European Data Processing Schedule

Updated: 24 June 2021

 

1. Definitions

1.1 The following terms shall have the following meaning:

“Data Protection Legislation” means the data protection laws applicable to the processing of personal data in connection with the Subscription Services and Additional Services, including, where applicable, the General Data Protection Regulation, Data Protection Act 2018 and similar laws, or the applicable data privacy laws of any other relevant jurisdiction, in each case as amended, extended or re-enacted from time to time.

The terms “personal data”, “process(ing)”, “data subject”, “personal data breach”, “controller”, and “processor” shall have the meaning given to them in the applicable Data Protection Legislation which, however, shall be limited to the processing of Customer Personal Data.

“Customer Personal Data” means any Data that constitutes personal data which is processed in connection with the Subscription Services or Additional Services by Atticus on behalf of Customer, as the case may be, as further described below.

1.2 The Customer is designated by its Authorised Users (Customer and Authorised Users collectively, the “Instructing Parties”) to provide and manage the Subscription Services and Additional Services on their behalf. Accordingly, Customer Personal Data may contain personal data in relation to which any of the Instructing Parties is controller. The Customer confirms that it is authorised to communicate to Atticus any instructions or other requirements on behalf of any of the Instructing Parties in respect of processing of Customer Personal Data by Atticus in connection with the Subscription Services and Additional Services. Apart from such instructions and any instructions given by Authorised Users by using the Platform, no other instructions are binding on Atticus. Atticus is appointed by the Customer to process Customer Personal Data on behalf of the Instructing Parties, as the case may be, as is necessary to provide and manage the Subscription Services and Additional Services and as otherwise agreed by the parties in writing.

1.3 Both parties acknowledge that under the Agreement:

a) Customer is the controller in relation to Customer Personal Data; and
b) Atticus is a processor in relation to Customer Personal Data.

1.4 In relation to its processing of Customer Personal Data during the Subscription Term, save as otherwise provided by law, Atticus agrees to:

a) process personal data only in connection with the Subscription Services and Additional Services in accordance with the Customer’s documented lawful instructions reasonably given in the context of such services from time to time, and inform the Customer if, in Atticus’ opinion, an instruction infringes the Data Protection Legislation;

b) subject to clause 6 of the Terms, implement appropriate technical and organisational measures to appropriately safeguard Customer Personal Data having regard to the nature of Customer Personal Data which is to be protected and the risk of harm which might result from any personal data breach;

c) subject to clause 6.5 of the Terms, notify the Customer without undue delay if it becomes aware of a personal data breach. Where practicable, Atticus will provide phased notifications as information becomes available. Atticus will investigate the personal data breach and take reasonable action to identify, prevent and mitigate the effects of any personal data breach caused by Atticus. At the Customer’s expense, Atticus will take such further action as the Customer may reasonably request to comply with Data Protection Legislation;

d) inform without undue delay the Customer of any data subject requests under Data Protection Legislation or regulatory or law enforcement requests relating to Customer Personal Data. Atticus may acknowledge each data subject access request. Where agreed between the parties, Atticus may, at Customer’s expense, respond to the subject access request on Customer’s behalf;

e) where required under Data Protection Legislation, Customer and Client will enter into European standard contractual clauses for the transfer of Customer Personal Data to Atticus outside the UK or the EEA. Atticus will not transfer any Customer Personal Data outside the UK or European Economic Area except where required by law or to a Subprocessor (as defined below) appointed in accordance with paragraph 1.5 of this Schedule and subject to implementing appropriate safeguards as required by law, such as, where applicable, executing European standard contractual clauses with the recipient;

f) ensure that persons authorised to process Customer Personal Data have committed themselves to confidentiality;

g) at Customer’s expense, provide such assistance as the Customer may reasonably require in order to ensure the Customer’s compliance with Data Protection Legislation in relation to data security, data breach notifications, data protection impact assessments and prior consultations with the data protection authority;

h) at Customer’s expense, assist the Customer in complying with its obligations under the Data Protection Legislation by making available to the Customer the information necessary to demonstrate its compliance with the Data Protection Legislation and allowing for and contributing to audits and inspections carried out by an independent third party, as the parties may agree from time to time; and

i) on the Customer’s instructions, delete or return all Customer Personal Data to the Customer after the end of the provision of Subscription Services and Additional Services. Atticus may delete or destroy any Customer Personal Data that are no longer needed in connection with the services.

1.5 Atticus may engage subcontractors to process Customer Personal Data (each a “Subprocessor”) subject to paragraph 1.6 of this Schedule.

1.6 When engaging a Subprocessor, Atticus will:

a) carry out reasonable due diligence;

b) enter into a contract on terms, as far as practicable, that are the same as or substantially similar to those in this Schedule, and which, where required by applicable Data Protection Legislation, may include European standard contractual clauses to provide adequate safeguards with respect to the processing of Customer Personal Data. However, where the Subprocessor provides industry standard services (e.g. AWS) and operates on non-negotiable terms, then, notwithstanding anything to the contrary in this Agreement, Atticus may accept such terms. Atticus will on request, subject to any confidentiality obligations to which it is subject, provide a copy of such terms to Customer and both parties agree to comply with such terms. Atticus’ liability to Customer in respect of data protection obligations of such Subprocessor shall be limited in the same way as that of the Subprocessor under those terms; and

c) inform the Customer of any intended changes concerning the addition or replacement of a Subprocessor from time to time. If the Customer objects to any such change on reasonable grounds, then acting in good faith the parties will work together to resolve such objection. If they are unable to resolve the objection, Atticus may terminate the Agreement without liability by notice with immediate effect.

1.7 Customer shall promptly provide such assistance as Atticus may reasonably require in order to comply with its data protection and security obligations under this Schedule.

1.8 Customer warrants and represents on a continuous basis that its instructions under this Schedule will not put Atticus or any Subprocessor in breach of the Law and that it and its agents will not deliberately do or omit to do anything which may put Atticus or any Subprocessor in such breach.

1.9 The Customer shall pay to Atticus within 14 days of invoice date any costs and expenses including without limitation reasonable attorney fees and the cost of preparing and sending correspondence incurred by Atticus in connection with carrying out duties at the Customer’s expense under this Schedule.

1.10 Save as otherwise required by law, the Customer may not publish any filing, communication, notice, press release, or report concerning any personal data breach involving Atticus without Atticus’ prior written approval; such approval shall not be unreasonably withheld.

1.11 Any Customer request that, acting reasonably, Atticus believes is disproportionate, taking into account the context of the Subscription Services and the Additional Services and the parties’ obligations under Data Protection Legislation, will be subject to a prior discussion between the parties in good faith and an agreement on the scope of services required and, where applicable, the payment of reasonable charges and expenses.

1.12 Apart from the Customer and Atticus or their successors no other party shall have any rights under this Schedule.

1.13 In addition to any exclusion and limitation of liability under the Agreement, Atticus shall not be liable under this Schedule to the extent any loss or damage is caused or contributed to by Customer, its group companies, Authorised Users, contractors or agents.

1.14 Details of data processing

Types of Customer personal data: Name, email address, IP address, location, employment position, phone number, correspondence and such other Customer Personal Data as needs to be processed in connection with the Subscription Services and Additional Services.

Categories of data subject: Customers, Clients, and other Authorised Users and such other data subjects whose personal data needs to be processed in connection with the Subscription Services and Additional Services, to the extent such data is Customer Personal Data.

Subject matter: The processing is required in order to provide the Subscription Services and Additional Services described in the Terms.

Duration of processing: For the duration of the Subscription Term and thereafter until erased in accordance with the data disposal processes of Atticus.

Nature and purposes of the processing: Providing the Subscription Services and such other activities as are carried out in connection with the Subscription Services and Additional Services.