DATA PROCESSING ADDENDUM

This Data Processing Addendum (“DPA”) forms part of the Canyon GBS LLC (“Canyon”) – Master Services Agreement (“Agreement”) between Canyon and Customer for the procurement of Services. The DPA shall reflect Canyon’s and Customer’s understanding concerning the Processing of Personal Data. In the course of delivering Services to Customer as per the Agreement, Canyon may Process Personal Data on behalf of Customer subject to the terms outlined herein. The Parties agree to comply with these provisions regarding Personal Data, each acting reasonably and in good faith. Unless explicitly defined otherwise in this DPA, all capitalized terms used herein shall carry the meanings given to them in Section 1 (Definitions) of the Agreement (available at https://canyongbs.com/legal-terms/msa).

1. Definitions

1.1. “Applicable Laws” means the laws and regulations, court orders, and other binding requirements of a relevant government authority that apply to or govern a party.

1.2. “Applicable Data Protection Laws” means the Applicable Laws that govern the Processing of Personal Data under this Agreement, including but not limited to, the Family Educational Rights and Privacy Act (FERPA), the California Consumer Privacy Act (CCPA), and the General Data Protection Regulation (GDPR).

1.3. “Controller” will have the meaning(s) given in the Applicable Data Protection Laws for the entity that determines the purpose and extent of Processing of Personal Data.

1.4. “Customer Personal Data” means Personal Data that Customer uploads or provides to Canyon as part of the Service and that is governed by this DPA.

1.5. “Data Subject” means the identified or identifiable individual who is the subject of Personal Data being processed by a data controller or data processor.

1.6. “EEA SCCs” means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the European Council.

1.7. “European Economic Area” or “EEA” means the member states of the European Union, Norway, Iceland, and Liechtenstein.

1.8. “GDPR” means European Union Regulation 2016/679 as implemented by local law in the relevant EEA member nation.

1.9. “Personal Data” will have the meaning(s) given in the Applicable Data Protection Laws for personal information, personal data, or other similar term.

1.10. “Processing” or “Process” will have the meaning(s) given in the Applicable Data Protection Laws for any use of, or performance of a computer operation on, Personal Data, including by automatic methods.

1.11. “Processor” will have the meaning(s) given in the Applicable Data Protection Laws for the entity that Processes Personal Data on behalf of the Controller.

1.12. “Security Incident” means any event in which Canyon’s security measures are compromised, resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Customer Data.

1.13. “Service” or “Services” means the Cloud Service, Software, and Documentation.

1.14. “Special Category Data” will have the meaning given in Article 9 of the GDPR.

1.15. “Sub-processor” will have the meaning(s) given in the Applicable Data Protection Laws for an entity that, with the approval and acceptance of Controller, assists the Processor in Processing Personal Data on behalf of the Controller.

2. Data Processing

2.1. Processing Details. The data processing under this Data Processing Addendum (DPA) pertains to Customer Data and is initiated by Customer for the provision of Services. The duration of this data processing is determined by Customer. The processing involves compute, storage, and other Services as specified in the Order Form and initiated by Customer. The type of Customer Data involved is the data uploaded to the Services by the Customer. The data subjects may include Customer’s customers, employees, suppliers, and End Users.

2.2. Processing Instructions. Customer instructs Canyon to Process Customer Personal Data: (a) to provide and maintain the Service; (b) as may be further specified through Customer’s use of the Service; (c) as documented in the Agreement; and (d) as documented in any other written instructions given by Customer and acknowledged by Canyon about Processing Customer Personal Data under this DPA. Canyon will abide by these instructions unless prohibited from doing so by Applicable Laws. Canyon will immediately inform Customer if it is unable to follow the Processing instructions.

2.3. Processing by Canyon: Canyon shall regard Personal Data as confidential information and undertake Processing activities solely on behalf of and in accordance with Customer’s documented instructions. Such instructions include, but are not limited to: (i) processing as stipulated in the Agreement and relevant Order Form(s); (ii) processing initiated by Users in the course of utilizing the Services; and (iii) processing to comply with other documented reasonable instructions communicated by Customer (e.g., via email), provided such instructions align with the terms of the Agreement.

2.4. Processing by Customer. Customer acknowledges and agrees that: (i) it will adhere to its obligations under Applicable Data Protection Law when processing Customer Personal Data and issuing processing instructions to Canyon; and (ii) it has provided notice and obtained (or will obtain) all necessary consents and rights under Applicable Data Protection Law for Canyon to process personal data, including any special categories, and provide the Services as outlined in the Agreement (including this DPA).

3. Data Subject

3.1. Data Subject Request. Canyon shall promptly notify Customer of any complaint, dispute, or request received from a Data Subject (e.g. right to access, right to erasure, etc.) to the extent legally permitted. Canyon may not respond to a Data Subject Request, except that Customer permits Canyon to redirect the request to enable Customer to respond directly.

3.2. Assistance. Canyon will assist Customer, to the extent feasible, with appropriate technical and organizational measures in fulfilling Customer’s obligation to respond to a Data Subject Request under Applicable Data Protection Law.

4. Confidentiality

4.1. Confidentiality of Customer Data. Canyon shall not access, use, or disclose any Customer Data to any third party except as required for the provision of Services or to comply with applicable law or a valid governmental order. In the event of a governmental demand for Customer Data, Canyon will endeavor to direct the request to Customer and may share Customer’s basic contact information with the governmental body. If compelled to disclose Customer Data, Canyon will provide Customer with reasonable notice unless legally prohibited.

4.2. Confidentiality Responsibilities of Canyon Personnel. Canyon shall:

4.2.1. Inform Canyon personnel engaged in Personal Data Processing of the confidential nature of the data, provide appropriate training, and have them execute written confidentiality agreements, with obligations that survive termination;

4.2.2. Take commercially reasonable measures to ensure the reliability of Canyon personnel engaged in Personal Data Processing;

4.2.3. Restrict Canyon’s access to Personal Data to personnel performing Services in accordance with the Agreement, relevant Order Form(s), and Documentation.

5. Security, Certifications and Audits

5.1. Security. Canyon shall maintain appropriate technical and organizational measures to safeguard the security, confidentiality, and integrity of Customer Data, preventing unauthorized or unlawful processing, destruction, loss, alteration, disclosure, or access. Canyon shall not significantly diminish the overall security of the Services throughout the Subscription Period.

5.2. ISO Certification and SOC Reports. Canyon has secured third-party certifications and audits for its Service. For Services covered by ISO 27001 certifications and SOC 2 Type II reports, as detailed in the Order Form, Canyon commits to maintaining these certifications or standards, or suitable and comparable successors, throughout the Agreement duration.

5.3. Audits. Canyon conducts annual security audits using external auditors. These audits: (a) adhere to ISO 27001 standards or substantially equivalent alternatives; (b) are conducted by independent third-party security professionals chosen and funded by Canyon; and (c) yield an audit report deemed Canyon’s Confidential Information.

5.4. Audit Reports. Upon Customer's written request, Canyon will furnish Customer with a copy of the audit report to facilitate reasonable verification of Canyon's compliance with its obligations under this DPA. However, Canyon may restrict access to data or information if Customer’s access to the information would negatively impact Canyon’s intellectual property rights, confidentiality obligations, or other obligations under Applicable Laws. Customer acknowledges and agrees that it will only exercise its audit rights under this DPA and any audit rights granted by Applicable Data Protection Laws by instructing Canyon to comply with the reporting and due diligence requirements. Customer understands that audit reports are considered confidential information.

6. Security Incident Notifications

6.1. Security Incident. Upon becoming aware of any Security Incident, Canyon will: (a) notify Customer by any means Canyon selects (e.g. via email) without undue delay when feasible, but no later than 72 hours after becoming aware of the Security Incident; (b) provide timely information about the Security Incident as it becomes known or as is reasonably requested by Customer; and (c) promptly take reasonable steps to contain and investigate the Security Incident. Customer shall ensure that Customer’s contact information is current and accurate. Canyon’s notification of or response to a Security Incident as required by this DPA will not be construed as an acknowledgment by Canyon of any fault or liability for the Security Incident.

6.2. Unsuccessful Security Incident. Customer agrees that any unsuccessful Security Incident will not be subject to this Section 6.1. An unsuccessful Security Incident results when no unauthorized access to Customer Data is determined.

7. Sub-processor

7.1. Appointment of Sub-processors. Customer acknowledges and agrees that Canyon and its Affiliates may engage third-party Sub-processors to deliver the Services. Canyon or its Affiliate has executed a written agreement with each Sub-processor that includes data protection obligations at least as protective as those in the Agreement regarding the safeguarding of Personal Data, to the extent applicable to the Services provided by such Sub-processor.

7.2. Sub-processor obligations. When engaging a Sub-processor,

7.2.1. Canyon will have a written agreement with the Sub-processor that ensures the Sub-processor only accesses and uses Customer Personal Data (i) to the extent required to perform the obligations subcontracted to it, and (ii) consistent with the terms of Agreement.

7.2.2. If the GDPR applies to the Processing of Customer Personal Data, (i) the data protection obligations described in this DPA (as referred to in Article 28(3) of the GDPR, if applicable) are also imposed on the Sub-processor, and (ii) Canyon’s agreement with the Sub-processor will incorporate these obligations, including details about how Canyon and its Sub-processor will coordinate to respond to inquiries or requests about the Processing of Customer Personal Data.

7.2.3. Canyon remains fully liable for all obligations subcontracted to its Sub-processors, including the acts and omissions of its Sub-processors in Processing Customer Personal Data. Canyon will notify Customer of any failure by its Sub-processors to fulfill a material obligation about Customer Personal Data under the agreement between Canyon and the Sub-processor.

8. Return or Deletion of Customer Personal Data

8.1. Upon termination of the Services, Canyon will delete or return all Customer Personal Data within 90 days. This obligation does not apply if retention is mandated by Applicable Laws, in which case Canyon will securely isolate and protect the data from further processing.

9. Limitation of Liability

9.1. Notwithstanding anything to the contrary in the Agreement or this DPA, the liability of each party and each party’s affiliates under this DPA is subject to the exclusions and limitations of liability set out in the Agreement.

9.2. Exceptions. This DPA does not limit any liability to an individual about the individual’s data protection rights under Applicable Data Protection Laws. In addition, this DPA does not limit any liability between the parties for violations of the EEA SCCs or UK Addendum.

10. Europe Specific Provisions

10.1. Authorization. Customer agrees that Canyon may transfer Customer Personal Data outside the EEA, the United Kingdom, or other relevant geographic territory as necessary to provide the Service. If Canyon transfers Customer Personal Data to a territory for which the European Commission or other relevant supervisory authority has not issued an adequacy decision, Canyon will implement appropriate safeguards for the transfer of Customer Personal Data to that territory consistent with Applicable Data Protection Laws.

10.2. Ex-EEA Transfers. Customer and Canyon agree that if the GDPR protects the transfer of Customer Personal Data, the transfer is from Customer from within the EEA to Canyon outside of the EEA, and the transfer is not governed by an adequacy decision made by the European Commission, then by entering into this DPA, Customer and Canyon are deemed to have signed the EEA SCCs and their Annexes, which are incorporated by reference. Any such transfer is made pursuant to the EEA SCCs, which are completed as follows:

10.2.1. Module Two (Controller to Processor) of the EEA SCCs applies when Customer is a Controller and Canyon is Processing Customer Personal Data for Customer as a Processor.

10.2.2. Module Three (Processor to Sub-Processor) of the EEA SCCs applies when Customer is a Processor and Canyon is Processing Customer Personal Data on behalf of Customer as a Sub-processor.

10.2.3. For each module, the following applies (when applicable):

10.2.3.1. The optional docking clause in Clause 7 does not apply;

10.2.3.2. In Clause 9, Option 2 (general written authorization) applies, and the minimum time period for prior notice of Sub-processor changes is 10 business days;

10.2.3.3. In Clause 11, the optional language does not apply;

10.2.3.4. All square brackets in Clause 13 are removed;

10.2.3.5. In Clause 17 (Option 1), the EEA SCCs will be governed by the laws of the governing member state; and

10.2.3.6. In Clause 18(b), disputes will be resolved in the courts of the governing member state.

10.3. Ex-UK Transfers. Customer and Canyon agree that if the UK GDPR protects the transfer of Customer Personal Data, the transfer is from Customer from within the United Kingdom to Canyon outside of the United Kingdom, and the transfer is not governed by an adequacy decision made by the United Kingdom Secretary of State, then by entering into this DPA, Customer and Canyon are deemed to have signed the UK Addendum and its Annexes, which are incorporated by reference. Any such transfer is made pursuant to the UK Addendum.

10.4. Other International Transfers. For Personal Data transfers where Swiss law (and not the law in any EEA member state or the United Kingdom) applies to the international nature of the transfer, references to the GDPR in Clause 4 of the EEA SCCs are, to the extent legally required, amended to refer to the Swiss Federal Data Protection Act or its successor instead, and the concept of supervisory authority will include the Swiss Federal Data Protection and Information Commissioner.

11. Conflicts Between Documents

11.1. This DPA forms part of and supplements the Agreement. If there is any inconsistency between this DPA, the Agreement, or any of their parts, the part listed earlier will control over the part listed later for that inconsistency: (1) the EEA SCCs or the UK Addendum, (2) this DPA, and then (3) the Agreement.

12. Term of Agreement

12.1. This DPA will start when Customer signs and accepts the Order Form and will continue until the Order Form expires or is terminated. However, Canyon and Customer will each remain subject to the obligations in this DPA and Applicable Data Protection Laws until Customer stops transferring Customer Personal Data to Canyon and Canyon stops Processing Customer Personal Data.


Last Updated: May 10, 2024


© 2016 - 2024 Canyon GBS LLC. All rights reserved.