Data Processing Addendum

This Data Processing Addendum (“Addendum“) is between Posit Science Corporation (“Posit Science“) and the Client or Reseller (collectively referred to as “Partner“) specified in the agreement to which this Addendum is attached or the agreement to which this Addendum applies or the agreement which this Addendum modifies (“Original Agreement“). Posit Science has developed, owns and operates a website at www.brainhq.com and offers products and services to clients direct and through resellers around the world which are further described herein and in the Original Agreement.  Collectively, Posit Science and Partner are referred to as the “Parties“.

WHEREAS:

1. Partner either uses Posit Science’s products and services (the “Client(s)“) or is a reseller that resells Posit cience’s products or services to said Clients (the “Reseller(s)“);
2. Posit Science offers BrainHQ, a brain training program, (“Services“) directly or through its Resellers; and
3. This Addendum sets out data protection, security and confidentiality requirements with regard to the Processing of Personal Data collected, disclosed, stored, accessed or otherwise Processed by or on behalf of Partner for the purpose of performing the Services.

NOW, THEREFORE, in consideration of the mutual covenants and agreements in this Addendum and for other good and valuable consideration, the sufficiency of which is hereby acknowledged, Posit Science and Partner agree as follows:

1. Definitions. When used in this Addendum, the following terms have the following meaning. Any capitalized terms not defined in this Addendum shall have the meaning given to them in the Original Agreement.

“Applicable Data Protection Law” means all applicable international, federal, state, provincial and local laws, rules, regulations, directives and governmental requirements currently in effect and as they become effective relating in any way to the privacy, confidentiality or security of Personal Data including without limitation: (i) the Gramm-Leach-Bliley Act (“GLBA“), 15 U.S.C. §§ 6801-6827, and all regulations implementing GLBA; the Fair Credit Reporting Act (“FCRA“), 15 U.S.C. § 1681 et seq., as amended by the Fair and Accurate Credit Transactions Act (“FACTA“), and all regulations implementing the FCRA and FACTA; Health Insurance Portability and Accountability Act of 1996 (“HIPAA, and all regulations implementing HIPAA); the Controlling the Assault of Non-Solicited Pornography and Marketing Act (“CAN-SPAM“); information security breach notification laws; laws imposing minimum information security; laws requiring the secure disposal of records containing certain Personal; and all other similar international, federal, state, provincial, and local requirements; (ii) the European Union (“EU“) Data Protection Directive 95/46/EC, as repealed by the General Data Protection Regulation 2016/679 (“GDPR“), effective as of May 25, 2018, and EU Member State laws supplementing the GDPR; the EU Directive 2002/58/EC (“e-Privacy Directive“), as replaced from time to time, and EU Member State laws implementing the e-Privacy Directive; and (iii) all applicable industry standards concerning privacy, data protection, confidentiality or information security including, without limitation the Payment Card Industry Data Security Standard (“PCI DSS“);

“Data Controller” shall have the meaning given to it in the Applicable Data Protection Law;

“Data Processor” shall have the meaning given to it in the Applicable Data Protection Law;

“Data Security Measures” means administrative, technical and physical safeguards and other security measures that are designed to (i) ensure the security and confidentiality of Personal Data, (ii) protect against any anticipated threats or hazards to the security and integrity of Personal Data and (iii) protect against any actual or suspected unauthorized Processing, loss, use, disclosure or acquisition of or access to any Personal Data;

“Data Subject” means a natural person to which the Personal Data pertain;

“Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be specifically identified, directly or indirectly by reference to certain information such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; and,

“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

2. Roles and Responsibilities of the Parties.
   1. Both Posit Science and Partner serve as Data Processors with respect to any Personal Data. Posit Science serves as the Data Controller with regards to Personal Data that Posit Science collects directly from Data Subjects, and Partner serves as the Data Controller with respect to any Personal Data that Partner collects from Data Subjects and submits to Post Science for processing.
   2. Both Parties agree and warrant to Process Personal Data and to perform all of their respective obligations under this Addendum in compliance with the Applicable Data Protection Law.
   3. The Parties acknowledge and agree that Posit Science has the sole and exclusive authority to determine the purposes and means of the Processing of Personal Data Processed under this Addendum, and that Partner will Process Personal Data only on behalf of and under the instructions of Posit Science for the purpose of using, providing, maintaining or distributing the Services.
   4. Both Parties shall limit access to Personal Data to their respective personnel who have a need to know the Personal Data and who have explicitly agreed in writing to comply with legally-enforceable privacy, confidentiality and security obligations that are substantially similar to those required by this Addendum. Both parties shall provide training, as appropriate, regarding the privacy, confidentiality, and information security requirements set forth in this Addendum to relevant personnel who have access to Personal Data.
   5. Both Parties will implement and maintain a comprehensive written information security program that complies with the Applicable Data Protection Law, including commercially reasonable Data Security Measures to protect Personal Data processed under this Addendum from loss, theft, misuse, unauthorized access, disclosure, or acquisition, destruction or other compromise (“Information Security Incident“). Each Party shall inform the other Party without unreasonable delay, but in no event more than 72 hours, after it knows or reasonably suspects that an Information Security Incident has occurred in or with respect to its systems which affects Personal Data under this Addendum or the Original Agreement. The affected Party shall promptly take all necessary steps to mitigate the impact of the Information Security Incident, cooperate with the other Party and provide information as appropriate to address the incident.
   6. Upon the occurrence of an Information Security Incident involving Personal Data in the possession, custody, or control of Partner or for which Partner is otherwise responsible, Partner shall reimburse Posit Science on demand for all Notification Related Costs (defined below) incurred by Posit Science arising out of or in connection with any such Information Security Incident.  “Notification Related Costs” shall include Posit Science’s internal and external costs associated with investigating, addressing, and responding to the Information Security Incident, including but not limited to:  (i) preparation and mailing or other transmission of notifications or other communications to Posit Science users, consumers, employees, customers or others as Posit Science deems reasonably appropriate; (ii) establishment of a call center or other communications procedures in response to such Information Security Incident (e.g., customer service FAQs, talking points and training); (iii) public relations and other similar crisis management services; (iv) legal, consulting, and accounting fees and expenses associated with Posit Science’s investigation of and response to such event; and (v) costs for commercially reasonable credit reporting and monitoring services that are associated with legally required notifications or are advisable under the circumstances. Partner shall not publish or communicate any filings, communications, notices, press releases or reports related to any Information Security Incident that expressly mention Posit Science or Posit Science Clients.
   7. Partner may engage a sub-processor to Process Personal Data protected under this Addendum only if it is authorized by Posit Science to do so. Partner shall enter into a written agreement with the sub-processor imposing on the sub-processor the same obligations as imposed on Partner under this Addendum, including appropriate Data Security Measures.  In case the sub-processor fails to fulfil its obligations under such written agreement with Partner, Partner shall remain fully liable to Posit Science for the performance of the sub-processor’s obligations.
   8. Partner agrees and warrants that it will inform Posit Science promptly of any requests made by government authorities of any jurisdiction requesting or requiring Partner to disclose the Personal Data Processed under this Addendum or to participate in an investigation involving such Personal Data, including but not limited to subpoenas, judicial or administrative orders, or proceedings seeking access to or disclosure of Personal Data. Posit Science shall have the right to defend such action in lieu of and/or on behalf of Partner. Posit Science may, if it chooses, seek a protective order. Partner shall reasonably cooperate with Posit Science in such defense or in any action seeking a protective order.
   9. Posit Science will have the right to monitor and audit Partner’s compliance with the terms of this Addendum. Upon prior written request by Posit Science, Partner agrees to cooperate and, within reasonable time, provide Posit Science with: (a) audit reports and all information necessary to demonstrate Vendor’s compliance with the obligations laid down in this Addendum; and (b) confirmation that the audit has not revealed any material vulnerability in Partner’s systems, or to the extent that any such vulnerability was detected, that Vendor has fully remedied such vulnerability.
   10. Promptly upon the expiration or earlier termination of this Addendum or the related Original Agreement, or such earlier time as Posit Science requests, Partner shall (i) securely delete or return all Personal Data to Posit Science and (ii) securely delete any existing copies, unless (x) further storage of Personal Data is required, in which case Partner shall protect the confidentiality of Personal Data, will not actively process Personal Data further, and will continue to comply with this Addendum or (y) Partner has received consent from each Data Subject to continue to store and process data from that Data Subject.
   11. Partner and Posit Science shall enter into any further privacy or information security agreement reasonably requested by Posit Science for purposes of compliance with the Applicable Data Protection Law.
3. Onward Transfer Terms.
   1. This Section 3 applies to the extent that Partner receives, accesses or otherwise Processes Personal Data for the purpose of using, performing, maintaining or distributing the Services.
   2. Partner will Process Personal Data only as directed by Posit Science for the purpose of performing the Services in accordance with this Addendum and the Original Agreement.
   3. Partner will provide Personal Data at least the same level of privacy protection as is required by all applicable laws including the Applicable Data Protection Law. If Partner determines that it can no longer meet its obligation to provide at least the same level of privacy protection as is required by applicable laws, Partner will immediately notify Posit Science in writing and will: (i) stop Processing the Personal Data; and (ii) return or destroy all Personal Data in accordance with Posit Science’s instructions. In that event, Posit Science may terminate, without penalty, this Addendum, the Original Agreement, and/or any other agreement made between the Parties. Posit Science may also take any actions it deems reasonable to stop or remediate unauthorized Processing.
4. Termination. This Addendum will have the same duration as the Original Agreement. The obligations of Partner to implement appropriate security measures survive the termination of this Addendum to the extent that further storage of Personal Data is required by the Applicable Data Protection Law.
5. Invalidity and Severability. If any provision of this Addendum is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, the invalidity or unenforceability of such provision shall not affect any other provision of this Addendum and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
6. Indemnification. Partner agrees to indemnify and hold harmless Posit Science and its officers, directors, employees and agents from, and at Posit Science’s option, defend against, any and all claims, losses, liabilities, damages, costs and expenses, including third-party claims, demands, reasonable attorneys’ fees, consultants’ fees and court costs (collectively, “Claims“), to the extent that such Claims arise from, or may be in any way attributable to (i) any violation of its obligations under this Addendum; (ii) the negligence, gross negligence, bad faith, or intentional or willful misconduct of Partner or its personnel in connection with obligations set forth in this Addendum; (iii) Partner’s use of any contractor or subcontractor providing services in connection with or relating to Partner’s performance under this Addendum and the Original Agreement; or (iv) any Information Security Incident involving Personal Data in Partner’s possession, custody or control, or for which Partner is otherwise responsible.
7. Governing Law and Dispute Resolution. The governing law and dispute resolution provisions of the Original Agreement will apply to this Addendum.
8. Conflicts. In case of a conflict between this Addendum and any other agreements made between the Parties with regard to the Processing of Personal Data in the context of the Services, this Addendum shall prevail.
9. Summary or Copy of Agreement. Posit Science may provide a summary or a representative copy of the relevant privacy provisions of this Addendum to an authorized regulatory body upon request.