Data Processing Addendum

This Data Processing Addendum (this “Addendum”) is incorporated into and forms part of the Master Services Agreement (the “Agreement”) between Knowledge Architecture (“Knowledge Architecture”) and the client executing the Agreement (“Client”).

The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.

The parties hereby agree that the terms and conditions set out below shall be added as an addendum to the Agreement. The following obligations shall only apply to the extent required by Data Protection Laws with regard to the relevant Client Personal Data, if applicable.

Knowledge Architecture may modify this Addendum at any time. Knowledge Architecture will notify Client of any such modification at least 10 days prior to the effective date of such modification. If Client objects in writing to such modification within 10 days of being informed thereof on reasonable data protection grounds, the parties will work in good faith to modify this Addendum in a way that is mutually acceptable to both parties. If the parties cannot agree on such modification within 10 days of Knowledge Architecture’s receipt of Client’s notice, Client may, as its sole and exclusive remedy available under the Agreement, terminate the Agreement by providing written notice to Knowledge Architecture.

1. DEFINITIONS.

1.1. “Controller” means the individual or entity that determines the purposes and means of the Processing of Personal Data.

1.2. “Client Personal Data” means Personal Data submitted to the Services by Client or its Users that is covered by Data Protection Laws.

1.3. “Data Protection Laws” means, with respect to a party, the data privacy and security laws applicable to such party’s Processing of Client Personal Data under the Agreement including, in each case to the extent applicable (a) European Data Protection Laws; and (b) the United States Data Protection Laws.

1.4. “Data Subject” means the identified or identifiable natural person who is the subject of Personal Data.

1.5. “European Data Protection Laws” means, in each case to the extent applicable to the relevant Client Personal Data or Processing thereof under the Agreement (a) the EU General Data Protection Regulation 2016/679 (“GDPR”); (b) the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”), the Data Protection Act of 2018, and all other laws relating to data protection, the processing of personal data, privacy, or electronic communications in force from time to time in the United Kingdom (collectively, “UK Data Protection Laws”); (c) the Swiss Federal Act on Data Protection (“FADP”); and (d) any other applicable law, rule, or regulation related to the protection of Personal Data in the European Economic Area, United Kingdom, or Switzerland that is already in force or that will come into force during the term of this Addendum.

1.6. “Personal Data” means information that constitutes “personally identifiable information,” “personal information,” “personal data,” or other similar term under Data Protection Laws.

1.7. “Process” means any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, alignment, combination, restriction, erasure, destruction or disclosure by transmission, dissemination or otherwise making available.

1.8. “Processor” means the individual or entity that Processes Personal Data on behalf of a Controller.

1.9. “Security Incident” means a breach of Knowledge Architecture’s security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Personal Data in Knowledge Architecture’s possession, custody, or control. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Client Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.

1.10. “Services” means the services that Knowledge Architecture has agreed to provide to Client under the Agreement.

1.11. “Standard Contractual Clauses” means the European Commission’s decision (C(2021)3972) of 4 June 2021 on Standard Contractual Clauses (Module Two: Transfer controller to processor or Module Three: Transfer processor to processor, as applicable) for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 (available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en), as amended from time to time. The parties agree that the details of Exhibits 1 and 2 shall be used to complete the Annexes of the Standard Contractual Clauses.

1.12. “Subprocessor” means any Processor appointed by Knowledge Architecture to Process Client Personal Data on behalf of Client under the Agreement.

1.13. “Supervisory Authority” means an independent competent public authority established or recognized under Data Protection Laws.

1.14. “United States Data Protection Laws” means, in each case to the extent applicable to the relevant Client Personal Data or Processing thereof under the Agreement (a) the California Consumer Privacy Act of 2018 (“CCPA”), as amended by the California Privacy Rights Act of 2020, when effective, and its implementing regulations (collectively, “CPRA”); (b) the Virginia Consumer Data Protection Act (“VCPDA”), when effective; (c) the Colorado Privacy Act (“CPA”), when effective; (d) the Utah Consumer Privacy Act (“UCPA”), when effective; (e) Connecticut’s SB6, An Act Concerning Personal Data Privacy and Online Monitoring (“CTDPA”); (f) any regulation, guideline, or opinion issued by a competent authority concerning the laws identified in the foregoing subparts (a) – (d) above; and (g) any other applicable law, rule, or regulation related to the protection of Personal Data in the United States that is already in force or that will come into force during the term of this Addendum.

1.15. “User” has the meaning given in the Agreement or, if not defined in the Agreement, means any person authorized by Client to access or use the Services.

2. PROCESSING OF CLIENT PERSONAL DATA.

2.1. Roles of the Parties; Compliance. The parties acknowledge and agree that, as between the parties, with regard to the Processing of Client Personal Data under the Agreement (a) Client is a Controller; and (b) Knowledge Architecture is a Processor of Client Personal Data. Each party will comply with the obligations applicable to it in such respective role under Data Protection Laws with respect to the Processing of Client Personal Data. Knowledge Architecture will notify Client if it makes a determination that it can no longer meet its obligations under Data Protection Laws.

2.2. Client Instructions. Knowledge Architecture will Process Client Personal Data only (a) in accordance with Client’s documented instructions, including the instructions set forth in the Agreement (including any Processing reasonably necessary and proportionate to achieve the business purpose outlined in the Agreement) and this Addendum, and any instructions initiated by Users via the Services; (b) as necessary to provide the Services and prevent or address technical problems with the Services or violations of the Agreement or this Addendum; or (c) as required by applicable law. Client’s instructions shall comply with Data Protection Laws. Client shall be responsible for: (i) giving adequate notice and making all appropriate disclosures to Data Subjects regarding Client’s use and disclosure and Knowledge Architecture’s Processing of Client Personal Data; and (ii) obtaining all necessary rights, and, where applicable, all appropriate and valid consents to disclose such Client Personal Data to Knowledge Architecture to permit the Processing of such Client Personal Data by Knowledge Architecture for the purposes of performing Knowledge Architecture’s obligations under the Agreement or as may be required by Data Protection Laws. Client shall notify Knowledge Architecture of any changes in, or revocation of, the permission to use, disclose, or otherwise process Client Personal Data that would impact Knowledge Architecture’s ability to comply with the Agreement or Data Protection Laws.

2.3. Details of Processing. The parties acknowledge and agree that the purpose of the Processing of Client Personal Data, the types of Client Personal Data Processed, the categories of Data Subjects, and other details regarding the Processing of Client Personal Data are as set forth in Exhibit 1.

2.4. Processing Subject to the CPRA. As used in this Section 2.4, “Sell,” “Share,” “Business Purpose” and “Commercial Purpose” shall have the meanings given in the CPRA. Knowledge Architecture will not (a) Sell or Share any Client Personal Data; (b) retain, use, or disclose any Client Personal Data (i) for any purpose other than for the Business Purposes specified in the Agreement, including for any Commercial Purpose other than the Business Purposes specified in the Agreement, or as otherwise permitted by the CPRA, or (ii) outside of the direct business relationship between Client and Knowledge Architecture; or (c) combine Client Personal Data received from, or on behalf of, Client with Personal Data received from or on behalf of any third party, or collected from Knowledge Architecture’s own interaction with Data Subjects, except to perform any Business Purpose permitted by the CPRA. Knowledge Architecture hereby certifies that it understands the foregoing restrictions under this Section and will comply with them. The parties acknowledge that the Client Personal Data that Client discloses to Knowledge Architecture is provided to Knowledge Architecture only for the limited and specified purposes set forth in the Agreement, and Client does not Sell or Share Personal Data to Knowledge Architecture in connection with the Agreement. Knowledge Architecture will provide the same level of privacy protection to Client Personal Data as is required by the CPRA. Knowledge Architecture will notify Client if it makes a determination that it can no longer meet its obligations under the CPRA.
Upon written notice to Knowledge Architecture, Client has the right to take reasonable and appropriate steps to stop and remediate unauthorized use of Client Personal Data solely by limiting the Client Personal Data shared with Knowledge Architecture, implementing Client internal controls, or such other steps mutually agreed between the parties in writing to stop and remediate Knowledge Architecture’s unauthorized use. The parties agree that Client has the right to take reasonable and appropriate steps to help ensure that Knowledge Architecture uses Client Personal Data transferred in a manner consistent with Client’s obligations under the CPRA solely by exercising Client’s audit rights in Section 8.

3. CONFIDENTIALITY. Knowledge Architecture shall take reasonable steps to ensure that individuals that process Client Personal Data are subject to obligations of confidentiality or are under an appropriate statutory obligation of confidentiality.

4. SECURITY.

4.1. Security Measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Knowledge Architecture shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with the security standards in Exhibit 2 (the “Security Measures”). Client acknowledges that the Security Measures may be updated from time to time upon reasonable notice to Client to reflect process improvements or changing practices, provided that the modifications will not materially decrease Knowledge Architecture’s security obligations hereunder.

4.2. Security Incidents. Upon becoming aware of a confirmed Security Incident, Knowledge Architecture will (a) notify Client of the Security Incident without undue delay after becoming aware of the Security Incident and (b) take reasonable steps to identify the cause of such Security Incident, minimize harm, and prevent a recurrence. Knowledge Architecture will take reasonable steps to provide Client with information available to Knowledge Architecture that Client may reasonably require to comply with its obligations as Controller to notify impacted Data Subjects or Supervisory Authorities. Knowledge Architecture’s notification of or response to a Security Incident under this Section will not be construed as an acknowledgement by Knowledge Architecture of any fault or liability with respect to the Security Incident.

4.3. Client Responsibilities. Client agrees that, without limitation of Knowledge Architecture’s obligations under this Section, Client is solely responsible for its and its Users’ use of the Services, including (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Client Personal Data; and (b) securing the account authentication credentials, systems, and devices Client uses to access the Services. Client is responsible for reviewing the information made available by Knowledge Architecture relating to data security and making an independent determination as to whether the Services meet Client’s requirements and legal obligations under Data Protection Laws.

5. SUBPROCESSING. Subject to this Section, Client generally authorizes Knowledge Architecture to engage Subprocessors as Knowledge Architecture considers reasonably appropriate for the Processing of Client Personal Data. A list of Knowledge Architecture’s Subprocessors is available at: https://www.knowledge-architecture.com/subprocessors, and may be updated by Knowledge Architecture from time to time in accordance with this Section. Knowledge Architecture will notify Client of the addition or replacement of any Subprocessor at least 10 days prior to such engagement. If Client objects in writing to such changes within 10 days of being informed thereof on reasonable data protection grounds, Knowledge Architecture will use commercially reasonable efforts to (a) work with Client in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; or (b) take corrective steps requested by Client in its objection and proceed to use the new Subprocessor. Where such change or corrective steps cannot be made within 10 days of Knowledge Architecture’s receipt of Client’s notice, Client may, as its sole and exclusive remedy available under this Section, terminate the relevant portion of the Services which require the use of the proposed Subprocessor by providing written notice to Knowledge Architecture. When engaging any Subprocessor, Knowledge Architecture will enter into a written contract with such Subprocessor containing data protection obligations not less protective than those in this Addendum. Knowledge Architecture shall be liable for the acts and omissions of the Subprocessor to the extent Knowledge Architecture would be liable under the Agreement.

6. DATA SUBJECT RIGHTS. Knowledge Architecture will, taking into account the nature of the Processing of Client Personal Data and the functionality of the Services, provide Client with self-service functionality through the Services or other reasonable assistance as necessary for Client to perform its obligations under Data Protection Laws to fulfill requests by Data Subjects to exercise their rights under Data Protection Laws. Knowledge Architecture reserves the right to charge Client on a time and materials basis in the event that Knowledge Architecture considers, in its reasonable discretion, that such assistance is onerous, complex, frequent, or time consuming. If Knowledge Architecture receives a request from a Data Subject under any Data Protection Laws with respect to Client Personal Data, Knowledge Architecture will advise the Data Subject to submit the request to Client and Client will be responsible for responding to any such request.

7. ASSESSMENTS AND PRIOR CONSULTATIONS. In the event that Data Protection Laws require Client to conduct a data protection impact assessment, transfer impact assessment, or prior consultation with a Supervisory Authority in connection with Knowledge Architecture’s Processing of Client Personal Data, following written request from Client, Knowledge Architecture shall use reasonable commercial efforts to provide relevant information and assistance to Client to fulfill such request, taking into account the nature of Knowledge Architecture’s Processing of Client Personal Data and the information available to Knowledge Architecture. Knowledge Architecture reserves the right to charge Client on a time and materials basis in the event that Knowledge Architecture considers, in its reasonable discretion, that such assistance is onerous, complex, frequent, or time consuming.

8. ASSESSMENTS AND PRIOR CONSULTATIONS.

8.1. Review of Information and Records. Knowledge Architecture will make available to Client all information reasonably necessary to demonstrate compliance with the obligations set out in this Addendum and allow for and contribute to reviews of relevant records maintained by Knowledge Architecture. Such information will be made available to Client upon written request no more than annually and subject to the confidentiality obligations of the Agreement or a mutually-agreed non-disclosure agreement.

8.2. Audits. If Client requires information for its compliance with Data Protection Laws in addition to the information provided under Section 8.1, at Client’s sole expense and to the extent Client is unable to access the additional information on its own, Knowledge Architecture will allow for and cooperate with Client or an auditor mandated by Client (“Mandated Auditor”), provided that (a) Client provides Knowledge Architecture with reasonable advance written notice including the identity of any Mandated Auditor, which shall not be a competitor of Knowledge Architecture, and the anticipated date and scope of the audit; (b) Knowledge Architecture approves the Mandated Auditor by notice to Client, with such approval not to be unreasonably withheld; (c) the audit is conducted during normal business hours and in a manner that does not have any adverse impact on Knowledge Architecture’s normal business operations; (d) Client or any Mandated Auditor complies with Knowledge Architecture’s standard safety, confidentiality, and security procedures in conducting any such audits; (e) any records, data, or information accessed by Client or any Mandated Auditor in the performance of any such audit, or any results of any such audit, will be deemed to be the Confidential Information of Knowledge Architecture; (f) Client may initiate such audit not more than once per calendar year unless otherwise required by a Supervisory Authority; and (g) all such audits shall be at Client’s sole expense.

8.3. Results of Audits. Client will promptly notify Knowledge Architecture of any non-compliance discovered during the course of an audit and provide Knowledge Architecture any audit reports generated in connection with any audit under this Section, unless prohibited by Data Protection Laws or otherwise instructed by a Supervisory Authority. Client may use the audit reports only for the purposes of meeting Client’s regulatory audit requirements and confirming that Knowledge Architecture’s Processing of Client Personal Data complies with this Addendum.

9. DATA TRANSFERS.

9.1. Data Processing Facilities. Knowledge Architecture may, subject to Section 9.2, Process Client Personal Data in the United States or anywhere Knowledge Architecture or its Subprocessors maintain facilities. Subject to Knowledge Architecture’s obligations in this Section, Client is responsible for ensuring that its use of the Services complies with any cross-border data transfer restrictions of Data Protection Laws.

9.2. Standard Contractual Clauses. If Client transfers Client Personal Data to Knowledge Architecture that is subject to European Data Protection Laws, and such transfer is not subject to an alternative adequate transfer mechanism under European Data Protection Laws or otherwise exempt from cross-border transfer restrictions, then Client (as “data exporter”) and Knowledge Architecture (as “data importer”) agree that the applicable terms of the Standard Contractual Clauses shall apply to and govern such transfer and are hereby incorporated herein by reference. The Standard Contractual Clauses shall automatically terminate once the Client Personal Data transfer governed thereby becomes lawful under European Data Protection Laws in the absence of such Standard Contractual Clauses on any other basis. In accordance with Clause 2 of the Standard Contractual Clauses, the parties wish to supplement the Standard Contractual Clauses with business-related clauses, which shall neither be interpreted nor applied in such a way as to contradict the Standard Contractual Clauses (whether directly or indirectly) or to prejudice the fundamental rights and freedoms of data subjects. Knowledge Architecture and Client therefore agree that the applicable terms of the Agreement and this Addendum shall apply if, and to the extent that, they are permitted under the Standard Contractual Clauses, including without limitation the following:

a) Instructions. The instructions described in Clause 8.1(a) of the Standard Contractual Clauses are as set forth in Section 2.2 of this Addendum.

b) Copies of Clauses. In the event a Data Subject requests a copy of the Standard Contractual Clauses or this Addendum in accordance with Clause 8.3 of the Standard Contractual Clauses, data exporter shall make all redactions reasonably necessary to protect business secrets or other confidential information of data importer.

c) Certification of Deletion. Certification of deletion of Client Personal Data under Clause 8.5 and Clause 16(d) of the Standard Contractual Clauses shall be provided upon the written request of data exporter.

d) Onward Transfer Implementation. Data importer shall be deemed in compliance with Clause 8.8 of the Standard Contractual Clauses to the extent such onward transfers occur in accordance with Article 4 of the Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

e) Audits and Certifications. Any information requests or audits provided for in Clause 8.9 of the Standard Contractual Clauses shall be fulfilled in accordance with Section 8 of this Addendum.

f) Engagement of New Subprocessors. Pursuant to Clause 9(a) Option 2 of the Standard Contractual Clauses, data exporter acknowledges and expressly agrees that data importer may engage new Subprocessors as described in Section 5 of this Addendum. With respect to Clause 9 of the Standard Contractual Clauses, the parties select the time period set forth in Section 5 of this Addendum.

g) Liability. The relevant Sections of the Agreement which govern indemnification and limitation of liability, shall apply to data importer’s liability under Clause 12(a), 12(d), and 12(f) of the Standard Contractual Clauses.

h) Supervisory Authority. For purposes of Clause 13 of the Standard Contractual Clauses, the parties agree that the supervisory authority shall be the supervisory authority identified in Exhibit 1, unless otherwise agreed by the parties as mandated by the established rules of selection of the relevant supervisory authority.

i) Governing Law. With respect to Clause 17 of the Standard Contractual Clauses, the parties select the law of the Netherlands.

j) Choice of Forum and Jurisdiction. With respect to Clause 18 of the Standard Contractual Clauses, the parties agree that any dispute arising from the Standard Contractual Clauses shall be resolved by the courts of the Netherlands.

k) Transfers from the United Kingdom. If Client transfers Client Personal Data to Knowledge Architecture that is subject to the UK GDPR, this Section shall apply to the Standard Contractual Clauses to the extent that the UK GDPR applies to Client’s Processing when making that transfer. As used in this Section, “Approved Addendum” means the template addendum issued by the Information Commissioner’s Office of the United Kingdom and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 (available at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf), as it is revised under Section 18 of such addendum. The parties acknowledge that the information required to be set forth in “Part 1: Tables” of the Approved Addendum shall be completed in accordance with the Exhibits of this Addendum, as modified by this Section 9. “Part 2: Mandatory Clauses” of the Approved Addendum, as it is revised under Section 18 of the Approved Addendum, is hereby incorporated herein by reference. For purposes of Section 19 of the Approved Addendum, either party may end the Approved Addendum in accordance with Section 19 thereof.

l) Transfers from Switzerland. If Client transfers Client Personal Data to Knowledge Architecture that is subject to the FADP, the following modifications shall apply to the Standard Contractual Clauses to the extent that the FADP applies to Client’s Processing when making that transfer: (a) the term “member state” as used in the Standard Contractual Clauses shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from suing for their rights in their place of habitual residence in accordance with Clause 18(c) of the Standard Contractual Clauses; (b) the Standard Contractual Clauses shall also protect the data of legal entities until the entry into force of the revised FADP on or about 1 January 2023; (c) references to the GDPR or other governing law contained in the Standard Contractual Clauses shall also be interpreted to include the FADP; and (d) the parties agree that the supervisory authority as indicated in Annex I.C of the Standard Contractual Clauses shall be the Swiss Federal Data Protection and Information Commissioner.

10. DELETION OR RETURN OF CLIENT PERSONAL DATA. Following termination or expiration of the Agreement, Knowledge Architecture shall, at Client’s option, return to Client or delete the Client Personal Data and all copies thereof. Notwithstanding the foregoing, Knowledge Architecture may retain reasonable copies of the Client Personal Data for compliance with applicable law, in Knowledge Architecture’s archived backup files, or to establish its rights under the Agreement. Any Client Personal Data that cannot be or is not returned or destroyed shall remain confidential, subject to the terms of the Agreement.

11. GENERAL TERMS. This Addendum will, notwithstanding the expiration or termination of the Agreement, remain in effect until, and automatically expire upon, Knowledge Architecture’s deletion or return of all Client Personal Data. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (a) amended as necessary to ensure its validity and enforceability, while preserving the intent of the provision as closely as possible; or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein. To the extent of any conflict or inconsistency between this Addendum and the other terms of the Agreement, this Addendum will govern. Unless otherwise expressly stated herein, the parties will provide notices under this Addendum in accordance with the Agreement, provided that all such notices may be sent via email. Any liabilities arising in respect of this Addendum are subject to the limitations of liability under the Agreement. This Addendum will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws.

EXHIBIT 1: DETAILS OF PROCESSING OF KNOWLEDGE ARCHITECTURE PERSONAL DATA

This Exhibit 1 includes certain details of the Processing of Client Personal Data as required by Article 28(3) GDPR, similar provisions of Data Protection Laws, and the Standard Contractual Clauses. The contact details of the parties shall be as specified in the Agreement and this Addendum.

The categories of Data Subjects to whom Client Personal Data relates and the categories of Client Personal Data:

The types of Data Subjects and the categories of Client Personal Data shall be as is contemplated or related to the Processing described in any Order that makes reference to, is incorporated under, or is subject to the Agreement and includes:

o User data: Examples include but are not limited to Names, IP addresses, Login Data.

o Data that the Client houses in integrated databases and elects to visualize in the Service: Examples may include but are not limited to:

▪ Employee Data – Employee Number, Status, First Name, Last Name, Preferred Name, Title, Organization, Organization Name, Employee Type, E-mail, Work Phone, Mobile Phone, Billing Category, Hire Date, Home Address, Employee Photo, Birthday, Degrees, Licenses, Accreditations, Certifications, Professional Affiliations, Resume, Skills.

▪ Project Data – Client Name, Project Number, Project Name, Marketing Name, Project Manager, Principal, Status, Organization, Address, Project Type, Description, Start Date, Year Completed, Construction Completion Date, Total Project Cost, Firm Cost, Plan Number, Plan Name, Awards, Descriptions.

▪ Company Data – Name, Number, Status, Website, Address, Phone, Fax, Email, Client/Vendor Type, Discipline, Notes, Relationship Status, Disadvantaged Business, Small Business, Minority Business, HBCU, Woman Owned, Woman Owned Small Business, Disabled Veteran Owned Small Business.

▪ Contact Data – First Name, Last Name, Preferred Name, Status, Title, Contact Type, E-mail, Business Phone, Mobile Phone, Address.

▪ Opportunity Data – Number, Name, Project Manager, Principal, Address, Type, Stage, Description, Estimated Start, Estimated Completion, Estimated Fees, Construction Cost, Revenue, Probability, Weighted Revenue, Close Date, Source, Organization, Status, Primary Client, Primary Contact, Regular Project, Promotional Project Number, Promotional Project Name.

o Data that a user elects to input which may include, but is not limited to personal images, personal interests and stories, personal videos, and family milestones.

The sensitive data included in Client Personal Data

It is not anticipated that Client will provide any sensitive data to Knowledge Architecture.

Frequency of the transfer of Client Personal Data

Continuous basis for the Term.

The nature and purpose of the Processing of Client Personal Data

The nature and purpose of the Processing of Client Personal Data is to facilitate the provision of Knowledge Architecture’s Services as described in any Order that makes reference to, is incorporated under, or is subject to the Agreement.

The subject matter and duration of the Processing of Client Personal Data

The subject matter and duration of the Processing of Client Personal Data is the performance of the Services pursuant to the Agreement and any applicable Order. The duration of the Processing of Client Personal Data is for the duration of the Agreement, plus the period following the expiration of the Agreement until Client Personal Data is deleted in accordance with the Agreement.

The period for which the Client Personal Data will be retained

As set forth in the Agreement.

The subject matter and duration of the Processing of Client Personal Data by Subprocessors

The subject matter and duration of the Processing of Client Personal Data by any Subprocessors is as set out in the Agreement and this Addendum.

Supervisory Authority

Netherlands
Autoriteit Persoonsgegevens
Bezuidenhoutseweg 30
P.O. Box 93374
2509 AJ Den Haag/The Hague
Tel. +31 70 888 8500
Fax +31 70 888 8501
Website: https://autoriteitpersoonsgegevens.nl/

The above supervisory authority shall apply unless otherwise agreed by the parties as mandated by the established rules of selection of the relevant supervisory authority, or Sections 9.2(k) and 9.2(l) of this Addendum apply.

EXHIBIT 2: SECURITY MEASURES

With respect to Client Personal Data transferred to or received by Knowledge Architecture under the Agreement, Knowledge Architecture has implemented, and will maintain, a comprehensive written information security program (“Information Security Program”) that includes appropriate administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of Client Personal Data. In particular, the Information Security Program will include the following safeguards where appropriate or necessary to ensure the protection of Client Personal Data:

1.  Service Security.

1.1   Service Architecture. The Service is designed with multiple layers of protection, covering data transfer, encryption, network configuration, and application-level controls that are distributed across a scalable, secure infrastructure. End users of the Service can access the Service at any time from the web and mobile clients. All of these clients connect to secure services to provide access to the Service’s functionality. The Service can be utilized and accessed through a number of interfaces. Each has security settings and features that process and protect Client Personal Data while ensuring ease of access.

1.2   Reliability. The Service is developed with multiple layers of redundancy designed to guard against data loss and designed to protect the ongoing confidentiality, integrity, and availability of processing systems and services. Knowledge Architecture will be able to restore the availability of and access to Client Personal Data in a timely manner in the event of a physical or technical incident.

1.3   Encryption. To protect Client Personal Data in transit between Client and Knowledge Architecture, Knowledge Architecture uses Secure Sockets Layer (SSL)/Transport Layer Security (TLS) for data transfer, creating a secure tunnel protected by 128-bit or higher Advanced Encryption Standard (AES) encryption. Stored Data at rest is encrypted using 256-bit AES encryption. Knowledge Architecture’s encryption key management infrastructure is designed with operational, technical and procedural security controls with very limited direct access to keys. Encryption key generation, exchange, and storage are distributed for decentralized processing.

1.4   Data Centers. Knowledge Architecture’s corporate and production systems are housed at third-party subservice organization data centers located in the United States.

2.  Information Security.

2.1   Policies. Knowledge Architecture has established policies covering areas of information security, physical security, incident response, logical access, physical production access, change management, and support. 

2.2   Personnel Policy and Access. Knowledge Architecture’s internal policies require onboarding procedures that include background checks (as allowed by local laws), security policy training and acknowledgement, communicating updates to security policy, and non-disclosure agreements. All personnel access is promptly removed when an employee or contractor leaves Knowledge Architecture. Knowledge Architecture employs technical access controls and internal policies designed to prohibit employees or contractors from arbitrarily accessing data and designed to restrict access to metadata and other information about end users. In order to protect end user privacy and security, only a small number of employees or contractors have access to the environment where end user data is stored. Where possible, Knowledge Architecture employees use two-factor authentication when accessing these resources.

2.3   Network Security. Knowledge Architecture maintains network security and monitoring techniques that are designed to provide multiple layers of protection and defense. Knowledge Architecture employs industry-standard protection techniques, including firewalls, network security monitoring, segregated networks, and intrusion detection systems designed to ensure only eligible traffic is able to reach Knowledge Architecture’s infrastructure. These techniques and policies are regularly evaluated to ensure effectiveness in ensuring the security of the processing. 

2.4   Change Management. Knowledge Architecture ensures that security-related changes have been authorized prior to implementation into the production environments. Source code changes are initiated by developers who would like to make an enhancement to the Service. Changes to Knowledge Architecture’s infrastructure are restricted to authorized personnel only. Changes to the application level of the Service are required to go through quality assurance (“QA”) testing procedures to verify that security requirements are met. Successful completion of QA procedures leads to implementation of the change.

2.5 Contingency Planning. Policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages Client Personal Data or systems that contain Client Personal Data, including a data backup plan and a disaster recovery plan.

2.6 Audit Controls. Hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate logs and reports concerning these security requirements and compliance therewith.

2.7 Assigned Security Responsibility. Knowledge Architecture will designate a security official responsible for the development, implementation, and maintenance of its Information Security Program. Knowledge Architecture will inform the Client as to the person responsible for security upon request.

2.8 Vendor Management and Oversight. Conduct reasonable due diligence and monitoring to ensure Subprocessors are capable of (a) maintaining the confidentiality, integrity, and availability of Client Personal Data; (b) complying with Data Protection Laws; and (c) assisting Client with complying with requests from data subjects. Regularly assess and monitor Subprocessors to confirm their compliance with applicable privacy and information security requirements and Data Protection Laws. 

2.9 Adjust the Program. Knowledge Architecture will monitor, evaluate, and adjust, as appropriate, the Information Security Program in light of any relevant changes in technology or security standards, the sensitivity of the Client Personal Data, internal or external threats to Knowledge Architecture or the Client Personal Data, and Knowledge Architecture’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems. In light of the foregoing, the Information Security Program is subject to change; provided, however, that any such update will not materially diminish the applicable information security protections applicable to Client Personal Data.