This Data Processing Agreement (the “DPA”) relates to the processing by Matillion Ltd., a company registered and incorporated in England and Wales with company number 07474948 (“Matillion”) of Personal Data provided by the company or entity that is party (“Customer”) to the applicable subscription or license agreement and ordering documentation between Customer and Matillion (collectively, the “Agreement”) governing Customer’s use of Matillion’s commercial products. This DPA is incorporated into and forms part of, and is subject to the terms and conditions of, the Agreement.
“Applicable Law” means (a) to the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom; and (b) to the extent EU GDPR applies, the law of the European Union or any member state of the European Union to which Matillion is subject.
“Applicable Data Protection Laws” means (a) to the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of personal data; and (b) to the extent EU GDPR applies, the law of the European Union or any member state of the European Union to which Matillion is subject, which relates to the protection of personal data.
“Customer Personal Data” means any personal data which Matillion processes in connection with the Agreement, in the capacity of a processor on behalf of the Customer.
“EU GDPR” means the General Data Protection Regulation.
“Matillion Personal Data” means any personal data which Matillion processes in connection with the Agreement, in the capacity of a controller.
“UK GDPR” has the meaning given to it in the Data Protection Act 2018. For the purposes of this DPA, the terms controller, processor, data subject, personal data, personal data breach and processing shall have the meanings given to them in the UK GDPR.
2.1 Role of the Parties. Both parties will comply with all applicable requirements of Applicable Data Protection Laws. The parties have determined that, for the purposes of Applicable Data Protection Laws: (a) Matillion shall act as controller of the Matillion Personal Data; and (b) Matillion shall process the Customer Personal Data as a processor on behalf of the Customer.
2.2 Customer Obligations. Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Customer Personal Data to the Supplier for the duration and purposes of the Agreement. Customer warrants that any processing of Customer Personal Data which is or may occur in accordance with the Agreement has a lawful basis and may properly be processed in accordance with the terms of the Agreement.
2.3 Matillion Obligations. Matillion shall, in relation to Customer Personal Data:
2.3.1 process that Customer Personal Data only on the documented instructions of the Customer, which shall be to process the Customer Data for the purposes set out in Schedule 1 of this DPA, unless Matillion is required by Applicable Laws to otherwise process that Customer Personal Data;
2.3.2 implement appropriate technical and organizational measures designed to protect against unauthorized or unlawful processing of Customer Personal Data and against accidental loss or destruction of, or damage to, Customer Personal Data;
2.3.3 ensure that any personnel engaged and authorized by Matillion to process Customer Personal Data are obliged to keep the Customer Personal Data confidential;
2.3.4 provide reasonable assistance to Customer in responding to any request from a data subject and ensuring Customer’s compliance with its obligations under Applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
2.3.5 notify Customer without undue delay on becoming aware of a personal data breach involving Customer Personal Data;
2.3.6 at the written direction of Customer, delete or return Customer Personal Data on termination of the Agreement unless Matillion is required by Applicable Law to continue to process such Customer Personal Data (for purposes of this section, Customer Personal Data shall be considered deleted where it is put beyond further use by Matillion); and
2.3.7 maintain records to demonstrate its compliance with this DPA.
2.4 General Authorization. Customer hereby provides its prior, general authorization for Matillion to:
2.4.1 appoint processors to process the Customer Personal Data (provided that Matillion shall remain liable for the performance of its sub-processors’ obligations); and
2.4.2 transfer Customer Personal Data outside of the UK as required for the Purpose, provided that Matillion shall ensure that all such transfers are effected in accordance with Applicable Data Protection Laws.
3.1 Each party’s liability arising out of or related to this DPA, including any exhibits, schedules, and attachments, is subject to the limitation of liability provisions as set forth in the Agreement and any reference to such limitation of liability of a party means the aggregate liability of the party under the Agreement and this DPA.
3.2 Except as specifically set forth in this DPA, the terms and provisions of the underlying Agreement shall remain unmodified and in full force and effect. In the event of a conflict between the terms and conditions of the Agreement and this DPA, the conflict shall be resolved in the following order of precedence: (1) DPA, and (2) the Agreement.
3.3 This DPA shall remain in effect until, and automatically expire upon, deletion of all Customer Personal Data.
3.4 If an amendment to this DPA is required in order to comply with Applicable Data Protection Laws, both parties will work together in good faith to promptly execute a mutually agreeable amendment reflecting such requirements.
Subject matter and duration of the processing
The subject matter is Customer Personal Data provided by Customer in connection with the performance of the Agreement. The processing of Customer Personal Data shall only be for so long as is required to provide the services set forth under the Agreement or as necessary to comply with Applicable Laws.
Nature and purpose of the processing
The purpose of the processing of the Customer Personal Data is to provide the services as set forth in the Agreement.
Type of personal data
Customer Personal Data may include: first name, last name, business addresses, mobile phone numbers, email addresses, IP addresses, and such other personal identifiers and data relating to data subjects whose details may be provided to Matillion by Customer in connection with the performance of the services described under the Agreement.
Categories of data subjects
Individuals whose details may be provided by Customer in connection with the performance of the services described under the Agreement.