Data Processing Addendum

This data processing addendum (“DPA”) is incorporated into the Agreement, and is entered into as of the date of entering into the Agreement. For the purposes of this DPA, the Customer is the Controller and Meltwater the Processor (or Service Provider, as applicable).

1. Interpretation

The terms and expressions set out in this DPA shall have the following meanings:

“Agreement” means the agreement between Meltwater and the Customer the parties for subscriptions to purchase of the Platform;

“Data Controller”, “Data Processor” and “processing” shall have the meanings given to them in the Applicable Privacy Law;

“Personal Data” means all data relating to individuals which is processed by the Data Processor on behalf of the Data Controller in accordance with this DPA;

“Applicable Privacy Law” means all privacy, data security, and data protection laws, directives, regulations, and rules in any jurisdiction applicable to the Personal Data processed under this DPA including, without limitation to the extent applicable, the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), the UK GDPR from December 31st 2020 and the United Kingdom Data Protection Act of 2018 (together “UK Privacy Law”), the Swiss Federal Act on Data Protection, the US States Data Laws (as defined herein);

“data controller”, “data processor” and “processing” shall have the meanings given to them in Applicable Privacy Law;

“DPF” means the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and Swiss-U.S. Data Privacy Framework;

“Personal Data” means all data relating to individuals which is processed by the Processor on behalf of the Controller in accordance with this DPA;

“Platform” has the meaning given to it or Meltwater Services in the Agreement;

“SCCs” means the Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021; and

“Sub-processor” means any third party that Processor engages to Process Personal Data on behalf of Processor to provide the Platform.

All other defined terms shall have the meaning given to them in the Agreement.

2. Categories of Personal Data covered by the DPA

2.1. Should the Controller use the Media Intelligence (Meltwater) platform: Contact details (including name, email address and possibly telephone number) and the IP-address used to login to the Platform, of the Controller’s employees who are added as Authorized Users to the Platform.

2.2. Should the Controller use any of the following Meltwater services: newsletter, media relations services from the Processor, the categories of Personal Data processed also include the following: name, email address, possibly telephone number, title, employer and social handle, of the data subjects whose information the Controller uploads to the Platform.

2.3. Should the Controller use Meltwater Engage, the categories of Personal Data processed may also include the following: (i) name, email address, possibly telephone number, and social handle, of the data subjects in the Controller’s Salesforce instance which the Controller syncs with the Platform and (ii) any Personal Data included in the direct messages managed through Meltwater Engage. The Controller shall not upload sensitive personal data, as defined by Applicable Privacy Law, requiring further protection measures compared to Personal Data.

2.4. Should the Controller use the Influencers Marketing platform: Controller’s employees’ contact details (including but not limited to name or email address) and signup/login information, any other Personal data (such as notes, contracts, etc.) related to influencers or the Controller’s customers the Controller adds to and stores on the Platform, as well as conversion data and information obtained via pixels the Controller places on its website.

2.5. Should the Controller use Consumer Insights or Content Curation platform: Contact details (including name, email address and possibly telephone number), the IP-address used to login to the Platform, social network information, and a potential profile picture of the Controller’s employees who are added as Authorized Users to the Platform.

2.6. Should the Controller use the Sales Intelligence platform: Email address, role and the name of the employer.

3. Processing and use of Personal Data

3.1. Processor is to process Personal Data received from the Controller (a) in compliance with instructions provided by the Controller as set out in this DPA (b) exclusively for the purpose of providing the Platform established in the Agreement or (c) as otherwise notified in writing in accordance with the notice provisions in the Agreement by the Controller to the Processor during the term of the Agreement.

3.2. The Processor shall at all times comply with Applicable Privacy Law and shall not perform its obligations under this DPA, or the Agreement, in such a way as to cause the Controller to breach any of its applicable obligations under Applicable Privacy Law.

3.3. The Processor agrees to comply with any reasonable measures required by the Controller to ensure that its obligations under this DPA are satisfactorily performed in accordance with Applicable Privacy Law from time to time in force.

4. Security of Personal Data

4.1. Processor agrees to implement and maintain an appropriate information security program with technical and organisational measures to protect the security of Personal Data to a level of security appropriate to the risk; in particular, against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. Details of such measures are included in Annex II.

4.2. Processor, if so requested by the Controller, shall supply details of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access.

4.3. All Personal Data provided to the Processor by the Controller or obtained by the Processor in the course of its work with the Controller is confidential and may not be copied, disclosed or processed in any way without the express authority of the Controller.

5. Sub-processors and employees

5.1. Where the Processor processes Personal Data (whether stored in the form of physical or electronic records) on behalf of the Controller it shall take reasonable steps to ensure the reliability of all employees and Sub-processors.

5.2. Processor will take reasonable measures to inform and train its employees about relevant privacy legislation and data security and ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and ensure that all employees and Sub-processors are informed of the confidential nature of the Personal Data and are aware of Processor’s duties under this DPA and their personal duties and obligations under Applicable Privacy Law;

5.3. Controller approves the use of the Sub-processors listed at https://www.meltwater.com/en/privacy/subprocessors. The Processor shall notify the Controller in writing of any new Sub-processors prior to the Sub-processor having access to Personal Data, subject to the Controller subscribing to such notifications at https://www.meltwater.com/en/privacy/subprocessors. Controller may with reasonable grounds object to an appointment of a new Sub-processor within 10 business days from receiving the above mentioned notification if it considers the appointment is not in compliance with Applicable Privacy Law.

5.4. Processor shall not disclose, transfer and/or grant access to Personal Data to a Sub-processor unless Processor: (i) executes a written agreement with such Sub-processor that contains substantially similar data protection obligations imposed on Processor by this DPA, including implementing appropriate technical and organizational measures; and (ii) remains liable for subcontractor’s failure to fulfil its obligations with respect to the processing of Personal Data as if Processor had failed to fulfil such obligations.

6. Audit

1. Audit. Processor agrees that, on reasonable, a minimum 30 days, prior notice and maximum once per calendar year, permit persons authorised by the Controller to access Processor’s premises on which Personal Data provided by the Controller to the Processor is processed and to inspect the Processor’s systems comply with this Agreement. The annual restriction on the audit right does not apply if the Personal Data has been subject to a security incident described in section 7. Controller acknowledges that Processor’s obligations under this section may be satisfied in whole or part by the provision to Controller of appropriate information; records; and certifications and audit reports issued by reputable independent third parties provided that there have been no material changes to the controls used by Processor since the certification or audit report was issued.

7. Access to Personal Data and Security Incident

7.1. Processor shall notify the Controller if it receives a request from a data subject to have access to that person’s Personal Data or a complaint or request relating to the Controller’s obligations under Applicable Privacy Law.

7.2. Processor shall provide the Controller with full co-operation and assistance in relation to any complaint or request made, including by providing the Controller with full details of the complaint or request and complying with a data access request within the relevant timescale set out in Applicable Privacy Law and in accordance with the Controller’s instructions;

7.3. If the Processor becomes aware of any unauthorised or unlawful processing of any Personal Data or that any Personal Data is lost or destroyed or has become damaged, corrupted or unusable or becomes aware of any security breach, the Processor shall, at its own expense, without undue delay notify (and in any event within 48 hours) Controller (“Notice”) and fully co-operate with the Controller and assist the Controller, in dealing with a security breach and in ensuring compliance with its obligations under Applicable Privacy Law with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators as soon as reasonably practicable.

7.4. The Notice shall include, to the extent available to the Processor at the time, a) a description of the nature of the incident, including where possible the categories and approximate number of data subjects concerned, b) a description of the likely consequences of the incident and c) a description of the measures taken or proposed to be taken by the Processor to address the incident.

8. International data transfer

8.1. To the extent any Personal Data is accessed by Processor, or transferred to Processor outside of the country of the Controller, the transfer(s) shall occur according to the requirements of the Applicable Privacy Law, including the DPF and other mechanisms provided by GDPR chapter V.

8.2. Meltwater News US Inc. (“Meltwater US”) participates in and certifies compliance with the DPF. As required by the DPF, Meltwater will (i) provide at least the same level of privacy protection as is required by the DPF principles; and (ii) take reasonable and appropriate steps to remediate the processing for example by relying on the SCCs, if it makes a determination it no longer participates in the DPF or meets its obligation to provide the same level of protection as is required by the DPF principles.

8.3. To the extent Personal Data includes personal data from the EU and EEA to a third country without adequate protection, by entering into the Agreement and this DPA, the Parties are deemed to have signed the SCCs, including their annexes, attached hereto.

8.3.1. To the extent the SCCs are entered into, the following options for Module 2 of the SCCs shall be used:

8.3.1.1. Clause 7. The optional docking does not apply.

8.3.1.2. Clause 9. Use of sub-processors Option 2: General written authorization is selected and the minimum time period for prior notice of sub-processor changes shall be minimum 30 days, subject to the Controller subscribing to such notifications at https://www.meltwater.com/en/privacy/subprocessors.

8.3.1.3. Clause 11. The optional language does not apply.

8.3.1.4. Clause 17. Option 2 is selected and the Parties agree that this shall be the law of the Agreement.

8.3.1.5. Clause 18 (b). The Parties agree that any dispute arising from these Clauses shall be resolved by the courts of the country as agreed in the Agreement.

8.3.1.6. Clause 13. All square brackets in are hereby removed;

8.3.1.7. Annex I to this DPA contains the information required in Annex I of the SCCs;

8.3.1.8. Annex II to this DPA contains the information required in Annex II of the SCCs; and

8.3.1.9. Annex III to this DPA contains the information required in Annex III of the SCCs.

8.4. To the extent Personal data includes personal data from Switzerland clause 8.3 and, for the purposes of localizing the SCCs to Swiss law the following applies:

8.4.1. The parties adopt the GDPR standard for all data transfers, or the standard under Swiss law where higher.

8.4.2. The parties agree that the references to provisions of the GDPR in the SCCs are to be understood as references to the corresponding provisions of the Swiss Federal Data Protection Act in the version applicable at the moment of initiation of any dispute.

8.4.3. The term Member State where used in the SCCs also applies to Switzerland. In particular, this shall ensure that data subjects are not excluded from the possibility to sue for their rights in their place of habitual residence.

8.4.4. Clause 13 and Annex I(C): The competent authorities under Clause 13, and in Annex I(C), are the Federal Data Protection and Information Commissioner and, concurrently, the EEA member state authority identified above.

8.4.5. Clause 17: The Parties agree that the governing jurisdiction is the Member State in which the data exporter is established for claims under the GDPR and the substantive laws of Switzerland for claims under the Swiss Federal Data Protection Act.

8.4.6. Clause 18: Any dispute arising from these Clauses shall be resolved by the courts of Zurich, Switzerland. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence. The Parties agree to submit themselves to the jurisdiction of such courts.

8.4.7. The parties agree to interpret the SCCs so that “data subjects” includes legal entities until the revised Swiss Federal Act on Data Protection enters into force.

8.5. To the extent Personal Data includes personal data from the UK and for the purposes of localizing the SCCs to United Kingdom law, the parties agree to the following:

8.5.1. The parties agree that the SCCs are deemed amended to the extent necessary that they operate for transfers from the United Kingdom to a third country and provide appropriate safeguards for transfers according to Article 46 of the UK GDPR. Such amendments include changing references to the GDPR to the UK GDPR and changing references to EU Member States to the United Kingdom.

8.5.2. The UK Addendum will apply to transfers of UK Personal Data protected by the UK GDPR and will be completed as follows:

(a) Table 1 will be completed with the relevant information in Annex I of this DPA;

(b) Table 2 will be completed with the selected modules and clauses of the EU SCCs as identified in Section 8.3 of this DPA;

(c) Table 3 will be completed with the relevant information from Annexes I, II and III of this DPA;

(d) In Table 4, both the data exporter and data importer may end the UK Addendum in accordance with the terms of the UK Addendum.

8.6. US States Privacy Laws. If Controller or their data subjects are residents of California, Virginia, Colorado, Connecticut or Utah, please review our US States Privacy Laws Addendum for information regarding your privacy rights.

9. Return or disposal

The Processor shall destroy or transfer all Personal Data to the Controller on the Controller’s request in the formats, at the times and in compliance with the requirements notified in writing by the Controller to the Processor. The Personal Data of the Controller shall be destroyed at the latest six (6) months after the expiry or termination of the Agreement. For the Sales Intelligence platform, the Authorized User has the option to remain a freemium user after the end of the Agreement.

10. General

10.1. Separate controllers and anonymised data. Meltwater may process personal data related to the customer as a data controller outside of the scope of this DPA, for example for customer management purposes, and use personal data in anonymised format for product development purposes.

10.2. Conflict. If there is a conflict between the provisions of the Agreement and this DPA, the provisions of this DPA shall prevail.

10.3. Governing law and dispute resolution. This DPA shall be governed by the laws governing the Agreement. All disputes arising out of or in connection with this DPA shall be finally settled by the dispute resolution body agreed in the Agreement.

10.4. Validity. This DPA shall be valid as long as the Agreement is in force.

ANNEX I

A. LIST OF PARTIES

Data exporter(s):

Name: The Customer as defined in the Agreement

Address: The address for the Customer as defined in the Agreement

Contact person’s name, position and contact details: The contact person for the Customer as defined in the Agreement

Activities relevant to the data transferred under these Clauses: The use of Platform as defined in the Agreement

Role (controller/processor): Controller

Data importer(s):

Name: The Meltwater contracting entity as defined in the Agreement

Address: The address for the Meltwater contracting entity as defined in the Agreement

Contact person’s name, position and contact details: The contact person for the Meltwater contracting entity as defined in the Agreement

Activities relevant to the data transferred under these Clauses: The provision of Platform as defined in the Agreement

Role (controller/processor): Processor   

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred: Controller's employees authorized to use the Platform and data subjects whose Personal Data the Controller uploads to the Platform.

Categories of personal data transferred: As defined in section 2 of the DPA.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: No sensitive data is transferred.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous basis.

Nature of the processing: Transfer, copying, use, deletion, correction, adjustment.

Purpose(s) of the data transfer and further processing: Personal data will be transferred from Controller to Data Processor for Data Processor to provide media monitoring SaaS-service.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

The Data Processor’s main establishment is in the Netherlands. Dutch Supervisory Authority is the competent authority.

ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES

ANNEX III

LIST OF SUB-PROCESSORS

The Data Controller has authorised the use of the Sub-processors listed at: https://www.meltwater.com/en/privacy/subprocessors.

Previous Versions

Below are previous versions of our Terms. They are effective as they correspond to the signature date of your Agreement.
