Data Processing Addendum

DEFINITIONS.

The following terms shall have the following meanings. Capitalized terms not defined herein shall have the same meaning set forth in the Sapience Master Software Agreement (the “Agreement”)

“Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with a Party.

“Business Contact Data” means (i) contact information of Customer’s representatives for invoicing, billing, and other business inquiries; (ii) information on Customer’s usage of Services; and (iii) other information that Sapience collects and needs to communicate with Controller.

“Controller” means the party or parties to this DPA that determine(s) the purposes and means of the Processing of Personal Data for purposes of the Agreement.

“Controller Personal Data” means any Personal Data Processed by a Party under the Agreement in its capacity as a Controller.

“Data Protection Law” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including, as applicable, the laws and regulations of the United States, the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the California Consumer Privacy Act of 2018 (“CCPA”).

“Data Subject” means an identified or identifiable natural person whose Personal Data is, or will be, Processed.

“Personal Data” shall mean “personal data,” “personal information,” or equivalents as defined in applicable Data Protection Laws. In the absence of applicable Data Protection Laws, “Personal Data” shall mean any information relating, directly or indirectly, to an identified or identifiable natural person.

“Process,” “Processes,” “Processing,” or “Processed” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collecting, recording, accessing, releasing, disclosing, making available, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, dissemination or otherwise, aligning or combining, restricting, erasing or destroying.

“Processor” means a Party to DPA that Processes Personal Data on behalf of the Controller or Controller’s Affiliates. The term Processor as used herein is equivalent to the term “Processor” as used in the GDPR, and the term “Service Provider” as used in the CCPA.

“Services” means the services provided or received by the Parties pursuant to the Agreement.

“Standard Contractual Clauses” means the agreement executed by and between Controller and Processor pursuant to the European Commission’s decision on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection found at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32010D0087&from=en.

“Subprocessor” means another Processor engaged by Processor with specific instructions to carry out Personal Data Processing Activities listed at https://d824jnzl62zcj.cloudfront.net/subprocessors/.

“Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR.

GENERAL TERMS.

Roles of Parties. The Parties acknowledge and agree that for purposes of this DPA, Sapience is a Processor of the Personal Data Processed in connection with the Agreement, and that Customer is a Controller:

Personal Data Processing.  In connection with its performance of the Services specified in the Agreement,

Processor will Process the Personal Data relating to the Controller Data Subjects. The Agreement may include restrictions regarding the types of Personal Data that may be provided by Customer to Sapience and such restrictions are hereby incorporated into this DPA.

Sapience will comply with all laws, including Data Protection Laws, in connection with the performance of Services.

Limitations and Prohibitions.

Processor shall only Process Controller Personal Data during the term of the Agreement and for the purpose of performing the services specified in the Agreement. Customer is the owner of any and all Personal Data.

Processor shall (1) limit access to Controller Personal Data to only those employees or agents that require access to perform their roles and responsibilities in connection with the Services, and (2) under no circumstances rent, sell or disclose Controller Personal Data, except as otherwise allowed under the Agreement.

Processor will not combine Controller Personal Data with data from any other source, company, organization or entity, unless necessary to provide the Services. Processor will not copy or reproduce Controller Personal Data for its own purposes or those of any subprocessor or other third party.

DATA SECURITY.

Processor will maintain appropriate physical, technical and organizational informational security measures set out in Annex II to protect the integrity, security and confidentiality of all Controller Personal Data against any anticipated threats or hazards, and/or unauthorized access to or use of such data.  The information security measures in Annex II, may be supplemented or modified in the applicable transaction document, to protect Controller Personal Data and Business Contact Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, or access.

Controller acknowledges that Processor may change the security measures through the adoption of new or enhanced security technologies and authorizes Processor to make such changes provided that they do not diminish the level of protection.  Processor shall make information about the most up to date security measures applicable to the Services available to Controller upon request.

Data Retention and Deletion.

Processor shall retain Controller Personal Data for only so long as necessary to perform its obligations under the Agreement, unless otherwise required under applicable laws.

Upon termination or expiration of the Agreement or earlier as requested by Controller, Processor shall destroy or return to Controller (at Controller’s election) all Controller Personal Data in its possession, custody and control, except for such Personal Data as must be retained under applicable law (which Processor shall destroy once it is no longer required under applicable law to retain). At Controller’s request, Processor shall provide Controller with a written log evidencing the destruction and any retention of Controller Personal Data.

Data Security Incidents.

Notice to Controller. Processor shall notify Controller within forty-eight (48) hours of discovery of unauthorized access to, acquisition or disclosure of Controller Personal Data, or other identified breach of security or confidentiality with respect to Controller Personal Data in Processor’s or its representatives’ control or possession (a “Data Security Incident”).

Third Party Notices. If a Data Security Incident requires notice to any regulator, Data Subject or other third party: (1) Controller shall have sole control over the content, timing and method of distribution of any needed notice, unless otherwise required by applicable law; (2) Processor may notify the affected parties only upon Controller’s prior written approval and instructions, unless otherwise required by applicable law; and (3) Processor shall reimburse Controller for all reasonable expenses incurred by Controller in connection with any notice with respect to any breach of security or confidentiality for which Processor is responsible.

Notice requirements. The notice to Controller shall include:

• a description of the Data Security Incident, including the date and time the Data Security Incident was discovered;
• an overview of the affected Personal Data;
• the number of Data Subjects affected;
• the expected consequences of the Data Security Incident; and
• a description of the measures taken by Processor to mitigate such consequences.

Indemnification. In addition to the terms set forth in the Agreement, Processor agrees to indemnify, defend and hold harmless

Controller, its directors, officers, employees and agents from and against any and all losses, damages, fees and expenses arising from any claims due to Processor’s loss, alteration, or misuse of Controller Personal Data, or unauthorized access to or destruction or disclosure of Controller Personal Data when under Processor’s sole control.

Limitation of Liability.  Any loss suffered by a Party resulting from, arising out of or relating to a breach of this DPA by the other Party that is not due to claims from third parties shall be governed by the provisions regarding limitation of liability in the Agreement.

PROCESSOR TERMS.

Compliance with Controller instructions and applicable laws. In connection with its Processing of Controller Personal Data, Processor shall not be required to comply with or observe Controller’s instructions if, in its reasonable discretion, such instructions would violate any Data Protections Laws and regulations, and Sapience shall promptly notify Controller of such. This DPA, the Agreement, and Customer’s use of the Services, features and functionality, are Customer’s complete set of instructions to Sapience in relation to the processing of Personal Data.

Business Contact Data. Processor shall also comply with all applicable laws and Processor’s privacy policy with respect to the Processing of Business Contact Data and use Business Contact Data only for legitimate business purposes, including, without limitation, for invoicing, collections, service usage monitoring and optimization, service improvements, maintenance, support, communications relating to contract renewals (directly or through a subprocessor acting on Processor’s behalf or a Processor approved reseller for contract renewal purposes) and information about new and additional services.

Internal Audits. Upon written request, Processor shall provide, if available, any data security compliance reports or audit reports that assess the effectiveness of Processor’s information security program, system(s), internal controls, and procedures relating to the Processing of Personal Data.

Controller Audits. Certain information about Processor’s security standards and practices are sensitive confidential information which will not be disclosed by Processor to Controller.  Upon request, Processor agrees to respond, no more than once per year, to a reasonable information security questionnaire concerning security practices specific to the Services provided hereunder.  Upon reasonable advance written notice in no case fewer than five (5) business days and Processor acceptance, Controller may, not more than once per year, during normal business hours and at its own expense, inspect Processor’s facilities, networks and procedures directly related to the processing of Controller Personal Data in order to determine compliance with this DPA.  Processor shall reasonably cooperate with such audit by providing access to knowledgeable personnel, physical premises as applicable, documentation, infrastructure, and any application software that Processes Controller Personal Data. Controller shall be responsible for its costs and expenses of such audit. Processor will promptly address and correct any deficiencies identified in any such audit.

Requests or Demands from Governmental or Regulatory Bodies. Processor shall inform Controller as soon as possible if it receives a request or demand from a governmental or regulatory body with authority over Processor or Controller relating to Processor’s Processing of Controller Personal Data and shall fully cooperate with Controller in connection with such investigation or audit.

Data Subject Rights. If Processor receives a request from a Data Subject relating to their Controller Personal Data, Processor shall immediately forward the request to Controller and provide all reasonable cooperation necessary to fulfill the Data Subject’s request in compliance with applicable laws.

Cross Border Transfers. To the extent that Processor Processes the Personal Data of Data Subjects in, or in relation to services provided in the European Economic Area (EEA) in connection with its performance of the Services and such Personal Data is transferred outside of the EEA, the Parties hereby incorporate, and Processor agrees to comply with the Standard Contractual Clauses found in Annex IV that are approved by the European Commission for data transfers to processors that are current at the time of the data transfer.

Subprocessors.

Prior written consent. By executing this DPA, Controller has given its general written consent and authorization for Sapience to engage Subprocessors in connection with the Services. Controller may request a copy of such agreement between Processor and any Subprocessor and may withhold consent to the use of such Subprocessor if Processor does not provide such agreement or such agreement does not contain sufficient protection of Controller Personal Data.  A current list of Subprocessors is found at https://d824jnzl62zcj.cloudfront.net/subprocessors/, such link may be updated by Sapience from time to time.

Onward Transfer of Personal Data. Any transfer by Processor of Personal Data to a Data Sub-processor will be governed by a written contract providing that the Subprocessor will process Personal Data in accordance with Sapience’s instructions as required by Data Protection Laws.

Appointment of new Data Sub-processors. Sapience may not transfer Personal Data to any other Subprocessor without providing prior written notice to Controller, provided that Controller will have ten (10) business day to reasonably object that such change causes Controller to be in violation of Data Protection Laws.  In the even that Controller has not provided an objection to such changes within ten (10 ) business days, Controller will be deemed to have waived its right to object and to have consented to the use of the new or alternative Subprocessor. In the event that Controller reasonably objects to such change, Sapience shall, in its discretion, use commercially reasonable efforts to (1) offer an alternative to provide the Service to Controller per the Agreement; (2) take the corrective steps requested by Controller in its objection and proceed to use the new Subprocessor; or (3) cancel its plans to use the Subprocessor.  If Sapience is unable or unwilling to achieve either (1)-(3) in its sole discretion and the objection has not been resolved to the mutual satisfaction of the parties within thirty (30) days from the receipt by Sapience of the objection, Controller may, as its sole and exclusive remedy available under this paragraph, terminate its applicable services under the Agreement with respect only to those aspects of the Service which cannot be provided by Sapience without the use of the new Subprocessor. In such event, Sapience shall refund Controller any unused, prepaid fees for the applicable Service covering the remainder of the subscription term after the date of termination.

Liability. Processor is responsible for all acts of the Subprocessors with respect to processing Customer data.

CONTROLLER TERMS.

Role of Controller:

• is an independent controller of Controller Personal Data under the Data Protection Law.
• will individually determine the purposes and means of its Processing of Controller Personal Data.
• will individually inform Data Subjects and allow Data Subjects to exercise their rights under applicable laws.
• will comply with the obligations applicable to it under the Data Protection Law with respect to the Processing of Controller Personal Data.

Restrictions. Notwithstanding anything to the contrary under this Exhibit, this Exhibit will not affect any restrictions on either Party’s rights to use or otherwise Process Controller Personal Data under the Agreement.

MISCELLANEOUS.

Termination and Survival. This DPA and all provisions herein shall survive so long as, and to the extent that, Processor Processes or retains Controller Personal Data; provided that the indemnity provisions herein shall survive expiration or termination of the Agreement.

Ineffective clause. If individual provisions of this Agreement are or become ineffective, the effectiveness of the remaining provisions shall not be affected. The Parties shall replace the ineffective clause with a legally allowed clause, which will accomplish the intended commercial intention as closely as possible.

Conflict. In case of contradictions between this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail.

Applicable law and jurisdiction. The applicable law and jurisdiction as set forth in the Agreement apply to this Agreement.

ANNEX I

1. LIST OF PARTIES

MODULE TWO: Transfer controller to processor

Data exporter:

1. Name: x

Address: x

Contact:  x

Activities relevant to the data transferred under this Data Processing Addendum.

Role:  Controller

Data importer:

1. Name: Sapience Analytics Corporation

Address: 7850 Collin McKinney Pkwy Suite 201 McKinney, TX 75070

Contact person:  Noel Camacho, IT Security and Compliance Manager

Activities relevant to the data transferred under these Clauses:

• Access Control
• Availability Control
• Integrity Control
• Transmission Control
• Input Control
• Documentation
• Monitoring

Role: Processor

B.     DESCRIPTION OF TRANSFER                                                        

MODULE TWO: Transfer controller to processor                     

Categories of data subjects whose personal data is transferred

• Employees
• Contractors

Categories of personal data transferred:

• First and last name
• User ID
• Device ID
• Email address
• Work Address
• IP Address
• Internet Cookie

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

Not Applicable. Sapience Analytics Corporation does not process sensitive data as defined by Article 9 of the GDPR.

The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis):

Continuous data transfer from data subject device(s) to Sapience Analytics Corporation’s Cloud Environment

Nature of the Processing

Workforce Analytics

Purpose(s) of the data transfer and further processing:

Data transferred to Sapience Analytics is used for the purposes of storage, business intelligence, and application processing.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

Throughout the duration of customer contract or at the authorized request of the customer contact via Customer Support Functions.

For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing

• Microsoft Azure – Cloud hosting provider for Sapience Analytics Corporation.
• Auth0 – Authentication data for the session on the Sapience platform web-application.
• Confluent Cloud – Data streaming service to consolidate data processed by Canopy to internal databases. Duration of processing is as long as the data subject is a registered user for the Sapience platform

ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

MODULE TWO: Transfer controller to processor

EXPLANATORY NOTE:

The technical and organisational measures must be described in specific (and not generic) terms. See also the general comment on the first page of the Appendix, in particular on the need to clearly indicate which measures apply to each transfer/set of transfers.

• Organizational management and dedicated staff responsible for the development, implementation, and maintenance of Sapience Analytics Corporation’s information security program.
• Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to the Sapience Analytics Corporation organization, monitoring and maintaining compliance with Sapience Analytics Corporation policies and procedures, and reporting the condition of its information security and compliance to senior internal management.
• Maintain Information security policies and make sure that policies and measures are regularly reviewed and where necessary, improve them.
• Communication with Sapience Analytics Corporation applications utilizes cryptographic protocols such as TLS to protect information in transit over public networks. At the network edge, stateful firewalls, web application firewalls, and DDoS protection are used to filter attacks. Within the internal network, applications follow a multi-tiered model which provides the ability to apply security controls between each layer.
• Data security controls which include logical segregation of data, restricted (e.g., role-based) access and monitoring, and where applicable, utilization of commercially available and industry-standard encryption technologies, minimization of data collection, and limiting data retention.
• Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g., granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review, and revoking/changing access promptly when employment terminates or changes in job functions occur).
• Password controls designed to manage and control password strength, and usage including prohibiting users from sharing passwords.
• System audit or event logging and related monitoring procedures to proactively record user access and system activity for routine review.
• Physical and environmental security of data center, server room facilities and other areas containing Customer confidential information designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor, and log movement of persons into and out of Sapience Analytics Corporation facilities, and (iii) guard against environmental hazards such as heat, fire, and water damage.
• Operational procedures and controls to provide for configuration, monitoring, and maintenance of technology and information systems according to prescribed internal and adopted industry standards, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Sapience Analytics Corporation possession.
• Change management procedures and tracking mechanisms to designed to test, approve, and monitor all changes to Sapience Analytics Corporation technology and information assets.
• Incident / problem management procedures designed to allow to Sapience Analytics Corporation investigate, respond to, mitigate, and notify of events related to Sapience Analytics Corporation technology and information assets.
• Network security controls that provide for the use of enterprise firewalls and layered DMZ architectures, and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
• Vulnerability assessment, patch management, and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate, and protect against identified security threats, viruses, and other malicious code.
• Business resiliency/continuity and disaster recovery procedures, as appropriate, designed to maintain service and/or recovery from foreseeable emergency situations or disasters.
• Formal Vendor Management program, including vendor security reviews for critical vendors to ensure compliance with Sapience Analytics Corporation Information Security Policies.

Details of the Technical and Organizational controls can be found in Sapience Analytics, Inc.’s SOC 2 Type 2 Report

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter. Sub-processor technical and organizational measures can be found in the following:

• Microsoft Azure: https://servicetrust.microsoft.com/ViewPage/MSComplianceGuideV3
• Auth0: https://auth0.com/security
• Confluent Cloud:
  • https://assets.confluent.io/m/78ad5f3b218ba12f/original/20200101-Confluent_Cloud_DPA.pdf
  • https://www.confluent.io/trust-and-security#trust-and-security-form

 

ANNEX III – LIST OF SUB-PROCESSORS

MODULE TWO: Transfer controller to processor

The controller has authorised the use of the following sub-processors:

1. Name: Microsoft Azure

Address: One Microsoft Way, Redmond, WA 98052

Contact person’s name, position, and contact details: https://www.microsoft.com/en-us/concern/privacy

Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):

• Microsoft Azure is the cloud hosting provider for Sapience Analytics and hosts cloud security tools in support of Sapience products.

• Name: Auth0

Address: 10800 NE 8th Street Suite 700 Bellevue, WA 98004

Contact person’s name, position, and contact details: https://www.microsoft.com/en-us/concern/privacy

Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):

• Identity as a service tool for the Sapience platform. It manages authentication and identity of data subjects for the Sapience platform.

• Name: Confluent Cloud

Address: 899 W Evelyn Ave, Mountain View, CA 94041

Contact person’s name, position, and contact details: https://www.confluent.io/contact

Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):

• Data streaming service to consolidate data collected by the Sapience Lens collector and send data to internal databases.

ANNEX IV – TRANSFER IMPACT ASSESSMENT

In light of the “Schrems II” ruling of the Court of Justice for the European Union and the recommendations from the European Data Protection Board, Sapience Analytics Corporation has included this Annex to describes the legal regimes applicable to Sapience Analytics Corporation in the US, the safeguards Sapience Analytics Corporation puts in place in connection with transfers of customer personal data from the European Economic Area, United Kingdom or Switzerland (“Europe”), and Sapience Analytics Corporation’s ability to comply with its obligations as “data importer” under the Standard Contractual Clauses (“SCCs”).

Data Transfers

Where Sapience Analytics Corporation processes personal data governed by European data protection laws as a data processor (on behalf of Sapience Analytics Corporation’s customers), Sapience complies with its obligations under its Data Processing Addendum available at Data Processing Agreement (“DPA”). The DPA provides the description of Sapience Analytics Corporation’s processing of customer personal data.

A list of all of Sapience Analytics Corporation’s data sub-processors is available at https://sapienceanalytics.com/subprocessors/ and in Annex III.

Sapience Analytics imports data from data exporter outlined in Annex I to its Microsoft Azure Data Center located in the United States of America.

Transfer Mechanism

Sapience Analytics Corporation relies upon the European Commission’s SCCs to provide an appropriate safeguard for the transfer of personal data originating from Europe. Sapience Analytics Corporation enters into SCCs with third party sub-processors when customer personal data originating from Europe is transferred to Sapience Analytics Corporation, or transferred by Sapience Analytics Corporation and its third-party sub-processors.

Regulations Applicable Data Transfers

The following US laws were identified by the Court of Justice of the European Union in Schrems II as being potential obstacles to ensuring equivalent protection for personal data in the US:

• FISA Section 702 (“FISA 702”)
  • FISA 702 allows US government authorities to compel disclosure of information about non-US persons located outside the US for the purposes of foreign intelligence information gathering. This information gathering must be approved by the Foreign Intelligence Surveillance Court in Washington, DC. In-scope providers subject FISA 702 are electronic communication service providers (“ECSP”) within the meaning of 50 U.S.C § 1881(b)(4), which can include remote computing service providers (“RCSP”), as defined under 18 U.S.C. § 2510 and 18 U.S.C. § 2711.
• Executive Order 12333 (“EO 12333”)
  • EO 12333 – authorizes intelligence agencies (like the US National Security Agency) to conduct surveillance outside of the US. In particular, it provides authority for US intelligence agencies to collect foreign “signals intelligence” information, being information collected from communications and other data passed or accessible by radio, wire and other electromagnetic means. This may include accessing underwater cables carrying internet data in transit to the US. EO 12333 does not rely on the compelled assistance of service providers, but instead appears to rely on exploiting vulnerabilities in telecommunications infrastructure.
• CLOUD Act
  • The CLOUD Act is the US statute governing how law enforcement agencies may obtain information held by certain technology companies, including cloud service providers.

Further information about these US surveillance laws can be found in the U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II whitepaper from September 2020. This whitepaper details the limits and safeguards pertaining to US public authority access to data and was issued in response to the Schrems II ruling.

Regarding FISA 702 the whitepaper notes:

• For most companies, the concerns about national security access to company data highlighted by Schrems II are “unlikely to arise because the data they handle is of no interest to the U.S. intelligence community.” Companies handling “ordinary commercial information like employee, customer, or sales records, would have no basis to believe US intelligence agencies would seek to collect that data.”
• There is individual redress, including for EU citizens, for violations of FISA section 702 through measures not addressed by the court in the Schrems II ruling, including FISA provisions allowing private actions for compensatory and punitive damages.

Regarding Executive Order 12333 the whitepaper notes:

• EO 12333 does not on its own “authorize the U.S. government to require any company or person to disclose data.” Instead, EO 12333 must rely on a statute, such as FISA 702 to collect data.
• Bulk data collection, the type of data collection at issue in Schrems II, is expressly prohibited under EO 12333.

Regarding CLOUD Act the whitepaper notes:

• The CLOUD Act only permits U.S. government access to data in criminal investigations after obtaining a warrant approved by an independent court based on probable cause of a specific criminal act.
• The CLOUD Act does not allow U.S. government access in national security investigations, and it does not permit bulk surveillance

Is Sapience Analytics Corporation subject to FISA 702 or EO 12333?

Sapience Analytics Corporation, like most US-based SaaS companies, could technically be subject to FISA 702 where it is deemed to be a RCSP. However, Sapience Analytics Corporation does not process personal data that is likely to be of interest to US intelligence agencies.

Furthermore, Sapience Analytics Corporation is not likely to be subject to upstream surveillance orders under FISA 702, the type of order principally addressed in, and deemed problematic by,the Schrems II decision. Sapience Analytics Corporation does not provide internet backbone services, but instead only carries traffic involving its own customers. To date, the U.S. Government has interpreted and applied FISA 702 upstream orders to only target market providers that have traffic flowing through their internet backbone and that carry traffic for third parties (i.e., telecommunications carriers).

EO 12333 contains no authorization to compel private companies (such as Sapience Analytics Corporation) to disclose personal data to US authorities and FISA 702 requires an independent court to authorize a specific type of foreign intelligence data acquisition which is generally unrelated to commercial information. In the event that US intelligence agencies were interested in the type of data that Sapience Analytics Corporation processes, safeguards such as the requirement for authorization by an independent court and the necessity and proportionality requirements would protect data from excessive surveillance.

In the event that Sapience Analytics Corporation receives a US National Security Request (including requests for access under FISA 702 or direct access under EO 12333), Sapience Analytics Corporation will inform the affected customer within 24 hours of the request. While Sapience Analytics Corporation may technically be subject to the surveillance laws identified in the Schrems II judgment, Sapience has not been subject to these types of requests in day-to-day business operations.

Identify the technical, contractual, and organizational measures applied to protect the transferred data

• Technical and Organizational Measures – See Annex II within this document and detailed within the annual Sapience Analytics Corporation SOC 2 Type 2 report.
• Contractual Measures – Sapience Analytics Corporation outlines contractual measures within Master Service Agreements, documented Data Processing Agreement, and SCC. Sapience Analytics is obligated under the SCCs to notify its customers in the event it is made subject to a request for government access to customer personal data from a government authority. Under the SCCs, Sapience Analytics Corporation is obligated to review the legality of government authority access requests and challenge such requests where they are considered to be unlawful.