Data Processing Addendum

1. Categories of Personal Data Transferred: The categories of Personal Data Processed by Turing are those described in the Agreement and any applicable Statement(s) of Work. Such categories may include, but are not limited to, any Personal Data that Company provides or otherwise makes available to Turing in connection with the Services.
2. Categories of Data Subjects whose Personal Data is Transferred: The categories of Data Subjects are as described in the Agreement and any applicable Statement(s) of Work, and may include any individuals whose Personal Data is Processed by Turing on behalf of Company in connection with the Services.
3. Duration and Frequency. The Processing will continue until the expiration or termination of the Agreement.  Personal Data is transferred in accordance with the standard functionality of the Services, or as otherwise agreed upon by the parties.
4. Nature, Subject Matter, and Purpose of the Processing. The performance of the Services described in the Agreement to which this Addendum is attached.
5. Sensitive Data Transferred: None, no sensitive data is intended to be transferred
6. Transfers to Sub-Processors:

Turing Subprocessor: Google Cloud Platform
Purpose: Cloud hosting, data storage
Location: United States
Transfer Mechanism: Standard Contractual Clauses

1. Subject Matter. This Addendum reflects the parties’ commitment to abide by Data Protection Laws concerning the Processing of Company Personal Data in connection with Turing’s execution of the Agreement. All capitalized terms that are not expressly defined in this Addendum will have the meanings given to them in the Agreement. If and to the extent language in this Addendum conflicts with the Agreement, this Addendum shall control.
2. Duration and Survival. This Addendum will become legally binding upon the effective date of the Agreement or upon the date that the parties sign this Addendum if it is completed after the effective date of the Agreement. Turing will Process Company Personal Data until the relationship terminates as specified in the Agreement.

For the purposes of this Addendum, the following terms and those defined within the body of this Addendum apply.

1. “Company Personal Data” means Personal Data Processed by Turing on behalf of Company under the Agreement.
2. “Data Protection Laws” means the applicable privacy and data protection laws, rules, and regulations to which the Processing of Company Personal Data under the Agreement is subject. “Data Protection Laws” may include, but are not limited to, Brazil’s Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019); the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act) (“CCPA”) and other applicable U.S. federal and state privacy laws; the EU General Data Protection Regulation 2016/679 (“GDPR”) and its respective national implementing legislations; India’s Information Technology Act, 2000; the Swiss Federal Act on Data Protection; the United Kingdom General Data Protection Regulation; and the United Kingdom Data Protection Act 2018 (in each case, as amended, adopted, or superseded from time to time).  
3. “Personal Data” has the meaning assigned to the term “personal data” or “personal information” under applicable Data Protection Laws.
4. “Process” or “Processing” means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
5. “Security Incident(s)” means the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Company Personal Data attributable to Turing. 
6. “Services” means the services that Turing performs under the Agreement. 
7. “Subprocessor(s)” means Turing’s authorized vendors and third-party service providers that process Company Personal Data.

1. Documented Instructions. Turing shall Process Company Personal Data to provide the Services in accordance with the Agreement, this Addendum, any applicable Statement of Work, and any instructions agreed upon by the parties. Turing will, unless legally prohibited from doing so, inform Company in writing if it reasonably believes that there is a conflict between Company’s instructions and applicable law or otherwise seeks to Process Company Personal Data in a manner that is inconsistent with Company’s instructions.
2. Authorization to Use Subprocessors. Company hereby authorizes Turing to engage Subprocessors. Company acknowledges that Subprocessors may further engage vendors.
3. Turing and Subprocessor Compliance. Turing shall (i) enter into a written agreement with Subprocessors that imposes on such Subprocessors data protection requirements for Company Personal Data that are consistent with this Addendum; and (ii) remain responsible to Company for Turing’s Subprocessors’ failure to perform their obligations with respect to the Processing of Company Personal Data. 
4. Right to Object to Subprocessors. Where required by Data Protection Laws, Turing will notify Company via email prior to engaging any new Subprocessors that Process Company Personal Data and allow Company ten (10) days to object. If Company has legitimate objections to the appointment of any new Subprocessor, the parties will work together in good faith to resolve the grounds for the objection.
5. Confidentiality. Any person authorized to Process Company Personal Data must be subject to a duty of confidentiality,  contractually agree to maintain the confidentiality of such information, or be under an appropriate statutory obligation of confidentiality.
6. Personal Data Inquiries and Requests. Where required by Data Protection Laws, Turing agrees to provide reasonable assistance and comply with reasonable instructions from Company related to any requests from individuals exercising their rights in Company Personal Data granted to them under Data Protection Laws.
7. Data Protection Assessment, Data Protection Impact Assessment, and Prior Consultation. Where required by Data Protection Laws, Turing agrees to provide reasonable assistance and information to Company where, in Company’s judgement, the type of Processing performed by Turing requires a data protection assessment, data protection impact assessment, and/or prior consultation with the relevant data protection authorities.
8. Demonstrable Compliance. Turing agrees to provide information reasonably necessary to demonstrate compliance with this Addendum upon Company’s reasonable request.
9. California Specific Terms. To the extent that Turing’s Processing of Company Personal Data is subject to the CCPA, this Section shall also apply. Company discloses or otherwise makes available Company Personal Data to Turing for the limited and specific purpose of Turing providing the Services to Company in accordance with the Agreement and this Addendum. Turing shall: (i) comply with its applicable obligations under the CCPA; (ii) provide the same level of protection as required under the CCPA; (iii) notify Company if it can no longer meet its obligations under the CCPA; (iv) not “sell” or “share” (as such terms are defined by the CCPA) Company Personal Data; (v) not retain, use, or disclose Company Personal Data for any purpose (including any commercial purpose) other than to provide the Services under the Agreement or as otherwise permitted under the CCPA; (vi) not retain, use, or disclose Company Personal Data outside of the direct business relationship between Company and Turing; and (vii) unless required to provide the Services, not combine Company Personal Data with Personal Data that Turing (a) receives from, or on behalf of, another person, or (b) collects from its own, independent consumer interaction. Company may: (1) take reasonable and appropriate steps agreed upon by the parties to help ensure that Turing Processes Company Personal Data in a manner consistent with Company’s CCPA obligations; and (2) upon notice, take reasonable and appropriate steps agreed upon by the parties to stop and remediate unauthorized Processing of Company Personal Data by Turing.

Turing shall implement and maintain reasonable administrative, technical, and physical safeguards designed to protect Company Personal Data.

Upon becoming aware of a Security Incident, Turing agrees to provide written notice without undue delay and within the time frame required under Data Protection Laws to Company’s designated POC. Where possible, such notice will include all available details required under Data Protection Laws for Company to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident. 

1. Cross-Border Transfers of Company Personal Data. Company authorizes Turing and its Subprocessors to transfer Company Personal Data across international borders, including from the European Economic Area, Switzerland, and/or the United Kingdom to the United States. 
2. EU Standard Contractual Clauses. If Company Personal Data originating in the European Economic Area, Switzerland, and/or the United Kingdom is transferred by Company to Turing in a country that has not been found to provide an adequate level of protection under applicable Data Protection Laws, the parties agree that the transfer shall be governed by Module Two’s obligations in the Annex to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU Standard Contractual Clauses”), the terms of which are incorporated herein by reference. Each party’s signature to the Agreement shall be considered a signature to the EU Standard Contractual Clauses to the extent that the EU Standard Contractual Clauses apply hereunder.
3. Brazil Standard Contractual Clauses. If Company Personal Data originating in Brazil is transferred by Company to Turing in a country that has not been found to provide an adequate level of protection under applicable Data Protection Laws, the parties agree that the transfer shall be governed by Annex II of the Resolution n°19 of the board of directors of the Autoridade Nacional de Proteção de Dados (“Brazil Standard Contractual Clauses”), the terms of which are incorporated herein by reference. Each party’s signature to this Agreement shall be considered a signature to the Brazil Standard Contractual Clauses to the extent that the Brazil Standard Contractual Clauses apply hereunder.

Where Data Protection Laws afford Company an audit or assessment right, Company (or its appointed representative) may carry out an audit or assessment of Turing’s policies, procedures, and records relevant to the Processing of Company Personal Data. Any audit or assessment must be: (i) conducted during Turing’s regular business hours; (ii) with reasonable advance notice to Turing; (iii) carried out in a manner that prevents unnecessary disruption to Turing’s operations; and (iv) subject to reasonable confidentiality procedures. In addition, any audit or assessment shall be limited to once per year, unless an audit or assessment is carried out at the direction of a government authority having proper jurisdiction.

At the expiry or termination of the Agreement, Turing will delete all Company Personal Data (excluding any back-up or archival copies which shall be deleted in accordance with Turing’s data retention schedule), except where Turing is required to retain copies under applicable laws, in which case Turing will isolate and protect that Company Personal Data from any further Processing except to the extent required by applicable laws.

Company represents and warrants that: (i) it has complied and will comply with Data Protection Laws; (ii) it has obtained and will obtain and continue to have, during the term, all necessary rights, lawful bases, authorizations, consents, and licenses for the Processing of Company Personal Data as contemplated by the Agreement; and (iii) Turing’s Processing of Company Personal Data in accordance with the Agreement will not violate Data Protection Laws or cause a breach of any agreement or obligations between Company and any third party.