NETLAB+ DATA PROCESSING ADDENDUM (GDPR)

This NETLAB+ Data Processing Addendum (this “Addendum”) is by and between Network Development Group, Inc. (“NDG”) and the organization who is signing this Addendum below or who is otherwise accepting this Addendum by other means, such as by attachment or incorporation by reference into a NETLAB+ License Agreement with NDG (“Licensee”).

This Addendum applies if Licensee has determined that it is a data controller subject to GDPR (defined below) and contains agreed terms relating to privacy and security. This Addendum serves as an amendment to the existing License or Customer Agreement (the “Agreement”) entered into by the parties. Capitalized terms used in this Addendum but not defined have the meaning set forth in the Agreement or under GDPR, as applicable.

For good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows:

  1. Definitions. As used herein the following terms shall have the following definitions:
    1. “controller”, “processor”, “data subject”, “personal data” and “processing” (and “process”) shall have the meanings given in Privacy Laws, as applicable to the processing of Licensee Personal Data under the Agreement.
    2. “Licensee Personal Data” means personal data supplied by Licensee or its Users to NDG in connection with the Services provided under the Agreement.
    3. “GDPR” means the General Data Protection Regulation, Regulation (EU) 2016/679.
    4. “NETLAB+” means NDG’s standard software solution licensed from NDG by Licensee, and hosted and managed by Licensee, that lets students complete labs remotely and on-demand.
    5. “Privacy Laws” means all applicable U.S. and international laws that regulate the use, disclosure and processing of personal data. Privacy Laws include as applicable GDPR and other applicable laws that specify privacy, data protection, security or security breach notification obligations that apply to personal data.
    6. “NDG Services” means the technical support and data restoration services provided by NDG to Licensee, solely to the extent agreed by the parties pursuant to the Agreement.
  2. Roles of the Parties under GDPR. The parties acknowledge and agree that Licensee is the controller and NDG is the processor with regard to the processing by NDG of Licensee Personal Data under the Agreement. The subject matter, nature and purpose of NDG’s processing are limited to providing the NDG Services under the Agreement. For clarity, NDG does not store or host any Licensee Personal Data under the Agreement. The duration of the processing is the term of the Agreement. Data subjects include Authorized Users who are participating in and administering online labs facilitated by NETLAB+.
  3. Instructions for Processing. NDG shall process Licensee Personal Data only to provide NDG Services in accordance with the Agreement and this Addendum, which the parties agree serve as Licensee’s documented instructions.
  4. NDG Personnel. NDG shall require its personnel who have access to Licensee Personal Data to: (a) receive appropriate training on their responsibilities regarding the handling and safeguarding of Licensee Personal Data, and (b) agree to comply with confidentiality obligations that survive the termination of such personnel’s employment.
  5. Security Measures. Licensee and NDG each shall maintain (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons), appropriate technical and organizational measures to protect against loss, alteration, unauthorized disclosure of, or access to Licensee Personal Data.
  6. Compliance with Privacy Laws. Licensee and NDG each agree to comply with all Privacy Laws. As between the parties, Licensee shall be solely responsible for the inputting, deletion, updating, accuracy, quality, and legality of Licensee Personal Data and the means by which Licensee obtained Licensee Personal Data.
  7. Rights of Data Subjects. To the extent permitted by law, NDG will tell data subjects who make requests to NDG exercising their data subject rights (such as deletion, rectification, and data portability requests) with respect to Licensee Personal Data to contact Licensee directly regarding such request. Licensee shall be solely responsible to respond to such requests from data subjects. If the Software does not provide Licensee the ability to respond to such requests, then, upon Licensee’s request, NDG will provide reasonable support assistance to Licensee to respond to such requests. Depending on the nature of such assistance, NDG reserves the right to charge Licensee for assistance with such requests.
  8. Security Incidents. Each party shall, to the extent permitted by law, notify the other party without undue delay after becoming aware of a personal data breach involving Licensee Personal Data (“Security Incident”). Each party shall provide reasonably requested assistance to the other party in dealing with any Security Incident, taking into account the nature of processing and the information available to such party. Neither party shall make any public announcement about a Security Incident without the prior written consent of the other party, unless required by applicable law.
  9. Government Access Requests. Unless prohibited by applicable law or a legally-binding request of law enforcement, NDG shall promptly notify Licensee of any request by a government agency or law enforcement authority for access to or a copy of Licensee Personal Data.
  10. Audits. Subject to reasonable notice, and at Licensee’s expense (including fees and expenses to compensate NDG for its time and out of pocket costs involved in responding to any audit request), NDG shall provide Licensee with reasonably requested information regarding NDG’s security program and systems and procedures that are applicable to the NDG Services, as necessary to demonstrate NDG’s compliance with Privacy Laws, and, as reasonably necessary, allow for audits of the same. Audits will occur at most annually or following notice of a Security Incident.
  11. Subprocessors. Licensee grants a general authorization to NDG to appoint subprocessors to support the performance of the NDG Services, including data center providers. Upon request, NDG will provide Licensee with a list of such subprocessors. If Licensee has an objection to any such subprocessor, NDG will work with Licensee to address any such concerns. NDG will ensure that any subprocessor it engages on its behalf in connection with this Addendum agrees in a written contract to subprocessor terms substantially as protective of Licensee Personal Data as those imposed on NDG in this Addendum (the “Subprocessor Terms”). NDG shall be liable to Licensee for any breach by a subprocessor of any of the Subprocessor Terms.
  12. Entire Addendum; Conflict: This Addendum supersedes and replaces all prior and contemporaneous statements, understandings, and communications, oral and written, with regard to the subject matter of this Addendum. If there is any conflict between this Addendum and the Agreement, the terms of this Addendum shall control. Except as expressly set forth in this Addendum, the terms of the Agreement shall remain in place. For the avoidance of doubt, the parties intend that the limitations on liability clauses in the Agreement shall apply to this Addendum.

Each person signing below for a party represents that he or she is duly authorized to execute this Addendum on behalf of such party.

Date: , Organization: __________, Name: , Address: __________