Data Protection Addendum

1.    Data protection legislation in the EU, the UK and many other territories imposes stringent obligations on organizations which obtain and process data that identifies, or can reasonably be used to identify, an individual ("Personal Data"). "Process" (and inflections thereof) means operations performed upon Personal Data, such as collection, storage, recording, organization, structuring, adaption or alteration, retrieval, use, disclosure, dissemination or otherwise making available, alignment or combination, restriction, transmission, erasure, or destruction.


2.    Personal Data we receive about you or your officers or members of staff, or from you about other individuals, may be processed by us for the purposes of providing Services and/or Products to you (collectively "Services"); sending you newsletters, marketing communications, and other information or materials that may interest you; maintaining our lists of contacts; submitting invoices; detecting, preventing, and responding to actual or potential fraud, illegal activities, or intellectual property infringement; complying with our legal obligations; responding to legal process or requests for information issued by government authorities or other third parties; or protecting your, our, or others’ rights.


3.    We may receive Personal Data relating to you or your organization either directly from you or from third parties, in connection with our engagement with you and for the purposes of us performing our Services. This may occur during the normal course of providing the Services, or prior to our acceptance of instructions, when we are carrying out our due diligence procedures.


4.    We may disclose Personal Data to our third-party service providers that perform Services on our behalf, such as web-hosting companies, mailing vendors, analytics providers, event hosting services, and information technology providers; to law enforcement bodies, other government authorities, or third parties (within or outside the jurisdiction in which you reside) as may be permitted or required by the laws of any jurisdiction that may apply to us; as provided for under contract; or as we deem reasonably necessary to provide the Services. In these circumstances, we take reasonable efforts to notify you before we disclose Personal Data that may reasonably identify you or your organization, unless prior notice is prohibited by applicable law or is not possible or reasonable in the circumstances.


5.    We may also need to disclose Personal Data to service providers, advisors, potential transactional partners, or other third parties in connection with the consideration, negotiation, or completion of a transaction in which we are acquired by or merged with another company or in which we sell, liquidate, or transfer all or a portion of our assets.


6.    We may transfer Personal Data outside of your home country. Where we transfer Personal Data from the EEA, Switzerland, or the UK, we will normally do so on the basis of the model clauses approved by the European Commission for transfers from the EU to territories outside the EU, which may be found at the Commission's website at https://ec.europa.eu, or (as applicable) on the basis of the model clauses approved by the UK Information Commissioner for similar transfers from the UK, which may be found on the Information Commissioner’s website at https://ico.org.uk/


7.    Where required by applicable law, the lawful basis on which we primarily rely to process Personal Data is our legitimate interest in performing such processing as may be necessary to provide the Services as well as the support and related Services referred to above. 


8.    We will provide the same level of protection of Personal Data as required by appliable data protection laws. We deploy administrative, technical, and physical safeguards designed to comply with applicable laws and to safeguard the information that we collect. This includes, when required or appropriate and feasible, obtaining written assurances from third parties that may access Personal Data that they will protect the Personal Data with safeguards designed to provide a level of protection equivalent to that adopted by us. However, no information system can be 100% secure, and so we cannot guarantee the absolute security of Personal Data in our possession. Moreover, we are not responsible for the security of information you transmit to us over networks that we do not control, including the internet and wireless networks.


9.    We retain the Personal Data we collect as long as is reasonably necessary to fulfil the purposes for which we collected the Personal Data and to comply with our legal obligations. 


10.    Individuals have certain rights regarding the Personal Data that we have collected and that is related to them. Where we hold Personal Data in the capacity of a data controller, individuals can ask us to see what Personal Data we hold about them, to correct any data that is inaccurate, and in some cases to erase their Personal Data or object to our use of it, in addition to any other rights conferred on individuals by applicable laws. Individuals may also have the right to complain to their local data protection authority. Our data protection officer can be contacted at dpo@eltemate.com.


11.    We will comply with the following provisions when acting as a data processor on your behalf. The terms used in these provisions shall have the meanings set out in applicable law, including without limitation EU Regulation 2016/679 (GDPR) or the California Consumer Privacy Act (CCPA). The expression “your Personal Data” shall mean Personal Data which is processed by us on your behalf. Details of the processing are set out in the agreements between us, including any relevant order forms. We will:

(a)    process your Personal Data:

(i)    only to the extent necessary for the purposes of providing our Services under the Terms of Service and any other agreements with you, and
(ii)    only in accordance with your written instructions, including those contained in the Terms of Service and any such agreements, and we will inform you in advance of any additional legal requirements that requires us to process your Personal Data in different ways unless such law prohibits us from doing so on important grounds of public interest;

(b)    implement and maintain appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk presented by the processing, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, which shall include (where appropriate in each case):

(i)     the pseudonymization and encryption of Personal Data;
(ii)    measures designed to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
(iii)    measures to restore the availability of, and access to, Personal Data in a timely manner in the event of a physical or technical incident; and
(iv)    a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing,
and in assessing the appropriate level of security account shall be taken in particular of the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed;

(c)    not keep the Personal Data for longer than is necessary for the purposes of processing the Personal Data to perform our obligations under the Terms of Service and any other agreements with you;

(d)    take reasonable steps to ensure the reliability of any of our staff who will have access to the Personal Data, ensuring that any such staff are:

(i)    adequately trained in their duties; and
(ii)    obliged to maintain the confidentiality of your Personal Data (either by the terms of their contract with us or under the terms of any statutory obligation of confidentiality);

(e)    inform you immediately if in our opinion an instruction issued by you infringes any applicable data protection law or if we determine that we can no longer comply with applicable data protection law;

(f)    inform you without undue delay if we become aware of any accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure of or access to your Personal Data, and provide you with all reasonable assistance in investigating and mitigating the impact of any such data breach. We will also provide all reasonable assistance to you in relation to your obligations to provide adequate notifications to the relevant data protection authorities and affected data subjects;

(g)    provide you with reasonable and timely assistance for the purposes of fulfilling your obligations in the event that you receive from a data subject a request to exercise any of his/her rights under applicable data protection law. If we receive from a data subject a request to exercise his/her rights in respect of your Personal Data, we will provide notice of this to you without undue delay;

(h)    reasonably assist you to ensure your compliance with any requirements under applicable data protection laws, such as concerning the conduct of data protection impact assessments or cooperation with the relevant supervisory authority;

(i)    not process any of your Personal Data outside the UK and the EEA, nor transfer any of your Personal Data outside the UK and the EEA, without your written consent (save that where such a transfer is necessarily required by the nature of the Services, your agreement to these Terms of Service will constitute that consent);

(j)    allow your representative (or an auditor you appoint) access to any relevant premises owned or controlled by us upon reasonable notice (and no more frequently than once per year), to inspect the measures, programs and procedures adopted in performance of and in compliance with this Addendum. You will be responsible for all reasonable costs we incur in facilitating the audit. We will also make available to you, at your request, all information reasonably necessary to demonstrate compliance with this Addendum, and we acknowledge that applicable data protection law may afford you the right to take measures to stop or prevent any unauthorized processing of your Personal Data;

(k)    upon the termination of our agreements with you for whatever reason, return to you all Personal Data and all copies of the Personal Data or, at your choice, destroy all copies of the same and certify to you that this has been done, unless we are prevented by any legal or regulatory requirement from destroying or returning all or part of such data, in which event the data will be kept confidential and will not be actively processed for any purpose;

(l)    not subcontract any processing of your Personal Data or otherwise disclose your Personal Data to any third party except as expressly permitted by any agreement with you or otherwise permitted by you in writing. Where such a sub-processor is engaged, we will:

(i)    ensure that we have a written contract in place with the relevant sub-processor which imposes on the sub-processor the same obligations in respect of the processing of your Personal Data as are imposed on us under this Addendum (the "Sub-Processing Contract");
(ii)    remain fully liable to you for our obligations under this Addendum; and
(iii)    provide a copy of the Sub-Processing Contract to you upon request, subject to reasonable confidentiality restrictions that may be applicable. We shall ensure that any confidentiality restrictions in the Sub-Processing Contract do not prevent us showing to you those provisions which demonstrate our compliance with our obligations under this Addendum;

(m)    to the extent the CCPA applies, not: 

(i)    “sell” Personal Data, as “sell” (or a derivative thereof) is defined by the CCPA;
(ii)    “share” Personal Data, as “share” (or a derivative thereof) is defined by the CCPA;
(iii)    process Personal Data in a manner outside of the direct business relationship between our companies; or
(iv)    combine Personal Data with other information that we receive from or on behalf of any other third party or our interactions with individuals, provided that we may so combine Personal Data for a specified business purpose if you direct us to do so or as otherwise permitted by applicable law.

12.    You agree that we may use the following sub-processors:

Sub-Processor Service(s) Description Sub-Processor Hosting Country
       
Epiq eDiscovery Solutions eDiscovery services Provision of data processing and hosting infrastructure and services U.S.
 
Lineal Worldwide Holdings, LLC eDiscovery services Provision of data processing and hosting infrastructure and services U.S.
 
Thomson Reuters (Professional) UK Limited* HighQ Collaborate Online database and project management solution United Kingdom
 
Microsoft Inc.* Azure Cloud service for data hosting Germany
 
OpenAI, L.L.C. ChatGPT Chatbot U.S.
 
Litera Corp.* KIRA Automated contract analysis U.S.
 
Okta, Inc. Auth0 Identity management Germany
 
Twilio, Inc.* Twilio & Sendgrid Messaging services (Email and SMS) U.S.
 
Opus 2 International Inc. Opus2 Online database for litigation management U.S.
 
DeepL SE* DeepL Machine translations Germany
 

* Currently relying on the license of Hogan Lovells to process personal data through this sub-processor.

We will inform you if we wish to add to or change any of these sub-processors.

13.    When we de-identify any Personal Data, we shall:

(a)    ensure, through the implementation of reasonable measures, that de-identified data cannot reasonably be used to infer information about, or otherwise be linked to, a particular natural, human person or a household;

(b)    publicly commit to continue to maintain and use de-identified information in a de-identified form and not to attempt to re-identify the de-identified data, except that we may attempt to re-identify the information solely or the purpose of determining whether its de-identification processes satisfy the requirements of applicable data protection laws;

(c)    contractually obligate any recipients of the de-identified data, including all sub-processors, to comply with applicable data protection laws; and

(d)    remain fully liable any failure by us or our sub-processors to comply with this section 13.

14.    In the event of any conflict between the terms of this Addendum and any other agreement between us, the terms of this Addendum shall prevail unless specifically stated otherwise. 

Date: 7 November 2023