Data Processing Addendum

This Data Processing Addendum (“DPA”) supplements the CarbonX Customer Agreement, or any other written agreement entered into between the Customer and CarbonX governing the Customer’s use of CarbonX’s Products, Cloud Services, and any related Support or Advisory Services (collectively, the “Agreement”).

Written By CarbonX Registry

Last updated 4 months ago

This DPA forms an integral part of the Agreement and sets forth the terms and conditions under which CarbonX, acting as a Processor (or Sub-Processor, where applicable), processes Customer Personal Data on behalf of the Customer in accordance with Applicable Data Protection Laws.

Unless otherwise defined in this DPA or in the Agreement, all capitalized terms used herein shall have the meanings assigned to them in Section 9 (Definitions) of this DPA.

1. Scope and Term

1.1 Roles of the Parties

(a) Customer Personal Data.
CarbonX will process Customer Personal Data solely as the Customer’s Processor, and only in accordance with the Customer’s documented instructions as further described in Section 2.1 (Customer Instructions).

(b) CarbonX Account Data.
CarbonX will process Account Data as an independent Controller for the following legitimate business purposes:

  1. To provide, operate, and improve the Products and related services;

  2. To manage the Customer relationship, including communicating with Customer and Users in accordance with account preferences, responding to inquiries, and providing technical support;

  3. To facilitate security, fraud prevention, performance monitoring, business continuity, and disaster recovery activities; and

  4. To perform core business functions, such as accounting, billing, audit, and tax compliance.

(c) CarbonX Usage Data.
CarbonX will process Usage Data as an independent Controller for the following purposes:

  1. To provide, optimize, secure, and maintain the Products and related infrastructure;

  2. To enhance and personalize the user experience; and

  3. To support CarbonX’s internal analytics and business strategy development.

(d) Description of the Processing.
A detailed description of the Processing of Personal Data performed by CarbonX, including categories of data, data subjects, and processing activities, is provided in Schedule 1 (Description of Processing).

1.2 Term of the DPA

The term of this DPA shall commence on the Effective Date of the Agreement and shall remain in effect for as long as CarbonX processes Customer Personal Data on behalf of the Customer.
Upon expiration or termination of the Agreement (or, if later, upon CarbonX’s cessation of all Processing of Customer Personal Data), this DPA will automatically terminate.

1.3 Order of Precedence

In the event of any conflict or inconsistency among the following documents, the order of precedence shall be:

  1. The applicable terms stated in Schedule 2 (Data Protection Terms) of this DPA;

  2. This DPA; and

  3. The main body of the Agreement.

Notwithstanding the above, any conflicting terms in the Agreement that limit or restrict the data protection obligations of CarbonX under this DPA shall be deemed superseded by this DPA to the extent necessary to ensure compliance with Applicable Data Protection Laws.

2. Processing of Personal Data

2.1 Customer Instructions

CarbonX shall process Customer Personal Data only in accordance with the Customer’s documented, lawful instructions as set out in the Agreement (including this DPA) and the applicable Order(s), and solely as necessary to:

  1. Provide the Products and related Support and Advisory Services to the Customer, and to enable the functionality, configuration, and use of the Products in accordance with the relevant Documentation (including actions initiated by Users within the Cloud Products);

  2. Investigate and remediate security incidents, and to enforce the Acceptable Use Policy, including the prevention and removal of illegal content (such as child sexual abuse material); or

  3. Comply with applicable legal obligations, including responses to lawful requests from competent authorities where required by law.

If CarbonX becomes aware of, or reasonably believes that, a Customer instruction violates Applicable Data Protection Law, CarbonX shall promptly notify the Customer (unless prohibited by law) and may suspend the execution of the affected processing activity until the instruction is clarified, modified, or withdrawn by the Customer.

2.2 Confidentiality

CarbonX shall treat Customer Personal Data as Customer Confidential Information in accordance with the Agreement.
CarbonX ensures that all personnel who are authorized to process Customer Personal Data are:

  • Bound by written or statutory obligations of confidentiality, and

  • Informed of their responsibilities regarding data protection, security, and lawful processing prior to being granted access to Customer Personal Data.

Such confidentiality obligations shall survive the termination of employment or contractual engagement of the relevant personnel.

3. Security

3.1 Security Measures

CarbonX has implemented and will maintain appropriate technical and organizational measures designed to protect the security, confidentiality, integrity, and availability of Customer Data, and to prevent Security Incidents such as unauthorized access, loss, or alteration of data.

The Customer is responsible for configuring the Products and utilizing the security features, settings, and functionalities made available by CarbonX in a manner appropriate to the nature and sensitivity of the Customer Data being processed.

CarbonX’s current Technical and Organisational Security Measures are described in its official documentation.
Customer acknowledges that CarbonX’s Security Measures may evolve with technological advancements and industry standards, and CarbonX may update or modify these measures from time to time, provided that such changes do not materially decrease the overall level of security of the Cloud Products during the applicable Subscription Term.

3.2 Security Incidents

In the event of a Security Incident affecting Customer Personal Data, CarbonX shall:

  1. Notify the Customer without undue delay and, where feasible, no later than seventy-two (72) hours after becoming aware of the Security Incident;

  2. Investigate the cause of the Security Incident, mitigate its adverse effects, and remediate the cause to the extent within CarbonX’s reasonable control; and

  3. Provide assistance to the Customer, upon request and taking into account the nature of processing and information available, by sharing all information reasonably necessary for the Customer to meet its notification and documentation obligations under Applicable Data Protection Laws.

CarbonX’s notification of a Security Incident shall not be construed as an acknowledgment of fault or liability regarding the incident.

All Security Incident notifications will include, to the extent known and permitted by law:

  • A summary of the nature of the incident;

  • The categories and approximate number of affected data subjects and records;

  • The likely consequences of the incident; and

  • The mitigation or remediation measures implemented or proposed by CarbonX.

4. Sub-processing

4.1 General Authorization

By entering into this DPA, the Customer grants general authorization for CarbonX to engage Sub-processors for the Processing of Customer Personal Data.
CarbonX shall:

  1. Enter into a written agreement with each Sub-processor that imposes data protection obligations equivalent to those set out in this DPA and as required under Applicable Data Protection Law; and

  2. Remain fully liable to the Customer for the performance of each Sub-processor’s data protection obligations related to the relevant Processing activities under the Agreement.

CarbonX shall ensure that all Sub-processors provide a level of protection for Customer Personal Data that is no less protective than that required by this DPA.

4.2 Notice of New Sub-processors

CarbonX maintains an up-to-date list of authorized Sub-processors, available to Customers upon request or through CarbonX’s online Sub-processor registry.
This list includes a mechanism through which Customers may subscribe to receive notifications of changes.

CarbonX will provide at least thirty (30) days’ prior written notice (“Sub-processor Notice Period”) before authorizing any new Sub-processor to Process Customer Personal Data. The notice will include the name, location, and intended Processing activities of the proposed Sub-processor.

4.3 Objection to New Sub-processors

During the Sub-processor Notice Period, the Customer may object in writing to CarbonX’s engagement of a new Sub-processor on reasonable, data-protection-related grounds.

If the Customer objects, CarbonX will make commercially reasonable efforts to address the concern by:

  • Providing additional details regarding the Sub-processor’s safeguards;

  • Offering to work with the Sub-processor under additional contractual, technical, or organizational protections; or

  • Allowing the Customer to suspend or terminate the affected portion of the service.

If the parties cannot reach a mutually acceptable resolution, the Customer’s sole and exclusive remedy shall be to terminate the applicable Order for the affected Cloud Product and any related Support and Advisory Services, in accordance with Section 12.2 (Termination for Convenience) of the Agreement.

5. Assistance and Cooperation Obligations

5.1 Data Subject Rights

Taking into account the nature of the Processing and the information available to CarbonX, CarbonX shall provide reasonable and timely assistance to the Customer in order to enable the Customer to respond to requests from data subjects seeking to exercise their rights under Applicable Data Protection Laws.
Such rights may include (where applicable):

  • Access to their personal data,

  • Rectification of inaccuracies,

  • Erasure (“right to be forgotten”),

  • Restriction of processing,

  • Objection to processing, and

  • Data portability.

CarbonX shall, to the extent permitted by law, promptly notify the Customer if it receives a request directly from a data subject concerning Customer Personal Data and shall not respond to such a request except on the Customer’s documented instructions or as required by law.

5.2 Cooperation Obligations

Upon the Customer’s reasonable written request, and taking into account the nature of the Processing and information available, CarbonX shall provide reasonable assistance to the Customer in fulfilling its obligations under Applicable Data Protection Laws, including:

  1. Conducting and documenting Data Protection Impact Assessments (DPIAs);

  2. Engaging in prior consultations with data protection authorities where required; and

  3. Implementing necessary technical and organizational measures to ensure ongoing compliance.

This assistance shall be provided only to the extent that the Customer cannot reasonably fulfill such obligations independently using the information or tools already made available through CarbonX’s documentation or Products.

5.3 Third-Party and Government Requests

Unless prohibited by law, CarbonX shall promptly notify the Customer upon receiving any valid and enforceable subpoena, warrant, court order, or other binding request from a law enforcement or public authority compelling the disclosure of Customer Personal Data.
CarbonX will follow its Law Enforcement Request Guidelines in responding to such requests and will limit disclosure to the minimum amount of information required by law.

If CarbonX receives an inquiry or request for information from any third party (including regulators, data protection authorities, or data subjects) relating to the Processing of Customer Personal Data, CarbonX shall:

  • Redirect the request to the Customer, and

  • Refrain from responding unless required to do so under applicable law.

In such cases, CarbonX will provide reasonable support and cooperation to the Customer in responding to the request, where appropriate and legally permissible.

6. Deletion and Return of Customer Personal Data

6.1 During the Subscription Term

During the Subscription Term, the Customer and its authorized Users may, through the features and functionalities of the Cloud Products, access, retrieve, export, or delete Customer Personal Data at any time in accordance with the Product’s technical capabilities and associated Documentation.
CarbonX shall ensure that such features are implemented in a secure and auditable manner consistent with the principles of data integrity and availability.

6.2 Post-Termination

Upon the expiration or termination of the Agreement, CarbonX shall, in accordance with the applicable Documentation and Customer’s written instructions, delete all Customer Personal Data processed on behalf of the Customer.

Notwithstanding the foregoing, CarbonX may retain Customer Personal Data:

  1. As required by Applicable Data Protection Laws, or

  2. In accordance with CarbonX’s standard backup, archival, or record retention policies, to the extent retention is strictly necessary for legitimate business, legal, or regulatory purposes.

In either case, CarbonX shall:

  • Maintain the confidentiality and security of all retained Customer Personal Data;

  • Ensure that such data is isolated from further active Processing; and

  • Process the retained data only as necessary to comply with its legal or contractual obligations.

Following the conclusion of the retention period, CarbonX shall ensure that all Customer Personal Data is securely deleted or rendered permanently irretrievable, in accordance with recognized industry standards for data sanitization.

7. Audit

7.1 Audit Reports

CarbonX undergoes regular independent third-party audits and internal compliance assessments covering its security, privacy, and operational controls, as described in its official compliance documentation.

Upon the Customer’s written request, and subject to the execution of an applicable non-disclosure agreement (NDA) between the parties, CarbonX shall provide the Customer with a summary copy of the relevant audit report(s) (“Report”).
These Reports are intended to enable the Customer to reasonably verify CarbonX’s compliance with the applicable audit standards, security certifications, and this DPA.

If the information contained in such Reports does not reasonably enable the Customer to verify CarbonX’s compliance with this DPA, CarbonX will provide written responses (on a confidential basis) to all reasonable requests for additional information related to its processing of Customer Personal Data.
This right may be exercised no more than once every twelve (12) months, unless otherwise required by Applicable Data Protection Law.

7.2 On-Site Audits

Only to the extent that the Customer cannot reasonably verify CarbonX’s compliance through the provisions of Section 7.1, or where required by Applicable Data Protection Law or a competent regulatory authority, the Customer (or its authorized representative) may, at its own expense, conduct an on-site audit or inspection of CarbonX’s facilities and data processing systems.

Any such audit shall:

  1. Be conducted during CarbonX’s regular business hours and subject to reasonable advance written notice of at least sixty (60) calendar days, unless a shorter notice period is required by Applicable Data Protection Law or a regulatory authority;

  2. Be subject to reasonable confidentiality obligations, including NDAs, ensuring that all proprietary or confidential information disclosed by CarbonX remains protected;

  3. Be limited to once every twelve (12) months, unless otherwise required by Applicable Data Protection Law; and

  4. Be narrowly scoped to information necessary to verify compliance with this DPA and limited to Customer-related processing activities.

Audits shall be conducted in a manner that minimizes disruption to CarbonX’s business operations and to the security or confidentiality of its systems and other customers’ data.
CarbonX reserves the right to charge a reasonable fee for the time and resources expended in connection with such audits, particularly where the Customer requests audits beyond those required by law.

8. International Provisions

To the extent that CarbonX processes Personal Data protected by Applicable Data Protection Laws in one or more of the regions listed in Schedule 2 (Region-Specific Terms), the region-specific provisions set forth therein shall apply in addition to the terms of this DPA.

These provisions may include, without limitation, requirements and safeguards relating to the international transfer of Personal Data (whether through direct transfers or onward transfers) to jurisdictions outside the originating region.

Where applicable, such transfers shall be conducted in compliance with the relevant cross-border transfer mechanisms, including but not limited to:

  • The EU Standard Contractual Clauses (SCCs) adopted by the European Commission;

  • The UK International Data Transfer Addendum (IDTA) issued by the UK Information Commissioner’s Office;

  • The Swiss Federal Data Protection and Information Commissioner (FDPIC) transfer provisions; and/or

  • Any other valid transfer mechanism recognized under Applicable Data Protection Laws.

CarbonX shall implement and maintain all necessary technical, contractual, and organizational measures to ensure that such international data transfers afford a level of protection for Customer Personal Data that is consistent with the requirements of the originating jurisdiction.

9. Definitions

“Applicable Data Protection Law” means all data protection, privacy, and security laws and regulations applicable to the Processing of Personal Data under the Agreement, including, where applicable, the EU General Data Protection Regulation (GDPR), the Swiss Federal Act on Data Protection (FADP), the UK GDPR, and other similar laws governing the protection of Personal Data.

“CarbonX Account Data” means Personal Data relating to the Customer’s relationship with CarbonX, including, without limitation:

  1. Users’ account information (e.g., name, email address, or CarbonX Account ID (AAID));

  2. Billing and contact information of individuals associated with the Customer’s CarbonX account (e.g., billing address, email address, or name);

  3. Users’ device and connection information (e.g., IP address, browser type, or system logs); and

  4. The content or description of technical support requests (excluding attachments) together with any associated Support Entitlement Number (SEN).

“CarbonX Usage Data” means Personal Data related to, or obtained in connection with, the use, performance, operation, or support of the Products, including integrations with Third-Party Products.
CarbonX Usage Data may include event names (e.g., actions performed by Users), event timestamps, diagnostic data, browser information, file sizes, metadata, and other telemetry or analytical information generated through the Customer’s use of the Products and connected Third-Party Products.
For clarity, CarbonX Usage Data does not include Customer Personal Data.

“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Customer Personal Data” means any Personal Data contained in Customer Data and/or Customer Materials that CarbonX processes under the Agreement solely on behalf of the Customer and in accordance with the Customer’s documented instructions.
For clarity, Customer Personal Data includes any Personal Data submitted by the Customer or its Users within Product environments or attachments provided in technical support requests.

“Personal Data” means any information relating to an identified or identifiable natural person, or any information otherwise defined as “personal data,” “personal information,” “personally identifiable information,” or similar terms under Applicable Data Protection Law.

“Processing” (and “Process”) means any operation or set of operations performed on Personal Data, whether or not by automated means, including but not limited to collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination, alignment or combination, restriction, erasure, or destruction.

“Processor” means the entity that Processes Personal Data on behalf of the Controller.

“Security Incident” means any confirmed or reasonably suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data Processed by CarbonX or its Sub-processors.

“Sub-processor” means any third party (including CarbonX Affiliates) engaged by CarbonX to Process Customer Personal Data on behalf of the Customer in connection with the Agreement.

Schedule 1 – Description of Processing

This Schedule forms part of the Data Processing Addendum (DPA) between CarbonX and the Customer, and describes the categories of data subjects, types of Personal Data, and purposes for which Personal Data is processed under the Agreement.

1. Categories of Data Subjects

The categories of data subjects whose Personal Data may be processed include:

  • The Customer and its authorized Users, including employees, contractors, consultants, or other individuals authorized to access or use the Products on the Customer’s behalf.

2. Categories of Personal Data Processed

The Personal Data processed may include the following categories:

  • CarbonX Account Data

  • CarbonX Usage Data

  • Customer Personal Data

as each term is defined in Section 9 (Definitions) of this DPA.

3. Sensitive Data

  • CarbonX Account Data and CarbonX Usage Data do not include any data revealing:
    (i) racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership;
    (ii) genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a person’s sex life or sexual orientation; or
    (iii) data relating to criminal convictions and offences (collectively, “Sensitive Data”).

  • Subject to Section 6.3 of the Agreement (Sensitive Health Information and HIPAA), the Customer or its Users may upload content to the Cloud Products that contains Sensitive Data, the extent and nature of which are determined and controlled solely by the Customer.

4. Frequency of the Transfer

  • The transfer of Personal Data occurs on a continuous and ongoing basis during the Subscription Term.

5. Nature of the Processing

CarbonX processes Personal Data as necessary to:

  • Provide and operate the Products and related Support and Advisory Services in accordance with the Agreement;

  • Enable Product functionality, configuration, and integrations as described in the applicable Documentation; and

  • Perform technical operations such as collection, structuring, storage, retrieval, transmission, and other automated processing activities required for Product performance.

Further details regarding the nature and scope of processing are described in the relevant Orders and Product Documentation.

6. Purposes of the Processing

6.1 Customer Personal Data
CarbonX processes Customer Personal Data as a Processor, in accordance with the Customer’s documented instructions as set out in Section 2.1 (Customer Instructions) of the DPA.

6.2 CarbonX Account Data and CarbonX Usage Data
CarbonX processes CarbonX Account Data and CarbonX Usage Data as a Controller for the limited and specified purposes outlined in Section 1.1 (Roles of the Parties), including service provision, performance optimization, analytics, and business operations.

7. Duration of Processing

7.1 Customer Personal Data
CarbonX processes Customer Personal Data for the term of the Agreement, as described in Section 6 (Deletion and Return of Customer Personal Data).

7.2 CarbonX Account Data and CarbonX Usage Data
CarbonX processes Account Data and Usage Data only for as long as necessary:
(a) to provide the Products and related Support and Advisory Services in accordance with the Agreement;
(b) to support CarbonX’s legitimate business purposes outlined in Section 1.1 (Roles of the Parties); or
(c) as required by Applicable Data Protection Law.

8. Transfers to Sub-processors

CarbonX may transfer Customer Personal Data to Sub-processors as permitted under Section 4 (Sub-processing) of this DPA.
All such transfers shall be governed by written agreements imposing data protection obligations equivalent to those contained in this DPA and consistent with Applicable Data Protection Law.