Data Processing Addendum for the Onit Companies

This Data Processing Addendum (“Addendum”) is entered into by and between Onit, Inc. (“Company”) and the Customer named in the Order (each, a “Party” as applicable, and collectively, the “Parties”) and is effective as of the Effective Date of the Order by virtue of the Parties accepting and executing the Order, together with the Onit Subscription and Services Agreement referenced in the Order (“Terms”).  The Order, together with the Terms, is collectively referred to in this Addendum as the “Agreement”.  This Addendum amends and is incorporated into the terms of the Agreement between the Parties but only to the extent such Agreement provides for Company to access, collect, acquire, receive, transfer, process, and/or use the customer Personal Data (as defined below) of Customer. All capitalized terms not otherwise defined in this Addendum will have the meaning given to them in the Agreement. If you are accepting these terms, you warrant that: (a) you have full legal authority to bind Customer to this Addendum; (b) you have read and understand this Addendum; and (c) you agree, on behalf of Customer, to this Addendum. Company and Customer agree as follows:

  1. Definitions. For purposes of this Addendum:
    1. “Data Privacy Laws” means all applicable laws, regulations, and other legal requirements in the jurisdictions in which Company operates relating to privacy, data protection, data security, communications secrecy, breach notification, or the Processing of Personal Data that are applicable to Company’s provision of its services to its general customer base, without regard for Customer’s specific use of those services, including without limitation, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. and the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”) and the United Kingdom of Great Britain and Northern Ireland (“UK”) Data Protection Act of 2018.
    2. “Data Processor” means Company receiving or accessing Personal Data of Customer for purposes of Processing under the Agreement.
    3. “Data Subject” means an identified or identifiable natural person about whom Personal Data relates, as set forth in Annex 1. “Annex 1” is also deemed to be “Annex I” for purposes of the Standard Contractual Clauses.
    4. “Personal Data” means Customer data that identifies an individual or is reasonably capable of being associated with an identified individual or device and includes “personal data,” “personal information,” and “personally identifiable information,” and as such terms will have the same meaning as defined by the applicable Data Privacy Laws. Any Personal Data which has been de-identified or anonymized will not be considered Personal Data.
    5. “Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction within the production environments hosted by Company.
    6. “Security Breach” means any unauthorized and/or accidental destruction, loss, alteration, disclosure of, access to, or unlawful acquisition of Personal Data caused by Company.
    7. “Security Measures” mean appropriate administrative, technical, physical, and organizational measures designed to protect Personal Data, as set forth in Annex 2, as may be modified from time to time by Company provided that any such modifications will be adequate alternative measures and not materially degrade the Security Measures. “Annex 2” is also deemed to be “Annex II” for purposes of the Standard Contractual Clauses.
    8. “Standard Contractual Clauses” or “SCCs” means the terms under the GDPR setting forth the obligations for the transfer of Personal Data to Data Processors established in third countries adopted by the European Commission decision of June 4, 2021, attached hereto as Annex 4.
    9. “Subcontractor” means any entity that Company utilizes to fulfill any part of the Agreement with Customer and has access to Customer’s Personal Data, including those set forth in Annex 3. “Annex III” is also deemed to be “Annex 3” for purposes of the Standard Contractual Clauses.
    10. “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner’s Office under S119A(1) Data Protection Act 2018 VERSION B1.0, in force 21 March 2022, for Restricted Transfers, attached hereto as Annex 5.
  2. Scope and Purposes of Processing.  Company will:
    1. Process Personal Data as set forth in this Addendum, as outlined in the Agreement, and in compliance with Data Privacy Laws applicable to Company as a Data Processor.
    2. Process Personal Data as may be mutually agreed in writing by Customer and Company from time to time.
    3. Process Personal Data as required by Data Privacy Laws to which Company is subject. In such case, and unless applicable law prohibits Company from doing so, Company will inform Customer of such legal requirement before such Processing.
  3. Personal Data Processing Requirements. Company will:
    1. Require that the persons it authorizes to Process the Personal Data are subject to appropriate confidentiality obligations or are under an appropriate statutory obligation of confidentiality. 
    2. Upon written request of Customer, assist Customer in the fulfilment of Customer’s obligations to respond to verifiable requests by Data Subjects (or their representatives) for exercising their rights under Data Privacy Laws (such as rights to access or delete Personal Data). 
    3. Promptly notify Customer of (i) any third-party or Data Subject requests or complaints regarding the Processing of Personal Data; or (ii) any government or Data Subject requests for access to or information about Company’s Processing of Personal Data on Customer’s behalf, unless prohibited by Data Privacy Laws. 
    4. Provide reasonable assistance to and cooperation with Customer for Customer’s consultation with regulatory authorities in relation to the Processing, including complying with any obligation applicable to Company under Data Privacy Laws.
  4. Data Security. Company will implement appropriate administrative, technical, physical, and organizational measures designed to protect Personal Data, as set forth in Annex 2. 
  5. Security Breach. Company will notify Customer promptly of any Security Breach. Company will comply with the Security Breach-related obligations directly applicable to Data Processors under Data Privacy Laws and will assist Customer in Customer’s compliance with its Security Breach-related obligations, including without limitation, by:
    1. Providing Customer with details of the Security Breach to the extent known, which may include the nature of the Security Breach, the circumstances and the categories and approximate number of Data Subjects and Personal Data records involved; and
    2. Addressing the Security Breach and where appropriate, mitigating possible adverse effects of the Security Breach to reduce the risk to Data Subjects whose Personal Data was involved, at Company’s expense subject to the terms of the Agreement. Data Processor’s liability under this Addendum shall be limited to one times the amount of fees paid by Customer to Company in the previous year.
  6. Subcontractors.
    1. Customer acknowledges and agrees that Company may use Company affiliates and other Subcontractors to Process Personal Data in accordance with the provisions of this Addendum and Data Privacy Laws, a copy of such list of Subcontractors which may be provided to Customer upon request. 
    2. Where Company subcontracts any of its rights or obligations concerning Personal Data, Company will (i) take steps to select and retain Subcontractors that are capable of maintaining appropriate privacy and security measures to protect Personal Data consistent with this Addendum; and (ii) enter into a written agreement with each Subcontractor that imposes obligations on the Subcontractor that are no less restrictive than those imposed on Company under this Addendum.
    3. Company will maintain an up-to-date list of its Subcontractors which Company will provide to Customer upon request. In the event Customer objects to a new Subcontractor, Company will use reasonable efforts to make available to Customer a change in the services or recommend a commercially reasonable change to Customer’s use of the services to avoid Processing of Personal Data by the objected-to Subcontractor without unreasonably burdening Customer and Company. Customer may, in its sole discretion, terminate the Agreement at any time and with thirty days’ prior notice in the event that it objects to a Subcontractor and Company is unable to change the services to satisfy Customer.
  7. Data Transfers. The Parties agree to be bound by the Standard Contractual Clauses to the extent that Company Processes Personal Data of Data Subjects to processors established in third countries which do not ensure an adequate level of data protection. The Standard Contractual Clauses will not apply with respect to Personal Data that Company Processes in the European Economic Area or in a country that the European Commission has decided provides adequate protection for Personal Data. The transfers of Personal Data of Data Subjects located in the UK to and from the UK and subsequent onward transfers shall be subject to the UK Data Protection Act of 2018 and the UK Addendum. In the event Standard Contractual Clauses apply, the Standard Contractual Clauses set forth in Annex 4 have been completed for Module Two: Transfer Controller to Processor as follows:
    1. The Data Exporter is the Customer, and the Data Exporter’s contact information is set forth in the Agreement.
    2. The Data Importer is Company, and Company’s contact information is set forth in the Agreement.
    3. For the purposes of this DPA and the Agreement, Module Two (Transfer Controller to Processor) applies.
    4. Clause 7 (Optional Docking Clause) does not apply.
    5. Clause 8.9 (Documentation and compliance): the Parties agree that audits and requests for audits pursuant to Clause 8.9 shall be done in accordance with Section 8 (Audits) of this DPA.
    6. Clause 9(a) (Use of Sub-processors): the Parties elect Option 2 (General Written Authorisation) with a 10-day notice period. Data Exporter consents to Data Importer’s engagement of Sub-processor(s) in accordance with Section 6 (Subcontractors) of this DPA.
    7. Clause 11(a) (Redress): the optional section does apply.
    8. Clause 13 (Supervision) subclause (a): the third option shall be applicable.
    9. Clause 17 (Governing Law): the Parties elect Option 2 and agree that the Clauses shall be governed by the law of Belgium.
    10. Clause 18(b) (Choice of Forum and Jurisdiction): the Parties agree that any dispute arising from the Clauses shall be resolved by the courts of Belgium. 
    11. Annex 1 (Description of Processing) will apply to Annex I of the Standard Contractual Clauses.
    12. Annex 2 (Technical and Organizational Security Measures) will apply to Annex II of the Standard Contractual Clauses. 
    13. Annex 3 (Subcontractors) will apply to Annex III of the Standard Contractual Clauses.
    14. Annex 5 (UK Addendum) will apply to Processing UK Personal Data.
  8. Audits. Upon at least fifteen (15) business days advance notice once per calendar year, Customer may request Company to make available to Customer appropriate information necessary to demonstrate compliance with this Addendum, including to provide Customer with inspections conducted by Customer or its third-party provider, which will be subject to the strictest confidentiality obligations set forth in any of the Agreements and which will survive in accordance with the terms of the applicable Agreement, notwithstanding any termination of this Addendum.  Any such audit will be conducted during regular business hours in such a way that the audit does not disrupt Company’s business. If the scope of the audit has been addressed in a SSAE 18 Type 1 or Type 2 or similar audit report performed by a qualified third party auditor within the prior twelve (12) months, and Company confirms there are no known material changes in the controls audited, Customer agrees to accept those reports in lieu of requesting an additional audit of the controls covered by the report.
  9. Return or Destruction of Personal Data. Except to the extent required otherwise by Data Privacy Laws, Company will, at the choice of Customer, return to Customer and/or securely destroy all Personal Data upon (a) written request of Customer (excessive requests will incur reasonable fees for the administrative costs to comply with such request); or (b) in accordance with the terms of the applicable Agreement. Except to the extent prohibited by Data Privacy Laws, Company will inform Customer if it is not able to return or delete the Personal Data. 
  10. Term. The Addendum will be effective as of the Effective Date and remain in effect for so long as the Agreement between the Parties remains in effect. Upon expiration or termination of the Agreement then in effect between the parties, the Addendum and the obligations hereunder will automatically terminate.
  11. Governing Law. This Addendum will be governed by the law governing the Agreement, provided that if this Addendum is applicable to more than one Agreement with more than one governing law set forth in the various Agreements, the laws of Delaware will apply.
  12. Conflicts.  To the extent of any conflict or inconsistency between the Agreement and the terms of this Addendum, then as it relates to data protection or processing, the terms of this Addendum shall govern and control except to the extent that the Order Form specifically modifies this Addendum by reference to this Addendum. 