Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the subscription agreement, Sana Labs Terms of Service available here or other written or electronic agreement (the "Agreement"), including any written or electronic service orders, purchase orders or other order forms (each a "Service Order") entered into between Sana Labs and Subscriber, pursuant to which Sana Labs provides Services as defined in the Agreement.

The purpose of this DPA is to reflect the parties' agreement with regard to the processing of Subscriber Personal Data. The parties agree to comply with this DPA with respect to any Subscriber Personal Data that the Sana Labs Group may process in the course of providing the Services pursuant to the Agreement. This DPA shall not replace or supersede any data processing addendum or agreement executed by the parties prior to the DPA Effective Date without the prior written consent of the parties (electronically submitted consent acceptable).

This DPA will take effect on the DPA Effective Date and, notwithstanding expiry of the Term, will remain in effect until, and automatically expire upon, deletion of all Subscriber Data by Sana Labs as described in this DPA.

If the Subscriber entity entering into or accepting this DPA is neither a party to a Service Order nor the Agreement, this DPA is not valid and is not legally binding. Such entity should request that the Subscriber entity that is a party to the Agreement executes this DPA.

By signing or accepting the Agreement or this DPA, Subscriber enters into this DPA as of the DPA Effective Date on behalf of itself and in the name and on behalf of its Covered Affiliates if and to the extent Sana Labs processes personal data for which such Covered Affiliates qualify as the controller. For the purposes of this DPA only, and except where indicated otherwise, the term "Subscriber" shall include Subscriber and its Covered Affiliates.

1. Definitions

1.1 Capitalized terms used but not defined in this DPA shall have the meaning given to them in the Agreement or applicable Data Protection Laws.

"Affiliates" of a party is any entity (a) that the party Controls; (b) that the party is Controlled by; or (c) with which the party is under common Control, where "Control" means direct or indirect control of fifty percent (50%) or more of an entity's voting interests (including by ownership).

"Sana Labs" means Sana Labs, or any other Sana Labs Affiliate that is a party to the Agreement, as applicable.

"Covered Affiliate" means any of Subscriber's Affiliate(s) which (a) is subject to the Data Protection Laws, and (b) is permitted to use the Services pursuant to the Agreement between Subscriber and Sana Labs, but has not signed its own Service Order with Sana Labs and is not a "Subscriber" as defined under the Agreement.

"Data Incidents" means a breach of Sana Labs' security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Subscriber Data transmitted, stored or otherwise processed by Sana Labs. "Data Incidents" will not include unsuccessful attempts or activities that do not compromise the security of Subscriber Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

"Data Protection Laws" means all applicable data protection and privacy laws and regulations, including EU Data Protection Laws.

"DPA Effective Date" means, as applicable, (a) 16 September 2018 if Subscriber clicked to accept or the parties otherwise agreed to this DPA prior to or on such date; or (b) the date on which Subscriber clicked to accept or the parties otherwise agreed to this DPA, if such date is after 16 September 2018.

"EEA" means the European Economic Area.

"EU Data Protection Laws" means laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the processing of Personal Data under the Agreement, including European Directives 95/46/EC and any legislation and/or regulation which amends, replaces or re-enacts it (including the GDPR).

"GDPR" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC effective as of May 25, 2018 and any legislation and/or regulation which amends, replaces or re-enacts it.

"Security Documentation" means all documents and information made available by Sana Labs to demonstrate compliance by Sana Labs with its obligations under this DPA, including the Security Measures, Additional Security Information and any third-party certifications or audit reports, as applicable.

"Security Measures" means the administrative, technical and physical safeguards adopted by Sana Labs applicable to the Services subscribed by Subscriber as described and made available by Sana Labs.

"Standard Contractual Clauses" means the agreement executed by and between Subscriber and Sana Labs, Inc. attached hereto as Attachment 2, pursuant to the European Commission's decision (C(2010)593) of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.

"Sub-processor" means any third-party engaged by Sana Labs or a member of the Sana Labs Group which processes Subscriber Data in order to provide parts of the Services.

"Subscriber" means the subscriber entity party to the Agreement. Subscriber may also be referred to as "Customer" in the Agreement from time to time.

"Subscriber Data" has the meaning given to it in the Agreement or, if no such meaning is given, means data submitted by or on behalf of Subscriber to the Services under the Subscriber's Sana Labs account for Services. Subscriber Data may also be referred to as "Customer Data" in the Agreement from time to time.

"Subscriber Personal Data" means the personal data contained within Subscriber Data. Subscriber Personal Data may also be referred to as "Customer Personal Data" in the Agreement from time to time.

"Term" means the period from the DPA Effective Date until the end of Sana Labs' provision of the Services, including, if applicable, any period during which provision of the Services may be suspended and any post-termination period during which Sana Labs may continue providing the Services for transitional purposes.

1.2 The terms "personal data", "data subject", "processing", "controller", "processor" and "supervisory authority" as used in this DPA have the meanings given in the GDPR, and the terms "data importer" and "data exporter" have the meanings given in the Standard Contractual Clauses, in each case irrespective of whether other Data Protection Laws apply.

2. Personal Data Processing Terms

2.1.

The parties agree that if the EU Data Protection Laws apply to the processing of Subscriber Personal Data, the parties acknowledge and agree that:

2.1.1.

Subscriber is the controller and Sana Labs is the processor of the Subscriber Personal Data and Sana may engage Sub-processors pursuant to Section 7 (Sub-processors).

2.1.2.

The subject-matter of the data processing covered by this DPA is the provision of the Services and the processing will be carried out for the duration of the Agreement or so long as Sana Labs is providing the Services.

2.1.3.

Each party will comply with the obligations applicable to it under the EU Data Protection Laws, including with respect to the processing of Subscriber Personal Data.

2.1.4.

If the GDPR is applicable, Sana Labs will process Subscriber Personal Data in accordance with the requirements of the GDPR directly applicable to Sana Labs' provision of Services. Notwithstanding anything to the contrary set forth in this DPA, in the event of a conflict or clarification of definitions, the GDPR shall apply only as of August 10, 2018.

2.1.5.

If Subscriber is a processor itself, Subscriber warrants to Sana Labs that Subscriber's instructions and actions with respect to the Subscriber Personal Data, including its appointment of Sana Labs as another processor, have been authorized by the relevant controller.

2.1.6.

For the avoidance of doubt, Subscriber's instructions to Sana Labs for the processing of Subscriber Personal Data shall comply with all applicable laws, including the EU Data Protection Laws. As between Sana Labs and Subscriber, Subscriber shall be responsible for the Subscriber Data and the means by which Subscriber acquired Subscriber Data.

2.1.7.

For the purposes of this DPA, the following is deemed an instruction by Subscriber to process Subscriber Personal Data (a) to provide the Services; (b) as further specified via Subscriber's use of the Services (including the Services user interface dashboard and other functionality of the Services); (c) as documented in the Agreement (including this DPA and any Service Order that requires processing of Subscriber Personal Data); and (d) as further documented in any other written instructions given by Subscriber (which may be specific instructions or instructions of a general nature as set out in this DPA, the Agreement or as otherwise notified by Subscriber to Sana Labs from time to time), where such instructions are consistent with the terms of the Agreement.

2.1.8.

When Sana Labs processes Subscriber Personal Data in the course of providing the Services, Sana Labs will:

2.1.8.1.

Process the Subscriber Personal Data only in accordance with (a) the Agreement and (b) Subscriber's instructions as described in Section 2.1.7, unless Sana Labs is required to process Subscriber Personal Data for any other purpose by European Union or member state law to which Sana Labs is subject. Sana Labs shall inform Subscriber of this requirement before processing unless prohibited by applicable laws on important grounds of public interest.

2.1.8.2.

Notify Subscriber without undue delay if, in Sana Labs' opinion, an instruction for the processing of Subscriber Personal Data given by Subscriber infringes applicable EU Data Protection Laws.

2.2.

The parties acknowledge and agree that the parties will comply with all applicable laws with respect to the processing of Subscriber Personal Data.

3. Data Security

3.1. Security Measures

3.1.1.

Sana Labs will implement and maintain appropriate technical and organizational measures designed to protect or secure (i) Subscriber Data, including Subscriber Personal Data, against unauthorized or unlawful processing and against accidental or unlawful loss, destruction or alteration or damage, unauthorized disclosure of, or access to, Subscriber Data, and (ii) the confidentiality and integrity of Subscriber Data, as set forth in the Security Measures. Sana Labs may update or modify the Security Measures from time to time provided that such updates and modifications will not materially decrease the overall security of the Services. A list of the most up-to-date Security Measures will be made available upon request at [email protected].

3.1.2.

In addition to the Security Measures, Sana Labs will, from time to time, make additional security guidelines available that provide Subscriber with information about, in Sana Labs' opinion, best practices for securing, accessing and using Subscriber Data including best practices for password and credentials protection ("Additional Security Information").

3.1.3.

Sana Labs will take reasonable steps to ensure the reliability and competence of Sana Labs personnel engaged in the processing of Subscriber Personal Data.

3.1.4.

Sana Labs will take appropriate steps to ensure that all Sana Labs personnel engaged in the processing of Subscriber Personal Data (i) comply with the Security Measures to the extent applicable to their scope of performance, (ii) are informed of the confidential nature of the Subscriber Personal Data, (iii) have received appropriate training on their responsibilities and (iv) have executed written confidentiality agreements. Sana Labs shall ensure that such confidentiality obligations survive the termination of the personnel engagement.

3.2. Data Incidents

3.2.1.

If Sana Labs becomes aware of a Data Incident, Sana Labs will: (a) notify Subscriber of the Data Incident without undue delay after becoming aware of the Data Incident; and (b) promptly take reasonable steps to minimize harm and secure Subscriber Data.

3.2.2.

Notifications made pursuant to this section will describe, to the extent possible, details of the Data Incident, including steps taken to mitigate the potential risks and, as applicable, steps Sana Labs recommends Subscriber to take to address the Data Incident.

3.2.3.

Notification(s) of any Data Incident(s) will be delivered to Subscriber in accordance with the "Manner of Giving Notices" Section of the Agreement or, at Sana Labs' discretion, by direct communication (for example, by phone call or an in-person meeting). Subscriber is solely responsible for ensuring that any contact information, including notification email address, provided to Sana Labs is current and valid.

3.2.4.

Sana Labs will not assess the contents of Subscriber Data in order to identify information subject to any specific legal requirements. Subscriber is solely responsible for complying with incident notification laws applicable to Subscriber and fulfilling any third-party notification obligations related to any Data Incident(s).

3.2.5.

Sana Labs' notification of or response to a Data Incident under this Section 3.2 (Data Incidents) will not be construed as an acknowledgement by Sana Labs of any fault or liability with respect to the Data Incident.

3.3. Subscriber's Security Responsibilities and Assessment of Sana Labs

3.3.1.

Subscriber agrees that, without prejudice to Sana Labs' obligations under Section 3.1 (Security Measures) and Section 3.2 (Data Incidents):

3.3.1.1.

Subscriber is solely responsible for its use of the Services, including: (i) making appropriate use of the Services and any Additional Security Information to ensure a level of security appropriate to the risk in respect of the Subscriber Data; (ii) securing the account authentication credentials, systems and devices Subscriber uses to access the Services; and (iii) backing up the Subscriber Data; and

3.3.1.2.

Sana Labs has no obligation to protect Subscriber Data that Subscriber elects to store or transfer outside of Sana Labs' and its Sub-processors' systems (for example, offline or on-premises storage).

3.3.2.

Subscriber is solely responsible for reviewing the Security Measures and evaluating for itself whether the Services, the Security Measures, the Additional Security Information and Sana Labs' commitments under this Section 3 (Data Security) will meet Subscriber's needs, including with respect to any security obligations of Subscriber under the Data Protection Laws. Subscriber acknowledges and agrees that the Security Measures implemented and maintained by Sana Labs as set out in Section 3.1 (Security Measures) provide a level of security appropriate to the risk in respect of the Subscriber Data.

3.4. Subscriber Assessment and Audit of Sana Labs' Compliance

Upon Subscriber's written request, at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Sana Labs will make available to Subscriber that is not a competitor of Sana Labs (or Subscriber's independent, third-party auditor that is not a competitor of Sana Labs) information regarding Sana Labs' compliance with the obligations set forth in this DPA including in the form of independent audit results and/or third-party certifications, as applicable, to the extent Sana Labs makes them generally available to its subscribers. The most recent independent third-party certifications or audits obtained by Sana Labs are set forth in the Security Measures.

3.5. Subscriber's Audit Rights

3.5.1.

No more than once per year, Subscriber may contact Sana Labs in accordance with the "Manner of Giving Notices" Section of the Agreement to request an on-site audit of the procedures relevant to the protection of Subscriber Data. Subscriber shall reimburse Sana Labs for any time expended for any such on-site audit. Before the commencement of any such on-site audit, Subscriber and Sana Labs shall mutually agree upon the scope, timing, and duration of the audit, that reasonably does not interfere with normal business operations, in addition to the reimbursement rate for which Subscriber shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Sana Labs. Subscriber shall promptly notify Sana Labs with information regarding any non-compliance discovered during the course of an audit.

3.5.2.

Subscriber may conduct such on-site audit (a) itself, (b) through an Affiliate that is not a competitor of Sana Labs or (c) through an independent, third-party auditor that is not a competitor of Sana Labs.

3.5.3.

Subscriber may also conduct an audit to verify Sana Labs' compliance with its obligations under this DPA by reviewing the Security Documentation.

4. Return or Deletion of Subscriber Data

4.1.

Sana Labs will enable Subscriber to delete during the Term Subscriber Data in a manner consistent with the functionality of the Services. If Subscriber uses the Services to delete any Subscriber Data during the Term and that Subscriber Data cannot be recovered by Subscriber, this use will constitute an instruction to Sana Labs to delete the relevant Subscriber Data from Sana Labs' systems in accordance with applicable law. Sana Labs will comply with this instruction as soon as reasonably practicable within a maximum of 90 days, unless the European Union or member state law requires storage.

4.2.

Upon expiry of the Term or upon Subscriber's written request, subject to the terms of the Agreement, Sana Labs shall either (a) return (to the extent such data has not been deleted by Subscriber from the Services) or (b) securely delete Subscriber Data, to the extent allowed by applicable law, in accordance with the timeframes specified in Section 4.3, as applicable.

4.3.

Sana Labs will, after a recovery period of up to 30 days following expiry of the Term, comply with this instruction as soon as reasonably practicable and within a maximum period of 90 days, unless European Union or member state law requires storage. Without prejudice to Section 5 (Data Subject Rights; Data Export), Subscriber acknowledges and agrees that Subscriber will be responsible for exporting, before the Term expires, any Subscriber Data it wishes to retain afterwards.

5. Data Subject Rights; Data Export

5.1.

As of the DPA Effective Date for the duration of the period Sana Labs provides the Services:

5.1.1.

Sana Labs will, in a manner consistent with the functionality of the Services, enable Subscriber to access, rectify and restrict processing of Subscriber Data, including via the deletion functionality provided by Sana Labs as described in Section 4 (Return or Deletion of Subscriber Data), and to export Subscriber Data;

5.1.2.

Sana Labs will, without undue delay, notify Subscriber, to the extent legally permitted, if Sana Labs receives a request from a data subject to exercise the data subject's right of access, right to rectification, restriction of processing, erasure, data portability, objection to the processing, or its right not to be subject to an automated individual decision making ("Data Subject Request"); and

5.1.3.

if Sana Labs receives any request from a data subject in relation to Subscriber Personal Data, Sana Labs will advise the data subject to submit his or her request to Subscriber and Subscriber will be responsible for responding to any such request including, where necessary, by using the functionality of the Services.

5.1.4.

Taking into account the nature of the processing, Sana Labs will assist Subscriber by appropriate technical and organizational measures, insofar as it is possible, for the fulfilment of Subscriber's obligation to respond to a Data Subject Request under EU Data Protection Laws. In addition, to the extent Subscriber, in its use of the Services, does not have the ability to address a Data Subject Request, Sana Labs shall, upon Subscriber's written request, provide Subscriber with reasonable cooperation and assistance to facilitate Subscriber's response to such Data Subject Request, to the extent Sana Labs is legally permitted to do so and the response to such Data Subject Request is required under EU Data Protection Laws. To the extent legally permitted, Subscriber shall be responsible for any costs arising from Sana Labs' provision of such assistance.

6. Data Protection Impact Assessment

Upon Subscriber's written request, Sana Labs will provide Subscriber with reasonable cooperation and assistance needed to fulfill Subscriber's obligation under the GDPR to carry out a data protection impact assessment related to Subscriber's use of the Services, to the extent Subscriber does not otherwise have access to the relevant information, and to the extent such information is available to Sana Labs. Sana Labs will provide reasonable assistance to Subscriber in the cooperation or prior consultation with the applicable data protection authority in the performance of its tasks relating to this Section 6 (Data Protection Impact Assessment) to the extent required under the GDPR.

7. Sub-processors

7.1.

Subscriber specifically authorizes the engagement of Sana Labs Affiliates as Sub-processors. In addition, Subscriber acknowledges and agrees that Sana Labs and Sana Labs Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. Sana Labs or a Sana Labs Affiliate has entered into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this Agreement with respect to the protection of Subscriber Data to the extent applicable to the nature of the Services provided by such Sub-processor.

7.2.

Sana Labs will make available to Subscriber the current list of Sub-processors for the Services ("Infrastructure and Sub-processor List"). The Infrastructure and Sub-processor List as of the DPA Effective Date is attached as Appendix 1. Such Sub-processor list will include the identities of those Sub-processors and their corporate location. Subscriber may receive the most current Infrastructure and Sub-processor List upon request at [email protected]. Sana Labs shall provide notification of a new Sub-processor(s) before authorizing any new Sub-processor(s) to process Subscriber Personal Data in connection with the provision of the Services either by sending an email or via the user interface dashboard of the Services.

7.3.

Subscriber may reasonably object to Sana Labs' use of a new Sub-processor by notifying Sana Labs promptly in writing within ten (10) business days after receipt of Sana Labs' notice. In the event Subscriber objects to a new Sub-processor, as permitted in the preceding sentence, Sana Labs will use reasonable efforts to make available to Subscriber a change in the Services or recommend a commercially reasonable change to Subscriber's configuration or use of the Services to avoid processing of Subscriber Personal Data by the objected-to new Sub-processor without unreasonably burdening the Subscriber. If Sana Labs is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Subscriber may terminate the applicable Service Order(s) with respect to only those Services which cannot be provided by Sana Labs without the use of the objected-to new Sub-processor by providing written notice to Sana Labs. Sana Labs will refund Subscriber any prepaid but unused fees covering the remainder of the term of such Service Order following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Subscriber.

7.4.

Sana Labs shall be liable for the acts and omissions of its Sub-processors to the same extent Sana Labs would be liable if performing the services of each Sub-processor directly under the terms of this DPA subject to the limitations set forth in Section 10 (Limitation of Liability) and the Agreement.

8. Covered Affiliates

8.1.

The parties acknowledge and agree that, by executing the Agreement, the Subscriber enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Covered Affiliates, thereby establishing a separate DPA between Sana Labs and each such Covered Affiliate subject to the provisions of the Agreement, this Section 8 (Covered Affiliates) and Section 10 (Limitation of Liability). Each Covered Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the avoidance of doubt, a Covered Affiliate is not and does not become a party to the Agreement, and is only a party to the DPA. All access to and use of the Services by Covered Affiliates must comply with the terms and conditions of the Agreement and any violation of the terms and conditions of the Agreement by a Covered Affiliate shall be deemed a violation by Subscriber.

8.2.

Subscriber that is the contracting party to the Agreement shall remain responsible for coordinating all communication with Sana Labs under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Covered Affiliates.

8.3.

Where a Covered Affiliate becomes a party to the DPA with Sana Labs, it shall, to the extent required under applicable Data Protection Laws, be entitled to exercise the rights and seek remedies under this DPA, subject to the following:

8.3.1.

Except where applicable Data Protection Laws require the Covered Affiliate to exercise a right or seek any remedy under this DPA against Sana Labs directly by itself, the parties agree that (a) solely Subscriber that is the contracting party to the Agreement shall exercise any such right or seek any such remedy on behalf of the Covered Affiliate, and (b) Subscriber that is the contracting party to the Agreement shall exercise any such rights under this DPA not separately for each Covered Affiliate individually but in a combined manner for all of its Covered Affiliates together (as set forth, for example, in Section 8.3.2, below).

8.3.2.

The parties agree that Subscriber that is the contracting party to the Agreement shall, when carrying out an on-site audit of the procedures relevant to the protection of Subscriber Personal Data, take all reasonable measures to limit any impact on Sana Labs and its Sub-processors by combining, to the extent reasonably possible, several audit requests carried out on behalf of different Covered Affiliates in one single audit.

9. Transfer of Personal Data outside of the EEA

9.1.

Sana Labs makes the Standard Contractual Clauses available as a transfer mechanism for any transfer of Subscriber Personal Data under this DPA from the European Union, the EEA and/or their member states, Switzerland and the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of EU Data Protection Laws of the foregoing territories, to the extent such transfers are subject to such Data Protection Laws.

9.2.

The Standard Contractual Clauses and the additional terms specified in this Section 9 (Transfer of Personal Data Outside of the EEA) apply to (i) the legal entity that has executed the Standard Contractual Clauses as a data exporter and its Covered Affiliates and (ii) all Affiliates of Subscriber established within the EEA, Switzerland and the United Kingdom, which have signed Service Orders for Services. For the purpose of the Standard Contractual Clauses and this Section 9, all these entities shall be deemed "data exporters".

9.3.

For the purposes of Clause 5(a) of the Standard Contractual Clauses, the following is deemed an instruction by the Subscriber to process Subscriber Personal Data (a) to provide the Services; (b) as further specified via Subscriber's use of the Services (including the Services user interface dashboard and other functionality of the Services); (c) as documented in the Agreement (including this DPA and any Service Order that requires processing of Subscriber Personal Data); and (d) as further documented in any other written instructions given by Subscriber (which may be specific instructions or instructions of a general nature as set out in this DPA, the Agreement or as otherwise notified by Subscriber to Sana Labs from time to time), where such instructions are consistent with the terms of the Agreement.

9.4.

Pursuant to Clause 5(h) of the Standard Contractual Clauses, Subscriber acknowledges and expressly agrees that (a) Sana Labs Affiliates may be retained as Sub-processors; and (b) Sana Labs and Sana Labs Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. Sana Labs will make available to Subscriber the current list of Sub-processors in accordance with Section 7 (Sub-processors).

9.5.

Pursuant to Clause 5(h) of the Standard Contractual Clauses, Subscriber acknowledges and expressly agrees that Sana Labs and Sana Labs Affiliates may engage new Sub-processors as described in Section 7 (Sub-processors).

9.6.

The parties agree that the copies of the Sub-processor agreements that must be provided by Sana Labs to Subscriber pursuant to Clause 5(j) of the Standard Contractual Clauses may have all commercial information, or clauses unrelated to the Standard Contractual Clauses or their equivalent, removed by Sana Labs beforehand; and, that such copies will be provided by Sana Labs, in a manner to be determined in its discretion, only upon request by Subscriber.

9.7.

The parties agree that the audits described in Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses shall be carried out in accordance with the following specifications:

9.7.1.

Upon Subscriber's written request, at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Sana Labs shall make available to Subscriber that is not a competitor of Sana Labs (or Subscriber's independent, third-party auditor that is not a competitor of Sana Labs) information regarding Sana Labs' compliance with the obligations set forth in this DPA in the form of independent audit results and/or third-party certifications, as applicable, to the extent Sana Labs makes them generally available to its subscribers. No more than once per year, Subscriber may contact Sana Labs in accordance with the "Manner of Giving Notices" Section of the Agreement to request an on-site audit of the procedures relevant to the protection of Subscriber Personal Data. Subscriber shall reimburse Sana Labs for any time expended for any such on-site audit. Before the commencement of any such on-site audit, Subscriber and Sana Labs shall mutually agree upon the scope, timing, and duration of the audit, that reasonably does not interfere with normal business operations, in addition to the reimbursement rate for which Subscriber shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Sana Labs. Subscriber shall promptly notify Sana Labs with information regarding any non-compliance discovered during the course of an audit.

9.8.

The parties agree that the certification of deletion of Subscriber Personal Data that is described in Clause 12(1) of the Standard Contractual Clauses shall be provided by Sana Labs to Subscriber only upon Subscriber's written request.

9.9.

In the event of any conflict or inconsistency between the body of this DPA and any of its attachments (not including the Standard Contractual Clauses) and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

9.10.

In the event that the European Commission decision authorizing the Standard Contractual Clauses as a data transfer mechanism is held to be invalid, or that any supervisory authority requires transfer of Personal Data made pursuant to such decision to be suspended, then Subscriber may, at its discretion, require Sana Labs to cease processing Subscriber Personal Data to which this Section 9 applies, or cooperate with Sana Labs to facilitate use of an alternative transfer mechanism.

9.11.

Sana Labs agrees to comply with the obligations of a data importer as set out in the Standard Contractual Clauses for the transfer of Subscriber Personal Data to data processors established in third countries under the Standard Contractual Clauses.

9.12.

Subscriber acknowledges that Sana Labs will, as applicable, be a data importer under the Standard Contractual Clauses. In particular, and without limiting the above obligation:

9.12.1.

Sana Labs agrees to grant third-party beneficiary rights to data subjects, as set out in Clause 3 of the Standard Contractual Clauses, provided that Sana Labs' liability shall be limited to Sana Labs' own processing operations only and the limitations set forth in Section 10 (Limitation of Liability) and the Agreement; and

9.12.2.

Sana Labs agrees that Sana Labs' obligations under the Standard Contractual Clauses shall be governed by the law(s) of the EEA member state(s) in which the entity that is the data exporter is established.

10. Limitation of Liability

10.1.

Each party's and all of its Affiliates' liability, taken together in the aggregate, arising out of or related to this DPA (including the Standard Contractual Clauses, if the Standard Contractual Clauses have been entered into in accordance with the Agreement or a DPA), and all DPAs (including the Standard Contractual Clauses, if the Standard Contractual Clauses have been entered into in accordance with the Agreement or a DPA) between Covered Affiliates and Sana Labs, whether in contract, tort or under any other theory of liability, is subject to the "Limitation of Liability" section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.

10.2.

For the avoidance of doubt, Sana Labs' and its Affiliates' total liability for all claims from the Subscriber and all of its Covered Affiliates arising out of or related to the Agreement and each DPA (including the Standard Contractual Clauses, if the Standard Contractual Clauses have been entered into in accordance with the Agreement or a DPA) shall apply in the aggregate for all claims under both the Agreement and all DPAs (including the Standard Contractual Clauses, if the Standard Contractual Clauses have been entered into in accordance with the Agreement or a DPA) established under this Agreement, including by Subscriber and all Covered Affiliates, and, in particular, shall not be understood to apply individually and severally to Subscriber and/or to any Covered Affiliate that is a contractual party to any such DPA.

10.3.

For the avoidance of doubt, each reference to the DPA in this DPA means this DPA including its Attachments and Appendices (including the Standard Contractual Clauses, if the Standard Contractual Clauses have been entered into in accordance with the Agreement or this DPA).

11. Effect of this DPA

Notwithstanding anything to the contrary in the Agreement, to the extent of any conflict or inconsistency between this DPA and the remaining terms of the Agreement, this DPA will govern.

The parties' authorized signatories have duly executed this Data Processing Agreement as of the date set forth below their respective signatures but made effective as of the DPA Effective Date.

Appendix 1

Infrastructure Sub-processors

Sana Labs operates worldwide infrastructure in co-location and server hosting facilities of our infrastructure partners together with industry-leading cloud service providers. Sana Labs owns and controls logical access to the infrastructure maintained by the entities set forth below, while these entities maintain the physical security of the servers, network and the data center.

    Sana Labs
  • Sana Labs
  • Nybrogatan 8
  • 114 34 Stockholm
  • Sweden