Global Data Processing Addendum

This data processing addendum (“DPA”) shall be incorporated into any underlying customer-facing agreement which expressly seeks to incorporate this DPA by reference (the “Agreement”) between the Aeris entity (“Aeris”) stated in that Agreement and the customer counterparty (“Customer”) and will replace any terms previously applicable to the processing and security of Customer Personal Data.

This DPA reflects the parties’ agreement with regards to the Processing of Customer Personal Data in accordance with the requirements of applicable Data Protection Laws. Nothing in this DPA shall limit or restrict Customer’s rights or Aeris’ obligations under the Agreement in relation to the protection of Personal Data as required by Data Protection Laws.

Terms not defined herein shall have the meaning set forth in the Agreement. To the extent there is conflict between the terms of this DPA and the Agreement, the terms of this DPA shall prevail.

For the avoidance of doubt the terms of this DPA shall survive the termination or expiration of the Agreement.

The parties to the Agreement (together the “parties”, each a “party”) agree as follows:

1.   DEFINITIONS

Aeris Personnel: means all employees, staff, independent contractors, subcontractors, other workers, agents and consultants of Aeris engaged in the provision of the Services from time to time.

Controller: means a natural or legal person or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

Customer Personal Data: means Personal Data Processed by Aeris on behalf of Customer as a result of, or in connection with, the obligations under the Agreement.

Data Protection Laws: means all applicable laws, regulations or other binding rules, judicial interpretation, guidance, approved certification mechanisms or codes of practice (as amended, consolidated or re-enacted from time to time) relating to the Processing of Customer Personal Data in and from any relevant jurisdiction.

Data Subject: means any identified or identifiable natural person.

EU Standard Contractual Clauses: means the standard contractual clauses approved by the European Commission by Commission Implementing Decision (EU) 2021/914 on 4 June 2021 as updated or amended (including where applicable, by way of the UK Addendum) from time to time.

Personal Data: means any information relating to a Data Subject, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing: means any operation or set of operations which is performed on Customer Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Processor: means a natural or legal person or other body which Processes Personal Data on behalf of the Controller.

Regulator: means any local, national or international governmental department, regulatory or statutory body which, whether under statute, rules, regulations, codes of practice or otherwise, is entitled to supervise or investigate matters related to Data Protection Laws.

Security Breach: means any unauthorized, accidental or unlawful destruction, loss, alteration, disclosure of, or access to Customer Personal Data.

Services: means the service provided, or to be provided, under the Agreement.

Special Category Personal Data: means personal data revealing: (i) racial or ethnic origin, (ii) political opinions, (iii) religious or philosophical beliefs, or (iv) trade union membership; OR genetic data; OR data concerning: (i) health, (ii) a person’s sex life, or (iii) a person’s sexual orientation.

Sub-Processor: means another Processor engaged by Aeris for carrying out Processing activities in respect of Customer Personal Data and includes Aeris’ affiliates or other companies within Aeris’ group carrying out Processing activities in respect of Customer Personal Data.

UK Addendum: means the UK Addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner’s Office under section 119A(1) Data Protection Act 2018, including any amendment or replacement formally adopted by the UK Information Commissioner’s Office or any other relevant Regulator.

2.   DATA PROTECTION OBLIGATIONS

2.1.   Regulatory Status of the Parties. With respect to the rights and obligations of Customer and Aeris under the Agreement, the parties agree that Customer is the Controller and Aeris is the Processor. To the extent that Customer acts as a Processor in relation to a third party, Aeris shall act as a sub-processor in relation to Customer.

2.2.   Compliance with Data Protection Laws. The parties shall at all times comply with their respective rights and obligations under this DPA and Data Protection Laws when Processing Customer Personal Data.

2.3.   Description of Processing. The parties acknowledge that, for the purposes of the Agreement, the description of the Personal Data Processed is set out in Schedule 1 to this DPA (Privacy Particulars) and, notwithstanding anything in the Agreement, may be updated from time to time by written agreement of the parties.

2.4.   Aeris Obligations. Aeris shall:

   2.4.1.   only Process Customer Personal Data for and on behalf of the Customer solely for the purposes of performing the Services and in accordance with the documented instructions contained in the Agreement and DPA, or as otherwise mutually agreed between the parties in writing, unless otherwise required to do so by applicable law to which Aeris is subject (the “Purpose”). To the extent Aeris reasonably believes that a specific Processing activity beyond the scope of Customer’s instructions is required to comply with a legal obligation to which Aeris is subject, Aeris shall inform Customer of the legal obligation and seek explicit authorisation from Customer before undertaking such Processing.
   2.4.2.   not Process Customer Personal Data contrary to applicable law, and shall promptly inform Customer if, in Aeris’ opinion, a documented instruction of Customer infringes applicable law, including Data Protection Laws.
   2.4.3.   at all times implement and comply with all reasonable technical and organisational security measures to protect Customer Personal Data against a Security Breach, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing. The core security standards that Aeris adheres to regarding Customer data are available at https://www.aeris.com/trust-center/security-standards-for-customer-data/.
   2.4.4.   ensure that only those Aeris Personnel who strictly need access to Customer Personal Data to fulfil the Purpose are granted access to such data, and that all Aeris Personnel required to access such Customer Personal Data have committed themselves to confidentiality and comply with the obligations set out in this DPA.
   2.4.5.   without undue delay after Aeris becomes aware of a Security Breach by Aeris or any of the Sub-Processors in connection with the Agreement, notify the Customer of said breach(es). Aeris shall promptly (i) investigate the incident and provide Customer with all relevant information about the Security Breach and a contact point where more information concerning the Security Breach can be obtained, (ii) take all reasonable steps to mitigate the effects and to minimise the damage resulting from the Security Breach, and (iii) cooperate with Customer to provide information in connection with any notice to be sent out to a third party in connection with such Security Breach, including as required under Data Protection Laws.
   2.4.6.   not release or publish any filing, communication, notice, press release or report concerning the Security Breach without the Customer’s prior written consent, unless otherwise required by applicable law.
   2.4.7.   without undue delay notify the Customer of any correspondence received by Aeris in relation to Customer Personal Data from a Data Subject, Regulator or other public body (a “Third Party Request”), and shall not, to the extent permitted by applicable law, respond to such correspondence without prior written consent of, and in compliance with any instruction provided by, Customer. To the extent that a Third Party Request relates to disclosure of Customer Personal Data, Aeris shall, to the extent permitted by applicable law, (i) reject any request for Customer Personal Data, (ii) consult with Customer and action Customer’s reasonable instructions in relation to making any such disclosure of Customer Personal Data, and (iii) accept any contractually agreed requests for Customer Personal Data disclosures that are authorised by Customer.
   2.4.8.   provide Customer with all reasonable cooperation in assisting Customer to comply with its obligations under Data Protection Laws, including with any impact assessments, access requests from a Data Subject and Regulator correspondence.
   2.4.9.   at Customer’s written request promptly return, delete and/or permanently destroy (at the option of Customer) all Customer Personal Data, together with all copies in Aeris’ possession and control, except to the extent otherwise required by applicable law.

2.5.   Audit. Aeris shall take all commercially reasonable steps to make available to Customer all information necessary to demonstrate compliance with the obligations in this DPA and allow for and contribute to audits, including inspections conducted by Customer or another auditor mandated by Customer (such audit or inspection, a “Customer Audit”). To the extent Customer wishes to conduct a Customer Audit:

   2.5.1.   it may only do so to the extent that (i) in the reasonable view of Customer, Aeris has failed at first instance to provide appropriate evidence of compliance with its obligations under this DPA, (ii) Aeris has experienced a Security Breach, (iii) Customer has reasonable grounds to believe that Aeris has not complied with its obligations under the DPA, (iv) such Customer Audit is required under Data Protection Law, or (v) such Customer Audit is formally requested by a Regulator.
   2.5.2.   in relation to an Aeris environment, Aeris shall provide all reasonable support to Customer.
   2.5.3.   unless otherwise required by Data Protection Law, Customer shall provide advance written notice of no less than ninety (90) days.
   2.5.4.   such Customer Audit shall be limited to (i) no more frequently than once every twelve (12) months, and (ii) a scope, time, date and duration as reasonably agreed in advance between the parties.
   2.5.5.   Customer acknowledges that the parties shall use existing certifications and audit reports at first instance, to mitigate the need for any audit or inspection of an Aeris environment.

2.6.   Customer Obligations. Customer shall ensure:

   2.6.1.   it has the appropriate applicable authority, consent and/or licence to provide, or make available, the Customer Personal Data to Aeris.
   2.6.2.   it minimises the categories of Personal Data provided to Aeris to only that which is strictly required for Aeris to perform its obligations under the Agreement.
   2.6.3.   it has identified and documented an appropriate lawful basis under Data Protection Law, as applicable, to provide, or make available, the Customer Personal Data to Aeris.

2.7.   Sub-Processors. In relation to Sub-Processors:

   2.7.1.   Customer hereby provides a general authorisation for Aeris to engage Sub-Processors.
   2.7.2.   Customer may request the current list of Sub-Processors (“Sub-Processor List”) used in the context of the Agreement, as well as a mechanism to subscribe to notifications of new Sub-Processors, by using the contact information provided in Fig. 1 of Schedule 1.
   2.7.3.   To the extent that Aeris engages a Sub-Processor not already on the Sub-Processor List (a “Sub-Processor Amendment”), it shall inform Customer no less than thirty (30) days in advance.
   2.7.4.   To the extent Customer objects to a Sub-Processor Amendment, Customer shall notify Aeris in writing within ten (10) business days following receipt of the email notification. In the event Customer reasonably objects to a Sub-Processor Amendment, Aeris agrees to engage in good faith discussions with Customer to address Customer’s objections.
   2.7.5.   Aeris shall (i) ensure that it has a written agreement in place with all Sub-Processors used under this Agreement with terms seeking to protect personal data no less onerous than those of this DPA, and (ii) remain liable to Customer for any breach of this DPA caused by an act, error, or omission of a Sub-Processor.

2.8.   International Data Transfers. To the extent:

   2.8.1.   that Aeris transfers Customer Personal Data to a Sub-Processor, it shall ensure that, to the extent applicable, such transfer is made using the appropriate legal mechanism (including any adequacy mechanism in relation to an international transfer of Customer Personal Data) to ensure compliance with Data Protection Laws.
   2.8.2.   a transfer of Customer Personal Data from Customer to Aeris requires that such transfer is made using an appropriate legal mechanism (“Restricted Transfer”), Aeris shall reasonably cooperate in good faith with Customer to validly put such legal mechanism (including any adequacy mechanism in relation to an international transfer of Customer Personal Data) in place in relation to the Restricted Transfer. To the extent applicable, the relevant legal mechanisms shall apply to a Restricted Transfer, and therefore be deemed incorporated into this DPA, in the form provided at https://www.aeris.com/legal/transfer-mechanisms.

2.9.   Further Assurances. The parties shall, in good faith, cooperate with each other to do all things reasonably necessary to ensure that this DPA continues to comply with Data Protection Laws, including:

   2.9.1.   the implementation of any additional measures required to protect Customer Personal Data; and
   2.9.2.   updating or amending any legal mechanism for the international transfer of Customer Personal Data.

SCHEDULE 1 – PRIVACY PARTICULARS

Customer acknowledges that it is solely responsible for (i) determining the use-case(s) of the Services, and (ii) ensuring the accuracy of details within these Privacy Particulars. Customer shall not hold Aeris responsible for the content of these annexures.

Fig 1. – Party Details

Data Controller/Processor Details (Customer)
   Name and Address: That of Customer as provided in the Agreement
   Contact: As provided in the Agreement or as otherwise communicated to Aeris by Customer. Customer is responsible for notifying Aeris that its nominated contact point remains current and valid.
   Date/Signature: As provided in the Agreement

Data Processor/Sub-Processor Details (Aeris)
   Name and Address: That of Aeris as provided in the Agreement
   Contact: Data Protection Officer (dpo@aeris.net)
   Date/Signature: As provided in the Agreement

Fig 2. – Description of Data Processed

Subject Matter: Aeris’ provision of the Services to Customer.
Categories of Data Subjects: Data subjects include the individuals about whom personal data is provided to Aeris via (or at the direction of) Customer, or end-users of Customer.
Categories of Personal Data transferred: Personal Data relating to Data Subjects provided to Aeris via the Services. Personal Data transferred may include:
  • Personal details, including: name, address, and contact details.
  • Device information, including: IP Address, IMSI and location.
Special Categories of Personal Data transferred: Not applicable.
Frequency of transfer: Customer Personal Data will be transferred on a continuous basis until it is deleted in accordance with either (i) the terms of this Agreement/DPA, or (ii) as required by applicable law.
Nature and purpose of Processing: To provide, secure and monitor the Services in accordance with the Agreement.
Period for which Personal Data is retained: Aeris shall retain the Customer Personal Data until the later of (i) its deletion in accordance with the terms of the Agreement/DPA, or (ii) as required by applicable law.
Transfers to Sub-Processors: See Clause 2.7 of this DPA.

For further details regarding Aeris data processing activities, please see the resources available at the Aeris Trust Center (Data Privacy and Protection).