Callidus Software Inc. Master Agreement
on the Commissioned Processing of Personal Data
(hereinafter referred to as the “MDPA”)
THE CALLIDUS DATA PROCESSING ADDENDUM TERMS HAVE CHANGED AS OF JANUARY 18, 2019 TO THE BELOW.
This MDPA is incorporated into the Agreement and forms part of a written (including in electronic form) contract between Callidus Software Inc., an SAP company (hereafter “SAP”) and Contractor.
- 1. Definitions and Interpretation
- 1.1 “Controller” means any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data which is processed by Contractor or Subprocessor in connection with the Services. Controllers may include SAP and/or SAP Resellers and Users who, as the case may be, determine alone or jointly the purposes and means of the processing of Personal Data processed in connection with the Services. For the purposes of this MDPA, where SAP and/or SAP Affiliates act as Processors for other Controllers, they shall, in relation to Contractor, be granted all rights under this MDPA and Data Protection Law towards Contractor and Subprocessors as if they were Controllers (in addition to the Controllers determined in accordance with sentence 1 of this definition).
- 1.2 “Data Protection Law” means the applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the processing of Personal Data in connection with the Services (and includes, as far as it concerns the obligations of Contractor and Subprocessors regarding the processing of Personal Data for SAP and other Controllers under this MDPA, the GDPR as a minimum standard, irrespective of whether the Personal Data is subject to GDPR or not).
- 1.3 “Data Subject” means any individual or other person who is protected by Data Protection Law and whose data is processed by Contractor or Subprocessor in connection with the Services.
- 1.4 “EEA” means the European Economic Area, namely the European Union Member States along with Iceland, Liechtenstein and Norway.
- 1.5 “GDPR” means the European Union’s General Data Protection Regulation 2016/679 as amended from time to time.
- 1.6 “Incident” means any support ticket made accessible to Contractor.
- 1.7 “Instructions” means any instructions given by the Controller with respect to the lawful processing of Personal Data in accordance with Data Protection Law. Instructions may include, without limitation, the correction, erasure and/or the blocking of Personal Data in the legal responsibility of the respective Controller.
- 1.8 “Personal Data” means any information relating to a Data Subject which is protected under Data Protection Law, and in particular includes any information relating to an identified or identifiable natural or legal person; an identifiable person includes any person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
- 1.9 “Personal Data Breach” means an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or unauthorized access to Personal Data.
- 1.10 “PoA” means power of attorney or other means available to a legal entity or natural person under applicable law to validly enter into a data processing agreement on behalf of another party.
- 1.11 “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller, be it directly as processor of a Controller or indirectly as subprocessor of a processor which processes personal data on behalf of the Controller.
- 1.12 “SAP Affiliates” means any of SAP’s affiliates and subsidiaries, meaning a corporation or other entity of which SAP SE owns, either directly or indirectly, more than fifty percent (50%) of the stock or other equity interests.
- 1.13 “SAP Contractor-Services based Solution Partners” means partners of SAP whose products and services (i) are marketed by SAP together with SAP products and services, and (ii) are stored on a server or platform of Contractor or a Subprocessor or otherwise require a processing of Personal Data by Contractor or a Subprocessor.
- 1.14 “SAP Resellers and Users” means (i) SAP Affiliates, (ii) SAP resellers, (iii) direct and indirect customers of SAP, SAP Affiliates and of SAP resellers, (iv) SAP Contractor-Services based Solution Partners and/or (v) any other commercial end users of SAP products.
- 1.15 “Service” means any work or service which Contractor provides to SAP and/or SAP Resellers and Users under a Service Agreement which may or may not expressly incorporate the terms of this MDPA by reference.
- 1.16 “Service Agreement” means any contract, purchase order or other agreement for the provision of the Service between Contractor and SAP or an SAP Affiliate.
- 1.17 “Standard Contractual Clauses” or “Clauses” means the Standard Contractual Clauses (Processors) 2010/87/EU as attached hereto as Annex 1, or any subsequent version thereof published by the European Commission (which will automatically apply).
- 1.18 “Subprocessor” means any third parties (including Affiliates of Contractor) that are directly or indirectly engaged by Contractor in connection with the Service and that process Personal Data that are covered by this MDPA.
- 1.19 Any terms not defined in this MDPA, but defined in the Data Protection Law, shall have the meaning assigned to them in the Data Protection Law. In case of doubt, the definitions of the GDPR shall apply. The term “processing” in particular includes any kind of disclosure of Personal Data, including the enablement of potential onsite and remote access, irrespective of whether the access to Personal Data is actually exercised.
- 1.20 For the avoidance of doubt, any reference to days shall mean calendar days.
- 2. Application of this MDPA; Purpose of Personal Data Transfer; Ownership of Data; Governance
- 2.1 This MDPA, including its Annexes, shall apply to any processing of Personal Data by Contractor or Subprocessors on behalf of SAP or another Controller in connection with a Service. Appendices 1 and 2 to the Clauses also apply as Appendices to all processing under this MDPA, irrespective of whether a processing is covered by the Clauses or not. Contractor and Subprocessors in particular have implemented and will apply the technical and organizational measures set forth in Appendix 2.
- 2.2 Any and all processing of Personal Data by Contractor and Subprocessors is solely intended to enable Contractor to provide the Services. Contractor and Subprocessors are prohibited from using the Personal Data for any purposes other than fulfilling Contractor’s contractual obligations related to the performance of the Services. Contractor agrees to process Personal Data only on behalf of SAP and in compliance with SAP’s Instructions, this MDPA and, if applicable according to Section 5.2, the Clauses.
- 2.3 As between SAP and Contractor, all Personal Data and any copies, reproductions, summaries, analyses or extracts thereof or based thereon in any form, irrespective of whether made by Contractor in performance of its obligations under a Service Agreement or not and, including anonymous and aggregated data legally created on basis of the Personal Data, are the sole property of SAP.
- 2.4 Contractor (for the Subprocessors) and SAP (for the Controllers) act as central points of contact. As far as possible under Data Protection Law and subject to deviating Instructions by Controllers, all communication in connection with this MDPA and the processing of Personal Data under it shall be through SAP and Contractor respectively. Between SAP and Contractor, Contractor is responsible to inform its Subprocessors appropriately where required, and SAP to inform the other Controllers appropriately where required. This shall however not limit any rights of Controllers under this MDPA, the Clauses and Data Protection Law.
- 2.5 SAP enters into this MDPA also on behalf of the SAP Affiliates and this MDPA shall apply correspondingly between SAP Affiliates and Contractor when Contractor provides any Services to SAP Affiliates.
- 3. Additional Obligations
- 3.1 Contractor shall restrict the access to and disclosure of Personal Data to those of its employees who are required to provide services under the Service Agreement. Contractor shall oblige any such personnel to observe data secrecy and confidentiality and shall only grant access to personnel who have committed themselves to confidentiality.
In particular, Contractor shall:
- 3.1.1 Prohibit its personnel from accessing, processing and/or using any Personal Data transferred to Contractor under the Service Agreement (i) without authorization or (ii) for purposes other than fulfilling Contractor’s contractual obligations under the Service Agreement (“Data Secrecy”).
- 3.1.2 Oblige its personnel to keep all Personal Data strictly confidential and to disclose Personal Data only on a strict need-to-know basis to other authorised employees of Contractor, and only as required for fulfilling Contractor’s obligations (this requirement for the purposes of this Section 3.1 hereinafter referred to as “Confidentiality”); provided however that Contractor shall not disclose or otherwise make accessible Personal Data under any circumstances to anyone who has not been obliged to Data Secrecy and Confidentiality and is not required for fulfilling Contractor’s obligations under the Service Agreement.
- 3.1.3 Ensure that the obligations to Data Secrecy and Confidentiality survive indefinitely the expiry and/or termination of the Service Agreement, this MDPA and/or the respective personnel’s employment or other working relationship with Contractor.
- 3.1.4 Upon SAP’s request provide SAP with the evidence of such Data Secrecy and Confidentiality agreements.
- 3.1.5 Regularly train personnel having access to Personal Data in applicable data security and data privacy measures.
- 3.2 Where a Controller requests any correction, erasure, blocking or return of Personal Data which is subject to this MDPA, Contractor will promptly fulfill such requirement. To the extent that the Services provided by Contractor consist in hosting and/or operating or otherwise managing a hosted software, platform or infrastructure (“Cloud Services”), a Controller may give Instructions also by using the functionalities available to the Controller within those Cloud Services.
- 3.3 Any engagement of Subprocessors requires the prior consent of SAP and shall only be allowed under the rules set forth in Clause 11 of the Clauses. In addition to the contents required under Clause 11, the Contractor’s agreements with Subprocessors (i) shall impose upon the Subprocessors all obligations of Contractor under this MDPA and (ii) shall provide that SAP may directly enforce any of the obligations under this MDPA against Contractor’s Subprocessors. The foregoing obligations apply to all Sections of this MDPA, irrespective of whether or not the application to Subprocessors is expressly mentioned. Notwithstanding, Contractor remains at all times responsible for its Subprocessors’ compliance with this MDPA and Data Protection Law, and Contractor will evaluate the security, privacy and confidentiality practices of a Subprocessor prior to selection to establish that it is capable of providing the level of protection of Personal Data required by this MDPA.
- 3.4 Any of Contractor’s Subprocessors listed in a completed Annex 2 form to this MDPA shall be considered approved Subprocessors. Where Contractor intends to replace an approved Subprocessor, Contractor must notify SAP 90 calendar days prior to the intended use of such Subprocessor. SAP may object against the use of a new Subprocessor for reasonable grounds. Such reasonable grounds shall in particular exist if SAP has had negative experiences with the respective Subprocessor, the Subprocessor is not sufficiently reliable in SAP’s reasonable discretion, the Subprocessor is a competitor of SAP, or a customer of SAP has objected against the use of the Subprocessor. If SAP objects against the use within 90 calendar days after being notified, Contractor must ensure that the Subprocessor is not used for the provision of the Services towards SAP and/or another Controller.
- 3.5 Contractor shall cooperate with SAP in dealing with inquiries and requests from data subjects (in particular data subject rights requests according to Data Protection Law, such as Art. 12-22 GDPR), other Controllers, supervisory authorities, law enforcement authorities and other competent authorities and courts with respect to Contractor’s or Subprocessor’s processing of Personal Data within the context of a Service. In the event that a Data Subject contacts Contractor or a Subprocessor to exercise its Data Subject rights or otherwise regarding the processing of its Personal Data within the context of a Service, Contractor shall pass on the request to SAP without undue delay. Contractor agrees and warrants that it shall not disclose any information to the requesting Data Subject in the absence of an express instruction from SAP or the Controller. In the event that an authority or a court files a request towards, or otherwise contacts, Contractor or Subprocessors regarding the processing of Personal Data within the context of a Service (in particular a request for the disclosure of any Personal Data), Contractor shall inform SAP immediately and discuss and agree with SAP the response to the request in order to allow SAP and/or the Controller to assert any objections, exclusions, exemptions, or protective measures. Contractor or Subprocessor agrees and warrants that it will not fulfill such a request and in particular not disclose any Personal Data of SAP or a Controller without SAP’s prior written consent unless (i) it is required to do so under applicable law, (ii) it has exercised all legal remedies to avoid fulfilling the request (without SAP’s consent), and (iii) the fulfillment of the request is permissible under Data Protection Law.
- 3.6 If, pursuant to Data Protection Law, SAP or another Controller is required to perform a data protection impact assessment or a similar assessment or prior consultation with a regulator, at SAP’s request, Contractor will provide all required information and documents available to it and its Subprocessors. Any additional assistance shall be mutually agreed between the Parties and not be unreasonably withheld by Contractor or Subprocessors.
- 3.7 Contractor shall maintain a comprehensive documentation about the processing of Personal Data in line with Data Protection Law with relation to its area of responsibility, and provide such documentation to SAP upon first request. The documentation shall enable SAP to verify Contractor’s compliance with Data Protection Law, including the use of Subprocessors in accordance with Data Protection Law. Contractor shall further provide to SAP all information which concerns (i) Contractor, (ii) the Subprocessors and (iii) the processing of Personal Data by it and the Subprocessors, to the extent it is necessary for SAP to maintain its register of processing activities according to Data Protection Law.
- 3.8 Any Personal Data stored by Contractor or Subprocessors, and any copies of other data mentioned in Section 2.3 of this MDPA, shall be promptly returned to SAP upon the earliest of the following events: (i) upon SAP’s request; or (ii) upon completion of all tasks for which the respective Personal Data was transferred to Contractor; or (iii) upon expiry or termination of this MDPA; or (iv) upon expiry or termination of the Service Agreement. Alternatively, where such data cannot be returned, or if SAP so elects, Contractor shall destroy, and certify to SAP in writing that it has destroyed, all such data within a reasonable time period in line with Data Protection Law (not to exceed three months) unless a retention of the data is required by applicable law and allowed under Data Protection Law. Notwithstanding that, Contractor must ensure that Controllers can enable Data Subjects to access their Personal Data at any time, and that Controllers are able to export and retrieve the Personal Data they control in a standard format upon request of a concerned Data Subject.
- 4. Data Breach Reporting; Compliance; Audits
- 4.1 Contractor will promptly report to SAP any Personal Data Breach and any violations of this MDPA by it or a Subprocessor that Contractor becomes aware of. The reporting of a Personal Data Breach shall contain all information which is available to Contractor or Subprocessors and which may be required to enable the Controller to comply with its reporting obligations towards authorities and/or data subjects.
- 4.2 Contractor agrees that SAP may audit Contractor’s compliance with the terms of this MDPA, including the technical and organisational security measures implemented by Contractor (as documented in Appendix 2 to the Clauses), both prior to commencement of Personal Data processing and at any time later during the term of this MDPA or when required under Data Protection Law. SAP may, within the scope of a regular audit, either conduct an on-site inspection of Contractor’s business operations or have the same conducted by a qualified third party, in each case upon reasonable notice, during regular business hours and without interrupting Contractor’s business operations. SAP may in particular conduct an audit at any time if (i) a Personal Data Breach has occurred which concerns it; (ii) it has reasonable grounds to suspect that Contractor is not in compliance with its obligations under this MDPA; (iii) an audit is formally requested by its data protection authority; or (iv) Data Protection Law provides the Controller with a direct audit right.
- 4.3 For the avoidance of doubt, if SAP has reasonable grounds to suspect non-compliance with this MDPA, or in the case of a Personal Data Breach, SAP shall be entitled to conduct an on-site inspection on short notice.
- 4.4 Where requested by SAP (in connection with an audit or otherwise), Contractor shall make available to SAP or Controller all information necessary to demonstrate compliance with the obligations laid down in this MDPA and Data Protection Law. Upon request, Contractor shall in particular provide all existing certifications with respect to its and Subprocessors’ IT control environment relevant for the Services (such as ISO 27001 and ISAE 3402 and/or ISAE 3000 or other SOC 1-3 attestation reports) or any existing actual attestation or certificate by an independent professional expert.
- 4.5 Each Party shall bear its own costs of any audit; however, if such audit reveals a breach of this MDPA by Contractor or a Subprocessor, Contractor shall also bear all reasonable fees and expenses charged by an external auditor to SAP or Controller. If an audit determines that Contractor (or a Subprocessor) has breached its obligations under the MDPA, it will promptly remedy the breach at its own cost.
- 4.6 Contractor will conduct regular internal audits (at least once a year) to ensure its own compliance with the technical and organisational security measures specified in Appendix 2 to the Clauses and will submit the audit reports to SAP without delay upon request. Contractor may use internal resources or an external independent and certified third party auditor for such internal audits.
- 5. International Processing
- 5.1 Unless otherwise agreed (e.g. in the Service Agreement), Contractor shall be entitled to process Personal Data, including by using Subprocessors, in accordance with this MDPA outside the country in which the relevant Controllers are located as permitted under Data Protection Law.
- 5.2 Where (i) Personal Data of an EEA or Swiss based Controller is processed in a country outside the EEA, Switzerland and any country, organization or territory acknowledged by the European Union as safe country with an adequate level of data protection under Art. 45 GDPR, or where (ii) Personal Data of another Controller is processed internationally and such international processing requires an adequacy means under the laws of the country of the Controller and the required adequacy means can be met by entering into Standard Contractual Clauses, then
- 5.2.1 SAP and Contractor enter into the Standard Contractual Clauses; AND
- 5.2.2 SAP and each Subprocessor enter into the Standard Contractual Clauses, with Contractor representing the Subprocessors with PoA. Contractor represents and warrants to SAP that it has the necessary PoA. If requested by SAP, Contractor will further ensure that SAP may enter into Standard Contractual Clauses with Subprocessors directly (i.e. without representation by Contractor).
- 5.2.3 Nothing in the MDPA shall be construed to prevail over any stricter clause contained in the Standard Contractual Clauses (if applicable in accordance to this Section 5.2).
- 6. Other Controllers; Multi-Tier Personal Data Processing
- 6.1 This Section 6 only applies where, in connection with the Services, Contractor or a Subprocessor processes Personal Data controlled by a Controller other than SAP or an SAP Affiliate. In such case, Controller shall have the same rights as SAP under this MDPA (including the Clauses where applicable).
- 6.2 To address such situations, Contractor therefore:
- 6.2.1 grants SAP (and, for the avoidance of doubt, also any SAP Affiliates) a PoA to enter (including in electronic form) into a data processing agreement with such other Controller on Contractor’s behalf, including at least the same rights and being not more onerous than the rights and obligations under this MDPA. Whenever exercising this PoA, SAP shall, where applicable, be exempted by Contractor and Subprocessors from any applicable restrictions on self-contracting or other restrictions to represent multiple parties (including other Controllers). Such data processing agreement shall include an unchanged version of the Clauses; AND
- 6.2.2 agrees that (i) SAP Resellers and Users may accede to the Clauses with the same rights and obligations as SAP, provided that SAP and SAP Resellers and Users shall enjoy the same rights under those agreements as Contractor but in no event less than SAP’s rights under this Data Protection Agreement; AND
- 6.2.3 will enter, and ensures that Subprocessors will enter, into a direct data processing agreement including the Clauses with Controllers where this is required under Data Protection Law, by a Controller or by a competent data protection authority.
- 6.2.4 agrees that, if it is located outside the EEA, Clause 11 applies with regard to its Subprocessors.
- 6.3 Notwithstanding anything in the Service Agreement to the contrary,
- 6.3.1 Contractor has to provide to SAP the agreements with its Subprocessors as far as relevant to the processing of Personal Data on behalf of the Controller; AND
- 6.3.2 SAP may disclose to any other Controller: (i) this MDPA; (ii) any parts of the Service Agreement relevant to the processing of Personal Data on behalf of Controller; (iii) details on Contractor’s Subprocessors and Contractor’s agreements with its Subprocessors as far as relevant to the processing of Personal Data on behalf of the Controller; (iv) all information provided by Contractor and Contractor’s Subprocessors that are directly related to the processing of Personal Data on behalf of the Controller; (v) Contractor’s and Contractor’s Subprocessors’ technical and organisational measures; (vi) Contractor’s and Contractor’s Subprocessors’ audit reports and reports on Personal Data Breaches and other data protection violations; and (vii) any of SAP’s own findings with respect to Contractor’s and Contractor’s Subprocessors’ processing of Personal Data on behalf of the Controller.
- 7. Miscellaneous
- 7.1 If any provision in this MDPA is ineffective or void, this shall not affect the remaining provisions. The parties hereto shall replace the ineffective or void provision with a lawful provision that reflects the business purpose of the ineffective or void provision. The parties shall similarly add a necessary appropriate provision where such a provision is missing.
- 7.2 This MDPA, excluding the attached Clauses, may be modified by a written declaration of representatives with authority of both Parties. This written-declaration requirement can also be met by exchange of documents with an electronically transmitted signature (facsimile transmission, e-mail transmission with scanned signatures, or other electronically permissible form of contract conclusion provided by or on behalf of SAP, such as the SAP Signature Management by DocuSign® procedure).
- 7.3 This MDPA prevails over any additional, conflicting, or inconsistent terms and conditions appearing on any document submitted by either party regarding the subject of this MDPA. No other agreement may limit or extend the rights, obligations and/or liability of either Party under this MDPA and under statutory law unless expressly agreed in this MDPA or an amendment to this MDPA. Any modification, supplement or other amendment to this MDPA shall only be effective for any purpose if undertaken by representatives of the Parties who have PoA to sign and amend this MDPA and if undertaken by written declaration in accordance with Section 7.2 and by express reference to the sections of this MDPA which shall be changed.
- 7.4 Any existing data protection or processing agreement between SAP and Contractor (if any) is replaced with this MDPA (alternatively (hilfsweise), such existing data protection agreement is herewith terminated by SAP). The current Data Protection Annex of Contractor (if any), however, shall continue to be valid and now refer to this MDPA.
- 7.5 This MDPA may be terminated by either party if no contractual relationship between the parties exists any longer in which the processing of Personal Data is in scope.
- 7.6 This MDPA shall be governed by German law. The venue for any disputes related to this MDPA shall be Karlsruhe, Germany. However, any dispute with another Controller than SAP or an SAP Affiliate shall be governed by the law of the country in which the relevant Controller is incorporated; and venue shall be the seat of the respective Controller.
Annex 1
STANDARD CONTRACTUAL CLAUSES (PROCESSORS)[1]
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
SAP on behalf of SAP and the SAP Affiliates
(in the Clauses hereinafter referred to as the ‘data exporter’)
and
Contractor
(in the Clauses hereinafter referred to as the ‘data importer’)
each a ‘party’; together ‘the parties’,
HAVE AGREED to incorporate the Standard Contractual Clauses (the Clauses) located at http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32010D0087&from=en by reference to this Agreement in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
Appendix 1 to the Standard Contractual Clauses
This Appendix forms part of the MDPA and the Clauses and must be completed and signed by the parties. The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
Data exporter
The data exporter is consuming Services provided by data importer. These services may include the processing of personal data by data importer or the provisioning of maintenance and support services by data importer on systems which may contain personal data. Details are specified in Service Agreements, in particular in specific “data protection service description” annexes.
Data importer
The data importer is providing services and support or fulfilling contractual obligations towards data exporter as described in the individual contracts or purchase orders for the Services which reference this MDPA. These services may include the processing of personal data by data importer or the provisioning of maintenance and support services by data importer on systems which may contain personal data.
Data subjects
Details are specified in the contracts or purchase orders for the Services which reference this MDPA.
Categories of data
Details are specified in the contracts or purchase orders for the Services which reference this MDPA.
Special categories of data
Details are specified in the contracts or purchase orders for the Services which reference this MDPA.
Processing operations
The personal data transferred will be subject to the processing activities as described in the contracts or purchase orders for the Services which reference this MDPA.
Appendix 2 to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties.
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
The data importer represents and warrants that, with respect to every Service and prior to the commencement of any processing activities, it will have implemented (and will always maintain) detailed technical and organisational measures to ensure an appropriate level of security. The data importer will provide evidence of the implementation and maintenance of such measures as requested, including by responding to any data protection questionnaire of SAP or another Controller.
Contractor is responsible for the implementation of appropriate security measures. This Appendix describes the minimum requirements data importer must implement when providing Services. Details or deviations, if any, have to be agreed in a Data Protection Annex to this MDPA.
In some scenarios, ensuring the technical and organisational measures may not be the sole responsibility of data importer. For example, to the extent that data importer provides the Services exclusively from data exporter’s and/or the data exporter Affiliates’ and/or the respective other Controllers’ premises, or if the provisioning of Services is carried out exclusively in systems of data exporter and/or data exporter Affiliates and/or the respective other Controllers, the data importer may not control all such measures. The following table outlines the typical scenarios for the provisioning of Services:
Definition of scenarios:
With respect to these scenarios, tables at the end of the individual technical and organisational measures described hereinafter indicate data importer’s responsibility (fields marked with an “X”).
Access Control
Unauthorised persons shall be prevented from gaining physical access to premises, buildings or rooms where data processing systems which process Personal Data are located; persons are unauthorised if their activity does not correspond to tasks assigned to them. Exceptions may be granted to third party auditors for the purpose of auditing the facilities, as long as they are supervised by the data importer and do not get access to the personal data themselves.
Including, without limitation, the data importer must:
System Access Control
Data processing systems must be prevented from being used without authorization. Including, without limitation, the data importer must:
Data Access Control
Persons entitled to use a data processing system shall gain access only to the data to which they have a right of access, and Personal Data must not be read, copied, modified or removed without authorization in the course of processing. Including, without limitation, the data importer must:
Data Transmission Control
Except as necessary for the provision of the services in accordance with the service agreement, personal data must not be read, copied, modified or removed without authorization during transfer or storage and it shall be possible to establish to whom personal data was transferred to. Including, without limitation, the data importer must:
Data Entry Control
It shall be possible retrospectively to examine and establish whether and by whom personal data have been entered into data processing systems, modified or removed. Including, without limitation, the data importer must:
Job Control
Personal data being processed on commission shall be processed solely in accordance with the Subprocessing Agreement and the Service Schedule and instructions of the data exporter, the data importer and the coordinator. Including, without limitation, the data importer must:
Availability Control
Personal data shall be protected against disclosure, accidental or unauthorised destruction or loss.
Including, without limitation, the data importer must:
Organisational Requirements
The internal organisation of the data importer shall meet the specific requirements of data protection. In particular, the data importer shall take technical and organisational measures to avoid the accidental mixing of personal data.
Including, without limitation, the data importer must:
Annex 2
List of Sub-Processors
Contractor agrees to submit this Annex 2 if it utilizes Subprocessors. The Subprocessors listed below that process personal data controlled by SAP and/or SAP Resellers and Users shall be considered approved Subprocessors as outlined in Section 3.5 of the MDPA. Contractor shall maintain a list of Subprocessors (including Affiliates of Contractor, if applicable) engaged in accordance with this MDPA, subject to the service provided, and make it available to SAP at least once a year or upon request:

| Name of Sub-Processor (correct entity) | Contact Details (correct entity details) | Data Protection Officer (if applicable) |
|---|---|---|
| | | |
[1] Pursuant to Commission Decision of 5 February 2010 (2010/87/EU)