Data Processing Addendum

1. Definitions
   1. “Applicable EU Law” means any applicable law of the European Union (or the law of one or more of the Member States of the European Union).
   2. “California Privacy Law” means, as applicable, the California Consumer Privacy Act and related regulations and, when effective, the California Privacy Rights Act and related regulations.
   3. “CPA” means, when effective, the Colorado Privacy Act and related regulations.
   4. “Personal Information” means any information relating to an identified or identifiable natural person.
   5. “PIPEDA” means the Personal Information Protection and Electronic Documents Act, SC 2000, c.5.
   6. “Privacy Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, theft, or unauthorized access to or disclosure of Personal Information.
   7. “Privacy Laws” means any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation or other binding restriction (as amended, consolidated or re-enacted from time to time) governing the Processing or protection of Personal Information, including for example, and without limitation, EU GDPR and Directive 2002/58/EC, UK GDPR, PIPEDA, California Privacy Law, the VCDPA, and the CPA.
   8. “Processing”, “Processed” or “Process” means any operation or set of operations which is performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as but not limited to collection, use, modification, retrieval, disclosure, retention, storage, deletion and/or management of Personal Information.
   9. “Standard Contractual Clauses” or the “SCCs” means (i) where the GDPR applies, the standard contractual clauses adopted by the European Commission in its Implementing Decision (EU) 2021/91 of 4 June 2021 (the “EU SCCs”); or (ii) where UK Privacy Laws apply, the standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR (the “UK SCCs”).
   10. “UK GDPR” means the EU GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)) and the UK Data Protection Act 2018 (as amended).
   11. “VCDPA” means, when effective, the Virginia Consumer Data Protection Act.
2. Data Processing and Security Responsibilities
   1. Customer and CFI shall each comply with all Privacy Laws that apply to it in relation to any Personal Information Processed in connection with this Addendum, as set out in Annex A to this Addendum. The Parties acknowledge and agree that Customer is a controller or business (as applicable) of the Personal Information covered by this Addendum, CFI shall be a processor or service provider (as applicable) processing Personal Information on behalf of the Customer.
   2. Customer agrees that it has:
      1. obtained and shall continue to obtain all consents necessary, and provided all necessary notices and otherwise has and continues to have all necessary authority to permit CFI to perform its obligations and exercise its rights under this Addendum, and shall inform CFI immediately if any such consents are withdrawn;
      2. except as provided by this Addendum, Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Personal Information when in transit to and from the Services and taking any appropriate steps to securely encrypt or backup any Personal Information processed in connection with the Services.
      3. ensured and shall continue to ensure that all Personal Information Processed by CFI is adequate, relevant, accurate and up-to-date, and limited to what is necessary to permit CFI to perform its obligations and exercise its rights under this Addendum;
      4. its processing instructions will not cause CFI to be in breach of Privacy Laws.
   3. In the course of Processing Personal Information on behalf of Customer as detailed in Annex A to this Addendum, CFI shall:
      1. except as otherwise permitted in this Addendum, only use, disclose, transfer, retain, and otherwise Process Personal Information as reasonably necessary for the purposes of rendering the Services and as otherwise instructed by Customer in writing from time to time or as otherwise required or permitted by applicable Privacy Law, and not Process any Personal Information in any other manner without the express prior written authorization of Customer unless required to do so by applicable law;
      2. as soon as reasonably practicable, inform the Customer if, in CFI’s opinion, any instruction received from the Customer infringes Applicable EU Law;
      3. not disclose any Personal Information to any third party without the prior written authorization of Customer (under this Addendum or otherwise) unless required to do so under applicable law (in which case clause e) below shall apply);
      4. not “sell” the Personal Information within the meaning of California Privacy Law, the VCDPA, or the CPA, and not “share” the Personal Information within the meaning of the California Consumer Rights Act;
      5. where any disclosure, transfer or other Processing of Personal Information is required by applicable law, promptly notify Customer in writing before complying with any such requirement;
      6. promptly notify Customer in writing of any:
         1. enquiry received from individuals relating to the individual’s rights under Privacy Laws, and provide reasonable assistance to Customer with respect to any obligations Customer has to respond to such requests;
         2. complaint received by CFI either from an individual or an independent public authority that is established by an EU Member State or the United Kingdom to monitor the application of the EU GDPR or UK GDPR, respectively, relating to the Processing of Personal Information; and
         3. order, demand or warrant purporting to compel the production of any Personal Information;
      7. implement reasonable and appropriate physical, technical, administrative and organizational security procedures and practices appropriate to the sensitivity of the Personal Information, to protect the Personal Information against loss, theft, destruction, alteration and unauthorized or unlawful access, use or disclosure, as would allow CFI to ensure the ongoing confidentiality, integrity and availability of Processing systems and services (the “Security Measures”) which are set out in Annex B. Customer acknowledges that the Security Measures are subject to technical progress and development and that CFI may update and/or modify the Security Measures from time to time, provided that such updates and/or modifications do not result in the degradation of the overall security of the Products purchased by the Customer.
      8. limit access to Personal Information only to those employees and authorized agents of CFI who need to have access to the Personal Information and solely for the purposes set out in this Addendum;
      9. ensure or cause each of the employees and permitted contractors of CFI to agree to protect the confidentiality and security of the Personal Information in accordance with the terms of this Addendum;
      10. provide reasonable assistance, at Customer’s cost and request, to Customer in connection with Customer’s obligations under Privacy Laws;
      11. aggregate and/or de-identify the Personal Information in order to use such information for its own purposes, provided that such information is non-identifiable and otherwise no longer constitutes Personal Information under applicable Privacy Laws; and
      12. notify Customer if CFI determines it can no longer meet its obligations under applicable Privacy Laws.
3. Third-Party Certifications CFI shall provide, and Customer agrees to accept, CFI’s most current third-party certifications as may be relevant and available in respect of the Services.
4. Sub-processing Subject to Clause 6, Customer acknowledges and agrees that CFI shall use sub-processors (including CFI affiliates) to provide the Services, including the Processing activities set out in Annex A. CFI shall enter into a written contract with each such sub-processor that imposes obligations on the sub-processor that are sufficient to permit CFI to comply with its obligations under this Addendum. Prior to appointing any new sub-processor, CFI shall notify Customer of such sub-processors, whereupon Customer shall have ten (10) days to object to such appointment by providing detailed reasons in writing for such objection to CFI, at which point Customer will be deemed to have given written consent to appoint and use such sub-processor if CFI has not received an objection from Customer. If Customer objects in writing to the proposed appointment, the Parties shall work together in good faith to resolve Customer’s reasonable concerns.
5. Security Breaches
   1. CFI shall notify Customer without undue delay upon CFI becoming aware of a Privacy Breach and shall provide timely information relating to the Privacy Breach as it becomes known or as is reasonably requested by Customer. CFI’s notification of or response to a Privacy Breach in accordance with this section will not be construed as an acknowledgment by CFI of any fault or liability with respect to the Privacy Breach.
   2. On written request from Customer, CFI will provide written responses to all reasonable requests for information made by Customer related to its processing of Personal Information necessary to confirm CFI’s compliance with this Addendum, provided that Customer shall not exercise this right more than once in any 12 month rolling period. Additionally, Customer may also exercise such audit right if CFI has experienced a Privacy Breach, or on another reasonably similar basis. Nothing shall be construed to require CFI to provide:
      1. trade secrets or any proprietary information;
      2. any information that would violate CFI’s confidentiality obligations, contractual obligations, or applicable law; or
      3. any information, the disclosure of which could threaten, compromise, or otherwise put at risk the security, confidentiality, or integrity of CFI’s infrastructure, networks, systems, or data.
6. Data Transfers
   1. Customer acknowledges and agrees that in the course of providing the Services to Customer, CFI may transfer Personal Information that is subject to Applicable EU Law to sub-processors in countries outside of the European Economic Area. Subject to Section 4 of this Addendum, CFI shall ensure that appropriate transfer mechanisms are in place within the meaning of Applicable EU Law.
   2. Where Customer transfers (directly or via onward transfer) Personal Information that originated from Europe to CFI located in a country that does not provide an adequate level of protection for Personal Information (as described in European Data Protection Law), the parties agree to be subject to the SCCs, which shall be incorporated by reference (if applicable), considered to be affirmatively executed when incorporated, and form an integral part of this Addendum, as follows:
      1. Transfers outside of the EU. Personal Information that is protected by the EU GDPR shall have the EU SCCs apply as follows:
         1. Module Two will apply;
         2. in Clause 7, the optional docking clause will apply;
         3. in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes is identified in Section 4. above;
         4. in Clause 11, the optional language will not apply;
         5. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by the law of the data exporter’s Member State;
         6. in Clause 18(b), disputes shall be resolved before the courts of the law of the data exporter’s Member State;
         7. Annex I of the EU SCCs shall be deemed completed with the information set out in Annex 1 of this DPA; and
         8. Subject to Sections 2 and 5 of this Addendum, Annex II of the EU SCCs shall be deemed completed with the information set out in Annex 1 to this Addendum;
      2. Transfers relating to the UK. Subject to paragraph c. below, in relation to Personal Data that is protected by the UK GDPR, the EU SCCs as implemented under sub-paragraphs (i) and (ii) above will apply with the following modifications:
         1. references to “Regulation (EU) 2016/679” shall be interpreted as references to UK Privacy Laws;
         2. references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of UK Privacy Laws;
         3. references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to the “UK” or “UK law” (as applicable);
         4. the term “member state” shall not be interpreted in such a way as to exclude data subjects in the UK from the possibility of suing for their rights in their place of habitual residence (i.e., the UK);
         5. Clause 13(a) and Part C of Annex I are not used and the “competent supervisory authority” is the United Kingdom Information Commissioner;
         6. references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Information Commissioner” and the “courts of England and Wales”;
         7. in Clause 17, the Standard Contractual Clauses shall be governed by the laws of England and Wales; and
         8. with respect to transfers to which UK Privacy Laws apply, Clause 18 shall be amended to state “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may bring legal proceeding against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts”.
      3. UK Standard Contractual Clauses. Only to the extent that and for so long as the EU SCCs as implemented in accordance with paragraphs a. and b. above cannot be used to lawfully transfer Personal Information protected by the UK GDPR to CFI, the UK SCCs shall be incorporated into and form an integral part of this Addendum and shall apply to transfers governed by the UK GDPR. For the purposes of the UK SCCs, the relevant Annexes of the UK SCCs shall be populated using the information contained in Annex 1 and 2 of this Addendum.
      4. Conflicts. It is not the intention of either party to contradict or restrict any of the provisions set forth in the SCCs and, accordingly, if and to the extent the SCCs conflict with any provision of the Agreement (including this Addendum), the SCCs shall prevail to the extent of such conflict.
7. Termination
   1. This Addendum shall come into force on the Effective Date and shall remain in force until the termination or expiry of the MSA.
   2. Upon the termination of the MSA or at such other times as instructed by Customer in writing, CFI shall either return or securely dispose of the Personal Information and all existing copies, subject to CFI’s requirements to retain certain Personal Information in order to comply with its legal and regulatory obligations and applicable law or as otherwise necessary in the context of any disputes or litigation. In the event applicable law does not permit CFI to comply with the delivery or destruction of the Personal Information, CFI shall ensure the confidentiality of the Personal Information in accordance with applicable law.
8. Governing Law and Jurisdiction of Addendum
   1. This Addendum and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws specified in the MSA.
   2. The Customer and CFI agree that the courts specified in the MSA shall have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this Addendum or its subject matter or formation (including non-contractual disputes or claims).

ANNEX A
DATA PROCESSING DESCRIPTION

Subject-matter and duration of the Processing.

The Services are intended to provide personnel of Customer with courses to assist in improving financial analyst skills.

The duration of the Processing is the duration of the Agreement, as further permitted by the Agreement or as otherwise necessary to fulfill obligations under the Agreement.

Nature and purposes of the Processing.

The nature of the Processing is collection and use for the purpose of performing the Services, including to:

• Facilitate subscription payment processing;
• Facilitate subscription management; and
• Deliver examination reports and certificates to corporate end users of CFI’s web applications and services.

Data Categories.

The following categories of Data Subjects are involved:

• Corporate end-users of CFI’s web applications and services.

The following types of Personal Information will be Processed:

• Name
• Company name
• Business email
• Business phone number
• Business address
• Company-held bank account details
• Company-held credit card details (where relevant)
• IP address
• Exam scores

ANNEX B
SECURITY MEASURES

CFI has implemented the following administrative, technical and physical measures to safeguard the Personal Information it Processes:

• administrative safeguards:
  • user accounts permissioned based on principle of least privilege
  • employees authorized to only access data required for their duties
  • access is reviewed at least quarterly
• technical safeguards:
  • web application firewalls
  • intrusion protection systems
  • static application security testing
  • disaster management backup processes
  • long password requirements
  • two-factor authentication requirements
  • encryption of data at rest and in transit
  • hashing of data where appropriate
• physical safeguards:
  • secure data centre – AWS, GCP, and Microsoft Azure SOC 2 compliant data centres