Global Data Processing Addendum (US, EU AND UK)
This DPA is entered into between Customer and Acclaim Software, Inc., a Delaware corporation (Acclaim), and is incorporated into and governed by the Terms of Service agreement between the parties.
Definitions
Any capitalized term not defined in this DPA will have the meaning given to it in the Agreement (defined below).
- Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control of a party. "Control" for purposes of this definition means direct or indirect ownership or control of more than 50% of the voting interests of a party.
- Agreement means the Terms of Service agreement between Customer and Acclaim for the provision of the Services.
- CCPA means the California Consumer Privacy Act, along with its regulations, as amended from time to time.
- CPA means the Colorado Privacy Act, along with its regulations, as amended from time to time.
- CTDPA means the Connecticut Data Privacy Act, along with its regulations, as amended from time to time.
- Controller means Customer, the entity which determines the purposes and means of the processing of Personal Data.
- Customer Data means data, which may include Personal Data (defined below) and the categories of data submitted, stored, sent, or received via the Services by Customer, its Affiliates, or end users.
- Data Protection Laws means all laws and regulations applicable to the processing of Personal Data under the Agreement, including, but not limited to, the EU GDPR, the UK GDPR, the UK Data Protection Act 2018, the FDPA, the CCPA, the VCDPA, the CPA, the CTDPA, the UCPA, the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended, and all other applicable data protection and privacy legislation in force from time to time (as may be applicable depending on the location of Customer, data subjects and processing of the relevant Personal Data).
- Data Subject means: (i) the identified or identifiable person to whom Personal Data relates; or (ii) a "Consumer" as the term is defined in the applicable Data Protection Laws.
- DPA means this data processing addendum and its schedules.
- EEA means the European Economic Area.
- EU GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
- FDPA means the Swiss Federal Act on Data Protection of 19 June 1992 (SR 235.1; FDPA) as amended from time to time.
- Personal Data means any information relating to: (i) an identified or identifiable natural person and (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws), which is provided as Customer Data.
- Processor means Acclaim, the entity which Processes Personal Data on behalf of Controller, including as applicable any "Service Provider" as that term is defined by the CCPA.
- Restricted Transfer means: (i) where the EU GDPR applies, a transfer of Personal Data via the Services from the EEA either directly or via onward transfer, to any country or recipient outside of the EEA not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of Personal Data via the Services from the United Kingdom either directly or via onward transfer, to any country or recipient outside of the UK not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (iii) a transfer of Personal Data via the Services from Switzerland either directly or via onward transfer, to any country or recipient outside of the EEA and/or Switzerland not subject to an adequacy determination by the European Commission.
- Standard Contractual Clauses means: (i) where the EU GDPR applies, contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries and published at https://eur-lex.europa.eu/legal-content (EU SCCs); (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR, using the controller to processor template available at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers-after-uk-exit/sccs-after-transition-period/ (UK SCCs); and (iii) where Personal Data is transferred from Switzerland to outside of Switzerland or the EEA, the EU SCCs as amended in accordance with guidance from the Swiss Data Protection Authority (Swiss SCCs).
- Sub-processors means any person or entity engaged by Acclaim or an Affiliate to process Personal Data in the provision of the Services to Customer.
- Supervisory Authority means a governmental or government-chartered regulatory body having binding legal authority over Customer.
- Services means the web subscription services provided by Acclaim to Customer pursuant to the Agreement.
- UK GDPR means the EU GDPR as it forms part of the laws of the UK by virtue of section 3 of the European Union (Withdrawal) Act 2018.
- UCPA means the Utah Consumer Privacy Act, along with its regulations, as amended from time to time.
- VCDPA means the Virginia Consumer Data Protection Act, along with its regulations, as amended from time to time.
1. Purpose
a) Acclaim has agreed to provide the Services to Customer in accordance with the terms of the Agreement. In providing the Services, Acclaim will process Customer Data on behalf of Customer. Customer Data may include Personal Data. Acclaim will process and protect such Personal Data in accordance with the terms of this DPA and the Data Protection Laws.
b) With respect to Customer Data under this DPA, the parties agree that Customer is the 'data controller' and Acclaim is the 'data processor'. Customer will comply with its obligations as a data controller and Acclaim will comply with its obligations as a data processor under this DPA.
c) Where a Customer Affiliate or a Customer client is the Controller with respect to certain Customer Data, Customer represents and warrants to Acclaim that it is authorized to instruct Acclaim and otherwise act on behalf of such Customer Affiliate or Customer client in relation to Customer Data in accordance with the Agreement and this DPA.
2. Scope
a) In providing the Services to Customer pursuant to the Agreement, Acclaim will treat Personal Data as confidential and only process Personal Data on behalf of Customer, and only to the extent reasonably necessary and proportionate to provide insurance payment processing, financial services, related services, and the Services, and in accordance with Customer's instructions as documented in the Agreement and this DPA.
b) Acclaim and Customer must take steps to ensure that any natural person acting under the authority of Customer or Acclaim who has access to Personal Data does not process it except on instructions from Customer as specified in the Agreement, unless required to do so by Data Protection Laws.
3. Acclaim Obligations
a) Acclaim may collect, process, or use Personal Data only in accordance with the scope of the Agreement, this DPA, and Customer's instructions. This DPA is Customer's complete and final documented instruction to Acclaim in relation to Personal Data. Additional instructions outside the scope of this DPA (if any) require a prior written agreement between Acclaim and Customer, including the agreement on any additional fees payable by Customer to Acclaim for carrying out such instructions.
b) Acclaim will ensure that all employees, agents, officers, and contractors involved in the handling of Personal Data:
- are aware of the confidential nature of the Personal Data and are contractually bound to keep the Personal Data confidential;
- have received appropriate training on their responsibilities as a data processor; and
- are bound by terms materially no less restrictive than the terms of this DPA.
c) Acclaim must maintain appropriate managerial, operational, and technical safeguards designed to preserve the integrity and security of Customer Data while in its possession and control hereunder, while considering the state of the art, costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
d) Acclaim must maintain appropriate measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- the pseudonymization and encryption of Personal Data;
- the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
4. Customer Obligations
Customer is responsible for ensuring that:
- it has all necessary rights and consents to provide Personal Data to Acclaim for processing;
- it complies with all applicable Data Protection Laws in its use of the Services;
- it provides accurate and complete instructions to Acclaim regarding the processing of Personal Data;
- it implements appropriate security measures on its own systems and networks.
5. Sub-Processors
a) Customer acknowledges and agrees that Acclaim may engage Sub-processors to process Personal Data on Customer's behalf. Acclaim will inform Customer of any intended changes concerning the addition or replacement of Sub-processors, thereby giving Customer the opportunity to object to such changes.
b) Acclaim will ensure that Sub-processors are bound by data protection obligations that are substantially similar to those in this DPA, including obligations to implement appropriate technical and organizational measures.
c) Acclaim will remain fully liable for the performance of Sub-processors' obligations under this DPA.
6. Data Subject Rights
Acclaim will assist Customer in responding to requests from Data Subjects to exercise their rights under applicable Data Protection Laws, including:
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object to processing
- Rights related to automated decision-making and profiling
7. Data Breach Notification
In the event of a personal data breach, Acclaim will notify Customer without undue delay after becoming aware of the breach. The notification will include, to the extent possible, details of the nature of the breach, the categories and approximate number of Data Subjects affected, and the measures taken or proposed to address the breach.
8. International Transfers
Where Acclaim transfers Personal Data outside the EEA, UK, or Switzerland in connection with the Services, such transfers will be subject to appropriate safeguards, including:
- Standard Contractual Clauses (EU SCCs, UK SCCs, or Swiss SCCs as applicable)
- Adequacy decisions by relevant data protection authorities
- Other legally recognized transfer mechanisms
9. Audit Rights
Customer has the right to audit Acclaim's compliance with this DPA. Acclaim will:
- Make available to Customer all information necessary to demonstrate compliance with this DPA
- Allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, subject to reasonable notice and confidentiality obligations
- Provide access to relevant documentation and facilities as reasonably requested
10. Data Retention and Deletion
a) Acclaim will process Personal Data only for as long as necessary to provide the Services in accordance with the Agreement and this DPA.
b) Upon termination of the Agreement, Acclaim will, at Customer's option, delete or return all Personal Data to Customer, unless Acclaim is required to retain such data by applicable law.
c) If return or deletion is not possible, Acclaim will continue to protect the Personal Data in accordance with this DPA and will not process it for any purpose other than as required by law.
11. California Consumer Privacy Act (CCPA)
To the extent that the CCPA applies to the processing of Personal Data:
- Acclaim acts as a "Service Provider" as defined under the CCPA
- Acclaim will not sell Personal Data or use Personal Data for any purpose other than providing the Services
- Acclaim will not retain, use, or disclose Personal Data outside of the direct business relationship between Acclaim and Customer
12. Liability
Each party's liability under this DPA will be subject to the limitations and exclusions of liability set forth in the Agreement. Nothing in this DPA will limit either party's liability for breaches of Data Protection Laws or for any matter that cannot be excluded or limited under applicable law.
13. Term and Termination
This DPA will remain in effect for as long as Acclaim processes Personal Data on behalf of Customer under the Agreement. Upon termination of the Agreement, the provisions of this DPA will continue to apply to any Personal Data that Acclaim continues to process, until such time as the Personal Data is deleted or returned in accordance with Section 10.
14. Contact Us
For questions about this Data Processing Addendum, contact us at:
Email: privacy@withacclaim.com