Data Processing Addendum

This Data Processing Addendum (DPA) applies to L-Soft's processing of Personal Data for the customer where L-Soft International, Inc. and its affiliates (L-SOFT) has no direct contractual relationship with the end user. This DPA is subject to the terms of the existing agreement (capitalized terms, not defined in this addendum, have the meanings given them in the General Data Protection Regulation 2016/679 (GDPR)). In the event of conflict, the DPA prevails over the rest of the agreement except where explicitly set out in the agreement identifying the relevant Section of the DPA over which it prevails.

1. Processing

a. If a customer is processing Personal Data on behalf of a Client as a Processor, the customer has been instructed by and obtained the authorization of the relevant Client to engage L-SOFT as their sub-processor to process Personal Data as set out in this DPA. L-SOFT's customer will maintain an up-to-date record of each Client and, if applicable, each Controller, including name and contact details and, upon L-Soft's request provide such record to L-SOFT without undue delay.

b. L-SOFT will process Personal Data according to customer's written instructions. The scope of the customer's instructions for the processing of Personal Data is defined by the Agreement and this DPA. The customer may provide further instructions that are legally required (Additional Instructions). If L-SOFT believes an Additional Instruction violates the GDPR or other applicable data protection regulations, L-SOFT will notify the customer without undue delay and may suspend the performance until the customer has modified or confirmed the lawfulness of the Additional Instruction in writing. If L-SOFT notifies the customer that an Additional Instruction is not feasible, or the customer notifies L-SOFT that it does not accept the quote for the Additional Instruction prepared in accordance with Section 6(b), the customer may terminate the affected Service by providing L-SOFT with a written termination notice within thirty days after notification. L-SOFT will refund a prorated portion of any prepaid charges for the period after the termination date.

c. The customer is the single point of contact for L-SOFT. As Client(s) or other Controller(s) may have certain direct rights against L-SOFT, the customer will exercise all such rights on their behalf and obtain all necessary permissions from Clients and, if applicable, other Controllers. L-SOFT shall be discharged of its obligation to inform or notify a Client and, if applicable, another Controller when L-SOFT has provided such notice to the customer. L-SOFT will serve as a single point of contact for the customer with respect to its obligations as a Processor.

d. L-SOFT will comply with all European Economic Area (EEA) data protection laws and regulations regarding the services applicable to Processors. L-SOFT is not responsible for determining the requirements of laws applicable to the customer's business or that L-SOFT's provision of the services meet the requirements of such laws. The customer is responsible for the lawfulness of the processing of Personal Data. The customer will not use the services in conjunction with Personal Data to the extent that doing so would violate applicable Data Protection Laws and will oblige its Clients to not do so.

2. Subscriber Rights

a. To the extent permitted by law, L-SOFT will inform the customer of requests directly to L-SOFT from subscribers exercising their data privacy rights (e.g., rectification and deletion of Personal Data). The customer shall be responsible to handle such requests. L-SOFT will reasonably assist the customer in accordance with Section 6(b).

b. If a subscriber brings a claim directly against L-SOFT for a data privacy violation, the customer will indemnify L-SOFT for any damages, expenses or loss arising from such a claim, to the extent that L-SOFT has notified the customer about the claim and given the customer the opportunity to cooperate with L-SOFT in the defense and settlement of the claim. Subject to the terms of the Agreement, the customer may claim from L-SOFT amounts paid to a subscriber for a violation of their data privacy rights caused by L-SOFT's breach of its obligations under the GDPR.

3. Third Party Requests and Confidentiality

a. L-SOFT will not disclose Personal Data to any third party, unless authorized in writing from the customer or required by law. If a government or Supervisory Authority demands access to Personal Data, L-SOFT will notify the customer prior to disclosure, unless prohibited by law.

b. L-SOFT requires all its personnel, authorized to access or process Personal Data, to commit themselves to confidentiality.

c. L-SOFT will protect the confidentiality of subscribers' Personal Data. L-SOFT will process Personal Data only for the explicit purposes instructed by the customer (Additional instructions) per Section 1 (b) or unless required by applicable law.

4. Return or Deletion of Client Personal Data

a. Upon termination or expiration of the Agreement, L-SOFT will delete Personal Data in its possession, unless otherwise required by applicable law.

b. If applicable, the customer shall delete or return subscriber Personal Data upon the subscriber's request or at the expiration of subscriber's use of the Service. L-SOFT will assist the customer to the extent the customer provides necessary information to identify applicable Personal Data and L-SOFT has appropriate access to the Personal Data.

5. Personal Data Breach

L-SOFT will notify the customer without undue delay after becoming aware of a Personal Data Breach with respect to the Services. L-SOFT will promptly investigate the Personal Data Breach if it occurred on L-SOFT infrastructure or in another area L-SOFT is responsible for and will assist the customer as set out in Section 6.

6. Assistance

a. L-SOFT will assist the customer, upon written request, by technical and organizational measures, insofar as possible, for the fulfillment of the customer's obligation to assist Client(s) with its obligation to comply with the rights of subscribers and in ensuring compliance with Client's obligations relating to the security of processing, the notification of a Personal Data Breach and the Data Protection Impact Assessment, considering the information available to L-SOFT.

b. The customer will make a written request for any assistance referred to in this DPA. The request and cost to the customer will be documented in a Statement of Work (SOW) and signed by both parties. L-SOFT will charge the customer no more than a reasonable charge to perform such assistance or Additional Instructions.

LISTSERV is a registered trademark licensed to L-Soft international, Inc.

See Guidelines for Proper Usage of the LISTSERV Trademark for more details.

All other trademarks, both marked and unmarked, are the property of their respective owners.