
Data Protection Agreement

DATA PROTECTION AGREEMENT ("DPA")

  1. BACKGROUND

    1. This DPA applies as set out in clause 7.1 of the Agreement. In the event of a conflict between any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail.
  2. DEFINITIONS

    1. Unless otherwise set out below, each capitalised term in this DPA shall have the meaning set out in the Agreement and the following capitalised terms used in this DPA shall be defined as follows:

      "Customer Personal Data" means any personal data contained in the Customer Materials, including personal data uploaded by the Customer to the Platform that Ravio Processes on behalf of the Customer or one of its Affiliates for the duration of the Agreement in connection with the Customer's use of and access to the Platform;

      For the avoidance of doubt, Customer Personal Data shall not include any personal data which is anonymised or deidentified whether by the Customer at the time of its supply to Ravio or anonymised or deidentified by Ravio after which the identifiable data is destroyed.

      "Controller" means “controller” or “business” as defined by any applicable Data Protection Laws.

      "Data Protection Laws" means:

      1. to the extent that UK GDPR applies, the law of the United Kingdom or a part thereof which relates to the protection of personal data; or

      2. to the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which Ravio is subject, which relates to the protection of personal data; or

      3. to the extent applicable, the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), together with any amending or replacement legislation, including the California Privacy Rights Act of 2020 and any regulations promulgated thereunder, and all other equivalent or similar laws and regulations in any relevant jurisdiction relating to Personal Data and privacy, as each may be amended, extended or re-enacted from time to time.

      "Data Subject" means “data subject” or “consumer” as defined by any applicable Data Protection Laws;

      "European Economic Area" or "EEA" means the Member States of the European Union together with Iceland, Norway, and Liechtenstein;

      "EU GDPR" means the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council;

      "Personal Data" means “personal data”, “personal information” or “personally identifiable information” as defined by any applicable Data Protection Laws.

      "Processor" means “processor” or “service provider” as defined by any applicable Data Protection Laws.

      "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Customer Personal Data;

      "Standard Contractual Clauses" means the appropriate standard contractual clauses annexed to the Commission Implementing Decision C/2021/3972 or such other clauses as are approved by the European Commission from time to time (where EU GDPR applies) or adopted by the United Kingdom Information Commissioner (where UK GDPR applies);

      "Subprocessor" means any Processor engaged by Ravio who agrees to receive from Ravio Customer Personal Data; and

      "UK GDPR" as it forms part of the law of England and Wales, Scotland and Northern Ireland has the meaning given by the European Union (Withdrawal) Act 2018.

      The terms "Process" and "Supervisory Authority" shall have the same meaning as set out in applicable Data Protection Laws.

  3. DATA PROCESSING

    1. In this Agreement Ravio shall act as a Processor for Customer Personal Data of which the Customer or its Affiliates is a Controller.

    2. Ravio will only Process Customer Personal Data in accordance with:

      1. the Agreement, to the extent necessary to provide the Services to the Customer; and

      2. the Customer's written instructions,

      unless Processing is required by European Union, Member State or other Data Protection Laws to which Ravio is subject, in which case Ravio shall, to the extent permitted by applicable law, inform the Customer of that legal requirement before Processing that Customer Personal Data.

    3. Ravio shall implement the technical and organisational measures referred to in paragraph 6.1 to protect against unauthorised or unlawful processing and against loss or destruction or damage to the Customer Personal Data.

    4. The Agreement (subject to any changes to the Services) and this DPA shall be the Customer's instructions to Ravio in relation to the Processing of Customer Personal Data.

    5. To the extent that any of the Customer's instructions require Processing of Customer Personal Data in a manner that falls outside the scope of the Services, Ravio may:

      1. make the performance of any such instructions subject to the payment by the Customer of any costs and expenses incurred by Ravio or such additional charges as Ravio may reasonably determine; or

      2. terminate the Agreement and the Services.

    6. The Customer shall provide all applicable notices to Data Subjects required under applicable Data Protection Laws for the lawful Processing of Customer Personal Data by Ravio in accordance with this Agreement.

    7. The Customer warrants that it has obtained and will obtain any necessary consents required under applicable Data Protection Laws for the lawful transfer to and Processing of Customer Personal Data by Ravio in accordance with this Agreement.

    8. Data Processing Particulars - the scope, nature and purpose of and the duration of the Processing together with the types of personal data and categories of Data Subject are set out in Data Processing Particulars.

    9. To the extent the CCPA applies, Ravio shall (i) not sell or share (as defined by the CCPA) Customer Personal Data, (ii) not retain, use, or disclose the Customer Personal Data outside the direct business relationship between Ravio and Customer, unless expressly permitted by the CCPA, (iii) comply with all applicable sections of the CCPA and the regulations, including with respect to the Customer Personal Data that it collected pursuant to the Agreement, providing the same level of privacy protection as required of businesses by the CCPA and the regulations, (iv) take reasonable and appropriate steps to ensure that Ravio uses the Customer Personal Data that it collected pursuant to the Agreement in a manner consistent with Customer’s obligations under the CCPA and the regulations and (v) grant Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate Ravio’s unauthorized use of the Customer Personal Data.

  4. SUBPROCESSORS

    1. The Customer agrees that Ravio may from time to time use Subprocessors (including Google Cloud, Merge, Kombo and Auth0) to Process Customer Personal Data, provided it enters into, in accordance with Data Protection Laws, a written agreement with the Subprocessor which imposes the same obligations on the Subprocessor with regard to their Processing of Customer Personal Data as are imposed on Ravio.

    2. Ravio shall at all times remain responsible for compliance with its obligations under the DPA and will be liable to the Customer for the acts and omissions of any Subprocessor as if they were the acts and omissions of Ravio.

    3. Ravio shall provide the Customer with notice of any proposed changes to the Subprocessors it uses to Process Customer Personal Data (including any addition or replacement of any Subprocessors).

    4. If the Customer wishes to object (acting reasonably) on the grounds that sub-processing will or is likely to lead to a breach of Data Protection Laws then it shall provide written notice to Ravio within seven (7) days of notification by Ravio under paragraph 4.3 (an "Objection"). In the event of an Objection, Ravio will discuss the same with the Customer in good faith. Unless an actual or likely breach of Data Protection Laws is demonstrated, Ravio is under no obligation to accommodate an Objection. Subject thereto, Ravio may, at its discretion, change the Services to accommodate the Objection. Such a change may involve a change to the Fees. If Ravio is not prepared to change the Services or if the Customer does not accept the proposal within seven (7) days then the Customer may terminate the Agreement by providing not less than thirty (30) days' written notice to Ravio. No pre-paid Fees shall be refundable if the Agreement is terminated by the Customer in accordance with this paragraph 4.4.

  5. INTERNATIONAL TRANSFERS

    1. Ravio shall not transfer or otherwise process the Customer Personal Data outside the UK or EEA unless:

      1. the recipient, or the country or territory in which it processes or accesses the Customer Personal Data, ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of Customer Personal Data as set out in a decision of the European Commission or the United Kingdom's Information Commissioner's Office; or

      2. the transfer is based on the appropriate module of the Standard Contractual Clauses; or

      3. the transfer is otherwise lawful under applicable Data Protection Laws.

  6. DATA SECURITY, AUDITS AND SECURITY NOTIFICATIONS

    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Ravio shall at all relevant times implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including (as appropriate) any measures listed in Article 32(1) of the UK GDPR. Such measures include those which can be found at Technical and Organisational Measures and shall be at least equivalent to those published at the Commencement Date.

    2. The Customer may, upon reasonable notice, at reasonable times and at its own cost, audit (either by itself or using independent third party auditors) Ravio's compliance with the Processing of Customer Personal Data under this DPA including by conducting audits of Ravio's data processing facilities. Ravio shall assist with any audits conducted in accordance with this paragraph 6.2, provided that:

      1. such audits are carried out in a manner that does not disrupt Ravio's business and are not carried out more than annually;

      2. the Customer reimburses Ravio any costs incurred by Ravio in facilitating such audits, including arranging access to any of Ravio's or its Subprocessors' processing facilities.

      The Customer acknowledges that, in relation to Subprocessors, rights of audit may be subject to additional requirements of the Subprocessor including the right to tender in the first instance assurance reports in order to satisfy Customer concerns.

    3. Where required under Article 28(3)(h) of the UK GDPR, or other Data Protection Laws, Ravio shall immediately notify the Customer in the event that Ravio believes the Customer's instructions conflict with the requirements of applicable Data Protection Laws or other EU, Member State or UK laws.

    4. If Ravio or any Subprocessor becomes aware of a Security Incident, Ravio will (i) notify the Customer of the Security Incident promptly and in any event within forty eight (48) hours after becoming aware of the Security Incident, (ii) investigate the Security Incident and provide such reasonable assistance to the Customer (and any law enforcement or regulatory official) as required to investigate the Security Incident, and (iii) take steps to remedy any non-compliance with this DPA.

    5. Ravio shall treat the Customer Personal Data as the Customer's Confidential Information and shall ensure that any employees or other personnel that have access to the Customer Personal Data have agreed in writing to protect the confidentiality and security of the Customer Personal Data and do not Process such Customer Personal Data other than in accordance with this DPA.

  7. ACCESS REQUESTS AND DATA SUBJECT RIGHTS

    1. Save as required (or where prohibited) under applicable law, Ravio shall promptly notify the Customer of any request received by Ravio from a Data Subject, whether directly or through a Subprocessor, in respect of their personal data included in the Customer Personal Data and shall not respond to the Data Subject.

    2. Ravio shall provide the Customer with the ability to correct, delete, block, access or copy the Customer Personal Data in accordance with the functionality of the Platform.

    3. Ravio shall notify the Customer of any request for the disclosure of Customer Personal Data by a governmental or regulatory body or law enforcement authority (including any data protection Supervisory Authority) unless otherwise prohibited by law or a legally binding order of such body or agency.

  8. ASSISTANCE

    1. Where applicable, taking into account the nature of the Processing, and to the extent required under applicable Data Protection Laws, Ravio shall:

      1. use all reasonable endeavours to assist Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests for exercising Data Subject rights laid down by applicable Data Protection Laws; and

      2. provide reasonable assistance to the Customer (at the Customer's expense unless the same is due to any breach by Ravio) with any data protection impact assessments and with any prior consultations to any Supervisory Authority of the Customer, in each case solely in relation to Processing of Customer Personal Data and taking into account the information available to Ravio.

  9. DURATION AND TERMINATION

    1. Ravio shall, within thirty (30) days of the date of expiry or termination of the Agreement:

      1. if requested to do so by the Customer, return a complete copy of all Customer Personal Data by secure file transfer; and

      2. delete and use all reasonable efforts to procure the deletion of all other copies of Customer Personal Data Processed by Ravio or any Subprocessors. Customer Personal Data shall be considered deleted where it is put beyond further use by Ravio or its Subprocessors. The Customer acknowledges that its Subprocessors may have their own timescales for the return or destruction of Customer Personal Data.

    2. Ravio and its Subprocessors may retain Customer Personal Data to the extent required by applicable law, or as Ravio may deem necessary to prosecute or defend any legal claim, provided that such Customer Personal Data is retained only to the extent and for such period as required by applicable laws or pending resolution of any issue, and always provided that Ravio shall ensure the confidentiality of all such Customer Personal Data.