If and to the extent stated in Sunlight.io’s Master Agreement in force from time to time (“Master Agreement”), these Sunlight.io Data Processing Terms (“DPA”) form part of and are hereby incorporated into the Agreement by reference as if expressly set out in them.

1. Definitions.

1.1. “Data Protection Legislation” means all applicable laws and regulations relating to the processing of Personal Data and privacy including the Data Protection Act 2018, the General Data Protection Regulation (EU) 2016/679 and any statutory instrument or regulation made thereunder, as from time to time amended, extended, re-enacted or consolidated and the terms “data controller”, “data processor”, “process” and “personal data” shall have the meanings given to those terms in such Data Protection Legislation;

1.2. “Personal Data Breach” means any breach of security leading to the accidental or unauthorised destruction, loss, alteration, disclosure of, or access to, personal data; and

1.3. all other capitalized terms used in this DPA but not defined in this DPA shall have the meaning given to them in the Master Agreement.

2. Customer acknowledges that, in respect of any personal data that it provides or that is provided on its behalf to Sunlight.io in the course of providing services to the Customer, the Customer is: (i) the data controller or (ii) a data processor, and that in the case of (i), Sunlight.io is the data processor of such personal data; and in the case of (ii), Sunlight.io is the sub-processor of such personal data.

3. Obligations. The parties shall at all times comply with applicable Data Protection Legislation. In the case of 2(i) above, Sunlight.io as the data processor shall, and, in the case of 2(ii) above, Sunlight.io as the sub-processor, shall:

3.1. act only in accordance with this Agreement and with the reasonable written instructions of the Customer in relation to the processing of personal data as part of providing services to the Customer (including instructions in relation to the return or destruction of personal data) and in the event that a legal requirement prevents Sunlight.io from complying with such instructions or requires Sunlight.io to disclose the personal data to a third party, it shall, unless such legal requirement prohibits it from doing so, inform the Customer of the relevant legal requirement before carrying out the relevant processing activities;

3.2. take reasonable steps to ensure: (i) the reliability of staff having access to the personal data processed as part of providing its services; and (ii) that all staff to whom it discloses personal data are made aware that the personal data is confidential information and subject to the obligations set out in this Agreement; (iii) that persons authorised by the data processor to process the personal data are bound by enforceable confidentiality obligations not to disclose it; and (iv) that access is limited to those of its staff who require it in order to meet its obligations under this Agreement and to such part or parts of the personal data as is strictly necessary for performance of each person’s duties;

3.3. ensure that any natural person acting under the authority of Sunlight.io who has access to the personal data does not process them except on instructions from the Customer;

3.4. maintain a process for regular testing, assessment and evaluation of the security measures required by this DPA;

3.5. ensure an appropriate level of security of its systems used for processing the personal data having regard to the nature, scope, context and purposes of the data processing and the likelihood and severity of associated risks and have appropriate technical and organisational measures in place intended to prevent unauthorised or unlawful processing of personal data and accidental loss or destruction of, or damage to, personal data, and maintain such security measures for as long as it is processing the personal data;

3.6. refrain from disclosing personal data to any third parties other than to sub-contractors in the ordinary course of its business, to whom disclosure is reasonably necessary in order for it to carry out its services, provided that in all such cases:

3.6.1. such disclosure is made subject to written terms as protective of the personal data provided to it by the Customer as the terms contained in this Agreement;

3.6.2. Sunlight.io shall procure that the third party complies with the same obligations as Sunlight.io assumes hereunder;

3.6.3. such disclosure has been approved in writing in advance by the Customer; and

3.6.4. it obtains a statement from any permitted sub-contractor outside the European Economic Area that such sub-contractor has no reason to believe the legislation applicable to him prevents him from complying with the contractual obligations imposed upon him in relation to data protection and that he will promptly inform Sunlight.io if that situation changes, in which case, Sunlight.io shall, as soon as reasonably practical following the request of the Customer, terminate the data processing activities of the relevant sub-contractor in respect of the Customer’s personal data and procure the return or destruction of all personal data of the Customer, at the Customer’s discretion and written request;

3.7. keep a written record of the processing of personal data it carries out under this DPA and the locations at which such processing takes or has taken place and disclose this to the Customer upon its written request;

3.8. upon the written request of the Customer, promptly provide a written description of the technical and organisational measures employed by it so that the Customer can reasonably determine whether or not, in connection with the Customer’s personal data, Sunlight.io is able to comply with its obligations under this DPA. If, the measures employed by Sunlight.io are insufficient to ensure compliance with its obligations under this DPA, the parties shall consult and cooperate to enable Sunlight.io to take such steps as may be reasonably necessary to achieve such compliance;

3.9. on reasonable notice, at reasonable times and with reasonable frequency (not more than once per year), give the Customer access to Sunlight.io’s premises used to process relevant personal data to enable it to determine whether Sunlight.io is in material compliance with its obligations under this DPA;

3.10. promptly refer to the Customer any requests, notices or other communication from data subjects, the Information Commissioner or any other competent law enforcement agency having jurisdiction relating to personal data processing for the Customer to resolve;

3.11. at no additional cost, provide such information and assistance to the Customer as it may reasonably require, and within the timescales reasonably specified by it, to allow it to comply with: (i) rights of data subjects, including subject access, or (ii) notices or other communication from the Information Commissioner or any other competent law enforcement agency having jurisdiction relating to personal data processing; or (iii) the Customer’s obligations under applicable Data Protection Legislation;

3.12. not retain any personal data longer than is necessary to perform its obligations under the Master Agreement and promptly return all personal data of the Customer to it on termination of this DPA; and

3.13. as soon as reasonably practical, notify the Customer of any Personal Data Breach and take measures to address the breach and mitigate its effect as the Customer may reasonably require and provide the data controller with such cooperation and assistance as it may reasonably require in managing that data breach.