Data Processing Addendum
This Data Processing Addendum (the “DPA”) forms an integral part of, and is bound by, the Terms into which this DPA is incorporated by reference. In the event of a conflict between this DPA and the main body of the Terms, the terms and conditions that are more protective of Client Personal Data shall supersede and control to the extent of such conflict. Any capitalized term used but not defined herein shall be ascribed the meaning set forth in the Terms.
DEFINITIONS
The following terms have the meanings given to them below:
- California Consumer Privacy Act (“CCPA”)
means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 and any other applicable amendments (codified at Cal. Civ. Code § 1798.100 et seq.), and includes any and all implementing regulations.
- Client Personal Data
means the Personal Data that Harbor Processes on behalf of Client.
- Data Controller
means an entity that determines the purpose and means of Processing Personal Data.
- Data Processor
means an entity that Processes Personal Data on behalf of a Data Controller.
- Data Protection Law
means all laws, statutes, and regulations applicable to the Processing of Client Personal Data under the Agreement, including, without limitation, if and to the extent applicable, the CCPA, the GDPR, UK Data Protection Legislation, the Swiss Federal Act on Data Protection (“FADP”), and Australia’s Privacy Act 1988 (Cth).
- Data Subject
means an identified or identifiable individual whose Personal Data is being Processed by Harbor on behalf of Client.
- Data Subject Request
means a request from a Data Subject seeking to exercise a data protection right or privilege.
- General Data Protection Regulation (“GDPR”)
means the Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC and all applicable European Union (EU) Member State legislation implementing the same.
- Information Security Program
means commercially reasonable technical and organizational controls to protect Client Personal Data, including written policies describing its security controls and measures.
- IRP
means a written response plan to identify, remediate, respond to, and recover from a Security Event.
- Personal Data
means any information or data that, alone or in combination with other information or data, can be used to reasonably identify a particular individual, household, or device, and is subject to, or otherwise afforded protection under, an applicable Data Protection Law.
- Process, Processing, or Processes
means any action performed on Client Personal Data, including collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transfer or otherwise making available, alignment or combination, restriction, deletion, or destruction.
- Security Event
means unauthorized access, use, acquisition, exfiltration, or disclosure of Client Personal Data, but excludes an Unsuccessful Security Event.
- Sub-processor
means Harbor’s Affiliates and any third-party organization engaged by Harbor to Process Client Personal Data on its behalf.
- Standard Contractual Clauses
means standard contractual clauses adopted by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 for the transfer of personal data to third countries pursuant to the GDPR.
- Supervisory Authority Request
means a request from a government or regulatory authority regarding the Processing of Client Personal Data.
- Terms
means the terms and conditions available at https://harborglobal.com/business-terms/
- UK Addendum
means the International Data Transfer Addendum to the Standard Contractual Clauses (B.1.0) issued by the United Kingdom (“UK”) Information Commissioner’s Office under S119A(1) of the Data Protection Act 2018, in force 21 March 2022, and as may be amended or replaced by the UK Information Commissioner’s Office and/or UK Secretary of State.
- UK Data Protection Legislation
means all laws applicable to data protection, the Processing of Personal Data, privacy, and/or electronic communications in the UK, including, without limitation, the Data Protection Act 2018, and the UK GDPR (having the meaning given to it in section 3(10), as supplemented by section 205(4), of the Data Protection Act 2018).
- Unsuccessful Security Event
means an unsuccessful attempt or activity that does not compromise the security of Client Personal Data, including (without limitation) pings and other broadcast attacks of firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents.
APPLICATION; COMPLIANCE
Application. This DPA applies only to the extent Harbor Processes Client Personal Data in connection with the Agreement. Notwithstanding anything else, it remains in effect until, and automatically expires on, deletion or return by Harbor of all Client Personal Data.
Compliance. Each Party shall comply with Data Protection Laws.
Client’s Authority. Client shall: (i) have the legal authority and appropriate business purpose to provide Harbor with the Client Personal Data; (ii) ensure that its instructions to Harbor comply with Data Protection Laws; and (iii) be solely responsible for transparency and other requirements applicable to the collection and use of Client Personal Data and/or the use of cookies or similar mechanisms (such as obtaining any necessary consents and authorizations from Data Subjects or otherwise).
NATURE AND PURPOSE OF PROCESSING
Roles. Client shall be a Data Controller or, to the extent Client is acting on behalf of a third-party Data Controller, a Data Processor. Harbor shall be a Data Processor and, to the extent Client is acting on behalf of a third-party Data Controller, a sub-processor to Client.
Client as Data Processor. Where Client is acting as Data Processor on behalf of a third-party Data Controller, Client represents and warrants to Harbor: (i) Client’s instructions reflect the instructions of the applicable Data Controller; and (ii) such Data Controller has authorized the appointment of Harbor as sub-processor and the provision to Harbor of such Data Controller’s instructions.
Legal Requirements. If Harbor is required by applicable law to Process Client Personal Data other than in accordance with the Agreement, unless prohibited by applicable law, Harbor shall notify Client of such legal requirement prior to such Processing.
Right to Process. Client grants Harbor a non-exclusive, worldwide, royalty-free license to access, use, copy, modify, process, store, transmit, and display Client Personal Data solely as necessary to provide and maintain the Services and Vendor Software.
Details of Processing. Client is solely responsible for determining the Client Personal Data Processed in connection with the Services and Vendor Software. The purpose, duration, subject-matter, and nature of the Processing, the types of Client Personal Data, and the categories of Data Subjects covered by this DPA are specified in the Agreement, including Exhibits A and B to this DPA.
CCPA
CCPA Disclaimer. For purposes of the CCPA, if applicable, Client shall be considered a “Business,” and Harbor shall be considered a “Service Provider.” With regard to any Personal Information provided by Client to Harbor pursuant to the Agreement, Harbor hereby acknowledges and agrees that it shall not (i) “Sell” or “Share” the Personal Information, (ii) retain, use, or disclose the Personal Information for any purpose other than for the specific purpose of performance under the Agreement, or (iii) retain, use, or disclose Personal Information outside of the direct business relationship with Client. Without limiting the foregoing, each Party acknowledges and agrees that: (i) the provision of Personal Information from Client to Harbor does not constitute, and it is not the intent of either Party for such provision of Personal Information to constitute, a “Sale” of Personal Information; and (ii) if valuable consideration, monetary or otherwise, is being provided by Client pursuant to the Agreement, such valuable consideration is being provided for the Services or Vendor Software and not for the provision of Personal Information. For purposes of this Section 4 only, the terms “Business,” “Service Provider,” “Personal Information,” “Sale,” “Sell,” and “Share” shall have the same definitions as in the CCPA.
OBLIGATIONS
If either Party is unable to comply with applicable Data Protection Law, such Party shall notify the other Party in writing without undue delay (and in any event, within seventy-two (72) hours of discovery). If Harbor believes that Client’s instructions infringe applicable Data Protection Law, Harbor shall notify Client in writing without undue delay (and in any event, within seventy-two (72) hours of discovery). In either of the foregoing cases in this Section 5.1, without being in breach of the Agreement, either Party may, on written notice to the other Party: (i) cease the applicable Processing; or (ii) terminate all or part of the Agreement.
SECURITY
Information Security. Harbor shall implement and maintain an Information Security Program, which shall include the controls specified in Exhibit C to this DPA. Harbor shall designate a senior individual to be responsible for the overall management of Harbor’s Information Security Program. Harbor may update, amend, or otherwise alter its Information Security Program at any time and without notice to Client, provided that any such update, amendment, or alteration does not reduce the level of security in the Information Security Program.
REQUESTS; COOPERATION
Requests. Harbor shall promptly notify Client if Harbor receives a Supervisory Authority Request or a Data Subject Request (each a “Request”). To the extent practicable, Harbor shall seek to direct the requestor to Client. Taking into account the nature of the Processing, Harbor shall assist Client by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Client’s obligation to respond to a Request. On request by Client, to the extent that Client in its use of the Services does not have the ability to address a Request, Harbor shall use commercially reasonable efforts to assist Client in responding to such Request. Client shall be fully responsible for timely and appropriately responding to a Request. Client shall be responsible for the cost of Harbor’s assistance, unless otherwise required by Data Protection Laws.
Impact Assessments; Consultation. On request by Client, Harbor shall provide Client with commercially reasonable cooperation and assistance: (i) to the extent the relevant information is available to Harbor and Client does not otherwise have access to such information, to fulfil Client’s obligation under Data Protection Law to undertake a data protection impact assessment related to Client’s use of the Services; and (ii) with respect to a government or regulatory authority consultation. Client shall be responsible for the cost of Harbor’s assistance, unless otherwise required by Data Protection Laws.
Recordkeeping and Disclosures. On reasonable request by Harbor, Client shall provide all information required for Harbor’s compliance with applicable Data Protection Law, including the name and contact information for each Data Controller.
SECURITY EVENT PROCEDURES
Response Plans. Harbor shall establish, implement, and maintain an IRP.
Report to Client. Harbor shall: (i) notify Client of a Security Event within seventy-two (72) hours of confirmation of such Security Event; (ii) provide timely information to Client relating to the Security Event as it becomes known or as is reasonably requested by Client; and (iii) promptly take reasonable steps to contain, investigate, mitigate, and remediate any Security Event.
Incident Notification. Client acknowledges that Harbor will not assess the contents of Client Personal Data in order to identify information subject to any specific legal requirements. Client is solely responsible for compliance with incident notification laws applicable to Client and for fulfillment of any third-party notification obligations related to any Security Event. Unless otherwise required by Data Protection Law, the Parties agree to coordinate in good faith on developing the content of any related public statements or any required notices for the affected Data Subjects and/or notices to the relevant supervisory authorities.
SECURITY REPORTS; AUDITS AND INSPECTIONS
Security Reports. Upon request, if and to the extent available, Harbor shall provide to Client (on a confidential basis) evidence of a certification applicable to the Services ("Report"). If a Report is not available or Client reasonably believes that the Report is insufficient to demonstrate compliance with this DPA, Harbor shall also provide written responses (on a confidential basis) to Client’s reasonable requests for information regarding the Processing of Client Personal Data. Client shall not exercise the foregoing rights more than once in any twelve (12) month period.
Audits; Inspections. If Client reasonably believes that the information provided by Harbor pursuant to Section 9.1 is insufficient to demonstrate compliance with this DPA, Harbor will allow, at the sole cost and expense of Client, on at least thirty (30) days’ prior written notice to Harbor, an audit (including an inspection) by Client, or a third-party auditor appointed by Client and reasonably acceptable to Harbor, in relation to Harbor’s Processing of Client Personal Data. Any such audit or inspection shall occur only during normal business hours and be subject to Harbor’s reasonable security and confidentiality requirements. Client shall not exercise its rights under this Section 9.2 more than once in any twelve (12) month period.
SUB-PROCESSORS
Authorized Sub-processors. Client agrees that Harbor may engage Sub-processors to Process Client Personal Data on Client's behalf and hereby approves the following as Sub-processors: (i) Harbor’s Affiliates; (ii) the Sub-processors specified in the Agreement; (iii) the Sub-processors listed at https://harborglobal.com/sub-processors/; and (iv) any other Sub-processor in respect of which Client receives notice and an opportunity to object in accordance with this DPA.
Sub-processor Obligations. Harbor shall: (i) ensure that each Sub-processor is subject to binding obligations that require the Sub-processor to protect the Client Personal Data to the same standard as the Agreement; and (ii) remain responsible for such Sub-processor’s performance and compliance with the Agreement.
Changes to Sub-processors. Harbor will provide Client notice of any new Sub-processor (which may include via https://harborglobal.com/sub-processors/), and will allow Client ten (10) business days (the “Notice Period”), beginning on the date of Harbor’s notice, to object to such appointment. If Client does not advise Harbor of any objection within the Notice Period, then Client shall be deemed to have approved such Sub-processor. If Client advises Harbor of objections to such Sub-processor within the Notice Period, and such objections cannot be resolved, then Harbor shall either: (i) agree to proceed without such Sub-processor for the applicable Order; or (ii) allow Client to terminate the applicable Order for convenience on thirty (30) days’ prior written notice to Harbor. On such termination by Client, Harbor shall refund to Client all applicable prepaid, unused Fees relating to the period after the effective date of such termination.
INTERNATIONAL DATA TRANSFERS
EU Standard Contractual Clauses. To the extent (i) the Processing of Client Personal Data by or on behalf of the Client is subject to GDPR, and (ii) such Client Personal Data will be Processed in a country outside of the European Economic Area (EEA) and to which the European Commission has not granted adequacy status, the Parties undertake to apply the provisions of the Standard Contractual Clauses. If the Standard Contractual Clauses are applicable between the Parties pursuant to this Section 11.1, their provisions will be deemed incorporated by reference into this DPA. If the Parties apply and incorporate the Standard Contractual Clauses pursuant to this Section 11.1, then the following shall apply:
Module Two or Three. The Standard Contractual Clauses shall be governed by: (i) the Module Two (Controller to Processor) clauses where Client is the Data Controller; or (ii) the Module Three (Processor to Processor) clauses where Client is a Data Processor on behalf of a third-party Data Controller. Client shall be data exporter, and Harbor shall be data importer.
Docking Clause. Each Party acknowledges and agrees that Clause 7 (Optional – Docking Clause) of the Standard Contractual Clauses shall be deemed incorporated.
Sub-processing Clause. For the purposes of Clause 9(a) (Use of sub-processors) of the Standard Contractual Clauses, the Parties agree that Option 2 (General Written Authorization) shall apply to the Parties and shall be enforced in accordance with this DPA.
Redress Clause. For the purposes of Clause 11 (Redress) of the Standard Contractual Clauses, the Parties agree that the optional wording shall not be incorporated and shall not be applicable to the Parties.
Governing Law and Choice of Forum Clauses. Exhibit A to this DPA shall be incorporated, as appropriate and applicable, into Clauses 13, 17, and 18 of the Standard Contractual Clauses.
Transfer Details (Annex I). Exhibits A and B to this DPA shall be incorporated into Annex I of the Appendix to the Standard Contractual Clauses.
Security Controls (Annex II). For purposes of Annex II of the Appendix to the Standard Contractual Clauses, Harbor shall implement and maintain the technical and organizational security measures set forth in this DPA, including Exhibit C to this DPA.
Sub-processing List (Annex III). The Sub-processors authorized pursuant to Section 10.1 shall be incorporated into Annex III (List of Sub-processors) of the Standard Contractual Clauses and additional and replacement Sub-processors shall be engaged in accordance with this DPA. Harbor shall not transfer Client Personal Data received under the Standard Contractual Clauses (nor permit such Client Personal Data to be transferred) to a Sub-processor outside the EEA, unless: (i) the Sub-processor is established in a country which the European Commission has granted adequacy status; or (ii) if the Sub-processor is not established in such a country, Harbor takes such measures as are necessary to ensure the transfer is in compliance with Data Protection Law, which measures may include, without limitation, execution by the Sub-processor and Harbor of a document incorporating the Standard Contractual Clauses, Module 3 (Processor to Processor).
UK Addendum. To the extent (i) the Processing of Client Personal Data by or on behalf of the Client is subject to UK GDPR, and (ii) such Client Personal Data will be Processed in a country outside of the UK and to which the appropriate UK authorities have not granted adequacy status, the Parties undertake to apply the provisions of the Standard Contractual Clauses, as updated and amended by the UK Addendum, to the transfer and Processing of such Client Personal Data and hereby incorporate the UK Addendum by reference into this DPA, provided the UK Addendum shall be supplemented and completed, as appropriate, with the descriptions and party responsibilities, clause options, and similar criteria specified in this DPA. For the avoidance of doubt, with respect to UK data transfers, in the event of a conflict between the Standard Contractual Clauses and the UK Addendum, the terms and hierarchy set forth in the UK Addendum shall supersede and control solely with respect to such UK data transfers. If the Parties apply and incorporate the UK Addendum pursuant to this Section 11.2, then the following shall apply:
For the purposes of the UK Addendum, Client shall be data exporter, and Harbor shall be data importer.
The Parties agree that the UK Addendum shall be governed by the law of England and Wales.
Part 1 (Tables) of the UK Addendum shall be deemed completed with the information set out in Section 11.1 and Exhibits A and B to this DPA.
Harbor shall not transfer any Client Personal Data received under the UK Addendum (nor permit such Client Personal Data to be transferred) to a Sub-processor outside the UK, unless: (i) the Sub-processor is established in a country to which the UK authorities have granted adequacy status; or (ii) if the Sub-processor is not established in such a country, Harbor takes such measures as are necessary to ensure the transfer is in compliance with Data Protection Law, which measures may include, without limitation, execution by the Sub-processor and Harbor of a document incorporating the Standard Contractual Clauses, Module 3 (Processor to Processor) and the UK Addendum thereto.
Swiss FADP. To the extent (i) the Processing of Client Personal Data by or on behalf of the Client is subject to the FADP, and (ii) such Client Personal Data will be Processed outside Switzerland in a country to which Switzerland has not granted adequacy status, the Parties undertake to apply the provisions of the Standard Contractual Clauses as set forth in Section 11.1. If the Standard Contractual Clauses are applicable pursuant to this Section 11.4, their provisions will be deemed incorporated by reference into this DPA. If the Parties apply and incorporate the Standard Contractual Clauses pursuant to this Section 11.4, then the following shall apply where required by the FADP:
References to the GDPR or to a particular article, section or term of the GDPR in the Standard Contractual Clauses shall be references to the FADP and/or the relevant article, section or term of the FADP insofar as the data transfers are subject exclusively to the FADP and not the GDPR.
The term “member state” in the Standard Contractual Clauses shall not be interpreted in such a manner as to exclude Data Subjects in Switzerland from enforcing their rights in Switzerland in accordance with Clause 18(c) of the Standard Contractual Clauses, provided Switzerland is their habitual residence.
For the purposes of Annex I(C) of the Standard Contractual Clauses,
where the data transfer is subject exclusively to the FADP (and not GDPR), the supervisory authority is the Swiss Federal Data Protection and Information Commissioner, and
where the transfer is subject to both the FADP and GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the FADP, and the supervisory authority set forth in Exhibit A to this DPA insofar as the transfer is governed by GDPR.
Other Transfers. To the extent Client Personal Data originates outside of the EEA, Switzerland or the UK, and the Parties seek to transfer and Process such Client Personal Data across national borders, the Parties shall also undertake to apply, as appropriate and consistent with Section 11.1, the provisions of the Standard Contractual Clauses to such transfer and Processing, provided that the Standard Contractual Clauses are legally required and sufficient to meet the requirements of the applicable Data Protection Law for the transfer and Processing of Client Personal Data across such national borders.
Changes to the Law. If and to the extent this DPA, the Standard Contractual Clauses or the UK Addendum are no longer recognized by the applicable privacy authorities as an adequate mechanism for the transfer of Client Personal Data from, as applicable, the EEA, Switzerland, United Kingdom or elsewhere to the applicable other country, then the Parties shall abide by another adequate transfer mechanism. If after using commercially reasonable efforts, Harbor is unable to comply with another adequate transfer mechanism, Client or Harbor may, upon prior advance written notice to the other party, terminate the Services, in which case Client shall receive a pro rata refund of any prepaid, unused Fees applicable to the terminated Services as Client’s exclusive remedy for and in connection with such termination.
Exhibit A
Details of Parties
For the purposes of Clause 13 (Supervision) of the Standard Contractual Clauses, the competent supervisory authority is the supervisory authority of Ireland.
For the purposes of Clause 17 (Governing law) of the Standard Contractual Clauses, the Parties agree that the Standard Contractual Clauses shall be governed by the law of Ireland and select Clause 17, “Option 1” to this effect.
For the purposes of Clause 18 (Choice of forum and jurisdiction) of the Standard Contractual Clauses, the Parties agree that any dispute arising from the Standard Contractual Clauses shall be resolved by the courts of Ireland.
Transfer Details
List of Parties:
| Name (Data Exporter) | Client |
| Address | As specified in the Agreement |
| Contact | As specified in the Agreement |
| Activities | As specified in Exhibit B to this DPA and otherwise in the Agreement |
| Role (controller / processor) | Data Controller / Data Processor |
| Name (Data Importer) | Harbor |
| Address | As specified in the Agreement |
| Contact | Vice President of Infrastructure; [email protected] |
| Activities | As specified in Exhibit B to this DPA and otherwise in the Agreement |
| Role (controller / processor) | Data Processor / Data sub-processor |
Description of Transfer: Unless otherwise specified in the Agreement, the description of the Personal Data transferred is as follows:
- i. Categories of Data Subjects: As specified in Exhibit B to this DPA and otherwise in the Agreement
- ii. Categories of Personal Data: As specified in Exhibit B to this DPA and otherwise in the Agreement
- iii. Sensitive data: As specified in Exhibit B to this DPA and otherwise in the Agreement
- iv. Frequency of transfer: As specified in Exhibit B to this DPA and otherwise in the Agreement
- v. Nature of Processing: To provide Services and Vendor Software to Client
- vi. Purpose of Transfer/Processing: To provide Services and Vendor Software to Client; the collection and storage of Personal Data pursuant to providing the Services to Client
- vii. Retention period: For the duration of the Agreement and for any subsequent termination and transition period specified in the Agreement
- viii. Sub-processor transfers: As specified in this DPA and otherwise in the Agreement
Competent Supervisory Authority: As specified in Section 1 of this Exhibit A.
Exhibit B
(Data Processing Activities)
Data Processing Activities.
The purpose of the Processing under this DPA is the provision of the Services and Vendor Software to Client and performance under the Agreement.
Data Subjects. Harbor may Process the following categories of Data Subjects:
- Employees (current)
- Employees (former)
- Client’s vendors (current)
- Other (specify below):
To the extent determined by Client in its sole discretion, Harbor may Process Client Personal Data with respect to the foregoing categories of Data Subjects and to the categories of Data Subjects as otherwise specified in the Agreement.
Categories of Personal Data: Harbor may Process the following categories of Personal Data:
- Name
- Telephone Number
- Addresses
- Email Address
- Other (specify below):
To the extent determined by Client in its sole discretion, Harbor may Process Client Personal Data with respect to the foregoing categories of Personal Data and to the categories of Personal Data as otherwise specified in the Agreement.
Special Categories/Sensitive Personal Data:
- Not Applicable
Frequency of Transfer:
- Continuous and as often as Client uses the Services and Vendor Software.
Exhibit C
(Security Controls)
Harbor shall apply the following security measures to safeguard Client Personal Data:
General Obligations. Harbor shall have reasonable security measures in place to protect Client Personal Data against unauthorized access, use, acquisition, exfiltration, or disclosure. These measures include firewall, anti-virus software, malware protection and similar protections installed and kept up-to-date on all information systems used to Process the Client Personal Data. Harbor shall evaluate and, where necessary to meet industry standards, improve the effectiveness of such safeguards.
Access Control. Harbor shall restrict access to the Client Personal Data to Personnel on a need-to-know basis and shall revoke access where appropriate, including from any employee whose employment is terminated.
Physical Security. Harbor shall ensure that third-party datacenters prevent any unauthorized persons from gaining access to data processing systems that Process Client Personal Data by implementing a physical access control system (ID reader, magnetic card, chip card), keys, door locking (electric door openers, etc.), security staff, janitors, and surveillance facilities (alarm system, monitoring).
IT System Access Controls. Harbor shall prevent systems Processing Client Personal Data from being used without authorization by implementing password procedures (e.g., special characters, minimum length, change of passwords), automatic blocking (e.g., password or timeout), creation of unique credentials per user, differentiated access rights (profiles, roles, transactions and objects), reports, access, change, deletion, and encryption of backup production data.
Transmission Control. Harbor shall ensure that Client Personal Data cannot be read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media, and that it is possible to ascertain and check the recipient addressee to which the Client Personal Data will be transferred by using data transmission facilities.
Input Control and Integrity. Harbor shall employ measures to ensure the integrity of the Client Personal Data, including without limitation, monitoring systems able to ascertain whether Client Personal Data has been accessed, altered or removed from data processing systems, and if so, by whom. Harbor shall employ measures that allow Client Personal Data to be updated or completed pursuant to a Data Subject Request.
Availability Control. Harbor shall ensure Harbor’s data processing systems are protected against accidental destruction or loss of Client Personal Data by implementing backup procedures, mirroring of hard disks, uninterruptible power supply, anti-virus and firewall systems, and disaster recovery plans.
Separation Control. Harbor shall ensure that data collected for different purposes can be processed separately by implementing “internal client” concept / limitation of use, segregation of functions production / testing, logical or physical data separation, and multitenancy.
Job Control and Training. Harbor shall ensure that its employees and contractors Processing Client Personal Data have undergone reasonably adequate training on information security and the protection of Client Personal Data, the care, handling and processing of the Client Personal Data, and the requirements of applicable Data Protection Law. Harbor Personnel having access or otherwise Processing Client Personal Data will be subject to confidentiality obligations, which will survive termination of the relationship with Harbor.
Data Security Officer. Harbor has appointed one or more employees to be in charge of: data security; data protection matters, including receiving the complaints due to any violation or non-compliance with the applicable Data Protection Law; and any amendment to Client Personal Data for accuracy/completeness.