Qualtrics Contractor Data Processing Agreement

This Qualtrics Contractor Data Processing Agreement (this “CDPA”) is entered into between you on behalf of yourself and your Contractor Affiliates (“Contractor”) and Qualtrics, LLC on behalf of itself and the Qualtrics Affiliates (hereinafter collectively referred to as “Qualtrics”; together with Contractor, the “Parties” and each a “Party”) and may be updated from time to time. Refer to this CDPA regularly to ensure compliance. This CDPA takes effect when referenced in a Service Agreement executed by and between Contractor and Qualtrics or as of the date both Parties have agreed to it in writing. Qualtrics may modify this CDPA at any time by posting a revised version on this website www.qualtrics.com/cdpa/ or otherwise providing notice to Contractor. By continuing to provide the Service after the effective date of any modifications to this CDPA, Contractor agrees to be bound by the modified terms. Last revised: March 15, 2024



****************

1. Definitions

1.1. “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §1798.100 et seq., as amended by the California Privacy Rights Act of 2020 and as further amended from time to time.

1.2. “CDPA” means this Qualtrics Contractor Data Processing Agreement.

1.3. “Contractor Affiliate” means any current and future entity that is, directly or indirectly, in Control of, Controlled by, or under common Control with the Contractor. For purposes of this CDPA, Control means (i) the ownership, directly or indirectly, of more than fifty percent (50%) of the voting equity interest in an entity, or (ii) the ability, directly or indirectly, to direct or cause the direction of the management and policies of that entity, whether through ownership of voting securities, by contract, or otherwise.

1.4. “Controller” means any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data which is processed by Contractor and/or Subprocessor in connection with the Service. Controllers may include Qualtrics, Qualtrics Affiliates, and/or Qualtrics Customers and Partners who, as the case may be, determine alone or jointly the purposes and means of the processing of Personal Data in connection with the Service. For the purposes of this CDPA, where Qualtrics and/or Qualtrics Affiliates act as Processors for other Controllers, they shall, in relation to Contractor, be granted all rights under this CDPA and Data Protection Law towards Contractor and Subprocessors as if they were Controllers (in addition to the Controllers determined in accordance with sentence 1 of this definition).

1.5. “Data Protection Law” means the applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the processing of Personal Data in connection with the Service (and includes, as far as it concerns the obligations of Contractor and Subprocessors regarding the processing of Personal Data for Qualtrics and other Controllers under this CDPA, the GDPR as a minimum standard, irrespective of whether the Personal Data is subject to GDPR or not).

1.6. “Data Subject” means any individual or other person who is protected by Data Protection Law and whose data is processed by Contractor or a Subprocessor in connection with the Service.

1.7. “EEA” means the European Economic Area, namely the European Union Member States along with Iceland, Liechtenstein and Norway.

1.8. “GDPR” means the European Union’s General Data Protection Regulation 2016/679 as amended from time to time.

1.9. “Instructions” means any instructions given by Qualtrics or the applicable Controller with respect to the processing of Personal Data in accordance with Data Protection Law. Instructions may include, without limitation, the correction, erasure and/or the blocking of Personal Data in the legal responsibility of the respective Controller.

1.10. “Personal Data” means any information relating to a Data Subject which is protected under Data Protection Law, and in particular includes any information relating to an identified or identifiable natural or legal person; an identifiable person includes any person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to such person’s physical, physiological, mental, economic, cultural or social identity that is processed in relation to the Service.

1.11. “Personal Data Breach” means an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or unauthorized access to Personal Data.

1.12. “Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller, whether directly as processor of a Controller or indirectly as Subprocessor of a Processor which processes Personal Data on behalf of the Controller.

1.13. “Qualtrics Affiliates” means Qualtrics, LLC’s current and future affiliates and subsidiaries, meaning a corporation or other entity that is in Control of, Controlled by, or under common Control with Qualtrics, LLC.

1.14. “Qualtrics Customers and Partners” means (i) Qualtrics Affiliates, (ii) Qualtrics resellers, (iii) direct and indirect customers of Qualtrics or Qualtrics resellers, and/or (iv) any other commercial end users of Qualtrics products.

1.15. “SCC Relevant Transfer” means a transfer (or an onward transfer) to a Third Country of Personal Data that is either subject to GDPR or to applicable Data Protection Law and where any required adequacy means under GDPR or applicable Data Protection Law can be met by entering into the Standard Contractual Clauses.

1.16. “Service” means any work or service which Contractor provides to Qualtrics and/or Qualtrics Customers and Partners under a Service Agreement which may or may not expressly incorporate the terms of this CDPA by reference.

1.17. “Service Agreement” means any contract, work order, purchase order or other agreement between Contractor and Qualtrics relating to the provision of the Service.

1.18. “Standard Contractual Clauses” means the unchanged standard contractual clauses, published by the European Commission, reference 2021/914 https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international or any subsequent final version thereof (which will automatically apply). For the avoidance of doubt, Modules 2 and 3 shall apply as set out in Section 7.

1.19. “Subprocessor” or “sub-processor” means any third party (including Contractor Affiliates notwithstanding they are a party to this CDPA) that is directly or indirectly engaged by Contractor in connection with the Service and that processes Personal Data.

1.20. “Third Country” means any country, organization or territory outside the EEA and not acknowledged by the European Union under Article 45 of GDPR as a safe country with an adequate level of data protection.

1.21. “TOMs” has the meaning defined in Section 3.4 (Technical and Organizational Measures; Security).

1.22. Any terms not defined in this CDPA but defined in the GDPR, CCPA or the Standard Contractual Clauses shall have the meaning assigned to them in the GDPR, CCPA or the Standard Contractual Clauses, as applicable. The term “processing” in particular includes any kind of disclosure of Personal Data, including the enablement of potential onsite and remote access irrespective of whether the access to Personal Data is actually exercised. For the avoidance of doubt, any reference to days shall mean calendar days.



2. Background

2.1. Application and Interpretation. This CDPA and the attached Exhibits set out Contractor’s obligations when processing Personal Data on behalf of Qualtrics or another Controller in connection with the Service and form an integral part of the Service Agreement, the terms of which are hereby incorporated by reference. Capitalized terms have the meanings assigned in Section 1 (Definitions). If the Service Agreement references the Qualtrics Contractor Agreement on the Commissioned Processing of Personal Data, the Parties agree that this CDPA is such agreement.

2.2. Governance. Contractor (for the Subprocessors) and Qualtrics (for the Controllers) act as central points of contact. All communication in connection with this CDPA and the processing of Personal Data under it shall be between the applicable Qualtrics Affiliate which entered into a Service Agreement and Contractor, unless a Controller is required by Data Protection Law to provide Instructions to Contractor directly, and such instructions deviate from Qualtrics’ Instructions. Contractor shall inform its Subprocessors appropriately where required, and Qualtrics shall inform the other Controllers appropriately where required. This Section 2.2 shall not, however, limit any rights of Controllers under this CDPA, the Standard Contractual Clauses, or Data Protection Law.

2.3. Qualtrics Affiliates. Qualtrics, LLC enters into this CDPA also on behalf of itself and the Qualtrics Affiliates and this CDPA shall apply correspondingly between Qualtrics Affiliates and Contractor when Contractor provides any Service to or for the benefit of Qualtrics Affiliates.



3. Contractor Obligations

3.1. Contractor’s Purpose of Processing; Restrictions on Use. Contractor shall process the Personal Data (including transfers of Personal Data to a Third Country or international organization) only on documented Instructions from Qualtrics (or with Qualtrics’ permission or, to the extent required by Data Protection Law, other Controllers), unless required by Data Protection Law, in which case Contractor shall inform Qualtrics of such legal requirement before processing unless prohibited by law from doing so on important grounds of public interest. Contractor shall not process Personal Data for its own purposes or retain, use or disclose Personal Data for any purpose other than the permitted processing activities detailed in Annex I of Exhibit 1. Contractor is prohibited from sharing Personal Data with any unauthorized third party, or from selling Personal Data for any reason.

3.2. Instructions. This CDPA and the Service Agreement constitute the initial documented Instructions. Where Qualtrics provides any further Instruction in relation to Personal Data, Contractor will promptly fulfill such request. Instructions shall come from Qualtrics, except where Section 3.11 (Other Controllers) applies, in which case the other Controller’s Instructions must prevail in case of conflict.

3.3. Restricted Access to Personal Data. Contractor shall require Personal Data to be kept strictly confidential (such confidentiality obligations must survive the employment relationship between Contractor and its employees) and disclosed only on a need-to-know basis to personnel who are authorized to have access to Personal Data and who are regularly trained in applicable data security and data privacy measures.

3.4. Technical and Organizational Measures; Security. Contractor shall implement and apply the technical and organizational measures as posted at https://www.qualtrics.com/supplier-toms/ (“TOMs”). Contractor will conduct an audit at least once per year to verify its compliance with the TOMs. Contractor will affirm its compliance with the TOMs upon Qualtrics’ request, which may be in the form of a questionnaire, attestation or other means as determined by Qualtrics.

3.5. Return or Destruction of Personal Data. Any Personal Data stored by Contractor or Subprocessors shall be promptly returned to Qualtrics upon the earliest of the following events: (i) Qualtrics’ request; (ii) completion of all tasks for which the respective Personal Data was transferred to Contractor; (iii) termination of this CDPA; or (iv) expiry or termination of a Service Agreement. Alternatively, where such data cannot be returned, or if Qualtrics so elects, Contractor shall destroy — and certify to Qualtrics in writing that it has destroyed — all such Personal Data within a time period considered reasonable under Data Protection Law (in any case not to exceed three months), unless retention of the Personal Data is required by applicable law and permitted under Data Protection Law.

3.6. Assistance on Inquiries from Data Subjects and Authorities. For the avoidance of doubt, this Section 3.6 is without prejudice to the Parties’, authorities’ and Data Subjects’ rights and obligations under the Standard Contractual Clauses. If Qualtrics receives inquiries or requests from Data Subjects, other Controllers, supervisory authorities, law enforcement authorities or other competent authorities and courts, Contractor shall assist Qualtrics in providing information regarding Contractor’s or Subprocessor’s processing of Personal Data. If a Data Subject contacts Contractor or a Subprocessor to exercise its Data Subject rights directly with regard to Personal Data processed within the Service, Contractor shall promptly relay the request to Qualtrics at privacy@qualtrics.com or such other location as designated by Qualtrics in writing. Contractor shall not disclose any information to the requesting Data Subject in the absence of an express instruction from Qualtrics or the Controller unless required under applicable law. If there is a dispute with a Data Subject in relation to the processing, the Parties will use their best efforts to timely inform each other (information to Qualtrics to be directed to privacy@qualtrics.com) about such a dispute and to cooperate in order to amicably resolve the dispute. Contractor must ensure that Qualtrics and other Controllers can enable Data Subjects to access their Personal Data at any time during the Service by providing the ability to Qualtrics and other Controllers to export and retrieve Personal Data that Contractor controls in a standard format upon request.

3.7. Third-Party Requests. In the event that any third party, including a regulatory authority, government agency, supervisory authority or court sends a request to, or otherwise contacts, Contractor or Subprocessors regarding the disclosure or other processing of Personal Data within the Service, Contractor shall inform Qualtrics without undue delay to privacy@qualtrics.com, unless prohibited under applicable law or competent court order. Qualtrics and Contractor shall discuss in good faith and agree on a response to the request that allows the Controller to assert any relevant objections, exclusions, exemptions, or protective measures. Contractor or Subprocessor shall not disclose any Personal Data without Qualtrics’ prior written consent unless (i) Contractor is required to do so under applicable law, (ii) Contractor has exercised all legal remedies to avoid fulfilling the request (without Qualtrics’ consent), and (iii) the fulfillment of the request is permissible under Data Protection Law.

3.8. Assistance on Data Protection Impact Assessments. If Qualtrics is required to perform a data protection impact assessment (or a similar assessment pursuant to Data Protection Law) or to have a prior consultation with a competent regulator, Contractor shall, at Qualtrics’ request, promptly provide all required information and documents available to Contractor and its Subprocessors relating to the processing of Personal Data in the context of the Service.

3.9. Documentation. Contractor shall maintain comprehensive documentation about the processing of Personal Data in line with its responsibilities under Data Protection Law and shall provide such documentation to Qualtrics upon request. Such documentation shall enable Qualtrics to verify Contractor’s compliance with Data Protection Law, including Contractor’s use of Subprocessors. Contractor shall further promptly provide to Qualtrics all information about the Service that concerns (i) Contractor, (ii) the Subprocessors, (iii) the processing of Personal Data, to the extent it is necessary for Qualtrics to maintain its register of processing activities according to Data Protection Law, and (iv) notwithstanding Section 5.2 (Audits), any enquiries from Qualtrics that relate to the processing of Personal Data under this CDPA.

3.10. Provision of Information on Data Processing. Notwithstanding anything to the contrary in a Service Agreement, Contractor must, upon Qualtrics’ request, provide to Qualtrics the agreements with its Subprocessors (including, where applicable the Standard Contractual Clauses) to the extent that they contain information relevant to the processing of Personal Data on behalf of the Controller (“Information”). Additionally, Qualtrics may disclose to any other Controller or competent data protection authority: (i) this CDPA, (ii) all or any part of a Service Agreement relevant to the processing of Personal Data on behalf of Controller, (iii) the Information, (iv) Contractor’s and Subprocessors’ audit reports, (v) reports on Personal Data Breaches and other data protection violations, and (vi) any of Qualtrics’ own findings with respect to Contractor’s and Subprocessors’ processing of Personal Data on behalf of the Controller. Any disclosures to another Controller shall be subject to reasonable protections for confidential information.

3.11. Other Controllers. Contractor agrees that where Personal Data is controlled by a Controller different from Qualtrics (e.g., Qualtrics Customers and Partners), and to the extent that such other Controller’s Personal Data is processed, such other Controller shall benefit from the same rights as Qualtrics under this CDPA, except for Section 2.2 (Governance).



4. Personal Data Breach Reporting

In the event that Contractor becomes aware of (i) any Personal Data Breach (by itself or a Subprocessor), (ii) any inability to perform under this CDPA, or (iii) any failure by a Subprocessor to fulfill its processing related obligations under its contracts with Contractor, Contractor must report the same to Qualtrics without undue delay and if possible within 24 hours. Personal Data Breaches must be reported to notice@qualtrics.com. Contractor shall provide, at a minimum, the following information to Qualtrics: (i) the details of a contact point where more information can be obtained, (ii) a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), and (iii) likely consequences of the breach and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Notwithstanding the foregoing, Contractor shall provide to Qualtrics any information necessary for Qualtrics to comply with its obligations pursuant to Data Protection Laws regarding the Personal Data Breach. Where it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.



5. Audits

5.1. Compliance Verification. Notwithstanding any rights of Controller under Module 3 of the Standard Contractual Clauses, Contractor agrees that Qualtrics may request at any time, and Contractor will provide, evidence of Contractor’s compliance with the terms of this CDPA, including the TOMs and any other information that is required for Qualtrics to use Contractor as its (Sub-)Processor under applicable Data Protection Laws (such as information required by Qualtrics to fulfill its transparency obligations regarding international processing) in a form deemed acceptable to Qualtrics. The Parties will use reasonable efforts to leverage current certifications or other audit reports to avoid or minimize repetitive standard audits.

5.2. Standard Audit. Qualtrics or its independent third-party auditor reasonably acceptable to Contractor may conduct an audit to confirm Contractor’s compliance with the terms of this CDPA where:

  1. Contractor has not provided sufficient evidence of its compliance by responding to Qualtrics’ requests for information;
  2. an audit is formally requested by a competent data protection authority;
  3. Qualtrics has indications of noncompliance, e.g., to the extent that a Personal Data Breach has occurred, or Contractor is not able to perform its obligations under this CDPA; or
  4. mandatory Data Protection Law provides Qualtrics with a direct audit right, provided that Qualtrics shall only audit Contractor once in any twelve-month period unless mandatory Data Protection Law requires more frequent audits.

5.3. Scope of Audit. All audits will be subject to the following restrictions: (i) audits will be conducted upon reasonable notice (no fewer than thirty (30) calendar days unless shorter notice is required by a competent data protection authority or Data Protection Law), during regular business hours and without interrupting Contractor’s business operations; and (ii) the confidentiality terms of a Service Agreement with Contractor shall apply to Contractor’s confidential information accessed by Qualtrics or third-party auditors; provided that Qualtrics may disclose such information pursuant to Section 3.10 (Provision of Information on Data Processing).

5.4. Exceptional Audit. Notwithstanding the foregoing, Qualtrics may conduct additional audits on shortened notice (no fewer than five (5) business days) where: (i) a Personal Data Breach has occurred, provided that the Parties will mutually agree on a timing that does not disrupt ongoing breach response, or (ii) Qualtrics has reasonable grounds to suspect that Contractor is not in compliance with its obligations under this CDPA.

5.5. Cost of Audit. Each Party shall bear its own costs of any audit unless such audit reveals a breach by Contractor or Subprocessor of this CDPA in which case Contractor must reimburse Qualtrics (or Controller) for all reasonable fees and expenses charged by any external auditor or incurred in the course of an audit. If an audit determines that Contractor (or a Subprocessor) has breached its obligations under this CDPA, Contractor (or a Subprocessor) will promptly remedy the breach at its own cost.



6. Contractor’s Subprocessors

6.1. Permission for Subprocessing. Unless otherwise agreed in a Service Agreement, Contractor is permitted to use Subprocessors in processing the Personal Data, subject to compliance with Subprocessor requirements in this CDPA.

6.2. Subprocessor Engagement. Contractor shall evaluate the security, privacy, and confidentiality practices of each Subprocessor prior to selection and on a regular basis thereafter (at least annually) to establish and maintain that it is capable of providing the level of protection of Personal Data required by this CDPA and Data Protection Law. Contractor shall impose on its Subprocessors at least the same protections for Personal Data required by this CDPA, including in particular the TOMs (for the avoidance of doubt, content-wise but not verbatim). The foregoing obligations apply to all Sections of this CDPA, irrespective of whether or not the application to Subprocessors is expressly mentioned. Contractor remains at all times responsible for its Subprocessors’ compliance with the relevant subprocessing agreements and Data Protection Law. Contractor shall allow Controllers to audit Subprocessors and ensure Controllers receive relevant subprocessing agreements upon request.

6.3. Subprocessor Changes and Replacement. As of the Effective Date of this CDPA, Contractor is permitted to use the Subprocessors listed in the relevant Service Agreement. Contractor may add a new Subprocessor or replace a Subprocessor in the relevant Service Agreement by providing notice to Qualtrics at least forty-five (45) days in advance of using the new or replacement Subprocessor.

6.4. Objections to a Subprocessor. Qualtrics may object to the use of a new or replacement Subprocessor on reasonable grounds, including insufficient reliability in Qualtrics’ reasonable discretion or status as a competitor of Qualtrics. If Qualtrics objects to the use within forty-five (45) calendar days after being notified, Contractor must ensure that the Subprocessor is not used for the provision of the Service.



7. International Processing

7.1. Standard Contractual Clauses.
Qualtrics and Contractor agree that the Standard Contractual Clauses govern the transfer of Personal Data to a Third Country, as specified in this Section 7. Exhibit 1 identifies the data exporter, the data importer, Data Subjects, categories of data, special categories of data and processing operations for a given Service. A description of the TOMs implemented by Contractor as the data importer in accordance with the Standard Contractual Clauses is detailed in Annex II of Exhibit 1.

7.2. Applicability of Standard Contractual Clauses.
The following shall apply in respect of SCC Relevant Transfers:

  1. Where Contractor is not located in a Third Country, Contractor as the data exporter enters into Module 3 of the Standard Contractual Clauses with each Subprocessor as the data importer. Further, Contractor will oblige its Subprocessors to include Module 3 of the Standard Contractual Clauses in any Subprocessor agreement in case the Subprocessor or further Subprocessors are acting as the data exporters.
  2. Where Qualtrics is not located in a Third Country, otherwise subject to the GDPR or in a country that requires the Standard Contractual Clauses as a means to allow for international Personal Data transfers, Qualtrics hereby enters into the Standard Contractual Clauses with Contractor as the data importer and Qualtrics as the data exporter and which shall apply to such SCC Relevant Transfers as follows:
    • (a) Module 2 (Controller to Processor) shall apply where Qualtrics is a Controller;
    • (b) Module 3 (Processor to Processor) shall apply where Qualtrics is a Processor. Where Qualtrics acts as Processor under Module 3 (Processor to Processor), Contractor acknowledges that Qualtrics acts as Processor under the instructions of its Controller(s); and
    • (c) With respect to a SCC Relevant Transfer, on request from a Data Subject to Qualtrics, Qualtrics may make a copy of Module 2 or 3 of the Standard Contractual Clauses entered into between Qualtrics and Contractor (including the relevant Schedules), available to Data Subjects.
  3. Onward transfers and third-party beneficiary rights under the Standard Contractual Clauses:
    • (a) Any onward transfers must follow the rules set forth in the Module of the Standard Contractual Clauses applicable to the data importer and establish a third-party beneficiary clause in line with Clause 9(e) of the Standard Contractual Clauses with all relevant Subprocessors in the processing chain; and
    • (b) Where a Qualtrics Affiliate is located in a Third Country and acting as a data importer under Module 2 or Module 3 of the Standard Contractual Clauses and Contractor is acting as Qualtrics’ sub-processor under the applicable Module(s), the respective data exporter shall have the following third party beneficiary right: in the event that Qualtrics has factually disappeared, ceased to exist in law, or has become insolvent (in all cases without a successor entity that has assumed the legal obligations of Qualtrics by contract or by operation of law), the respective data exporter shall have the right to terminate the affected Service solely to the extent that the data exporter’s Personal Data is processed. In such event, the respective data exporter also instructs Contractor to return or erase the Personal Data within a time-period considered reasonable under Data Protection Law (in any case not to exceed three months in case of an erasure), unless a retention of the Personal Data is required by applicable law and permitted under Data Protection Law.

7.3. Applicability of Standard Contractual Clauses if applicable Data Protection Law requires a variation to the Standard Contractual Clauses.
Subject to Sections 7.2.2 and 7.2.3, if Data Protection Law requires a variation to the Standard Contractual Clauses, then the Standard Contractual Clauses are interpreted as follows:

  1. Switzerland. In relation to the Swiss Data Protection Act (“FADP”):
    • (a) the references to a “Member State” in the Standard Contractual Clauses will be deemed to include Switzerland;
    • (b) references to the law of the European Union or of a Member State in the Standard Contractual Clauses shall be deemed to be a reference to the FADP;
    • (c) the Swiss Federal Data Protection and Information Commissioner will be the sole or, where both the FADP and the GDPR apply to such transfer, one of the competent data protection authorities, under the Standard Contractual Clauses;
    • (d) the terms used in the Standard Contractual Clauses that are defined in the FADP will be construed to have the meaning of the FADP; and
    • (e) where the FADP protects legal entities as data subjects, the Standard Contractual Clauses will apply to data relating to identified or identifiable legal entities.
  2. United Kingdom. In relation to Personal Data that is protected by the GDPR as incorporated into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018, the EU Standard Contractual Clauses are interpreted as follows:
    • (a) “Third Country” will be interpreted as any country, organization, or territory that is not acknowledged as providing an adequate level of protection of personal data pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and
    • (b) the “Standard Contractual Clauses” will be interpreted to include the “International Data Transfer Addendum to the Standard Contractual Clauses” issued by the Information Commissioner under s.119A(1) of the Data Protection Act 2018 (“UK Addendum”) and will apply completed as follows:
      • i. the Standard Contractual Clauses, completed as set out above in Sections 7.1, 7.2.2 and 7.2.3 (as applicable), will also apply to transfers of such Personal Data, subject to (ii) below; and
      • ii. Tables 1 to 3 of the UK Addendum will be deemed completed with the relevant information from the Standard Contractual Clauses, completed as set out above in Sections 7.1, 7.2.2 and 7.2.3 (as applicable), and the option “Exporter (Qualtrics)” will be deemed selected in Table 4. The start date of the UK Addendum (as set out in Table 1) will be the effective date of this CDPA or a Service Agreement, whichever is earlier, provided the start date shall be no earlier than 21 September 2022.

7.4. Relation of the Standard Contractual Clauses to this CDPA.
Nothing in this CDPA shall be construed to prevail over any conflicting clause of the Standard Contractual Clauses. For the avoidance of doubt, where this CDPA further specifies audit and Subprocessor rules in Sections 5 and 6, such specifications also apply in relation to the Standard Contractual Clauses.



8. California Consumer Privacy Act

8.1. Applicability of the CCPA. Qualtrics and Contractor agree that this Section 8.1 applies where the processing of Personal Data is subject to the CCPA:

  1. The Parties agree that Contractor is a Service Provider as defined under the CCPA with respect to any Personal Data. Contractor shall: (i) comply with applicable provisions of the CCPA, including providing the same level of privacy protection as is required of businesses by the CCPA; and (ii) notify Qualtrics if Contractor makes a determination that it can no longer meet its obligations under the CCPA.
  2. Contractor shall not (i) sell or share Personal Data, in each case as those terms are defined under the CCPA; (ii) retain, use or disclose Personal Data for any purpose other than to provide the Service under a Service Agreement or as otherwise permitted by the CCPA; (iii) retain, use or disclose Personal Data with other personal data received outside of the direct business relationship between Qualtrics and Contractor; and (iv) combine Personal Data with other personal data received from a third party or other sources, except to provide the Service under a Service Agreement or as otherwise permitted by the CCPA. In the event of any future amendments to the CCPA, the Parties will discuss in good faith any changes that may be required in order for the Parties to comply with their respective obligations.
  3. Qualtrics may take reasonable and appropriate steps to ensure Contractor uses the Personal Data in a manner consistent with Qualtrics’ obligations under the CCPA, and Qualtrics may take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data in accordance with this CDPA.
  4. To the extent that Contractor receives from Qualtrics and/or Qualtrics Customers and Partners deidentified data as defined under this CDPA, Contractor shall: (i) ensure that the data cannot be associated with an identified or identifiable individual; (ii) maintain and use the data only in a de-identified fashion; and (iii) not attempt to re-identify the data.



9. Miscellaneous

9.1. Interpretation. If any provision of this CDPA is held to be wholly or in part invalid or unenforceable, the invalidity or unenforceability will not affect the other provisions of the Agreement. The section headings of this CDPA are for convenience only and have no interpretive value.

9.2. Waiver; Modifications. A waiver of any breach of this CDPA is not deemed a waiver of any other breach. This CDPA may be modified solely in writing signed by the Parties, except as permitted under this CDPA.

9.3. Order of Precedence. This CDPA prevails over any additional, conflicting, or inconsistent terms and conditions appearing on any document submitted by either Party regarding the subject of this CDPA. Any existing data protection or processing agreement between Qualtrics and Contractor (if any) is terminated and replaced with this CDPA.

9.4. Assignments. Notwithstanding anything to the contrary, Contractor shall not assign this CDPA or any parts of it to any third party without the express written consent of Qualtrics. Qualtrics shall not assign this CDPA or any part of it to any third party without Contractor’s written consent, except nothing will prevent Qualtrics from making an assignment to a Qualtrics Affiliate or to a Qualtrics successor in interest. This CDPA shall inure to the benefit of and shall be binding upon Contractor and Qualtrics and their respective permitted successors and assigns.

9.5. Termination. In addition to the termination rights set out in Clause 16 of the Standard Contractual Clauses, this CDPA may be terminated by either Party, if no contractual relationship between the Parties exists any longer where the processing of Personal Data is in scope. The Parties may also agree to replace this CDPA in writing signed by both Parties.

9.6. Governing Law and Venue. This CDPA shall be governed by Utah law and the venue for any disputes related to this CDPA shall be Salt Lake City, Utah.



Exhibit 1: New Standard Contractual Clauses

The Parties agree to the following specifications of the Standard Contractual Clauses, including the attached Annexes I – III:

CLAUSE 7 – OPTIONAL – DOCKING CLAUSE
[The Parties agree to not include this optional Clause]

CLAUSE 9 a – USE OF SUB-PROCESSORS
MODULE TWO: Transfer controller to processor
(a) GENERAL WRITTEN AUTHORISATION. The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 45 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
MODULE THREE: Transfer processor to processor
(a) GENERAL WRITTEN AUTHORISATION. The data importer has the controller’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the controller in writing of any intended changes to that list through the addition or replacement of sub-processors at least 45 days in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the controller with the information necessary to enable the controller to exercise its right to object. The data importer shall inform the data exporter of the engagement of the sub-processor(s).

CLAUSE 11 – REDRESS
(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

CLAUSE 17 – GOVERNING LAW
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.

CLAUSE 18 – CHOICE OF FORUM AND JURISDICTION
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.
(b) The Parties agree that those shall be the courts of Ireland.
(c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
(d) The Parties agree to submit themselves to the jurisdiction of such courts.



Annex I

A. LIST OF PARTIES
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
Data exporter(s): Qualtrics, LLC, and its affiliates, which provides an experience management solution – the Experience Management Platform®. The Qualtrics data protection officer can be reached at privacy@qualtrics.com.
Data importer(s): Contractor (as defined in this CDPA), on behalf of itself and its affiliates, which processes Personal Data in connection with the Service pursuant to a Service Agreement. The contact details of Contractor are set out in a Service Agreement.

B. DESCRIPTION OF TRANSFER
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
Categories of data subjects whose personal data is transferred
The data exporter may submit personal data to data importer and its affiliates, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to, personal data relating to the following categories of data subjects:
– prospective customers, customers, resellers, referrers, business partners, and vendors of the data exporter (who are natural persons);
– employees or contact persons of the data exporter’s prospective customers, customers, resellers, referrers, subcontractors, business partners, and vendors (who are natural persons);
– employees, agents, advisors, and freelancers of the data exporter (who are natural persons); and/or
– natural persons authorized by the data exporter to use the Service provided by data importer to the data exporter.

Categories of personal data transferred
The data exporter may submit personal data to the data importer and its affiliates, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to, the following categories of personal data:
– names, titles, position, employer, contact information (email, phone, fax, physical address etc.), identification data, professional life data, personal life data, connection data, or localization data (including IP addresses).

Sensitive personal data transferred (if applicable)
The data exporter may submit sensitive personal data to the data importer and its affiliates, the extent of which is determined and controlled by the data exporter in its sole discretion. Data importer shall apply restrictions and safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Such special categories of data include, but may not be limited to, Personal Data with information revealing racial or ethnic origins, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning an individual’s health or sex life.
At a minimum, Contractor will implement the following additional technical and organizational measures for special categories of data or sensitive data:
– Limiting access to staff that has completed specialized training;
– Encryption of data at rest; and/or
– System access logging and general data access logging.

The frequency of the transfer
Continuous transfer

Nature of the processing
Processing necessary to provide the Service as set forth in a Service Agreement between Qualtrics and Contractor.

Purpose(s) of the data transfer and further processing
Purpose of the data transfer is providing the Service in accordance with a Service Agreement concluded between Qualtrics and Contractor. In order to provide the Service, it becomes necessary to transfer Personal Data.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Defined in Section 3.5 of this CDPA (Return or Destruction of Personal Data).

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Same as set forth above.

C. COMPETENT SUPERVISORY AUTHORITY
The competent supervisory authority/ies in accordance with Clause 13 is:
Data Protection Commission
21 Fitzwilliam Square South
Dublin 2
D02 RD28
Ireland



Annex II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached): https://www.qualtrics.com/supplier-toms/



Annex III

LIST OF SUB-PROCESSORS
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
The agreed list of sub-processors, if any have been agreed upon, is contained in the relevant Service Agreement.