Data Processing Schedule

DATA PROCESSING SCHEDULE 

RECITALS

          WHEREAS, the Customer and Olive have entered into an agreement (the “Terms”) pursuant to which Customer will share information that may be connected to an identifiable individual with Olive, it being understood that Customer will not share, and Olive is not intended to receive, any individual identifiers associated with Customer’s End Users, but rather will only receive numerical or other unique anonymous identifiers of such End Users;

          WHEREAS, such End User information will be processed by Olive on behalf of Customer in the course of providing the services; and

          WHEREAS, this personal information processing schedule (these “Processing Terms”) set out additional terms, requirements and conditions for collecting, using, processing, disclosing, transferring or storing of Personal Information when Olive provides a subscription-based platform-as-a-service solution and ancillary services related to the provision of such platform to its Customer under the Master Partner Terms (the “Master Terms”);

          NOW THEREFORE, in consideration of the mutual covenants and agreements hereinafter set forth and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:

1.  Definitions and Interpretation

1.1  The following definitions and rules of interpretation apply in these Processing Terms. Capitalized terms not otherwise defined herein have the meaning given to them in the Master Terms.

“Business Purpose” means the services described in the Master Terms or any other purpose specifically identified in the Order Form.

“Personal Information” means any information about an identifiable individual that Customer provides or makes available to Olive or that Olive otherwise Processes, in each case on Customer’s behalf and in connection with the provision of or as part of the services pursuant to the Master Terms at any time during the term of the Master Terms. For greater certainty, information will be about an “identifiable individual” where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other information.

“Privacy and Data Protection Laws” means all applicable federal and provincial laws and regulations relating to the processing, protection or privacy of the Personal Information, including, where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction. This includes, but is not limited to, Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (“PIPEDA”), Quebec's Act respecting the protection of personal information in the private sector, CQLR, c. P-39.1 (“QC PIPA”), Personal Information Protection Act, R.S.B.C. 2003, c. 63 (“BC PIPA”), Personal Information Protection Act, R.S.A. 2003, c. P-6.5 (“Alberta PIPA”), and the Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act as amended (“CASL”), its regulations, and all applicable and relevant provincial privacy and personal information laws.

“Processing, Processes, or Process” means any operation or set of operations performed upon Personal Information, such as accessing, obtaining, storing, transmitting, using, maintaining, disclosing or disposing of the information.

“Security Breach” means any act or omission that compromises the security, confidentiality, or integrity of Personal Information or the physical, technical, administrative or organizational safeguards put in place to protect it. The loss of or unauthorized access, disclosure or acquisition of Personal Information is a Security Breach whether or not the incident rises to the level of a security breach under the Privacy and Data Protection Laws. 

2.  Processing Purposes

2.1  Customer has control of the Personal Information and remains solely responsible for its compliance obligations under Privacy and Data Protection Laws, providing any required notices and obtaining any required consents, and for the processing instructions it gives to Olive. The Parties agree that the Master Terms (including these Processing Terms and the Order Form), together with the Customer’s use of the services in accordance with such agreements, constitutes Customer’s complete and final instructions to Olive in relation to the Processing of Personal Information, and additional instructions shall require prior written agreement between the Parties. 
2.2  Olive processes the Personal Information obtained through the Olive Platform under the direction of the Customer, and accordingly, Olive has no direct relationship with the End Users whose data is processed on behalf of Customer.  

3.  Olive Obligations

3.1  Olive will only process the Personal Information to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with Customer’s instructions. Olive will not process the Personal Information for any other purpose or in a way that does not comply with these Processing Terms or the Privacy and Data Protection Laws. Olive must promptly notify Customer if, in its opinion, Customer’s instructions would not comply with the Privacy and Data Protection Laws.

3.2  Olive must promptly inform Customer of any individual request or instruction requiring Olive to amend, transfer, or delete the Personal Information, or to stop, mitigate or remedy any unauthorized Processing, and must provide reasonable assistance to Customer to allow Customer to fulfill its compliance obligations under the applicable Privacy and Data Protection Laws. Olive will not undertake to comply with such request or instruction except when Privacy and Data Protection Laws, or other laws or regulations, require it.

3.3  Olive will maintain the confidentiality of all Personal Information and will not disclose Personal Information to third parties unless Customer or these Processing Terms specifically authorizes the disclosure in compliance with Privacy and Data Protection Laws, or as otherwise required by law. If a law requires Olive to process or disclose Personal Information, Olive must first inform Customer of the legal requirement and give the Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice. 

3.4  Olive will reasonably assist Customer with meeting Customer’s compliance obligations under the Privacy and Data Protection Laws, considering the nature of Olive’s processing and the information available to Olive. 

3.5  Olive must promptly notify Customer of any changes to Privacy and Data Protection Laws that may adversely affect Olive’s performance of the Master Terms. 

3.6  Olive will be responsible for its compliance obligations as a third party service provider/mandatory under the applicable Privacy and Data Protection Laws. 

3.7  Customer understands and agrees that Olive may use Personal Information to generate de-identified/anonymized data and will use such data for analytics, reports, improvement of the services and Platform, and other business purposes including without limitation disclosure to third parties in Olive’s sole discretion. Where required by Privacy and Data Protection Laws or other applicable laws, Customer will obtain such consent or provide notices as are required to authorize Olive to use Personal Information for such purposes.

4.  Olive’s Employees

4.1 Olive will limit Personal Information access to those employees who require Personal Information access to meet Olive’s obligations under these Processing Terms and the Master Terms; and, the part or parts of Personal Information that those employees strictly require for the performance of their duties.
4.2 Olive will ensure that all employees are informed of the Personal Information’s confidential nature and use restrictions; and, have undertaken training and are aware of their duties and obligations with respect to the handling and safeguarding of Personal Information under Privacy and Data Protection Laws.

5.  Customer Obligations

5.1  Customer shall, in its use of the services and Platform, process Personal Information in accordance with the requirements of Privacy and Data Protection Laws, including any applicable requirement to provide notice to or obtain consent from End Users for the use of the services and Platform. For greater certainty, Olive may require Customer to include such provisions in Customer’s end user licensing agreements, terms of use, privacy policies or other documentation, as Olive in its sole discretion deems necessary for Customer to fulfill the obligations in this section. Such provisions, agreements, terms, policies and other documentation shall be subject to Olive’s review, in Olive’s sole discretion. 
5.2  Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Information and the means by which Customer acquired Personal Information. Customer specifically acknowledges that its use of the services and Platform will not violate the rights of any End User that has opted-out from the collection, use or disclosure of their Personal Information by exercising rights available under Privacy and Data Protection Laws. 
5.3  Customer acknowledges that Olive will not assess the contents of Personal Information in order to identify information subject to any specific legal requirements. 

5.4  Customer is solely responsible for complying with Security Breach notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Security Breach. Olive’s assistance provided to Customer in response to a Security Breach will not be construed as an acknowledgement by Olive of any fault or liability with respect to the security Breach. 

5.5  Customer agrees that Customer is solely responsible for its use of the services and Platform and the compliance of Customer’s employees’, Authorized Users’ and End Users’ activities with respect to Personal Information, including: 

1. making appropriate use of the services and the Platform to ensure a level of security appropriate to the risk in respect of Personal Information;
2. securing the account authentication credentials, systems, and devices Customer uses to access the services and Platform; and 
3. backing up Customers’ Data including Personal Information.

5.6  Customer agrees that Olive has no obligation to protect Customer data including Personal Information that Customer elects to store or transfer outside of Olive and its third party suppliers’ systems (for example, offline or on-premise storage), or to protect Customer data including Personal Information by implementing or maintaining technical, physical or organizational measures except to the extent Customer has opted to use them.
5.7  Customer is solely responsible for reviewing Olive’s security measures and evaluating for whether the security measures and Olive’s commitments under these Processing Terms will meet Customer’s needs, including with respect to any security obligations of Customer under Privacy and Data Protection Laws, and provide a level of security appropriate to the risk in respect of Customer’s data including Personal Information.

6.  Security

6.1 Olive must at all times implement appropriate technical and organizational measures designed to safeguard Personal Information against unauthorized or unlawful processing, access, copying, modification, storage, reproduction, display or distribution, and against accidental loss, destruction or damage. 

7.  Security Breaches and Personal Information Loss

7.1 Olive will promptly notify the Customer if any Personal Information is lost or destroyed or becomes damages, corrupted or unusable.

7.2 Olive will notify Customer in a commercially reasonable period if it becomes aware of (i) any unauthorized or unlawful processing or attempted unauthorized or unlawful processing of Personal Information; or (ii) any Security Breach.

7.3 Immediately following any unauthorized or unlawful Personal Information processing or Security Breach, the Parties will coordinate with each other to investigate the matter. Olive will reasonably cooperate with Customer in the Customer’s handing of the matter.

7.4 Olive will not inform any third party of any Security Breach without first obtaining Customer’s prior written consent, except where Privacy and Data Protection Laws require it. 

8.  Cross-Border Personal Information Transfers

8.1  Customer acknowledges and agrees that Olive may transfer Personal Information to, or access Personal Information from outside of Canada in the course of providing the services and Platform, and that Customer is solely responsible for obtaining such consents or providing such notices to End Users regarding such cross-border Personal Information transfers as required by Privacy and Data Protection Laws. 
8.2  Olive stores Personal Information in the United States of America using Microsoft Azure but may access the Personal Information from other jurisdictions and may use third party service providers who process the Personal Information in other jurisdictions. Upon request of Customer, Olive will inform Customer of the locations to which the Personal Information is transferred and processed by Olive and/or its third party service providers.

9.  Third Party Service Providers

9.1  In accordance with the Master Terms, Customer acknowledges and agrees that Olive shall be entitled to engage third parties for the purposes of Processing Personal Information, to the extent strictly necessary to fulfill Olive’s obligations under the Master Terms.

9.2  Customer expressly acknowledges and agrees that Olive may add, replace or remove any third party service provider at any time following the effective date and that Olive has no obligation to provide any direct notice to Customer regarding such change in third party service providers. Olive will provide and maintain a list of all third party service providers.

9.3  If Olive engages a third party to Process Personal Information for the purpose of providing the services and the Platform, Olive shall:

1. agree to written terms with the third party that: (i) require the third party only to Process Personal Information for the purpose of delivering the services and Platform; (ii) require the third party to implement appropriate physical, technical and organizational security measures to protect the Personal Information against a Security Breach; and (iii) otherwise require compliance with the requirements of the Privacy and Data Protection Laws and these Processing Terms; and
2. remain responsible to Customer for any breach of the Master Terms and/or these Processing Terms that is caused by an act, error or omission of the third party.

10.  Term and Termination

10.1  These Processing Terms and its provisions will remain in full force and effect while the Master Terms remains in effect or while Olive retains any Personal Information related to the Master Terms in its possession or control (the “Term”).

10.2. Any provision of these Processing Terms that expressly or by implication should come into or continue in force on or after termination of the Master Terms to protect Personal Information will remain in full force and effect. 

11.  Data Return and Destruction

11.1  On termination of the Master Terms for any reason or expiration of its term, Olive will securely destroy or, if directed in writing by Customer, return and note retain, all or any Personal Information related to these Processing Terms in its possession or control.

11.2  If any law, regulation, or government or regulatory body requires Olive to retain any documents or materials that Olive would otherwise be required to return or destroy, it will notify Customer in writing of that retention requirement. Olive may only use this retained Personal Information for the required retention reason.

11.3  Olive will certify in writing that it has destroyed the Personal Information within 30 days after it completes the destruction. 

12.  Records

12.1. Olive will keep detailed, accurate and up-to-date records regarding any Personal Information processing it carries out for Customer.

13.  Indemnification

13.1  Customer agrees to indemnify, keep indemnified and defend at its own expense Olive against all losses incurred by Olive for which Olive may become liable due to any failure by the Customer or its employees, subcontractors or agents to comply with any of Customer’s obligations under these Processing Terms or applicable Privacy and Data Protection Laws and any other applicable laws, enactments, regulations, codes, orders, standards and other similar instruments. 

13.2. Olive agrees to indemnify, keep indemnified and defend at its own expense Customer against all losses incurred by Customer for which Customer may become liable due to any failure by Olive or its employees, subcontractors or agents to comply with any of Olive’s obligations under these Processing Terms or applicable Privacy and Data Protection Laws and any other applicable laws, enactments, regulations, codes, orders, standards and other similar instruments. Olive’s liability shall not exceed the total amount of fees received by Olive from Customer.