ENVOY DATA PROTECTION ADDENDUM (VENDOR – CONTROLLER)
(EU – GDPR)

Between

  1. Envoy Global, Inc., a Delaware Corporation, with a place of business at 230 West Monroe St., Suite 2700, Chicago, Illinois 60606 (“Envoy”); and
  2. The Vendor that is party to the Global Vendor Terms and Conditions with Envoy (“Vendor”), each a “Party” and together the “Parties”.

  Background

    1. Vendor is providing, or is about to provide, Services to Envoy, and in the provision of the Services, Envoy will share Personal Data with Vendor.
    2. The purpose of this Addendum is to ensure that the processing of Personal Data in the course of providing the Services is compliant with the requirements of the GDPR (including the requirement to put in place appropriate safeguards for the processing of Personal Data outside of the UK and the European Economic Area (EEA)).
    3. This Addendum shall be deemed to take effect on the date Envoy and Vendor entered into an agreement for the provision of the Services.
    4. Except for the changes made by this Addendum, the Agreement remains unchanged and in full force and effect.
      1. Definitions
        “Agreement” means the Global Vendor Terms and Conditions.
        “Customer” means a customer of Envoy’s immigration-related services, who may be a controller in respect of the Personal Data processed by the Vendor.

        “Data Protection Laws” means, as and to the extent they apply to that Party, any applicable laws and regulations in relation to the privacy or processing of personal data relating to identifiable individuals, including but not limited to, as may be applicable: (a) the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), (b) national laws implementing, revising or replacing the GDPR; in each case as updated, amended or replaced from time to time, and (c) the California Consumer Privacy Act (“CCPA”).
        “DP Regulator” means any governmental or regulatory body or authority with responsibility for monitoring or enforcing compliance with the Data Protection Laws.
        “Enquiry” means any request, complaint, investigation, notice or communication from a Data Subject or a DP Regulator.
        “Personal Data Breach” shall have the meaning set out in Article 4 of the GDPR.
        “Services” means the services provided by the Vendor to Envoy.

        “Standard Contractual Clauses” means the annex found in EU Commission Decision of 27 December 2004 on standard contractual clauses for the transfer of personal data from the Community to third countries (controller to controller transfers) (which is available as of August 14, 2020 at http://data.europa.eu/eli/dec/2004/915/oj).

        The terms “controller”, “processor”, “Data Subject”, “Personal Data”, “process”, “processing”, “transfer” and “appropriate technical and organisational measures” shall be interpreted in accordance with the applicable Data Protection Laws.

      2. General obligations

        2.1 The Parties acknowledge and agree that the Vendor shall be a controller for the purposes of the Data Protection Laws in respect of the Personal Data processed under this Addendum to provide Envoy or the Customer with the Services.

        2.2 Each Party shall comply with the Data Protection Laws as they apply to it in connection with its obligations under the Agreement.

        2.3 Each Party shall co-operate with the other and the relevant Customer, and promptly provide such information and reasonable assistance as the other or the relevant Customer may reasonably require to enable it or the Customer to comply with its obligations under the Data Protection Laws in respect of the Agreement, and to deal with and respond to all investigations, complaints, and requests for information from any regulator or Data Subject relating to such Personal Data.

        2.4 If a Party receives an Enquiry which relates directly or indirectly to its sharing of Personal Data pursuant to this Addendum, or to the other Party’s compliance with Data Protection Laws, it shall notify the other Party as soon as reasonably practicable. If Vendor receives an Enquiry which relates directly or indirectly to the Customer’s compliance with Data Protection Laws, it shall notify Envoy as soon as reasonably practicable.

        2.5 Subject to clause 2.4, (i) neither Party shall take any action in relation to any Enquiry or Personal Data Breach where it relates to the other Party’s processing of Personal Data without prior written notice to the other Party and providing the other Party with a reasonable opportunity to contribute to the response to mitigate the impact of the action on the other Party; and (ii) Vendor shall not take any action in relation to any Enquiry or Personal Data Breach where it relates to the Customer’s processing of Personal Data without prior written notice to Envoy and providing Envoy or the Customer with a reasonable opportunity to contribute to the response to mitigate the impact of the action on the Customer.

        2.6 If either Party receives any complaint, notice or communication which relates directly or indirectly to the processing of Personal Data by the other Party or to either Party’s compliance with Data Protection Laws, it shall as soon as reasonably practicable notify the other Party and it shall provide the other Party with reasonable co-operation and assistance in relation to any such complaint, notice or communication. If Vendor receives any complaint, notice or communication which relates directly or indirectly to the processing of Personal Data by the Customer or to the Customer’s compliance with Data Protection Laws, it shall as soon as reasonably practicable notify Envoy and it shall provide Envoy and the Customer with reasonable co-operation and assistance in relation to any such complaint, notice or communication.

        2.7 The Vendor shall indemnify and keep indemnified at its own expense Envoy against all claims, liabilities, damages, administrative fines, costs or expenses incurred by Envoy or for which Envoy may become liable due to any failure by the Vendor or its sub-processors, subcontractors, agents or personnel to comply with any of its obligations under this Addendum or under the Data Protection Laws.

      3. Data Transfers

        3.1 Envoy confirms that its transfers of GDPR-regulated Personal Data to Vendor in connection with the Services are made pursuant to one or more of the following derogations under GDPR Article 49(1) in cases where Envoy exports the Personal Data to Vendor from the UK, the European Economic Area, or another jurisdiction in which the GDPR is applicable:
        (a) the data subject has provided appropriate consent to the proposed transfer; OR
        (b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request; OR
        (c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person (such as the contract for immigration services between Envoy and its customers, or between Envoy and Vendor).

        3.2 As an additional layer of protection for the data subjects whose Personal Data is transferred, Envoy and Vendor hereby enter into the Standard Contractual Clauses for data transfers for which this is legally required. The Standard Contractual Clauses will be deemed completed as follows:
        (a) The “exporter” is Envoy, entering into the Standard Contractual Clauses on behalf of each Customer and on behalf of each Envoy entity that is acting in its capacity as a controller on behalf of the Customer, and the exporter’s contact information is set forth in the Agreement.
        (b) The “importer” is Vendor.
        (c) Pursuant to their Clauses 9 and 11(3), the Standard Contractual Clauses, and the provisions relating to data protection aspects for subprocessing, shall be governed by the law of the relevant European jurisdiction in which the data exporter is established.
        (d) Appendices 1 and 2 of the Standard Contractual Clauses are set forth in Exhibit A below.
        (e) By entering into this Addendum, the Parties are deemed to be signing the Standard Contractual Clauses and its applicable Appendices.

        3.3 Vendor certifies to Envoy, and, to the extent legally permissible, Vendor will provide additional certifications when requested periodically by Envoy, that:
        (a) It has not purposefully created back doors or similar programming that could be used by a government to access its systems, Envoy systems, and/or the Personal Data they process (other than for processing and related management of immigration applications);
        (b) It has not purposefully created or changed its business processes in a manner that facilitates governmental access to its systems, Envoy systems, and/or the Personal Data they process (other than for processing and related management of immigration applications); and
        (c) It is not under a specific legal requirement to create or maintain back doors, to facilitate governmental access to its systems, Envoy systems, and/or the Personal Data they process, or to be in possession of or to hand over to a government an encryption key or other credential to such system (other than for processing and related management of immigration applications).

        3.4 Vendor will, to the extent legally permissible, promptly inform Envoy of Vendor’s inability to comply with its commitments under the Standard Contractual Clauses.

        3.5 If Vendor receives an order to disclose Personal Data to a government (other than requests for information for purposes of processing an immigration application), then, to the extent legally permissible:
        (a) Vendor will promptly forward such request to Envoy.
        (b) Vendor will follow Envoy’s instructions regarding the response to the order.
        (c) Where it is legally impermissible to contact Envoy and follow Envoy’s instructions:
        (i) Vendor will review the legality of such order (including whether it is within the powers granted to the requesting public authority) with experienced legal counsel whose practice includes a significant focus on such reviews.
        (ii) Where applicable, Vendor will inform the requesting authority of any incompatibility of the order with applicable data protection law and the Agreement, and of the resulting conflict of obligations for Vendor.
        (iii) Vendor will challenge the order, and any prohibition on notification to Envoy, to the extent there are legal grounds to do so.
        (iv) When challenging the order, Vendor will, where appropriate, seek interim measures to suspend the effects of the order until the relevant court has decided on the merits.
        (v) Vendor will not disclose the Personal Data requested until legally required to do so.
        (vi) Vendor will provide the minimum amount of Personal Data permissible when responding to the order, based on a reasonable interpretation of the order.

        3.6 Vendor will document and record the requests for access received from public authorities (other than requests for processing immigration applications) and the response provided, alongside a summary of the legal reasoning and the actors involved. When and to the extent legally permissible, Vendor will provide these records to Envoy, who may provide them to affected data subjects.

      4. General

        4.1 Subject to clause 4.2, this Addendum is without prejudice to the rights and obligations of the Parties under the Agreement, which shall continue in full force and effect. Once executed by the Parties, this Addendum shall form part of the Agreement and shall be governed and construed accordingly.

        4.2 In the event of any conflict or inconsistency, the order of precedence, so far as the subject matter concerns the processing of Personal Data, is as follows: (1) the executed Standard Contractual Clauses; (2) the remaining provisions of this Addendum; and (3) the Agreement.

        4.3 This Addendum shall continue in force unless and until the Parties agree that it shall be terminated.

        Exhibit A – Annex B to the Standard Contractual Clauses
        DESCRIPTION OF THE TRANSFER
        (To be completed by the parties)

        Data subjects
        The personal data transferred concern the following categories of data subjects:
        Current, former and prospective employees and other categories of workers of Envoy’s customers.

        Purposes of the transfer(s)
        The transfer is made for the following purposes:
        The data importer has entered into an agreement with Envoy for the provision of technology, tools, and administrative support services on immigration matters (“Support Services”).

        Categories of data
        The personal data transferred concern the following categories of data:
        The personal data transferred may concern the following categories of data, as relevant to the Vendor’s services to Envoy:

        • Full name
        • Nationality
        • Title/Position/Department
        • Business contact details (e.g., address, telephone, mobile, and email)
        • Dates of employment or prospective employment
        • Accreditations
        • Personal contact details (e.g., home address, home telephone number and personal mobile number)
        • Date of birth
        • Language preference
        • Education and qualifications
        • Family member information
        • Users’ device information and other technical information relevant to information technology management
        • Some or all of the following other personal data including Government Identification or Social Security number, Driver’s license number, state identification card number, passport number, alien registration number, taxpayer identification number, date of birth, mother’s maiden name, digital or electronic signature, or picture of employee.

        Recipients
        The personal data transferred may be disclosed only to the following recipients or categories of recipients:
        Data importer
        Governmental entities as required for processing of the immigration applications

        Sensitive data (if appropriate)
        The personal data transferred concern the following categories of sensitive data:
        The personal data may include special categories of data where required by applicable immigration law for the relevant immigration application. Depending on each data subject’s personal situation, type of immigration application, place of birth, and applicable jurisdictions, this data may include:

        • Racial or ethnic origin;
        • Political opinions;
        • Religious or philosophical beliefs;
        • Trade union membership;
        • Health data; and
        • Data concerning sex life or sexual orientation.

        Data protection registration information of data exporter (where applicable)

        Additional useful information (storage limits and other relevant information)

        Access Control
        Vendor has (without limitation) implemented the following controls:

        • Controls to specify the authorized individuals permitted to access personal data
        • Implemented an access control process to prevent unauthorized access to the company’s premises
        • Implemented an access control process to restrict access to data centres / rooms where data servers are located
        • Utilises video surveillance and alarm devices covering access areas
        • Ensured that personnel without access authorization (e.g. technicians, cleaning personnel) are accompanied at all times when accessing data processing areas

        System Access Control
        Vendor has (without limitation) implemented the following controls:

        • Ensured that all systems processing personal data (including remote access) are password protected after boot sequences and when left unattended even for a short period, to prevent unauthorized persons from accessing any personal data
        • Provides a dedicated user ID for every individual for authentication against the systems’ user management
        • Assigns individual user passwords for authentication
        • Ensured that access control is supported by an authentication system
        • Controls to grant access only to authorized personnel and to assign only the minimum permissions necessary for that personnel to access personal data in the performance of their function
        • Implemented a password policy that prohibits the sharing of passwords, outlines the process to follow after disclosure of a password, and requires the regular change of passwords
        • Ensured that passwords are always stored in encrypted form
        • Implemented a proper procedure to deactivate user accounts when a user leaves the company or changes function
        • Implemented a proper process to adjust administrator permissions when an administrator leaves the company or changes function
        • Implemented a process to log all access to systems and to review those logs for security incidents

        Data Access Control
        Vendor has (without limitation) implemented the following controls:

        • Restricted access to files and programs on a “need-to-know” basis
        • Stored physical media containing personal data in secured areas
        • Controls to prevent the use/installation of unauthorized hardware and/or software
        • Established rules for the safe and permanent destruction of data that is no longer required
        • Controls to grant access only to authorized personnel and to assign only the minimum permissions necessary for that personnel to access personal data in the performance of their function

        Data Transmission Control
        Vendor has (without limitation) implemented the following control: data is encrypted during any transmission.

        Availability Control
        Personal data shall be protected against disclosure, accidental or unauthorized destruction or loss.
        Vendor has (without limitation) implemented the following controls:

        • Arrangements to create back-up copies stored in specially protected environments
        • Arrangements to perform regular restore tests from those backups
        • Contingency plans or business recovery strategies
        • Controls to ensure that personal data is not used for any purpose other than the purposes it has been contracted to perform
        • Controls to prevent removal of personal data from the data importer’s business computers or premises for any reason (unless the data exporter has specifically authorized such removal for business purposes)
        • Controls to ensure that whenever a staff member leaves his/her desk unattended during the day, and prior to leaving the office at the end of the day, he/she places materials containing personal data in a safe and secure environment such as a locked desk drawer, filing cabinet, or other secured storage space (clean desk)
        • Implemented a process for the secure disposal of documents or data carriers containing personal data
        • Implemented network firewalls to prevent unauthorized access to systems and services
        • Ensured that each system used to process personal data runs an up-to-date antivirus solution

        Organizational Requirements

        Vendor has (without limitation) implemented the following controls:

        • Designated a responsible person for data protection compliance
        • Obtained the written commitment of the employees to maintain confidentiality
        • Trained staff on data privacy and data security
        • Implemented a formal security incident response process that is consistently followed for the management of security incidents

        4839-7902-8187, v. 2