Data Protection Addendum

1. Introduction

This Data Protection Addendum (“Addendum”) is agreed upon between Portant PTY LTD., a NSW, Australia company (“Portant”), and the Customer, commencing on the date upon which the Customer duly registered to utilise the services provided by Portant.. This Addendum governs the handling of Customer Personal Data by Portant in accordance with the agreement executed between Portant and the Customer concerning the provision of Portant's services (the “Terms and Conditions”).

2. Terminology

In the context of this Appendix, the definitions below apply. Any capitalised terms used but not defined herein shall have the meanings assigned in the Terms and Conditions.
2.1. “Associated Entity” refers to any entity having direct or indirect control over, being controlled by, or under common control with the referring entity, where “control” signifies the authority to guide or influence the management of the referring entity, either through ownership of voting stocks, by contract, or otherwise.
2.2. “CCPA” denotes the California Consumer Privacy Act of 2018, subject to amendments.
2.3. “Customer Personal Data” encapsulates any Customer Data (as delineated in the Terms and Conditions) that qualifies as Personal Data. Within this Addendum, Customer Personal Data excludes personal details of Customer’s employees or representatives engaged in direct business interactions with Portant.
2.4. “Privacy Legislation” includes, for each party, all privacy, data protection, and information security laws and regulations applicable to the party’s handling of Personal Data, encompassing the EU Privacy Legislation and the CCPA, as applicable.
2.5. “Data Individual” refers to the identified or identifiable natural person to whom the Personal Data pertains.
2.6. “EU Privacy Legislation” refers to the European Union Regulation 2016/679 (“GDPR”) along with any national laws implementing the GDPR, subject to amendments.
2.7. “Processing” denotes any action or set of actions performed on Personal Data or on sets of Personal Data, with or without automated means, such as collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
2.8. “Personal Data” refers to “personal data”, “personal information”, “personally identifiable information”, or analogous information as defined and governed by Privacy Legislation.
2.9. “Security Event” denotes a confirmed unauthorised or unlawful breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data processed by Portant. Security Events do not encompass unsuccessful attempts or activities that do not compromise the security of Personal Data, like unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other attacks on firewalls or networked systems.
2.10. “Subprocessor” refers to any third party authorised by Portant or its Associated Entities to Process any Customer Personal Data.
2.11. “External Subprocessor” denotes any Subprocessor not affiliated with Portant.

3. General; Termination

3.1. This Appendix constitutes an integral part of the Terms and Conditions. Barring explicit mentions within this Appendix, the Terms and Conditions remain unaltered and fully enforceable. In case of discrepancies between this Appendix and the Terms and Conditions, this Appendix shall prevail.
3.2. Any liabilities incurred under this Appendix are subject to the liability limitations stipulated in the Terms and Conditions.
3.3. The governance and interpretation of this Appendix will align with the governing law and jurisdiction provisions within the Terms and Conditions, unless Privacy Legislation mandates otherwise.
3.4. This Appendix will auto-terminate upon the termination or expiration of the Terms and Conditions.

4. Scope of this Addendum

This Addendum governs Portant’s Processing of Customer Personal Data under the Terms and Conditions, albeit Appendix A (EU Appendix) of this Appendix is applicable only to such Processing of Customer Personal Data governed by EU Privacy Legislation and Appendix B (California Appendix) of this Appendix is applicable only to such Processing of Customer Personal Data governed by the CCPA.

5. Role and Extent of Processing

5.1. Portant shall Process Customer Data exclusively in alignment with the Customer’s directives. By entering the Terms and Conditions, the Customer instructs Portant to Process Customer Data for the provision of services and per any other written instructions provided by the Customer and acknowledged in writing by Portant as constituting instructions for the purposes of this Appendix. Customer acknowledges and accepts that such instruction authorises Portant to Process Customer Data (a) to fulfil its responsibilities and exercise its rights under the Terms and Conditions; and (b) to abide by legal obligations and to establish, exercise, or defend legal claims concerning the Terms and Conditions.
5.2. For clarity, nothing in this Appendix restricts Portant from transmitting Customer Data to and among Sources and Destinations as directed by Customer through the services. Both parties agree that neither Sources nor Destinations are Subprocessors of Portant and that, between the parties, Customer solely bears the responsibility for the Processing of Customer Personal Data by, and other acts and omissions of, Sources and Destinations or parties affiliated with them.

6. Subprocessing

6.1. Customer explicitly permits Portant to employ its Associated Entities as Subprocessors, and generally authorises Portant to engage External Subprocessors for Processing Customer Personal Data. Portant:
6.1.1. shall formalise a written agreement with each Subprocessor, mandating data protection obligations substantially akin to those outlined in this Appendix; and
6.1.2. remains accountable for adhering to the obligations of this Appendix and for any actions or omissions by the Subprocessor causing Portant to violate any of its obligations under this Appendix.
6.2. Upon engaging a new External Subprocessor, Portant will notify Customer of such engagement, which may be conveyed by updating the Subprocessor Page and through a message within Customer’s Portant Workspace. Portant will provide such notice at least ten (10) calendar days prior to the new Subprocessor Processing any Customer Personal Data, except if Portant reasonably deems an expedited engagement of a new Subprocessor necessary for safeguarding the confidentiality, integrity, or availability of Customer Personal Data or averting substantial disruption to the services. Portant will provide such notice as soon as feasibly possible in such scenarios. If Customer notifies Portant in writing of its objection to Portant’s appointment of a new External Subprocessor due to justifiable data protection concerns within five (5) calendar days following such notice, both parties will amicably discuss such concerns and their resolution. If a mutual agreement on resolving such concerns is unattainable, Customer may, as its sole and exclusive remedy, terminate the Terms and Conditions for convenience.

7. Security

7.1. Portant shall establish and uphold technical and organisational safeguards aimed at safeguarding Customer Personal Data against Security Incidents, while ensuring the confidentiality and security of the Customer Personal Data, in line with Portant’s security standards outlined in the Privacy and Security page.
7.2. The Customer is tasked with reviewing the data security information provided by Portant and independently determining whether the Services align with Customer’s requirements and legal obligations under Data Protection Laws. Customer acknowledges that Security Measures may be revised periodically upon reasonable notification to ensure continual improvement or adapt to evolving practices, provided such modifications do not materially diminish Portant's obligations as outlined at the Effective Date.
7.3. Upon confirmation of a Security Incident, Portant will inform the Customer promptly unless restricted by applicable law. A delay in notification imposed by law enforcement or to allow for Portant's necessary investigation or remediation actions shall not be considered as undue delay. Notifications will, to the extent possible, detail the Security Incident, steps taken to mitigate potential risks, and recommend actions for the Customer. While Portant fulfils its obligations under this Section 7.c., the Customer remains solely accountable for adhering to applicable laws concerning Security Incident notifications and any third-party notification obligations. Portant’s actions in response to a Security Incident as per Section 7.c. will not be deemed as an acceptance of fault or liability regarding the Security Incident.
7.4. The Customer agrees that, notwithstanding Portant’s obligations under this Section 7, the Customer is solely accountable for its use of the Services, which includes (a) utilising the Services to maintain a security level suitable to the risk concerning Customer Data; (b) securing account authentication credentials, systems, and devices used to access the Services; (c) safeguarding Customer’s systems and devices interfaced with the Services; and (d) conducting its own backups of Customer Data.

8. Data Subject Requests

Portant will, upon Customer's request (and at Customer’s cost), provide the necessary assistance to help Customer fulfil its obligations under Data Protection Laws concerning individuals' rights requests (e.g., rights of data access, rectification, erasure, restriction, portability, and objection), where Customer cannot reasonably address such requests using the Services' self-service features. Should Portant receive a request from a Data Subject regarding their Customer Personal Data, Portant will direct the Data Subject to submit their request to the Customer, with the Customer being responsible for responding to any such request.

9. Return or Deletion of Data

9.1. Upon Customer’s request following the termination or expiration of the Terms and Conditions, Portant will delete all Customer Personal Data from Portant’s systems within sixty (60) days.
9.2. Despite the above, Customer understands that Portant may retain Customer Personal Data if mandated by law, with such data continuing to be governed by the stipulations of this Addendum.

Annex A - EU Annex

1. Definitions; Data Processing

1.1. Definitions. Within the scope of this Annex A, the terms “controller”, “processor”, and “supervisory authority” are as defined under EU Data Protection Law; “Standard Contractual Clauses” refer to the Standard Contractual Clauses for Processors endorsed by the European Commission under the Standard Contractual Clauses (SCC) as provided within the Customer’s Portant Workspace; “data importer” and “data exporter” are as defined in the Standard Contractual Clauses.
1.2. Subject Matter and Processing Details. Both parties acknowledge and agree that (a) the subject matter of the Processing under the Terms and Conditions is the provision of Services by Portant; (b) the Processing duration extends from Portant’s receipt of Customer Personal Data until all Customer Personal Data is deleted by Portant in accordance with the Agreement; (c) the Processing's nature and purpose is to deliver the Services; (d) the Data Subjects of the Processing are the Customer’s clients, end users, or other individuals related to Customer Personal Data; and (e) the categories of Customer Personal Data are as authorised by the Customer to be ingested into the Services under the Agreement.
1.3. Roles and Regulatory Compliance; Authorization. Both parties acknowledge and agree that (a) Portant acts as a processor of the Customer Personal Data under EU Data Protection Law; (b) Customer is a controller of the Customer Personal Data under EU Data Protection Law; and (c) each party shall adhere to the respective obligations under EU Data Protection Law regarding the Processing of Customer Personal Data. To the extent any Usage Data (as defined in the Agreement) is deemed Personal Data, Portant is the controller of such data and shall Process such data in line with its Privacy Policy, which can be accessed at https://www.portant.co/privacy-policy.
1.4. Portant’s Compliance with Instructions. Portant shall only Process Customer Personal Data as per Customer’s instructions in this Addendum, unless EU Data Protection Law mandates otherwise, in which case Portant shall inform the Customer (unless such law bars Portant from doing so).​

2. Data Security

2.1. Portant Security Measures, Controls, and Assistance2.1.1. Portant will (considering the nature of Processing of Customer Personal Data and the information available to Portant) provide the Customer with necessary assistance to comply with its obligations concerning Customer Personal Data under EU Data Protection Law, including Articles 32 to 34 (inclusive) of the GDPR, by (a) implementing and maintaining the Security Measures; (b) adhering to the terms of Section 7 of this Addendum; and (c) complying with this Annex A.2.1.2. Portant will authorise access to Customer Personal Data solely to personnel requiring such access for their job functions, under proper confidentiality obligations. Should a Customer's employee wish to exercise their rights under EU Data Protection Laws (e.g., rights of data access, rectification, erasure, restriction, portability, and objection) concerning any Usage Data that constitutes Personal Data, the Customer commits to notify Portant promptly and direct their employee to contact Portant directly via contact@portant.co.
2.2. Audits and Compliance Reviews. Should applicable Data Protection Laws grant the Customer the right to audit Portant’s Processing of Customer Personal Data, the Customer will exercise such audit right, and Portant will comply with its corresponding obligations, as outlined:
2.2.1. Portant shall provide the Customer with pertinent information regarding Portant’s Processing of Customer Personal Data under this Addendum, in the form of Portant’s most recent audit reports (“Third Party Reports”).
2.2.2. Not exceeding once per calendar year and at the Customer’s expense, the Customer may audit Portant’s Processing of Customer Personal Data for compliance with obligations under this Addendum by submitting reasonable information requests, including security and audit questionnaires. Portant will furnish written responses if the requested information is crucial to confirm Portant’s compliance with this Addendum. Nonetheless, if a Third Party Report issued within the 12-month period preceding the Customer’s request addresses the requested information and Portant confirms no material changes have occurred relevant to the Customer’s request, the Customer agrees to accept such Third Party Report instead of a written response. Any information shared by Portant under this Section 2.b. is deemed Portant’s Confidential Information under the Agreement.
2.2.3. In the event a third party is enlisted to carry out an audit as per this Section 2.b., Portant reserves the right to raise objections towards the auditor if, in Portant’s reasonable judgement, the auditor lacks independence, is a competitor of Portant or is otherwise unqualified. Such objection by Portant will necessitate the Customer to designate a different auditor or undertake the audit internally.
2.2.4. The Customer shall swiftly inform Portant of any non-compliance identified during the audit and supply Portant with any audit reports generated in association with any audit under this Section 2.b., unless prohibited by EU Data Protection Law or as directed by a supervisory authority. The Customer may utilise the audit reports solely for fulfilling its regulatory audit obligations and affirming that Portant’s Processing of Customer Personal Data adheres to this Addendum.
2.2.5. The Customer shall compensate Portant for any time spent by Portant or its Subprocessors in relation to any audits under this Section 2.b. at Portant’s prevailing professional services rates, which will be disclosed to the Customer upon request. The Customer will bear any charges incurred by any auditor appointed by the Customer to conduct such an audit. Nothing in this Addendum obliges Portant to share more information regarding its Third Party Subprocessors during such audits than what these Third Party Subprocessors generally disclose to their clientele. Nothing in this Section 2.b. shall necessitate Portant to violate any confidentiality obligations.​
‍

3. Impact Assessments and Consultations

Portant may, considering the nature of the Processing and the information accessible to Portant, reasonably assist the Customer in fulfilling the Customer’s duties under Articles 35 and 36 of the GDPR, by (a) providing documentation outlining relevant facets of Portant’s information security regimen and the security measures enacted therein; and (b) offering the other information included in the Agreement, comprising this Addendum.

4. Data Transfers

4.1. Data Processing Facilities. Subject to Section 4.b., Portant may store and Process Customer Personal Data in the United States or any location where Portant or its Subprocessors have facilities. Adhering to Portant’s obligations in this Section 4, the Customer is accountable for ensuring that its utilisation of the Services is in compliance with any cross-border data transfer restrictions imposed by EU Data Protection Law.
4.2. Standard Contractual Clauses. Should the Customer, being established in the EU, transfer Customer Personal Data out of the EU to Portant in a nation not recognized by the European Commission as having adequate data protection, and the Privacy Shield ceases to be a valid mechanism for such transfer under Chapter V of the GDPR, with no lawful alternative transfer basis available, such transfer will be governed by the Standard Contractual Clauses, the terms of which are hereby integrated into this DPA. In alignment with the foregoing, the parties concur that:
4.2.1. concerning the Standard Contractual Clauses, (a) the Customer will act as the data exporter and (b) Portant will act as the data importer;
4.2.2. for Appendix 1 to the Standard Contractual Clauses, the Data Subjects, data categories, and processing operations shall be as delineated in Section 1.b. of this Annex A;
4.2.3. for Appendix 2 to the Standard Contractual Clauses, the technical and organisational measures shall be the Security Measures;
4.2.4. upon the data exporter’s request under the Standard Contractual Clauses, data importer will furnish the copies of the Subprocessor agreements which must be dispatched by the data importer to the data exporter as per Clause 5(j) of the Standard Contractual Clauses, with the data importer having the liberty to omit or redact any commercial information or clauses unrelated to the Standard Contractual Clauses or their equivalent beforehand;
4.2.5. the audits as described in Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses shall be conducted in line with Section 2.b. of this Annex A;
4.2.6. the Customer’s authorizations in Section 6 of this Addendum (Subprocessing) will signify the Customer’s prior written consent to Portant’s subcontracting of the Processing of Customer Personal Data if such consent is mandated under Clause 5(h) of the Standard Contractual Clauses;
4.2.7. certification of deletion of Customer Personal Data as portrayed in Clause 12(1) of the Standard Contractual Clauses shall be furnished only upon the Customer’s request; and
4.2.8. the Standard Contractual Clauses will automatically expire once the transfer of Customer Personal Data governed by them becomes lawful under Chapter V of the GDPR without the need for such Standard Contractual Clauses on any other basis.

Annex B - California Annex

1. For the purposes of this Annex B, the terms “business”, “commercial purpose”, “service provider”, “sell”, and “personal information” carry the meanings ascribed in the CCPA.
2. In relation to Customer Personal Data, Portant acts as a service provider under the CCPA.
3. Portant shall not (a) sell Customer Personal Data; (b) retain, use, or disclose any Customer Personal Data for any purpose other than for the specific purpose of providing the Services, including retaining, using, or disclosing the Customer Personal Data for a commercial purpose other than delivering the Services; or (c) retain, use, or disclose the Customer Personal Data outside of the direct business relationship between Portant and the Customer.
4. The parties recognise and concur that the Processing of Customer Personal Data, as directed by the Customer's instructions outlined in Section 5 of this Addendum, is fundamental to and encompassed within Portant's delivery of the Services and the direct business engagement between the parties.
5. Irrespective of any provisions in the Terms and Conditions or any Order Form associated therewith, the parties recognize and concur that Portant's access to Customer Personal Data is not deemed as part of the consideration exchanged between the parties concerning the Terms and Conditions.a
6. Insofar as any Usage Data (as defined in the Terms and Conditions) is regarded as Personal Data, Portant is the business entity in relation to such data and shall Process such data in adherence to its Privacy Policy, which can be accessed at https://www.portant.co/privacy-policy

Annex C - UK Annex

1. Data Subject Access Requests

1.1 Portant shall assist the Customer in responding to data subject access requests (DSARs) in accordance with Article 15 of the UK GDPR. To this end, Portant shall:
- Provide the Customer with all information necessary to respond to the DSAR, including any personal data processed by Portant on behalf of the Customer.
- Assist the Customer in verifying the identity of the data subject.
- Allow the Customer to access the personal data of the data subject, or to have it transmitted to another controller, as instructed by the Customer.
- Assist the Customer in complying with any other requirements of Article 15 of the UK GDPR.
1.2 The Customer shall be responsible for all costs associated with Portant's assistance in responding to DSARs.

2. Data Subject Deletion Requests

2.1 Portant shall assist the Customer in responding to data subject deletion requests (DSDRs) in accordance with Article 17 of the UK GDPR. To this end, Portant shall:
- Delete all personal data of the data subject processed by Portant on behalf of the Customer, unless Portant is required by law to retain such data.
- Provide the Customer with confirmation that the personal data of the data subject has been deleted.
2.2 The Customer shall be responsible for all costs associated with Portant's assistance in responding to DSDRs.

3. Data Breaches

3.1 Portant shall notify the Customer of any personal data breach affecting the Customer's personal data within 72 hours of becoming aware of the breach.
3.2 Portant shall cooperate with the Customer in investigating and remediating any personal data breach.
3.3 The Customer shall be responsible for all costs associated with Portant's cooperation in investigating and remediating personal data breaches.