Data processing addendum

Last updated: September 27, 2024

This Data Processing Addendum (“Addendum”) is a part of the Terms & Conditions the Privacy Policy (collectively referred to as the “Agreement”) between 4B Advisors Inc. (“SellerSail”) and you (as defined in the Agreement). SellerSail and you are collectively referred to as the “Parties.”

1. Subject Matter and Duration

1.1 Subject Matter. This Addendum outlines the Parties' commitment to comply with Applicable Data Protection Laws regarding the processing of your Personal Data in connection with SellerSail's execution of the Agreement. Capitalized terms that are not explicitly defined in this Addendum will carry the meanings assigned to them in the Agreement. In the event of any conflict between the language in this Addendum or its Exhibits and the Agreement, this Addendum shall take precedence.

1.2 Duration and Survival. This Addendum will become legally binding upon your acceptance of the Agreement. SellerSail will process your Personal Data until the termination of the relationship as specified in the Agreement. SellerSail's obligations and your rights under this Addendum will remain in effect for as long as SellerSail processes your Personal Data.

2. Definitions

For the purposes of this Addendum, the following terms, along with those defined within the text of this Addendum, shall apply:

a) “Applicable Data Protection Law(s)” refers to the relevant laws, rules, and regulations concerning data protection and privacy that govern your Personal Data. This includes, but is not limited to, the principles and requirements of the EU General Data Protection Regulation 2016/679 (“GDPR”).

b) “Your Personal Data” means any personal data related to you or your employees that SellerSail processes. The details and specific uses of Your Personal Data are outlined in Exhibit 1 attached hereto, as mandated by the GDPR.

c) “Controller” is the individual or entity, including public authorities, that determines the purposes and means of processing Personal Data, whether acting alone or in collaboration with others.

d) “Personal Data” holds the definition assigned to “personal data” or “personal information” under Applicable Data Protection Law(s).

e) “Process,” “Processes,” “Processing,” and “Processed” encompass any operation or series of operations performed on data, whether automated or manual, including collection, recording, organization, structuring, storage, alteration, retrieval, consultation, use, disclosure, dissemination, combination, restriction, erasure, or destruction of such data.

f) “Processor” designates any individual or entity that processes Your Personal Data on your behalf, in accordance with this Addendum.

g) “Security Incident(s)” refers to any breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Your Personal Data processed by SellerSail.

h) “Third Party(ies)” denotes SellerSail’s authorized contractors, agents, vendors, and third-party service providers involved in processing Your Personal Data.

3. Data Use and Processing

3.1 Compliance with Laws. Your Personal Data will be processed in accordance with this Addendum and all Applicable Data Protection Law(s).

3.2 Documented Instructions. SellerSail and its third parties will only process Your Personal Data based on your documented instructions or as expressly permitted by this Addendum or the Agreement. SellerSail will, unless legally barred from doing so, notify you in writing if it reasonably believes there is a conflict between your instructions and applicable laws or if it intends to process Your Personal Data in a manner inconsistent with your instructions.

3.3 Authorization to Use Third Parties. To fulfill its contractual obligations under the Agreement, you authorize SellerSail to:

(i) engage third parties, and

(ii) permit those third parties to utilize subprocessors. Any processing of Your Personal Data by third parties must align with your reasonable documented instructions and comply with all Applicable Data Protection Law(s).

3.4 SellerSail and Third Party Compliance. SellerSail commits to (i) entering into written agreements with third parties that establish data protection and security obligations compliant with Applicable Data Protection Law(s) regarding the processing of Your Personal Data, and (ii) maintaining responsibility to you for any failure of SellerSail’s third parties (and their subprocessors, if applicable) to meet their obligations related to the processing of Your Personal Data.

3.5 Right to Object to Third Parties. SellerSail will provide you with a list of third parties that process Your Personal Data upon reasonable request. You may object to the engagement of any new third party by promptly notifying SellerSail in writing within ten business days of receiving notice of their appointment. If you have valid objections, the parties will collaborate in good faith for no less than 30 days to address the grounds for the objection. If no resolution is reached, you may terminate the portion of the services that cannot be fulfilled by SellerSail without the involvement of the contested third party.

3.6 Confidentiality. Any individual or third party involved in the processing of Your Personal Data on behalf of SellerSail will be required to adhere to strict confidentiality obligations. This ensures that they will handle Your Personal Data with care and will only utilize it for the specific purposes outlined in this Addendum.

3.7 Security Measures. SellerSail will implement appropriate technical and organizational measures to safeguard Your Personal Data against unauthorized access, loss, or destruction. These measures will align with applicable data protection standards to ensure the security of your information.

3.8 Data Retention. SellerSail will retain Your Personal Data only for as long as necessary to fulfill the purposes specified in the Agreement and to comply with any legal obligations. Once Your Personal Data is no longer needed, it will be securely deleted or anonymized.

3.9 Assistance with Compliance. SellerSail will assist you in fulfilling your obligations under Applicable Data Protection Law(s), including responding to data subject requests, handling data breaches, and conducting necessary impact assessments.

3.10 Data Transfers. If SellerSail transfers Your Personal Data to a third country or an international organization, it will ensure that appropriate safeguards are implemented to protect the data in accordance with Applicable Data Protection Law(s).

3.11 Changes to Processing Activities. SellerSail will notify you of any significant modifications to its processing activities concerning Your Personal Data, maintaining transparency and enabling you to exercise your rights effectively.

4. International Transfers of Personal Data

4.1 International Transfers of Personal Data. You grant SellerSail and its third-party partners permission to transfer Your Personal Data across borders, including from the European Economic Area to the United States. Any such transfer must comply with an approved adequacy mechanism.

4.2 Standard Contractual Clauses. SellerSail and you will utilize the European Commission Decision C(2010)593 Standard Contractual Clauses for controllers to Processors (“Model Clauses”) as the adequacy mechanism for the transfer and processing of Your Personal Data. The terms of these clauses are incorporated by reference into this Addendum. In Appendix 1 of the Model Clauses, you are identified as the “data exporter” and SellerSail as the “data importer,” with the necessary details provided in Exhibit 1. Regarding Appendix 2 of the Model Clauses, the technical and organizational measures established by the data importer are outlined in Section 5 of this Addendum. According to clause 5(h) of the Model Clauses, you agree that SellerSail may engage new third-party providers as specified in Sections 3.1 to 3.5 of this Addendum. Both parties acknowledge that the Illustrative Clause (Optional) is explicitly excluded from the Model Clauses. Acceptance of this Addendum by either party will be regarded as a signature to the Model Clauses. If necessary under the laws or regulations of any jurisdiction, the parties will execute or re-execute the Model Clauses as separate documents.

5. Information Security Program

SellerSail commits to implementing suitable technical and organizational safeguards to protect Your Personal Data in compliance with Applicable Data Protection Laws (the “Information Security Program”). These measures will include:

i) The pseudonymization of Your Personal Data when appropriate, along with encryption of the data both in transit and at rest.

ii) Ensuring the ongoing confidentiality, integrity, and availability of SellerSail's data processing activities and Your Personal Data.

iii) The capability to restore access and availability to Your Personal Data following a physical or technical incident.

iv) A system for regularly testing, assessing, and evaluating the effectiveness of the Information Security Program to protect Your Personal Data from reasonably suspected or actual accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

6. Security Incidents

6.1 Security Incident Management. SellerSail will establish and follow comprehensive policies and procedures to identify, respond to, and manage Security Incidents. This includes:

(i) Detecting and responding to reasonably suspected or confirmed Security Incidents, mitigating any harmful effects, documenting incidents and their outcomes.

(ii) Restoring availability or access to Your Personal Data promptly.

6.2 Notification. SellerSail agrees to provide immediate written notification without undue delay, and within the timeframe mandated by Applicable Data Protection Laws (not exceeding 48 hours), to your designated point of contact upon becoming aware of a Security Incident. This notification will include all relevant information needed for you to fulfill your own reporting obligations to regulatory bodies or affected individuals as required by law.

7. Data Storage and Deletion

7.1 Data Storage. SellerSail will adhere to the following guidelines regarding the storage of Your Personal Data:

i) SellerSail will only store or retain Your Personal Data as necessary to fulfill the Services outlined in the agreement.

ii) SellerSail will:

(i) Provide written notice of all countries where Your Personal Data is processed or stored.

(ii) Obtain your consent for processing or storage in the specified countries. As of the effective date, SellerSail stores Your Personal Data in the following country, to which you hereby consent: United States.

7.2 Data Deletion. SellerSail will comply with the following regarding the deletion of Your Personal Data:

i) Within ninety (90) calendar days following the expiration or termination of the agreement, SellerSail will securely destroy all copies of Your Personal Data, including any automatically generated archival copies.

ii) Upon your request, SellerSail will promptly return a copy of all Your Personal Data within 30 calendar days. If you also request the deletion of Your Personal Data, SellerSail will proceed with this as described above.

iii) Deletion of Your Personal Data will be conducted according to industry-standard practices for handling sensitive data.

iv) Physical media such as tapes, printed materials, and optical disks will be securely destroyed using methods like shredding performed by a certified provider. Upon your request, SellerSail will provide proof of the deletion of all Your Personal Data, including a “Certificate of Deletion” within 30 calendar days of your request.