Data Processing Addendum

Chapman & Co. Leadership Institute Organizational Culture Survey

Date: 6/15/2020

1. Introduction and Scope

This Data Processing Addendum forms part of the Organizational Culture Survey contract between Chapman & Co. Leadership Institute (“the Company”) and the Client.

This Addendum sets out the roles and responsibilities of the Company and of the Client when the Company is processing Personal Data as data processor on behalf of the Client. The categories of Personal Data and the ways Personal Data is processed are described in the product description and this contract. In this Addendum, Personal Data refers to any information relating to an identified or identifiable person.

2. Responsibilities of the Client

As the data controller, the Client is responsible for, including but not limited to, providing transparent information to the individuals whose Personal Data is processed, ensuring that there is an appropriate legal basis for processing Personal Data, as well as for security, data breach notifications and data protection impact assessments.

3. Responsibilities of the Company

a) As the data processor, the Company is responsible for processing the Personal Data only on documented instructions from the Client.

b) The Company ensures that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The Company ensures that the Company’s access to Personal Data is limited to those personnel performing services in accordance with this contract.

c) The Company implements and maintains industry standard technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access. The Company makes reasonable efforts to ensure a level of security appropriate to the risk of the processing, taking into account the costs of implementation and the nature, scope, context and purposes of processing of Personal Data.

d) The Company will assist the Client, insofar as this is possible, by appropriate technical and organizational measures, taking into account the nature of the processing, for the fulfilment of the Client’s obligation to respond to requests for exercising the data subject’s rights.

e) The Company cooperates with the Client to ensure compliance with the obligations of security, data breach notifications and data protection impact assessments, taking into account the nature of processing and the information available to the Company.

4. Return of Personal Data

At the direction of the Client, the Company shall delete or return (insofar as reasonable) all the Personal Data to the Client five years after the end of the provision of services relating to processing, and delete existing copies unless applicable law requires storage of the Personal Data.

5. Right to Audit

The Company shall make available to the Client all reasonable information necessary to demonstrate compliance with the obligations set forth in this Addendum and allow for and contribute to audits, including inspections, conducted by the Client or an auditor mandated by the Client. Before the commencement of an audit, the Company and the Client will mutually agree upon the scope, timing, duration, control and evidence requirements. The Client is responsible for all costs and fees related to the audit.

6. Transfers of Personal Data

The Company may process Personal Data in any country where it has team members or facilities or in which it engages service providers, including in the United States of America. The Company shall implement appropriate safeguards to protect Personal Data as required when transferred, including Standard Contractual Clauses, when applicable.

7. Use of Sub-Processors

The Company may engage sub-processors in connection with the provision of the services. The Company shall provide the list of sub-processors to the Client upon request. The Client may object to the Company’s use of a sub-processor by notifying the Company promptly in writing. In the event the Client objects to a sub-processor, the Company will use reasonable efforts to change the service or the sub-processor.

Where the Company engages another processor for carrying out specific processing activities on behalf of the Client, the same data protection obligations as set out in the contract between the Company and the Client shall be imposed on that other processor. Where that other processor fails to fulfil its data protection obligations, the Company remains fully liable to the controller for the performance of that other processor’s obligations.

8. Compliance with CCPA

If the Company is processing Personal Data within the scope of the California Consumer Privacy Act (“CCPA”), the Company makes the following additional commitments to the Client: The Company will process customer data and Personal Data on behalf of Client and, not retain, use, or disclose that data for any purpose other than for the purposes set out in this contract and as permitted under the CCPA, including under any “sale” exemption. In no event will the Company sell any such data.

9. Data Protection Officer

The Company has appointed a Data Protection Officer, who can be reached at dataprotection@barry-wehmiller.com.