Scientist.com Global Data Processing Addendum

Last edited: 14 October, 2021

The Parties have entered into a marketplace agreement regarding the use by the Client of the Platform (the "Agreement").

Capitalized terms in this DP Addendum have the same meanings set forth in the Agreement unless specified or the context requires otherwise.

This DP Addendum ("Addendum") forms part of the Agreement to reflect the Parties’ agreement with regard to the Processing of Service Data and Account Data, including Personal Data, in accordance with the requirements of Data Protection Laws (each as defined below), in all cases in relation thereto.

This Addendum solely relates to the Account Data and Service Data, which Scientist may Process for the purposes of the Agreement, which are anticipated to be business to business contact details only. Any Personal Data being shared directly between the Client and the Supplier is outside the scope of the Agreement and additional terms should be agreed between the Client and Supplier (including in respect of any sharing of Personal Data to a Restricted Country and the sharing of Service Data, including where such Service Data is provided to Supplier by Scientist in accordance with this Agreement). It is strictly prohibited for the Client and/or the Supplier to upload or share any sensitive/ special categories of Personal Data onto/ through the Platform.

IT IS AGREED:

1.

DEFINITIONS AND INTERPRETATION

1.1

The Parties agree to amend the Agreement by inserting the definitions set out above and below:

"Account Data"

means together the Client Account Data and the Scientist Account Data;

"Applicable Law"

means all applicable laws, statutes, enactments, regulations, declarations decree, directive, legislative enactment, order, binding decisions of a competent Court or Tribunal, regulation, rule, regulatory policies, guidelines, codes, other binding restriction, regulatory permits and licences applicable under law which are in force from time to time during the term of this Agreement, including the rules, codes of conduct, codes of practice, practice requirements and accreditation terms stipulated by any regulatory authority or body to which a Party is subject as from time to time amended, consolidated, modified, re-enacted or replaced;

"Client Account Data"

means the Personal Data of the Client's Authorised Users and other Employees Processed by Scientist under, or in connection with, the Agreement, to establish and maintain an account on the Platform and otherwise as provided for in clause 3.2 (and as may be more particularly described in the Data Protection Particulars);

"Controller"

means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data;

"Data Exporter"

means the Client being the Controller of the Account Data or Service Data which is subject to a Restricted Transfer;

"Data Importer"

means Scientist or any of its Group or any Sub-Processor which receives Account or Service Data as a result of a Restricted Transfer;

"Data Protection Impact Assessment"

means an assessment of the impact of the envisaged Processing operations on the protection of Personal Data, as required by Article 35 of the GDPR;

"Data Protection Laws"

means any Applicable Law worldwide which applies to each Party in any territory in which they Process Personal Data and which relates to the protection of individuals with regards to the Processing of Personal Data and privacy rights, including without limitation the data protection laws in California, European Economic Area, United Kingdom, Australia, Singapore, Japan, Brazil, in each case as amended, repealed, consolidated or replaced from time to time;

"Data Protection Particulars"

in relation to any Processing under the Agreement: (a) the subject matter and duration of the Processing; (b) the nature and purpose of the Processing; (c) the type of Personal Data being Processed; and (d) the categories of Data Subjects (as set out in Schedule 1);

"Data Subject"

means an identified or identifiable natural person to whom Personal Data relates, regardless of whether the person can be identified directly or indirectly;

"Data Subject Request"

an actual or purported subject access request or notice or complaint from (or on behalf of) a Data Subject exercising his/her rights under the Data Protection Laws;

"EEA"

means the European Economic Area;

"Employees"

means all staff, including directors, officers and employees, as well as the agents and workers (including self-employed contractors) of either Party together with the directors, officers and employees of such Party's sub-contractors or suppliers and further down any contractual chain, and "Employee" shall mean any one of them individually as the context dictates;

"GDPR"

means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119/1, 4.5.2016;

"Government Access"

means: (a) a request for disclosure of Service Data or Account Data transferred in accordance with Clause 8 by a public authority under the laws of the country of destination; or (b) where the Data Importer is aware, direct access to Service Data or Account Data transferred in accordance with Clause 8 by a public authority under the laws of the country of destination;

"Losses"

means losses, liabilities, damages, compensation, awards, payments made under settlement arrangements, claims, proceedings, reasonable costs and other expenses including fines, interest and penalties, whether arising in contract, tort (including negligence), breach of statutory duty or otherwise, legal and other professional fees and expenses;

"Personal Data Breach"

a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed under and in accordance with the terms of the Agreement and this Addendum and, for the avoidance of doubt, includes a breach of clause 6.1.4 of this Addendum;

"Personal Data"

means any information relating to a Data Subject, including but not limited to any Special Category Personal Data and data relating to criminal convictions and offences;

"Policies"

means collectively the Scientist Global Privacy Policy and any other Scientist privacy policy made available from time to time and which apply to the Platform and the services provided by Scientist from time to time;

"Process"

means any operation or set of operations which is performed on Personal Data or on sets of Personal Data under and in accordance with the terms of the Agreement and this Addendum, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction; and "Processed" and "Processing" shall be construed accordingly;

"Processor"

means a natural or legal person, public authority, agency or other body which Processes Personal Data under and in accordance with the terms of the Agreement and this Addendum on behalf of the Controller;

"Regulator Correspondence"

means any correspondence from the Regulator in relation to the Processing of the Service Data;

"Regulator"

means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws;

"Restricted Country"

means a country, territory or jurisdiction (i) which is not covered by an adequacy determination by a competent authority with jurisdiction over the Data Exporter or (ii) otherwise in relation to which a transfer restriction applies under the Applicable Laws of the Data Exporter;

"Restricted Transfer"

means (i) a transfer of Account Data and/or Service Data to a Restricted Country; or (ii) an onward transfer from a Data Importer to a third Party, in each case where such transfer would be prohibited by Data Protection Laws in the absence of a legal transfer mechanism permitted by the Data Protection Laws;

"Scientist.com Account Data"

means the Personal Data of Scientist's Employees Processed by the Client under, or in connection with, the Agreement, to administer the Client's account on the Platform and otherwise as provided for in clause 3.2 (and as may be more particularly described in the Data Protection Particulars);

"Service Data"

means the Personal Data Processed by Scientist where Client Account Data and/or other Personal Data (excluding always Special Category Personal Data) provided to Scientist by Client is exchanged on the Platform between the Client and a Supplier (as may be more particularly described in the Data Protection Particulars);

"SOW"

has the meaning set forth in the Supplier Agreement;

"Special Category Personal Data"

means information which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, and data concerning health or a person's sex life or sexual orientation and any data relating to criminal convictions and offences;

"Supplier Agreement"

means the agreement between Scientist and Supplier for the Supplier to provide relevant Supplier goods and/or services to Clients and under which Clients have rights as third Party beneficiaries;

"Supplier"

those that register to use the Platform and who may enter into contracts to provide goods and services to the Client via the Platform;

"Third Party Request"

means a request from any third Party for disclosure of (or access to) Service Data or Account Data, including a Government Access request or otherwise, where compliance with such request is required or purported to be required by Applicable Law.

1.2

Unless otherwise provided:

1.2.1

a reference to a defined term which is not defined in this Addendum, shall have the meaning given to it in the Agreement; and

1.2.2

unless otherwise provided the words and expressions defined in, and the rules of interpretation of, the Agreement shall have the same meaning in this Addendum.

2.

GENERAL

2.1

This Addendum comprises a variation to and is supplemental to the Agreement.

2.2

It is acknowledged and agreed by the Parties that the Agreement relates to the provision of the Platform and the ability for the Client to procure goods/services from Suppliers. The arrangement is a business to business transaction and the Personal Data shared between the Parties is of a basic level limited to contact details pertaining to the Account Data and Service Data. Only Account Data and Service Data may be shared by the Client with Scientist and the Client:

2.2.1

shall ensure no further Personal Data, including Special Category Data or data relating to criminal offences or convictions is provided to Scientist or to a Supplier via the Platform; and

2.2.2

acknowledges and agrees in accordance with Clause 9.3 Scientist shall have no liability whatsoever in relation to any Special Category Personal Data or data relating to criminal convictions and offences placed on or shared via the Platform by the Client or Supplier.

2.3

Client retains control of the Personal Data shared with Scientist and remains responsible for its compliance obligations under the applicable Data Protection Laws, including, without limiting the terms of this Addendum or otherwise as set out in the Agreement, providing any required notices and obtaining any required consents and for the processing instructions it provides to Scientist.

2.4

Subject to Clause 2.2 and in the context of such Personal Data it is recognised that the Data Protection Laws require appropriate contractual provisions to be agreed and put in place by the Parties in relation to such sharing and Processing of Personal Data.

2.5

This Addendum solely relates to the sharing and/or Processing of Personal Data under or in connection with the Agreement, as between Scientist and the Client. To the extent the Client and the Supplier share and/or Process Personal Data directly between them (including where Scientist provides Service Data to Suppliers in accordance with the Agreement or where sharing of data between the Client and the Supplier via the Platform will involve transfers of data to and from a Restricted Country), the Client acknowledges and agrees that it shall agree separate terms in respect of such data sharing/ processing arrangement directly with the Supplier and Scientist shall have no liability in respect of such data sharing/ processing arrangement, including without limitation, the acts or omissions of the Supplier or Client and Client shall indemnify and hold Scientist harmless in relation to any liability, loss, claim or expense incurred by Scientist as a result of a failure to ensure such data sharing and transfer terms are agreed or otherwise for any failure to comply with applicable Data Protection Laws in relation to such data sharing and transfers to a Restricted Country. Neither Suppliers nor the Client are Scientist’s sub-processors.

2.6

This Addendum applies where and to the extent that:

2.6.1

the Client is a Controller or Processor established in the UK, EEA and/or Switzerland and the Personal Data to be shared and transferred to Scientist under and in accordance with this Agreement is Personal Data processed in the context of such establishment; or

2.6.2

the data subject in relation to whom the Client shares their Personal Data are data subjects located in the UK, EEA and/or Switzerland and Scientist processed such Personal Data for the purpose of such data subjects using the facilities available on the Platform in the UK, EEA and/or Switzerland; or

2.6.3

otherwise, either Party is subject to the Data Protection Laws in any other country or jurisdiction in relation to the Processing of Personal Data for the purposes of the performance of its obligations under the Agreement or otherwise for the delivery of the Platform as contemplated and set out in the Agreement.

2.7

This Addendum sets out the terms to enable the transfer and sharing of the Personal Data between the Client and Scientist and includes, without limitation, terms that permit the transfer of data to Scientist in the United States of America in compliance with the Data Protection Laws.

2.8

Save as amended by this Addendum all other provisions of the Agreement remain unaltered and shall continue in full force and effect. With effect from the date of this Addendum the Agreement and this Addendum shall each be read and construed as one document and, unless the context otherwise requires, references in the Agreement to "this Agreement" and references in this Addendum to "the Agreement" shall be references to the Agreement as amended by this Addendum.

2.9

In accordance with the terms and conditions set out in the Agreement, and in consideration of the variation of the respective obligations of the Parties, the Parties agree to vary the terms of the Agreement as follows:

2.9.1

to the extent such terms deal with the Processing of Service Data, Account Data and/or Personal Data the Parties agree to amend the Agreement by replacing such terms with the following provisions as set out in this Addendum; or

2.9.2

to the extent such terms do not deal with the Processing of Service Data, Account Data and/or Personal Data but such data is shared between the Parties for the purposes set out in this Addendum, the Parties agree to amend the Agreement by inserting the following provisions as set out in this Addendum.

2.10

In the event of any conflict between Scientist’s Global Privacy Policy and the Agreement the terms of the Global Privacy Policy shall prevail.

2.11

Scientist may modify or update its Policies from time to time. Scientist will update the "last updated" date at the top of the Policies upon modifying such Policies. Scientist will endeavour to provide reasonable notice of such changes by posting notice on the Platform and/or by direct notice to Client. The Client is responsible for reviewing the notice and the applicable changes. Notwithstanding the foregoing, the Client’s continued use of the Platform following posting of any changes will constitute the Client’s acceptance of such changes or modifications. If the Client does not agree to any of the modified terms or any future terms, the Client should refrain from using or accessing the Platform. For the avoidance of doubt, particular SOWs shall be governed by the terms in existence at the time such SOW became effective.

3.

ARRANGEMENT BETWEEN THE PARTIES

3.1

The Parties acknowledge that the factual arrangement between them dictates the classification of each Party in respect of the Data Protection Laws. Notwithstanding the foregoing, the Parties anticipate that during the term of the Agreement:

3.1.1

the Client shall be the Controller of the (i) Service Data (ii) Client Account Data for its own internal business purposes and (iii) where it is Processed by it in accordance with Clause 3.2 Scientist Account Data;

3.1.2

Scientist shall be the Controller of the (i) Scientist Account Data for its own internal business purposes and (ii) where it is Processed by it in accordance with Clause 3.2 Client Account Data; and

3.1.3

Scientist shall be the Processor in relation to its Processing of the Service Data which have been made available to Scientist by the Client (whether directly or indirectly) for the purpose of the Supplier providing its goods and/or services to the Client.

3.2

Each Party shall Process the other Party's Account Data (in its capacity as a Controller) in order to:

3.2.1

in the case of Scientist to establish, maintain and administer the Client's account on the Platform and to provide and market the Platform to the Client, including names, email addresses or contact details and any other Personal Data provided in order to complete the client registration process or provided in relation to Scientist marketing initiatives and to raise invoices and seek payment and to otherwise administer the Agreement; and

3.2.2

in the case of the Client, to contact Scientist's representatives to receive the benefit of the Platform and the services available under the Agreement and to administer its relationship with Scientist in accordance with the Agreement.

3.3

Each Party shall Process the other Party's Account Data for the purposes set out in Clause 3.2 in accordance with that Party's relevant privacy policy. Each Party may be required to share the other Party's Account Data referred to in Clause 3.2 with its affiliates and other relevant Parties, within or outside the country of origin, in order to carry out the activities specified in Clause 3.2, but in doing so, each Party will ensure that the sharing and use of the Account Data complies with the applicable Data Protection Laws.

3.4

Scientist shall Process the Service Data (in its capacity as a Processor) in order to facilitate the relationship between the Client and the Supplier, to enable the Client and the Supplier to receive the benefit of the Platform and the services available.

3.5

Each of the Parties acknowledges and agrees that Schedule 1 is an accurate description of the Data Protection Particulars.

3.6

Each Party agrees that in performing its obligations under the Agreement, it shall comply with the obligations imposed upon it under the Data Protection Laws (including in the case of the Client, when uploading, sharing and receiving data via the Platform with a Supplier).

4.

DATA SHARING OBLIGATIONS

4.1

Where acting as a Controller:

4.1.1

for the purposes of the Account Data, each Party shall ensure that all fair processing notices have been given (and/or, as applicable, consents obtained) and are sufficient in scope to allow the other Party to share its applicable Authorised Users' and/or Employees' Personal Data with the other Party and any relevant Supplier (each of whom may be in a Restricted Country). Each Party shall make available to the other a copy of their applicable privacy policy (of which Scientist's can be located at Legal Notices) and the receiving Party shall ensure that this policy is provided to the applicable Authorised Users and/or Employees whose Personal Data has been shared with the other Party for the purposes set out in the Agreement;

4.1.2

for the purposes of the Service Data, the Client shall ensure that all fair processing notices have been given (and/or, as applicable, consents obtained) and are sufficient in scope to allow the Client to (a) upload the Service Data to the Platform; (b) upload and share the Service Data to a Restricted Country; and (c) disclose the Service Data to Scientist in accordance with the Data Protection Laws and for the purposes set out in the Agreement (including permitting the disclosure of the Service Data to the relevant Supplier).

4.2

Each Party warrants, represents and undertakes that it is not subject to any prohibition or restriction which would prevent or restrict it from disclosing or transferring either Account Data or Service Data (as applicable) to the other Party in accordance with the terms of the Agreement.

5.

CLIENT OBLIGATIONS

5.1

The Client warrants, represents and undertakes to Scientist that it will not put any Special Category Personal Data or data relating to criminal convictions and offences on the Platform, or include such Special Category Personal Data or data relating to criminal convictions and offences within any attachments submitted on the Platform. The Client instructs Scientist to remove any such Special Category Personal Data and data relating to criminal convictions and offences that the Client does place on or send via the Platform that it becomes aware of, although Scientist does not have any obligation to the Client to check for this or to do so.

6.

PROCESSING OBLIGATIONS

6.1

To the extent that Scientist is acting as a Processor in relation to the Processing that it is carrying out arising out of, or in connection with, the performance of its obligations under the Agreement, it shall:

6.1.1

Process Service Data for and on behalf of the Client for the purposes of performing its obligations under the Agreement, and only in accordance with the terms of the Agreement and any instructions from the Client. For the avoidance of doubt, the Client's instructions are deemed to include an instruction to provide relevant Service Data to the Supplier. If Scientist is required by applicable law to act other than in accordance with the instructions of the Client, Scientist shall (to the extent permitted by applicable law) as soon as possible notify the Client;

6.1.2

not otherwise modify, amend or alter the contents of the Service Data unless specifically authorised to do so in writing by the Client;

6.1.3

notify the Client as soon as practicable if it considers, in its opinion (acting reasonably), that any of the Client's instructions under clause 6.1.1 infringes any of the Data Protection Laws;

6.1.4

in relation to Scientist’s processing of the Service Data ensure that it has appropriate operational and technical measures in place to safeguard against any unauthorised or unlawful Processing of the Service Data and against accidental loss or destruction of, or damage to, Service Data and where requested provide to the Client evidence of its compliance with such requirement;

6.1.5

take all reasonable steps to ensure the reliability and integrity of any of its staff who shall have access to the Service Data and ensure that each member of its staff shall have entered into appropriate contractually binding confidentiality undertakings;

6.1.6

provided at all times that this Clause 6.1.6 is limited to the Account Data and Service Data of the Client and its marketplace, allow, no more than once in any twelve month period, on a date and time agreed between Client and Scientist and subject to confidentiality undertakings being agreed to by the Client’s representatives and appointed auditors, its data processing facilities, procedures and documentation to be submitted for scrutiny, inspection or audit by the Client (and/or its representatives, including its appointed auditors) in order to ascertain compliance with the terms of this Addendum and provide reasonable information, assistance and co-operation to the Client, including access to relevant staff and/or, on the request of the Client provide the Client with written evidence of its compliance with the requirements of this Addendum. Under no circumstances shall any obligation under this Clause 6.1.6 permit the Client (and/or its representatives, including appointed auditors) to audit or be entitled to information in respect of any third Party (including third Party marketplaces, suppliers or other clients) (as determined by Scientist acting in its sole discretion);

6.1.7

subject to Clauses 6.1.1 and 6.2 not disclose Service Data to a third Party (including a sub-contractor) in any circumstances without the Client's prior written consent (not to be unreasonably withheld or delayed). For the avoidance of doubt, by selecting to use the Platform (including without limitation the research concierge service), the Client will be deemed to be consenting to the disclosure of Service Data to such Supplier;

6.1.8

notify the Client promptly following its receipt of any Data Subject Request or Regulator Correspondence or Third Party Request, and shall:

(a)

not disclose any Service Data in response to any Data Subject Request or Regulator Correspondence or Third Party Request without the Client's prior written consent; and

(b)

provide the Client promptly at the Client's sole cost and expense with all reasonable co-operation and assistance required by Scientist in relation to any such Data Subject Request or Regulator Correspondence or Third Party Request;

6.1.9

notify the Client promptly upon becoming aware of any Personal Data Breach, and:

(a)

where such Personal Data Breach arises as a result of Scientist’s failure, Scientist shall implement any measures necessary to restore the security of compromised Service Data;

(b)

where such Personal Data Breach arises as a result of the Client, the Supplier or any third Party outside of Scientist’s control, Scientist shall, at Client’s sole cost and expense, provide such reasonable assistance as required by the Client to implement any measures necessary to restore the security of the compromised Service Data; and

(c)

assist the Client to make any notifications to the Regulator and affected Data Subjects;

6.1.10

except to the extent required by applicable law and/or as required for Scientist to perform its surviving obligations and/or for its own internal record keeping and audit purposes, on termination or expiry of the Agreement and/or all SOWs thereunder (as applicable) or otherwise where requested by the Client, cease Processing all Service Data and return and/or permanently and securely destroy (as directed in writing by the Client) all Service Data and all copies in its possession or control; and

6.1.11

at the Client’s sole cost and expense, use reasonable endeavours in accordance with good industry practice to assist the Client to comply with the obligations imposed on the Client by the Data Protection Laws, including:

(a)

obligations relating to ensuring the security and integrity of the Service Data;

(b)

obligations relating to notifications and communication of Personal Data Breaches required by the Data Protection Laws to the Regulator and/or any relevant Data Subjects; and

(c)

undertaking any Data Protection Impact Assessments that are required by the Data Protection Laws (and, where required by the Data Protection Laws, consulting with the Regulator in respect of any such Data Protection Impact Assessments).

6.2

Subject to Clause Error! Reference source not found., the Client expressly agrees that Scientist may transfer:

6.2.1

Service Data and Account Data to third-Party sub-processors for the purpose of providing technical, operational and administrative support related to the Platform, and will ensure that any onward transfers to sub-processors by such third Parties are made in conformity with (a) the terms of this Addendum and (b) Scientist’s commitments under Data Protection Laws;

6.2.2

Service Data and Account Data to Suppliers for the purpose of responding to and delivering a Client's Request for Proposal placed on the Platform by the Client. The Client acknowledges that subject to Clause 2.5 the Processing of such Service Data and Account Data by the Supplier is subject to the terms of the Supplier Agreement and any other terms put in place between the Client and the Supplier. Expressly Scientist shall have no liability for the Processing of such Service Data and Account Data by the Supplier.

6.3

Each Party shall use its reasonable endeavours to assist the other Party to comply with any obligations under the Data Protection Laws and shall not perform its obligations under the Agreement in such a way as to cause the other Party to breach any of its obligations under the Data Protection Laws to the extent that such Party is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.

6.4

Except as otherwise provided, the Agreement does not transfer ownership of, or create any licences (implied or otherwise), in any intellectual property rights in any Personal Data.

7.

CROSS BORDER TRANSFERS OF PERSONAL DATA

7.1

If the Data Protection Laws of the Data Exporter restrict cross-border Personal Data transfers, the Client will only transfer Personal Data to Scientist where:

7.1.1

the Client has obtained the valid Data Subject consent to the transfer to Scientist, its sub-processors and the Suppliers under the Data Protection Laws;

7.1.2

the Client agrees that (a) in providing and continuing to provide Account Data to Scientist and (b) by providing and continuing to provide Service Data and selecting to engage with a Supplier in a Restricted Country, the Client shall have obtained the consent of the applicable Data Subjects whose data is shared with Scientist or any Supplier and the Client's provision of such Personal Data will be deemed to be consenting to the disclosure of Account Data and Service Data (respectively) to a Restricted Country. Client shall provide such information to evidence such consents to Scientist as it may request from time to time;

7.2

Transfers of Service Data and Account Data shared with a Supplier in a Restricted Country for the purpose of responding to and delivering a Client's request for services placed on the Platform by the Client, shall be subject to the terms of the Supplier Agreement and any other terms put in place between the Client and the Supplier. Expressly Scientist shall have no liability for the Processing of such Service Data and Account Data by the Supplier and Client.

8.

THIRD PARTY REQUESTS

8.1

Where Scientist or any Sub-Processor or any of their Sub-Processors, in each case who receive Account Data or Service Data as part of a Restricted Transfer, receives a Third Party Request or becomes aware of Government Access in relation to Service Data or Account Data transferred to it as part of a Restricted Transfer (the "Receiving Party"), Scientist shall, unless prohibited by Applicable Law from doing so, promptly notify the Client and provide all information available to it (including in the case of a Third Party Request, the requesting authority, legal basis for the request and any initial response provided).

8.2

Where the Receiving Party is prohibited by Applicable Law from notifying the Client of a Third Party Request or Government Access, it shall use its reasonable efforts, at Client’s sole cost and expense, to obtain a waiver of the prohibition to notify the Client and communicate to any entity requesting such disclosure the following message: "The information you wish to access is the legal responsibility of [Client legal entity name]. [Client legal entity name] requests in the strongest terms that, before any further steps are taken, you consult [Client legal entity name] urgently by contacting [Client legal entity name] using the contact details provided on their website."

8.3

In the event of a request referred to in Clause 8.1, the Receiving Party shall, at the Client’s sole cost and expense:

8.3.1

review the legality of the request and exhaust all reasonable remedies to challenge the request if it concludes there are grounds under the Applicable Laws of the country of receipt to do so. No disclosure shall be made until required under applicable procedural rules;

8.3.2

document its assessment and challenge of the request for disclosure and to the extent permitted under the Applicable Laws of the Data Importer make this available to the Client and a Regulator upon request from such Party; and

8.3.3

only provide the minimum amount of information possible, based on a reasonable interpretation of the request, including without limitation, redacting any Client confidential information and Service Data which is not necessary for the purposes of the request.

9.

INDEMNITY AND LIABILITY UNDER THIS ADDENDUM

9.1

Notwithstanding any other term of the Agreement each Party shall indemnify (the "Indemnifying Party") and keep indemnified and hold harmless the other (the "Indemnified Party") from and against all Losses suffered or incurred by the Indemnified Party arising out of or in connection with claims and proceedings arising from any breach of the Indemnifying Party's obligations under this Addendum. The limitations of liability set out in the Agreement shall not apply in respect of this indemnity and shall instead be subject to Clauses 9.2 to 9.8.

9.2

Subject to Clause 9.8,

9.2.1

the liability of the Client under the indemnities set out at Clauses 2.5 and 9.1 in relation to all Losses incurred by Scientist as a result of a breach by the Client of Clause 5.1 shall be unlimited;

9.2.2

otherwise, each Party's total liability under this Addendum (including (without limitation) in respect of (i) the indemnity set out at Clause 9.1 and (ii) the payment of compensation under Clause 9.9) shall not exceed the sum of £1,000,000.

9.3

Subject to Clause 9.8, to the maximum extent permitted by law Scientist shall have no liability of any nature whatsoever regardless of the cause of action, including breach of contract, breach of warranty, strict liability or negligence to the Client, Supplier and/or any other third Party in relation to (a) Special Category Personal Data or data relating to criminal convictions and offences placed on or shared via the Platform by the Client or Supplier, or (b) for any acts or omissions of the Client and/or Supplier in relation to any information placed on or received or shared via the Platform by the Client and/or Supplier (including Personal Data and Special Category Personal Data and including Service Data provided by Scientist to Supplier in accordance with this Agreement and service data of Supplier provided to Client by Scientist via the Platform); or (c) for any failure by the Client to obtain the necessary consents or to otherwise undertake its due diligence and satisfy itself that it has the right to transfer the Personal Data to Scientist and its sub-processors; or (d) otherwise in relation to the Client’s compliance with any laws and regulations applicable to the Client. Client is solely responsible for determining whether the Platform and the use of the online services are appropriate for the storage and processing of information subject to any specific law or regulation and for using the Platform in a manner consistent with the Client’s legal and regulatory obligations.

9.4

Subject to Clause 9.8, to the maximum extent permitted by law Scientist shall have no liability of any nature whatsoever regardless of the cause of action, including breach of contract, breach of warranty, strict liability or negligence to the Client or any third Party:

9.4.1

for any breach of this Addendum, where:

(a)

such breach is attributable (in whole or part) to an act or omission of the Supplier;

(b)

such breach (in whole or part) is attributable to an act or omission of the Client; or

(c)

such breach arises due to the action of any third Party outside of Scientist’s control;

9.4.2

for any breach of the Supplier Agreement by the Supplier or any third Party outside of Scientist’s control.

9.5

Subject to Clause 9.8, neither Party shall be liable for consequential, indirect or special losses relating to or arising from this Addendum.

9.6

Subject to Clause 9.8, neither Party shall be liable for any of the following (whether direct or indirect) relating to or arising from this Addendum:

9.6.1

loss of profit;

9.6.2

loss of use;

9.6.3

loss of production;

9.6.4

loss of contract;

9.6.5

loss of opportunity;

9.6.6

loss of savings, discount or rebate (whether actual or anticipated); or

9.6.7

harm to reputation or loss of goodwill.

9.7

Except as expressly stated in this Addendum, and subject to Clause 9.8, all warranties and conditions whether express or implied by statute, common law or otherwise are excluded to the extent permitted by law.

9.8

Notwithstanding any other provision of this Addendum, the liability of the Parties shall not be limited in any way in respect of the following:

9.8.1

death or personal injury caused by negligence;

9.8.2

fraud or fraudulent misrepresentation; or

9.8.3

any other losses which cannot be excluded or limited by applicable law.

9.9

Data Subject and third Party compensation

To the extent that either Party (the "Payor") has an entitlement under Data Protection Laws to claim from the other Party compensation paid by the Payor to a Data Subject or third Party as a result of a breach of Data Protection Laws (in full or in part) by the other Party, the other Party shall be liable only for such amount as directly relates to such other Party's responsibility for any damage caused to the relevant Data Subject or third Party. For the avoidance of doubt the Payor shall only be liable to make payment to the other Party under this Clause 9.9 upon receipt of evidence from the Payor, which shall be to the other Party's reasonable satisfaction and that clearly demonstrates:

9.9.1

that the other Party has breached Data Protection Laws;

9.9.2

that such breach contributed (in part or in full) to the harm caused entitling the relevant Data Subject or third Party to receive compensation in accordance with Data Protection Laws; and

9.9.3

the proportion of responsibility for the harm caused to the relevant Data Subject or third Party which is attributable to the other Party.

9.10

Mitigation and Conduct of claims

In respect of any indemnity given by either Party (the "Indemnifying Party") under this Addendum, the Party which receives the benefit of the indemnity (the "Indemnified Party") shall take all reasonable steps to reduce or mitigate the loss covered by the indemnity.

9.11

The obligations on the Indemnifying Party under this Addendum shall be conditioned upon: (i) the Indemnified Party providing the Indemnifying Party with prompt (but no less than thirty (30) days) written notice of the existence of any claim covered by the indemnity provided however that any delay by an Indemnified Party in giving such notice shall not relieve the Indemnifying Party of its obligations under this Addendum except to the extent that such delay materially impairs or causes prejudice to the Indemnifying Party; and (ii) the Indemnified Party cooperating as reasonably requested with the Indemnifying Party, at the sole cost and expense of the Indemnifying Party, in the defense of any claim. The Indemnified Party shall not accept any settlement which imposes liability not covered by the indemnities under this Addendum or places restrictions on the Indemnifying Party without the prior written consent of the Indemnifying Party. Nothing in this Clause shall limit or prohibit a Party from dealing with any claim or proceeding issued by a Regulator and the Parties agree that each Party shall have the right to defend and deal with any Regulator claims directly, but shall take into account, acting reasonably, the requests of the Indemnifying Party.

9.12

Each Party shall take all reasonable steps to reduce or mitigate any compensation due to a Data Subject or third Party, arising from a breach of this Addendum.

10.

GOVERNING LAW AND EXECUTION

10.1

This Addendum may be executed in one or more counterparts, each of which shall be deemed an original for all purposes. An electronic signature shall be deemed to be the equivalent of an original for all purposes.

10.2

The validity and interpretation of this Addendum shall be:

10.2.1

for the purpose of Processing Personal Data shall mean the Data Protection Laws applicable to the Controller being:

(a)

in the case of Scientist the laws of the State of Delaware, USA and the federal and state courts of the State of Delaware, USA shall be the exclusive venue for the resolution of any disputes relating hereto;

(b)

in the case of the Client the laws of the country in which the Controller is established;

10.2.2

for all other purposes, governed by the laws of the State of Delaware, USA and the federal and state courts of the State of Delaware, USA, shall be the exclusive venue for the resolution of any disputes relating hereto.

SCHEDULE 1
DATA PROTECTION PARTICULARS

The subject matter and duration of the Processing

For the duration of the Agreement and any SOWs entered into and for the period thereafter as required for Scientist to perform its surviving obligations under the Agreement, SOWs and/or Supplier Agreement and for the duration of the statutory contractual claim period thereafter and for the length of time required for Scientist's lawful record keeping and internal audit purposes (whichever is the longer).

The nature and purpose of the Processing

Client Account Data: for administration of the Agreement

Service Data: to facilitate the introduction of Clients and Suppliers and interaction of Client and Suppliers through the Platform

The type of Personal Data being Processed

Client Account Data: name, email address, IP address, phone number and/or contact information

Service Data: name, contact information

The categories of Data Subjects

Individual traders, company representatives

Data Retention/Deletion Period and Process

For the longer of the duration of the Agreement and for up to seven years thereafter, or otherwise where required for legal, regulatory or taxation purposes.

Locations (including the geographic region) in which the personal data may be Processed by Scientist and/or any Sub-Processor

For transfers of data to Scientist, data may be Processed in the USA, United Kingdom, European Economic Area and Japan.

Transfers to Supplier shall be subject to separate terms agreed between the Client and the Supplier and Client shall ensure it has appropriate safeguards in place to meet the requirements of any such transfers it requests Scientist to make, including any transfer to a Supplier in a Restricted Country.