These DATA PROCESSING TERMS AND CONDITIONS (“Terms and Conditions”) govern the processing of Personal Data (defined below) by Audit and Information Services, Inc. (Audit and Information Services, Inc.) and/or its Affiliates (“Audit and Information Services, Inc.”) in connection with the applicable business transaction for the party identified in the working agreement, or Statement of Work (“Client”).

 RECITALS 

WHEREAS, these Terms and Conditions amend and supplement all relevant services, including all terms, conditions and underlying agreements referenced therein, between Audit and Information Services, Inc. (Audit and Information Services, Inc.) and Client (“Agreement(s)”), and shall be incorporated into all such Agreement(s) which reference these Terms and Conditions or to which these Terms and Conditions are attached; and

WHEREAS, these Terms and Conditions contain the mandatory clauses required by the General Data Protection Regulation ((EU) 2016/679) (“GDPR”) under Article 28(3) for contracts between controllers and processors, and under Articles 28(4) and 32(4) for contracts between processors and sub-processors, and will apply to the extent Audit and Information Services, Inc. processes Personal Data on behalf of Client.

NOW, THEREFORE, in consideration of the premises and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties agree to the following Terms and Conditions:

1. DEFINITIONS. All capitalized terms not expressly defined herein shall have the meanings ascribed to them in the Agreement(s).

“Affiliate(s)” means any entity that, directly or indirectly through one or more intermediaries, controls, is controlled by, or is under common control with a party to these Terms and Conditions.

“Business Purposes” means as needed for Audit and Information Services, Inc. to provide the Products, Services, and/or the Agreement(s); as specified in a Statement of Work (“SOW”), or purchase order; and/or as otherwise agreed upon between the parties in writing from time to time.

“Data Protection Laws” means all applicable privacy and data protection laws, including the GDPR and any applicable national implementing laws, regulations and secondary legislation in any Member State of the European Union relating to the processing of Personal Data and the privacy of electronic communications, as amended, replaced or updated from time to time, including the Privacy and Electronic Communications Directive (2002/58/EC).

“Data Subject” means an individual who is the subject of Personal Data.

“Personal Data” means any information relating to an identified or identifiable natural person that is processed by Audit and Information Services, Inc. for Client as a result of, or in connection with, the provision of the Products and Services; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data transmitted, stored or otherwise processed by Audit and Information Services, Inc. under the Agreement(s).

“Process”, “Processes” or “Processing” means any operation or set of operations which involves use of Personal Data, whether or not by automated means, including but not limited to: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

2. PROCESSING PURPOSES AND PERSONAL DATA TYPES.

a. Processing. Audit and Information Services, Inc. and Client each acknowledge that for the purposes of the Data Protection Laws, Client is, depending on the data, a controller or a processor of the Personal Data (“Client Personal Data”), and in regards to Client Personal Data, Audit and Information Services, Inc. is the processor or sub-processor thereof.

b. Purposes. The duration, purpose of processing, and the Personal Data categories and Data Subject types that Audit and Information Services, Inc. may process for Client are as follows:

i. DURATION OF PROCESSING. Term of service to the Audit and Information Services, Inc. User.

ii. PERSONAL DATA CATEGORIES.

Client’s employees’ names and contact information, which may include but is not limited to business and home addresses, email addresses, phone numbers, IP addresses, user names, and transaction history Client’s customer names and business contact information, including addresses, email addresses, phone numbers, IP addresses

 3. TERM AND TERMINATION. 

Version 04/15/2019

a. Term. These Terms and Conditions will remain in full force and effect so long as: (a) the Agreement(s) remains in effect; (b) any customer of Audit and Information Services, Inc. is paying for any of the services offered by Audit and Information Services, Inc..

b. Termination for Cause. Either party’s failure to comply with these Terms and Conditions will constitute a material breach of the Agreement(s). In such event, the non-breaching party may terminate the Agreement(s) effective immediately. In addition, if a change in any Data Protection Law prevents either party from fulfilling all or part of its obligations under the Agreement(s), the parties will suspend the processing of Personal Data until that processing complies with the new requirements. If the parties are unable to promptly bring the Personal Data processing into compliance with the Data Protection Laws, either party may terminate the Agreement(s), including any active SOW(s), on written notice to the other party.

 4. REPRESENTATIONS AND WARRANTIES.

 Audit and Information Services, Inc. represents and warrants that it will:

a. process Personal Data only to the extent and in such manner as is necessary for the Business Purposes and that it will not process the Personal Data for any other purpose or in a way that does not comply with the Agreement(s), these Terms and Conditions, or the Data Protection Laws;

b. take appropriate technical and organizational measures to prevent the unauthorized or unlawful processing of, accidental loss or destruction of, or damage to, Client Personal Data in its control or possession, and will ensure a level of security appropriate to: (A) the harm that might result from such unauthorized or unlawful processing or accidental loss, destruction or damage, (B) the nature of the Personal Data protected, and (C) comply with all applicable Data Protection Laws.

c. ensure that all personnel who have access to and/or process Client Personal Data are obliged to keep the Client Personal Data confidential and not to disclose it to third parties unless such disclosure is specifically authorized by Client, or as required by law;

d. promptly comply with any request or instruction of Client requiring Audit and Information Services, Inc. to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorized processing; and

Client represents and warrants that it:

a. will comply with all relevant Data Protection Laws; and

b. in its capacity as a data controller, has obtained necessary consent to collect the personal data provided to Audit and Information Services, Inc. for processing hereunder.

 5. SECURITY STANDARDS. Audit and Information Services, Inc. has implemented and will maintain appropriate technical and organizational measures to protect against unauthorized or unlawful processing, loss, destruction of, or damage to the Client Personal Data in Audit and Information Services, Inc.’s control or possession, appropriate to: (a) the harm that might result there from; and (b) the nature of the Personal Data to be protected, having regard to the state of technological development and the cost of implementing any such measures. Audit and Information Services, Inc. will review its security measures, at least annually, to ensure such measures remain current and complete.

 6. PERSONAL DATA BREACH.

  a. Loss or Destruction. Audit and Information Services, Inc. will promptly and without undue delay notify Client if any Client Personal Data in Audit and Information Services, Inc.’s control or possession is lost or destroyed, or becomes damaged, corrupted, or unusable.

b. Notification. Audit and Information Services, Inc. will, as soon as practicable and without undue delay, notify Client if it becomes aware of any Personal Data Breach of the Client Personal Data in Audit and Information Services, Inc.’s control or possession, and shall provide Client with a description of the nature of the Personal Data Breach, including approximate number of Data Subjects and Personal Data records concerned, likely consequences, and description of measures taken or proposed to mitigate possible adverse effects. Audit and Information Services, Inc. will not inform any third party of any such Personal Data Breach without first obtaining Client’s prior written consent, except when required to do so by law. Audit and Information Services, Inc. agrees that Client, or where Client is acting as a processor on behalf of a controller, that controller, has the sole right to determine: (a) whether to provide notice of the Personal Data Breach to any Data Subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or, as applicable, in Client’s or the third-party controller’s discretion, including the contents and delivery method of the notice; and (b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.

c. Remedy and Assistance. Immediately following any Personal Data Breach of the Client Personal Data in Audit and Information Services, Inc.’s control or possession, the parties will coordinate with each other to investigate the matter. Move Wallet will reasonably cooperate with Client, including (i) assisting with any investigation; (ii) facilitating interviews with employees, former employees and others involved in the matter; (iii) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Laws or as otherwise reasonably required by Client; and (iv) taking reasonable and prompt steps to mitigate the effects and to minimize any damage resulting from such Personal Data Breach.

d. Expense. Each party will cover all expenses associated with its performance of its obligations required under this Section.

 7. CROSS-BORDER TRANSFERS OF PERSONAL DATA. Client consents to Audit and Information Services, Inc.’s processing of Personal Data outside the European Economic Area (“EEA”), specifically in the United States of America. In order to comply with the Data Protection Laws, the parties agree to (i) comply with, and execute as necessary, the latest version of the Standard Contractual Clauses/EU Model Clauses, which are hereby incorporated by reference (where Client is the entity exporting Personal Data to Audit and Information Services, Inc. outside the EEA), and (ii) take all other actions required by law to legitimize the transfer.

 8. DATA SUBJECT REQUESTS AND THIRD PARTY RIGHTS.

  a. Data Subject and Supervisory Authority Requests. Audit and Information Services, Inc. will, at no additional cost, take such technical and organizational measures as may be appropriate, and promptly provide such information as may reasonably be required, to enable Client to comply with: (i) the rights of Data Subjects under the Data Protection Laws, including Data Subject access rights, the right to rectify and erase Personal Data, the right to object to the processing and automated processing of Personal Data, and the right to restrict the processing of Personal Data, and (ii) information or assessment notices served on Client by any supervisory authority under the Data Protection Laws. Audit and Information Services, Inc. will notify Client within five (5) business days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their related rights under the Data Protection Laws.

b. Compliance Notification and Cooperation. Audit and Information Services, Inc. will notify Client as soon as practicable if it receives any complaint, notice or communication that relates directly or indirectly to the processing of Client Personal Data or to Client’s compliance with the Data Protection Laws. Audit and Information Services, Inc. will give Client its reasonable co-operation and assistance in responding to any such complaint, notice, communication or Data Subject request.

c. Disclosure. Audit and Information Services, Inc. shall not disclose the Client Personal Data to any Data Subject or to any third party, other than at Client’s or the relevant data controller’s direct request or instruction, unless otherwise required by law.

 9. RECORDS AND AUDIT.

  a. Records. Audit and Information Services, Inc. will keep detailed, accurate and up-to-date written records regarding any processing of Client Personal Data. Audit and Information Services, Inc. will ensure records are sufficient to enable Client to verify compliance with the obligations under these Terms and Conditions, and Audit and Information Services, Inc. will provide Client with copies of such records upon thirty (30) days prior written request.

 10. INDEMNIFICATION. 

Except to the extent caused by the acts, errors, or omissions of the Indemnified Party (defined below), each party (“Indemnifying Party”) agrees to indemnify and defend at its own expense the other party and, as applicable, the controller of the Personal Data, including their respective directors, officers, employees, subcontractors, and agents (each an “Indemnified Party”) against all costs, claims, damages or expenses incurred by an Indemnified Party due to any material failure by the Indemnifying Party or its employees or agents to comply with (a) any of its material obligations under these Terms and Conditions, or (b) the Data Protection Laws. Notwithstanding the foregoing, (i) in no event shall either party be liable for more than its proportionate share of fault; and (ii) in no event shall ESPO’s aggregate liability for all claims arising from or related to these Terms and Conditions exceed the amount of fees actually paid by Client to ESPO during the twelve (12) months preceding the date of the claim.

 11. GENERAL.

a. Notices. Any notice permitted or required under these Terms and Conditions shall be deemed to have been given if it is in writing and (i) personally served or delivered, (ii) mailed by registered or certified mail (return receipt requested), or (iii) delivered by a national overnight courier service with confirmed receipt, to the parties at the addresses set forth in the relevant Agreement. Each party may change its notice address by giving similar notice.

b. Severability. In the event a court of competent jurisdiction holds any of these Terms and Conditions invalid or unenforceable, the remainder of the Terms and Conditions will continue in full force and effect. The parties shall in good faith negotiate a mutually acceptable and enforceable substitute for the unenforceable provision, which substitute shall be as consistent as possible with the original intent of the parties.

c. No Waiver. The failure by either party to enforce any of these Terms and Conditions shall not be deemed a waiver of such provisions or any subsequent breach thereof.

d. Remedies not Exclusive. No remedy made available under these Terms and Conditions is intended to be exclusive unless expressly stated otherwise herein.

e. Entire Agreement. These Terms and Conditions along with the Agreement(s) and any amendments thereto contain the entire understanding between the parties with respect to the subject matter hereof and may not be changed except by a separate writing signed by both parties. During the term of the Agreement(s), purchase orders, acknowledgment forms, or similar routine documents may be used. The parties agree that any provisions of such routine documents, which purport to add to or change, or which conflict with these Terms and Conditions or the Agreement(s) shall be deemed deleted and have no force or effect.

f. Interpretation and Construction. The section headings in these Terms and Conditions are for reference purposes only and shall not be deemed a part of the Terms and Conditions. The wording herein is the wording chosen by the parties to express their mutual intent, and no rule of strict construction shall be applied against either party.

g. Conflicts. In the event of conflict or ambiguity between any of these Terms and Conditions and the provisions of the Agreement(s), these Terms and Conditions will prevail with regard to the subject matter contained herein. In addition, in the case of conflict or ambiguity between any of the provisions of the Agreement(s) and any executed Standard Contractual Clauses, the provisions of the executed Standard Contractual Clauses will prevail.