This Data Processing Addendum (this “Addendum”) is an integral part of, and incorporated into, the Josi Terms of Use (the “Agreement”). In the event of a conflict between this Addendum and any other provision in the Agreement, this Addendum shall control. Capitalized terms used but not defined in this Addendum shall have the meanings ascribed to such terms in the Agreement.
1. The following terms shall have the following meanings:
(a) “Data Protection Legislation” means all applicable legislation and regulations relating to the processing of personal data and privacy in force from time to time including United States federal or state laws or regulations, the UK Data Protection Act 2018, the European Union General Data Protection Regulation 2016/679 (GDPR), the retained EU law version of the GDPR (UK GDPR) and/or any corresponding or equivalent national laws or regulations and the Privacy and Electronic Communications (EC Directive) Regulations 2003, in each case as may be amended or updated from time to time.
(b) “Personal Data” means any information that constitutes “personal data” or “personal information” under Data Protection Legislation that is Processed by the Association or its Sub-Processors in the Association’s provision of the Tool to Customer.
(c) “Sub-Processor” means a third party engaged by a processor (or any other Sub-Processor) to carry out processing activities on behalf of the relevant Controller.
(d) “Data Subject”, “Personal Data Breach”, “Processing”, “Controller” and “Processor” shall have the meanings set out in the GDPR. “Process” and “Processed” shall be construed in accordance with the meaning of Processing. “Controller” shall include equivalent terms, such as “Business” under Data Protection Legislation, and “Processor” shall include equivalent terms, such as “Service Provider” under Data Protection Legislation.
2. The parties shall comply with their respective obligations under the Data Protection Legislation in relation to Personal Data disclosed, received and/or Processed in connection with this Agreement.
3. Where the Association Processes Personal Data of an individual purchasing the Tool on behalf of Customer, the Association is acting as a Controller and has the sole and exclusive authority to determine the purposes and means of Processing Personal Data.
4. To the extent the Customer discloses, or otherwise provides access to, Personal Data of the Users to the Association (User Personal Data) for the purpose of registering the Users or inviting the Users to register, as applicable, to access and or use the Tool, the Customer shall be the Controller and the Association shall be a Processor in respect of such Personal Data.
5. Where the Association is acting as a Processor the following shall apply in relation to User Personal Data processed by the Association under this Agreement:
(a) the Association shall only process User Personal Data as set out in the Agreement, including Appendix 1 to this Addendum (Description of Processing) and otherwise in accordance with the documented instructions of the Customer, unless otherwise required by law in which case the Association shall (to the extent permitted by law) inform the Customer of that legal requirement before the relevant Processing. Appendix 1 to this Addendum (Description of Data Processing) sets out the subject matter, duration, nature and purpose of the processing, the categories of Personal Data and Data Subjects and the instructions from the Customer to the Association;
(b) the Association shall require Association personnel who have access to and/or process User Personal Data to have committed themselves to keep such User Personal Data confidential;
(c) taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the harm that might result from any unauthorised or unlawful processing or accidental loss, destruction or damage of the User Personal Data, the Association shall ensure that it has in place appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, if applicable, the measures referred to in Article 32(1) of the UK GDPR and GDPR;
(d) the Association shall notify the Customer without undue delay upon becoming aware of a Personal Data Breach affecting User Personal Data;
(e) the Association shall, at the Customer’s cost and written request, provide reasonable assistance to the Customer in responding to requests from Data Subjects to exercise their rights under Data Protection Legislation in relation to User Personal Data;
(f) taking into account the nature of the processing of User Personal Data by the Association and the information available to the Association, the Association shall provide reasonable assistance to the Customer in relation to the Customer’s compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with the relevant authorities or regulators;
(g) the Association shall: (a) upon the Customer’s reasonable request, make available to the Customer all information necessary to demonstrate compliance with this Clause 5; and (b) to the extent required by Data Protection Legislation, permit the Customer (or an independent third party acting on the Purchaser’s behalf), on one occasion in any twelve (12) month period only, to perform an audit strictly limited to the Association's arrangements for complying with this Clause 5(g), provided that such audit is carried out during the Association’s normal business hours and that the Customer (or the relevant third party conducting such an audit) is subject to appropriate confidentiality obligations regarding the audit and gives the Association a reasonable period of prior notice before carrying out the audit;
(h) the Association shall notify the Customer if, in the Association’s opinion, any instruction from the Customer infringes Data Protection Legislation;
(i) at the written instruction of the Customer, the Association shall delete or return User Personal Data to the Customer after the termination or expiry of this Agreement. Where the Association is instructed to delete or return User Personal Data under this Clause 5(i), the Association shall delete or return such User Personal Data within sixty (60) days of receipt of the written instruction to do so. This time period shall also apply to the written instruction of the Customer to the Association to delete or return User Personal Data to the Customer after the end of the User’s access to the Tool in accordance with Clause 4.2 of the terms and conditions of this Agreement. The Association may retain User Personal Data if required or permitted by law for such period as required or permitted by those laws;
(j) the Customer agrees that the Association may transfer User Personal Data to jurisdictions outside of the United Kingdom and European Economic Area, as required for the purpose of the performance by the Association of its obligations under this Agreement, provided Customer and the Association shall ensure that all such transfers are effected in accordance with applicable Data Protection Legislation;
(k) the Customer provides its prior, general authorization for the Association to appoint third party Processors (Sub-Processors) to Process User Personal Data, provided that the Association:
(i) will enter into a written agreement with such Sub-Processors which comply with requirements of the Data Protection Legislation, and contain terms for the protection of Personal Data which are no less protective than the terms set out in this Addendum;
(ii) shall remain responsible for the Sub-Processors’ performance of such data protection obligations; and
(iii) shall inform the Customer of any intended changes concerning the addition or replacement of the Sub-Processors, thereby giving the Customer the opportunity to object to such changes.
(l) For the purposes of this subsection (l), “CCPA” means the California Consumer Privacy Act of 2018 as amended, including by the California Privacy Rights Act of 2020, and any regulations promulgated thereunder; and the terms “Consumer” and “Personal Information” will have the meanings ascribed to such term in the CCPA. The following terms and conditions apply solely to User Personal Data Processed by the Association in the provision of the Tool that is Personal Information subject to the CCPA:
(i) Customer is making the Personal Information of Consumers available to the Association for the limited and specified purposes set forth in Appendix 1 to this Addendum (Description of Processing) and other permitted purposes under the CCPA (the “Business Purposes”);
(ii) The Association will not: (A) retain, use or disclose the Personal Information (1) for any purpose other than the Business Purposes, or (2) outside of the direct business relationship between Customer and the Association; (B) sell or share (as such terms are defined in the CCPA) the Personal Information; or (C) combine the Personal Information with personal information received from or on behalf of another person, or collected from the Association’s own interactions with such individuals, unless permitted by the CCPA;
(iii) The Association will provide the same level of privacy protection to the Personal Information as is required by the CCPA and notify Customer if it determines that it can no longer meet applicable obligations under the CCPA;
(iv) Customer may, upon reasonable notice, take reasonable and appropriate steps to (i) ensure that the Association uses the Personal Information in a manner consistent with Customer’s obligations under the CCPA, and (ii) stop and remediate the unauthorized use of the Personal Information; and
(v) The Association will notify Customer if it makes a determination that it can no longer meet applicable obligations under the CCPA with respect to the Personal Information.
6. The Customer shall be responsible for providing any necessary notices to Users and obtaining any necessary User consents, including notices and consents as may be required under the Data Protection Legislation, to provide User Personal Data to the Association to be Processed in connection with the Agreement. Customer shall indemnify and hold the Association, its affiliates and its and their officers, directors, employees, agents, affiliates, successors and assigns (“Association Indemnitees”) harmless from and against any damages and other losses incurred with respect to any claims relating to or arising from Customer’s breach of this Section 6, and shall defend the Association Indemnitees against such claims.
7. The Customer shall only transfer User Personal Data to the Association in accordance with the applicable Data Protection Legislation, including, without limitation, complying with the legal requirements in relation to the international transfer of Personal Data (“Cross-Border Personal Data Transfers”). The parties shall, where necessary, arrange for the execution by Customer and the Association of standard contractual data protection clauses published or adopted by the relevant data protection authorities or regulators for Cross-Border Personal Data Transfers, including, where applicable, clauses published from time to time by the United Kingdom Information Commissioner (where the UK GDPR applies to such transfer) and/or adopted by the European Commission (where the GDPR applies to such transfer).
8. For the avoidance of doubt, the parties agree that the obligations set out in Clauses 4 to 5 of this Addendum do not apply where the Association is Processing Personal Data of Users as a Controller, including without limitation, where the Association Processes personal data of Users who are registered as members, students or customers with the Association pursuant to and in connection with such relationships.
Appendix 1 Description of Data Processing - Users
Categories of Data Subjects
Users
Subject-Matter of the Processing
The subject matter is the Processing of Personal Data for the purpose of providing Users access to the Tool, providing support to the Users and/or Customer, and Processing that is otherwise permitted under Data Protection Legislation, including without limitation, for purposes of security, auditing and measurement.
Nature and purpose of the Processing
Nature of Processing: Processing of User Personal Data may include receiving, collection, organization, storage, access, adaptation, retrieval, consultation, use, disclosure, transmission, dissemination, making available, alignment, combination, blocking, deleting, erasure, or destruction of User Personal Data.
Purpose of Processing: The User Personal Data described below shall be Processed by the Association for the purpose of:
Provisioning access to the Tool in accordance with the Agreement, providing support to the Users and/or Customer, and Processing that is otherwise permitted under Data Protection Legislation, including without limitation, for purposes of security, auditing and measurement.
Providing usage statistics to the Customer.
Type of Personal Data: Name, email address, usage statistics of Users
Duration of Processing
The Association Processes the User Personal Data for the duration set forth in Section 5(i) of this Addendum.