the template Addendum B.1.0 issued by the UK’s Information Commissioner’s Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 of the UK, in force from 21 March 2022.
UK Mandatory Clauses means the Mandatory Clauses of the UK Approved Addendum, as updated from time to time and/or replaced by any final version published by the Information Commissioner’s Office.
UK GDPR means the EU GDPR as implemented into the law of the United Kingdom by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 and the Data Protection Act 2018.

1.1 “controller”, “data subject”, “personal data” and “processor” have the meanings ascribed to them in the Data Protection Laws.

1.2 Any defined terms which are not defined in this DPA are as defined in the Agreement.

2. Roles & compliance with Data Protection Laws.

2.1 In relation to the Personal Data provided to the Accordion Entities by Company to facilitate the provision of the Services under the Agreement (including any scoping of work stage), Company is the controller of Personal Data, and each of the Accordion Entities is the processor of Personal Data. Each party will comply with Data Protection Laws applicable to such party in the processing of Personal Data. As between the parties, Company shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which the Personal Data was acquired.

3. Description of Processing

3.1 The subject matter, nature and purposes of the processing, duration, types of Personal Data and categories of Data Subject are as set out in Schedule 1.

3.2 Processing by Accordion. As a processor, the Accordion Entities will only process Personal Data (i) in order to provide the Services to Company or (ii) per Company’s instructions in writing or via the Services. Accordion will notify Company (unless prohibited by applicable law) if either of the Accordion Entities is required under applicable law to process Personal Data other than pursuant to Company’s instructions. Accordion will, as soon as reasonably practicable upon becoming aware, inform the Company if, in Accordion’s opinion, any instructions provided by the Company infringe applicable Data Protection Laws. Upon written request of the Company, the Accordion Entities shall return or delete the Personal Data, unless required by law, or able in compliance with Data Protection Laws, to retain the Personal Data.

4. Technical and Organisational Security Measures

4.1 The Accordion Entities will implement appropriate technical and organizational measures of security appropriate to the risks that are presented by the processing of Personal Data, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data as set out in Schedule 4.

4.2 The Accordion Entities will take reasonable steps to ensure that only authorised personnel have access to Personal Data and that any persons whom it authorizes to access the Personal Data are under obligations of confidentiality.

5. Security Breaches, Data Subject Requests & Further Assistance

5.1 Security Breaches. Accordion will notify Company of any Security Breach without undue delay on becoming aware of the Security Breach.

5.2 Data Subject Requests. To the extent legally permitted, Accordion will promptly notify Company if either of the Accordion Entities receives a Data Subject Request. Neither Accordion Entity will respond to a Data Subject Request, provided that Company agrees either Accordion Entity may at its discretion respond to confirm that such request relates to Company. If Company does not have the ability to address a Data Subject Request, the Accordion Entities will, upon Company’s written request, provide reasonable assistance to facilitate Company’s response to the Data Subject Request to the extent such assistance is consistent with applicable law.

5.3 Further Assistance. Taking into account the nature of processing and the information available to them, the Accordion Entities will provide such assistance as Company reasonably requests in relation to Company’s obligations under Data Protection Laws with respect to (i) data protection impact assessments, (ii) notifications to the Supervisory Authority under Data Protection Laws and/or communications to data subjects by the Company in response to a Security Breach, or (iii) Company’s compliance with its obligations under the GDPR or UK GDPR (as applicable) with respect to the security of processing.

6. Sub-processing

6.1 Company grants Accordion a general authorisation to appoint third party sub-processors to support the performance and provision of the Services. Accordion shall carry out appropriate due diligence to ensure that such sub-processors provide sufficient guarantees to implement appropriate technical and organisational measures when processing Personal Data that are equivalent to those set out in Schedule 4.

6.2 Accordion shall maintain a list of sub-processors available here, and shall add the names of new and replacement sub-processors to the list (including details of each sub-processor’s location and services to be undertaken) prior to such sub-processor accessing or otherwise processing Personal Data, and send a written communication to Company (by sending an email to Company referring to such intended change) no less than thirty (30) days prior to the intended change. The list of sub-processors shall be made available on Accordion’s website at the link set forth above.

6.3 If Company has an objection to any new or replacement sub-processor, it shall notify Accordion of such objections in writing within thirty (30) days of receipt of the communication and the parties shall seek to resolve the matter in good faith. If Accordion requires use of the sub-processor and is unable to satisfy Company as to the suitability of the sub-processor or the documentation and protections in place between Accordion and the sub-processor within [thirty (30)] days from Company’s receipt of Accordion’s notification of objections, then Company may terminate the Services Agreement, this DPA and/or the applicable aspect of the Services with immediate effect on written notice to Accordion.

6.4 Accordion shall ensure that any sub-processor it engages to provide an aspect of the Services on its behalf in connection with this DPA does so only on the basis of a written contract which imposes on such sub-processor equivalent data protection obligations as set out in this DPA. Accordion shall remain fully liable to Company for any such sub-processor’s performance of its obligations under such written contract.

7. International Transfers

7.1 Company agrees that its use of the Services will involve the transfer of Personal Data to, and processing of Personal Data in, countries in which either Accordion Entity is based.

7.2 UK transfers:

7.2.1 To the extent Personal Data is transferred to either Accordion Entity and processed by or on behalf of the Accordion Entities outside the UK (except if in an Adequate Country) in circumstances where such transfer would be prohibited by UK GDPR in the absence of a transfer mechanism, the parties agree that the EU Clauses subject to the UK Approved Addendum will apply. The UK Approved Addendum is incorporated into this DPA.

7.2.2 Schedule 2 references the information required by Tables 1 to 4 inclusive of the UK Approved Addendum.

7.3 EU transfers:

7.3.1 To the extent Personal Data is transferred to the Accordion Entities and processed by or on behalf of the Accordion Entities outside the EEA (except if in an Adequate Country) in circumstances where such transfer would be prohibited by EU GDPR in the absence of a transfer mechanism, the parties agree that the EU Clauses will apply in respect of that processing and are incorporated into this DPA in accordance with Schedule 3.

7.3.2 Schedule 3 contains the information required by the EU Clauses.

7.4 Swiss transfers

7.4.1 To the extent Personal Data is transferred to the Accordion Entities and processed by or on behalf of the Accordion Entities outside Switzerland (except if in an Adequate Country) in circumstances where such transfer would be prohibited by Swiss Data Protection Laws in the absence of a transfer mechanism, the parties agree that the EU Clauses subject to the Swiss Addendum will apply in respect of that processing. The Swiss Addendum is incorporated into this DPA.

7.4.2 Schedule 3 contains the information required by the EU Clauses, including for the purposes of transfers to which this Clause 7.4 applies.

7.5 The Accordion Entities may (i) replace the EU Clauses, the Swiss Addendum and/or the UK Approved Addendum generally or in respect of the EEA, Switzerland and/or the UK (as appropriate) with any alternative or replacement transfer mechanism in compliance with applicable Data Protection Laws, including any further or alternative standard contractual clauses approved from time to time and (ii) make reasonably necessary changes to this DPA by notifying Company of the new transfer mechanism or content of the new standard contractual clauses (provided their content is in compliance with the relevant decision or approval), as applicable.

8. Audit and Records

8.1 The Accordion Entities shall make available to the Company such information in their possession or control as Company may reasonably request with a view to demonstrating their compliance with the obligations of data processors under Data Protection Law in relation to its processing of Personal Data.

9. General

9.1 Conflicts. This DPA is without prejudice to the rights and obligations of the parties under the Agreement which shall continue to have full force and effect. In the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms (including definitions) of this DPA shall prevail so far as the subject matter concerns the processing of Personal Data. This DPA sets out all of the terms that have been agreed between the parties in relation to the subjects covered by it. Other than in respect of statements made fraudulently, no other representations or terms shall apply or form part of this DPA.

9.2 Limitation of Liability. The maximum aggregate liability of the Accordion Entities (taken together) to Company under or in connection with this DPA shall not under any circumstances exceed the maximum aggregate liability of Accordion to the Company, and shall be subject to any exclusions of liability for certain categories of loss, as set out in the Agreement. Nothing in this DPA will limit the Accordion Entities’ liability in respect of personal injury or death in negligence or for any other liability or loss which may not be limited by agreement under applicable law.

9.3 Governing Law; Venue. Without prejudice to the provisions of the EU Clauses, Swiss Addendum and the UK Approved Addendum addressing the law which governs them, this DPA shall be governed by and construed in accordance with the laws which govern the Agreement and the venue(s) for disputes and claims under the Agreement shall also apply to disputes and claims under this DPA.

SCHEDULE 1

Data Processing Details

For the purposes of Clause 3 of the DPA and Schedules 2 and 3, the parties set out below a description of the Personal Data being processed under the Agreement and further details required pursuant to the Data Protection Laws.

Subject matter of the processing: Accordion’s provision of the Services to Company.
Nature and purpose of processing: The collection and storage of Personal Data pursuant to providing the Services to Company.
Types of Personal Data: Personal Data that Company in its discretion uploads or shares with the Accordion Entities at the scoping stage or via the Services (including but not limited to names, contact details, job titles).
Sensitive Personal Data and applied restrictions: This is at the discretion of the Company and depends on the Personal Data that Company uploads into the Services.
Categories of Data Subject: Data Subjects may include any end users (including without limitation employees, customers, consumers or suppliers) about whom Personal Data is provided to the Accordion Entities via the Services by, or at the direction of, Company.
Duration of processing: Until the Company requests deletion of the Personal Data.

SCHEDULE 2

UK transfers

For the purposes of the UK Approved Addendum,

  1. the information required for Table 1 is contained in Schedule 1 of this DPA and the start date shall be deemed dated the same date as the EU Clauses;
  2. in relation to Table 2, the version of the EU Clauses to which the UK Approved Addendum applies is Module Two for Controller to Processor;
  3. in relation to Table 3, the list of parties and description of the transfer are as set out in Annex 1 of Schedule 4 of this DPA, the Accordion Entities’ technical and organisational measures are set out in Annex II of Schedule 4 of this DPA, and the list of Accordion’s sub-processors shall be provided pursuant to section 6.2 of this DPA; and
  4. in relation to Table 4, neither party will be entitled to terminate the UK Approved Addendum in accordance with Clause 19 of the UK Mandatory Clauses.

SCHEDULE 3

Swiss Addendum

In respect of transfers otherwise prohibited by Swiss Personal Data:

  1. The FDPIC will be the competent supervisory authority;
  2. Data subjects in Switzerland may enforce their rights in Switzerland under Clause 18c of the EU SCCs, and
  3. References in the EU SCCs to the EU GDPR should be understood as references to Swiss Data Protection Law insofar as the data transfers are subject to Swiss Data Protection Law.

SCHEDULE 4

EU Clauses

  1. For the purposes of this Schedule 3, the EU Clauses (Module II), available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN, shall be incorporated by reference to this Schedule and the DPA and shall be considered an integral part thereof, and the Parties’ signatures in the DPA shall be construed as the Parties’ signature to the EU Clauses. In the event of an inconsistency between the DPA and the EU Clauses, the latter will prevail.
  2. For the purposes of the EU Clauses, the following shall apply:
  • Company shall be the data exporter and the Accordion Entities shall be the data importer. Each Party agrees to be bound by and comply with its obligations in its role as exporter and importer respectively as set out in the EU Clauses.
  • Clause 7 (Docking clause) shall be deemed as included.
  • Clause 9 (Use of sub-processors): OPTION 2 – GENERAL WRITTEN AUTHORISATION shall apply. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors as set out in Clause 6 of the DPA.
  • Clause 11 (Redress): optional clause (optional redress mechanism before an independent dispute resolution body) shall be deemed as not included.
  • Clause 13 (a) (Supervision):
    • The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
  • Clause 17 (Governing law):
    • These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.
  • Clause 18 (b) (Choice of forum and jurisdiction): The Parties agree that any dispute between them arising from the EU Clauses shall be resolved by the courts of Ireland.

3. Any provision in the EU Clauses relating to liability of the parties with respect to each other shall be subject to the limitations and exclusions of the Agreement.

4. Any provision in the EU Clauses relating to the right to audit shall be interpreted in accordance with Clause 5 of the DPA and the Agreement.

ANNEX I TO SCHEDULE 4

A. List of Parties

Name: Company’s name as set forth in the Engagement Letter.

Address: Company’s address as set forth in the Engagement Letter.

Contact person’s name, position and contact details: Company’s primary contact as set forth in the engagement letter.

Activities relevant to the data transferred under these Clauses: data exporter will transfer Personal Data to the data importer as required for the provision of Services by the data importer under the Agreement and as set out in the DPA.

Signature and date: please refer to signature and date in Engagement Letter.

Role (controller/processor):

☒ Controller

☐ Processor

Data importer(s):

Name: Accordion Partners Global Corp. & Accordion Partners LLC

Address: One Vanderbilt Ave, 24th Floor, New York, New York 10017 United States

Contact person’s name, position and contact details: Penny Tehrani-Littrell, General Counsel, Privacy@Accordion.com

Activities relevant to the data transferred under these Clauses: data importer will process personal data as required for the provision of Services under the Agreement and as set out in the DPA.

Signature and date: please refer to signature and date in Engagement Letter.

Role (controller/processor):

☐ Controller

☒ Processor

B. Description of Transfer

Categories of data subjects whose personal data is transferred
See Schedule 1 to the DPA

Categories of personal data transferred
See Schedule 1 to the DPA

Sensitive data transferred (if applicable) and applied restrictions or safeguards
See Schedule 1 to the DPA

Frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Transfers will occur from time to time as required during the course of the performance of the Services under the Agreement.

Nature of the processing
See Schedule 1 to the DPA

Purpose(s) of the data transfer and further processing
See Schedule 1 to the DPA

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
See Schedule 1 to the DPA

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
N/A

C. Competent Supervisory Authority

Identify the competent supervisory authority/ies in accordance with Clause 13
The Data Protection Commissioner, Dublin, Ireland

Annex I – Technical and Organisational Measures including Technical and Organisational

See Schedule 4 to the DPA

SCHEDULE 5

Security Measures
Accordion Technical and Organizational Measures (“TOM(s)”)

Accordion has implemented the following set of TOMs to align with the requirements of the Data Protection Laws (including EU). By implementing these Technical and Organizational Measures, we have established a strong foundation for our Data Protection Addendum, ensuring the security and privacy of our data and the data we interact with on behalf of our clients in compliance with the Data Protection Laws.

    1. Data Minimization
      Only necessary personal data is collected and processed for the intended purpose. Data Controllers are responsible for only providing the minimum data necessary to perform the tasks outlined in the Agreement, Engagement Letter and/or Statement of Work for the engagement. (Article 5(1)(c))
    2. Data Integrity
      Accordion consultants will work with clients to validate the accuracy and integrity of personal data. Data Controllers are responsible for performing data validation and cleansing processes. (Article 5(1)(d))
    3. Data Retention
      Clear policies and procedures for the retention and deletion of personal data are established to ensure data is not kept for longer than necessary for the purposes for which it was collected. (Article 5(1)(e))
    4. Data Portability
      Data Controllers may request access and transfer of the data provided to Accordion in the original format by which it was provided. (Article 20)
    5. Privacy by Design
      Data protection considerations are integrated into the design and development of systems, products, and services from the outset, rather than as an afterthought. (Article 25)
    6. Vendor Management
      Due diligence processes are implemented when selecting and managing third-party vendors or processors, ensuring they also adhere to data protection regulations. Accordion will follow requirements outlined in the Agreement, Engagement Letter and/or Statement of Work with respect to sub-processors. (Article 28)
    7. Documentation and Record-Keeping
      Documentation of data processing activities, including purposes, categories of data, legal basis, and security measures implemented will be maintained in partnership with the Data Controller. (Article 30)
    8. Access Controls
      Access controls have been implemented to ensure that only authorized personnel have access to protected data. This includes role-based access control, multi-factor authentication, and periodic reviews of access rights. (Article 32)
    9. Data Encryption
      All personal data, both at rest and in transit, is encrypted using minimum 128-bit AES encryption to prevent unauthorized access in case of a data breach. (Article 32)
    10. Audits and Assessments
      Audits and assessments of data processing activities, security measures, and compliance with relevant regulations are conducted to identify and address any gaps or risks. Gaps or risks as identified will be communicated per the provisions in the Agreement, Engagement Letter and/or applicable Statement of Work, and remediation plans will be defined and executed within a mutually agreeable timeframe. (Article 32)
    11. Incident Response Plan
      An incident response plan has been developed and maintained to promptly respond to and mitigate any data breaches or security incidents that may occur, including communication plans and requirements. (Article 33)
    12. Privacy Impact Assessments (“PIA(s)”)
      PIAs are conducted for new projects, products, or processes involving the processing of personal data to assess and mitigate privacy risks. (Article 35)
    13. Employee Training
      Regular training and awareness programs for employees on data protection policies, procedures, and best practices are provided to ensure compliance and minimize human error. (Article 39)

These measures are implemented in alignment with the Data Protection Laws to ensure compliance and protect the security and privacy of Accordion and Client. Accordion is committed to regularly reviewing, updating, and improving our posture to maintain the effectiveness of these TOMs.