Data Protection Addendum

DATA PROTECTION ADDENDUM

(Last Updated September 14, 2023)

  1.  Definitions and interpretation

In this Addendum, the following terms have the following meanings:

Agreed Purpose

  1. means for the sole purpose of providing or ensuring the receipt by Customers of Installation Services or any other authorised activities in connection with a Programme;

controller, data subject, personal data breach, processing and processor

  1. shall have the meanings designated to those terms (or equivalent terms) under applicable Data Protection Laws;

Covered Data

  1. means the personal data to be processed by or on behalf of the Installer in connection with this Agreement;

CSP Personnel

means the CSP’s employees, consultants, agents, independent contractors and subcontractors;

Data Protection Laws

  1. means all applicable data privacy, data protection, and cybersecurity laws, rules and regulations (including judgments of any relevant court of law) of the United Kingdom (UK), the European Union, and the United States, to which the CSP or its Installers, Qmerit or the Personal Data are subject, including, the EU General Data Protection Regulation 2016/679 (“EU GDPR”), the UK Data Protection Act 2018 (“UK DPA 2018”), the UK GDPR (as defined in section 3(10), UK DPA 2018) and the Swiss Federal Data Protection Act (“Swiss FADP”) and the California Consumer Privacy Act of 2018 (“CCPA”), each as amended, updated, re-enacted, restated or replaced from time to time;

Data Protection Losses

means all liabilities arising directly or indirectly from any breach or alleged breach of any of the Data Protection Laws or of this Addendum, including all: (a) costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage); (b) administrative fines, penalties, sanctions, liabilities or other remedies imposed by a data protection regulator; (c) compensation which is ordered by a court or data protection regulator to be paid to a data subject; and/or (d) costs of compliance with investigations by a data protection regulator;

Personal Data (and equivalent terms such as “personal information” or “personally identifiable information”)

  1. shall have the corresponding meaning given to them in applicable Data Protection Laws, and in the context of this Agreement includes Covered Data;

Processing End Date

  1. means in respect of any Covered Data once processing by the CSP or any of its Installers of such Covered Data is no longer required for the purpose of the CSP’s performance of its relevant obligations under this Agreement;

Processor Terms

  1. means the mandatory clauses required by Article 28(3) of the UK GDPR and the EU GDPR;

Restricted Transfer

  1. means: (a) where the EU GDPR applies, a transfer of Personal Data to a country outside of the European Economic Area (EEA) which is not subject to an adequacy determination by the European Commission; (b) where the Swiss FADP applies, a transfer of personal data from Switzerland to any other country which has not been determined to have a legislative framework that guarantees an adequate level of data protection (binding adequacy decisions will be issued by the Federal Council after the coming into force of the revised Swiss  FADP), and (c) where the UK GDPR applies, a transfer of personal data from the UK to any other country which is not based on adequacy regulations pursuant to Section 17A of the UK DPA 2018;

Standard Contractual Clauses or SCCs

  1. means: (a) where the EU GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"); (b) where the Swiss  FADP applies, the EU SCCs with the Swiss amendments as required by the Federal Data Protection and Information Commissioner (FDPIC), and (c) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR as amended or replaced from time to time ("UK SCCs");

Sub-Processor

  1. means an Approved Sub-Processor, a New Processor or any other processor or third party engaged by the CSP that processes Covered Data (including its Installers);

Supplemental Measures

  1. means the specific technical, organisational and/or contractual measures necessitated by applicable Data Protection Laws for the transfer of Covered Data originating in the EEA, Switzerland, and/or the UK to a country that has not been found to provide an adequate level of protection under applicable Data Protection Laws; and

Transfer Impact Assessment or TIA

  1. means a risk assessment necessitated by applicable Data Protection Laws in respect of the transfer of Covered Data originating in the EEA, Switzerland, and/or the UK to a country that has not been found to provide an adequate level of protection under applicable Data Protection Laws.

  1. Conflicts
  1. Unless otherwise expressly stated in this Addendum, if there is any conflict or inconsistency between different parts of this Addendum or between this Addendum and the remainder of this Agreement, the following descending order of priority applies: (a) the mandatory provisions of the SCCs contained in Annex 3; (b) the terms and conditions in the main body of this Addendum; (c) the other Annexes of this Addendum; (d) the remainder of this Agreement, and subject to the above order of priority between documents, later versions of documents shall prevail over earlier ones if there is any conflict or inconsistency between them.
  2. The CSP’s obligations and Qmerit’s rights and remedies under this Addendum are without prejudice and additional to the CSP’s obligations and Qmerit’s other rights and remedies under this Agreement.
  3. Nothing in this Addendum (or in this Agreement) affects the rights of data subjects under Data Protection Laws (including those in Articles 79 and 82 of the GDPR or in any equivalent Data Protection Laws) against Qmerit, the CSP or any Sub-Processor.
  1. Roles of the Parties and Compliance with Data Protection Laws
  1. Each Party acknowledges and agrees that, for the purposes of the Data Protection Laws:
  1. Qmerit and the CSP are independent controllers of certain Personal Data comprising the contact details of their respective contact points involved in contract administration and management of this Agreement;
  2. except for in the scenarios expressly set out in clauses 3.1.1, 3.1.3 and 3.1.4, Qmerit is the controller and the CSP is the processor in relation to the processing by the Installer of any Covered Data, including for the purposes of:
  1. the CSP or its Installers contacting the Customer via the Platform to perform Installation Services;
  2. the CSP or its Installers providing evidence of Installation Services (such as building permits, photographs of completed work and invoices) and any related services via the Platform for administration and quality assurance purposes;
  3. the CSP or its Installers developing Customers and prospects for Installation Services via the Platform;
  1. Qmerit is the processor processing Personal Data related to Customers on behalf of the CSP or its Installers via the Platform for the purposes of processing Customer payments on behalf of the CSP or its Installers (“Payment Processing Services”), subject to clauses 3.1.4.e) and 5.3;
  2. the CSP is an independent controller in relation to its use of Customer Personal Data obtained by it outside of the Platform, specifically, where such use relates to the CSP or its Installers:
  1. entering into its own separate contract with the Customer for installation services and related services such as maintenance (where relevant);
  2. working with utility companies in relation to installations;
  3. assisting Customers with building permit applications related to installations;
  4. complying with its legal obligations in relation to product warranty claims or for other relevant purposes;
  5. processing Customer payments on an interim basis until the Payment Processing Services are operational; and
  6. offering other products and services that are unrelated to Installation Services or this Agreement.
  1. To the extent that:
  1. either Party is processing Personal Data under clause 3.1.1, the provisions of clauses 4 and 5 inclusive shall apply;
  2. the CSP or its Installers are processing Covered Data under clause 3.1.2, the provisions of clauses 4 and 6 inclusive shall apply;
  3. Qmerit is processing Personal Data under clause 3.1.3, the provisions of clauses 4.1 and 6.19 shall apply; or
  4. the CSP or its Installers are processing Covered Data under clause 3.1.4, the CSP shall comply with its obligations under Data Protection Laws in respect of such processing, including in relation to transparency, lawful basis and security of processing.

  1. General provisions
  1. Each Party shall comply with their respective obligations under Data Protection Laws and the terms of this Addendum.
  2. Each obligation on the CSP under this Addendum shall include a corresponding requirement on the CSP to procure compliance with that obligation by each of its Installers.
  3. The CSP shall comply with Qmerit’s relevant policies and procedures, including those in relation to information security, data subjects’ rights, government access requests, business continuity and disaster recovery, security incident management, data protection by design and by default, data retention, which will be provided by or on behalf of Qmerit to the CSP.
  4. The CSP shall only disclose to, or allow access to Covered Data by, CSP Personnel who are bound by confidentiality obligations in relation to the Covered Data.
  5. The CSP shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks presented by processing the Covered Data (and any other relevant Customer Personal Data), including the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, such Personal Data transmitted, stored or otherwise processed, including those minimum security measures set out in Annex 2 (or equivalently robust measures).
  6. The CSP shall in relation to any Covered Data processed by it or on its behalf:
  1. process the Covered Data for the Agreed Purposes and for no other purposes, and for the purposes for which that Personal Data was obtained and is processed by Qmerit; and
  2. comply with Qmerit’s instructions as regards to data security and the security of Qmerit IT systems, including the Platform, and any third-party systems that the CSP uses or has access to, which includes only accessing those systems, areas and data that the CSP is expressly authorised to access, only doing so using Qmerit-authorised means of access and not attempting to circumvent any Qmerit or third-party security controls.
  1. The CSP shall maintain complete and accurate records and information to demonstrate compliance with applicable Data Protection Laws and this Addendum, and shall provide Qmerit with access to such records on request.
  1. Controller to controller provisions
  1. Without prejudice to clause 4.1, in order for the CSP to enter into and perform its obligations under this Agreement, the CSP will provide Qmerit with certain Personal Data related to CSP Personnel, which Qmerit will process in accordance with Qmerit’s applicable privacy notice(s) that will be provided by or on behalf of Qmerit.
  2. Qmerit may monitor the activities of all users of the Platform, including CSP Personnel, in accordance with its relevant policies, which will be provided by or on behalf of Qmerit to the CSP.  Qmerit may also track CSP activities, such as journey times and the time within which the Installer contacts a Customer, for quality assurance and performance management purposes.
  3. Without prejudice to clauses 4.5 and 4.6.2, to the extent that the CSP or its Installers use any third party or proprietary IT systems to process Personal Data, it shall ensure that that such systems and any third party providers meet the requirements of Data Protection Laws in terms of security, data protection by design and default and other relevant requirements, including as regards the CSP’s or its Installers’ use of any payment processing system on an interim basis until the Payment Processing Services are operational.
  4. Each Party shall process the Personal Data relating to the other’s personnel solely for the purposes of contract administration and management of this Agreement related to the Agreed Purpose (except to the extent otherwise required by any applicable law).
  5. Each Party shall promptly make available to the other Party on request such information as is required to demonstrate compliance with their respective obligations under this Addendum and Data Protection Laws.
  1. Controller to processor provisions
  1. Except to the extent expressly set out in this Agreement, the CSP shall not make any decisions as to the purposes and means of processing of Covered Data or otherwise do anything that would render it the controller of any Covered Data.
  2. The types of Covered Data, categories of data subject to whom it relates, and the subject matter, duration, nature and purposes of the processing to be carried out under this Agreement are set out in Annex 1 – Part A.
  3. The CSP shall process (and will procure that any Sub-Processors will process) the Covered Data (including the transfer to an international organisation or a third country) only:
  1. on Qmerit’s documented instructions from time to time; or
  2. as otherwise required by law (subject to the CSP notifying Qmerit of such legal requirement prior to processing unless such notification is prohibited by law on important grounds of public interest),

and only to the extent and in such a manner as is necessary for the Agreed Purpose and for the Installer to perform its other obligations under this Agreement in accordance with this Agreement and not for any other purpose.

  1. The CSP shall immediately notify Qmerit if the CSP (or any of its Sub-Processors) believes any of Qmerit’s instructions relating to processing Covered Data infringes any Data Protection Laws.
  2. Qmerit acknowledges and agrees that the CSP may use the third parties listed in Annex 1 (if any) (each an “Approved Sub-Processor”), to process any Covered Data on behalf of Qmerit pursuant to this Agreement.
  3. The CSP shall not replace any Approved Sub-Processor or use any other third party to process any Covered Data on behalf of Qmerit in connection with this Agreement (in each case, a “New Processor”) without Qmerit’s prior written authorisation and subject to conditions that the CSP shall:
  1. provide Qmerit with not less than 30 days’ prior notice of the proposed appointment of any New Processor, and Qmerit shall have 14 days within which to notify the CSP of any objection to such appointment on reasonable grounds related to data protection;
  2. if reasonable and practicable, propose an alternative sub-processor, and if Qmerit objects to this third party within 7 days, Qmerit shall be entitled to terminate this Agreement by giving the CSP not less than 30 days’ written notice, otherwise the alternative sub-processor shall be deemed to be an Approved Sub-Processor.
  1. The CSP shall ensure that all Sub-Processors:
  1. provide sufficient guarantees to implement appropriate technical and organisation measures in such a way that their processing will comply with the Data Protection Laws; and
  2. enter into a written agreement that includes provisions which are at least equivalent to those under this Addendum, including in relation to sub-contracting and sufficient guarantees, provided that all Installers shall enter into a written agreement directly with Qmerit.
  1. The CSP remains fully liable to Qmerit for the performance of each Sub-Processor in relation to processing of Covered Data.
  2. The CSP must, at no additional cost to Qmerit, take such technical and organisational measures as may be appropriate, and provide such information and assistance to Qmerit without undue delay (taking into account any timeframes and information required to be provided under Data Protection Laws) as Qmerit may reasonably require, to enable Qmerit to comply with:
  1. requests by data subjects to exercise their rights under the Data Protection Laws, including subject access rights, the rights to rectify, port and erase Covered Data, object to the processing and automated processing of Covered Data, and restrict the processing of Covered Data (“Data Subject Request”); and
  2. any request, communication or investigation by a data protection regulator under Data Protection Laws (“Regulator Notice”).
  1. The CSP must notify Qmerit without undue delay (taking into account any timeframes and information required to be provided under Data Protection Laws) if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Covered Data or to either Party's compliance with the Data Protection Laws, including a Data Subject Request or a Regulator Notice.
  2. The CSP must not disclose Covered Data to any data subject or to a third-party other than in accordance with Qmerit's written instructions, or as required by applicable law.
  3. Where Qmerit makes a Restricted Transfer of Personal Data to an CSP, the CSP shall cooperate with Qmerit to ensure that such Restricted Transfer:
  1. is effected using the relevant form of SCCs as appropriate safeguards; and
  2. otherwise complies with applicable Data Protection Laws, including by supporting any TIA carried out by Qmerit and ensuring that any necessary Supplemental Measures are in place, and otherwise complies with this Addendum.
  1. The CSP shall not make a Restricted Transfer nor permit any Sub-Processor to make a Restricted Transfer of Personal Data without first:
  1. providing Qmerit with written notice, including full details, of such Restricted Transfers;
  2. ensuring that any such Restricted Transfer is effected using appropriate safeguards (such as SCCs), and shall (as relevant):
  1. provide to Qmerit on request a copy of such safeguards entered into between the CSP and any third party; and / or
  2. enter into (or shall procure all relevant Sub-Processors to enter into) appropriate safeguards with Qmerit directly;
  3. ensure that any such Restricted Transfer otherwise complies with Data Protection Laws, including that CSP has carried out or supports Qmerit in carrying out a TIA (as applicable) and ensures that any necessary Supplemental Measures are in place, and otherwise complies with this Addendum.
  1. If any Restricted Transfer:
  1. between Qmerit and the CSP (where Qmerit is the entity exporting Personal Data to the CSP outside the UK or the EEA);
  2. between the CSP and a Sub-Processor (where the CSP is the entity exporting Personal Data to the Sub-Processor outside the UK or the EEA); or
  3. from any Sub-Processor to a third party (where the Sub-Processor is the entity exporting Personal Data to the third party outside the UK or the EEA),

requires execution of SCCs to comply with the Data Protection Laws, the Parties will complete all relevant details in, and execute, the appropriate form of SCCs contained in Annex 3 and take all other actions required to legitimise the Restricted Transfer.

  1. In respect of any personal data breach, the CSP shall:
  1. without undue delay (and in any event within any specific timeframes specified in Annex 2):
  1. notify Qmerit of the personal data breach; and
  1. provide Qmerit with such details of the personal data breach as Qmerit requires to fulfil its obligations under Data Protection Laws, provided that, if the CSP cannot provide all these details within the timeframes set out in this clause it shall provide Qmerit with reasons for the delay and when it expects to be able to provide the relevant details (which may be phased), and give Qmerit regular updates on these matters;
  2. otherwise comply with the security incident management procedure in section K of Annex 2; and
  1. provide Qmerit with reasonable assistance in relation its notification of the personal data breach to relevant data protection regulators and affected data subjects and with any remedial action in response to any personal data breach (subject in each case to Qmerit’s prior written authorisation).
  1. The CSP shall promptly provide such information, cooperation and other assistance to Qmerit as Qmerit requires (taking into account the nature of processing and the information available to the CSP), and at no additional cost to Qmerit, to ensure compliance with Qmerit’s obligations under Data Protection Laws, including with respect to security of processing (including with any review of security measures), data protection impact assessments (DPIAs) and prior consultation with a data protection regulator regarding high-risk processing.
  2. The CSP shall (and shall ensure all Sub-Processors shall):
  1. promptly make available to Qmerit on request such information as is required to demonstrate the CSP’s, and Qmerit’s compliance with their respective obligations under this Addendum and Data Protection Laws; and
  2. allow for, permit and contribute to audits, including inspections, by Qmerit (or another auditor mandated by Qmerit for this purpose) at Qmerit’s request from time to time and at no additional cost to Qmerit.
  1. Following the Processing End Date, the CSP shall, at the choice of Qmerit, delete all Covered Data and certify to Qmerit that it has done so, or, return all the Covered Data to Qmerit and delete existing copies unless applicable law requires storage of the Covered Data. Until the Covered Data is deleted or returned, the CSP shall isolate the Covered Data from further processing except to the extent required by applicable law.
  2. Where Qmerit is acting as a processor on behalf of the CSP, the provisions of clauses 4.4 and 4.5 and 6.1 to 6.18 inclusive shall apply to such arrangement, except that
  1. “CSP” shall be replaced with “Qmerit” in respect of the provisions that are applicable to processors;
  2. “Qmerit” shall be replaced with “CSP” in respect of the provisions that are applicable to controllers;
  3. the types of personal data, categories of data subject to whom it relates, and the subject matter, duration, nature and purposes of the processing to be carried out under this Agreement are set out in Annex 1 – Part B;
  4. “Agreed Purpose” in the context of this clause shall mean the purposes of Qmerit providing the Payment Processing Services;  
  5. “Covered Data” shall be replaced with “personal data”;
  6. the references to “30 days” in clause shall be replaced with “14 days” and there shall be no termination right by the CSP;
  7. clause 6.12 shall be replaced with the following clause:

“Qmerit shall not make a Restricted Transfer of personal data without first ensuring that any such Restricted Transfer is effected using appropriate safeguards (such as SCCs), and otherwise complying with applicable Data Protection Laws in respect of such Restricted Transfer.”

  1. the references to “at no additional cost to Qmerit” shall be deleted from clauses 6.9, 6.16 and 6.17.2; and
  2. the reference to “(and in any event within any specific timeframes specified in Annex 2)” shall be deleted from clause 6.15.1 and clause 6.15.1(c)shall be deleted.
  1. Processor to sub-processor provisions
  1. To the extent that the CSP is processing any Covered Data as a sub-processor, the provisions in clause 6 shall apply to the CSP, subject to the following modifications:
  1. Sub-Processors shall mean sub-Sub-Processors;
  2. any processing instructions shall be those of the relevant controller (as in the Sponsor) on behalf of which Qmerit is processing Covered Data as a processor (if relevant) (“Relevant Controller”);
  3. as regards any notifications, information (including Covered Data) or assistance to be given by the CSP to Qmerit, if Qmerit directs, the CSP shall give the same to the Relevant Controller directly; and
  4. references to compliance with Qmerit’s obligations shall mean compliance with the Relevant Controller’s obligations.

  1. Liability and indemnities
  1. The CSP shall indemnify and keep indemnified Qmerit without limit in respect of all Data Protection Losses suffered or incurred by, awarded against or agreed to be paid by the Qmerit arising from or in connection with any:
  1. non-compliance by the CSP or its Installers with the Data Protection Laws;
  2. the CSP (or any person acting on its behalf) acting outside or contrary to the lawful processing instructions of Qmerit in respect of the processing of Covered Data; and

  1. breach by the CSP or its Installers of any of its obligations related to data protection under this Agreement.


ANNEX 1

PART A – Data Processing Details – CSP as Processor

The legally binding provisions of this Annex 1 are attached as Addendum F to the Certified Solutions Partner Agreement.

PART B – Data Processing Details – Qmerit as Processor

  1. The subject matter and duration of the processing of the personal data
  1. The subject matter of the processing is processing by Qmerit of Customer personal data in connection with the purpose set out in clause 3.1.3 of this Addendum.
  2. The processing will continue for the duration of the relevant services related to that processing under this Agreement.
  1. The purpose of the processing of the personal data
  1. The personal data will be processed in order to fulfil the purpose set out in clause 3.1.3 of this Agreement.
  1. The nature of the processing of the personal data
  1. The processing of personal data relates to Qmerit’s provision of the Payment Processing Services to CSPs or its Installers under this Agreement.
  1. A description of the types of personal data
  1. The personal data will comprise non-sensitive Customer personal data such as:
  1. Customer name and contact details; and
  2. Customer payment details.
  1. Sensitive data transferred (if applicable)
  1. Qmerit shall not process special categories of personal data or criminal data on behalf of the CSP or its Installers.
  1. A description of the categories of data subjects
  1. The data subjects will include Customers of Qmerit and the CSP or its Installers that are connected with the CSPs or its Installers via the Platform.
  1. Approved Sub-Processors

Full name and business address

Services provided that involve personal data processing

Location of processing of / access to Covered Data

Transfer safeguards used (e.g., SCCs, binding corporate rules, transfer adequacy assessment)

Microsoft https://azure.microsoft.com/en-us/support/legal/

Cloud Service Provider

United States; Business User data and End Customer data

Standard Contractual Clauses

HubSpot

https://legal.hubspot.com/privacy-policy

Customer service software that supports customer interactions

United States; The information included in those individuals contacting Qmerit for support

Standard Contractual Clauses

Twilio

https://www.twilio.com/legal/privacy

Cloud communications provider

United States; Business User data and End Customer data

Standard Contractual Clauses

Five9

https://www.five9.com/legal/privacy-addendum

Could communications provider

United States; Data collected in conjunction with customer support interactions

Standard Contractual Clauses

 


ANNEX 2

Security Measures

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the CSP and its Installers shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate:

  1. the pseudonymisation and encryption of personal data;
  2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

For CSPs and its Installers (in this Annex referred to as “Entity”), the following minimum security controls and requirements shall apply:

  1. COMPREHENSIVE INFORMATION SECURITY PROGRAM

Entity shall not materially change any aspect of the Entity’s operations that would, from the perspective of Qmerit, degrade or otherwise materially adversely impact the level of security provided to Qmerit Covered Data.

  1. REMOTE ACCESS TO QMERIT INFORMATION SYSTEMS

Access to Qmerit web applications (EV charging installation sites) must be protected at all times. When remote access to Qmerit systems is required, the Entity may be provided with secure access to an email account, an external cloud-based system and/or a Qmerit laptop. Any changes on the entity personnel accessing Qmerit systems need to be notified to Qmerit as soon as possible not exceeding 5 working days.

If access is granted to Qmerit web applications (EV charging installation sites) for Entity personnel, the Entity has a responsibility to notify Qmerit of the termination or departure to ensure that account access is terminated. Furthermore, if accounts with access to Qmerit web applications (EV charging installation sites) are compromised, the Entity must notify Qmerit immediately to ensure that access is revoked.

  1. PROTECTING QMERIT INFORMATION

Entity shall implement agreed as well as general information security best practices across all supplied components and materials including software, hardware and information to safeguard the confidentiality, availability and integrity of Qmerit and its information. When applicable, the Entity shall provide Qmerit with full documentation in relation to the implementation of logical security and shall ensure that it has such security that:

  • prevents unauthorized access to Qmerit systems,
  • reduces the risk of misuse of Qmerit systems or Information
  • detects security breaches and enables quick rectification of any problems and identification of the individuals who obtained access and determination of how they obtained it.
  1. DATA ENCRYPTION

Entity will encrypt all Qmerit Covered Data when stored on portable devices and media or when transmitted over non-secure communication channels (e.g. internet, email or wireless transmission) including remote connectivity using solutions that are certified against the U.S. Federal Information Processing Standard 140-2, Level 2, or equivalent industry standard, and will verify that the encryption keys and any keying material are not stored with any associated data.

When transferring Qmerit Covered Data and in communications between Qmerit and Entity, Entity will use secure email, such as enforced Transport Layer Security (TLS), and will implement any network connectivity with Qmerit that Entity is required to provide by Qmerit in accordance with any Qmerit-approved connectivity standards.

Qmerit Covered Data shall not be transferred to removable media.

Entity shall prohibit the transfer of Qmerit Covered Data to Entity mobile devices where the security measures employed on such mobile devices do not meet the requirements of this Section 9 (including, without limitation, where such mobile devices do not support the technologies required to comply with such requirements).

  1. ACCESS

  1. General

Entity will limit access to Qmerit Covered Data to authorized persons or roles, based upon a principle of least privilege which limits all users to the lowest permission levels that they can be assigned to that does not prevent the relevant Entity Personnel from completing their assigned tasks.

Entity must confirm the identities of all Entity Personnel using independent, verifiable identity documents (for example, government-issued documents such as a passport or driver’s license) prior to creating any accounts for Entity Personnel that will provide access to the Entity's Information Systems.

Entity will review all account access and change such access commensurate with role changes.

  1. Passwords

Any passwords issued to a user by an administrator must be reset by the user upon initial use.

Where user-initiated password resets are used, the processes that create the temporary password must create secure temporary passwords which cannot be derived from previous passwords (for example, an auto-incrementing system which generates "abc1" followed by "abc2" would not meet this requirement nor would a system which identifiably uses the current date as the basis of password generation), must not reuse passwords and must communicate the temporary password to the user through a channel accessible only to the user.

Where Entity suspects any unauthorized access has occurred to any user account, Entity shall immediately revoke the password to such user account.

  1. VETTING OF ENTITY PERSONNEL

Entity shall ensure that any Entity Personnel who will have:

Physical access to any Qmerit site for a period of time sufficient to warrant Qmerit security providing such Entity Personnel with an identification badge permitting unescorted access; or access to Qmerit Covered Data, shall have been the subject of pre-engagement screening in accordance with Qmerit’s screening procedures, as notified to Entity in writing.

  1. PHYSICAL SECURITY

Depending on the type of services that the Entity is providing, one of the following (a or b) controls will be required:

  1. General

Entity shall ensure that Qmerit Covered Data is physically secured against unauthorized access, including, but not limited to, by use of appropriate physical safeguards such as electronic ID card access to all areas of the Entity's Information System.

  1. Hosting

Where, and to the extent that, Entity is providing hosting services1 as part of the Services, it must implement the following controls as a minimum level of physical security:

  • All datacenter hosting facilities including buildings and infrastructure shall meet the standards set out in ISO/IEC 27001 and also ISAE 3000 /3402 or such other standards.
  • All Qmerit Covered Data processed, accessed, held or transmitted by Entity will be physically stored in a facility subject to the following security controls:
  • Authorized access control list requiring a photo ID check to access data center floor;
  • Biometric and/or keycard access to monitored man-traps leading to data center floor;
  • Locked server cabinets;
  • 24×7 indoor and outdoor CCTV monitoring with video being saved for at least 30 days;
  • 24×7 physical intrusion monitoring alarm system;
  1. MALICIOUS CODE

Entity will not incorporate or introduce or permit or facilitate the incorporation or introduction of Unauthorized Code into the Entity's Information Systems nor any Qmerit Information Systems.

Entity shall ensure it at all times employs adequate security practices to prevent, detect, mitigate and protect against the introduction of any such Unauthorized Code into the Entity's Information Systems in real-time.

“Unauthorized Code” is defined as any: (i) computer virus, harmful programs or data that destroys, erases, damages or otherwise disrupts the normal operation of the Entity's Information Systems, allows for unauthorized access to the Entity's Information Systems, (ii) worms, trap door, back door, timer, counter, software locks, password checking, CPU serial number checking or time dependency or other such limited routine instruction that is designed to interrupt or limit the proper operation of the Entity's Information Systems, (iii) spyware/adware, and (iv) any other similar program, data or device that is being inserted for an improper purpose.

  1. NETWORK SECURITY

On reasonable notice or information and during normal working hours, Qmerit shall have the right, but not the obligation, to review periodically the Entity's and/or Entity Affiliates’ operations, processes and systems insofar as they relate to the Services for the purpose of monitoring the Entity's and/or Entity Affiliates’ compliance with the terms and conditions of these Information Security Requirements. Such reviews shall not relieve the Entity and/or Entity Affiliates from their responsibilities to comply with, and monitor its own compliance with, all terms and conditions of this Policy.

Entity shall implement all recommendations resulting from any such audit having been conducted.

Entity shall maintain and keep up to date the network component inventories, network topology diagrams, data centre diagrams and IP addresses for each network that connects to Qmerit Information Systems (and their interconnections), whether supported by the Entity, any Entity Affiliate or a third party on Entity's behalf, to a standard that meets compliance.

Requirements for all connectivity to the Entity's Information Systems from the Internet, to include at least the following:

  • Ensuring the network perimeter is protected by industry-leading enterprise firewall systems, including (but not limited to): (i) establishing port, protocol and IP address restrictions that limit the inbound/outbound protocols to the minimum required; and

(ii) ensuring all inbound traffic is routed to specific and authorized destinations;

  • Interrogating communications by monitoring network packets to identify and alert upon or prevent known patterns that are associated with security vulnerabilities or denial of service attacks with regularly updated signatures to generate alerts for known and new threats;
  • Maintaining and enforcing security procedures in operating the network that are at least: (i) consistent with industry standards for such networks; and (ii) as rigorous as those procedures which are in effect for other similar networks owned or controlled by Entity;
  • Maintaining and enforcing operational and security procedures that prevent the provision of network connectivity to third parties where such access would enable the third party to access Qmerit Covered Data, or access the Qmerit Information Systems should network interconnections between Qmerit and

Entity be enabled, without express written permission from Qmerit;

  • Implementing perimeter management controls to ensure, at a minimum, that perimeter systems are configured to be resistant to resource exhaustion (e.g., to denial of service attacks); and
  1. DATA PRIVACY

The Entity agrees that Qmerit or Qmerit customer data shall not be transferred, accessed, or stored outside of the Entity that has been approved to access Qmerit data by Qmerit. The Entity may not use any Qmerit data for other purposes, such as marketing, selling of Qmerit data, or use in any other method than the approved work methods outlined by Qmerit.

  1. SECURITY INCIDENT MANAGEMENT

Entity will implement documented standards / procedures for dealing with suspected and actual security events, incidents and cybercrime attacks against the organization (the “Incident Management Procedure”) and shall provide Qmerit with full details of such Incident Management Procedure upon request.

The Supplier shall notify Qmerit of any suspected and actual security events, incidents and cybercrime attacks by emailing Qmerit at security@qmerit.com.

Supplier will notify Qmerit within six (6) hours of identifying an actual or potential personal data breach affecting Qmerit data or systems.

In the event of a personal data breach, Entity will:

  • Take all appropriate corrective action including, solely at the request of Qmerit (and at the expense of Entity where the personal data breach save where the personal data breach is due to the fault of Qmerit), providing notice to all persons whose personal data may have been affected by such personal data breach, whether or not such notice is required by Applicable Law; and
  • Where the personal data breach is due to the fault of Entity, (without limitation to clause 8) reimburse Qmerit (subject to Qmerit giving Entity written notification of such costs together with reasonable supporting information) for all reasonable costs Qmerit may incur in connection with remediation efforts, including costs incurred in connection with;
  1. The development and delivery of legal notices as required by Applicable Law and as reasonably directed by Qmerit where not required by Applicable Law;
  2. The establishment of a toll-free telephone number where affected persons may receive information relating to the personal data breach; and
  3. The provision of credit monitoring/repair and/or identity restoration for affected persons for one (1) year following the announcement or disclosure of the personal data breach or following notice to the affected persons, whichever is later, or such longer period as is required by Applicable Law.
  • Resolve any personal data breach resulting from unauthorized access, including identification of any Qmerit Covered Data disclosure, alteration or loss, and notification of Qmerit as required under the Incident Management Procedure.

Within five (5) days after detection of such a compromise, Entity shall provide to Qmerit a root cause analysis and written notice with confirmed receipt of such unauthorized access or modification. Such notice shall summarize in reasonable detail the impact of such unauthorized access or modification upon Qmerit and as applicable the persons whose personal data is affected.

Entity must remediate any personal data breach within fourteen (14) days of such a compromise resulting from unauthorized access, including identification of any Qmerit Covered Data disclosure, alteration or loss, and notification of Qmerit as required under the Incident Management Procedure. In the event the Entity determines that a personal data breach cannot be remediated within fourteen (14) days, Entity must submit and obtain Qmerit’ written consent to a remediation plan within seven (7) days of the personal data breach.


ANNEX 3

STANDARD CONTRACTUAL CLAUSES

PART A – EEA Standard Contractual Clauses

As relevant, the following modules of the EEA SCCs are hereby incorporated by reference into the Agreement via the following link, as supplemented by the additional details and customizations set out in Section 2 below: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en 

  1. Module 1, for Controller to Controller Restricted Transfers;
  2. Module 2, for Controller to Processor Restricted Transfers;
  3. Module 3, for Processor to Sub-Processor Restricted Transfers; and
  4. Module 4, for Processor to Controller Restricted Transfers.

For restricted transfers where the CSP is transferring personal data to Qmerit in the US, the following details and terms shall apply:

Reference

Module

Details or customisations

Clause 7: Docking clause

1 and 4

Clause 7 shall be included.

Clause 11(a): Redress

1 and 4

The optional part of Clause 11(a) shall be excluded.

Clause 17: Governing law

1

The Parties select Option 2. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be the law of the Republic of Ireland.

Clause 17: Governing law

4

The Parties select the law of England & Wales.

Clause 18(b): Choice of forum and jurisdiction

1

The Parties select the courts of the jurisdiction which governing law applies under Clause 17.

Clause 18(b): Choice of forum and jurisdiction

4

The Parties select the courts of England & Wales.

Annex I

1 and 4

1 and 4

1

  1. List of parties

Data exporter:

Name: The CSP

Address: As set out in the Agreement

Contact person’s details: As set out in Exhibit One

Activities relevant to the data transferred under these Clauses: Provision of technical and service support by Qmerit US to users of the Qmerit Platform, including CSPs, Installers and drivers. It may be necessary for the data importer to access Personal Data (and other data) in order to contact CSPs, Installers or drivers to troubleshoot / fix issues and provide support.

Signature: As set out in the Agreement

Date: The Effective Date of the Agreement

Role:

Controller – if the Personal Data being transferred has been collected by or on behalf of the CSP independently of the Qmerit Platform and is being processed by the CSP as a controller in accordance with this Addendum.

Processor – if the Personal Data being transferred is being processed by the CSP as a processor in accordance with this Addendum.

Data importer:

Name: Qmerit Electrification LLC

Address: As set out in the Agreement

Contact person’s details:

Name: Tyler Ward

Position: Chief Information Security Officer

Email: privacy@qmerit.com

Other contact details: N/A

Activities relevant to the data transferred under these Clauses Provision of technical and service support by Qmerit US to users of the Qmerit Platform, including CSPs, Installers and drivers. It may be necessary for the data importer to access Personal Data (and other data) in order to contact CSPs, Installers or drivers to troubleshoot / fix issues and provide support.

Signature: As set out in the Agreement

Date: The Effective Date of the Agreement

Role: Controller

  1. Description of transfer

Categories of data subjects whose Personal Data is transferred:

Users of the Platform.

Categories of Personal Data transferred:

Platform usernames

CSP, Installer and / or driver contact details

Platform usage information

Other information as required to resolve the issue

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

None

The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis):

Ad hoc basis, whenever a Platform-related technical support request requires access to Personal Data by Qmerit personnel located in the US.

Nature of the processing:

Incidental viewing of user Personal Data by the Provider when Qmerit personnel require access to the Platform to provide Platform-related technical support services in connection with this Agreement.

Purpose(s) of the data transfer and further processing:

Provision of technical and service support by Qmerit US to users of the Qmerit Platform, including CSPs, Installers and drivers.

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:

Personal Data is viewable only (for the duration for which the specific support request is open), and shall not under any circumstances be copied, downloaded, or exported.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

N/A

  1. Competent Supervisory Authority

The competent supervisory authority/ies in accordance with Clause 13 are applicable based on the relevant status of the data exporter, as selected from one of the following statutes:

  1. [Where the data exporter is established in an EU Member State:] The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards for the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
  2. [Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679:] The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
  3. [Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679:] The supervisory authority is one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.

Annex II

1

Technical and organisational measures including technical and organisational measures to ensure the security of the data

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

The security measures in Annex 2.

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter.

N/A

Execution of the SCCS

Execution by the Parties of this Agreement, which incorporates by reference the relevant form SCCs, shall be valid execution by the Parties of those SCCs.


Section 2: UK Standard Contractual Clauses

The UK Addendum is hereby incorporated by reference into the Agreement via the following link, as supplemented by the additional details and customizations set out in the tables below: international-data-transfer-addendum.pdf

PART 1: TABLES

Table 1: Parties

Start date

The Effective Date of this Agreement

The Parties

Exporter (who sends the Restricted Transfer)

Importer (who receives the Restricted Transfer)

Parties’ details

As set out in this Agreement

As set out in this Agreement

Key Contact

As set out in Part A of this Annex 3

As set out in Part A of this Annex 3

Signature (if required for the purposes of Section 2)

As set out in this Agreement

As set out in this Agreement

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs

The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:

Date: The version current as at the Effective Date Agreement

Reference (if any): N/A

Other identifier (if any): N/A

Table 3: Appendix Information

Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties:

As set out in Part A of this Annex 3

Annex 1B: Description of Transfer:

As set out in Part A of this Annex 3

Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data:

As set out in Part A of this Annex 3

Annex III: List of Sub processors (Modules 2 and 3 only):

None

Table 4: Ending this Addendum when the Approved Addendum changes

Ending this Addendum when the Approved Addendum changes

Which Parties may end this Addendum as set out in Section 19:

Importer

Exporter

☐ neither Party

Alternative Part 2 Mandatory Clauses

Mandatory Clauses

Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with section 119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section ‎‎18 of those Mandatory Clauses.

PART D – USE OF EU SCCS UNDER SWISS FADP

Pursuant to the Swiss Federal Data Protection and Information Commissioner’s guidance titled “The transfer of personal data to a country with an inadequate level of data protection based on recognized standard contractual clauses and model contracts” dated 27 August 2021, the Parties agree to adopt the EU GDPR standard for data transfers in scope of the Swiss FADP (referred to in such guidance as Case 2, Option 2).

Accordingly, the Parties agree that: (a) the EU SCCs shall apply to all Restricted Transfers in connection with the Agreement in scope of the Swiss FADP; and (b) Section 1 shall be incorporated by reference in its entirety into this clause 3, subject to the modifications and additional details in clause 3(a) below.

  1. Modifications and additional details

None.