Privacy and Security Addendum

Updated

1. Definitions

a) “Affiliate” means any person or entity that, directly or indirectly through one or more intermediaries, controls or is controlled by, or is under common control with Catalyst.

b) “Controller” means any Person or organization that, alone or jointly with others, determines the purposes and means of the Processing of Personal Information.

c) “Personal Information” means any information relating to an identified or identifiable Person, including, but not limited to name, postal address, email address or other online contact information (such as an online user ID), telephone number, date of birth, social security number (or its equivalent), or any other unique identifier or one or more factors specific to the individual’s physical, physiological, mental, economic or social identity, whether such data is in individual or aggregate form and regardless of the media in which it is contained, that may be (i) disclosed at any time to Contractor or its Personnel by Catalyst or Catalyst’s client or their respective Personnel in connection with the Services; (ii) Processed at any time by Contractor or its Personnel in connection with Services; or (iii) derived by Contractor or its Personnel from the information described in (i) or (ii) above.

d) “Personnel” means employees, agents, consultants or contractors of Contractor or Catalyst, as applicable.

e) “Privacy Shield” means the European Union (EU)-U.S. and Switzerland-U.S. Privacy Shield frameworks.

f) “Processor” means any Person or Entity that Processes Personal Data on behalf of a Controller.

g) “Process” or “Processing” means any operation or set of operations performed upon Personal Information, whether or not by automatic means, such as creating, collecting, procuring, obtaining, accessing, recording, organizing, storing, adapting, altering, retrieving, consulting, using, disclosing or destroying the data.

2. Contractor shall use Personal Information only as expressly authorized under the Agreement or any Service Schedule.

3. Unless Catalyst elsewhere in this agreement recognizes Contractor to be a Controller, Catalyst shall have the exclusive authority to determine the purposes for and means of Processing Personal Information.

4. In Processing Personal Information, Contractor shall comply with all applicable laws in effect and as they become effective relating in any way to the privacy, confidentiality or security of Personal Information.

5. Contractor shall Process Personal Information only on behalf and for the benefit of Catalyst and only for the purposes of Processing Personal Information in connection with this Agreement and/or Service Schedule and will carry out its obligations pursuant to the Agreement and/or Service Schedule and in accordance with Catalyst’s written instructions.

6. Contractor shall limit access to Personal Information to its Personnel who have a need to know the Personal Information as a condition to Contractor’s performance of Services for or on behalf of Catalyst. Contractor will exercise the necessary and appropriate supervision over its relevant Personnel to maintain appropriate privacy, confidentiality and security of Personal Information. Contractor will ensure that Personnel with access to Personal Information are periodically trained regarding privacy and security and the limitations on Processing of Personal Information as provided in this Agreement.

7. Contractor will not transfer Personal Information that was originally delivered to a location inside the EU, outside the EU without the explicit written consent of Catalyst.

8. Contractor shall not share, transfer, disclose or otherwise provide access to any Personal Information to any third party, or contract any of its rights or obligations concerning Personal Information to a third party, unless Catalyst has authorized Contractor to do so in writing, except as required by law. Where Contractor, with the consent of Catalyst, provides a third party access to Personal Information, or contracts such rights or obligations to a third party, Contractor shall enter into a written agreement with each third party that imposes obligations on the third party that are substantially similar to those imposed on Contractor under this clause. Contractor shall retain only third parties that Contractor reasonably can expect to be suitable and capable of performing their delegated obligations in accordance with this Order and Catalyst’s written instructions.

9. To the extent Contractor provides a third-party Processor access to Personal Information received by Catalyst from a Person or Entity in the EU or Switzerland, Contractor shall (i) transfer the Personal Information to the third-party Processor only for the limited and specified purposes instructed by Catalyst, (ii) ascertain that the third-party Processor is obligated to provide at least the same level of privacy protection as is required by the Privacy Shield principles, (iii) take reasonable and appropriate steps to ensure that the third-party Processor effectively Processes the Personal Information transferred in a manner consistent with the Privacy Shield principles, (iv) require the third-party Processor to notify Contractor if the third-party Processor determines that it can no longer meet its obligation to provide the same level of protection as is required by the Privacy Shield principles, and (v) upon notice, including under (iv), take reasonable and appropriate steps to stop and remediate unauthorized Processing.

10. Contractor will immediately inform Catalyst in writing of any requests with respect to Personal Information received from Catalyst’s customers, consumers, employees, or others. Contractor will respond to such requests in accordance with Catalyst’s instructions. Contractor will fully cooperate with Catalyst if an individual requests access to his or her Personal Information for any reason.

11. Contractor shall develop, implement and maintain a comprehensive, written information security program that complies with all applicable laws. Contractor’s information security program will include appropriate administrative, technical, physical, organizational and operational measures designed to (i) ensure the security and confidentiality of Personal Information; (ii) protect against any anticipated threats or hazards to the security and integrity of Personal Information; and (iii) protect against accidental or unlawful destruction, loss or alteration, unauthorized disclosure or access, and any other unlawful forms of Processing (hereinafter “Information Security Incident”).

12. If the Processing involves the transmission of Personal Information over a network, Contractor will implement appropriate measures to protect Personal Information against the specific risks presented by the Processing. Contractor shall ensure a level of security appropriate to the risks associated with such transmission and the nature of the Personal Data Processed.

13. Contractor shall immediately, but in no event later than twenty-four hours after Contractor’s discovery of the Information Security Incident, notify Catalyst in writing of any Information Security Incident. Such notice will summarize in reasonable detail the effect on Catalyst, if known, of the Information Security Incident and the corrective action taken or to be taken by Contractor. Contractor will promptly take all necessary and advisable corrective actions and will cooperate fully with Catalyst in all reasonable and lawful efforts to prevent, mitigate or rectify such Information Security Incident. The content of any filings, communications, notices, press releases or reports related to any Information Security Incident must be approved by Catalyst prior to any publication or communication thereof.

14. Contractor’s obligations under this clause will survive the termination of this Agreement and the completion of all Services subject thereto.