Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the Intelligo Master Services Agreement (the “Agreement”) entered by and between you, the Customer (as defined in the Agreement) (collectively, you, your, “Customer”) and Intelligo Group USA Corp., having its principal place of business at 261 Madison Ave., New York, NY 10016 (“Intelligo”) to reflect the parties’ agreement with regards to the Processing of Personal Data by Intelligo solely on behalf of the Customer. 

All capitalized terms not defined herein will have the meaning set forth in the Agreement, or under applicable Data Protection Laws and Regulations. All terms under the Agreement apply to this DPA, except that the terms of this DPA will supersede any conflicting terms under the Agreement solely with respect to the Processing of Personal Data. 

In the course of providing the service to Customer pursuant to the Agreement (the “Service”), Intelligo may Process Personal Data on behalf of Customer. In accordance with this DPA, the parties agree to comply with the following provisions with respect to Customer's Personal Data processed by Intelligo on behalf of Customer as part of the Service.  1. DEFINITIONS 1.1 “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity. 1.2 “Authorized Affiliate” means any of Customer's Affiliate(s) which is explicitly permitted to use the Service pursuant to the Agreement between Customer and Intelligo but has not signed its own agreement with Intelligo and is not a "Customer" as defined under the Agreement. 1.3 “Data Subject” means the identified or identifiable person to whom the Personal Data relates. 1.4 “Personal Data means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with an identified or identifiable natural person, which is processed by Intelligo solely on behalf of Customer, under this DPA and the Agreement between Customer and Intelligo. 1.5 “Personal Data Breach means a security breach that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.  1.6 “Personnel means persons authorized by Intelligo to Process Customer's Personal Data.  1.7 “Data Protection Laws and Regulations” means all applicable and binding privacy and data protection laws and regulations, including the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“GDPR”), the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (“UK GDPR”), the Swiss Federal Act on Data Protection of 19 June 1992 as revised as of 25 September 2020 (“FADP”) and US Federal and State privacy laws including the California Consumer Privacy Act of 2018 Cal. Civil Code § 1798.100 et seq. and its implementing regulations, as amended by the California Privacy Rights Act (“CCPA”). 1.8 The terms “Controller”, “Member State”, “Processing”, “Processor” and “Supervisory Authority” shall have the same meanings given to them in the GDPR. 1.9 “Sub-Processor” means any third party that Processes Personal Data under the instruction or supervision of Intelligo. 1.10 “Standard Contractual Clauses” means the standard contractual clauses and related annexes and appendices which are hereby incorporated into and form part of this DPA in the form available under  Exhibit A of this DPA (“SCC”). 1.11 “Third Country is a country outside of the European Economic Area (“EEA”), Switzerland or the United Kingdom (“UK”) that has not been acknowledged by the EU Commission, the Swiss Federal Data Protection and Information Commissioner or the UK Secretary of State as providing an adequate level of protection in accordance with Article 45(3) of the GDPR, Article 16(1) FADP or Article 45 of the UK GDPR.  2. DATA PROCESSING  2.1 Scope and Roles. This DPA applies when Personal Data is Processed by Intelligo as part of Intelligo's provision of the Service, as further specified in the Agreement and the applicable order form. In this context, the parties agree and acknowledge that with regard to the Personal Data that Intelligo Processes solely on behalf of the Customer under the Agreement, Customer is the Controller and Intelligo is the Processor.  2.2 Subject Matter, Duration, Nature and Purpose of Processing. To provide the Service, Intelligo processes Customer's Personal Data in accordance with the specifications and for the duration stipulated in the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Exhibit A – Annex 1, Part B (Description of Processing) to this DPA.  2.3 Instructions for Intelligo's Processing of Personal Data. Intelligo will only Process Personal Data on behalf of and in accordance with Customer's documented instructions that, at all times, shall comply with applicable Data Protection Laws and Regulations. Customer instructs Intelligo to Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement and this DPA and for the purpose of providing the Service to Customer; (ii) Processing to comply with other reasonable and documented instructions provided by Customer where such instructions are consistent with the terms of the Agreement, this DPA, and applicable Data Protection Laws and Regulations, regarding the manner in which the Processing shall be performed; (iii) Processing to render Personal Data fully anonymous, non-identifiable and non-personal in accordance with applicable standards recognized by applicable Data Protection Laws and Regulations and guidance issued thereunder; and (iv) Processing as required to comply with the laws that apply to Intelligo and/or as required by a court of competent jurisdiction or other competent governmental or semi-governmental authority, provided that Processor shall inform Customer of the legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.  2.3.1 In the event that Customer discloses or otherwise makes available to Processor Deidentified Data (as defined by applicable Data Protection Laws), Processor shall (i) take reasonable measures to ensure such data cannot be associated with a natural person, and (ii) maintain and use such data without attempting to re-identify it. 2.3.2 Processing outside the scope of this DPA (if any) will require prior written agreement between Intelligo and Customer on additional instructions for Processing.  2.3.3 As required under applicable Data Protection Laws and Regulations, Intelligo will inform Customer without undue delay, if in Intelligo's opinion an instruction violates any provision under such applicable Data Protection Laws and Regulations and will be under no obligation to follow such instruction. To the extent that Intelligo cannot comply with an instruction from Customer, Intelligo (i) shall inform Customer, providing reasonably relevant details of the issue, (ii) Intelligo may, without liability to Customer, temporarily cease all Processing of the affected Personal Data (other than securely storing such data) and/or suspend Customer’s access to the Service, and (iii) if the parties do not agree on a resolution to the issue in question and the costs thereof, Customer may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Processing, and Customer shall pay to Intelligo all the amounts owed to Intelligo or due before the date of termination. Customer will have no further claims against Intelligo (including, without limitation, requesting refunds for Service) pursuant to the termination of the Agreement and the DPA as described in this paragraph.  2.4 Customer Obligations. Customer undertakes to provide all necessary notices to Data Subjects, receive all necessary permissions and consents, or otherwise secure the required lawful ground of Processing and perform any and all other actions, as necessary for Intelligo to lawfully Process Personal Data on Customer's behalf under the terms of the Agreement and this DPA, pursuant to the applicable Data Protection Laws and Regulations. To the extent required under applicable Data Protection Laws and Regulations, Customer will appropriately document and retain adequate records of the Data Subjects' notices and consents, or necessary assessment with other applicable lawful grounds of Processing.  2.5 CCPA Terms. If Customer is a Business under the CCPA, and Intelligo’s Processes Personal Data hereunder that is subject to the CCPA, the terms set forth in Exhibit B (CCPA Terms) hereto shall apply and bind the parties with regards to such Personal Data and the Processing thereof. 3. ASSISTANCE  3.1 Taking into account the nature of the Processing and insofar as this is possible and reasonable, Intelligo will assist Customer using appropriate technical and organizational measures, with the fulfilment of Customer's obligation to respond to requests for exercising the rights of Data Subjects, as required under applicable Data Protection Laws and Regulations. Intelligo shall refer Data Subjects making requests to exercise their rights directly to the Customer for its treatment of such requests.  3.2 Intelligo will further provide reasonable assistance to Customer to ensure that it complies with its obligations regarding the security of Processing, notification of a Personal Data Breach to Supervisory Authorities and affected Data Subjects.  3.3 Upon Customer’s reasonable request, Intelligo shall provide Customer, at Customer’s cost, with reasonable cooperation and assistance needed to fulfil Customer’s obligation under the applicable Data Protection Laws and Regulations to carry out a data protection impact assessment related to Customer’s use of the Service, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Intelligo. Intelligo shall provide, at Customer’s cost, reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this Section 3.3, to the extent required under the applicable Data Protection Laws and Regulations. 4. INTELLIGO PERSONNEL  4.1 Intelligo will ensure that its access to Personal Data is limited to those Personnel who require such access to provide the Service under the Agreement. Intelligo will impose appropriate contractual obligations upon its Personnel engaged in the Processing of Personal Data, including relevant obligations regarding confidentiality, data protection, and information security. Intelligo will ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training in their responsibilities, and have executed written confidentiality agreements.  5. SUB-PROCESSORS  5.1 Intelligo may engage Sub-Processors to Process Personal Data on behalf of Customer. Customer hereby provides Intelligo with a general authorization to engage the Sub-Processors listed in: https://www.intelligo.ai/subprocessors. All Sub-Processors have entered into written agreements with Intelligo that bind them by the same or materially similar data protection obligations under this DPA.  5.2 Intelligo may engage with a new Sub-Processor to Process Customer Personal Data on Customer's behalf. Intelligo will notify the Customer of the intended engagement with the new Sub-Processor ten (10) days prior to such engagement. Customer may object to the Processing of Customer's Personal Data by the new Sub-Processor, for reasonable and explained grounds relating to the protection of Personal Data, within the aforementioned notice period. If Customer timely sends Intelligo a written objection notice, the parties will make a good-faith effort to resolve Customer's objection. In the absence of a resolution, Intelligo will make commercially reasonable efforts to provide Customers with the same level of Service, without using the new Sub-Processor to Process Customer's Personal Data. If Intelligo is unable to make the same level of Service available, Customer may, as a sole remedy, terminate the applicable Agreement and this DPA with respect only to those aspects of the Service which cannot be provided by Intelligo without the use of the objected-to new Sub-Processor, by providing written notice to Intelligo. All amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to Intelligo. Until a decision is made regarding the new Sub-Processor, Intelligo may temporarily suspend the Processing of the affected Personal Data. Customers will have no further claims against Intelligo due to the termination of the Agreement (including, without limitation, requesting refunds) and/or the DPA in the situation described in this Section 5.2. 5.3 Intelligo will: (i) enter into a written agreement with each Sub-Processor containing appropriate safeguards to the protection of Personal Data and the same or substantially similar data protection obligations as set out in this DPA; and (ii) be responsible for the acts and omissions related to the Processing of Personal Data by its Sub-Processors in the performance of the Service to the same extent that Intelligo would be responsible if performing the Service of each Sub-Processor. 6. ONWARD AND TRANS-BORDER TRANSFER  6.1 Personal Data may be transferred from the EEA, Switzerland and the UK to countries that are not Third Countries. For the avoidance of doubt, Personal Data may be transferred to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the European Union, the Member States or the European Commission, Switzerland, and/or the UK as relevant (“Adequacy Decisions”), as applicable, without any further safeguard being necessary. 6.2 Customer's Personal Data that is subject to the GDPR (“EEA Transferred Data”) shall be transferred to a Third Country in accordance with the EU Standard Contractual Clauses (“EU SCCs), pursuant to EU Commission Decision C(2021)3972, of 4 June 2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council giving effect to the module specified in Exhibit A which is attached and incorporated by reference to this DPA, or, where necessary, in accordance with any successor thereof or an alternative lawful data transfer mechanism, and as follows:  6.2.1 Module Two (Controller to Processor) of the EU SCCs shall apply where a transfer for EEA Transferred Data is effectuated by Customer as the Controller of the Personal Data and Intelligo is the Processor of the Personal Data; 6.2.2 In Clause 7, the optional docking clause will not apply;  6.2.3 If applicable - in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-Processor changes will be as set out in Section 5 of this DPA;  6.2.4 In Clause 11, the optional language will not apply;  6.2.5 In Clause 17, Option 1 will apply, and the EU SCCs will be governed by the Irish law;  6.2.6 In clause 18(b), disputes will be resolved before the courts of Ireland;  6.2.7 Annex I of the EU SCCS is deemed completed with the information set out in Annex I of Exhibit A to this DPA, as applicable; and  6.2.8 Annex II of the EU SCCs is deemed completed with the information set out in Annex II of Exhibit A to this DPA. 

6.3 In relation to transfers of Customer's Personal Data that is subject to the UK GDPR (“UK Transferred Data") to a Third Country, the EU SCCs: (i) apply as completed in accordance with this Sections 6.3 above and 6.5 below; and (ii) are deemed amended as specified by the "UK Addendum to the EU Standard Contractual Clauses ("UK Addendum") issued by the UK Information Commissioner's Office under s.119A(1) of the Data Protection Act 2018 (officially published at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf), which is deemed executed by the parties and incorporated into and forming an integral part of this DPA. In addition, Tables 1 to 3 in Part 1 of the UK Addendum are deemed completed respectively with the information in Section 6.2 above and Annex I and II of Exhibit A; Table 4 in Part 1 is deemed completed by selecting "neither party." Any conflict between the terms of the EU SCCS and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.  6.4 In relation to transfers of Customer's Personal Data that is subject to the FADP (“Swiss Transferred Data") to a Third Country, the EU SCCs: (i) apply as completed in accordance with this Section 6.4 above and Section 6.5 below; (ii) the Swiss Federal Data Protection and Information Commissioner shall be the sole Supervisory Authority for Swiss Transfers exclusively subject to the FADP; (iii) the terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as utilized in the EU SCCs shall be interpreted to include the FADP with respect to Swiss Transferred Data; (iv) references to Regulation (EU) 2018/1725 are removed; (v) Swiss Transferred Data subject to both the FADP and the GDPR, shall be dealt with by the Swiss Federal Data Protection and Information Commissioner, insofar as the Swiss Transfer is governed by the FADP, and by the EU Supervisory Authority named in Exhibit A, Annex I, Part C of this DPA, insofar as the Swiss Transferred Data is governed by the GDPR; (vi) references to the “Union”, “EU” and “EU Member State” shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of exercising their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; (vii) where Swiss Transferred Data is exclusively subject to the FADP, all references to the GDPR in the EU SCCs are to be understood to be references to the FADP; and (viii) where Swiss Transferred Data is subject to both the FADP and the GDPR, all references to the GDPR in the EU SCCs are to be understood to be references to the FADP insofar as the Swiss Transfers are subject to the FADP. 6.5 Intelligo undertakes to implement the following additional organizational and technical safeguards, in addition to the safeguards mandated by the EU SCCs (where relevant as amended for Swiss Transferred Data and the UK Addendum:  6.5.1 Intelligo will implement and maintain the technical measures, as specified in Annex II of Exhibit A, which is attached and incorporated by reference to this DPA, with a purpose to protect the EEA, Swiss or UK Transferred Data (as relevant) from Processing for national security or other governmental purposes that goes beyond what is necessary and proportionate in a democratic society, considering the type of Processing activities under the Agreement and relevant circumstances;  6.5.2 In order to safeguard EEA, Swiss or UK Transferred Data (as relevant), when any government or regulatory agency of a Third Country requests access to such data, such as for bulk surveillance relating to the Personal Data protected under GDPR, the UK GDPR or FADP including under section 702 of the United States Foreign Intelligence Surveillance Act (“FISA”) ("Request"),  unless required by a valid court order or if otherwise Intelligo may face criminal charges for failing to comply with orders or demands to disclose or otherwise provide access to EEA, Swiss or UK Transferred Data, or where the access is requested in the event of imminent threat to lives, Intelligo will:  6.5.2.1 inform the relevant government authority that the Intelligo is a Processor of the Personal Data and that Customer has not authorized Intelligo to disclose the Customer Personal Data to the government authority, and inform the relevant government agency or authority that any and all Requests or demands for access to Personal Data should therefore be notified to or served upon Customer in writing; 6.5.2.2 make commercially reasonable efforts to resist such Request(s) for bulk surveillance relating to the Personal Data protected under GDPR, the UK GDPR and FADP. Notwithstanding the forgoing, (a) Intelligo acknowledges that such challenge may not always be reasonable or possible in light of the nature, scope, context and purposes of the intended government authority access, and (b) if, taking into account the nature, scope, context and purposes of the intended government agency or authority access to Customer Personal Data, Intelligo has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, this Section 6.5.2.2 shall not apply; 6.5.2.3 not provide the source code or encryption keys to any government agency for the purpose of accessing the EEA, Swiss or UK Transferred Data; and  6.5.2.4 upon Customer's written request, provide reasonable available information about the Requests and other types of binding legal demands for Personal Data by government agencies or authorities that Intelligo has received in the six (6) months preceding to Customer's request. The foregoing information will solely be provided to the extent such demands have actually been received, including national security orders and directives, which shall encompass any process issued under section 702 of FISA.  6.5.3 If Intelligo receives a Request, Intelligo will notify Customer of such request to enable the Customer to take necessary actions, to communicate directly with the relevant agency and to respond to the Request. If Intelligo is prohibited by law to notify the Customer of the Request, Intelligo will make reasonable efforts to challenge such prohibition through judicial action or other means at Customer's expense and, to the extent possible, will provide only the minimum amount of information necessary.

7. INFORMATION SECURITY  7.1 Intelligo will maintain administrative, physical and technical safeguards for the protection of the security, confidentiality and integrity of Customer's Personal Data pursuant to Intelligo 's internal policies and procedures. Intelligo regularly monitors compliance with these safeguards. It is agreed that Intelligo may change, amend and/or revise the safeguards from time to time, provided, however, that such change may not materially reduce the overall security of the Service during the term of the Agreement. Detailed information regarding such safeguards is set forth can be found in Annex II of the Standard Contractual Clauses, as attached hereto as Exhibit A. 

8. AUDIT  8.1 Intelligo will allow for and contribute to audits, conducted by Customer or another auditor mandated by Customer, in relation to Intelligo's obligations under this DPA and applicable Data Protection Laws and Regulations. Intelligo may satisfy the audit obligation under this section by providing Customers with attestations, certifications and summaries of audit reports conducted by accredited third party auditors. Other audits by Customer are subject to the following terms: (i) the audit will be pre-scheduled in writing with Intelligo, at least forty-five (45) days in advance and will be performed not more than once a year; (ii) a third-party auditor shall not be a competitor of Intelligo and will execute a non-disclosure undertaking toward Intelligo; (iv) the auditor will not have access to non-Customer data; (v) Customer will ensure that the audit will not interfere with, damage or otherwise disrupt Intelligo's business activities and information and network systems; (vi) Customer will bear all costs and expenses related to the audit; (vii)  such audits and the results therefrom, including the documents reflecting the outcome of the audit shall only be used by Customer to assess compliance with this DPA and applicable Data Protection Laws and Regulations, and shall not be used for any other purpose or disclosed to any third party without Intelligo’s prior written approval; and (viii) as soon as the purpose of the audit is completed, Customer will permanently and completely dispose of all copies of the audit report. In the event that such an audit uncovers unauthorized Processing of Personal Data, Customer shall have the right to, upon notice, take reasonable and appropriate steps to stop and remediate such unauthorized Processing. 9. SECURITY BREACH MANAGEMENT AND NOTIFICATION 9.1 Intelligo maintains security incident management and breach notification policies and procedures and will notify Customer without undue delay after becoming aware of a Personal Data Breach related to Customer's Personal Data which Intelligo, or any of Intelligo's Sub-Processors, Process. Intelligo's notice will at least: (a) reasonably describe the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and number of Personal Data records concerned; (b) communicate the name and contact details of the Intelligo 's data protection team, which will be available to provide any additional available information about the Personal Data Breach; (c) if and to the extent known, describe the likely consequences of the Personal Data Breach; (d) describe the measures taken or proposed to be taken by Intelligo to reasonably address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay. 9.2 Intelligo will work diligently, pursuant to its security incident management and breach notification policies and procedures to promptly identify and remediate the cause of the Personal Data Breach and will without undue delay inform Customer accordingly. 9.3 The obligations herein shall not apply to incidents that are caused or contributed to by Customer or anyone who uses the Service on Customer’s behalf. Customer will not make, disclose, release or publish any finding, admission of liability, communication, notice, press release or report concerning any Personal Data Breach which directly or indirectly identifies Intelligo (including in any legal proceeding or in any notification to regulatory or supervisory authorities or affected individuals) without Intelligo’s prior written approval, unless, and solely to the extent that, Customer is compelled to do so pursuant to applicable Data Protection Laws and Regulations. In the latter case, unless prohibited by law, Customer shall provide Intelligo with reasonable prior written notice to provide Intelligo with the opportunity to object to such disclosure and in any case, Customer will limit the disclosure to the minimum scope required.

  10. DELETION AND RETENTION OF PERSONAL DATA  10.1 Within 60 days after the end of the provision of the Service, Intelligo will return Customer's Personal Data to Customer or delete such data. Notwithstanding, Customer acknowledges and agrees that Intelligo may retain copies of Customer Personal Data as necessary in connection with its routine backup and archiving procedures and to ensure compliance with its legal obligations and for the establishment, exercise or defense of legal claims and its continuing obligations under applicable law.  11. AUTHORIZED AFFILIATES 11.1 Contractual Relationship. The parties acknowledge and agree that, by executing the DPA, the Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, in which case each Authorized Affiliate agrees to be bound by the Customer’s obligations under this DPA, if and to the extent that Processor Processes Personal Data on the behalf of such Authorized Affiliates, thus qualifying them as the “Controller”. All access to and use of the Service by Authorized Affiliates must comply with the terms and conditions of the Agreement and this DPA and any violation of the terms and conditions therein by an Authorized Affiliate shall be deemed a violation by Customer. 11.2 Communication. Customer shall remain responsible for coordinating all communication with Processor under the Agreement and this DPA and shall be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates. 12. MODIFICATION 12.1 Intelligo may by at least forty-five (45) calendar days' prior written notice to Customer, amend this DPA if they are required as a result of any change in, or decision of a competent authority under, any Data Protection Laws and Regulations, to allow Processing of Customer’s Personal Data to be made (or continue to be made) without breach of those Data Protection Laws and Regulations. In the event that the variations result in Customer not being able to comply with applicable law,  Customer may within 30 days of such notice, terminate the Agreement by way of written notice stating in detail the reason Customer cannot comply with a law applicable to it as a result of the variation. Customer shall pay any amounts due to Intelligo and will have no further claims against Intelligo (including, without limitation, requesting refunds for the Service) pursuant to the termination of the Agreement and the DPA as described in this Section. 13. TERM  13.1 This DPA will commence on the same date that the Agreement is effective, or as otherwise provided explicitly under this DPA, and will continue until the Agreement expires or is terminated, pursuant to the terms therein. 


EXHIBIT A

Standard Contractual Clauses

ANNEX to the COMMISSION IMPLEMENTING DECISION on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and 

the Council, as officially published at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914 or official publications of the European Union as updated from time to time: 

MODULE TWO: Transfer Controller to Processor; 

EXHIBIT A - ANNEX I  A. LIST OF PARTIES  Data exporter(s): Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union 

1. Company Name: Customer

Address: As detailed in the Agreement

Contact Name and Title: As detailed in the Agreement

Email: As detailed in the Agreement

Activities relevant to the data transferred under these Clauses: Use of the Intelligo platform, including for due diligence background reports and ongoing monitoring for decision making processes and other internal business purposes 

Signature and Date: By entering into the Agreement and DPA, Data Exporter is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the Agreement.

Role (controller/processor): Controller 

Data importer(s)

1. Company Name: Intelligo Group USA Corp. 

Address: 261 Madison Ave. New York, NY 10016 

Contact Name and Title: As detailed in the Agreement

Email: As detailed in the Agreement 

Activities relevant to the data transferred under these Clauses: Use of the Intelligo platform, including for due diligence background reports and ongoing monitoring for decision making processes and other internal business purposes 

Signature and Date: By entering into the Agreement and DPA, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the Agreement

Role (controller/processor): Processor 

B. DESCRIPTION OF PROCESSING 

Categories of Data Subjects whose Personal Data is transferred

Customer's applicants, Customer's candidates 

Categories of Personal Data transferred

Name, alias, date of birth, age range, address, email address, phone number, ID number, ID documents, court data, asset information, corporate information, education, and employment history 

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures

Yes 

The frequency of the transfer (e.g. whether the Personal Data is transferred on a one-off or continuous basis)

One-off, per Data Subject. 

Nature of the processing

All operations such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data (whether or not by automated means), etc. 

Purpose(s) of the data transfer and further processing:  1. The provision of the Service in accordance with the Agreement. 2. Acting upon Customer’s instructions, where such instructions are consistent with the terms of the Agreement. 3. Complying with applicable laws and regulations.  4. Processing to render Personal Data fully anonymous, non-identifiable and non-personal in accordance with applicable standards recognized by applicable Data Protection Laws and Regulations and guidance issued thereunder

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period

Personal Data will be retained during the term of the Agreement and will be deleted in accordance with the terms therein. 

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

The subject matter of the Processing is Customer's Personal Data, the nature of the Processing is the performance of the Service under the Agreement and as detailed above and the duration of the Processing is the term of the Agreement. 

C. COMPETENT SUPERVISORY AUTHORITY 

The competent Supervisory Authority in accordance with Clause 13 is the Supervisory Authority in the Member State stipulated in Section 6.2.6. of the DPA. 


EXHIBIT A - ANNEX II 

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA 

Available upon request. Please contact compliance@intelligo.ai


EXHIBIT B 

CCPA TERMS 1. SCOPE, APPLICATION & INTERPRETATION 1.1 This Exhibit B shall apply and bind the parties if and to the extent that: (i) Customer is a Business under the CCPA (as such terms are defined below); and (ii) Intelligo processes Personal Information (as defined below) that is subject to the CCPA on behalf of Customer in the course of providing the Service pursuant to the Agreement.  1.2 This Exhibit B prevails over any conflicting terms of the Agreement or the DPA, but does not otherwise modify the Agreement or the DPA. 1.3 This Exhibit B shall be interpreted in favor of the parties’ intent to comply with the CCPA, and therefore any ambiguity shall be resolved in favor of a meaning that complies and is consistent with the CCPA. 1.4 Capitalized terms not specifically defined herein shall have the meanings ascribed to them in the DPA, as amended by this Exhibit B. 2. DEFINITIONS

For the purposes of this Exhibit B: 2.1 The terms “Business”, “Collects” (and “collected” and “collection”), “Consumer”, “Business Purpose”, “Sell” (and “selling”, “sale”, and “sold”), “Share” (and “shared”, or “sharing”), and Service Provider” shall each have the same meaning as in the CCPA. 2.2 “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et. seq. (as amended by the California Privacy Rights Act) and its implementing regulations, each as amended or superseded from time to time. 2.3 “Personal Information” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with an identified or identifiable Consumer or household, which is Processed by Intelligo solely on behalf of Customer under this Exhibit B and the Agreement. 3. PROCESSING OF PERSONAL INFORMATION 3.1 Customer hereby appoints Intelligo as a Service Provider to Process Personal Information on behalf of Customer. Customer, in its use of the Service, and Customer’s instructions to Intelligo, shall comply with the CCPA. Customer represents and warrants that it has provided notice consistent with Section 1798.130 of the CCPA, and has obtained consents to the extent required under the CCPA for Intelligo to lawfully Collect and Process the Personal Information in pursuit of the Permitted Purposes (as defined in Section ‎3.2 below). 3.2 Intelligo shall Process Personal Information solely for the purposes set forth in Section 2.3 and Exhibit A, Annex I of the DPA and as necessary to comply with Exhibit B and the CCPA. For the avoidance of doubt, such Processing shall include the pursuit of Business Purposes, including providing Customers with Intelligo’s due diligence, continuous monitoring, and background checks services (collectively: the “Permitted Purposes”).  3.3 Sections 3.1, 4, 5 and 7 through 13 of the DPA shall apply to the Processing of Personal Information hereunder and the following terms shall be replaced as follows: “Data Protection Laws and Regulations” shall mean the CCPA; “DPA” shall mean this Exhibit B; “Personal Data” shall mean “Personal Information”; “Data Subject” shall mean “Consumer”; “Controller” shall mean “Business”; "Processor” shall mean “Service Provider”; and “Sub-processor” shall refer to the concept of Subcontractor engaged by Intelligo to Process Personal Information. 3.4 Intelligo shall Process Personal Information in accordance with the applicable provisions of the CCPA, and in a manner that provides the same level of privacy protection to Personal Information as required of Businesses by the CCPA. Intelligo certifies that it understands the rules, requirements, and definitions of the CCPA and this Exhibit B, and shall comply with them. 3.5 Intelligo acknowledges and confirms that it does not receive or Process any Personal Information as consideration for any services or other items that Intelligo provides to Customer under the Agreement. Intelligo agrees to refrain from Selling and/or Sharing any Personal Information Processed hereunder without Customer’s prior written consent, nor take any action that would cause any transfer of Personal Information to or from Intelligo under the Agreement or this Exhibit B to qualify as Selling and/or Sharing such Personal Information. Intelligo shall not have, derive, or exercise any rights or benefits regarding the Personal Information, and shall not retain, use, or disclose any Personal Information (i) for any purpose, including commercial purposes, other than the Permitted Purposes, and/or (ii) outside of the direct business relationship between the parties.  3.6 Intelligo shall not combine Personal Information with any other data if and to the extent that this would be inconsistent with the limitations on Service Providers under the CCPA. 3.7 Intelligo shall notify Customer in the event Intelligo makes a determination that it can no longer meet its obligations under this Exhibit B and/or the CCPA.