Data Processing Addendum

This Data Processing Addendum (“DPA”) is by and between Advisor360°®, LLC with a place of business at 400 First Ave, Needham Heights, MA 02494 (collectively, “Advisor360°”) and the undersigned (“Customer”) and forms part of, and is incorporated into, the terms between Advisor360° and Customer for the provision of services (“Services”) to Customer by Advisor360° (the “Agreement”).  

2. Assistance with requests

1. Advisor360° will notify Customer upon receipt (and in no event later than five (5) days thereafter) of a request, inquiry, complaint or claim from any individual, governmental authority or other person relating to the processing of Personal Information, unless Advisor360° is prohibited from providing such notice under applicable laws. Advisor360° will not respond to any such request without Customer’s prior written instruction, except as required under applicable laws.
2. Advisor360° will provide cooperation and assistance as Customer may reasonably request on reasonable timelines requested by Customer (including assistance by appropriate technical and organizational measures) to allow Customer to respond to any request, inquiry, complaint or claim relating to Personal Information or to perform any privacy or data protection impact assessments required under Applicable Privacy Laws. 

3. Security measures

1. Advisor360° will limit access to Personal Information to Advisor360° employees, contractors or other personnel who in respect of the Personal Information have executed written confidentiality agreements that survive termination of the personnel engagement.
2. Advisor360° will protect the confidentiality, integrity, availability and resilience of Advisor360° systems used for processing Personal Information and protect against the accidental, unauthorized or unlawful disclosure, alteration, acquisition of or access to, or other processing of Personal Information. Such measures will be appropriate to the risks presented by processing the Personal Information and no less protective than accepted industry standards and practices for information security and any minimum requirements under Applicable Privacy Laws. 

4. Subcontractors

1. Prior to permitting an Advisor360° service provider to process Personal Information as part of the Services (a “Subcontractor”), Advisor360° will conduct reasonable due diligence of such Subcontractor to verify that it is capable of maintaining the privacy, confidentiality and security of Personal Information in compliance with this DPA. 
2. Upon request from Customer, Advisor360° will provide Customer with a list of all Subcontractors. Advisor360° will ensure that all processing of Personal Information by any Subcontractor is subject to a written agreement with Advisor360° that imposes on the Subcontractor obligations substantially equivalent to those to which Advisor360° is subject under this DPA. Advisor360° will be responsible and liable for the acts, omissions or defaults of its Subcontractors in the performance of obligations under this DPA as if they were Advisor360°’s own acts, omissions or defaults. 

5. Security Incidents and Incident Response 

1. Advisor360° will notify Customer promptly (and in any event within seventy-two (72) hours) upon learning of a any material security compromise that results in accidental, unauthorized or unlawful disclosure, alteration, acquisition of or access to, or other processing of Personal Information (a “Security Incident”) via the notices requirement set forth in the Agreement. 
2. Advisor360° will without undue delay provide Customer with the following information as it becomes available: (a) a detailed description of the nature of the Security Incident, including where possible the categories and approximate number of individuals and Personal Information records concerned; (b) a description of the measures taken or proposed to be taken to address the Security Incident; and (c) whether any regulatory authority, affected individuals, or the media have been informed or are otherwise aware of the Security Incident.
3. Advisor360° will use best efforts to mitigate and remediate the Security Incident and prevent similar Security Incidents from occurring in the future. Advisor360° agrees to keep Customer informed of the progress of such efforts, and to provide Customer with all facts about the Security Incident as appropriate for Customer to conduct its own assessment of the risk to Personal Information and to Customer’ business.  

6. Audits

1. Advisor360° will maintain and, upon request, provide to Customer all information, materials, assessments and other documentation necessary to demonstrate compliance with this DPA.
2. Subject to reasonable prior written notice of at least thirty (30) days, Customer or its designated third party may audit Advisor360°’s information security and privacy policies, practices, procedures, and processing activities to verify compliance with this DPA. Any such audit conducted by an independent third-party auditor mutually agreed upon by the parties, who shall be bound by written confidentiality obligations no less stringent than those set forth in this DPA. Advisor360° will, at its own expense, provide all information and assistance reasonably requested by Customer in connection with any such audits and inspections. Advisor360° will promptly take such remedial actions as Customer may reasonably require following such inspection. Customer may request such audit up to once per year and additionally any time after a Security Incident.

7. Termination

1. On expiration or termination of the Agreement, or upon written request from Customer at any time, Advisor360° will promptly return or securely delete and destroy all Personal Information in Advisor360°’s possession or control, except as otherwise required by law or by express data retention requirements of the Agreement. Upon request from Customer, Advisor360° will certify such secure deletion in writing within thirty (30) days of Customer’s request. 

8. General

1. This DPA will terminate when Advisor360° ceases to process Personal Information, unless otherwise agreed in writing between the parties.
2. If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
3. Advisor360°’s obligations under this DPA are in addition to and not in lieu of its obligations under other provisions of the Agreement. If the terms of the Agreement conflict with the terms of this DPA, the of this DPA will apply.