DATA PROCESSING ADDENDUM


Last updated: April 8, 2025

This Data Processing Addendum (“DPA”) forms part of the agreement (“Agreement”) between the Schafer Systems entity or entities (“Schafer”) under which Schafer provides its customer, subscriber, licensee or other partner and any applicable affiliate (“Customer”) certain products or services (“Services”) and in which this DPA is referenced.

I. DEFINITIONS

“Data Protection Laws” means all applicable privacy and data protection laws, rules, regulations, decrees, or orders.
The terms “personal data”, “personal data breach”, “processing”, “processor,” and “data subject”, will have the same meanings ascribed to them in the Data Protection Laws, and where the Data Protection Laws use equivalent or corresponding terms, such as “personal information” instead of “personal data,” they will be read herein as the same.

II. SCOPE

This DPA applies to the processing of personal data by Schafer on behalf of Customer and, if applicable, Customer Affiliates under the Agreement.

III. SCOPE OF PROCESSING

a) Processing by Schafer will be governed by this DPA. In particular, Schafer will process the personal data only on documented instructions from Customer, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by applicable law to which Schafer is subject; in such a case, Schafer will inform Customer of that legal requirement before processing, unless that law prohibits Schafer from doing so on important grounds of public interest.

b) The subject matter of the processing is the personal data provided in respect of the Services under this Agreement. The duration of the processing is the duration of the provision of the Services under the Agreement until disposal of the personal data in accordance with the Agreement. The nature and purpose of the processing is in connection with the provision of the Services under the Agreement. The types of personal data processed are those submitted to Schafer by or at the direction of Customer as part of the Services. The categories of data subjects are those whose personal data is submitted to Schafer by or at the direction of Customer as part of the Services.

c) The Agreement, including this DPA, along with Customer use and configuration of the Services, are the complete and final documented instructions to Schafer for the processing of the personal data. Additional or alternate instructions must be agreed upon separately by the parties. Schafer will ensure that its personnel engaged in the processing of the personal data will process such data only on documented instructions provided by Customer, unless required to do so by applicable law.

IV. CONFIDENTIALITY

Schafer will ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

V. SECURITY OF PROCESSING

a) Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Customer and Schafer will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in the Agreement and including inter alia as appropriate:

  1. the pseudonymization and encryption of personal data;

  2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

  3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and

  4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

b) In assessing the appropriate level of security, account will be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.

c) Customer and Schafer will take steps to ensure that any natural person acting under the authority of Customer or Schafer who has access to personal data does not process data except on instructions from Customer unless he or she is required to do so by applicable law.

d) Notwithstanding any provision to the contrary, Schafer may modify or update its security measures at its discretion provided that such modification or update does not result in a material degradation in the protection offered by the Agreement.

VI. SUB-PROCESSING

a) Customer hereby provides Schafer with a general authorization to engage other processors for the processing of personal data in accordance with this DPA. Schafer will maintain a list of such processors at SRS-Subprocessor-List-2025.pdf, which Schafer may update from time to time. At least 14 days before authorizing any new such processor to process the personal data, Schafer will update such list on its website. If Customer objects to any changes to Schafer’s sub-processors, Schafer will ensure that any new processor is subject to data protection obligations consistent with this DPA. Customer may object to changes in sub-processors in accordance with the Agreement’s dispute resolution process or any applicable rights under the Agreement.

b) Where Schafer engages another processor for carrying out specific processing activities on behalf of Customer, commensurate data protection obligations as set out in this DPA will be imposed on that other processor by way of a contract or under the Data Protection Laws. Where that other processor fails to fulfil those data protection obligations, Schafer will (subject to the terms of the Agreement) remain fully liable to Customer for the performance of that other processor's obligations.

VII. DATA SUBJECT RIGHTS

a) Taking into account the nature of the processing, Schafer will assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the data subject's rights.

b) Schafer will, to the extent legally permitted, promptly notify Customer of any data subject requests received by Schafer and reasonably cooperate with Customer to fulfil its obligations under the Data Protection Laws in relation to such requests. Customer will be responsible for any reasonable costs arising from Schafer providing assistance to Customer to fulfil such obligations.

VIII. ASSISTING THE CUSTOMER

Schafer will assist Customer in ensuring compliance with data security, personal breach notification and other obligations as required under the Data Protection Laws, taking into account the nature of processing and the information available to Schafer.

IX. TERMINATION OF PROCESSING

Upon the expiration or termination of Customer’s use of the Services, unless applicable law requires storage of the personal data, Customer instructs Schafer to delete the personal data in accordance with the terms and timelines, if any, for the Services set forth in the Agreement. Where the Agreement provides Customer the choice to delete the personal data and Customer does not make that choice within 30 days following the termination of the Agreement, Customer hereby instructs Schafer to delete the personal data, unless applicable law requires storage of the personal data. In such cases, Schafer will delete the personal data as soon as practicable.

X. AUDITS

The rights for conducting audits are set forth in the Agreement. In the absence of such requirements in the Agreement, where the Data Protection Laws so require, audits will be: (i) subject to the execution of appropriate confidentiality or non-disclosure agreements; (ii) conducted no more than once per year, unless a demonstrated reasonable belief of non-compliance with the Agreement has been made, upon 30 days written notice and having provided a plan for such review; and (iii) conducted at a mutually agreed upon time, place, and manner.

XI. CROSS-BORDER TRANSFER

Schafer may, in the provision of the Services, transfer or process personal data in a country other than the country of origination of such data. Schafer will ensure that, to the extent that any personal data originating from Customer’s country is transferred by Schafer to another country, such transfer will be subject to appropriate safeguards that provide an adequate level of protection in accordance with the Data Protection Laws.

XII. PERSONAL DATA BREACH

Schafer will notify Customer without undue delay after becoming aware of a personal data breach involving personal data processed under this DPA and will reasonably respond to Customer’s request for further information so that Customer may fulfil its obligations under the Data Protection Laws.

XIII. RECORDS OF PROCESSING ACTIVITIES

Schafer will maintain all records required by the Data Protection Laws and, to the extent applicable to the processing of the personal data on behalf of Customer, make them available as required.

XIV. LAWFUL BASIS FOR PROCESSING

Customer warrants that it has the necessary legal basis for processing the personal data as set forth in the Agreement and this DPA.

XV. JURISDICTION-SPECIFIC TERMS

To the extent that Schafer is processing any personal data originating from or otherwise subject to the Data Protection Laws of any of the jurisdictions listed below, the terms specified therein with respect to the applicable jurisdiction(s) apply in addition to the foregoing terms.

a) European Economic Area and United Kingdom
To the extent that Customer transfers personal data from the European Economic Area (“EEA”) or the United Kingdom (“UK”) to Schafer located outside the EEA or UK, unless the parties may rely on an alternative transfer mechanism or basis under the data protection laws, the parties will be deemed to have entered into the standard contractual clauses approved by the European Commission Implementing Decision (EU) 2021/914 available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj (“Clauses”) in respect of such transfer, whereby:

  1. Customer is the “data exporter” and Schafer is the “data importer”;

  2. The footnotes, Clause 9(a) Option 1, and Clause 11(a) Option are omitted, the time period in Clause 9(a) Option 2 is 14 days, and the applicable annexes are completed respectively with the information set out in the DPA and the Agreement;

  3. Customer acts as a controller and Schafer acts as a processor, Module Two applies and Modules One, Three and Four are omitted; and

  4. If there is any conflict between the terms of the Agreement and the Clauses, the Clauses will prevail.

  5. In relation to transfers of personal data from the UK, the Clauses as implemented as above in this section will apply subject to the following modifications:

i. the Clauses are amended as specified by Part 2 of the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses available at https://ico.org.uk/media/for-organisations/documents/4019483/international-data-transfer-addendum.pdf, as may be amended or superseded from time to time (“UK Addendum”);

ii. tables 1 to 3 in Part 1 of the UK Addendum are completed respectively with the information set out in the DPA and the Agreement (as applicable); and

iii. table 4 in Part 1 of the UK Addendum is completed by selecting “neither party”.

b) United States
To the extent that Schafer processes personal data in scope of Data Privacy Laws in the following jurisdictions, the supplementary US Data Privacy Laws below shall apply, as applicable:

California

  1. To the extent that Schafer is processing on behalf of Customer any personal data in scope of the California Consumer Privacy Act of 2018, as amended, and its regulations (collectively, the “CCPA”):

i. Schafer is prohibited from selling or sharing personal data it collects (as those terms are defined in the CCPA) pursuant to the Agreement;

ii. The specific business purpose (as that term is defined in the CCPA) for which Schafer is processing personal data pursuant to the Agreement is to provide, manage, operate and secure the Services, and Customer is disclosing the personal data to Schafer only for the limited and specified business purpose set forth in the Agreement;

iii. Schafer is prohibited from retaining, using, or disclosing the personal data that it collected pursuant to the Agreement for any purpose other than for the business purpose specified in the Agreement or as otherwise permitted by the CCPA;

iv. Schafer is prohibited from retaining, using, or disclosing the personal data that it collected pursuant to the Agreement for any commercial purpose (as that term is defined in the CCPA) other than the business purposes specified in the Agreement, unless expressly permitted by the CCPA;

v. Schafer is prohibited from retaining, using, or disclosing the personal data that it collected pursuant to the Agreement outside the direct business relationship between Schafer and Customer, unless expressly permitted by the CCPA;

vi. Schafer is required to comply with all applicable sections of the CCPA, including – with respect to the personal data that Schafer collected pursuant to the Agreement – providing the same level of privacy protection as required of businesses by the CCPA;

vii. Schafer grants Customer the right to take reasonable and appropriate steps to ensure that Schafer uses the personal data that it collected pursuant to the Agreement in a manner consistent with Customer’s obligations under the CCPA;

viii. Schafer is required to notify Customer after it makes a determination that it can no longer meet its obligations under the CCPA;

ix. Schafer grants Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate Schafer’s unauthorized use of personal data; and

x. Schafer is required to enable Customer to comply with consumer requests made pursuant to the CCPA or Customer is required to inform Schafer of any consumer request made pursuant to the CCPA that they must comply with and provide the necessary information to Schafer to comply with the request.

2. To the extent that either party sells to or shares with the other any personal data in scope of the CCPA:

i. The purposes for which the personal data is made available to and by Schafer is to provide, manage, operate and secure the Services under the Agreement subject to the applicable party’s applicable privacy policy;

ii. The personal data is made available to the receiving party only for the limited and specified purposes set forth in the Agreement and is required to be used only for those limited and specified purposes;

iii. The receiving party is required to comply with applicable sections of the CCPA, including – with respect to the personal data that is made available to the receiving party – providing the same level of privacy protection as required of businesses by the CCPA;

iv. The disclosing party is granted the right – with respect to the personal data that is made available to Schafer – to take reasonable and appropriate steps to ensure that the receiving party uses the personal data in a manner consistent with the disclosing party’s obligations under the CCPA;

v. The disclosing party is granted the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal data made available to the receiving party; and

vi. The receiving party is required to notify the other party after it makes a determination that it can no longer meet its obligations under the CCPA.

Colorado, Connecticut, Delaware, Iowa, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Texas, Utah, Virginia or other states adopting commensurate Data Protection Laws:

  1. To the extent that Schafer is processing on behalf of Customer any personal data in scope of such Data Protection Laws, Schafer shall:

    a. Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;

    b. At Customer’s direction, delete all personal data to Customer as requested at the end of the provision of the Services, unless retention of the personal data is required by law;

    c. Upon the reasonable request of Customer, make available to Customer all information in its possession necessary to demonstrate its compliance with the obligations under the foregoing laws;

    d. Allow, and cooperate with, reasonable assessments by Customer or Customer’s designated assessor as required by applicable law; and

    e. Engage any subcontractor, subject to any applicable right of objection, pursuant to a written contract in accordance with applicable Data Protection Laws that requires the subcontractor to meet the obligations of Schafer with respect to the personal data;

  2. and the parties shall, taking into account the context of the processing, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between them to implement the measures.