Last Updated: March 8, 2023
This Data Protection Addendum for Canadian Personal Information (“Addendum”) supplements and forms a part of the applicable Xactware Solutions, Inc. License Agreement (“EULA”), as amended from time to time, when Applicable Law applies to the Processing of Personal Information in connection with your use of the Services. Unless otherwise defined in this Addendum, all terms used herein have the same meanings as in the EULA or the Services Agreement.
Whereas the Verisk Customer or its employees, agents, consultants or contractors (collectively hereinafter, “Company”) may provide Verisk (hereinafter “Service Provider”) with access to Personal Information in connection with certain Services performed by Service Provider for or on behalf of Company pursuant to the EULA, the Services Agreement, or both; and
Whereas Company and Service Provider desire to preserve and maintain the privacy, confidentiality, and security of such Personal Information.
Now therefore, in consideration of the mutual covenants and agreements in this Addendum, the EULA, and the Services Agreement and for other good and valuable consideration, the sufficiency of which is hereby acknowledged, Company and Service Provider agree as follows:
1.1. “Data Controller” means a person who alone or jointly with others determines the purposes and means of the Processing of Personal Information.
1.2. “Data Processor” or “Service Provider” means a person who Processes Personal Information on behalf of the Data Controller.
1.3. “Information Security Incident” means, with respect to Personal Information in Service Provider’s or its agents’ or its Subprocessors’ custody or control: (i) loss, theft, damage or unauthorized access to, use, disclosure or acquisition of any Personal Information; or (ii) any other breach in the protection of Personal Information.
1.4. “Personal Information” means any information relating to an identified or identifiable individual (including information that could, alone or in combination with other information, be used to identify an individual) that is provided or made available to Service Provider by Company for the provision of Services contemplated by the EULA or the Services Agreement and excludes Anonymous Data as defined by the EULA or the Services Agreement.
1.5. “Applicable Law” means Canada’s laws, rules, and regulations that are applicable to Personal Information including the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”), applicable provincial and territorial laws in Canada, and Canada’s Anti-Spam Legislation (“CASL”).
1.6. “Process”, “Processed”, or “Processing” means any operation or set of operations performed upon Personal Information, whether or not by automatic means, such as creating, collecting, procuring, obtaining, accessing, recording, organizing, managing, storing, adapting, altering, modifying, retrieving, consulting, using, de-identifying, pseudonymizing, anonymizing, disclosing, deleting or destroying the data.
1.7. “Subprocessor” means any third party engaged by or on behalf of Service Provider to Process Personal Information.
2.1. Pursuant to the EULA or the Services Agreement, Company shall have exclusive authority to determine the purposes for and means of Processing Personal Information. Service Provider shall Process Personal Information only on behalf of and for the benefit of Company in accordance with the EULA or Services Agreement.
2.2. The parties agree that Company will act as a Data Controller and Service Provider will act as a Data Processor with respect to the Processing of Personal Information under the EULA or Services Agreement.
2.3. Any Personal Information will at all times be and remain the sole property of Company and Service Provider will not have or obtain any rights therein, except as may otherwise be agreed to by the parties.
2.4. Service Provider shall not send any commercial electronic messages (“CEMs”), as such term is defined under Canada’s Anti-Spam Legislation (Statutes of Canada 2010, c 23) and its associated regulations (collectively, “CASL”), on behalf of Company, or cause or permit the sending of CEMs on behalf of Company, or otherwise in connection with the EULA or Services Agreement without the prior written consent of Company or as otherwise agreed to or in accordance with the EULA or Services Agreement. If Company provides consent, Service Provider represents, warrants and agrees that it fully complies, and will cause any of its permitted Subprocessors or agents to fully comply, with all applicable consent, notice, unsubscribe and other requirements under CASL.
3.1. Service Provider shall (i) limit access to Personal Information to its employees, agents, and contractors who have a need to know the Personal Information as a condition to Service Provider’s performance of the Services and who are subject to comparable obligations of privacy and security as applicable to Service Provider under this Addendum.
3.2. Service Provider may share, transfer, disclose, make available or otherwise provide access to Personal Information to Subprocessors in order to provide the Services contemplated by the EULA or Services Agreement, and to any third party as required by law. A list of current Subprocessors is available upon request.
3.3. Service Provider shall only transfer, access, store or otherwise Process Personal Information in Canada or the United States or as otherwise agreed to by the parties.
3.4. Service Provider shall promptly, unless prohibited by applicable law, inform Company of any: (i) request received relating to an individual’s exercise of rights under applicable law; or (ii) individual’s complaint relating to the Processing of Personal Information, with respect to any Personal Information received from Company in accordance with the Services contemplated by the EULA or Services Agreement, to the extent Service Provider is able to associate such individual request or complaint with Company. Service Provider shall reasonably cooperate with Company with respect to any such request or complaint.
3.5. Service Provider shall notify Company, unless prohibited by applicable law, of the receipt of any subpoena, demand, warrant, or other judicial or administrative order by a government authority or proceeding seeking access to or disclosure of Personal Information.
3.6. Service Provider shall reasonably assist Company in complying with its obligations under Applicable Law, in particular Company’s obligation to implement appropriate security measures, to carry out a data protection or privacy impact assessment, and to consult the competent data protection authority.
4.1. Service Provider shall comply with Applicable Law and represents and warrants that no applicable law, or legal requirement, or privacy or information security enforcement action, investigation, litigation or claim prohibits Service Provider from (i) fulfilling its obligations under this Addendum or (ii) complying with instructions it receives from Company concerning Personal Information.
4.2. In case of any conflict between this Addendum and the EULA or Services Agreement, this Addendum shall prevail with regard to the Processing of Personal Information covered by it.
5.1. Service Provider shall develop, maintain, implement and ensure ongoing compliance with a comprehensive written information privacy and security program that includes policies and procedures, risk management, monitoring, backup, disaster recovery and audit processes as necessary to comply with this Addendum and Applicable Law.
5.2. Service Provider shall provide training, as appropriate, regarding the privacy, confidentiality and information security requirements set forth in this Addendum to all Service Provider’s employees with access to Personal Information.
5.3. Company may, upon 30 days’ prior written notice and no more than once per calendar year, request to monitor or audit Service Provider’s compliance with the terms of this Addendum with respect to Company’s Personal Information provided or made available to Service Provider under the EULA or Services Agreement. Service Provider may supply Company with evidence of the most recent opinion from Service Provider’s independent auditor in lieu of such audit. Any audit requested or performed by Company pursuant to this section shall be at Company’s sole cost and expense.
5.4. Service Provider shall inform Company of any Information Security Incident without undue delay once confirmed by Service Provider.
5.5. Promptly upon the expiration or earlier termination of the EULA or Services Agreement, and upon Company’s request, Service Provider shall securely destroy Personal Information in Service Provider’s custody or control subject to applicable law and record retention obligations.