TEK Electronics Data Processing Agreement

Date: August 5, 2021

This Data Processing Agreement (“DPA”) is incorporated into and forms a part of the Archiving Subscription Agreement, Archiving Terms of Service, or other applicable service or subscription agreement between you and TEK Electronics with respect to your use of the Archiving Services (“TEK Electronics Agreement”). This DPA sets out data protection requirements with respect to the processing of Customer Personal Data (as defined below) that is collected, stored, or otherwise processed by TEK Electronics for the purpose of providing the Archiving Services. This DPA is effective on the effective date of the TEK Electronics Agreement, unless this DPA is separately executed in which case it is effective on the date of the last signature.

1. Definitions.

The following terms have the following meanings when used in this DPA. Any capitalized terms that are not defined in this DPA have the meaning provided in your TEK Electronics Agreement.

“California Consumer Privacy Act of 2018” or “CCPA” means the California Consumer Privacy Act of 2018, as may be amended from time to time.

“Customer,” “you” and “your” means the organization that agrees to an Order Form, or uses the Archiving Services subject to the relevant TEK Electronics Agreement.

“Customer Personal Data” means any personal data that Customer uploads into the Archiving Services that is processed by TEK Electronics.

“Data Protection Law” means CCPA, and any other data protection legislation applicable to the respective party in its role in the processing of Customer Personal Data under the TEK Electronics Agreement.

“Data Subject Request” has the meaning given to it in Section 4.1.

“Subprocessor” means any third-party data processor engaged by TEK Electronics to process Customer Personal Data.

“Technical and Organizational Security Measures” has the meaning given to it in Section 3.2.

2. Data Processing.

2.1. Scope and Roles.

This DPA applies when TEK Electronics processes Customer Personal Data in the course of providing the Archiving Services. In this context, TEK Electronics is a “processor” to Customer, who may act as either a “controller” or “processor” with respect to Customer Personal Data.

2.2. Details of the Processing.

2.2.1. Subject Matter.

The subject matter of the data processing under this DPA is Customer Personal Data.

2.2.2. Duration.

The duration of the data processing under this DPA is until the expiration or termination of the TEK Electronics Agreement in accordance with its terms.

2.2.3. Nature and Purpose.

The purpose of the data processing under this DPA is the provision of the Archiving Services to Customer in accordance with the TEK Electronics Agreement.

2.2.4. Types of Customer Personal Data.

The types of Customer Personal Data processed under this DPA include any Customer Personal Data uploaded to the Archiving Services by Customer.

2.2.5. Categories of Data Subjects.

The data subjects may include Customer’s customers, employees, suppliers, and end users, or any other individual whose personal data Customer uploads to the Archiving Services.

2.2.6. Processing Operations.

The objective of the processing of Customer Personal Data by TEK Electronics is the provision of Archiving Services to the Customer in accordance with the TEK Electronics Agreement.

2.3. Compliance with Laws.

Each party will comply with all applicable Data Protection Law in relation to the processing of Customer Personal Data.

2.4. TEK Electronics’s Processing.

TEK Electronics will process Customer Personal Data only for the purposes of: (i) provisioning the Archiving and Cloud Services, (ii) processing initiated by Customer in its use of the Archiving Services, and (iii) processing in accordance with your TEK Electronics Agreement, this DPA, and your other reasonable documented instructions that are consistent with the terms of your TEK Electronics Agreement. Any other processing will require prior written agreement between the parties.

2.5. Customer Obligations.

Customer acknowledges that it controls the nature and contents of the Customer Personal Data. Customer will ensure that it has obtained all necessary and appropriate consents from and provided notices to data subjects where required by Data Protection Law to enable the lawful transfer of any Customer Personal Data to TEK Electronics for the duration and purposes of this DPA and the TEK Electronics Agreement.

3. Security.

3.1. Confidentiality of Personnel.

TEK Electronics will ensure that any of our personnel and any subcontractors who have access to Customer Personal Data are under an appropriate obligation of confidentiality.

3.2. Security Measures.

We will implement appropriate technical and organizational security measures to ensure a level of security appropriate to the risks that are presented by the processing of Customer Personal Data.

3.3. Optional Security Controls.

TEK Electronics makes available a number of security controls, features, and functionalities that Customer may elect to use. Customer is responsible for implementing those measures to ensure a level of security appropriate to the Customer Personal Data.

3.4. Breach Notification.

We will notify you without undue delay if we become aware of a personal data breach affecting Customer Personal Data.

4. Data Subject Requests.

4.1. To assist with your obligations to respond to requests from data subjects, the Archiving Services provide Customer with the ability to retrieve, correct, or delete Customer Personal Data. Customer may use these controls to assist it in connection with its obligations under the relevant privacy laws, including its obligations related to any request from a data subject to exercise their rights under Data Protection Law (each, a “Data Subject Request”).

4.2. If a data subject contacts TEK Electronics with a Data Subject Request that identifies Customer, to the extent legally permitted, we will promptly notify Customer. Solely to the extent that Customer is unable to access Customer Personal Data itself, and TEK Electronics is legally permitted to do so, we will provide commercially reasonable assistance to Customer in responding to the Data Subject Request. To the extent legally permitted, Customer will be responsible for any costs arising from TEK Electronics’ provision of such assistance, including any fees associated with the provision of additional functionality.

5. Requests for Customer Personal Data.

5.1. If we receive a valid and binding legal order (“Request”) from any governmental body (“Requesting Party”) for disclosure of Customer Personal Data, we will use commercially reasonable efforts to redirect the Requesting Party to seek that Customer Personal Data directly from Customer.

5.2. If, despite our efforts, we are compelled to disclose Customer Personal Data to a Requesting Party, we will:

(a) if legally permitted, promptly notify Customer of the Request to allow Customer to seek a protective order or other appropriate remedy. If we are prohibited from notifying Customer, we will use commercially reasonable efforts to obtain a waiver of that prohibition;

(b) challenge any over-broad or inappropriate Request; and,

(c) disclose only the minimum amount of Customer Personal Data necessary to satisfy the Request.

6. Cooperation.

Taking into account the nature of the processing and the information available to us, at your request and cost, TEK Electronics will provide reasonable assistance to ensure compliance with the obligations under applicable Data Protection Law with respect to implementing appropriate security measures, personal data breach notifications, impact assessments and consultations with supervisory authorities or regulators, in each case solely related to processing of Customer Personal Data by TEK Electronics.

7. Customer Audit Rights.

7.1. Upon Customer’s request, and subject to the confidentiality obligations set forth in your TEK Electronics Agreement, TEK Electronics will make available to Customer (or Customer’s independent, third-party auditor) information regarding TEK Electronics’ compliance with the security obligations set forth in this DPA in the form of third-party certifications and audits.

7.2. If that information is not sufficient to demonstrate our compliance with the security obligations in the DPA, you may contact TEK Electronics in accordance with the notice provision of your TEK Electronics Agreement to request an on-site audit of TEK Electronics’ procedures relevant to the protection of Customer Personal Data, but only to the extent required under applicable Data Protection Law. Customer will reimburse TEK Electronics for its reasonable costs associated with any such on-site audit. Before the commencement of any such on-site audit, Customer and TEK Electronics will mutually agree upon the scope, timing, and duration of the audit.

7.3. Customer will promptly notify TEK Electronics with information regarding any non-compliance discovered during the course of an audit, and TEK Electronics will use commercially reasonable efforts to address any confirmed non-compliance.

8. Data Transfers.

8.1. Data Deployment Locations.

Customer Personal Data will only be hosted in the region(s) that Customer chooses to deploy its database clusters in its configuration of the Archiving Services (the “Deployment Region”). Customer is solely responsible for any transfer of Customer Personal Data caused by Customer’s subsequent designation of other Deployment Regions.

9. Return or Deletion of Data.

Customer may retrieve or delete all Customer Personal Data upon expiration or termination of the TEK Electronics Agreement. Upon termination of your TEK Electronics Agreement or upon your request, TEK Electronics will delete any Customer Personal Data not deleted by Customer, unless we are legally required to store the Customer Personal Data.

10. CCPA Obligations.

TEK Electronics is a “service provider” as defined in the CCPA. You have provided notice to your end users that you share Customer Personal Data with your service providers. We will not retain, use, or disclose Customer Personal Data for any purpose other than providing the Archiving Services, and will not sell Customer Personal Data (as the term “sell” is described in the CCPA).