DATA PROCESSING ADDENDUM

This Data Processing Addendum (“Addendum”) forms part of the above order form (the “Agreement”) between Client and Fuse (collectively the “Parties”).

1. Subject Matter and Duration.

a) Subject Matter. This Addendum reflects the Parties’ commitment to abide by Applicable Data Protection Laws concerning the Processing of Client Personal Data in connection with Fuse’s execution of the Agreement. All capitalized terms that are not expressly defined in this Data Processing Addendum will have the meanings given to them in the Agreement. If and to the extent language in this Addendum or any of the Exhibits conflicts with the Agreement, this Addendum shall control.

b) Duration and Survival. This Addendum will become legally binding upon the Effective Date of the Agreement or upon the date upon which both Parties have signed this Addendum, if it is completed after the Effective Date of the Agreement. Fuse will Process Client Personal Data until the relationship terminates as specified in the Agreement. Fuse’s obligations and Client’s rights under this Addendum will continue in effect so long as Fuse Processes Client Personal Data.

2. Definitions.

For the purposes of this Addendum, the following terms and those defined within the body of this Addendum apply.

a) “Applicable Data Protection Law(s)” means the relevant data protection and data privacy laws, rules and regulations to which the Client Personal Data are subject. “Applicable Data Protection Law(s)” shall include, but not be limited to, EU General Data Protection Regulation 2016/679 (“GDPR”) principles and requirements, the United Kingdom Data Protection Act 2018, and the California Consumer Privacy Act of 2018 (“CCPA”), and its implementing regulations.  For the avoidance of doubt, if Fuse’s processing activities involving Client Personal Data are not within the scope of an Applicable Data Protection Law, such law is not applicable for purposes of this Addendum.

b) “Client Personal Data” means Personal Data pertaining to Client’s users or employees Processed by Fuse to provide the Services. The Client Personal Data and the specific uses of the Client Personal Data are detailed in Exhibit 1 attached hereto, as required by the GDPR.

c) “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

d) “Personal Data” shall have the meaning assigned to the terms “personal data” or “personal information” under Applicable Data Protection Law(s).

e) “Process,” “Processes,” “Processing,” “Processed” means any operation or set of operations which is performed on data or sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

f) “Processor” means a natural or legal person, public authority, agency or other body which Processes Client Personal Data on behalf of Client subject to this Addendum.

g) “Security Incident(s)” means the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Personal Data Processed by Fuse.

h) “Services” means any and all services that Fuse performs under the Agreement.

i) “Standard Contractual Clauses” means the UK Standard Contractual Clauses, and/or the 2021 Standard Contractual Clauses.

j) “Third Party(ies)” means Fuse’s authorized contractors, agents, vendors and third party service providers that Process Client Personal Data.

k) “UK Standard Contractual Clauses” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, available at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/ and completed as described below.

l) “2021 Standard Contractual Clauses” means the Standard Contractual Clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as described below.

3. Data Use and Processing.

a) Compliance with Laws. Client Personal Data shall be Processed in compliance with the terms of this Addendum and all Applicable Data Protection Law(s).

b) Purpose Limitation. Fuse will not Process Client Personal Data for any purpose other than for the specific purposes set forth in the Agreement, unless obligated to do otherwise by applicable law. In such case, Fuse will inform Client of that legal requirement before the Processing unless legally prohibited from doing so.

c) Documented Instructions. Fuse and its Third Parties shall Process Client Personal Data only in accordance with the documented instructions of Client. The Agreement, including this Addendum, along with any applicable statement of work, constitute Client’s complete and final instructions to Fuse regarding the Processing of Client Personal Data, including for purposes of the Standard Contractual Clauses. Fuse will, unless legally prohibited from doing so, inform Client in writing if it reasonably believes that there is a conflict between Client’s instructions and applicable law or otherwise seeks to Process Client Personal Data in a manner that is inconsistent with Client’s instructions.

d) Authorization to Use Third Parties. To the extent necessary to fulfill Fuse’s contractual obligations under the Agreement or any statement of work, Client hereby authorizes (i) Fuse to engage Third Parties and (ii) Third Parties to engage subprocessors.

e) Fuse and Third Party Compliance. Fuse agrees to (i) enter into a written agreement with Third Parties regarding such Third Parties’ Processing of Client Personal Data that imposes on such Third Parties (and their subprocessors) data protection and security requirements for Client Personal Data that are at least as restrictive as the obligations in this Addendum; and (ii) remain responsible to Client for Fuse’s Third Parties’ (and their subprocessors if applicable) failure to perform their obligations with respect to the Processing of Client Personal Data.

f) Confidentiality. Any person or Third Party authorized to Process Client Personal Data must agree to maintain the confidentiality of such information or be under an appropriate statutory or contractual obligation of confidentiality.

g) Personal Data Inquiries and Requests. Upon written request from Client, Fuse agrees to provide reasonable assistance and comply with all reasonable instructions from Client related to any requests from individuals exercising their rights in Client Personal Data granted to them under Applicable Data Protection Laws (e.g., access, rectification, erasure, data portability, etc.). If a request is sent directly to Fuse, Fuse shall promptly notify Client and shall not respond to the request unless Client has authorized Fuse to do so.

h) Government Access Requests. Unless prohibited by applicable law or a legally-binding request of law enforcement, Fuse shall promptly notify Client of any request by a government agency or law enforcement authority for access to or seizure of Client Personal Data, and shall render reasonable assistance to Client, if Client wishes to contest the access or seizure.

i) Data Protection Impact Assessment and Prior Consultation. Upon written request from Client, Fuse agrees to provide reasonable assistance at Client’s expense to Client where, in Client’s judgment, the type of Processing performed by Fuse is likely to result in a high risk to the rights and freedoms of natural persons (e.g., systematic and extensive profiling, Processing sensitive Personal Data on a large scale and systematic monitoring on a large scale, or where the Processing uses new technologies) and thus requires a data protection impact assessment and/or prior consultation with the relevant data protection authorities.

j) Sale of Client Personal Data Prohibited. Fuse shall not sell Client Personal Data as the term “sell” is defined by the CCPA.

k) CCPA Certification. Fuse hereby certifies that it understands its restrictions and obligations set forth in this Addendum and will comply with them.

4. Cross-Border Transfers of Personal Data.

a) Cross-Border Transfers of Personal Data. Client authorizes Fuse and its Third Parties to transfer Client Personal Data across international borders, including from the European Economic Area (the “EEA”), the United Kingdom, and Switzerland to the United States of America. Fuse and Client agree to use the Standard Contractual Clauses as the adequacy mechanism supporting the transfer and Processing of Client Personal Data, as further detailed below.

b) 2021 Standard Contractual Clauses. For transfers of Client Personal Data out of the EEA that are subject to Section 4(a) of this DPA, the 2021 Standard Contractual Clauses will apply and are incorporated into this Addendum. For purposes of this Addendum, the 2021 Standard Contractual Clauses will apply as set forth in this Section 4(b). “Module Two: Transfer controller to processor” will apply and all other module options will not apply. Under Annex 1 of the 2021 Standard Contractual Clauses, the “data exporter” is Client and the “data importer” is Fuse and the information required by Annex 1 can be found in Exhibit 1. For the purposes of Annex 2 of the Standard Contractual Clauses, the technical and organizational measures implemented by the data importer are those listed in Section 5 of this Addendum. Clause 7 will not apply. For clause 9, the Parties choose Option 2 and the Parties agree that the time period for prior notice of Third Party changes will be as set forth in 3(f) of this Addendum. For clause 11, the optional language will not apply. For clause 17, the Parties choose Option 1 and the Parties agree that the governing law will be the Republic of Ireland. For clause 18, the Parties agree that the courts of the Republic of Ireland will apply for subsection (b).

c) UK Standard Contractual Clauses. For transfers of Client Personal Data out of the United Kingdom that are subject to Section 4(a) of this Addendum, the UK Standard Contractual Clauses will apply and are incorporated into this Addendum. For purposes of this Addendum, the UK Standard Contractual Clauses will apply as set forth in this Section 4(c). For Table 1 of the UK Standard Contractual Clauses, (i) the Parties’ details shall be the Parties and their affiliates to the extent any of them is involved in such transfer, including those set forth in Annex 1 of the 2021 Standard Contractual Clauses and (ii) the Key Contacts shall be the contacts set forth in Annex 1 of the 2021 Standard Contractual Clauses. The Approved EU SCCs referenced in Table 2 shall be the 2021 Standard Contractual Clauses as executed by the Parties pursuant to this Addendum. For Table 3, Annex 1A, 1B, and II shall be set forth in Annex 1 of the 2021 Standard Contractual Clauses. For Table 4, either party may end the UK Standard Contractual Clauses as set out in Section 19 of the UK Standard Contractual Clauses.

d) Switzerland Transfers. For transfers of Client Personal Data out of Switzerland that are subject to Section 4(a) of this DPA, the 2021 Standard Contractual Clauses will apply and will be deemed to have the differences set forth in this Section 4(d), to the extent required by the Swiss Federal Act on Data Protection (“FADP”). References to the GDPR in the 2021 Standard Contractual Clauses are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR. The term “member state” in the 2021 Standard Contractual Clauses shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the 2021 Standard Contractual Clauses. References to personal data in the 2021 Standard Contractual Clauses also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope. Under Annex I(C) of the 2021 Standard Contractual Clauses (Competent supervisory authority): where the transfer is subject exclusively to the FADP and not the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner, and where the transfer is subject to both the FADP and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the FADP, and the supervisory authority is as set forth in the 2021 Standard Contractual Clauses insofar as the transfer is governed by the GDPR.

e) Each party’s signature to this Addendum shall be considered a signature to the Standard Contractual Clauses. If required by the laws or regulatory procedures of any jurisdiction, the Parties shall execute or re-execute the Standard Contractual Clauses as separate documents. In case of conflict between the Standard Contractual Clauses and this Addendum, the Standard Contractual Clauses will prevail.

5. Information Security Program.

a) Fuse agrees to implement appropriate technical and organizational measures designed to protect Client Personal Data as required by Applicable Data Protection Law(s) (the “Information Security Program”). Such measures shall be designed to include:

i) Pseudonymisation of Client Personal Data where appropriate, and encryption of Client Personal Data in transit and at rest;

ii) The ability to ensure the ongoing confidentiality, integrity, availability of Fuse’s Processing and Client Personal Data;

iii) The ability to restore the availability and access to Client Personal Data in the event of a physical or technical incident;

iv) A process for regularly testing, assessing and evaluating the effectiveness of Fuse’s Information Security Program to ensure the security of Client Personal Data from reasonably suspected or actual accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.

6. Security Incidents.

a) Security Incident Procedure. Fuse will deploy and follow policies and procedures to detect, respond to, and otherwise address Security Incidents including procedures to (i) identify and respond to reasonably suspected or known Security Incidents, mitigate harmful effects of Security Incidents, document Security Incidents and their outcomes, and (ii) restore the availability or access to Client Personal Data in a timely manner.

b) Notice. Fuse agrees to provide prompt written notice without undue delay and within the time frame required under Applicable Data Protection Law(s) (but in no event longer than seventy-two (72) hours) to Client’s Designated POC upon becoming aware that a Security Incident has taken place. Such notice will include all available details required under Applicable Data Protection Law(s) for Client to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident.

7. Audits.

a) Right to Audit; Permitted Audits. Fuse shall make available to Client and its regulators all information necessary to demonstrate compliance with Applicable Data Protection Laws and this Addendum. Client and its regulators shall have the right to inspect Fuse’s architecture, systems, and documentation which are relevant to the security and integrity of Client Personal Data, or as otherwise required by a governmental regulator:

i) Following any notice from Fuse to Client of an actual or reasonably suspected Security Incident involving Client Personal Data;

ii) Upon Client’s reasonable belief that Fuse is not in compliance with Applicable Data Protection Laws, this Addendum or its security policies and procedures under the Agreement;

iii) As required by governmental regulators;

iv) For any reason, or no reason at all, once annually.

b) Audit Terms. Any audits described in this Section shall be:

i) Conducted by Client or its regulator, or through a third party independent contractor selected by one of these parties, and to whom Fuse does not reasonably object.

ii) Conducted during reasonable times.

iii) Conducted upon reasonable advance notice to Fuse.

iv) Of reasonable duration and scope and shall not unreasonably interfere with Fuse’s day-to-day operations.

v) Conducted in such a manner that does not violate any agreement between Fuse and its service providers, including cloud providers, or violate or cause Fuse to violate its reasonable policies related to security and confidentiality.

c) Third Parties. In the event that Client conducts an audit through a third party independent auditor or a third party accompanies Client or participates in such audit, such third party shall be required to enter into a non-disclosure agreement containing confidentiality provisions substantially similar to those set forth in the Agreement to protect Fuse’s and Fuse’s Clients’ confidential and proprietary information. For the avoidance of doubt, regulators shall not be required to enter into a non-disclosure agreement.

d) Audit Results. Upon Fuse’s request, after conducting an audit, Client shall notify Fuse of the manner in which Fuse does not comply with any of the applicable security, confidentiality or privacy obligations or Applicable Data Protection Laws herein. Upon such notice, Fuse shall make any necessary changes to ensure compliance with such obligations at its own expense and without unreasonable delay and shall notify Client when such changes are complete. Notwithstanding anything to the contrary in the Agreement, Client may conduct a follow-up audit within six (6) months of Fuse’s notice of completion of any necessary changes. To the extent that a Client audit identifies any material security vulnerabilities, Fuse shall promptly remediate those vulnerabilities.

8. Data Storage and Deletion.

a) Data Storage. Fuse will not store or retain any Client Personal Data except as necessary to perform the Services under the Agreement.

b) Data Deletion. Fuse will abide by the following with respect to deletion of Client Personal Data:

i) Within ninety (90) calendar days of the Agreement’s expiration or termination, Fuse will securely destroy (per subsection (iii) below) all copies of Client Personal Data (including automatically created archival copies).

ii) Upon Client’s request, Fuse will promptly return to Client a copy of all Client Personal Data within thirty (30) calendar days and, if Client also requests deletion of the Client Personal Data, will carry that out as set forth above.

iii) All deletion of Client Personal Data will be conducted in accordance with standard industry practices for deletion of sensitive data.  

iv) Tapes, printed output, optical disks, and other physical media will be physically destroyed by a secure method, such as shredding performed by a bonded provider.

v) Upon Client’s request, Fuse will provide evidence that Fuse has deleted all Client Personal Data. Fuse will provide the “Certificate of Deletion” within thirty (30) calendar days of Client’s request.


By:

Name: Nicolas Libonati

Title: Head of Revenue

Date: 01/23/23



Exhibit 1

1.1  Subject Matter of Processing

The subject matter of Processing is the Services pursuant to the Agreement.

1.2  Duration of Processing

The Processing will continue until the expiration or termination of the Agreement.

1.3  Categories of Data Subjects

Client’s customers, attendees, participants, employees, suppliers, and end users.

1.4  Nature and Purpose of Processing

Collection, analysis, storage, duplication, deletion, and disclosure as necessary to provide the Services and as may be further instructed by Client in writing.

1.5 Types of Personal Information

(i) Contact information, including name, postal or e-mail address, phone number and (ii) Registration number; electronic identification data, username and/or password