EisnerAmper Customer Data Protection Addendum

This Data Protection Addendum (Addendum) supplements the Master Services Agreement or Engagement Agreement (Agreement) entered into between Eisner Advisory Group LLC, EisnerAmper LLP and/or their respective subsidiaries (collectively, “Provider”) and the customer identified in the applicable Agreement to whom services outlined therein are provided (Customer) (referred to collectively as the “Parties”), solely to the extent that the provision of services to Customer pursuant to such Agreement requires that Provider access, create, collect, process, retain, or disclose personal information of consumers, as defined below.

WHEREAS, "EisnerAmper" is the brand name under which EisnerAmper LLP and Eisner Advisory Group LLC provide professional services. EisnerAmper LLP and Eisner Advisory Group LLC are independently owned firms that practice in an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable laws, regulations and professional standards. EisnerAmper LLP is a licensed CPA firm that provides attest services, and Eisner Advisory Group LLC and its subsidiary entities provide tax and business consulting services to clients and provide staff and other administrative resources to EisnerAmper LLP. Eisner Advisory Group LLC and its subsidiary entities are not licensed CPA firms;

WHEREAS, Customer desires to provide or make available to Provider, or permit Provider to access, create, collect, process, retain, or disclose certain personal information for the purposes of providing some or all of the services described in the Agreement (Services);

WHEREAS, Provider desires to access, create, collect, process, retain, and/or disclose certain of Customer’s personal information as necessary and appropriate to perform the Services under the Agreement;

WHEREAS, the parties wish to include provisions for the requirements of applicable data protection laws, which may include the European Union’s General Data Protection Regulation (the GDPR); the United Kingdom's General Data Protection Regulation (the UK GDPR) and the UK Data Protection Act of 2018; Cayman Islands’ Data Protection Act, (2021 Revision) and the Data Protection Regulations, 2018 (SL 17 of 2019) (Cayman DPA); the comprehensive privacy laws in the U.S. states of California, Colorado, Connecticut, Montana, Oregon, Tennessee, Texas, Utah, and Virginia (collectively, “U.S. State Privacy Laws”); and any other applicable law, regulation, or other legal requirements protecting a data subject’s privacy with respect to the processing of personal information to the extent the Agreement is subject. 

In consideration of the mutual obligations set out herein, the parties hereby agree that the terms set out below shall be added as an Addendum to the Agreement.

The terms set out in this Addendum will take effect from the date of execution of the Agreement and in the event of a conflict between this Addendum and the Agreement, the terms of this Addendum shall supersede the Agreement. 

NOW, THEREFORE, in consideration of the mutual covenants, and for continuing to perform the Services, the Parties agree as follows.

1. Definitions. The following definitions and rules of interpretation apply in this Addendum:

    1. “Appropriate Safeguards” means such legally enforceable mechanism(s) for transfers of personal information across national borders, as may be permitted under applicable data protection laws, including the EU-US Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, or the standard contractual clauses adopted by the European Commission for the transfer of personal information to third countries pursuant to the GDPR or the international data transfer agreement adopted by the UK Information Commissioner’s Office pursuant to the UK GDPR.
    2. “Authorized Persons” means the persons or categories of persons that Customer authorizes to provide or permit Provider to access personal information for processing in accordance with their instructions.
    3. “Contracted Business Purposes” means the Services described in the Agreement.
    4. “Data Controller” means the entity which alone or jointly with others determines the purposes and means of the processing of personal information.
    5. “Data Processor” means an entity that processes personal information on behalf of the Data Controller, and also includes entities acting as a “Service Provider” as that term is defined in US State Privacy Laws.
    6. “Sell” (and its conjugates, including without limitation, “selling,” “sale,” and “sold,”) means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, personal information to a third party for monetary or other valuable consideration.
    7. “Share” (and its conjugates, including without limitation, “sharing” and “shared”) means (1) sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, personal information to a third party for cross-context behavioral advertising or targeted advertising, whether or not for monetary or other valuable consideration.
    8. Unless specifically defined in this Addendum, any terms defined in an applicable data protection law, such as “consumer,” “sensitive personal information,” “data breach,” “profiling,” “cross-context behavioral advertising,” “targeted advertising,” or “third party” have the meaning given to that term or a materially similar term in that law solely to the extent that the relevant personal information is covered by that law, regardless of whether such terms are capitalized or not in this Addendum. 

2. Data Protection.

    1. Both parties will comply with all applicable requirements of the data protection laws. This clause is in addition to, and does not relieve, remove or replace, a party’s obligations under the applicable data protection laws.
    2. Schedule 1 sets out the scope, nature and purpose of processing by Provider, the duration of the processing and the types of personal information and categories of individuals whose personal information is processed under the Agreement.
    3. Without prejudice to the generality of clause 2.a, Customer shall be solely responsible for keeping the amount of personal information provided or accessible to Provider to the minimum necessary for the Services. Customer shall have sole responsibility for the accuracy, quality and legality of personal information and the means by which Customer acquired personal information, including ensuring that Customer has all necessary appropriate consents and notices in place to enable lawful transfer of the personal information to Provider for the duration and purposes of this Addendum.
    4. If a law requires Provider to disclose personal information collected pursuant to the Agreement for a purpose unrelated to the Contracted Business Purposes, Provider must first inform Customer of the legal requirement and give Customer a reasonable opportunity to object or challenge the requirement, unless the law prohibits such notice. In the event Customer fails to respond promptly and Provider determines, in its sole discretion, such disclosure is required by law, Provider may make the disclosure and shall not be liable therefor in any way under the Agreement or these Provisions.
    5. Provider will ensure that all personnel who have access to and/or process personal information are obliged to keep the personal information confidential.
    6. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, both Parties will ensure that they have in place appropriate technical and organizational measures for personal information in transit, at rest, or during processing to protect against unauthorized or unlawful processing of personal information and against accidental loss or destruction of, or damage to, personal information, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected.
    7. Provider will notify Customer without undue delay on becoming aware of a data breach.
    8. At the written request of Customer, Provider will delete or return personal information and copies thereof to Customer on termination of the Agreement except to the extent permitted or required by applicable law to store the personal information. 

3. Provider’s Obligations as Independent Controller. This section applies solely to the extent that Provider and Customer each acts as an independent Controller as required or permitted by applicable data protection laws. Provider acts as an Independent Controller in the European Union when providing accounting and auditing services where Provider is required by law and applicable standards of professional ethics to exercise independent judgment and process data in accordance with its own obligations. 

    1. Customer authorizes Provider to engage vendors to process personal information as required for assistance with the Services. Provider shall ensure the arrangement between Provider and the vendor is governed by a written contract including terms which offer at least the same level of protection for personal information as those set out in this Addendum, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of this Addendum and the applicable data protection laws.
    2. Provider shall maintain any personal information in confidence to be used solely for the Services and compatible purposes.

4. Provider’s Obligations as Processor. This section applies when Provider acts as a Processor of personal information on behalf of Customer.  Without prejudice to the generality of clause 2.a, Provider shall comply with the following in relation to any personal information processed in connection with the performance by Provider of its obligations under the Agreement, where applicable. Provider is a Processor when providing services in the EU where it is not legally required to exercise independent judgment and in the United States when providing services to entities subject to US State Privacy Laws. 

    1. Customer shall ensure all instructions given by it to Provider in respect of personal information shall at all times be in accordance with applicable data protection laws.
    2. Provider will process personal information only as reasonably necessary and proportionate to achieve the Contracted Business Purpose for which Customer provides or permits the processing of personal information, consistent with Customer’s written instructions from an Authorized Person, unless Provider is required by law to process that personal information in some other way. In particular, to the extent permitted by applicable data protection laws, Provider may make internal use of personal information to build or improve the quality of its services, provided such use is not to perform services on behalf of another person. Provider will not be obligated to follow instructions from any persons at Customer other than Authorized Persons.
    3. Provider will immediately inform Customer if Provider is requested to take any action which may be inconsistent with applicable data protection laws or if Provider makes a determination that it can no longer meet its obligations under this Addendum or applicable data protection laws.
    4. Provider will assist Customer and promptly comply with any reasonable Customer instruction, at Customer's cost charged at Provider’s then current fees, in responding to any request from an individual pursuant to privacy rights under applicable data protection laws and in ensuring compliance with its obligations solely to the extent that the relevant personal information is covered by the applicable data protection laws with respect to security, data breach notifications, impact assessments and consultations with supervisory authorities or regulators. The obligations in this paragraph are subject to the nature of the processing and information available to Provider and any available exceptions under applicable data protection laws. In its role as a Data Processor, Provider will not be required to comply with a request submitted directly to Provider by an individual, but shall promptly inform Customer of the request and reasonably cooperate with Customer as detailed in this clause.
    5. Provider will maintain complete and accurate records and information to demonstrate its compliance with the applicable data protection laws and to enable Customer to take reasonable and appropriate steps to ensure compliance with its legal obligations solely to the extent required by applicable data protection laws.
    6. Where required by applicable data protection laws, Provider will permit audits by Customer or Customer's designated auditor, subject to a maximum of one audit request in any 12-month period, at Customer’s cost. In all other instances and where permitted by applicable data protection laws, in lieu of an audit, Provider may elect to arrange for a qualified and independent assessor to conduct an assessment of Provider’s policies and technical and organizational measures in support of its obligations under the applicable data protection laws with respect to personal information collected pursuant to the Agreement using an appropriate and accepted control standard or framework and assessment procedure for such assessments and provide a report of such assessment to Customer upon written request.
    7. Customer consents to Provider appointing sub-processors to process personal information under the Agreement, and provides a general authorisation for Provider to appoint further sub-processors. A list of Provider’s current sub-processors is available at https://www.eisneramper.com/privacy-documents/eisneramper-llp-sub-processors/. Provider confirms that it has entered or (as the case may be) will enter into a written agreement with the sub-processor incorporating terms that are substantially similar to those set out in this Addendum or that are required to qualify the sub-processor as a Data Processor under applicable data protection laws. As between Customer and Provider, Provider shall remain fully liable for all acts or omissions of any sub-processor appointed by it pursuant to this clause. The list of sub-processors engaged by Provider will be provided upon request. Where required by applicable data protection laws, Provider will inform Customer of any addition, replacement, or other changes of sub-processors and provide Customer with the opportunity to reasonably object to such changes on legitimate grounds. To the extent U.S. State Privacy Laws apply to the processing of personal information under the Agreement, Provider may not make any disclosures of personal information to the sub-processors in ways that the U.S. State Privacy Laws would treat as a Sale or Sharing of personal information.
    8. To the extent required by U.S. State Privacy Laws, Provider will not: (i) process personal information collected pursuant to the Agreement for Provider’s own commercial purposes that are outside of the Contracted Business Purposes; (ii) process personal information collected pursuant to the Agreement for any purpose outside of the direct business relationship between the parties; (iii) combine personal information collected from different sources in a way that is inconsistent with its role as a Data Processor under the U.S. State Privacy Laws; or (iv) Sell or Share personal information belonging to Customer. Provider certifies that it understands the restrictions contained in this clause and will comply with them.
    9. If the Contracted Business Purposes require Provider to collect personal information directly from consumers on Customer’s behalf, Provider will provide the relevant notice using the form and content that Customer specifically pre-approves in writing and will not modify or alter the notice in any way without Customer’s prior written consent. This clause is in addition to and does not relieve, remove, or replace Customer’s obligation under clause 2.c.
    10. Provider must notify Customer promptly if it receives any complaint, notice, or communication that directly or indirectly relates to either Party’s compliance with applicable data protection laws with respect to personal information collected pursuant to the Agreement.
    11. Provider will permit Customer, upon thirty (30) days advance written notice, to take reasonable and appropriate steps to stop and remediate the use of personal information collected pursuant to the Agreement that is unauthorized under applicable data protection laws and this Addendum.

5. International Data Transfer 

    1. Customer acknowledges that Provider’s primary processing facilities are based in the United States of America. Customer agrees that Provider may transfer personal information outside of the jurisdiction where the personal information was collected to affiliated entities or a sub-processor. Where Provider initiates such transfer and solely to the extent required by applicable data protection laws, Provider shall implement Appropriate Safeguards and comply with any other requirements (such as obtaining consent or ensuring an appropriate legal basis for the transfer) in accordance with applicable data protection laws.
    2. To the extent that Customer transfers Personal Data for purposes of the Agreement to Provider or directs Provider to transfer Personal Data to Customer from the European Economic Area (“EEA”) or Switzerland to the United States of America, the Parties acknowledge that Provider is an active participant in the EU-US Data Privacy Framework, the UK Extension to the EU-US Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework, which requirements govern such transfer.

6. General

    1. To the extent permitted by applicable data protection laws, nothing in the Agreement or these Provisions, whether expressed or implied, is intended to confer any rights or remedies under or by reason of same on any persons, including consumer, other than the Parties to it and their respective successors and permitted assigns, nor shall any provisions give any third parties any right of subrogation or action against any Party to the Agreement.

Schedule 1

Processing, personal information and individuals

Processing of personal information by Provider under the Agreement shall be for the subject matter, duration, nature and purposes and involve the types of personal information and categories of individuals set out in this Schedule 1.

1. Processing by Provider

  1. Subject matter of processing
    The subject matter of the data processing under this Addendum is Customer's personal information processed by Provider pursuant to the services provided to Customer under the Agreement.
  2. Nature and purpose of processing
    Provider will process personal information for the purposes of providing the services to Customer in accordance with the Agreement.
  3. Duration of the processing
    The duration of the processing under the Agreement is determined by Customer and as set forth in the Agreement.

2. Types of personal information
Data relating to individuals processed by Provider in order to provide services under the Agreement, including of Customer’s personnel and customers, including but not limited to the following:

  1. First and last name
  2. Mailing address
  3. Bank account information

3. Categories of data subject

  1. Fund employees, managers and investors