SysAid Data Processing Addendum (“DPA”)

This Data Processing Addendum (“DPA”) is incorporated into and is subject to SysAid’s Terms and Conditions (“Terms”) entered into by and between the SysAid entity (“SysAid“) listed on Your Order Documents (Order Documents and Terms collectively, “Agreement”) and the party identified as “You” or “Customer” in Your Order Documents and its Affiliates; its purpose is to incorporate the data processing terms below into an Addendum to the underlying agreement. Both parties shall be referred to as the “Parties” and each, a “Party”.

WHEREAS, These data processing terms are required by the laws and regulations of certain jurisdictions, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data (defined below) and on the free movement of such data(General Data Protection Regulation) (“GDPR“), including, as applicable, as adopted under the Data Protection Act 2018 of the United Kingdom (“UK GDPR”) and including California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and any subsequent modifications and amendments (“CCPA“) to govern SysAid processing Personal Data of Your data subjects, in the course of providing the Services to You under the Agreement and this DPA applies where and only to that extent. This Addendum shall not impose any obligations beyond those required by applicable laws, including, without limitation the GDPR, the UK GDPR and the CCPA. 

You represent and warrant that you have full authority to bind Your entity to this DPA and that You have read and understood and agree to comply with this DPA. If you cannot, or do not agree to, comply with and be bound by this DPA, or lack the authority to bind Your entity, do not provide Personal Data to us. 

The DPA shall enter into force and become binding upon execution or acceptance of the underlying agreement. 

1. DEFINITIONS

The headings contained in this DPA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this DPA. Capitalized terms not defined herein shall have the meaning set forth in the Agreement, the GDPR or the CCPA accordingly.

1.1. “Authorized User” means any individual authorized or otherwise enabled by You to use the Service through Your account.

1.2. “Controller”, “Data Subject” “Personal Data”, “Personal Information“, “Processing”, “Processor”, “Sell“, “Share” along with any other terms specifically defined in the Data Privacy Laws shall have the meanings given in the Data Privacy Laws. For the purposes of this DPA only, and except where indicated otherwise, the term “Controller” shall include You and/or Your authorized affiliates; and “Processor” shall reference SysAid.1.3. “Customer Data” means content and/or data provided to SysAid by or on Your behalf in connection with using SysAid’s Services. 

1.4. “Data Protection Laws” or “Data Privacy Laws” means all applicable laws and regulations relating to the processing of Personal Data, including US Data Protection Laws (including without limitation the CCPA) and the Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) and repealing Directive 95/46/EC (General Data Protection Regulation), (“GDPR”) and with respect to the United Kingdom, the Data Protection Act of 2018 as well as the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419) (“UK GDPR”), together with the codes of practice, conduct, regulatory guidance and standard contractual clauses and other related legislation resulting from such regulations, as updated from time to time that are applicable to the processing of Your Personal Data under this DPA;

.1.5. “Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR.

1.6. “Personal Data Breach” means a confirmed breach of security leading to the destruction, loss, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by SysAid on Your behalf under the Agreement.

1.7. “Sensitive Data” means Personal Data that is protected under a special legislation and requires unique treatment, such as “special categories of data”, “sensitive data” or other materially similar terms under applicable Data Protection Laws, which may include any of the following: (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number; (c) financial, credit, genetic, biometric or health information; (d) information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offenses; and/or (e) account passwords in unhashed form.

1.8. “Standard Contractual Clauses”, (hereinafter, “SCCs”) means where the GDPR applies, the standard contractual clauses for the transfer of Personal Data to Data Processors established in third countries set out in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council and where the UK GDPR, the applicable standard data protection clauses for processors adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR, as amended from time by competent authority under the relevant Data Privacy Laws (available at: https://eur- lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en). This DPA incorporates by reference the EU 2021 SCCs and the Parties are deemed to have accepted and signed the EU 2021 SCCs where necessary in their entirety, including the annexures thereto.

1.9. “Sub-Processor” means any third-party service provider engaged by SysAid and/or SysAid affiliates to process Personal Data on behalf of Customer.

2. Confidentiality. 

2.1. SysAid shall take reasonable steps to ensure that access to Your Personal Data is limited to persons under SysAid authority (including, without limitation, SysAid’s personnel) only on a need to know basis and that all persons authorized to process or otherwise gain access to Your Personal Data, have committed themselves to confidentiality undertakings or are under statutory or professional obligations of confidentiality. 

2.2. SysAid may disclose and Process the Personal Data (a) as permitted hereunder (b) to the extent required by a court of competent jurisdiction or other Supervisory Authority and/or otherwise as required by applicable laws or applicable Data Protection Laws and Regulations (in such a case, SysAid shall inform the Customer of the legal requirement before the disclosure, unless that law prohibits such information on grounds of public interest), or (c) on a “need-to-know” basis under an obligation of confidentiality to legal counsel(s), data protection advisor(s), accountant(s), investors or potential acquirers.

2.3. SysAid shall employ commercially reasonable efforts to ensure persons authorized to process Your Personal Data on its behalf, have received appropriate training on their responsibilities, and have executed written confidentiality agreements. SysAid shall treat Your Personal Data as Confidential Information and will not disclose, make it available for transfer to any third party, other than as permitted under this DPA or pursuant to a legal obligation.

3. Term. This DPA will commence and become legally binding on the earlier of the effective date of the Agreement, or the first time SysAid processes Personal Data on Your behalf; and will continue until the Agreement expires or is terminated.
4. DATA PROCESSING

4.1. Scope and Roles. For all purposes hereunder with respect to processing of Personal Data, You shall be and act as the “Controller” of all Personal Data and shall comply with the obligations imposed on You as the Controller (including, without limitation, Article 24 of the GDPR), and SysAid shall be and act as the “Processor” and will comply with the requirements of the Processor as defined in Article 4 of the GDPR (or its equivalent under other applicable Data Privacy Laws). You shall provide documented and/or written instructions for the Processing of Your Personal Data in compliance with Data Privacy Laws and SysAid shall not Process Your Personal Data other than as indicated in Your instructions as expressed in the Agreement, this DPA or otherwise requested by You, unless Processing is required by applicable law to which You or SysAid are subject to. You shall ensure that Your Instructions comply with all laws and regulations applicable thereto and that the Processing of Your Personal Data in accordance with Your instructions shall not cause Processor to be in breach of Data Privacy Laws or any other applicable law. You warrant that You have undertaken due diligence with regards to SysAid’s Processing procedure and technical and organizational measures and that You are satisfied that SysAid’s Processing operations are suitable and appropriate for the purposes for which You propose to use the Services and the Processing of the Customer Data taking into account the state of the art, the costs of implementation, nature, scope, context and purposes of the processing of Personal Data.

4.2 You shall have sole responsibility for the means by which You acquired Personal Data. Without limitation, You shall comply with any and all transparency-related obligations (including, without limitation, displaying any and all relevant and required privacy notices or policies) and shall at all times have any and all required ongoing legal bases in order to collect, Process and transfer to SysAid the Personal Data and to authorize the Processing by SysAid of the Personal Data which is authorized in this DPA. You shall defend, hold harmless and indemnify SysAid, SysAid’s affiliates and subsidiaries (including without limitation their directors, officers, agents, subcontractors and/or employees) from and against any liability of any kind related to any breach, violation or infringement by You and/or its authorized users of any Data Protection Laws and Regulations and/or this DPA and/or this Section.

4.3. Type of Personal Data and Categories of Data Subjects. You and Your Authorized Users determine what content is uploaded into the Service including the existence of any Personal Data; SysAid shall have no control over what Personal Data is processed on Your behalf. To that end, You shall have sole responsibility for the accuracy, quality, and legality of Personal Data uploaded to the Services and the means by which You acquired Personal Data. You certify that the Personal Data inputted into the System has been collected, processed and transferred in compliance with the laws and regulations applicable to You as a Controller, including, as applicable, where Controller has acquired the required consents from Data Subjects for Processing by SysAid under this DPA and the Agreement. Personal Data may include, without limitation, basic user information, including names, mailing addresses, email addresses, telephone and other contact information, general usage information, including connection data (IP addresses), supplier/vendor information. You may also upload additional types of Personal Data but shall not upload the Special Categories of Personal Data described in Article 9(1) of the GDPR or any other data prohibited by the Agreement or the GDPR.

4.4. Sensitive Data. The Parties agree that the Service is not intended for the processing of Sensitive Data, and that if Customer wishes to use the Services to process Sensitive Data, it must first obtain SysAid’s explicit prior written consent and potentially enter into additional agreements.

4.5. Processing. Where Personal Data is Processed by SysAid under or in connection with this Addendum, SysAid shall only Process, transfer, modify, amend or alter the Personal Data in accordance with Your  reasonable documented instructions (resulting directly from the provisions of the Agreement or that are reasonably required for proper performance by SysAid of its obligations),  including in order to contact You or Your authorized users with registered accounts regarding the use of the services, unless required otherwise by EU or Member State law to which SysAid is subject, in which case SysAid shall inform You of that legal requirement before Processing that Personal Data, unless that law prohibits such information being provided on important grounds of public interest. You shall ensure that Your instructions comply with all laws and regulations applicable thereto and that the Processing of Your Personal Data in accordance with Your instructions shall not cause SysAid to be in breach of Data Privacy Laws or any other applicable law. You warrant that You have undertaken due diligence with regards to SysAid’s Processing procedure and that  You are satisfied that SysAid’s Processing operations are suitable for the purposes for which You propose to use the Services.

4.6 To the extent that SysAid or its Affiliates cannot comply with a request (including, without limitation, any instruction, direction, code of conduct, certification, or change of any kind) from Customer and/or its authorized users relating to Processing of Personal Data or where SysAid considers such a request to be unlawful, SysAid: (i) shall inform You, providing relevant details of the problem (but not legal advice), (ii) SysAid may, without any kind of liability towards You, temporarily cease all Processing of the affected Personal Data (other than securely storing those data), and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, each Party may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Processing, and Customer shall pay to SysAid all the amounts owed to SysAid or due before the date of termination. You will have no further claims against SysAid (including, without limitation, requesting refunds for Services) due to the termination of the Agreement and/or the DPA in the situation described in this paragraph (excluding the obligations relating to the termination of this DPA set forth below). 

4.7 SysAid will not be liable in the event of any claim brought by a third party, including, without limitation, a Data Subject, arising from any act or omission of SysAid, to the extent that such is a result of Your instructions.

4.8. Cooperation. SysAid shall, and shall procure that its agents, subcontractors and employees, cooperate as reasonably requested by You and to the extent necessary to enable You to comply with any exercise of rights by a Data Subject under the Data Protection Laws in respect of Personal Data processed by SysAid under the Agreement or comply with any assessment, enquiry, notice or investigation under the Data Protection Laws, including by any regulator, subject to reasonable advance notice and without prejudice to SysAid’s right to charge You any reasonable costs for such assistance.

4.9. Storage. Data that SysAid Processes for You will be stored as locally as possible and will otherwise process data in accordance with SysAid’s Privacy Policy; to learn where Your data is stored, see here.

5. Cross Border Data Transfers. 

5.1. Personal Data may be transferred from the EU Member States, the three EEA member countries (Norway, Liechtenstein and Iceland) (collectively, “EEA”), the United Kingdom to countries that offer adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the Union, the Member States or the European Commission, the UK supervisory authority (“Adequacy Decisions”), without any further safeguard being necessary.

5.2. To the extent that there is Processing of Personal Data which includes transfers from the EEA, the UK to countries which do not offer adequate level of data protection or which have not been subject to an Adequacy Decision (“Other Countries”), the below terms shall apply:

a) With respect to the EU transfers of Personal Data, You as a Data Exporter (as defined in the SCCs) and SysAid as a Data Importer (as defined in the SCCs) hereby enter into the SCC set out in Exhibit B. To the extent that there is any conflict or inconsistency between the terms of the SCC and the terms of this DPA, the terms of the SCCs shall take precedence.

b) With respect to the UK transfers of Personal Data (from the UK to other countries which have not been subject to a relevant Adequacy Decision), You as a Data Exporter (as defined in the UK SCCs) and SysAid as a Data Importer (as defined in the UK SCCs), hereby enter into the UK SCC set out in Exhibit B. To the extent that there is any conflict or inconsistency between the terms of the UK SCC and the terms of this DPA, the terms of the UK SCC shall take precedence

6. Customer’s Processing Instructions. This DPA and the Agreement are Your complete and final instructions at the time of signature of the Agreement to SysAid for the Processing of Personal Data. Any additional or alternate instructions must be agreed upon separately and in writing. For the purposes of Clause 5(a) of the Standard Contractual Clauses, the following is deemed an instruction by the Customer to process Personal Data: (a) Processing in accordance with the Agreement and applicable Order Form(s); (b) Processing initiated by Users in  their use of the Service and (c) Processing to comply with other reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.

7. Changes in Data Protection Laws. If any variation is required to this Addendum as a result of a change in Data Protection Law, either Party may provide written notice to the other party of that change in law. The Parties will discuss and negotiate in good faith any necessary variations to this Addendum to address such changes. SysAid shall notify You after it determines that it can no longer meet its obligations under applicable laws, in which case, You may terminate exclusively the portions of the Services that are not in compliance with applicable laws.

8. Sub-Processors. 

8.1 You acknowledge and agree and hereby grant a general authorization for SysAid to engage subcontractors to process Your Personal Data on Your behalf (“Sub-Processors”) in order to provide the Services under a written contract or other legal act under applicable law. SysAid will restrict Sub-Processors’ access to Your Data, unless and to the extent such is necessary to enable or assist SysAid in providing or maintaining the Services. In the event a Sub-Processor fails to fulfill its data protection obligations in connection with the Processing of Your Personal Data under this DPA, SysAid remains liable to You for said Sub-processor’s data protection obligations under this DPA, in accordance with the underlying Agreement’s liability section.

8.2. SysAid performs due diligence on Sub-Processors’ information security standards and data protection compliance. Prior to engaging with a Sub-Processor, SysAid ensures that the Sub-Processor commits to a written obligation regarding their security standards and controls and processes relating to Personal Data protection, including, where applicable safeguards implemented govern international data transfers.

8.3. SysAid’s current Sub-processor list is in Exhibit A and it is hereby approved by You. If You want to be notified before the appointment of new Sub-processors in connection with the provision of the Services, You shall send an email to SysAid’s customer support team with the subject SUBSCRIPTION TO SUB-PROCESSOR NOTIFICATION. 

8.4 You may reasonably object to SysAid’s use of a Sub-processor for reasons related to the GDPR or UK GDPR (as can be demonstrated by Customer) by notifying SysAid promptly in writing within three (3) business days after receipt of SysAid’s notice in accordance with the mechanism set out in Section 8.3. Failure to object to such Sub-processor in writing within three (3) business days following SysAid’s notice shall be deemed as acceptance of the Sub-Processor. In the event Customer reasonably objects to a Sub-processor, as permitted in the preceding sentences, SysAid will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s use of the Services to avoid Processing of Personal Data by the objected-to Sub-processor without unreasonably burdening the Customer. If SysAid is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may, as a sole remedy, terminate the applicable Agreement and this DPA with respect only to those Services which cannot be provided by SysAid without the use of the objected-to Sub-processor by providing written notice to SysAid provided that all amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to SysAid. 

8.5 This Section ‎8 does not refer and shall not apply to subcontractors of SysAid which provide ancillary services to support the performance of the DPA. This includes, for example, telecommunication services, maintenance and user service, cleaning staff, or auditors.

9. Data Subject Rights. Data Controller shall be solely responsible for compliance with any obligations concerning Data Subject requests and rights under Data Protection Laws, such as access to, rectification or deletion of Customer Personal Data. Considering the nature of the Processing, SysAid shall endeavor to assist You insofar as practicable, to comply with Your said obligations with respect to such Data Subject requests at Your sole expense. SysAid shall, to the extent legally permitted,  (i) promptly notify You if it receives a request from a Data Subject under any Data Protection Law with respect to any Customer Personal Data; and (ii) forward such data subject request to You; and (iii) shall not respond to any request except pursuant to Your documented instructions or as required by applicable law to which the Processor is subject, in which case SysAid shall, to the extent permitted by law, inform You of that legal requirement before it responds to the request.
10. Personal Data Breach. 

10.1 SysAid will maintain security incident management policies and procedures and, to the extent required under applicable Data Protection Laws, immediately commence all reasonable efforts to investigate and solve the causes the remediate the breach, and will notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer’s Personal Data, including Customer’s Personal Data, transmitted, stored or otherwise Processed by SysAid  or a SysAid Sub-Processor of which SysAid becomes aware (“Personal Data Breach“). SysAid’s notice will at least: (a) describe the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (b) communicate the name and contact details of a designated officer on SysAid’s data protection team, which will be available to provide any additionally available information about the Personal Data Breach; (c) describe the likely consequences of the Personal Data Breach; (d) describe the measures taken or proposed to be taken by SysAid to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay. Upon Your request, remediation actions and reasonable assurance of resolution of discovered issues shall be provided to Controller, to the extent the remediation is within SysAid’s reasonable control. Customer will be the party responsible for notifying supervisory authorities and/or concerned data subjects (where required by Data Protection Laws and Regulations).

11. Data Protection Impact Assessment and Prior Consultation. If, pursuant to Data Protection Law, You are required to perform a data protection impact assessment or prior consultation with a regulator, at Your request, SysAid will provide such documents as are generally available for the Services (for example Certifications). Any additional assistance shall be mutually agreed between the parties and SysAid has the right to charge You for any reasonable costs for such assistance.
12. Security and Audit. 

12.1 Taking into account the state of the art, the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, SysAid shall implement and maintain industry-standard and otherwise appropriate technical and organizational measures pursuant to Article 32 of the GDPR to ensure a level of security appropriate to the risk presented by the Services. Upon the Customer’s request, SysAid will use commercially reasonable efforts to assist Customer, at Customer’s cost, in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of the processing, the state of the art, and the information available to SysAid. Both Parties acknowledge that security measures are subject to progress and change in response to the current situation and that SysAid may alter the security measures from time to time, provided that such modifications do not degrade or diminish the overall level of security appropriate to the risk presented by the Services. SysAid shall ensure that SysAid’s access to Personal Data be limited to those requiring such access to substantially perform its obligations under this Agreement. A description of SysAid’s Data Security Measures can be found here. Upon request at reasonable intervals and subject to confidentiality obligations, SysAid shall make available to You relevant information necessary, to the extent such is not available under the Agreement,  to demonstrate SysAid’s compliance under this Section, provided that such information only be used to assess our compliance hereto and shall not be disclosed to any third party without SysAid’s prior written approval. At Customer’s cost and expense, SysAid shall allow for and may contribute to audits, in no event more than once a year, with prior notification of at least 20 business days, including inspections, conducted by  You or another auditor mandated by You (so long as such auditor is not a direct or indirect competitor of SysAid),  without prejudice to SysAid’s right to charge You for any reasonable costs for such assistance, provided that the Parties shall agree on the scope, methodology and timing of such audits and inspections. Notwithstanding anything to the contrary, such audits and/or inspections shall not contain any information, including without limitation, Personal Data that does not belong to You.

11.2 Nothing in this DPA will require SysAid either to disclose to Customer (and/or its authorized auditors), or provide access to: (i) any data of any other customer of SysAid; (ii) SysAid’s internal accounting or financial information; (iii) any trade secret of SysAid; or (iv) any information that, in SysAid’s sole reasonable discretion, could compromise the security of any of SysAid’s systems or premises or cause SysAid to breach obligations under any applicable law or its obligations to any third party.

12. Limitation of Liability. Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates of Customer and SysAid, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together. 
13. Return or Deletion of Personal Data. Upon termination or expiration of the Agreement, SysAid shall (at Customer’s election) return or to the fullest extent technically feasible delete all Customer Data in its possession or control. This requirement shall not apply to the extent SysAid is required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems (e.g., in the form of audit logs), which Customer Data SysAid shall securely isolate and protect from any further Processing, except to the extent required by applicable law. If the Customer requests the Personal Data to be returned, the Personal Data shall be returned in the format generally available for SysAid’s customers.
14. Termination. SysAid shall, and shall procure that its Sub-Processors, subject to the requirements of any applicable Exit Plan, cease Processing Your Personal Data upon the termination of the Agreement or, if sooner, the Service to which it relates and, either return or delete the Personal Data and any copies of it or of the information it contains, without prejudice to any EU or Member State legal obligations for SysAid to store or archive such Personal Data. Sections 4.2, 9, 12, 13 and 16 shall survive the termination or expiration of this DPA for any reason. This DPA cannot, in principle, be terminated separately to the Agreement, except where the Processing ends before the termination of the Agreement, in which case, this DPA shall automatically terminate.
15. CCPA. To the extent that the Personal Data is subject to the CCPA, SysAid shall not sell or share Customer’s Personal Data. SysAid acknowledges that when processing Personal Data in the context of the provision of the Services, Customer is not selling or sharing Personal Data to SysAid. SysAid agrees not to retain, use or disclose Customer Personal Data: (i) for any purpose other than the Business Purpose (as defined below); (ii) for no other commercial or Business Purpose; or (iii) outside the direct business relationship between SysAid and Customer. Notwithstanding the foregoing, SysAid may use, disclose, or retain Customer Personal Data to: (i) transfer the Personal Data to other SysAid’s entities (including, without limitation, affiliates and subsidiaries), service providers, third parties and vendors, in order to provide the Services to Customer; (ii) to comply with, or as allowed by, applicable laws; (iii) to defend legal claims or comply with a law enforcement investigation; (ii) for internal use by SysAid to build or improve the quality of its services and/or for any other purpose permitted under the CCPA; (iii) to detect data security incidents, or protect against fraudulent or illegal activity; and (iv) collect and analyse anonymous information. SysAid shall use commercially reasonable efforts to comply with its obligations under CCPA. If SysAid becomes aware of any material applicable requirement (to SysAid as a service provider) under CCPA that SysAid cannot comply with, SysAid shall use commercially reasonable efforts to notify Customer. Upon written Customer’s notice, SysAid shall use commercial reasonable and appropriate steps to stop and remediate SysAid alleged unauthorized use of Personal Data; provided that Customer must explain and demonstrate in the written notice which processing activity of Personal Data it considers to be unauthorized and the applicable reasons. SysAid shall use commercially reasonable efforts to enable Customer to comply with consumer requests made pursuant CCPA. Notwithstanding anything to the contrary, Customer shall be fully and solely responsible for complying with its own requirements under CCPA. “Business purpose” means the Processing activities that SysAid will perform to provide Services (as described in the Agreement), this DPA and any other instruction from Customer, as otherwise permitted by applicable law, including, CCPA and the applicable regulations, or as otherwise necessary to provide the Services to Customer.
16. Miscellaneous. This DPA may not be amended or modified except by a written instrument signed by both Parties. This DPA may be executed in counterparts. Either Party may assign this DPA including its rights or obligations hereunder to any affiliate thereof, or to a successor or any affiliate thereof, in connection with a merger, consolidation or acquisition of all or substantially all of its shares, assets or business relating to this DPA or the Agreement. Any SysAid obligation hereunder may be performed (in whole or in part), and any SysAid right (including invoice and payment rights) or remedy may be exercised (in whole or in part), by an affiliate of SysAid. In the event of any conflict or inconsistency between certain provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement solely with respect to the Processing of Personal Data. Notwithstanding anything to the contrary in the Agreement and/or in any agreement between the parties and to the maximum extent permitted by law: (A) SysAid’s (including SysAid’s affiliates’) entire, total and aggregate liability, related to personal data or information, privacy, or for breach of, this DPA and/or Data Protection Laws and Regulations, including, without limitation, if any, any indemnification obligation or applicable law regarding data protection or privacy, shall be limited to the amounts paid to SysAid under the Agreement within twelve (12) months preceding the event that gave rise to the claim. This limitation of liability is cumulative and not per incident; (B) In no event will SysAid and/or SysAid affiliates and/or their third-party providers, be liable under, or otherwise in connection with this DPA for: (i) any indirect, exemplary, special, consequential, incidental or punitive damages; (ii) any loss of profits, business, or anticipated savings;  (iii) any loss of, or damage to data, reputation, revenue or goodwill; and/or (iv) the cost of procuring any substitute goods or services; and (C) The foregoing exclusions and limitations on liability set forth in this Section shall apply: (i) even if SysAid, SysAid affiliates or third-party providers, have been advised, or should have been aware, of the possibility of losses or damages; (ii) even if any remedy in this DPA fails of its essential purpose; and (iii) regardless of the form, theory or basis of liability (such as, but not limited to, breach of contract or tort). This DPA supersedes any prior DPA or similar terms between the Parties. The Parties to this DPA submit to the choice of jurisdiction and governing law stipulated to in the Agreement. This DPA shall only become legally binding between Customer and SysAid when the formalities steps set out in the Section “INSTRUCTIONS ON HOW TO EXECUTE THIS DPA” below have been fully completed.
17. SIGNATURE. The Parties represent and warrant that they each have the power to enter into, execute, perform and be bound by this DPA. You, as the signing person on behalf of Customer, represent and warrant that you have, or you were granted, full authority to bind the Customer and, as applicable, its Authorized Affiliates to this DPA. If you cannot, or do not have authority to, bind the Customer and/or its Authorized Affiliates, you shall not supply or provide Personal Data to SysAid. By signing this DPA, Customer enters into this DPA on behalf of itself and, to the extent required or permitted under applicable Data Protection Laws and Regulations, in the name and on behalf of its Authorized Affiliates, if and to the extent that SysAid processes Personal Data for which such Authorized Affiliates qualify as the/a “data controller”. 

Exhibit A
Sub-processor’s list

Our current list of sub-processors is: