Version: 1.0
Effective Date: 2022-10-03
- Policy Statement
Schedule A, as referenced in this document, serves as the Data Processing Addendum (“DPA”) to the MSA between Customer and S&E. This DPA outlines the terms and conditions under which the processing of Customer Data, including Personal Data, will be managed. It also contains S&E’s requirements for information security.

DEFINITIONS

For the purpose of this DPA, the terms not otherwise defined herein shall have the meaning ascribed to them in the Agreement.

“Confidentiality Incident” means (a) access to Personal Data not authorized by law; (b) use of Personal Data not authorized by law; (c) communication of Personal Data not authorized by law; (d) loss of Personal Data or any breach of the protection of such information, including a privacy breach or a personal data breach under Data Protection Laws, or a confidentiality incident under the Act.

“Customer Systems” means any information technology (“IT”) systems, applications, networks, platforms, and infrastructure, including but not limited to hardware, software, databases, electronic systems and networks owned, controlled or managed by Customer. This includes, but is not limited to, the Google Admin Console, which is the control center for managing Google Workspace services for Customer, or applications to which Customer provides S&E with access in connection with the Services.

“Data Protection Laws” means applicable laws currently in effect relating to the Processing of Personal Data, including the Personal Information Protection and Electronic Documents Act, Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (the “Act”), and any other laws applicable from time to time.

“Data Subject Request” means the exercise by a data subject of his or her rights granted under Data Protection Laws regarding his or her Personal Data.

“Processing” or “Process” means the collection, use, disclosure, communication or other processing of Customer Data or Personal Data, as applicable.

“Security Breach” means any actual or reasonably foreseeable (a) Confidentiality Incident; (b) breach of security affecting the confidentiality, integrity or availability of Customer Data or Customer Systems; or (c) breach of security affecting the confidentiality, integrity or availability of S&E Systems, in each case when caused by either Party or its Representatives in the provision of the Services or in relation to this Agreement.

“S&E Systems” refers to any IT systems, applications, networks, platforms, and infrastructure, including but not limited to hardware, software, databases, electronic systems, and network systems owned, controlled, or managed by S&E, and which are Processing Customer Data. S&E Systems specifically excludes any Customer Systems from this definition, including, but not limited to, Customer’s Google Admin Console.

“Privacy Violation” means any violation or attempted violation by any person of any obligation concerning the confidentiality of the Personal Data communicated, as set forth in Section 18.3 of the Act.

PROCESSING INSTRUCTIONS

Processing Instructions. S&E will only Process Customer Data as permitted by the Agreement and in accordance with the instructions provided by Customer, including in the performance of the Services. S&E will not extract Customer Data from Customer Systems, except as explicitly agreed upon under the Agreement or as required to comply with Customer’s instructions. If S&E becomes aware that these instructions contravene Data Protection Laws, S&E will promptly inform Customer. S&E reserves the right to refuse Processing of Customer Data if it believes that such an instruction is in violation of Data Protection Laws.

Applicable Laws. If S&E is required to Process the Personal Data to comply with applicable laws, or the administration thereof, S&E will inform Customer of such obligations prior to Processing the Personal Data, unless prohibited from doing so under such applicable laws.

IP Rights. As between the Parties, Customer owns all right, title, and interest in the Customer Data. S&E will not use the Customer Data for secondary purposes, including any use of Personal Data for marketing purposes, without Customer’s prior written authorization.

Data Subject Rights. Each Party agrees to collaborate with the other Party to respond to Data Subject Requests in accordance with Data Protection Laws. To the extent that S&E receives a request from a data subject, S&E will forward this request to Customer to respond and will provide all reasonable assistance for Customer to respond. This assistance does not include responding on behalf of Customer, including by locating or scanning Customer Systems to respond to the Data Subject Request, unless specifically agreed upon in an SOW.

Secure Deletion. S&E Cloud Experts will, at Customer’s discretion, securely delete or securely return any Customer Data Processed on behalf of Customer at the termination of the Agreement, or earlier if requested by Customer. Notwithstanding the foregoing, S&E may retain Customer Data for longer strictly as required under applicable laws, or for a limited period to ensure business continuity, in the form of encrypted backups. “Secure deletion” and “Securely delete” mean that the deleted data cannot be retrieved in a form that identifies Customer or any data subjects.

Data Processing Location. By default, S&E Processes Customer Data in Quebec, Canada, unless otherwise specified in an SOW. Notwithstanding the foregoing, (a) Customer acknowledges and accepts that, as part of the Services, it may be necessary for S&E to share Customer Data with Google, which is headquartered in the United States; and (b) Customer determines and is responsible for the hosting location of the Customer Systems and for the Transfers inherent to Customer’s instructions. S&E bears no responsibility for establishing this location or for compliance obligations related to the transfer of Personal Data within Customer Systems, or at Customer’s request or instruction. Upon request, S&E will provide Customer with a list of all locations in which Processing of Customer Data occurs within S&E’s control or S&E Systems.

Service Providers. S&E shall ensure that each service provider (a) is subject to an appropriate agreement containing terms and conditions that are compliant with Data Protection Laws; (b) does not use Customer Data for secondary purposes and complies with the restrictions in this Agreement; and (c) is subject to an appropriate due diligence process to ensure that such service provider complies with Data Protection Laws. Upon request, S&E will make available to Customer a list of service providers with access to Customer Data, their locations, and their purposes.

Changes. Prior to making a material change to the location of the Processing or to the service providers involved in the Processing, including by adding a service provider, S&E will provide Customer with 15 days’ written notice. If Customer does not object during this period, S&E will proceed with the suggested change, subject to the terms and conditions set forth herein, including Sections 2.6 and 2.7. If Customer objects to the change in writing on reasonable grounds, the Parties will negotiate in good faith a mutually acceptable business outcome. If the Parties cannot find a solution within 30 days, either Party may terminate the affected SOWs upon 15 days’ prior written notice, and, if applicable, the Fees paid in advance for Services not rendered will be reimbursed.

Transfers of Personal Data. If S&E transfers Personal Data outside of Quebec, Canada, including to a service provider (each a “Transfer”), S&E shall (a) inform Customer of such Transfer at least 30 days before it becomes effective; (b) enter into an agreement with such recipients which is compliant with Data Protection Laws, as applicable; (c) perform reasonable due diligence of any recipients; and (d) perform a privacy impact assessment or any other risk assessment which S&E is required to perform under Data Protection Laws.

SECURITY MEASURES

S&E Responsibilities. S&E will implement appropriate technical and organizational measures to prevent, protect against and respond to Security Breaches affecting Customer Data in the S&E Systems or otherwise under its control. These measures shall be based on the risks to Customer Data and shall at a minimum include the following:

Confidentiality. S&E will ensure that its personnel engaged in providing the Services are informed of the confidential nature of the Customer Data, have received appropriate training on their responsibilities, and are subject to obligations of confidentiality.

Criminal Checks. S&E will conduct criminal background checks on all personnel assigned to the performance of the Services prior to their engagement, to the extent permissible under applicable law. The background checks shall include checks for any history of criminal activity that could reasonably compromise the integrity or security of the Customer Data or any Customer Systems. Any individual with such a history will not be authorized to provide any Services to Customer.

Access Control. S&E will apply the principle of access on a need-to-know basis and implement role-based access control (“RBAC”) for the S&E Systems, whereby access rights and privileges are assigned to individuals based on their role and responsibilities within S&E’s organization. All access permissions shall be regularly reviewed and updated to ensure that individuals do not retain access rights once they are no longer required for their role.

Multi-Factor Authentication and Authentication Protocols. To ensure the security and integrity of the Customer Data, S&E commits to employing robust authentication protocols. This will include implementing Multi-Factor Authentication (“MFA”) as a standard practice for accessing any part of the S&E Systems that holds or Processes Customer Data.

Encryption. S&E will utilize industry-standard encryption technologies during the transmission and storage of Customer Data.

Security Vulnerability Management and Patching. S&E will develop, implement and maintain a security vulnerability management program applicable to the S&E Systems. This includes regular scanning for vulnerabilities, risk assessments, and the timely application of patches and updates as they become available.

Business Continuity. S&E develops, implements and maintains an effective business continuity plan designed to ensure the availability and rapid recovery of the Customer Data in the possession or under the control of S&E in the event of disruptions such as natural disasters, hardware failures, or significant breaches of the S&E Systems. This plan will include disaster recovery measures and regular testing to ensure its effectiveness.

Customer Responsibilities. Customer is responsible for the management and maintenance of, and access to, its Customer Systems, as further detailed below.

Customer Systems. The security of the Customer Systems, including their confidentiality, availability, integrity, resilience, robustness and compliance, and their access controls, authentication protocols and monitoring practices, falls under the sole responsibility of Customer. S&E does not have, nor will it assume, any responsibility or liability for the foregoing, including any damages resulting from a Security Breach. This responsibility includes ensuring that all access permissions are correctly assigned and regularly reviewed, that all authentication protocols are robust and secure, and that the Customer Systems are appropriately monitored for potential security threats.

Data Retention. Customer is solely responsible for determining and applying the appropriate retention periods for the Customer Data within the Customer Systems. This includes configuring the Customer Systems’ settings to ensure Personal Data is retained and deleted in line with Data Protection Laws. Unless explicitly agreed upon in an SOW, S&E will not assume any responsibility or liability for configuring the retention settings or deleting data from the Customer Systems.

Instructions. Customer is solely responsible for ensuring that its instructions for the Processing of Customer Data comply with Data Protection Laws. This responsibility includes appropriately informing data subjects about the Processing of their data and obtaining their consent when necessary for the provision of the Services. S&E has no responsibility or liability for acquiring such consent. Customer must ensure that all necessary permissions and consents have been obtained before instructing S&E to Process any Customer Data.

Business Continuity. Customer is solely responsible for ensuring business continuity within the Customer Systems, unless the Parties agree otherwise in an SOW. This includes having appropriate backup, disaster recovery, and contingency plans in place to maintain ongoing operations and safeguard Customer Data in the event of any disruptions, outages, or failures.

RESPONDING TO SECURITY BREACHES

Detection. S&E will implement reasonable technical and organizational measures to detect actual and potential Security Breaches, such as log monitoring. These detection measures include a Security Information and Event Management (“SIEM”) system, an Intrusion Detection System (“IDS”), and other controls judged commercially reasonable. These detection tools will be configured to monitor signatures and network behaviour for signs of attack or compromise, to apply regular automated updates to detection signatures based on changing threats, and to capture packet headers of traffic. S&E will deploy a commercially reasonable Data Loss Prevention (“DLP”) system as necessary to prevent the unauthorized disclosure of Customer Data from the S&E Systems.

Preparation. S&E will implement and maintain an incident response plan (“IRP”) which covers the preparation, detection, analysis, containment, eradication, recovery, and post-incident activities in relation to a Security Breach, the whole substantially in accordance with NIST’s Computer Incident Handling Guide, as modified from time to time.

Notification. In the event of a Security Breach, each Party will inform the other Party without undue delay, and no later than 48 hours from becoming aware of the Security Breach. Such notification will include the potential harms to data subjects, the categories and approximate number of data subjects affected, a description of the likely consequences of the Security Breach, and a description of the measures taken or proposed to be taken by the affected Party to address the Security Breach, including measures to mitigate its possible adverse effects. If such information is not available at the time of the initial disclosure, the affected Party will follow up promptly as such information becomes available.

Collaboration. The Parties will collaborate, including by assisting with any reasonable investigation, including, pursuant to Section 18.3 of the Act, by allowing the person in charge of the protection of Personal Data to conduct any verification relating to confidentiality requirements, and by making available reasonable records and logs, subject to confidentiality obligations with third parties and attorney-client privilege.

Investigation. The affected Party will identify the vulnerabilities which gave rise to the Security Breach and provide the other Party with a reasonable remediation plan for addressing these vulnerabilities without undue delay.

Privacy Violations Reporting. In the event of a Privacy Violation that does not amount to a Security Breach, S&E will report the Privacy Violation to Customer without undue delay after its discovery by S&E, using the contact information in the MSA or in an SOW. The notification will include details on the nature of the Privacy Violation, the risks of harm to data subjects, the categories of data subjects involved, and the remedial measures taken or proposed to be taken to rectify the Privacy Violation. This process does not activate the IRP unless deemed necessary by S&E.

COLLABORATION

PIA. If Customer must perform a privacy impact assessment (“PIA”) pursuant to Data Protection Laws, S&E will provide reasonable collaboration, such as by making reasonably requested information available in a timely manner. Any additional collaboration will be at Customer’s cost and expense, as agreed upon in an SOW.

Right to Audit. If Customer must perform a due diligence exercise, internal audit, or verification (a “Compliance Check”) of S&E’s compliance with this DPA, S&E will collaborate in good faith, such as by making reasonably requested information available in a timely manner. The Compliance Check will occur no more than once annually, during Operating Hours, online and through the review of the information made available, including any independent audits. The Compliance Check must be performed by individuals subject to an appropriate confidentiality agreement or a similar legal obligation. If the Compliance Check uncovers a non-compliance with this DPA or Data Protection Laws, S&E will adopt a reasonable remediation plan and keep Customer informed of the remediation.

Interpretation. Nothing in this Agreement shall be construed as relieving either Party from its respective responsibilities under Data Protection Laws, including for its own systems.

Amendments. S&E reserves the right to suggest amendments to this DPA as necessary to ensure compliance with Data Protection Laws. In the event of such suggested amendments, S&E will provide Customer with reasonable written notice. Should Customer not provide reasonable opposition to these amendments within the notice period, the amendments will be deemed accepted and will take effect as required to maintain compliance with Data Protection Laws.

- Revision History
| Version | Date | Author | Notes |
|---|---|---|---|
| 1.0 | 2024-09-06 | Privacy Officer | Creation of the policy |