Personal Data Processing Terms
Recitals
(A) The Customer and Expana entered into an Order Form for the provision of Expana services pursuant to Terms and Conditions of Service (“Agreement”) that may require Expana to process Personal Data provided by or collected for the Customer.
(B) These Data Processing Terms (“Data Processing Terms”) set out the additional terms, requirements, and conditions on which Expana will obtain, handle, process, disclose, transfer, or store Personal Data when providing services under the Agreement.
(C) In consideration of the mutual covenants and agreements hereinafter set forth and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties hereto agree as follows:
1. Definitions and Interpretation
1.1 Definitions:
“Applicable Data Protection Laws” means all applicable laws and regulations relating to the processing, protection, or privacy of the Personal Data, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction where these have force of law. This includes, but is not limited to, each to the extent applicable: (i) the California Consumer Privacy Act, as amended by the California Privacy Rights Act of 2020 (“CCPA”) and its implementing regulations, and other United States state data protection and privacy laws and regulations similar to or modelled on the California Privacy Law, including the Virginia Consumer Data Protection Act, the Colorado Privacy Act and related regulations, the Utah Consumer Privacy Act, and the Connecticut Act Concerning Personal Data Privacy and Online Monitoring; (ii) the General Data Protection Regulation, Regulation (EU) 2016/679 (“EU GDPR”) and the UK GDPR (collectively, “GDPR”); (iii) the Swiss Federal Act on Data Protection; (iv) the UK Data Protection Act 2018; (v) the Privacy and Electronic Communications (EC Directive) Regulations 2003; and (vi) the Singapore Personal Data Protection Act (“PDPA”); in each case, as updated, amended or replaced from time to time.
“Business Purpose” means the services described in the Agreement, including for providing the Services (as defined within the Agreement), associated support services, and for the direct business relationship between the Customer and Expana.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
“ExpanaIQ” means Expana’s artificial intelligence services made available to customers via the Expana SaaS platform from time to time (further details are available at https://www.expanamarkets.com/why-expana/expana-iq/).
“Data Subject” means an individual who is the subject of the Personal Data and to whom or about whom the Personal Data relates or identifies, directly or indirectly.
“Order Form” has the meaning in the Agreement.
“Personal Data” means any information provided by or on behalf of the Customer that Expana processes for the Customer for the Business Purpose that (i) identifies or relates to an individual who can be identified directly or indirectly from that data alone or in combination with other information in Expana’s possession or control or that Expana is likely to have access to, or (ii) the relevant Applicable Data Protection Laws otherwise define as protected personal data. The Customer’s Personal Data and the specific uses of the Customer’s Personal Data processed by Expana on behalf of the Customer are detailed in Annex A attached hereto.
“Processing, processes, and process” means any activity that involves the use of Personal Data, or as the relevant Applicable Data Protection Laws may otherwise define the terms processing, processes, or process. It includes obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data including organizing, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transferring Personal Data to third parties.
“Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of Customer.
“Security Breach” means any act or omission that compromises the security, confidentiality, integrity, or availability of Personal Data or that compromises the physical, technical, administrative, or organizational safeguards put in place to protect it. The loss of or unauthorized access to, disclosure, or acquisition of Personal Data is a Security Breach. For the avoidance of doubt, Security Breaches will not include immaterial unsuccessful attempts to, or activities that do not, compromise the security of Personal Data including, without limitation, unsuccessful login attempts, denial of service attacks and other attacks on firewalls or networked systems, and no notice of the foregoing shall be required.
“Services” has the meaning as set out in the Agreement.
“Standard Contractual Clauses” means the UK SCCs and/or EU SCCs, as applicable.
“UK SCCs” means the International Data Transfer Addendum to the EU SCCs, issued by the ICO under s119A(1) of the Data Protection Act 2018, version B1.0, and any updates or replacements as may be issued by the ICO from time to time in accordance with s119A(1).
“EU SCCs” means the EU standard contractual clauses set out in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries, as amended or replaced from time to time by a competent authority under the relevant Data Privacy Laws (available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj).
“Third Party(ies)” means Expana’s authorized contractors, agents, vendors and third party service providers that Process Personal Data.
1.2 These Data Processing Terms and any executed Standard Contractual Clauses are subject to the terms of the Agreement and are incorporated into the Agreement. Interpretations and defined terms set forth in the Agreement apply to the interpretation of these Data Processing Terms.
1.3 A reference to writing or written includes email but not faxes.
1.4 In the case of conflict or ambiguity between:
(a) the terms of any accompanying invoice or other documents annexed to these Data Processing Terms and any provision contained in the Annexes, the provision contained in the Annexes will prevail;
(b) any of the provisions of these Data Processing Terms and the provisions of the Agreement, the provisions of these Data Processing Terms will prevail; and
(c) any of the provisions of these Data Processing Terms and any executed Standard Contractual Clauses, the provisions of the executed Standard Contractual Clauses will prevail.
2. Personal Data Types and Processing Purposes
2.1 The Parties acknowledge that, except as set out below, for the purpose of any Applicable Data Protection Laws, the Customer is the Controller (or, where the Customer acts as a Processor on behalf of any third party controller, Customer is a Processor and Expana acts as Customer’s Sub-Processor) and Expana is the Processor, in each case, of Expana’s processing of Personal Data described in Annex A to the extent processed for the purposes described therein.
2.2 The Customer retains control of the Personal Data and remains responsible for its compliance obligations under the Applicable Data Protection Laws, including providing any required notices and obtaining any required consents, and for the documented processing instructions it gives to Expana.
2.3 To the extent that Expana Processes Personal Data as an independent controller e.g. for (i) service security, logging, fraud detection, or (ii) compliance with law, Expana shall process Personal Data as a Controller in accordance with its privacy policy (available at www.expanamarkets.com/legal).
3. Obligations of the parties
3.1 Unless obligated to do otherwise by applicable law, and to the extent Expana is a Processor: (i) Expana will only process the Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer’s documented instructions in accordance with Applicable Data Protection Laws; and (ii) Expana will not process the Personal Data for any other purpose or in a way that does not comply with these Data Processing Terms or the Applicable Data Protection Laws. Expana must without undue delay notify the Customer if, in its opinion, the Customer’s instruction would not comply with the Applicable Data Protection Laws.
3.2 Customer warrants it has undertaken due diligence in relation to Expana’s processing operations, and it is satisfied that Expana’s processing operations are suitable for the purposes for which the Customer proposes to use the Services and engage Expana to process Personal Data. The Customer is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to Expana by or on behalf of Customer, (ii) the means by which the Customer acquired the Personal Data, and (iii) the instructions it provides to Expana. Customer shall not provide or make available to Expana any Personal Data in violation of either these Data Processing Terms, the Agreement, or the Applicable Data Protection Laws.
3.3 Expana must promptly comply with any Customer request or instruction requiring Expana to amend, transfer, or delete the Personal Data, or to stop, mitigate, or remedy any unauthorized processing.
3.4 Expana will maintain the confidentiality of all Personal Data and will not disclose Personal Data to third parties unless the Customer or these Data Processing Terms specifically authorizes the disclosure, or as required by law. If a law requires Expana to process or disclose Personal Data, Expana must first inform the Customer of the legal requirement and give the Customer a reasonable opportunity to object or challenge the requirement, unless the law prohibits such notice.
3.5 At the Customer’s cost, Expana will reasonably assist the Customer with meeting the Customer’s compliance obligations under the Applicable Data Protection Laws, while also considering the nature of Expana’s processing and the information available to Expana.
3.6 To the extent that it becomes aware, Expana shall promptly notify the Customer of any changes to Applicable Data Protection Laws, or its ability to meet those obligations, that may adversely affect Expana’s performance of the Agreement. If any such change to Applicable Data Protection Laws requires any modification to these Data Processing Terms or the processing of Personal Data, the parties shall work together in good faith to promptly amend these Data Processing Terms as necessary to ensure continued compliance. If the parties are unable to agree on such amendment within 30 days, either party may terminate the affected processing activities upon written notice.
3.7 Expana shall, upon written request and to the extent reasonably possible, assist the Customer in conducting Data Protection Impact Assessments (“DPIAs”), and prior consultations with supervisory authorities, as required under Applicable Data Protection Laws. Such assistance shall include providing relevant documentation, system descriptions, and security measures, and facilitating access to personnel knowledgeable about the processing operations.
3.8 Where Expana uses artificial intelligence technologies, including but not limited to ExpanaIQ, in the processing of Personal Data, Expana shall ensure that such processing does not involve automated decision-making or profiling that produces legal effects or similarly significant impacts on Data Subjects, unless explicitly authorized by the Customer and compliant with Applicable Data Protection Laws.
4. Provider's Employees
4.1 Expana will ensure that all employees who have access to or are involved in processing Personal Data are informed of the Personal Data’s confidential nature and use restrictions and are obliged to keep the Personal Data confidential.
5. Security
5.1 Expana must at all times implement appropriate technical and organizational measures designed to safeguard Personal Data against unauthorized or unlawful processing, access, copying, modification, storage, reproduction, display, or distribution, and against accidental loss, unavailability, destruction, or damage, as further set out in Annex A and at trust.expanamarkets.com. Expana is entitled to amend such technical and organizational measures at any time in its sole discretion provided that the overall level of protection is not materially reduced. Expana shall maintain an information security management system aligned to, as a minimum, ISO27001 (or successor framework) and provide evidence upon request.
6. Security Breach and Personal Data Loss
6.1 Either party will, without undue delay (and in any event within 48 hours of becoming aware) notify the other party if it becomes aware of:
(a) any unauthorized or unlawful processing of the Personal Data; or
(b) any Security Breach.
6.2 The notification shall include:
(a) A description of the nature of the breach, including the categories and approximate number of affected Data Subjects and records.
(b) The likely consequences of the breach.
(c) Measures taken or proposed to address the breach and mitigate its possible adverse effects.
(d) Contact details of the Data Protection Officer or relevant contact point.
6.3 Upon becoming aware of a Security Breach, Expana shall take such steps as in its sole discretion deems necessary and reasonable to remediate such violation (to the extent that remediation is within Expana’s reasonable control).
6.4 In the event of a Security Breach, Expana shall, taking into account the nature of the processing and the availability of the information, provide Customer with reasonable cooperation and assistance where necessary and where required by the Applicable Data Protection Laws for Customer to comply with its obligations to notify (i) the relevant supervisory authority and (ii) Data Subjects affected by such Security Breach without undue delay.
6.5 The obligations described above shall not apply in the event that a Security Breach results from the actions or omissions of Customer and Expana is not required to fulfil those obligations under Applicable Data Protection Laws. Expana’s obligation to report or respond to a Security Breach above will not be construed as an acknowledgement or admission by Expana of any fault or liability with respect to the Security Breach.
7. Cross-Border Transfers of Personal Data
7.1 Cross-border transfers of Personal Data. Customer authorizes Expana and its Third Parties to transfer Personal Data across international borders, including but not limited to from the European Economic Area (the “EEA”), the United Kingdom, and Switzerland to and from the United States. Expana may transfer Personal Data internationally using appropriate safeguards as identified below, together with other lawful mechanisms. Expana and the Customer agree to use the Standard Contractual Clauses as the adequacy mechanism supporting the transfer and Processing of Personal Data between them, as further detailed below. If any valid transfer mechanism referenced in these Data Processing Terms is replaced, updated or invalidated, Expana may implement an alternative valid mechanism and will notify the Customer in advance.
7.2 EU SCCs. For transfers between the parties of Personal Data subject to the EU GDPR to a recipient that, under the EU GDPR, is located in a country that is an inadequate third country for the purposes of the EU GDPR (“Inadequate Country”), the EU SCCs will apply and are deemed incorporated into these Data Processing Terms. For purposes of these Data Processing Terms, the EU SCCs will apply as set forth in this clause 2. Annex B to these Data Processing Terms sets out the relevant details required for the SCCs. The following details shall apply:
(a) Modules 2 and 3 (and Module 1 or 4, where applicable) will apply.
(b) Under Annex 1 of the EU SCCs, the “data exporter” is the party incorporated in a country that is not an Inadequate Country and the “data importer” is the party incorporated in an Inadequate Country. For the purposes of Annex 2 of the EU SCCs, the technical and organizational measures implemented by the data importer are those listed in clause 5 of these Data Processing Terms or, to the extent the data importer is the Customer, such measures notified to Expana by Customer from time to time (where Customer shall ensure such measures comply with Applicable Data Protection Laws). If neither party is incorporated in an Inadequate Country, the EU SCCs shall not apply.
(c) Clause 7 of the EU SCCs will not apply.
(d) For clause 9 of the EU SCCs, this will not apply in relation to Module 4 and in all other cases the Parties choose Option 2 and the Parties agree that the time period for prior notice of Third Party changes will be as set forth in clause 8.3 of these Data Processing Terms.
(e) For clause 11 of the EU SCCs, the optional language will not apply.
(f) For clause 13 of the EU SCCs, this will not apply in relation to Module 4.
(g) For clause 17 of the EU SCCs, the Parties choose Option 1 and the Parties agree that the governing law will be the Republic of Ireland.
(h) For clause 18 of the EU SCCs, the Parties agree that the courts of the Republic of Ireland will apply for subsection (b).
7.3 UK SCCs. For transfers between the parties of Personal Data subject to the UK GDPR to a recipient that, under the UK GDPR, is located in a country that is an inadequate third country for the purposes of the UK GDPR, the UK SCCs shall be deemed incorporated into these Data Processing Terms, where applicable, and Tables 1 to 4 inclusive shall be deemed completed by reference to the EU SCC Annexes to these Data Processing Terms and the EU SCC options selected in clause 2. If neither party is incorporated in an inadequate third country for the purposes of the UK GDPR, the UK SCCs shall not apply.
7.4 Each party’s signature or adherence to these Data Processing Terms shall be considered a signature or adherence to the Standard Contractual Clauses where applicable. If required by the laws or regulatory procedures of any jurisdiction, the parties shall execute or re-execute the Standard Contractual Clauses as separate documents. In case of conflict between the Standard Contractual Clauses and these Data Processing Terms, the Standard Contractual Clauses will prevail.
7.5 Switzerland Transfers. For transfers of Personal Data subject to the FADP to a recipient outside of Switzerland that are subject to clause 1 of these Data Processing Terms, the EU SCCs will apply and will be deemed to have the differences set forth in this clause 1.4, to the extent required by the Swiss Federal Act on Data Protection (“FADP”). References to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR. The term “member state” in the EU SCCs shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs. References to personal data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope. Under Annex I(C) of the EU SCCs (Competent supervisory authority): where the transfer is subject exclusively to the FADP and not the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner, and where the transfer is subject to both the FADP and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the FADP, and the supervisory authority is as set forth in the EU SCCs insofar as the transfer is governed by the GDPR.
7.6 US State Privacy. To the extent Expana acts as a service provider or a processor under applicable US state privacy laws, Expana shall:
(a) retain, use, Process and disclose the Personal Data only for the Business Purpose;
(b) not sell or share Personal Data outside of the Expana group of companies;
(c) not Process Personal Data for cross-context behavioural advertising;
(d) not combine Personal Data with other data except as permitted for the Business Purpose. Where Expana receives de-identified information, Expana shall maintain and use such information in de-identified form and shall not attempt to re-identify except as necessary to validate de-identification purposes or otherwise as permitted by Applicable Data Protection Laws;
(e) assist the Customer in responding to any consumer rights requests; and
(f) notify the Customer if it determines it can no longer meet its obligations and shall co-operate to remediate or cease processing.
7.7 Singapore PDPA. For transfers of Personal Data from Singapore, Expana shall ensure “comparable protection” under the PDPA s.26 and 2021 Regulations using legally enforceable contractual clauses (which may be based on PDPC/ASEAN model clauses), or binding intra‑group rules meeting PDPA requirements, or other mechanisms recognised under PDPA (including APEC CBPR/PRP where applicable).
8. Third Parties
8.1 Customer hereby provides a general authorization for (i) Expana to engage Third Parties and (ii) Third Parties to engage sub processors.
8.2 Expana and Third Party Compliance. Expana agrees to (i) enter into a written agreement with Third Parties regarding such Third Parties’ Processing of Personal Data that imposes on such Third Parties (and their sub processors) data protection and security requirements for Personal Data that are materially equivalent to the obligations in these Data Processing Terms that correspond to mandatory terms required under Applicable Data Protection Laws; and (ii) remain responsible to Customer for Expana’s Third Parties’ (and their sub processors if applicable) failure to perform their obligations with respect to the processing of Personal Data described in these Data Processing Terms.
8.3 Right to Object to Third Parties. Expana’s list of Third Parties that Process Personal Data is available at trust.expanamarkets.com. The Customer may subscribe to updates to changes to Expana’s list of Third Party sub processors. The Customer shall have thirty (30) days to object to any such new Third Party sub processors. If Customer has legitimate objections to the appointment of any new Third Party relating to its compliance with Applicable Data Protection Laws, the parties will work together in good faith to resolve the grounds for the objection for no less than thirty (30) days, and failing any such resolution, Expana shall have the option, in its sole discretion to: (i) terminate the part of the service performed under the Agreement that cannot be performed without use of the objectionable Third Party and to provide a reasonable fee adjustment to the Customer or (ii) source an alternative Third Party.
8.4 Complaints and Data Subject Rights Requests
8.5 Expana must notify the Customer without undue delay (and in any event within 3 business days following receipt) if it receives any complaint, notice, or communication that relates directly or indirectly to the processing of the Personal Data in its capacity as a Processor or to either party’s compliance with the Applicable Data Protection Laws in connection with these Data Processing Terms, or if it receives a request from a Data Subject for access to their Personal Data or other request to exercise one of the Data Subject’s personal data rights.
8.6 Expana will provide to the Customer reasonable co-operation and assistance in responding to any complaint, notice, communication, or Data Subject request.
9. Term and Termination
9.1 These Data Processing Terms will remain in full force and effect so long as:
(a) the Agreement or a relevant Order Form (as defined within the Agreement) remains in effect; or
(b) Expana retains any Personal Data related to the Agreement for which it is Customer’s Processor in its possession or control (the “Term”).
9.2 Any provision of these Data Processing Terms that expressly or by implication should come into or continue in force on or after termination of the Agreement in order to protect Personal Data will remain in full force and effect.
10. Data Return and Destruction
10.1 Expana shall retain Personal Data only for as long as necessary to fulfil the Business Purpose. Upon expiry of the applicable retention period, Expana shall either securely delete, return or anonymize the Personal Data, unless otherwise required by law to retain it.
10.2 At the Customer’s written request or promptly following termination or expiry of the applicable Services, Expana will securely destroy or, if directed in writing by the Customer, return and not retain, the Personal Data for which it is Customer’s Processor provided pursuant to the Agreement in its possession or control, except for one copy that it may retain and use for a reasonable time period for audit and archival purposes as permitted or required by Applicable Data Protection Laws. Any such retention shall be access-restricted, encrypted, and retained only for the minimum period required by Expana, and deleted thereafter.
10.3 If any law, regulation, or government, or regulatory body requires Expana to retain any documents or materials that Expana would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents or materials that it must retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends.
11. Records and Audit
11.1 Taking into account the nature of the Processing and the information available to Expana, Expana shall provide reasonable assistance in response to enquiries from the Customer or a competent regulator relating to Expana’s Processing of Personal Data in accordance with Applicable Data Protection Laws.
11.2 Expana shall, upon written request from the Customer, provide the Customer with information necessary to demonstrate compliance with its obligations set forth in these Data Processing Terms. This information shall consist of permitting examination of the most recent reports, certificates and/or extracts prepared by an independent auditor pursuant to Expana’s ISO27001 or similarly-held industry certification. In the event that the information provided is insufficient to demonstrate compliance, Expana shall permit the Customer to inspect Expana’s technical and organizational measures for the purposes of monitoring compliance with Expana’s obligations under these Data Processing Terms. Expana shall be permitted to contribute to such audit and any inspection conducted by the Customer or a third party independent contractor.
11.3 Any audits described in this clause 11 shall be:
(a) conducted by Customer or its regulator, or through a third party independent contractor selected by one of these parties, and to whom Expana does not reasonably object;
(b) conducted during reasonable times;
(c) conducted upon reasonable advance notice to Expana;
(d) limited to no more than once per any twelve (12) calendar month period, except (i) if required by a competent regulator; or (ii) requested within one month of a Security Breach;
(e) of reasonable duration and scope and shall not unreasonably interfere with Expana’s day-to-day operations; and
(f) conducted in such a manner that does not violate any agreement between Expana and its service providers, including but not limited to cloud providers, or violate or cause Expana to violate its reasonable policies related to security and confidentiality.
11.4 Third Parties. In the event that Customer conducts an audit through a third party independent auditor or a third party accompanies Customer or participates in such audit, such third party shall be required to enter into a non-disclosure agreement containing confidentiality terms acceptable to Expana to protect Expana’s and Expana’s customers’ confidential and proprietary information. For the avoidance of doubt, regulators shall not be required to enter into a non-disclosure agreement. Any audit conducted under this clause 11 shall not be conducted by a third party who is a competitor to Expana or provides services to a competitor of Expana.
11.5 Audit Results. Upon Expana’s request, after conducting an audit, Customer shall notify Expana of the manner in which Expana does not comply with any of the applicable security, confidentiality or privacy obligations or Applicable Data Protection Laws herein. Upon such notice, Expana shall make any necessary changes to ensure compliance with such obligations at its own expense and without unreasonable delay and shall notify Customer when such changes are complete. To the extent that a Customer audit identifies any material security vulnerabilities, Expana shall promptly remediate those vulnerabilities.
12. Warranties
12.1 The Customer warrants and represents that Expana’s expected use of the Personal Data for the Business Purpose and as specifically instructed by the Customer will comply with all Applicable Data Protection Laws.
13. Liability
13.1 Any limitation of liability set forth in the Agreement shall apply to these Data Processing Terms, save where such limitation is not permitted by Applicable Data Protection Laws.
14. Notice
14.1 Any notice or other communication given to a party under or in connection with these Data Processing Terms must be in writing and delivered to:
(a) For the Customer: the individual and/or email specified in the Order Form;
(b) For Expana: [email protected]
14.2 Details of Expana’s Data Protection Officer are available upon request.
14.3 Clause 1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.
Annex A: Description of Processing
| Category | Description |
|---|---|
| 1.1 Subject Matter of Processing | The subject matter of Processing is the Services pursuant to the Agreement, specifically the provision and use of Expana’s market intelligence SaaS applications and related support services. |
| 1.2 Duration of Processing | The Processing will continue until the expiration or termination of the Agreement and any applicable Order Form, and as long as Expana retains Personal Data in accordance with the Data Processing Terms. |
| 1.3 Categories of Data Subjects | Includes the following: · Prospects, customers, business partners and vendors of Customer (who are natural persons); · Employees or contact persons of Customer’s prospects, customers, business partners and vendors; · Employees, agents, advisors, freelancers of Customer (who are natural persons); and · Users of the Expana SaaS platforms as designated by the Customer. |
| 1.4 Nature and Purpose of Processing | Includes the following: · Collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of Personal Data; and · The purpose of Processing is the performance of the Services pursuant to the Agreement, including support, maintenance, analytics, and security monitoring. |
| 1.5 Types of Personal Data | Personal Data includes, but is not limited to: · first and last names; · title; · position; · employer; · contact information (including business email addresses, company, phone numbers); · IP addresses; · mobile device IDs; · geolocation; · user interaction with Expana’s services; · usage logs; · user support ticket submissions and interactions with the Expana support team; · user chats with ExpanaIQ; and · any other Personal Data uploaded by the Customer or a Customer’s employee to the Expana Services. |
| 1.6 Special Categories of Data | Not anticipated. |
| 1.7 Frequency of Processing | Continuous, as determined by Customer’s use of the Services. |
| 1.8 Sub processors | As set out at trust.expanamarkets.com. |
| 2.0 Technical and organizational measures | Such measures shall be designed to include, as a minimum: · Cyber security: AES256 encryption at rest, TLS 1.2 in transit. Firewalls, malware scans and anti-virus protection used. · Appropriate disposal: Disposal of paperwork via shredding. Personal data typically deleted promptly following termination of contract. · Passwords: User access provisioning via IT admins only. SSO enforced wherever possible. Password strength and complexity is enforced. · Access rights: access to databases containing personal data is granted on a role-based policy. No blanket access to all employees. · Information security policies (e.g. anti-malware, backup, clear desk, cloud services, data retention, email, information classification, media disposal, mobile device policy, network security, removable media, acceptable use policy, teleworking). · Business continuity plan: in place. · Risk assessments: undertaken by DPO, IT and CISO teams on a regular basis. · Awareness & training: regular and ongoing training given to all employees. · Reviews & audits: controls and audits in place to evaluate effectiveness. Internal compliance tracking. The measures above are further detailed at trust.expanamarkets.com. Expana shall not materially reduce the protection without prior notice. |
Annex B: SCC Details
| Section | Details |
|---|---|
| Annex I – List of Parties | · Data Exporter: Customer or Expana (details per Order Form). · Data Importer: the relevant Expana entity set out on an Order Form (contact: [email protected]) or the Customer (details per Order Form). |
| Annex I.B – Description of Transfer | · Subject matter: As in Annex A. · Duration: Term of Agreement. · Frequency: Continuous. · Nature and purpose: SaaS services. · Categories of data subjects: As in Annex A. · Types of personal data: As in Annex A. · Special categories: As in Annex A. · Retention: As in Annex A. |
| Annex I.C – Competent Supervisory Authority | · EEA: Authority of Data Exporter’s member state. · UK: ICO. · Switzerland: FDPIC. |
| Annex II – Technical and Organisational Measures | · Measures listed at trust.expanamarkets.com, including ISO 27001 alignment, AES-256 encryption at rest, TLS 1.2+ in transit, role-based access controls, SSO, password policies, risk assessments, BCP, employee training, and audits. |
| Annex III – List of Sub-Processors | · Available at trust.expanamarkets.com. |