Data Sharing Agreement

This Data Sharing Agreement (“DSA”) forms part of the Master Services Agreement or Engagement Letter (the "Agreement") between EisnerAmper LLP, Eisner Advisory Group LLC (“EA” or “Company”) and the Client, as defined in the Agreement, referred to jointly as the “Parties” and individually as the “Party.”

In consideration of the mutual obligations set out herein, the Parties hereby agree that the terms and conditions set out below shall be added as an addendum to the Agreement and shall have the meanings set forth in this DSA. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement, otherwise, terms defined herein shall prevail over any and all such terms related to the processing of Personal Data as defined in the Agreement.

Except as modified below, the terms of the Agreement shall remain in full force and effect.  Except where the context requires otherwise, references in this DSA to the Agreement are to the Agreement as amended by, and including, this DSA. In the event of any conflict or inconsistency between this DSA and any Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

1. Definitions.

1.1 The following terms shall have the meanings set out below:

1.1.1 "Applicable Laws" means all mandatory laws and regulations, including laws and regulations of the European Union, the European Economic Area and their Member States, the U.K., and Switzerland applicable to the Processing of Personal Data under the Agreement;

1.1.2 “Controller” means the entity that determines the purposes and means of the Processing of Personal Data. For the purposes of this DSA, EA and Client are Controllers.

1.1.3 "Data Protection Laws" means EEA Data Protection Laws, UK Data Protection Laws, or data protection or privacy laws of other countries that govern the processing of Client Personal Data.

1.1.4 “Data Subject” means the identified or identifiable natural person to whom the Personal Data pertains, as referred to in Article 4 of the GDPR;

1.1.5 "GDPR" means, as applicable, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("EU GDPR"); or the EU GDPR as it forms part of the laws of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR").

1.1.6 "Restricted Transfer" means: a transfer of Client Personal Data from Client to Company; or an onward transfer of Client Personal Data from Company to a Controller or Processor, or between two establishments of Company

where such transfer would be prohibited by applicable Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of the Standard Contractual Clauses or an alternative adequate transfer mechanism.

1.1.7 “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. In connection with the application of the Data Protection Laws, this term shall be defined only as broadly as set forth in the applicable Data Protection Laws referenced herein.

1.1.8 “Personal Data Breach” means the actual or reasonably suspected compromise of the security, confidentiality, integrity, or availability of Personal Data, including any unlawful or unauthorized access to or processing, acquisition, distribution, disclosure, loss, alteration, or destruction of Personal Data as referred to in Article 4 of the GDPR.

1.1.9 “Process/Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, as referred to in Article 4 of the GDPR.

1.1.10 "Services" means the services constituting Company’s services and other activities provided by Company to Client pursuant to the Agreement.

1.1.11 "Standard Contractual Clauses" means those clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 set out in the European Commission decision 2021/914 of 4 June 2021;

1.2 The word "include" shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.

2. Data Controller.

Parties agree that each is an independent Data Controller under this Agreement.

3. Obligations of Client.

3.1 Client shall be solely responsible for keeping the amount of Client Personal Data provided or accessible to Company to the minimum necessary for the Services.

3.2 Client shall have sole responsibility for the accuracy, quality and legality of Client Personal Data and the means by which Client acquired Client Personal Data.

3.3 Client represents that it has obtained all required consents and authorizations from Data Subjects or their lawful personal representatives for Processing Client Personal Data, including disclosing such Personal Data to Company, or otherwise has determined the transfer and Processing of such Client Personal Data for purposes of the Services to be lawful under the applicable Data Protection Laws.

3.4 Client authorizes Company to engage third parties as required for assistance with the Services. Company shall ensure the arrangement between Company and third parties is governed by a written contract including terms which offer at least the same level of protection for Client Personal Data as those set out in this DSA, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of this DSA and the GDPR.

4. Obligations of Company.

4.1 Company shall maintain any Client Personal Data in confidence to be used solely for the Services and compatible purposes.

4.2 Company shall comply in all respects with all international, federal, state and local privacy and data security laws, regulations and ordinances (“Government Regulations”) relating to the access, maintenance, use, protection or disclosure of Client Personal Data to which such Government Regulations apply, including, without limitation, any Personal Data Breach notification requirements.

4.3 Company shall use appropriate safeguards to prevent any access, use or disclosure of Client Personal Data other than as required for the Services and compatible purposes or as permitted under this Agreement, which shall include but not be limited to administrative, physical and technical safeguards as necessary and appropriate to protect the confidentiality, integrity and availability of Client Personal Data.

4.4 As applicable, Company shall provide reasonable assistance to Client for the fulfilment of Client’s obligations to respond to Data Subject requests to exercise rights under the Data Protection Laws with respect to Client Personal Data.

5. Transfer.

5.1 A Restricted Transfer of Personal Data from Client to Company shall be subject to the following adequate protections, as applicable:

5.1.1 To the extent Client Personal Data is subject to the EU GDPR, the relevant Standard Contractual Clauses shall apply.

5.1.2 To the extent Client Personal Data is subject to the UK GDPR, the UK International Data Transfer Agreement shall apply.

5.1.3 To the extent Client Personal Data is subject to the Swiss DPA, the Standard Contractual Clauses shall apply with the designations and modifications set out below, which are intended to comply with the Swiss DPA and all Swiss data privacy laws. References to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA. References to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the Swiss DPA. References to “EU”, “Union” and “Member State” shall be replaced with references to “Switzerland.” Clause 13(a) and Part C of Annex I shall not be used and the “competent supervisory authority” shall be the Swiss Federal Data Protection and Information Commissioner. In Clause 17, the laws of Switzerland shall govern. In Clause 18(b), disputes shall be resolved before the competent courts of Switzerland. The term “Personal Data” shall be deemed to include the data of legal entities to the extent such data is protected under the Swiss DPA. Any amendments to the Swiss DPA, or by the Information Commissioner, codified after the Effective Date, in order to continue to comply with the Swiss DPA.

6. Retention.

Company agrees to securely delete all copies of Client Personal Data in its possession upon the later of 1) termination of the Services, 2) in accordance with Company’s data retention schedules, or 3) when Client Personal Data is no longer needed for compliance with applicable legal requirements or Company’s legitimate business needs.

7. Term.

This Agreement shall survive as long as Company retains Client Personal Data.

8. General Terms.

Governing law and jurisdiction
The Parties to this DSA hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DSA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and this DSA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.

Entire Agreement
This DSA sets forth the full and complete understanding of the Parties hereto with regard to its subject matter. Except as herein otherwise provided, no amendment or modification of, or supplement to, this Agreement shall be binding unless duly executed in writing by each of the Parties hereto.

Should any provision of this DSA be invalid or unenforceable, then the remainder of this DSA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

This Agreement may be executed in one or more counterparts and all such counterparts shall constitute one and the same agreement and shall become effective when one or more counterparts have been signed by each Party and delivered to the other Party (which delivery may occur by facsimile or other secure electronic transmission without the need to obtain signed originals).

IN WITNESS WHEREOF, this Data Sharing Agreement is entered into and becomes a binding part of the Agreement with effect from the date set out in the underlying Agreement.