Data processing Addendum (On Premise)

Definitions

1. Any defined terms in this Addendum shall be interpreted in accordance with the Customer Terms of Service (“Terms of Service”).

2. The following additional defined terms shall apply in this Addendum:

   Customer Personal Data	any Personal Data within the Customer Data or data relating to an Authorised User which is processed by timeware UK Ltd as a Data Processor on behalf of the Customer in connection with the performance of the Agreement.
   Adequate Jurisdiction	means the UK, EEA, or a country, territory, specified sector or international organisation which ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data, as set out in: with respect to Personal Data relating to Data Subjects in the EEA, a decision of the European Commission. with respect to Personal Data relating to Data Subjects in the UK, the UK Data Protection Act 2018 or regulations made by the UK Secretary of State under the UK Data Protection Act 2018.
   Authorised Sub processor	means any entity appointed by or on behalf of timeware UK Ltd to process Customer Personal Data on behalf of the Customer in accordance with the terms of this Addendum.
   Applicable Data Protection Laws	all national and international data protection and privacy laws and regulations and any national implementing laws, regulations and secondary legislation, each as may be updated, amended or replaced from time to time, as applicable to the Customer or timeware UK Ltd.
   Data Breach	means a confirmed or reasonably suspected accidental or unlawful destruction, loss, alteration, unauthorised disclosure of Customer Personal Data.
   Data Controller	the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
   Data Subject	an individual whose personal data is included in the Customer Personal Data. References in this Addendum to a Data Subject includes a “Consumer” as defined under US DP Laws.
   Data Processor	shall be as defined under UK GDPR.
   timeware UK Ltd Personnel	means employees contractors of timeware UK Ltd or its Affiliates.
   Personal Data	means any data which directly or indirectly identifies a natural living individual.
   Process	Process means any operation performed on personal data such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; “processed” shall be construed accordingly.

Applicability and Compliance with Applicable Data Protection Laws

1. Since timeware is downloaded and installed in the Customer's environment and the Customer Data is hosted in the Customer's environment, it is not anticipated that timeware UK Ltd will process Customer Personal Data under the Agreement. timeware UK Ltd can only access Customer Personal Data if explicitly authorised by the Customer. From time-to-time Customer may request Annotate to provide Support Services and whilst in the majority of cases this can be performed without requiring timeware UK Ltd to process Customer Personal Data, processing may occasionally be required. This Addendum applies to Customer Personal Data processed by timeware UK Ltd under the Agreement.

2. Each of timeware UK Ltd and the Customer shall comply with their obligations under Applicable Data Protection Laws.

3. Customer Personal Data: The Customer and timeware UK Ltd acknowledge in respect of Customer Personal Data processed by Annotate the Customer is a Data Controller and Annotate is a “Data Processor”.

Scope and Particulars of Processing

1. timeware UK Ltd shall process Customer Personal Data on behalf of, and in accordance with, Customer's instructions (a) as set forth in the Agreement, and as otherwise necessary to perform its obligations under the Agreement, and (b) as necessary to comply with applicable law; and (c) as otherwise agreed in writing between the Customer and timeware UK Ltd.

2. CCPA: For the avoidance of doubt, and notwithstanding any other term of the Agreement, the Customer discloses Customer Personal Data to timeware UK Ltd solely for a valid business purpose and for use in accordance with the Permitted Purpose. timeware UK Ltd is prohibited from: (i) selling Customer Personal Data; (ii) retaining, using, or disclosing Customer Personal Data for a commercial purpose other than providing the Services; (iii) retaining, using, or disclosing the Customer Personal Data outside of the Agreement between timeware UK Ltd and Customer, (iv) combining the Customer Personal Data with personal data of timeware UK Ltd other customers. timeware UK Ltd understands the prohibitions outlined in this Clause 3.1.

3. The Particulars of Processing set out below specifies the duration of the processing, the nature and purpose of the processing, types of Personal Data and categories of Data Subjects within the scope of the Customer Personal Data. timeware UK Ltd does not inform or control the scope of Customer Personal Data and that this is determined by the Customer. timeware UK Ltd does not actively or routinely monitor, assess, or verify the scope of the Customer Personal Data.

   Duration of Processing	As per the Agreement.
   Nature/purpose of Processing	As per the Agreement.
   Types of Personal Data	This is controlled and determined by the Customer. timeware UK Ltd does not independently have access to Customer Personal Data and Customer's authorisation is required. - Personal Data may include the following and other types of Personal Data: names, dates of birth, postal addresses, email addresses, telephone numbers, online identifiers, contractual details, education details, financial details special categories of Personal Data and other types of Personal Data contained in the Customer Data - Sensitive Personal Data: any Sensitive Personal Data contained in the Customer Data.
   Categories of Data Subjects	is controlled and determined by the Customer and Authorised Users..

4. The Customer is responsible for ensuring it has all rights, consents and permissions necessary to submit the Customer Personal Data to timeware UK Ltd for processing by Annotate in accordance with the terms of the Agreement.

5. timeware UK Ltd shall process the Customer Personal Data as required for Annotate to provide the products and services and perform its obligations within the scope of an Agreement. In addition, timeware UK Ltd may process Customer Personal Data as necessary to comply with timeware UK Ltd’s obligations under Applicable Data Protection Laws, however Annotate shall notify the Customer in advance of the additional grounds and requirements for the processing unless timeware UK Ltd is legally prohibited from doing so.

6. timeware UK Ltd shall process the Customer Personal Data solely in accordance with the Agreement. The Agreement constitutes the Customer’s documented instruction to timeware UK Ltd regarding the processing by timeware UK Ltd of the Customer Personal Data.

7. Taking into account the nature of the processing to be performed by timeware UK Ltd and the information available to timeware UK Ltd, timeware UK Ltd shall notify the Customer if in timeware UK Ltd reasonable opinion, the Customer’s instructions regarding the processing of Customer Personal Data is likely to infringe Applicable Data Protection Laws. timeware UK Ltd reserves the right, without liability and on reasonable notice, to refuse to comply with the Customer's instructions (including, at timeware UK Ltd.'s discretion, suspension or termination of the products and services being supplied under an Agreement) where timeware UK Ltd reasonably believes that compliance with such instructions will cause Customer or timeware UK Ltd to breach Applicable Data Protection Laws.

8. Taking in to account the nature of the processing to be performed by timeware UK Ltd and the information available to timeware UK Ltd, timeware UK Ltd shall provide information and assistance reasonably requested by the Customer as needed for the Customer to comply with its obligations under the UK GDPR.

9. timeware UK Ltd shall, to the extent legally permitted, promptly notify the Customer if timeware UK Ltd receives any request from a Data Subject to exercise that Data Subject's legal data protection and privacy rights afforded to the Data Subject under Applicable Data Protection Laws. Customer is solely responsible for fulfilling a Data Subject request. Since the Customer is hosting the timeware UK Ltd Software in the Customer's environment, the Customer has ultimate control in respect of the timeware UK Ltd installation including but not limited to setting, amending or removing functionality within a Workspace, Topic or Chat (as may be permitted under this Contract), enabling, reinstating, amending or revoking Authorised Users' account access and privileges, and other related matters as set out in the Terms of Service.

Technical and Organisation Security Measures

1. The Customer will be hosting the timeware UK Ltd Software in the Customer's environment and therefore the Customer controls the Customer Personal Data (if any) which the Customer elects to supply or otherwise make available to timeware UK Ltd and timeware UK Ltd does not require access to the Customer Data (including Customer Personal Data) in order for Customer and End Users to access the timeware UK Ltd Software.

2. In assessing the appropriate level of security, timeware UK Ltd will take account of the risks from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Customer Personal Data transmitted, stored or otherwise processed by or on behalf of timeware UK Ltd.

3. timeware UK Ltd will ensure that timeware UK Ltd personnel with access to Customer Personal Data are made aware of their data protection and security obligations and are bound by a duty of confidentiality in respect of the Customer Personal Data.

Sub-Processors

1. The Customer will be hosting the timeware UK Ltd Software in the Customer's environment and therefore the Customer controls the Customer Personal Data (if any) which the Customer elects to supply or otherwise make available to timeware UK Ltd and timeware UK Ltd does not require access to the Customer Data (including Customer Personal Data) in order for Customer and End Users to access the timeware UK Ltd Software. As at today, no Subprocessors are engaged by timeware UK Ltd to process Customer Personal Data.

2. If timeware UK Ltd intends to engage a Subprocessor (or replace a Subprocessor), timeware UK Ltd will notify the Customer via email at least 30 days in advance of the new Subprocessor's engagement.

3. Customer may object to timeware UK Ltd’s appointment or replacement of a Subprocessor prior to its appointment or replacement, provided such objection is in writing and based on reasonable grounds relating to the Subprocessor not being compliant with Applicable Data Protection Laws. In such an event, the Customer and timeware UK Ltd agree to discuss commercial reasonable alternative solutions in good faith. If timeware UK Ltd and the Customer cannot reach a resolution within sixty (60) days, (a) Annotate shall not engage the objected to Subprocessor to process Customer Personal Data or transfer any Customer Personal Data to the objected to Subprocessor and (b) timeware UK Ltd may suspend or terminate the applicable products and services being supplied under the Agreement in which the objected to Subprocessor would be involved without further liability to the Customer; such termination by timeware UK Ltd shall be without prejudice to any Fees payable or incurred by Customer prior to suspension or termination. If no objection has been raised prior to timeware UK Ltd replacing or appointing a new Subprocessor, the Customer will be deemed to have approved the engagement of the new Subprocessor who shall then be an “Authorised Subprocessor”.

4. In respect of any Authorised Subprocessor engaged by timeware UK Ltd:

   1. timeware UK Ltd will ensure that the arrangement between timeware UK Ltd and each Authorised Subprocessor is governed by a written agreement under which the Subprocessor subject to the same or similar obligations as are set out in this Addendum.

   2. timeware UK Ltd will ensure that the Authorised Subprocessor provides sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of Applicable Data Protection Laws.

5. At the Customer's request, timeware UK Ltd shall provide a copy of the written agreements (including amendments) with an Authorised Subprocessor. To the extent necessary to protect business secret or confidential information or other commercially sensitive information of Annotate or the Authorised Subprocessor, timeware UK Ltd may redact the text of the agreement between Annotate and the Authorised Subprocessor prior to disclosing it to the Customer. All information provided under this Clause shall be considered timeware UK Ltd Confidential Information under the Agreement.

6. timeware UK Ltd will remain liable for any breach of Applicable Data Protection Laws and this Addendum which is caused by an act, error or omission of its Subprocessors.

7. timeware UK Ltd may in the future put in place a mechanism for the Customer to subscribe to notifications about addition or replacements to the Subprocessors engaged by timeware UK Ltd. Once available, this will replace the notification process at Clause 5.2 above. timeware UK Ltd shall provide the Customer with information on how to subscribe to such notifications. Provided timeware UK Ltd has informed Customer on how to subscribe, the Customer shall be responsible for ensuring it subscribes to receive notifications regarding additions or replacements to the Subprocessor List. If the Customer has subscribed to receive notifications regarding the addition or replacement of Subprocessors on the Subprocessor list, timeware UK Ltd will provide notifications to the Customer of any such changes at least 30 days prior to the change.

Data Breach and Notification

1. timeware UK Ltd shall (i) notify the Customer without undue delay, but in no event later than twenty-four (24) hours after becoming aware of a Data Breach and (ii) take appropriate measures to address the Data Breach, including measures to mitigate any adverse effects resulting from the Data Breach. timeware UK Ltd does not have access to the Customer Personal Data without the Customer's explicit authorisation.

2. To enable Customer to notify a Data Breach to supervisory authorities or Data Subjects (as applicable), timeware UK Ltd will cooperate with and assist Customer by including in the notification under Section 6.1 such information about the Data Breach as timeware UK Ltd is able to disclose to Customer, taking into account the nature of the processing, the information available to timeware UK Ltd, and any restrictions on disclosing the information, such as confidentiality.

3. The obligations of timeware UK Ltd under Clause 6.2 shall not apply to a Data Breach which is caused by the Customer, End Users and/or non-Annotate products and services and/or relating to or concerning Customer environment factors such as but not limited to Customer selected or deployed hardware, servers, operating systems, networks and/or any other Customer IT infrastructure (“Customer Environment Incidents”). timeware UK Ltd may, at timeware UK Ltd discretion, and if requested by the Customer, provide commercially reasonable assistance to the Customer in connection Customer Environment Incidents but the Customer shall be responsible for any costs arising from timeware UK Ltd's provision of such assistance including payment of timeware UK Ltd's fees for the assistance supplied.

Return and Deletion of Customer Personal Data

1. On termination of the Agreement all processing of the Customer Personal Data by timeware UK Ltd shall cease unless continued Processing is required under law and in such a case timeware UK Ltd shall inform Customer of the legal grounds mandating continued processing.

2. On termination of the Agreement, if timeware UK Ltd has any Customer Personal Data in its possession (this is not anticipated since the Customer is hosting the timeware UK Ltd Software in its own environment) timeware UK Ltd shall delete the Customer Personal Data in accordance with the terms of the Agreement.

3. On Customer's request, timeware UK Ltd shall provide written certification to Customer that it has complied with this Clause 7.

Location of Processing

1. timeware UK Ltd does not host the Customer Personal Data as the timeware UK Ltd Software is installed in the Customer's own environment. timeware UK Ltd does not have access to Customer Personal Data unless access is explicitly granted by the Customer. timeware UK Ltd will only access the Customer Personal Data if authorised by the Customer and will only use it for the Permitted Purpose.

2. If timeware UK Ltd notifies the Customer about the engagement of an Authorised Subprocessor, and so long as the Customer has not objected to the engagement in accordance with the terms of this Addendum. The Customer authorises Annotate to transfer Customer Personal Data to an Authorised Subprocessors for processing in accordance with the Permitted Purpose and provided that such transfer is always in accordance with the terms of this Addendum and Applicable Data Protection Laws. In the event the Authorised Subprocessor is located in a country outside of the UK or EEA and that country is not deemed to be an Adequate Jurisdiction, timeware UK Ltd will enter into the Standard Contractual Clauses or UK ICO Addendum (as applicable) with the Authorised Subprocessor.