The Data Protection Addendum

This Data Protection Addendum (“Addendum”) forms part of the Service Agreement between (i) Cognitive-Edge Ltd, including its subsidiaries and brands Cognitive Edge Pte Ltd, Cognitive Edge USA Inc, The Cynefin Co and The Cynefin Centre, hereinafter referred to as the “Service Provider” (acting in the capacity of Data Processor, “Processor”), and (ii) you, as a company or natural person that is a “Subscriber” using SenseMaker® software (acting in the capacity of Data Controller, “Controller”).

In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Service Agreement. Except where the context requires otherwise, references in this Addendum to the Service Agreement are to the Service Agreement as amended by, and including, this Addendum.

Purpose
The Controller wishes to use SenseMaker® software provided by Cognitive-Edge Ltd, which may require the processing of personal data. The Processor is the chosen Service Provider (Cognitive-Edge Ltd) and processes that data under the current data protection legal framework. Consequently, the parties seek to implement a supplementary data processing agreement, expressly incorporated into the Service Agreement, that complies with the obligations set out in the General Data Protection Regulation 2016/679 and the UK's Data Protection Act 2018 (collectively the “GDPR”).

Agreed Terms and Conditions
Interpretation and Definitions
1.1. Clause, Paragraph and Annex headings must not affect the interpretation of this agreement.

1.2. Unless the context otherwise requires, words in the singular must include the plural and, in the plural include the singular.

1.3. Unless otherwise defined, the following terms must have the following meaning:
GDPR: means the General Data Protection Regulation 2016/679 and the UK's Data Protection Act 2018, subject to which jurisdiction applies;
Personal Data: means the personal data disclosed to the Processor by or on behalf of the Controller;
Data Subject: means an individual that is the subject of any of the Personal Data;
DPA: means this Data Processing Addendum and all Schedules;
Service Agreement: means the primary agreement between the Controller and Processor;
Supervisory Authority: means any relevant independent public authority responsible for monitoring the implementation of the GDPR;
Sub-Processor: means any Data Processor engaged by the Processor;
EU Model Clauses: means the standard contractual clauses implemented by the European Commission in its Implementing Decision (EU) 2021/91 of 4 June 2021, or the UK international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers (Addendum) issued 22 March 2022 under Section 119A of the Data Protection Act 2018 (UK).

1.4. In the event of conflict between the definitions used in this DPA and those provided under the GDPR, definitions provided in the GDPR must prevail in respect of such conflict.

Obligations of the Controller
1.5. The Controller is a Data Controller of Personal Data under the GDPR.

1.6. The Controller is responsible for compliance with all applicable data protection legislation with respect to Personal Data, its statutory duties as Data Controller and the transfer of Personal Data.

1.7. The Controller agrees to ensure that any natural person who acts on behalf of the Controller and has access to Personal Data processes Personal Data only in accordance with the written instructions of the Controller.

1.8. The Controller accepts and agrees that some instructions to the Processor, including destruction or return of data, assisting with audits, inspections or DPIAs by the Processor, can result in additional fees. In such circumstances, the Processor is to notify the Controller of its fees in advance.

1.9. The Controller accepts and agrees that the technical and organisational measures mentioned in this DPA are subject to development and review, which can result in additional fees. In such circumstances, the Processor is to notify the Controller of its fees in advance.

Obligations of the Processor
1.10. The Processor must process the Personal Data supplied by the Controller in accordance with the written instructions of the Controller.

1.11. The Processor must comply with all applicable Data Protection Laws and the GDPR when processing Personal Data, and must notify the Controller of any potential or actual risk of, or breach of, applicable data protection law resulting from the processing activities.

1.12. The Processor agrees to assist the Controller when a data protection impact assessment has identified a high risk for the processing of Personal Data and a consultation with the relevant Supervisory Authority is necessary, before processing the Personal Data in question.

1.13. The Processor must ensure that the Personal Data is always treated as confidential and that any employee, agent or contractor who may have access to the Personal Data is subject to legally binding written obligations of confidentiality, which must in each case survive termination of their employment, contract or assignment.

1.14. The Processor must ensure that appropriate technical and organisational measures against unauthorised or unlawful processing of the Personal Data, and against accidental loss or destruction of or damage to the Personal Data are implemented.

1.15. The Controller agrees that Cognitive Edge may use sub-processors to fulfil its contractual obligations under this DPA or to provide certain services on its behalf, such as data storage, support services, analytical services and technical maintenance. (i) Cognitive Edge will enter into a written agreement with the sub-processor; (ii) to the extent that the sub-processor is performing the same data processing services that are being provided by Cognitive Edge under this DPA, Cognitive Edge will impose on the sub-processor the same contractual obligations that Cognitive Edge has under this DPA; and (iii) Cognitive Edge will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the sub-processors that cause Cognitive Edge to breach any of Cognitive Edge’s obligations under this DPA.

1.16. Cognitive Edge’s current data sub-processors are:
Amazon Web Services – US, EU (Ireland), UK, Canada, Singapore, or Australia (virtual server location as chosen by the client [Controller])
ICatalyst Pte LTD (Singapore)
Korora LTD (UK)

1.17. The Processor will not transfer Personal Data outside of the European Economic Area and the UK unless it has taken the necessary measures to ensure that the transfer complies with the applicable data protection law. These measures may include transferring the relevant data to a recipient in a country that the European Commission or the UK has decided provides adequate protection for personal data, or to a recipient that has executed EU Model Clauses (SCCs) adopted or approved by the European Commission or, in the case of the United Kingdom’s jurisdiction, the ICO.

1.18. The Processor agrees to return or delete all personal data processed, stored and received within 10 days upon the termination of services.

1.19. The Processor agrees to allow the Controller to conduct audits, including inspections, by the Controller or an authorised representative, and confirms that it will make available, at the Controller's request, all information necessary to demonstrate compliance with this DPA.

1.20. The Processor agrees to assist the Controller by implementing appropriate technical and organisational measures to respond to requests concerning the exercise of Data Subject rights.

1.21. The Processor agrees to assist the Controller by implementing appropriate technical and organisational measures to secure, store, protect and lawfully process Personal Data.

Notification of Data Breach
The Processor must notify the Controller within 24 hours of discovering any accidental or unlawful destruction, loss, alteration or unauthorized disclosure or access of any Personal Data.

5. Security
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall, in relation to the Personal Data, implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
4.2 In assessing the appropriate level of security, the Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

6. Confidentiality
The parties agree to keep this Agreement and information received about the other Party in connection with this Agreement confidential. Unless a lawful reason permits otherwise, neither Party may use or disclose any such information without the prior written consent of the other Party.

7. Notices
All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this Agreement, or to such other address as notified from time to time by a Party changing its address.

Governing Law and Jurisdiction
1.22. This Agreement is governed by the laws of England and Wales.

1.23. Any dispute arising in connection with this Agreement must first be resolved amicably, followed by extrajudicial or Alternative Dispute Resolution processes.

1.24. Any dispute that cannot be resolved through extrajudicial or Alternative Dispute Resolution processes must be submitted to the exclusive jurisdiction of the courts of England and Wales.

This Agreement is entered into with effect from the commencement of the subscription to the service.

Schedule 1
Subprocessors

The Subscriber approves Service Provider’s use of the following Subprocessors for the potential processing of Personal Information:
Amazon Web Services – EU, UK, CA, ANZ, or USA virtual server as chosen by the Subscriber (data storage)
ICatalyst Pte LTD (Singapore) – provides technical support, account creation, login and user administration for the SenseMaker® platform
Cognitive Edge PTE LTD (Singapore) – provides technical support, account creation, login and user administration for the SenseMaker® platform
Korora LTD (UK) – provides analytic support

Schedule 2
Minimum Technical and Organizational Measures

A. Service Provider has implemented and will maintain reasonable and appropriate technical and organizational measures to protect Personal Information against accidental loss, destruction or alteration, unauthorized disclosure or access, or unlawful destruction, including the policies, procedures and internal controls set forth in this Schedule 2.

B. More specifically, Service Provider’s security program shall include, at a minimum:
Access Control of Processing Areas
Service Provider has implemented and will maintain reasonable and appropriate measures to prevent unauthorized access to the data processing equipment (namely telephones, database and application servers, and related hardware) where Personal Information is processed or used, including:

  • establishing security areas and physical controls;
  • protection and restriction of access paths;
  • establishing access authorizations for employees and third parties, including the respective documentation;
  • all access to the data center where Personal Information is hosted is logged, monitored, and tracked; and
  • the data center where Personal Information is hosted is secured by a security alarm system and other appropriate security measures.

Access Control to Data Processing Systems
Service Provider has implemented and will maintain reasonable and appropriate measures to prevent data processing systems where Personal Information is processed and used from being used by unauthorized persons, including:

  • use of industry best-practice encryption technologies, including for data at rest and in transit;
  • identification of the terminal and/or the terminal user to Service Provider and processing systems;
  • automatic temporary lock-out of user terminal if left idle, identification and password required to reopen;
  • automatic temporary lock-out of the user ID when several erroneous passwords are entered, a log file of events, and monitoring of break-in attempts (alerts); and
  • all access to data content is logged, monitored, and tracked.

Access Control to Use Specific Areas of Data Processing Systems
Service Provider commits that the persons entitled to use their data processing system are only able to access the data within the scope and to the extent covered by their respective access permission (authorization) and that Personal Information cannot be read, copied or modified or removed without authorization. This shall be accomplished by various measures including:

  • employee policies and training in respect of each employee’s access rights to the Personal Information;
  • allocation of individual terminals and/or terminal users, and identification characteristics exclusive to specific functions;
  • monitoring capability in respect of individuals who delete, add, or modify the Personal Information;
  • release of data only to authorized persons, including allocation of differentiated access rights and roles;
  • use of industry standard encryption technologies, including for data at rest and in transit; and
  • control of files, controlled and documented destruction of data.

Availability Control
Service Provider has implemented and will maintain reasonable and appropriate measures to ensure that Personal Information is protected from accidental destruction or loss, including:

  • infrastructure redundancy; and
  • backup is stored at an alternative site and available for restore in case of failure of the primary system.

Transmission Control
Service Provider has implemented and will maintain reasonable and appropriate measures to prevent Personal Information from being read, copied, altered, or deleted by unauthorized parties during the transmission thereof or during the transport of the data media. This is accomplished by various measures including:

  • use of industry standard firewall, VPN, and encryption technologies to protect the gateways and pipelines through which the data travels;
  • highly confidential employee data is encrypted within the system;
  • providing user alert upon incomplete transfer of data (end to end check); and
  • as far as possible, all data transmissions are logged, monitored, and tracked.

Input Control
Service Provider has implemented and will maintain reasonable and appropriate input control measures, including:

  • an authorization policy for the input, reading, alteration, and deletion of data;
  • authentication of the authorized personnel;
  • protective measures for the data input into memory, as well as for the reading, alteration, and deletion of stored data;
  • utilization of unique authentication credentials or codes (passwords);
  • providing that entries to data processing facilities (the rooms housing the computer hardware and related equipment) are kept locked;
  • automatic log-off of user IDs that have not been used for a substantial period of time;
  • proof established within Service Provider’s organization of the input authorization; and
  • electronic recording of entries.

Separation of Processing for Different Purposes
Service Provider has implemented and will maintain reasonable and appropriate measures to ensure that data collected for different purposes can be processed separately, including:

  • access to data is separated through application security for the appropriate users;
  • modules within Service Provider’s database separate which data is used for which purpose, i.e. by functionality and function;
  • at the database level, data is stored in different normalized tables, separated per module, or function they support; and
  • interfaces, batch processes and reports are designed for only specific purposes and functions, so data collected for specific purposes is processed separately.

Documentation
Service Provider will keep documentation of technical and organizational measures in case of audits and for the conservation of evidence. Service Provider will ensure that persons employed by it, and other persons at the place of work concerned, are aware of and comply with the technical and organizational measures set forth in this Schedule 2.

Monitoring
Service Provider has implemented and will maintain reasonable and appropriate measures to monitor access restrictions to Service Provider’s system administrators and to ensure that they act in accordance with instructions received. This is accomplished by various measures including:

  • individual appointment of system administrators;
  • adoption of commercially reasonable and appropriate measures to register system administrators' access logs to the infrastructure and keep them secure, accurate, and unmodified for at least six months;
  • yearly audits of system administrators’ activity to assess compliance with assigned tasks, the instructions received by Service Provider, and Applicable Data Protection Law; and
  • keeping an updated list with system administrators’ identification details (e.g. name, surname, function or organizational area) and tasks assigned and providing it promptly to data exporter upon request.

Limits on Retention/Destruction
Service Provider will destroy or dispose of records containing Personal Information when there no longer exists any lawful basis for processing. Service Provider has implemented and will maintain reasonable and appropriate measures to securely destroy all Personal Information consistent with Applicable Data Protection Law. Methods of performing these actions may include the use of a third-party disk scrubbing utility or destruction of the drive, such as by degaussing, shredding, or other means of physically destroying data through specialized equipment and services.


Cognitive Edge Ltd. & Cognitive Edge Pte. trading as The Cynefin Company and The Cynefin Centre.

© COPYRIGHT 2024
