NASDAQ SUPPLIER
DATA PROCESSING ADDENDUM
This Data Processing Addendum (this "DPA"), effective as of the date both Parties sign this DPA (the "Effective Date"), forms part of the definitive written agreement between the Supplier Entity Name on the Agreement ("Supplier") and the Nasdaq Entity Name on the Agreement ("Nasdaq") dated the Effective Date of the Agreement (as amended from time to time, the "Agreement"). Supplier and Nasdaq may be referred to herein collectively as the "Parties" or individually as a "Party."
By signing this DPA, Nasdaq enters into this DPA on behalf of itself and its Affiliates to the extent Supplier Processes Nasdaq Personal Data in performance of the Services for such Affiliates. For the purposes of this DPA only, and except where indicated otherwise in this DPA, the term "Nasdaq" will include Nasdaq and its Affiliates.
HOW THIS DPA APPLIES
This DPA is binding on the Parties only to the extent applicable Data Protection Laws govern the Processing of Nasdaq Personal Data in performance of the Services. This DPA is fully incorporated into and made a part of the Agreement. This DPA replaces any existing terms, addendums, or other attachments related to the Processing of Nasdaq Personal Data unless otherwise expressly stated in this DPA. In the event of any inconsistency between the terms of this DPA and any terms of the Agreement with respect to Nasdaq Personal Data, the terms of this DPA will govern and control.
DATA PROCESSING TERMS
The Parties agree that the terms of this DPA govern the Processing of Nasdaq Personal Data in performance of the Services. Each Party, acting reasonably and in good faith, will comply with the terms of this DPA.
1. Definitions and Interpretation
For the purposes of this DPA, the following defined terms will have the meanings set forth in this Section 1. All other defined terms not defined herein will have the meanings set forth in the Agreement. Unless the context otherwise requires: (i) the words "include," "includes," and "including" are deemed to be followed by the words "without limitation"; (ii) the word "or" is not exclusive; (iii) words denoting the singular have a comparable meaning when used in the plural, and vice-versa; and (iv) words denoting any gender include all genders.
- "Affiliate" means, with respect to any entity, another entity that, directly or indirectly through one or more intermediaries, controls, is controlled by or is under common control with, such entity. For purposes of this definition, “control” means the possession, direct or indirect, of the power to direct or cause the direction of management and policies of the entity, whether through the ownership of voting securities, by contract or otherwise.
- "Nasdaq Personal Data" means Personal Data Processed by Supplier (or any Sub-Processor) on behalf of and at the direction of Nasdaq under the Agreement.
- "Data Controller" (or equivalent term under applicable Data Protection Laws) means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
- "Data Processor" (or equivalent term under applicable Data Protection Laws, including “service provider”) means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Data Controller.
- "Data Protection Laws" means any applicable laws or regulations governing the Processing of Nasdaq Personal Data in performance of the Services, including, to the extent applicable, the European General Data Protection Regulation (the "GDPR"), the United Kingdom (UK) General Data Protection Regulation (the "UK GDPR"), and the California Consumer Privacy Act ("CCPA").
- "Data Subject" means an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- "Personal Data" means any information relating to a Data Subject that is subject to protection under applicable Data Protection Laws.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- "Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, retention, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- "Restricted Transfer" means:
  - A transfer of Nasdaq Personal Data from Nasdaq or its Affiliates to Supplier or its Affiliates; or
  - An onward transfer of Nasdaq Personal Data from Supplier or its Affiliates to a Sub-Processor,
- "Services" means the services provided by Supplier to Nasdaq or Nasdaq’s Affiliates (as the case may be) under the Agreement.
- "Special Data Categories" means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation; or such other similar types of information designated for heightened protection under applicable Data Protection Laws.
- "Standard Contractual Clauses" means the Commission Implementing Decision (EU) 2021/914 establishing Standard Contractual Clauses for data transfers to Third Countries. For purposes of this DPA, the applicable modules within the EU Model Clauses are MODULE TWO (Transfer Controller to Processor) and/or MODULE THREE (Transfer Processor to Processor). For the avoidance of doubt, neither MODULE ONE (Transfer Controller to Controller) nor MODULE FOUR (Transfer Processor to Controller) shall apply to this DPA.
- "Sub-Processor" means a Data Processor engaged by Supplier for the purpose of Processing Nasdaq Personal Data in performance of the Services.
- "Supervisory Authority" means the relevant governmental body or bodies having jurisdiction over the Processing of Nasdaq Personal Data under this DPA.
- "UK International Data Transfer Addendum" means the International Data Transfer Addendum to the Standard Contractual Clauses version B1.0, in force 21 March 2022 as adopted under the UK GDPR or such successor clauses as may be adopted by the UK.
2. Processing of Nasdaq Personal Data
2.1 Roles of the Parties. To the extent Supplier Processes Nasdaq Personal Data in performance of the Services, the Parties agree that Nasdaq is the Data Controller and Supplier is the Data Processor.
2.2 Supplier as Data Processor. Supplier, as Data Processor, will Process Nasdaq Personal Data only on the documented instructions of Nasdaq as provided in Section 2.4 and Section 2.5 of this DPA. Supplier warrants that, except to the extent Processing of Nasdaq Personal Data is required by applicable laws, it will: (i) only Process such Nasdaq Personal Data for the limited and specified purposes described in the Agreement and this DPA and will not Process Nasdaq Personal Data for any purpose other than the business purpose with Nasdaq pursuant to the Agreement and this DPA; (ii) comply with the CCPA and provide the same level of protection to Nasdaq Personal Data as Nasdaq is required to provide such Personal Data under the CCPA; and (iii) notify Nasdaq if Supplier makes a determination that it can no longer meet its obligations under this DPA and, in such event, shall comply with Nasdaq's instructions regarding ceasing Processing Nasdaq Personal Data and remediating any Processing that was not in compliance with this DPA. By executing this DPA, Supplier certifies that it will comply with the requirements herein.
2.3 Nasdaq as Data Controller. Nasdaq, as Data Controller, agrees that Nasdaq will provide Supplier with lawful instructions with respect to the Processing of Nasdaq Personal Data.
2.4 Nasdaq's Instructions. Nasdaq instructs Supplier (and authorizes Supplier to instruct each Sub-Processor) to Process Nasdaq Personal Data in performance of the Services. The Parties agree that the scope of Nasdaq's instructions for the Processing of Nasdaq Personal Data is defined by: (i) the Agreement; (ii) any applicable ordering documents, including service orders, order forms, statements of work, and product or service descriptions; (iii) this DPA; and (iv) any Modified Instructions (as defined below). For the avoidance of doubt, except as expressly permitted by the Agreement, Supplier is prohibited from: (i) selling, sharing, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, or in writing, or by electronic or other means Personal Data to another entity (whether affiliated or not), including to another entity for cross-context behavioral advertising, whether or not for monetary or other valuable consideration; (ii) Processing Nasdaq Personal Data outside of the direct business relationship between Supplier and Nasdaq; and (iii) combining Nasdaq Personal Data with personal data which it receives from or on behalf of any other customer or data subject, or that Supplier collects from its own interaction with any individuals.
2.5 Modified Instructions. Nasdaq and Supplier may mutually agree to amendments to Nasdaq's instructions in order for Nasdaq to comply with applicable Data Protection Laws ("Modified Instructions"). Nasdaq may request such Modified Instructions by submitting a written request to Supplier in accordance with the change control or amendment procedures set forth in the Agreement. If Supplier notifies Nasdaq that it is infeasible or impracticable to implement any Modified Instructions, Nasdaq may terminate the applicable Service by providing Supplier with written notice within thirty (30) days of such notification and receive a prorated refund of prepaid fees applicable to the terminated Service for the period after termination as its sole and exclusive remedies.
2.6 Details of the Processing of Nasdaq Personal Data. The duration of the Processing of Nasdaq Personal Data will be the same as the duration of the Agreement, except as otherwise agreed in writing by the Parties. The subject matter of the Processing of Nasdaq Personal Data is set forth in the Agreement and this DPA. The nature and purpose of the Processing of Nasdaq Personal Data involve the provision of the Services to Nasdaq as set forth in the Agreement and this DPA. The types of Nasdaq Personal Data Processed under this DPA and the relevant categories of Data Subjects are set forth in Appendix 1 to this DPA.
3. Confidentiality Obligations of Supplier Personnel
3.1 Confidentiality Obligations of Supplier Personnel. Supplier will ensure that persons authorized to Process Nasdaq Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4. Information Security Program
4.1 Information Security Program. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Supplier will in relation to Nasdaq Personal Data implement a written information security program that includes technical and organizational measures designed to protect such Nasdaq Personal Data against unauthorized access, use, disclosure, alteration, or destruction, including the measures set forth in Article 32(1) of the GDPR (and corresponding provisions of the UK GDPR) to the extent such measures are applicable to Supplier's Processing of Nasdaq Personal Data in performance of the Services. As of the Effective Date of this DPA, a summary of such technical and organizational measures is set forth in Appendix 2 to this DPA.
5. Subprocessing
5.1 Supplier will obtain the prior written consent of Nasdaq to engage any new Sub-Processor. If Nasdaq does not consent to the engagement of a new Sub-Processor and the Parties cannot reach an agreement as to the use of the new Sub-Processor, Nasdaq may terminate the Agreement, in whole or in part, and receive a prorated refund of prepaid fees applicable for the period after termination. Supplier will enter into a written agreement with each Sub-Processor containing data protection obligations not less protective than those set forth in this DPA with respect to the Processing of Nasdaq Personal Data. Supplier will remain responsible for any Sub-Processor's actions with respect to the Processing of Nasdaq Personal Data.
6. Assistance to Nasdaq Related to Data Subject Requests
6.1 Data Subject Request Notification. Supplier will promptly notify Nasdaq if Supplier receives a request from a Data Subject to exercise his or her rights under applicable Data Protection Laws with respect to Nasdaq Personal Data.
6.2 Nasdaq's Responsibility with respect to Data Subject Requests. Nasdaq will be solely responsible for responding to requests, complaints, and all other communications from Data Subjects; provided, however, Supplier may confirm to the Data Subject that Supplier received his or her communication.
6.3 Assistance in Responding to Data Subject Requests. Upon Nasdaq's written instruction and to the extent required by applicable Data Protection Laws, Supplier will provide Nasdaq with assistance to fulfill Nasdaq's obligations to respond to requests from Data Subjects to exercise their rights under applicable Data Protection Laws by implementing appropriate technical and organizational measures, insofar as it is possible, taking into account the nature of the Processing.
7. Assistance with Nasdaq's Other Data Protection Rights and Obligations
7.1 Assistance Related to Nasdaq's Other Data Protection Rights and Obligations. Taking into account the nature of the Processing and the information available to Supplier, Supplier will provide assistance required to be provided by Data Processors to Data Controllers under applicable Data Protection Laws, including the assistance required under Article 28(3) of the GDPR (and corresponding provisions of the UK GDPR).
7.2 Duty to Inform. To the extent required by applicable Data Protection Laws, Supplier will immediately inform Nasdaq if, in Supplier's opinion, any Nasdaq instruction violates such applicable Data Protection Laws.
7.3 Nasdaq Audit Rights. Supplier shall provide Nasdaq, Nasdaq's Nasdaq, an independent third-party auditor, or a Supervisory Authority as requested by Nasdaq, access to Supplier's facilities, systems, records and supporting documentation in order to audit Supplier's compliance with its obligations under or related to this DPA, applicable data protection laws, and/or its information security program as set forth in Section 4 of this DPA. Audits shall be subject to all applicable confidentiality obligations agreed to by Nasdaq and Supplier, unless otherwise required by a Supervisory Authority or other government authority, and shall be conducted in a manner that minimizes any disruption of Supplier's performance of services and other normal operations. In the event that any such audit reveals material gaps or weaknesses in Supplier's Information Security Program, Nasdaq shall be entitled to suspend transmission of Personal Data to Supplier and terminate Supplier's Processing of Personal Data until such issues are resolved without penalty and Nasdaq may suspend payment for any Services reliant on such Processing.
8. Return or Deletion of Nasdaq Personal Data
8.1 Return or Deletion of Nasdaq Personal Data. Upon termination of the Agreement, Supplier will delete, return, or provide Nasdaq with a mechanism to allow Nasdaq to obtain a copy of or delete all Nasdaq Personal Data, except to the extent such data may be required to be retained by Supplier under applicable laws or document retention policies adopted in accordance with such laws; provided, however, the confidentiality obligations and use restrictions in the Agreement will continue to apply to such Nasdaq Personal Data for the duration of retention.
9. Personal Data Breach of Nasdaq Personal Data
9.1 Personal Data Breach Notification. If Supplier becomes aware of a Personal Data Breach of the Services involving Nasdaq Personal Data, Supplier will notify Nasdaq of such Personal Data Breach without undue delay, but in any event within twenty-four (24) hours of becoming aware. To the extent that a Personal Data Breach gives rise to a need to (i) provide notification to public authorities, individuals, or other persons, or (ii) undertake other remedial measures including, without limitation, notice, credit monitoring services and the establishment of a call center to respond to inquiries (each of the foregoing a "Remedial Action"), at Nasdaq's request, Supplier shall, at Supplier's cost, undertake such Remedial Actions.
9.2 Personal Data Breach Assistance. If Supplier notifies Nasdaq of a Personal Data Breach in accordance with Section 9.1 of this DPA, Supplier will provide Nasdaq with assistance in relation to such Personal Data Breach as required by applicable Data Protection Laws.
10. Cross-Border Transfers of Nasdaq Personal Data from Nasdaq
10.1 Standard Contractual Clauses. To the extent that Nasdaq makes a Restricted Transfer to Supplier (except for a Restricted Transfer subject to the UK GDPR which shall be governed by Section 10.4 below), the Parties agree that the relevant transfer shall be governed by the appropriate Standard Contractual Clauses (as supplemented below), which are incorporated by reference into this DPA, as follows:
- Nasdaq as Controller. In all such cases, MODULE TWO of the Standard Contractual Clauses applies.
- Nasdaq as Processor. In all such cases, MODULE THREE of the Standard Contractual Clauses applies.
- For purposes of the Standard Contractual Clauses, the Parties agree:
  - Clause 7 (Docking Clause) shall not apply;
  - Option 2 (Specific Authorization) of Clause 9 shall apply and the terms thereof are as provided in Section 5 (Sub-Processing) of this DPA;
  - The optional language in Clause 11 (Redress) shall not apply;
  - For Clause 13 (Supervision), the Supervisory Authority with responsibility for ensuring compliance by the data exporter with the GDPR with regard to Restricted Transfers, namely, the lead Supervisory Authority of the data exporter, shall act as the competent Supervisory Authority; and
  - For Clause 17 (Governing Law), Option 2 shall apply and, in the event that the law of the jurisdiction in which the data exporter is established does not allow for third-party beneficiary rights, the Standard Contractual Clauses shall be governed by the laws of Sweden.
10.2 Details of the Standard Contractual Clauses. The Personal Data Processing activities in Appendix 1 to the Standard Contractual Clauses will be such activities as necessary for Supplier to perform the Services for Nasdaq as described in the Agreement. The categories of Data Subjects and categories of Personal Data in Appendix 1 to the Standard Contractual Clauses will be those set forth in Appendix 1 (Processing Details) to this DPA. The data security measures in Appendix 2 to the Standard Contractual Clauses will be those identified in Appendix 2 (Information Security Program) of this DPA. The initial list of Sub-Processors appointed and used to provide the Services is set forth in Appendix 3 (Sub-Processors) to this DPA.
10.3 Non-EEA Jurisdictions; Conflicts. To the extent that the jurisdiction of the data exporter is not located in the European Economic Area or the United Kingdom, the Standard Contractual Clauses shall be deemed to be amended to remove references to the European Union and its laws and replace such references with the jurisdiction of the data exporter and that jurisdiction's applicable Data Protection Laws. In the event of any inconsistency between the terms of the Standard Contractual Clauses and any terms of this DPA with respect to Restricted Transfers, the terms of the Standard Contractual Clauses will govern and control with respect to such Restricted Transfers.
10.4 Transfers Under UK GDPR. To the extent that Nasdaq makes a Restricted Transfer to Supplier subject to the UK GDPR, the Parties agree that the UK International Data Transfer Addendum will apply to such Restricted Transfer. The UK International Data Transfer Addendum is incorporated by reference into this DPA, and the remaining details required under the UK International Data Transfer Addendum are deemed completed, as appropriate, with the information set forth in this DPA, including the appendices to this DPA. The additional details required to be provided under Part 1 and Part 2 of the UK International Data Transfer Addendum are set out in Appendix 4. In the event of any inconsistency between the terms of the UK International Data Transfer Addendum and any terms of this DPA with respect to Restricted Transfers subject to the UK GDPR, the terms of the UK International Data Transfer Addendum will govern and control with respect to such Restricted Transfers.
11. Miscellaneous
11.1 Certification. By signing this DPA, Supplier certifies that it understands and will comply, and cause all Supplier personnel to certify that they understand and will comply with the requirements of this DPA.
11.2 Nasdaq Termination Rights. Nasdaq may terminate this DPA or the Agreement immediately, without judicial notice or resolution and without prejudice to any other remedies, in the event that a Supervisory Authority or other regulatory authority or other tribunal or court finds that there has been a breach of any relevant laws in that jurisdiction by virtue of Supplier's or Nasdaq's processing of the Personal Data.
11.3 Choice of Law. Except with respect to the Model Processor Contract, this DPA is governed by the laws which govern the Agreement, and any dispute between the Parties is to be handled as set forth in the Agreement. The Model Processor Contract will be governed by the laws of the jurisdiction in which the relevant data exporter is established.
11.4 Entire Agreement; Amendments and Modifications. This DPA, together with any other documents incorporated herein by reference and all exhibits, schedules, addenda, and appendices incorporated into this DPA, constitutes the sole and entire agreement of the Parties with respect to the subject matter of this DPA and supersedes all prior and contemporaneous understandings, agreements, and representations and warranties, both written and oral, with respect to such subject matter. Except as expressly provided in this DPA, the terms of the Agreement are and will remain in full force and effect. This DPA may only be amended by a written amendment that specifically references this DPA and the intent of the Parties to modify it.
IN WITNESS WHEREOF, EACH PARTY HAS CAUSED THIS DPA TO BE EXECUTED BY ITS DULY AUTHORIZED SIGNATORY.
| Nasdaq: | Supplier: |
| --- | --- |
| Signature: | Signature: |
| Name: | Name: |
| Authorized Signatory Title: | Authorized Signatory Title: |
| Date: | Date: |
DATA PROCESSING ADDENDUM
APPENDIX 1
Processing Details
LIST OF PARTIES
| DATA EXPORTER(S) | |
| --- | --- |
| Name | Nasdaq and its Affiliates |
| Address | The address for Nasdaq as set forth in the Agreement |
| Contact person's name, position and contact details | The contact details for Nasdaq as set forth in the Agreement |
| Activities relevant to the data transferred under the Standard Contractual Clauses | Receipt of the Services |
| Signature and date | Nasdaq's signature and date on the DPA |
| Role (controller/processor) | Data Controller |

| DATA IMPORTER(S) | |
| --- | --- |
| Name | Supplier and its Affiliates |
| Address | The address for Supplier as set forth in the Agreement |
| Contact person's name, position and contact details | By e-mail: Add Supplier Details |
| Activities relevant to the data transferred under the Standard Contractual Clauses | Performance of the Services |
| Signature and date | Supplier's signature and date on the DPA |
| Role (controller/processor) | Data Processor |
DESCRIPTION OF THE TRANSFER
Categories of data subjects whose personal data is transferred
Nasdaq may submit Nasdaq Personal Data to the Services (as determined and controlled by Nasdaq in its sole discretion subject to any constraints set forth in the Agreement), which may relate to the following categories of Data Subjects:
- Employees, agents, advisors, and contractors of Nasdaq (in each case, who are natural persons)
- Users of Nasdaq's systems or users of systems over which Nasdaq has oversight which are the subject of the Services
- Data Subjects whose data is included within data feeds or resources used to support performance of the Service
- Users authorized by Nasdaq to access and use the Services
- Any other category of Data Subjects whose Personal Data is contained or embedded within the data, information, and materials Nasdaq submits to the Services or has Supplier (or another third party) submit into the Services on its behalf
Categories of personal data transferred
Nasdaq may submit Nasdaq Personal Data to the Services (as determined and controlled by Nasdaq in its sole discretion subject to any constraints set forth in the Agreement), which may relate to the following categories of Personal Data:
- First and last name, title, position, employment-related and professional information
- Contact information (company, email, phone, physical address)
- Transaction activity, account numbers, trader/trading identifiers
- Any other category of Personal Data contained within the data, information, and materials Nasdaq submits to the Services or has Supplier (or another third party) submit into the Services on its behalf
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
In the general course of using the Services, Nasdaq does not anticipate that Nasdaq will provide any Special Data Categories to Supplier. However, subject to Section 2.9 of the DPA, Nasdaq may submit Special Data Categories to the Services (as determined and controlled by Nasdaq in its sole discretion).
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)
Nasdaq transfers Nasdaq Personal Data in accordance with Nasdaq's instructions as set forth in Section 2.5 and Section 2.6 of the DPA. The frequency of such transfers is determined and controlled by Nasdaq in its sole discretion.
Nature of the processing
The Processing of Nasdaq Personal Data in order to provide the Services to Nasdaq.
Purpose(s) of the data transfer and further processing
Supplier Processes Nasdaq Personal Data, including any necessary Restricted Transfers, for the purpose of providing the Services.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Supplier will retain Nasdaq Personal Data for the duration agreed upon by the Parties in the Agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
The subject matter and nature of any Processing conducted by a Sub-Processor shall be as set forth in Appendix 3 (Sub-Processors) to the DPA. The duration of any Processing conducted by a Sub-Processor shall be as set forth in Section 2.7 of this Appendix 1 (Processing Details).
COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13 of the Standard Contractual Clauses.
For Clause 13 (Supervision), the Supervisory Authority with responsibility for ensuring compliance by the data exporter with the GDPR with regard to Restricted Transfers, namely, the lead Supervisory Authority of the data exporter, shall act as the competent Supervisory Authority.
APPENDIX 2
Information Security Program
Taking into account the nature, scope, context and purpose of the Processing, and the risks for the rights and freedoms of natural persons, Supplier has implemented, and will maintain, a comprehensive written information security program ("Information Security Program") with respect to the Nasdaq Personal Data transferred to or received by Supplier in performance of the Services that includes administrative, technical, and physical safeguards to ensure the confidentiality, security, integrity, and availability of Nasdaq Personal Data and to protect against unauthorized access, use, disclosure, alteration or destruction of Nasdaq Personal Data.
In particular, the Information Security Program will include the following safeguards where appropriate or necessary to ensure the protection of Nasdaq Personal Data:
Measures of pseudonymisation and encryption of personal data
- Access Controls – policies, procedures, and physical and technical controls to encrypt and decrypt Nasdaq Personal Data where appropriate.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
- Information Security Program – a comprehensive written information security program that includes administrative, technical, and physical safeguards to ensure the confidentiality, security, integrity, and availability of Nasdaq Personal Data and to protect against unauthorized access, use, disclosure, alteration or destruction of Nasdaq Personal Data.
- Contingency Planning – policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages Nasdaq Personal Data or systems that contain Nasdaq Personal Data, including a data backup plan and a disaster recovery plan.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- Security Incident Procedures – policies and procedures to detect, respond to, and otherwise address security incidents, including procedures to monitor systems and to detect actual and attempted attacks on or intrusions into Nasdaq Personal Data or information systems relating thereto, and procedures to identify and respond to suspected or known security incidents, mitigate harmful effects of security incidents, and document security incidents and their outcomes.
- Contingency Planning – policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages Nasdaq Personal Data or systems that contain Nasdaq Personal Data, including a data backup plan and a disaster recovery plan.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
- Testing – The data importer will regularly test the key controls, systems and procedures of its Information Security Program to ensure that they are properly implemented and effective in addressing the threats and risks identified. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.
Measures for user identification and authorization
- Access Controls – policies, procedures, and physical and technical controls: (i) to limit physical access to its information systems and the facility or facilities in which they are housed to properly authorized persons; (ii) to ensure that all members of its workforce who require access to Nasdaq Personal Data have appropriately controlled access, and to prevent those workforce members and others who should not have access from obtaining access; and (iii) to authenticate and permit access only to authorized individuals and to prevent members of its workforce from providing Nasdaq Personal Data or information relating thereto to unauthorized individuals.
- Data Integrity – policies and procedures to ensure the confidentiality, integrity, and availability of Nasdaq Personal Data and protect it from disclosure, improper alteration, or destruction.
Measures for the protection of data during transmission
- Storage and Transmission Security – technical security measures to guard against unauthorized access to Nasdaq Personal Data that is being transmitted over an electronic communications network, including a mechanism to encrypt Nasdaq Personal Data in electronic form while in transit and in storage on networks or systems to which unauthorized individuals may have access.
Measures for the protection of data during storage
- Storage Media – policies and procedures to ensure that prior to any storage media containing Nasdaq Personal Data being assigned, allocated or reallocated to another user, or prior to such storage media being permanently removed from a facility, the data importer will delete such Nasdaq Personal Data from both a physical and logical perspective, such that the media contains no residual data, or if necessary physically destroy such storage media. The data importer will maintain an auditable program implementing the disposal and destruction requirements set forth in this section for all storage media containing Nasdaq Personal Data.
Measures for ensuring physical security of locations at which personal data are Processed
- Information Security Program – a comprehensive written information security program that includes administrative, technical, and physical safeguards to ensure the confidentiality, security, integrity, and availability of Nasdaq Personal Data and to protect against unauthorized access, use, disclosure, alteration or destruction of Nasdaq Personal Data.
Measures for ensuring events logging
- Audit Controls – hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate logs and reports concerning these security requirements and compliance therewith.
Measures for ensuring system configuration, including default configuration
- Audit Controls – hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate logs and reports concerning these security requirements and compliance therewith.
Measures for internal IT and IT security governance and management
- Assigned Security Responsibility – The data importer will designate a security official responsible for the development, implementation, and maintenance of its Information Security Program. The data importer will inform the data exporter as to the person responsible for security.
- Adjust the Program – The data importer will monitor, evaluate, and adjust, as appropriate, the Information Security Program in light of any relevant changes in technology or industry security standards, the sensitivity of the Nasdaq Personal Data, internal or external threats to the data importer or the Nasdaq Personal Data, and the data importer's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems. In light of the foregoing, the Information Security Program is subject to change; provided, however, that any such update will not lessen the applicable information security protections.
Measures for certification/assurance of processes and products
- Testing – The data importer will regularly test the key controls, systems and procedures of its Information Security Program to ensure that they are properly implemented and effective in addressing the threats and risks identified. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.
- Adjust the Program – The data importer will monitor, evaluate, and adjust, as appropriate, the Information Security Program in light of any relevant changes in technology or industry security standards, the sensitivity of the Nasdaq Personal Data, internal or external threats to the data importer or the Nasdaq Personal Data, and the data importer's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems. In light of the foregoing, the Information Security Program is subject to change; provided, however, that any such update will not lessen the applicable information security protections.
Measures for ensuring data quality
- Data Integrity – policies and procedures to ensure the confidentiality, integrity, and availability of Nasdaq Personal Data and protect it from disclosure, improper alteration, or destruction.
Measures for ensuring limited data retention
- Device and Media Controls – policies and procedures governing the movement of hardware and electronic media that contain Nasdaq Personal Data into and out of a data importer facility, and of those items within a data importer facility, including policies and procedures to address the final disposition of Nasdaq Personal Data, and/or the hardware or electronic media on which it is stored, and procedures for removal of Nasdaq Personal Data from electronic media before the media are made available for re-use.
- Storage Media – policies and procedures to ensure that prior to any storage media containing Nasdaq Personal Data being assigned, allocated or reallocated to another user, or prior to such storage media being permanently removed from a facility, the data importer will delete such Nasdaq Personal Data from both a physical and logical perspective, such that the media contains no residual data, or if necessary physically destroy such storage media. The data importer will maintain an auditable program implementing the disposal and destruction requirements set forth in this section for all storage media containing Nasdaq Personal Data.
Measures for ensuring accountability
- Security Awareness and Training – a security awareness and training program for all members of the data importer's workforce (including management), which includes training on how to implement and comply with its Information Security Program.
- Audit Controls – hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate logs and reports concerning these security requirements and compliance therewith.
Measures for allowing data portability and ensuring erasure
- Device and Media Controls – policies and procedures governing the movement of hardware and electronic media that contain Nasdaq Personal Data into and out of a data importer facility, and of those items within a data importer facility, including policies and procedures to address the final disposition of Nasdaq Personal Data, and/or the hardware or electronic media on which it is stored, and procedures for removal of Nasdaq Personal Data from electronic media before the media are made available for re-use.
For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter
- Nasdaq shall ensure Sub-Processors provide technical and organizational measures no less protective than those set forth in the DPA, including this Appendix 2 (Information Security Program).
APPENDIX 3
Sub-Processors
THIRD-PARTY SUB-PROCESSORS
| Name | |
| Address | |
| Contact Details | |
| Subprocessing Activities | |
| Subprocessing Location(s) | |
SUPPLIER AFFILIATE SUB-PROCESSORS
| Name | Address | Contact Details | Subprocessing Activities | Subprocessing Location | Applicable Service(s) |
APPENDIX 4
UK International Data Transfer Addendum
Any capitalized term used herein and not specifically defined in the Agreement shall be deemed to have the meaning given to it in the UK International Data Transfer Addendum.
PART 1
| Table 1: Parties | | |
| Start date | As set out on first page of the DPA | |
| The Parties | Exporter (who sends the Restricted Transfer) as set out in Appendix 1 of the DPA to the extent such entities are located in the United Kingdom | Importer (who receives the Restricted Transfer) as set out in Appendix 1 of the DPA |
| Parties' details | | |
| Key contact | As set out in the Agreement and/or relevant applicable ordering documents, including service orders, order forms, statements of work. | As set out in the Agreement and/or relevant applicable ordering documents, including service orders, order forms, statements of work. |
| Signature | The parties agree that the Signature to the DPA to which this Appendix is attached shall serve as the signature for this UK International Data Transfer Addendum. | The parties agree that the Signature to the DPA to which this Appendix is attached shall serve as the signature for this UK International Data Transfer Addendum. |
| Table 2: Selected SCCs, Modules and Selected Clauses |
The version of the Approved EU SCCs to which this UK International Data Transfer Addendum is appended, detailed below, including this appendix information, is the set of Standard Contractual Clauses established by Commission Implementing Decision (EU) 2021/914 for data transfers to Third Countries (as amended, modified, or replaced from time to time); specifically, the applicable module within the Standard Contractual Clauses is MODULE TWO (Transfer Controller to Processor). For the avoidance of doubt, MODULE ONE (Transfer Controller to Controller), MODULE THREE (Transfer Processor to Processor), and MODULE FOUR (Transfer Processor to Controller) do not apply to this DPA.
The clause options are set out in Section 10.1 of the DPA.
| TABLE 3: Appendix Information | |
| Annex 1A List of Parties | See appendix 1 to the DPA. |
| Annex 1B Description of Transfer | See appendix 1 to the DPA. |
| Annex II Technical and organizational measures | See appendix 2 to the DPA. |
| Annex III List of Sub-processors | See appendix 3 to the DPA. |
| TABLE 4: Ending this Addendum when the Approved Addendum Changes |
Neither party shall have the right to end this UK International Data Transfer Addendum if the approved addendum changes. In the event any such change occurs, the parties shall work together to agree any relevant updates.
PART 2
| Mandatory Clauses |
Mandatory Clauses: the Mandatory Clauses of the approved addendum, being the template addendum B.1.0 issued by the UK Information Commissioner's Office (ICO) and laid before the UK Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses, are hereby incorporated by reference into this UK International Data Transfer Addendum.