DATA PROCESSING ADDENDUM

This Data Processing Addendum (“Addendum”) forms part of the Software Terms and Conditions (“Agreement”) between LayerX Security Inc and LayerX Security Ltd. (“LayerX”) and the user of the Software as defined in the Agreement (“Customer”) and shall apply only to the extent that LayerX Processes Personal Data (as defined below) on behalf of Customer.

The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalised terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.

In consideration of the mutual obligations set out herein, the parties agree that the terms and conditions set out below shall be added as an Addendum to the Agreement. Except where the context requires otherwise, references in this Addendum to the Agreement are to the Agreement as amended, and including, this Addendum.

In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

    1. “Applicable Laws” means any applicable law to which LayerX or Customer is subject;
    2. “California Privacy Laws” means the California Consumer Privacy Act of 2018 (“CCPA”), including as modified by the California Privacy Rights Act of 2020 (“CPRA”), as amended or superseded from time to time.
    3. “Customer Personal Data” means any Personal Data which may be processed by LayerX or a Sub-processor on behalf of LayerX, pursuant to or in connection with the Agreement;
    4. “Data Protection Legislation” means any data protection and privacy law applicable to LayerX when providing its Services to Customer.
    5. “EU” means the European Union;
    6. “EEA” means the European Economic Area which includes all EU countries as well as Iceland, Liechtenstein and Norway;
    7. “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) as amended from time to time or any regulation replacing the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, and the relevant applicable data protection law;
    8. “SCC” means the applicable module of the standard clauses for the transfer of Personal Data pursuant to the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN and as applicable, supplemented by the UK addendum (“UK Addendum”) to the European Commission’s Standard Contractual Clauses for international data transfers available at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf
    9. “UK GDPR” means the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.
    10. “Services” means the provision of LayerX’s digital cloud-based browser security platform, designed to turn Customer’s browser into protected & manageable workspace software and all, as defined in the Agreement.
    11. “Sub-processor” means any person (excluding an employee of LayerX) appointed by or on behalf of LayerX to Process Personal Data on behalf of Customer in connection with the Agreement;
    12. “Supervisory Authority” means (a) an independent public authority which is established by a member state of the European Union pursuant to Article 51 GDPR; and (b) any similar regulatory authority responsible for the enforcement of Data Protection Legislation;
    13. “Term” means the term of the Agreement, as defined therein.
    14. The terms “Controller”, “Processor”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, and “Processing” shall have the same meaning as in the GDPR, or, where applicable, their equivalent terms under Applicable Data Protection Legislation, and their cognate terms shall be construed accordingly.
    15. The parties acknowledge that Customer is the Controller and shall comply with the obligations of a Controller under the Data Protection Legislation and that LayerX is acting in the capacity of a Processor. Customer will comply with all obligations applicable to a Controller pursuant to the Data Protection Legislation.
    16. LayerX shall Process Customer Personal Data on the documented instructions of Customer, unless otherwise required by an Applicable Law to which LayerX is subject. In which case, LayerX shall notify Customer if, in its opinion, any instruction infringes the Data Protection Legislation or other Applicable Law, unless that law prohibits such notification. Such notification will not constitute a general obligation on the part of LayerX to monitor or interpret the laws applicable to Customer, and such notification will not constitute legal advice to Customer.
    17. Customer warrants that it has all the necessary rights to provide the Personal Data to LayerX for the Processing to be performed in relation to the Services, and that one or more lawful bases set forth in the Data Protection Legislation support the lawfulness of the Processing. To the extent required by the Data Protection Legislation, Customer is responsible for ensuring that all necessary privacy notices are provided to Data Subjects, and unless another legal basis set forth in the Data Protection Legislation supports the lawfulness of the Processing, that any necessary Data Subject consents to the Processing are obtained, and for ensuring that a record of such consent is maintained. Should such consent be revoked by a Data Subject, Customer is responsible for communicating the fact of such revocation to LayerX, and LayerX will act pursuant to Customer’s instructions as seems appropriate.
    18. Annex 1 to this Addendum sets out certain information and describes the manner in which Personal Data may be processed by LayerX. Customer warrants it is an accurate reflection of the Processing activities pursuant to this Addendum and the Agreement. The nature of the Processing operations will depend on the scope of the Services and the nature of the Personal Data that Customer provides in its sole discretion, in a manner by which LayerX finds appropriate to provide the required Services.
    19. In case Customer determines that any of the California Privacy Laws are applicable to LayerX in relation to the Services provided under the Agreement and requires to impose on LayerX requirements that are beyond such that are set forth in this Addendum, Customer shall notify LayerX accordingly of such requirements.
    20. In case Customer is subject to the California Privacy Laws, LayerX certifies that it understands the rules, requirements and definitions of the California Privacy Laws and agrees to refrain from selling (as such term is defined in the California Privacy Laws) any Customer Personal Data Processed hereunder, nor take any action that would cause any disclosure of Customer Personal Data to or from LayerX under the Agreement or this DPA to qualify as “selling” such Customer Personal Data under the California Privacy Laws. LayerX will reasonably cooperate and assist Customer with meeting Customer’s California Privacy Laws compliance obligations and responding to California Privacy Laws related inquiries, including responding to verifiable consumer requests, taking into account the nature of LayerX’s Processing and the information available to LayerX.
    21. Without prejudice to any existing contractual arrangements between the parties, LayerX shall ensure that any person that it authorises to Process the Personal Data on its behalf, shall be subject to a duty of confidentiality.
    22. Taking into account the measures required by the Data Protection Legislation, and the state of the art, the costs of implementation and nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, LayerX shall implement appropriate technical and organizational measures to ensure a level of security of the Processing of Personal Data appropriate to the risk. Such measures are detailed in Annex 2 and may be updated by LayerX from time to time, provided that such updates shall not materially decrease the protection of Personal Data for Data Subjects.
    23. Customer acknowledges that the security requirements are constantly changing and that effective security requires frequent evaluation and regular improvements of outdated security measures. Customer will therefore evaluate the measures implemented in accordance with section 4 on an on-going basis in order to maintain compliance with the requirements set forth in this section. The parties will negotiate in good faith, the cost, if any, to implement changes required by specific updated security requirements set forth in Data Protection Legislation or by data protection authorities of competent jurisdiction.
    24. Customer generally authorizes LayerX to engage Sub-processors in accordance with this Section 4 and approves LayerX’s use of the processors listed in the processors list available at https://layerxsecurity.com/sub-processors/ (“Sub-processors List”). LayerX will update the Sub-processors List at least 30 days before appointing a new Sub-processor and will provide Customer with a mechanism to subscribe to notifications of new Sub-processors, and if Customer subscribes, LayerX shall provide notification of a new Sub-processor(s) before authorizing any new Sub-processor(s) to Process Personal Data (a “Change Notice”).
    25. Customer may object to a new Sub-processor on reasonable grounds related to the protection of Customer Personal Data by sending an email to LayerX describing its legitimate, good-faith objection within 15 days of a Change Notice (an “Objection Notice”), in which case LayerX may satisfy the objection by (a) not using the new Sub-processor to Process Customer Personal Data; (b) taking corrective steps requested by Customer in its Objection Notice; or (c) ceasing to provide the parts of the Services that involve the new Sub-processor Processing Customer Personal Data, subject to a mutual agreement of the Parties to adjust the remuneration for the Services considering their reduced scope. Where the parties are unable to resolve the issues within such time frame, Customer’s sole remedy will be to terminate the Agreement. If Customer does not provide a timely Objection Notice, Customer will be deemed to have authorized LayerX’s use of the Sub-processor and to have waived its right to object. With respect to each Sub-processor, LayerX shall ensure that the Sub-processor is bound by data protection obligations compatible with those of the Data Processor under this Addendum.
    26. Customer shall comply with requests received from Data Subjects to exercise their rights pursuant to the Data Protection Legislation.
    27. When Customer is unable to perform according to section 6.1, and therefore requires LayerX’s assistance, while taking into account the nature of the Processing, LayerX shall assist Customer, upon Customer’s request and at the Customer’s cost, by using appropriate technical and organisational measures, insofar as this is possible to comply with requests to exercise data protection rights, under the Data Protection Legislation.
    28. When LayerX becomes aware of an incident that has a material impact on the Processing of Customer Personal Data that is subject to the Agreement, it shall notify Customer about the incident. LayerX shall cooperate with Customer and follow Customer’s instructions with regard to such incident, to enable Customer to perform an investigation into the incident, formulate a correct response and take suitable further steps in respect to the incident.
    29. Where the incident is reasonably likely to require a data breach notification by Customer under the Data Protection Legislation, LayerX will assist Customer, at the Customer’s cost, with the notification process.
    30. On the basis of such notification, where applicable Customer shall notify the Personal Data Breach to the competent Supervisory Authority in case required under the Data Protection Legislation and to the extent required, shall communicate the required information regarding the Personal Data Breach to the relevant Data Subject.
    31. LayerX shall, at Customer’s cost, cooperate with Customer and take the reasonable commercial steps which shall reasonably be instructed by Customer, to assist in the investigation and mitigation of every occurring Personal Data Breach.
    32. During the Term, LayerX will retain Personal Data for up to twelve (12) months, unless otherwise agreed upon by the parties in writing.
    33. Upon the termination of this Addendum (“Cessation Date”), the Company may, at its discretion, retain Personal Data for up to twelve (12) months from the Cessation Date, unless otherwise requested by the Customer in accordance with section 7.3. However, LayerX reserves the right to delete Personal Data immediately on Cessation Date.
    34. Customer may in its discretion by written notice to LayerX within 30 calendar days of the Cessation Date, require LayerX to (a) return a complete copy of all Customer Personal Data to Customer; and (b) delete all other copies of Customer Personal Data Processed by Processor. LayerX shall comply with any such written request within 60 calendar days of the Cessation Date.
    35. Notwithstanding the above, LayerX may retain Customer Personal Data to the extent and for such period as required by Applicable Laws.
    36. LayerX is not responsible for the storage or backup of any Personal Data. The Customer is strongly advised to conduct its own backup of Personal Data and ensure that all necessary Personal Data is stored within its systems.
    37. Subject to section 9.2 and 9.3, LayerX shall make available to Customer upon a reasonable request, information which is reasonably necessary to demonstrate compliance with this Addendum.
    38. Where applicable, if Customer is not otherwise satisfied by its audit rights pursuant to the Agreement, LayerX shall, at the Customer’s costs, allow for audits, including inspections, by an auditor mandated by Customer (subject to section 9.3 where auditor shall be subject to written confidentiality obligations in relation to such information) in relation to the Processing of Customer Personal Data by LayerX, provided that Customer shall give LayerX a reasonable notice of any audit or inspection to be conducted and Customer shall take reasonable steps to ensure (and shall procure that each of its mandated auditors) to minimize disruption to the Processor’s business, in the course of such audit or inspection, while such audits or inspections shall be conducted during normal working hours.
    39. LayerX may object to an auditor mandated by Customer if the auditor is, in LayerX’s opinion, not suitably qualified or independent, a competitor of LayerX, or otherwise manifestly unsuitable. In the event of such an objection, Customer shall appoint another auditor or conduct the audit itself.
    40. Information may be transferred to third party companies and individuals to facilitate LayerX’s Services, who are located in a country outside of Customer’s jurisdiction. To the extent that an international transfer mechanism is required to be implemented under the Data Protection Legislation, such as in the case that Personal Data is to be Processed in countries that do not provide an adequate level of data protection, as determined by the European Commission or other adequate authority, the applicable module of the SCC shall apply and shall be incorporated herein upon execution of this Agreement by the parties or LayerX shall otherwise ensure that the continuity of protection of Personal Data shall be maintained for any respective onward transfers. With respect to each such data transfer, LayerX shall implement appropriate technical and organizational measures to ensure a level of security, appropriate to the risk, while taking into account the state of the art, costs of implementation and the nature, scope, context and purposes of processing as well as the likelihood of a risk to the rights and freedoms of natural persons.
    41. To the extent that LayerX or Customer are relying on a specific statutory mechanism to normalize international data transfers and that mechanism is subsequently modified, revoked, or held in a court of a competent jurisdiction to be invalid, LayerX and Customer agree to cooperate in good faith to promptly suspend the transfer or to pursue a suitable alternate mechanism that can lawfully support the transfer.

Order of Precedence

With regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Agreement, the provisions of this Addendum shall prevail.

Changes in Data Protection Legislation

If any variation is required to this Addendum as a result of a change in Data Protection Legislation, then either party may provide written notice to the other party of that change of law. The parties shall discuss the change in Data Protection Legislation and negotiate in good faith with a view to agreeing on any necessary variations to this Addendum to address such changes, including any resulting charges.

Severance

Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

 

ANNEX 1: DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA

This Annex 1 includes certain details of the Processing of Customer Personal Data as required by Article 28(3) GDPR.

Subject Matter and Duration of the Processing of Customer’s Personal Data

The subject matter and duration of the Processing of the Customer Personal Data are set out in the Agreement and this Addendum.

The nature and purpose of the Processing of Customer’s Personal Data

LayerX offers a browser extension that enables Customer to secure its systems and platforms. LayerX’s extension enhances data security by analysing web sessions to prevent malicious activities and reduce risks to the Customer’s resources. In the course of providing the Services, LayerX Processes the Customer’s authorized Data Subject’s (“End User”) Personal Data which is considered Customer’s Personal Data under this Addendum.

The types of Customer Personal Data to be Processed

The Customer Personal Data to be Processed are subject to the Customer’s discretion and include by default the following:

  1. Identity Management: Personal Data related to users, groups, organizational units.
  2. Deployment: device IDs, hostnames and account usernames.
  3. Browser Data: browser profile, and user agent data.
  4. Browsing activities: domains accessed, installed extensions, uploaded and downloaded files, user names provided.

In addition to the above, the processing of End User’s Personal Data described below is optional and will be processed only upon the Customer’s request:

  1. Browsed activities: URL params, file name, file path.

The Categories of Data Subject to whom the Customer’s Personal Data Relates

The categories of Data Subjects will be determined by Customer, and such may include Customer’s employees, representatives and end-users.

The Obligations and Rights of Customer

The obligations and rights of Customer are set out in the Agreement and this Addendum.