Data Processing Addendum

2. Purpose and Scope

• 2.1 This Addendum applies to the Processing of Personal Information by Wenco for or on behalf of Customer in the performance of the Agreement. Except as modified by this Addendum, the terms of the Agreement will remain in full force and effect. If there is a conflict between any of the provisions of the Agreement and the provisions of this Addendum, the provisions of this Addendum will govern and control.
  
  2.2 An overview of the categories of Personal Information, the categories of data subjects, and the nature and purposes for which Personal Information is being Processed is provided in Appendix 1 (Processing Details).

3. Data Usage and Restrictions

3.1 As between Customer and Wenco, Customer will remain the exclusive owner and controller of all Personal Information, and Wenco acts solely as a service provider/processor with respect to all Personal Information.

3.2 Wenco’s Processing activities are as set out in the Agreement. Wenco shall only Process Personal Information as follows:

• in accordance with the Agreement;
• as required to perform its obligations under the Agreement or at the initiation of end users in their use of the Services contemplated under the Agreement; and
• to comply with other documented, reasonable instructions provided by Customer (ex. via email), provided such instructions are consistent with the terms of the Agreement, in compliance with Applicable Law, technically feasible and do not require changes to the Services.

For greater certainty, the Agreement constitutes Customer’s documented instructions regarding Wenco’s Processing of Personal Information for the purposes of rendering the Services contemplated by the Agreement. Wenco shall use reasonable efforts to follow Customer’ s instructions pursuant to paragraph (iii) above. Wenco shall notify Customer (ex. via email) if Wenco is unable to comply with such instructions or if, in its opinion, any instruction violates Applicable Law.

3.3 Wenco may also Process Personal Information where required to do so by Applicable Law. In such a case, Wenco will inform Customer of that legal requirement prior to such Processing, unless prohibited by such Applicable Law.

3.4 For clarity, Wenco shall not:

• Process Personal Information except as necessary to provide Services pursuant to the Agreement or as otherwise required or permitted by Applicable Law; or
• sell any Personal Information to any third party.

3.5 Wenco shall not disclose the Personal Information to any third party without the prior written consent or instruction of the Customer, except where required by Applicable Law or as otherwise specified in the Agreement, this Addendum, or any other agreement, instrument or document between Wenco and Customer. In the event Wenco is legally required to disclose Personal Information, to the extent permitted, Wenco will endeavor to provide Customer with reasonable notice of the demand via email or postal mail to allow Customer to seek a protective order or other appropriate remedy. In addition, Wenco shall not use Personal Information to develop or market any product or service that could directly identify or re-identify individuals.
‍
3.6 Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Information and the means by which Customer acquired Personal Information.

3.7 Customer shall not submit, store, or send any sensitive personal information or special categories of personal data (collectively, “Sensitive Data”) to Wenco for processing, and Customer shall not permit nor authorize any of its employees, agents, contractors or data subjects to submit, store or send any Sensitive Data to Wenco for processing. Customer acknowledges that Wenco do not request or require Sensitive Data as part of providing the Service to Customer, that Wenco do not wish to receive or store Sensitive Data, and that Wenco's obligations in this Addendum will not apply with respect to Sensitive Data. The terms “sensitive personal information” and “special categories of personal data” have the meanings given in Applicable Privacy Laws.

4. Security Safeguards

• 4.1 Wenco declares its certification as ISO 27001 compliant, attesting to the company's commitment to maintaining a high standard of information security management. Wenco has implemented and will maintain appropriate technical, physical and administrative measures designed to protect the Personal Information against unauthorized or unlawful Processing, access, copying, modification, reproduction, display or distribution, and against accidental loss, theft, destruction or damage, as described in this Section 4 and as further described in Appendix 2 (Security Standards). In particular, Wenco has implemented and will maintain technical and organizational measures that address the (i) security of the Wenco Network; (ii) physical security of Wenco’s facilities; (iii) controls around Personnel access to the Wenco Network and/or Wenco’s facilities; and (iv) processes for testing, assessing and evaluating the effectiveness of technical and organizational measures implemented by Wenco.
  ‍
• 4.2 The security measures implemented in accordance with this Section 4 shall be commensurate with the sensitivity of the Personal Information and the risks associated with its Processing. Wenco shall ensure that its Personnel involved in Processing the Personal Information are bound by confidentiality obligations and properly trained in applicable security and data privacy measures, as set out in this Section 4.
  ‍
• 4.3 Wenco may make changes to the security measures implemented in accordance with this Section 4 at any time and without notice to Customer, provided that it maintains a comparable or better level of security and otherwise remains in compliance with this Section 4. For greater certainty, Wenco may replace individual security measures with new security measures that serve the same purpose so long as the security of the Personal Information is not diminished.

5. Records and Consent

5.1 The Parties acknowledge and agree that as between Customer and Wenco:

• All right, title, interest and control in and to all Records shall remain with Customer. No proprietary right or other interest respecting the Records, other than as expressly set out herein, is granted to Wenco under this Addendum or the Agreement, by implication or otherwise. Wenco is granted temporary access to the Personal Information and Records on the terms and conditions of this Addendum and the Agreement, for the sole and express purpose of performing the Services and for no other use or purpose. Where Wenco provides Services under contract with one or more other parties in which such other parties also assert control over the same or overlapping Records, Customer will work with such other parties to resolve each other’s rights and obligations with respect to such Records and Wenco will not be considered to be in breach of this Addendum or the Agreement by reason of its inability to provide unfettered control over the Records to Customer.
• Customer acts as a single point of contact and is solely responsible for obtaining any relevant consents, authorizations and permissions, providing any relevant notices, for the Processing of Personal Information in accordance with the Agreement and this Addendum, and for maintaining a record of those notices, consents authorizations and permissions. Customer represents, warrants, and covenants to Wenco that it has and will have all necessary rights to provide the Personal Information to Wenco for the Processing to be performed in relation to the Services contemplated in the Agreement and under this Addendum. If a data subject revokes a consent, Customer is responsible for notifying Wenco of that revocation, and Wenco shall implement Customer’s instruction with respect to the Processing of that Personal Information. Customer is solely responsible for its compliance under Applicable Privacy Law.

6. Assistance to Customer

At Customer’s request, Wenco will reasonably cooperate with Customer in responding to third party requests about Wenco’s Processing of Personal Information or any Security Incident. Except where prohibited by Applicable Law, Wenco will promptly notify Customer (ex. via email) about any such request received by Wenco, without responding to such request without Customer’s further instructions, if applicable. Wenco will enable Customer to access, correct and delete, or restrict its Processing of, Personal Information during the term of the Agreement in a manner consistent with the functionality of the Services, the Agreement and this Addendum. Where such functionality is not provided, Wenco will correct, delete or provide, or restrict its Processing of Personal Information in accordance with Customer’s documented instructions and Applicable Privacy Law.

7. Aggregate and De-Identified Data

Notwithstanding the provisions of this Addendum, Wenco retains the right to use and disclose aggregated and De-Identified Data in any manner. “De-Identified Data” means information (or any portion thereof) that has been de-identified, aggregated and/or anonymized such that the De-Identified Data cannot reasonably be used, alone or in conjunction with other data in the possession of Wenco, to identify or re-identify any individual.

8. Access by Personnel

8.1 Wenco will only grant access to the Personal Information to Wenco Personnel where such access is necessary for the performance of the Services contemplated by the Agreement or to comply with Customer documented instructions, and subject to the following terms:

• Prior to access, such Personnel shall have signed an appropriate confidentiality agreement or otherwise be bound by a duty of confidentiality;
• Wenco will revoke the access rights of any Personnel who engages in the unauthorized collection, use or disclosure of Personal Information or otherwise breaches their obligations of confidentiality or Applicable Law; and
• Wenco will ensure Personnel with access to Personal Information are familiar and comply with the obligations of Wenco under this Addendum, related policies, agreements and Applicable Law.

9. Access and Storage Outside of Canada

Customer hereby acknowledges and agrees that Personal Information and Records may be Processed, maintained, shared stored, managed and/or administered by Wenco outside of Canada using cloud computing or other information technology infrastructure selected by Wenco and managed using third party service providers.

10. Transfer to Third Party Service Providers

10.1 Authorized Third Party Service Providers. Customer acknowledges and agrees that Wenco may use third-party service providers to fulfil its contractual obligations under the Agreement and this Addendum or to provide certain services on its behalf, such as providing hosting or support services. Customer hereby consents to Wenco’s use of third-party service providers as described in this Section 10 and as further described in Appendix 3 (Third Party Service Providers).

10.2 Third-party service provider Obligations. Where Wenco uses any authorized third-party service provider as described in Section 10.1:

• Wenco will restrict the third-party service provider’s access to Personal Information only to what is necessary to maintain or provide the Services to Customer and any end users in accordance with the terms of the Agreement. Wenco will prohibit the third-party service provider from accessing Personal Information for any other purpose;
• Wenco will enter into a written agreement with the third-party service provider and, to the extent that the third-party service provider is Processing Personal Information for or on behalf of Wenco, Wenco will impose on the third-party service provider obligations consistent with this Addendum; and
• Wenco will remain responsible for its compliance with the obligations contained in this Addendum and for any acts or omissions of the third-party service provider that cause Wenco to breach any of Wenco’s obligations under this Addendum.

11. Security Incident

11.1 Security Incident.If Wenco becomes aware of a Security Incident, Wenco will (a) without undue delay and, in any event, within 48 hours, notify Customer of the Security Incident; and (b) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.

11.2 Wenco Assistance. In order to assist Customer in relation to any data breach notifications Customer is required to make under Applicable Law, policies or agreement, Wenco will include in the notification such information about the Security Incident as Wenco is reasonably able to disclose to Customer, taking into account the nature of the Services, the information available to Wenco, and any restrictions on disclosing the information, such as confidentiality. Wenco will cooperate with Customer, to the extent reasonably requested, in relation to any notifications Customer is required to make under Applicable Law, including to any regulatory authority having jurisdiction or data subjects, following a Security Incident and will provide Customer such additional information regarding the Security Incident, as may be reasonably requested by Customer, in due course. Subject to Applicable Law, Wenco will not inform any third party of any Security Incident without first obtaining Customer’s prior written consent. If instructed by Customer, Wenco will refer any external communications relating to a Security Incident to Customer. Notwithstanding the foregoing, Wenco may, at its discretion, inform other entities that are directly affected by the Security Incident and its professional advisors, including Security Incident management professionals, however, except with respect to its professional advisors, Wenco should not make any reference, express or implied, to Customer.

11.3 Failed Security Incidents. Customer agrees that a failed Security Incident will not be subject to the terms of this Addendum. A “Failed Security Incident” is one that results in no unauthorized access to Personal Information or to any part of the Wenco Network, or equipment or facilities storing Personal Information, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful login attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents.

11.4 Notification. Notification of Security Incidents, if any, will be delivered to one or more of Customer’s administrators by any means Wenco selects, including via email. It is Customer’s sole responsibility to ensure Customer’s administrators maintain accurate Contact Information on the Wenco management console and secure transmission at all times.
‍
‍11.5 Corrective Action. Wenco will cooperate with Customer in preventing the occurrence or recurrence of any breach of this Addendum, the Agreement, or Applicable Law, including, if requested to do so, by preparing a written proposal to address or prevent further occurrences within Wenco’s systems.
‍
11.6 Records. Wenco will maintain records any Security Incident in accordance with Applicable Privacy Law.

11.7 No Acknowledgement of Fault by Wenco. Wenco’s obligation to report or respond to a Security Incident under this Addendum is not and will not be construed as an acknowledgement or admission by Wenco of any fault or liability with respect to the Security Incident.

12. Customer Rights

Independent Determination. Customer acknowledges that it has reviewed the information made available by Wenco relating to data security and its security standards and  agrees that the security measures implemented and maintained by Wenco, as described in Section 4 and further described in Appendix 2 (Security Standards), are taking into account industry standard practices and procedures, the costs of implementation and the nature, scope, context and purposes of the Processing of Personal Information, as well as the risks to individuals.
‍
12.1 Audit and Compliance. ‍

• The Customer may audit Wenco's internal audit controls and security practices relevant to Personal Information Processed by Wenco to verify Wenco’s compliance with the provisions of this Addendum. Customer shall only be entitled to conduct such an audit once in any 12-month period, unless Applicable Law requires more frequent audits. Customer shall give Wenco at least ten business days advance notice of any audit, unless Applicable Law or a competent regulatory authority require shorter notice. Customer’s audits shall be conducted during Wenco’s normal business hours (or a such other time as the parties may agree) in a manner that minimizes disruption to Wenco's operations, and will be subject to reasonable confidentiality obligations imposed by Wenco. Customer shall bear all costs and expenses associated with an audit. If an audit determines that Wenco has breached its obligations under this Addendum, Wenco will promptly remedy the breach at its own cost.
• Wenco shall reasonably cooperate with the Customer's audit requests and provide all necessary information and assistance to demonstrate compliance with this Addendum.

13. Duration and Termination

This Addendum will come into effect on the effective date of the Agreement and will continue in force until the termination of the Agreement (the “Termination Date”).

14. Return or Deletion of Personal Information

14.1 Except as otherwise specified in the Agreement, Wenco will retain the Personal Information and Records for as long as required to engage in the uses described in this Addendum, unless a longer retention period is required by Applicable Law.

14.2 Customer may access, export and retrieve Personal Information or Records in a standard format at any time during the term of the Agreement in a manner consistent with the functionality of the Services, terms of the Agreement and this Addendum. Export and retrieval may be subject to technical limitations, in which case, Wenco and Customer will find a reasonable method to allow Customer to export and retrieve and Personal Information, at Customer’s expense.

14.3 Upon written request of the Customer, or upon termination/expiration of the Agreement, or fulfillment of all purposes agreed in the context of the Services contemplated under the Agreement whereby no further Processing of Personal Information is required,  Wenco will within a reasonable period of time, in line with Applicable Privacy law, except where specific retention periods are required or permitted by Applicable Law: (i) return all Personal Information and Records in its possession or control; or (ii), or use commercially reasonable efforts to delete or destroy all Personal Information and Records remaining on servers hosting the Services, at Customer’s option and expense, excluding back-up copies. Customer hereby acknowledges and accepts the functionality of the Services and the data retention and deletion applications as made available by Wenco, which may impact Personal Information.  If Wenco is required for any reason, such as requirements under Applicable Law, to retain any Personal Information or Record, Wenco’s obligations pursuant to this Addendum will continue in full force and effect with respect to such retained Personal Information or Record.

15. Limitation of Liability

The liability of each party under this Policy will be subject to the exclusions and limitations of liability set out in the Agreement. Customer agrees that any regulatory penalties incurred by Wenco in relation to the Personal Information that arise as a result of, or in connection with, Customer’s breach of any term of this Addendum or Applicable Law will count towards and reduce Wenco’s liability under the Agreement as if it were liability to the Customer under the Agreement.

16. Amendments

If an amendment is required to this Addendum in order to comply with the Applicable Law or any requirements stipulated by the other agreements or policies, Wenco reserves the right to amend this Addendum as necessary to maintain compliance with Applicable Law and the updated version will be accessible on Wenco’s website.

17. Privacy Officer

Any questions regarding this Addendum may be sent to Wenco’s Privacy Officer at privacy@wencomine.com

18. General

18.1 If a provision of this Addendum conflicts with a provision of the Agreement, the provision of this Addendum will prevail only as it relates to the protection or process of Personal Information.

Appendix 1

PROCESSING DETAILS

1. Nature and Purpose of Processing. Wenco will Process Personal Information as necessary to perform the Services pursuant to the Agreement and the Addendum, and as further instructed by Customer throughout its use of the Services.

2. Duration of Processing. Subject to this Addendum, Wenco will process Personal Information during the term of the Agreement. Notwithstanding the foregoing, Wenco may retain Personal Information, or any portion of it, if required by Applicable Law or regulation, provided that such Personal Information remains protected in accordance with the terms of this Addendum and Applicable Law.

3. Categories of Data Subjects. Customer may upload Personal Information in the course of its use of the Services, the extent to which is determined and controlled by Customer in its sole discretion, relating to the following categories of data subjects:

• Customers: Individuals or entities who are customers of the Customer.
• Employees: Employees or representatives of the Customer.
• Suppliers: Individuals or entities who are suppliers or service providers to the Customer.
• Partners: Individuals or entities who are partners or affiliates of the Customer
• Other Business Contacts: Other individuals or entities with whom the Customer has a business relationship, such as Customer’s end users.

4. Categories of Personal Information. Wenco may collect and Customer may upload Personal Information in the course of Customer’s use of the Services, the type of and extent to which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Information:

• Contact Information (if the Applicable Privacy Law considers such information as Personal Information): Names, job titles, work addresses, work phone numbers, work email addresses, and other similar business contact details.
• Basic personal data (for example place of birth, street name and house number (address), postal code, city of residence, country of residence, mobile phone number, first name, last name, initials, email address, gender, date of birth);
• Authentication data (for example username, password or PIN code, security question, audit trail);
• Pseudonymous identifiers;
• Device identification;
• Transactional and commerce data: Details of business transactions or interactions between the Customer and its customers, suppliers, partners, or other business contacts. This may include Personal Information such as name, address or contact information depending on requirements for processing
• Any other personal data identified in Applicable Privacy Laws.

Appendix 2

SECURITY STANDARDS

I.  Technical and Organizational Measures 
We are committed to protect our Customers’ Personal Information.  Taking into account the best practices, the costs of implementation and the nature, scope, circumstances and purposes of processing, as well as the likelihood of occurrence and severity of the risk to the rights and freedoms of natural persons, we take the following technical, physical and administrative measures.  When selecting the measures, the confidentiality, integrity, availability and resilience of the systems are considered.

1. Confidentiality. We use a variety of physical and logical measures to protect the confidentiality of Personal Information. Those measures include:
‍
Physical Security

• Physical access control systems in place (Badge access control, Security event monitoring etc.)
• Surveillance systems including alarms and, as appropriate, CCTV monitoring
• Clean desk policies and controls in place (locked cabinets, etc.)
• Visitor Access Management
• Destruction of data on physical media and documents (shredding, degaussing etc.)

• User access restrictions applied, and role-based access permissions provided/reviewed based on segregation of duties principle
• Strong authentication and authorization methods (Multi-factor authentication, certificate based authorization, automatic deactivation/log-off etc. )
• Centralized password management and strong/complex password policies (minimum length, complexity of characters, company provided password manager  etc.)
• Controlled access to e-mails and the Internet
• Anti-virus & malware detection and response management
• Intrusion Detection and Prevention System management

• Encryption of external and internal communication via strong cryptographic protocols
• Encrypting personal data and sensitive data at rest (databases, shared directories etc.)
• Full disk encryption for company PCs and laptops
• Remote connections to the company networks are encrypted via VPN
• Securing the lifecycle of encryption keys

• PII/SPI minimization in application and debuggingand security logs, if applicable
• Pseudonymization of Personal Information to prevent directly identification of an individual, if applicable.
• Segregation of data stored by function (test, staging, live), if applicable
• Logical segregation of data by role-based access rights

• Regular network and vulnerability scans
  ‍

2. Integrity. Appropriate change and log management controls are in place, in addition to access controls to be able to maintain the integrity of Personal Information such as:

Change & Release Management

• Change and release management process including (impact analysis, approvals, testing, security reviews, staging, monitoring etc.)
• Role & Function based (Segregation of Duties) access provisioning on production environments

• Logging of access and changes on data
• Centralized audit & security logs
• Monitoring of the completeness and correctness of the transfer of data (end-to-end check)

3. Availability. We implement appropriate continuity and security measures to maintain the availability of its services and the data residing within those services:

• Regular fail-over tests applied for critical services
• Extensive performance/availability monitoring and reporting for critical systems
• Incident response programme
• Critical data either replicated or backed up (Cloud Backups/Hard Disks/Database replication etc.)
• Planned software, infrastructure and security maintenance in place (Software updates, security patches etc.)
• Redundant and resilient systems (server clusters, mirrored DBs, high availability setups etc.) located on off-site and/or geographically separated locations
• Use of uninterruptible power supplies, fail redundant hardware and network systems
• Alarm, security systems in place
• Physical Protection measures in place for critical sites (surge protection, raised floors, cooling systems, fire and/or smoke detectors, fire suppression systems etc.)
• DDOS protection to maintain availability
• Load & Stress Testing

4. Data Processing. It refers to ensuring that Personal Information will only be processed in accordance with the Agreement and the related company measures. We have established internal privacy policies, agreements and conduct regular privacy trainings for employees to ensure Personal Information is processed in accordance with the Agreement and legal obligations.

• Privacy and confidentiality terms in place within employee contracts
• Data privacy and security trainings for employees
• Appropriate contractual provisions to the agreements with sub-contractors to maintain instructional control rights
• Privacy checks for external service providers
• Providing customers control over their data processing preferences
• Security audits

5. Retention Period. We follow generally accepted standards to store and protect the Personal Information we collect, both during transmission and once received and stored, including utilization of encryption where appropriate. We retain Personal Information for as long as required to engage in the uses described in this Policy, unless a longer retention period is required by Applicable Law. The criteria used to determine our retention periods include the following:

• The length of time we have an ongoing relationship with Customer and provide Services to Customer (for example, for as long as Customer have an account with us or keep using our Services);
• Whether we have a legal obligation to keep the data (for example, certain laws require us to maintain records of your transactions for a certain period of time before we can delete them); or
• Whether retention is advisable in light of our legal position (such as in regard to the enforcement of our agreements, the resolution of disputes, and applicable statutes of limitations, litigation, or regulatory investigation).
  ‍

Appendix 3 - Wenco Third-Party Service Providers