Hyland Software, Inc Legal Center

Data Processing Addendum - Brazil
Data Processing Addendum - GDPR
Global Data Processing Addendum
HIPAA Subcontractor Addendum
Hyland Anti-Bribery/Anti-Corruption Policy and Guide - English
Hyland Anti-Bribery and Anti-Corruption Policy and Guide - German
Hyland Anti-Bribery and Anti-Corruption Policy and Guide - Portuguese
Hyland Anti-Bribery and Anti-Corruption Policy and Guide - Spanish
Hyland Poland Sp. zoo Purchase Order Terms and Conditions
Hyland Purchase Order Terms and Conditions

Data Processing Addendum - Brazil

Version

Effective April 29th 2021

Download

Data Processing Addendum – Brazil

This Data Processing Addendum - Brazil together with all attachments and appendices (“Addendum”) forms part of the Master Services Agreement (or similar agreement under which Services are provided to Hyland) (“Services Agreement”) between Service Provider (or similar term under the Services Agreement) and Hyland.

DEFINITIONS
1. “Controller”, “Processor”, “Processing”, and “National Authority” have the same meanings as in Article 5 of the LGPD.
2. “Data Subject” means the subject of Personal Data.
3. “Hyland” means Hyland Software, Inc. on behalf of itself and its affiliates. The term affiliates shall be deemed to include any parent company, subsidiary, affiliate of, or entity controlled by (including beneficial control), controlling or under common control with Hyland Software, Inc.
4. “Personal Data” means any information received by Service Provider from, or received or created on behalf of, Hyland relating to an identified or identifiable natural person located in Brazil. An “identifiable natural person” is one who can be identified, directly or indirectly, in particular, by reference to an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of the natural person.
5. “Personal Data Breach” means breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed when that Personal Data is in the possession of Service Provider or its agents or subcontractors.
6. “Required By Law” means that a statute, regulation, court order, or legal process, enforceable in a court of law, mandates the conduct.
7. “Sensitive Personal Data” shall have the meaning given to it under Article 5 of the LGPD and also includes information about criminal history.
8. “Sub-processor” means an entity that processes Personal Data at the request of Service Provider.
SERVICE PROVIDER’S PROCESSING OF PERSONAL DATA
1. Nature and Purpose of Processing of Personal Data. Service Provider agrees to Process Personal Data solely in accordance with Appendix A.
2. Duration of Processing. Service Provider shall Process Personal Data only during the term of the Service Agreement.
3. Violation Of Data Protection Law. Service Provider will immediately notify Hyland if Service Provider becomes aware that Service Provider’s compliance with a term or condition of this Addendum has violated, violates, or will violate Service Provider’s or Hyland’s obligations under applicable law.
4. Disclosures of Personal Data. Service Provider may not disclose Personal Data to third parties unless the disclosure is (1) Required By Law, or (2) with the prior written consent of Hyland. Before disclosing Personal Data as Required By Law, Service Provider will immediately notify Hyland in writing of such required disclosure and will provide Hyland a reasonable opportunity to object to the request before Service Provider produces any Personal Data in response. Upon request, Service Provider will provide Hyland a copy of any Personal Data disclosed to a third party as Required by Law.
5. Cross-Border Data Transfers. Service Provider will not transfer Personal Data outside of Brazil unless (1) Hyland has provided prior written permission for the transfer, and (2) in addition to the other requirements set forth in this Addendum, Service Provider ensures an adequate level of protection in accordance with the LGPD or the transfer falls under a derogation in accordance with the LGPD.
SERVICE PROVIDER’S SAFEGUARDS FOR PERSONAL DATA
1. Confidentiality Of Personal Data. Service Provider will maintain the confidentiality of all Personal Data. Service Provider has required employees responsible for Processing Personal Data to sign a confidentiality agreement prohibiting the disclosure of Personal Data Processed for Hyland to any third party except as permitted by this Addendum or as Required By Law.
2. Physical, Technical And Organizational Safeguards. Service Provider shall maintain a comprehensive written information privacy and security program that includes reasonable and appropriate measures to protect against reasonably foreseeable risks to the security, confidentiality, integrity and resilience of Personal Data, which risks could result in the unauthorized disclosure, use, alteration, destruction or other compromise of the Personal Data, including a Personal Data Breach. Such program shall comply with the LGPD concerning the protection of Personal Data and shall include the measures set forth in the Services Agreement and such measures shall not be materially reduced during the Term of the Services Agreement. Service Provider will regularly monitor, test, and update its information security program. Service Provider shall also maintain in accordance with good industry practice, measures to protect Personal Data from interception such as: (i) network protections intended to deny attackers the ability to intercept or access Personal Data; and (ii) anonymization or other measures to deny attackers the ability to read intelligible Personal Data, including encryption in transit between Service Provider and any third party, as permitted by this Agreement. Service Provider will provide Hyland with such information concerning its information security program as Hyland may reasonably request from time to time.
3. Reporting Personal Data Breaches. Service Provider shall report to Hyland any Personal Data Breach of which it becomes aware. Service Provider will make such report within 24 hours of Service Provider’s becoming aware of the incident and such report shall include, at a minimum subject to the availability of necessary information, the following: (1) a description of the incident; (2) the date that the incident occurred; (3) the date that Service Provider became aware of the incident; (4) the identity and last known mailing address of each affected Data Subject; (5) the approximate number of affected Personal Data records involved; (6) the affected categories of Personal Data, including Sensitive Personal Data, if any, for each affected Data Subject that was affected; (7) the approximate number of Data Subjects affected; (8) an identification of any law enforcement agency or National Authority that has been contacted about the incident and contact information for the relevant official; (9) a description of the steps that have been, or will be, taken to mitigate the incident; (10) a description of the steps that have been, or will be, taken to prevent a recurrence; (11) the likely consequences of the Personal Data Breach; and (12) contact information for the person at Service Provider principally responsible for responding to the Personal Data Breach.
4. Service Provider will update the written report periodically as new information becomes available. All reports required by this provision shall be made to: Hyland Legal Department, Attn: Person In Charge, 28500 Clemens Rd. Westlake, Ohio 44145, 440-788-5000, brazilprivacy@hyland.com, or such other person that Hyland may designate from time to time in writing to Service Provider without amending this Addendum. Service Provider acknowledges that its determination that a particular set of circumstances constitutes a Personal Data Breach shall not be binding on Hyland.
5. Mitigation Of Damages By Service Provider And Cooperation in Investigation. Service Provider agrees to take, at its own expense, measures reasonably necessary to mitigate any harmful effect of a Personal Data Breach. Service Provider agrees to cooperate, at its own expense, with Hyland in its investigation of any Personal Data Breach. Service Provider will reimburse Hyland for all imputed and out-of-pocket costs reasonably incurred by Hyland in connection with the Personal Data Breach, including, but not limited to, costs related to provision of notices to affected Data Subjects and to any services offered to affected Data Subjects.
6. Notifications Related To A Personal Data Breach. Service Provider acknowledges that Hyland shall determine (1) whether and when to notify any National Authority and which National Authority to notify; (2) who will provide notice to Data Subjects with respect to any Personal Data Breach; (3) the content of any such notice(s); (4) the timing for, and method of, delivery of any such notice(s); and (5) the products or services, if any, to be offered to affected Data Subjects. Service Provider shall not disclose the fact that a Personal Data Breach has occurred, or any details related to a Personal Data Breach to any third party without Hyland’s written consent, unless otherwise Required By Law.
SERVICE PROVIDER’S ASSISTANCE WITH AUDITS AND REQUESTS FROM DATA SUBJECTS
1. Information Technology Audits. Service Provider will permit Hyland, directly or through a contractor, to conduct audits of the information technology and information security controls to ensure that: (i) Service Provider is in compliance with this Addendum; and (ii) Service Provider provides the appropriate level of security for the Personal Data.
2. Requests For Impact Assessment Information. Service Provider shall promptly provide the information requested by Hyland to assist in conducting a data protection impact assessment pursuant to the LGPD.
3. Requests Directed to Service Provider. Service Provider agrees to assist Hyland in responding to a request from a Data Subject to exercise any of his/her rights as provided for under the LGPD. In the event a Data Subject submits such a request with respect to the Data Subject’s Personal Data, Service Provider agrees to comply with the request within five (5) business days of receiving the request from Hyland. Service Provider will immediately provide Hyland with any requests concerning Personal Data that are sent directly to Service Provider from parties other than Hyland.
SERVICE PROVIDER’S SUB-PROCESSORS
1. Consent To Processing By Sub-Processors. Service Provider will not disclose Personal Data to any sub-processor without Hyland’s prior written consent. In the event that Hyland consents to Service Provider’s disclosure of Personal Data to a sub-processor, Service Provider shall remain responsible for, and remain liable to, Hyland for, the acts and omissions of such sub-processor as if they were Service Provider’s own acts and omissions.
2. Sub-processors’ Physical, Technical And Administrative Safeguards: Service Provider shall obtain reasonable assurances, in writing, from any sub-processor to whom Service Provider discloses Personal Data. Such assurances shall include at least the following: that the sub-processor (1) will comply with substantially the same restrictions and conditions on Processing of Personal Data that this Addendum imposes on Service Provider, including the restrictions on cross-border data transfers; (2) will implement reasonable and appropriate physical, technical and organizational safeguards to protect Personal Data in compliance with the LGPD; and (3) will notify Service Provider within 24 hours of becoming aware of any Personal Data Breach involving Personal Data.

SERVICE PROVIDER’S OBLIGATIONS UPON TERMINATION OF THE SERVICE AGREEMENT
1. Return Or Destruction Of Personal Data. Upon Hyland's written instruction, Service Provider shall return or destroy Personal Data. If Hyland directs Service Provider to destroy the Personal Data, Service Provider shall do so in a manner reasonably intended to prevent recovery of the Personal Data and shall certify to the same in writing.
2. Service Provider’s Retention Of Personal Data. If local law requires Service Provider to retain a copy of any Personal Data, then Service Provider shall (1) notify Hyland of such requirement, (2) extend the protections of this Addendum to the retained Personal Data and (3) limit further Processing of the retained Personal Data to those purposes Required By Law for as long as Service Provider maintains the Personal Data.
3. Survival. Service Provider’s obligations and duties under this Addendum with respect to Personal Data shall survive the termination of the Service Agreement and of this Addendum and shall continue for as long as the Personal Data remains in the possession of Service Provider or of its sub-processors.
MISCELLANEOUS TERMS
1. Indemnification. Service Provider shall defend and indemnify Data Processor, its parent and subsidiary corporations, officers, directors, employees and agents for any and all claims, charges, inquiries, investigations, costs, reasonable attorneys’ fees, monetary penalties, and damages incurred by Hyland and/or its parent or subsidiary corporations, officers, directors, employees and agents resulting from (1) any Processing of Personal Data not permitted by the Services Agreement including this Addendum, (2) any Personal Data Breach involving Personal Data in the possession, custody or control of Service Provider or its sub-processors, in the event such Personal Data Breach results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
2. Indemnification Process. The foregoing indemnification obligations are conditioned upon Hyland: (1) notifying Service Provider promptly in writing of any claim, charge, inquiry, or investigation as described in Section 7.1 above; (2) reasonably cooperating and assisting in defense of such claim, charge, inquiry, or investigation; and (3) giving sole control of the defense and any related settlement negotiations to Service Provider with the understanding that Service Provider may not settle any claim in a manner that admits guilt or otherwise prejudices Hyland, without Hyland’s consent.
3. Construction. This Addendum supersedes any inconsistent provisions in the Services Agreement and/or other existing agreements between the Hyland and Service Provider with respect to Service Provider’s obligation to safeguard Personal Data.

APPENDIX A

Subject Matter and During of the Processing	The subject matter of the Processing is Service Providers provision of Services under the Services Agreement. The duration of the Processing is the term of the Services Agreement, and any exit period, if applicable.
Nature and Purpose of the Processing	The purpose of the Processing is to provide the Services as set forth in the Services Agreement. The nature of the Processing may include, but is not limited to, collection, recording, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Type of Personal Data Processed	The Personal Data transferred may concern the following categories of data subjects: *Employees* - Past, potential, present and future staff of Hyland (including job candidates, volunteers, agents, independent contractors, interns, temporary and casual workers). *Vendors* - Past, present and potential advisors, consultants, vendors, contractors, subcontractors and other professionals engaged by Hyland and related staff. *Website visitors* – Individuals who visit any Hyland owned or operated website. *Hyland Customers or End Users (collectively, “Customers”)* – (a) Past, present and potential Customers of Hyland, and (b) data subjects whose Personal Data is uploaded or provided by Customers to Hyland during use of Hyland’s services or products.
Categories of Personal Data Processed	The Personal Data transferred may concern the following categories: *Employees* Identification data: civil/marital status; first and last name; photograph; date and place of birth; nationality; corporate identifier; gender. Contact details: address; telephone number (fixed and mobile); email address; fax number; emergency contact information. Employment details: job title; company name; grade, occupation code; geographic location; employee performance and evaluation data; employee discipline information; information regarding previous roles and employment; employee benefits information such as election decisions, leave requests, authorization/declination, health insurance company. National identifiers: national ID/passport number; tax ID; government identification number; driver's license, visa or immigration status. Academic and professional qualifications: degrees; titles; skills; language proficiency; training information; employment history; CV/résumé. Financial data: bank account number; IBAN number; bank details including bank name, bank code, sort code; salary and compensation data; bonuses; pension qualification information; payroll data; tax class; tax office name. IT related data: computer ID; user ID and password; domain name; IP address; log files; software and hardware inventory; software usage pattern tracking information (i.e., cookies and information recorded for operation and training purposes). Lifestyle: hobbies; social activities; holiday preferences. *Vendors* Identification data: first and last name; date of birth; place of birth; nationality; photograph; vendor ID. Contact details: address; professional email address; professional telephone number (including mobile telephone number). Professional details: job title; employer; academic and professional qualifications; data related to transactions involving goods and services. National identifiers: tax ID; government identification number. Financial data: bank account number; bank details. *Website visitors* IT-related data: unique device identifiers, dynamic and static Internet Protocol addresses, as well as other information, such as browser characteristics, language preferences, operating system details, referring URLs, length of visits, and pages viewed. *Customers, potential Customers and/or their staff, each as applicable* Contact information (including name, physical address, e-mail and telephone numbers); Employer; Job title; Login credentials; Account profile, including interests and photograph; Applications for Hyland’s educational opportunities, including name, contact information, references, programming experience, and application essays; Dietary preferences and restrictions; Order information for trainings courses; Training records including courses taken, certifications completed, and scores and grades; Questions, feedback, comments and other postings, including through https://community.hyland.com; Other information the Customer chooses to provide; Information provided by third parties: data relating to the Customer, potential Customer or staff having clicked on a Hyland advertisement posted on a third party website; Information provided by third parties, where a Customer attends a Hyland event sponsored by a third party: including name, e-mail address, and phone number; Versions of Hyland Group company software used and how the software is being used (what functions, how often etc.); bank account number; bank details; credit card details; purchasing history; return history; cancellation history; and Personal Data submitted by a Customer in the course of the Customer's use of Hyland's Services or during the performance of Services under the Service Agreement.
Categories of Sensitive Personal Data Processed	No collection of any sensitive data by a Service Provider is anticipated other than employee data required to provide Services in connection with valid employment purposes or to the extent required by applicable law. Such collection will only concern limited sensitive data, for example, health-related information for the purpose of managing employee absences, or disabilities in order to provide access to our premises.

Global Data Processing Addendum

Version

Effective September 29th 2022

Download

Confidential - Ó 2022 Hyland Software, Inc.

Global Data Processing Addendum

This Global Data Processing Addendum together with all appendices and addenda (“DPA”) forms part of the Master Services Agreement (or similar agreement under which Services are provided to Hyland) (“Services Agreement”) which incorporates this DPA by reference.

1. DEFINITIONS

Any capitalized term not defined herein shall have the meaning given to that term under the Services Agreement.

1.1 “Adequacy Determination” means a final determination by a Regulator that the laws of a third country provide an adequate level of protection for Personal Data when that Personal Data is transferred from the jurisdiction of the governmental authority to the third country.

1.2 “Data Protection Law” means: (i) all privacy, security, data protection, direct marketing, consumer protection, and workplace privacy laws, rules, requirements and regulations of any relevant jurisdiction; and (ii) all current industry standards, guidelines, and practices with respect to privacy, security, data protection, direct marketing, consumer protection, and workplace privacy, including the collection, processing, storage, protection, and disclosure of Personal Data, in each case as applicable to the processing of Personal Data in connection with this DPA.

1.3 “Data Subject” means an identified or identifiable natural person as defined by applicable Data Protection Law and whose Personal Data is Processed, on Hyland’s behalf, by Service Provider or its Sub-processor.

1.4 “EU SCCs” means the Commission Implementing Decision (EU) 2021/914 establishing Standard Contractual Clauses for data transfers to Third Countries.

1.5 “Hyland” means Hyland Software, Inc. located at 28500 Clemens Rd., Westlake, Ohio 44145 on behalf of itself and its affiliates. The term affiliates shall be deemed to include any parent company, subsidiary, affiliate of, or entity controlled by (including beneficial control), controlling or under common control with Hyland.

1.6 “Personal Data” means any individually identifiable information related to a Data Subject and received by Service Provider from, or received or created on behalf of, Hyland. Personal Data includes Sensitive Personal Data.

1.7 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed when that Personal Data is in the possession of Service Provider or its agents or subcontractors.

1.8 “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.9 “Regulator” means the competent supervisory authority or regulatory body under applicable Data Protection Law.

1.10 “Sensitive Personal Data” means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health, sex life, or sexual orientation, genetic data and biometric data when Processed for the purpose of uniquely identifying a natural person, and also includes information about criminal history as well as any other information characterized as “sensitive” under applicable Data Protection Laws.

1.11 “Sub-processor” means an entity that Processes Personal Data at the request of Service Provider.

2. SERVICE PROVIDER’S PROCESSING OF PERSONAL DATA

2.1 Instructions for Processing Personal Data. Service Provider agrees to Process Personal Data solely to provide the Services and in accordance with the Data Processing Particulars, except where otherwise required by law. Service Provider shall inform Hyland without undue delay if, in its reasonable opinion, an instruction issued by Hyland violates applicable Data Protection law.

2.2 Duration of Processing. Service Provider shall Process Personal Data only for the duration set out in Data Processing Particulars.

3. SERVICE PROVIDER’S SAFEGUARDS FOR PERSONAL DATA

3.1 Confidentiality Of Personal Data. Service Provider will maintain the confidentiality of all Personal Data. Service Provider will ensure that all personnel authorized to Process Personal Data have signed a confidentiality agreement or are otherwise under an appropriate statutory obligation of confidentiality.

3.2 Physical, Technical And Organizational Safeguards. Service Provider will maintain a comprehensive written information privacy and security program that includes reasonable and appropriate measures to protect against reasonably foreseeable risks to the security, confidentiality, integrity and resilience of Personal Data, which risks could result in the unauthorized disclosure, use, alteration, destruction or other compromise of the Personal Data, including a Personal Data Breach. Such program shall comply with the requirements of applicable Data Protection Laws concerning the protection of Personal Data and to the extent that Addenda I or II apply, such measures shall include, at a minimum, the measures set forth in Appendix A (Security Measures) attached hereto and incorporated herein. Service Provider shall also maintain in accordance with good industry practice, measures to protect Personal Data from interception such as: (i) network protections intended to deny attackers the ability to intercept or access Personal Data; and (ii) anonymization or other measures to deny attackers the ability to read intelligible Personal Data, including encryption in transit between Service Provider and any third party. Service Provider will provide Hyland with such information concerning its information security program as Hyland may reasonably request from time to time. If Service Provider Processes Sensitive Personal Data, Service Provider shall apply specific restrictions and/or additional safeguards.

3.3 Reporting Personal Data Breaches. Service Provider will report to Hyland any Personal Data Breach of which it becomes aware. Service Provider will make such report orally to Hyland within 24 hours of Service Provider’s becoming aware of the Personal Data Breach followed by a report in writing (e-mail is acceptable) within 24 hours of the initial oral report. The written report shall include, at a minimum subject to the availability of necessary information, the following: (1) a description of the Personal Data Breach; (2) the date that the Personal Data Breach occurred; (3) the date that Service Provider became aware of the Personal Data Breach; (4) the identity and last known mailing address of each affected Data Subject; (5) the approximate number of affected Personal Data records involved; (6) the affected categories of Personal Data, including Sensitive Personal Data, if any, for each affected Data Subject that was affected; (7) the approximate number of Data Subjects affected; (8) an identification of any law enforcement agency or Regulator that has been contacted about the incident and contact information for the relevant official; (9) a description of the steps that have been, or will be, taken to mitigate the incident; (10) a description of the steps that have been, or will be, taken to prevent a recurrence; (11) the likely consequences of the Personal Data Breach; (12) contact information for the person at Service Provider principally responsible for responding to the Personal Data Breach and who can provide more details about the Personal Data Breach; and (13) any other information required by applicable Data Protection Law. Service Provider will update such written report periodically as new information becomes available.

3.4 Hyland Breach Response Point of Contact. All written reports shall be made to: Hyland Legal Department, Attn: Privacy Officer, 28500 Clemens Rd. Westlake, Ohio 44145, 440-788-5000, privacy@hyland.com. Service Provider acknowledges that its determination that a particular set of circumstances constitutes a Personal Data Breach shall not be binding on Hyland.

3.5 Mitigation Of Damages By Service Provider And Cooperation in Investigation. Service Provider agrees to take, at its own expense, measures reasonably necessary to mitigate any harmful effect of a Personal Data Breach. Service Provider agrees to cooperate, at its own expense, with Hyland in its investigation of any Personal Data Breach. Service Provider will reimburse Hyland for all imputed and out-of-pocket costs reasonably incurred by Hyland in connection with the Personal Data Breach, including, but not limited to, costs related to provision of notices to affected Data Subjects and to any services offered to affected Data Subjects.

3.6 Notifications Related To A Personal Data Breach. Service Provider acknowledges that as between Hyland and Service Provider, Hyland shall determine: (1) whether and when to notify any Data Subject or Regulator and which Regulator to notify; (2) who will provide notice to Data Subjects with respect to any Personal Data Breach; (3) the content of any such notice(s); (4) the timing for, and method of, delivery of any such notice(s); and (5) the products or services, if any, to be offered to affected Data Subjects. Service Provider shall not disclose the fact that a Personal Data Breach has occurred or any details related to a Personal Data Breach to any third party without Hyland’s written consent, unless otherwise required by law.

3.7 Third Party Access Requests. In the event Service Provider receives a request from any third party, including without limitation, any law enforcement, regulatory, judicial or governmental authority, for disclosure of, or access to, Personal Data, Service Provider will not disclose or provide such access unless instructed to do so by Hyland or as otherwise required by law. Where Service Provider is legally required to disclose Personal Data in accordance with an applicable lawful process, Service Provider shall: (i) immediately notify Hyland of such order (unless prohibited by applicable law); (ii) inform the requesting third party that Service Provider is not authorized to disclose such Personal Data and that all demands shall be directed to Hyland; and (iii) to the extent that Service Provider reasonably believes the order is overly broad use reasonable efforts to challenge the scope or validity of the order.

4. SERVICE PROVIDER’S ASSISTANCE WITH AUDITS AND DATA SUBJECT REQUESTS

4.1 Availability Of Records Of Processing. To the extent required by applicable Data Protection Law, Services Provider shall maintain a record of processing activities. Service Provider shall promptly, after a reasonable request from Hyland, make available to Hyland all information necessary to demonstrate Hyland’s compliance with its obligations established under applicable Data Protection Laws. Service Provider shall notify Hyland without undue delay if it becomes aware that the Personal Data it is Processing on Hyland’s behalf is inaccurate or has become outdated.

4.2 Information Technology Audits. Service Provider will permit Hyland, directly or through a contractor, to conduct site audits of the information technology and information security controls for all facilities used to Process Personal Data so that Hyland can ensure that Service Provider provides the appropriate level of security for the Personal Data. Where required to do so by applicable Data Protection Laws, the Parties shall make the results of such audits available to relevant Regulators. Where applicable, Hyland may share the results of any such audit with its applicable customer(s).

4.3 Requests For Privacy Assessment Information. Service Provider shall promptly provide the information reasonably requested by Hyland to assist Hyland in conducting a data privacy assessment.

4.4 Requests Directed to Service Provider. Service Provider agrees to assist Hyland in responding to a request from a Data Subject to exercise any of his/her rights as provided under applicable Data Privacy Laws. In the event a Data Subject submits such a request to Hyland with respect to the Data Subject’s Personal Data processed by Service Provider, Service Provider agrees to comply with the request within 5 business days of receiving the request from Hyland. Service Provider will immediately provide Hyland with any requests concerning Personal Data that are sent directly to Service Provider from parties other than Hyland. Service Provider shall not respond to the request itself, unless authorized by Hyland to do so.

5. SERVICE PROVIDER’S SUB-PROCESSORS

5.1 Consent To Processing By Sub-Processors. Hyland authorizes Service Provider to engage the Sub-Processors listed in the Data Processing Particulars . Service Provider shall notify Hyland at least thirty (30) days prior to authorizing any new Sub-Processor to Process Personal Data. Where such rights are granted by applicable Data Protection Law, Hyland may object to any new Sub-Processor by Service Provider. If Service Provider continues use of such Sub-Processor after Hyland’s reasonable objection, then Hyland may elect to immediately (without prejudice to accrued fees or other rights under the Services Agreement) suspend or terminate the applicable Services Agreement. Service Provider will not disclose Personal Data to any third party, including Sub-processors, without Hyland’s prior written consent. Service Provider shall remain fully responsible for, and remain liable to, Hyland for, the acts and omissions of its Sub-processors as if they were Service Provider’s own acts and omissions.

5.2 Sub-processors’ Physical, Technical And Administrative Safeguards. Service Provider shall obtain reasonable assurances, in writing, from any Sub-processor to which Service Provider discloses Personal Data or that creates or receives Personal Data on Hyland’s behalf. Such assurances shall include at least the following: that the Sub-processor: (1) will comply with substantially the same restrictions and conditions on Processing of Personal Data that this DPA imposes on Service Provider, including the applicable restrictions on cross-border data transfers; (2) will implement reasonable and appropriate physical, technical and organizational safeguards to protect Personal Data at least in compliance with applicable Data Protection Law; and (3) will notify Service Provider within 24 hours of becoming aware of any Personal Data Breach.

5.3 Sub-Processor Agreements. To the extent permitted by applicable Data Protection Law and at Hyland’s request, Service Provider shall provide a copy of all Sub-processor agreements and any subsequent amendments. To the extent necessary to protect business secret or other confidential information, including Personal Data, the Service Provider may redact text of the agreement prior to sharing the copy.

6. JURISDICTION - SPECIFIC TERMS

6.1 The Parties acknowledge that certain jurisdictions require the Parties to provide additional protections for Personal Data. Such additional jurisdiction-specific terms are contained in the following addenda and are incorporated by reference into this DPA. Each addendum, to the extent applicable, is binding on the Parties as follows:

6.1.1 Addendum I (EEA & Switzerland): Addendum I applies when Service Provider Processes, in a country not subject to an Adequacy Determination, Personal Data related to a Data Subject residing in the European Economic Area (“EEA”) or Switzerland.

6.1.2 Addendum II (UK): Addendum II applies when Service Provider Processes Personal Data, in a country not subject to an Adequacy Determination, related to a Data Subject residing in the United Kingdom (“UK”).

6.1.3 Addendum III (California, USA): Addendum III applies when Hyland is subject to the California Privacy Rights Act (“CPRA”), and Service Provider Processes Personal Data of a Data Subject residing in California.

7. SERVICE PROVIDER’S OBLIGATIONS UPON TERMINATION OF THE SERVICE AGREEMENT

7.1 Term. This DPA shall have a term commencing on the Effective Date and will terminate automatically upon the termination or expiration of the Services Agreement.

7.2 Return Or Destruction Of Personal Data. Upon termination of the Services Agreement or in response to Hyland’s written request at any time, and pursuant to Hyland's written instruction, Service Provider shall return or destroy Personal Data. If Hyland directs Service Provider to destroy Personal Data, Service Provider shall (a) do so in a manner reasonably intended to prevent recovery of the Personal Data, (b) ensure that any Sub-processor that Processes Personal Data also has done so, and (c) promptly provide Hyland with a certification to the same in writing. If Hyland directs Service Provider to return Personal Data, Service Provider shall promptly return the Personal Data in its possession and in the possession of any Sub-processor and shall retain no copies thereof unless required to do so by applicable law.

7.3 Service Provider’s Retention Of Personal Data. If applicable law requires Service Provider to retain a copy of any Personal Data, then Service Provider shall (1) notify Hyland of such requirement, (2) extend the protections of this DPA to the retained Personal Data, and (3) limit further Processing of the retained Personal Data to those purposes required by law for as long as Service Provider maintains the Personal Data.

7.4 Survival. Service Provider’s obligations and duties under this DPA with respect to Personal Data shall survive the termination of the Services Agreement and of this DPA and shall continue for as long as the Personal Data remains in the possession of Service Provider or of its Sub-processors.

8. MISCELLANEOUS TERMS

8.1 Indemnification. Service Provider shall defend, indemnify and hold harmless Hyland, its parent and subsidiary corporations, officers, directors, employees and agents for any and all claims, charges, inquiries, investigations, costs, reasonable attorneys’ fees, monetary penalties, judgments, and damages incurred by Hyland and/or its parent or subsidiary corporations, officers, directors, employees and agents resulting from (1) any Processing of Personal Data not permitted by the Services Agreement and this DPA and (2) any Personal Data Breach caused by Service Provider’s or its Sub-Processors acts or omissions.

8.2 Indemnification Process. The foregoing indemnification obligations are conditioned upon Hyland: (1) notifying Service Provider promptly in writing of any claim, charge, inquiry, or investigation as described in the Indemnification section above; (2) reasonably cooperating and assisting in defense of such claim, charge, inquiry, or investigation; and (3) giving sole control of the defense and any related settlement negotiations to Service Provider with the understanding that Service Provider may not settle any claim in a manner that admits guilt or otherwise prejudices Hyland, without Hyland’s consent.

8.3 Construction. This DPA supersedes any inconsistent provisions in the Services Agreement and/or other existing agreements between Hyland and Service Provider (other than the agreements referenced in Jurisdiction Specific Terms section of this Agreement) with respect to Service Provider’s obligation under this DPA.

ADDENDUM I

EEA and Switzerland

The Parties agree that transfers of Personal Data from the European Economic Area or Switzerland (collectively the “EEA”) shall be governed by the EU SCCs (as supplemented by this DPA), which are incorporated herein by reference.

The Parties further agree that the EU SCCs shall be completed as follows:

Module 2 shall apply unless Hyland is a Processor in which case Module 3 will apply.
Clause 7, the optional docking clause will not apply.
Clause 9(a), Option 2 will apply. Hyland authorizes Service Provider to engage Sub-Processors as set forth in Section 5 of this DPA.
Clause 11, the optional redress language will not apply.
Clause 17, Option 1 will apply, and the EU SCCs shall be governed by the law specified in the Services Agreement, provided that law is an EU Member State recognizing third party beneficiaries, otherwise the laws of the Netherlands shall apply.
Under Clause 18(b), disputes will be resolved before the courts specified under the Services Agreement, provided those courts are in an EU Member State recognizing third party beneficiaries, otherwise those courts shall be the courts of the Netherlands.
Annex I of the EU SCCs shall be deemed completed with the information set out in the Data Processing Particulars.
Annex II of the EU SCCs shall be deemed completed with the information set out in Appendix A.
Annex III of the EU SCCs shall be deemed completed with the information set out in the Data Processing Particulars.

In relation to Personal Data that is protected by the Swiss Federal Act on Data Protection, the EU SCCs will apply as completed herein and as adapted below:

The Swiss Federal Data Protection and Information Commissioner (“Swiss DPA”) is the exclusive supervisory authority, and each reference to a “supervisory authority” shall be understood to be a reference to the Swiss DPA.
The term “member state” will not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of enforcing their rights in their place of habitual residence (Switzerland) in accordance with Clause 18 and the choice of law in Clause 17 shall be the applicable Swiss law.
References to the GDPR and EU SCCs shall include equivalent provisions of the Swiss Federal Act on Data Protection.

Signatures to the Services Agreement shall constitute all necessary signatures to the EU SCCs, including the Annexes attached thereto.

ADDENDUM II

United Kingdom

Part 1: Tables

TABLE 1: Parties
Start date	Effective Date as defined in the Services Agreement.
The Parties	Exporter (who sends the Restricted Transfer)	Importer (who receives the Restricted Transfer)
Parties’ details	Full legal name: Hyland on behalf of its affiliates located in the United Kingdom, including the following: Hyland UK Operations Limited Hyland UK Holdings Limited Hyland Software UK Ltd. Hyland Software Solutions UK Ltd. Nuxeo Group Limited Nuxeo Limited Trading name (if different): n/a Main address (if a company registered address): As specified in the Services Agreement Official registration number (if any) (company number of similar identifier):	Full legal name: Service Provider, as set forth in the Services Agreement. Trading name (if different): Main address (if a company registered address): As specified in the Services Agreement Official registration number (if any) (company number of similar identifier):
Key Contact	Full Name (optional): Job Title: Global Privacy Officer Contact Details including email: privacy@hyland.com	Full Name (optional): Job Title: Contact Details including email: As set forth in the Data Processing Particulars
Signature (if required for purposes of Section 2)	Signatures to the Services Agreement shall constitute all necessary signatures to this Addendum II.	Signatures to the Services Agreement shall constitute all necessary signatures to this Addendum II.

TABLE 2: Selected SCCs, Modules, and Selected Clauses
Addendum EU SCCs	The version of the Approved EU SCCs which this Addendum is appended, including the Appendix Information.

TABLE 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in.
Annex 1A: List of Parties:	As described in the Data Processing Particulars
Annex 1B: Description of Transfer:	As described in the Data Processing Particulars
Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data:	As described in the DPA, Appendix A
Annex III: List of Sub processors (Modules 2 and 3 only):	As described in the Data Processing Particulars

TABLE 4: Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum Changes

Which Parties may end this Addendum as set out in Section 19:

Importer

Exporter

Part 2: Mandatory Clauses

Mandatory Clauses

Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section ‎‎18 of those Mandatory Clauses.

ADDENDUM III

California, USA

The following additional provisions apply to Service Providers ’s Processing of the Personal Information that is subject to the CCPA and/or CPRA, as applicable.

a. Definitions: Unless otherwise indicated in this DPA, the capitalized terms used in this section shall have the meaning assigned to them in the California Privacy Rights Act (“CPRA” or the “Act”), codified at Cal. Civ. Code §1798.100 et seq., effective January 1, 2023.

i. “Business Purpose(s)” means Processing Personal Information on behalf of Hyland for the following purposes: (i) to provide the Services as specifically defined in the Services Agreement; (ii) to detect security incidents or protect the Personal Information against malicious, deceptive, fraudulent or illegal activity; or (iii) otherwise as expressly permitted by the CPRA or the CPRA Regulations.

ii. “CCPA” means Title 1.81.5 California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100–1798.199), as amended or superseded from time to time.

iii. “Consumer” means a California resident (a) who is a natural person, and (b) whose Personal Information is Processed by Service Provider on Hyland’s behalf for the purposes stated in the Services Agreement and this DPA.

iv. “CPRA Regulations” means final regulations implementing the CPRA after those regulations go into effect.

v. “Personal Information” shall have the meaning set forth in the CPRA but shall be limited to Personal Information of California Consumers which Service Provider Processes on Hyland’s behalf pursuant to the Services Agreement and this DPA.

b. Processing Of Personal Information: Hyland is a Business and appoints Service Provider as its Service Provider (as defined under the CPRA) to Process Personal Information only for the Business Purposes. Service Provider shall comply with all applicable sections of the CPRA and/or the CPRA Regulations, including providing the same level of protection for Personal Information as the CPRA requires Hyland, as a Business, to provide. Service Provider grants Hyland the right to take reasonable and appropriate steps to help ensure that Service Provider uses Personal Information consistent with the CPRA and to stop and remediate unauthorized use of Personal Information.

c. Restrictions On Processing Personal Information: Service Provider is prohibited from: (i) Processing Personal Information for any purposes but for the Business Purposes; (ii) Processing Personal information for any additional commercial purpose (other than the Business Purposes) including in the servicing of a different business, unless otherwise expressly permitted by the CPRA or the CPRA Regulations; (iii) Processing Personal Information outside the direct business relationship between Hyland and Service Provider unless otherwise expressly permitted by the CPRA or the CPRA Regulations; (iv) Selling or Sharing Personal Information; (v) combining Personal Information with personal information that it receives from, or on behalf of, another person or persons, or Collects from its own interaction with a Consumer (except as permitted by the CPRA Regulations); or (vi) Processing the Personal Information for any other purpose except as permitted by this DPA.

d. Inability To Comply With CPRA: Service Provider shall, within 5 business days, notify Hyland after Service Provider determines that it no longer can meet its obligations under this Addendum, the CPRA or the CPRA Regulations. In the event of Service Provider’s inability to meet its obligations, Hyland may, in its discretion, (i) take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Information, or (ii) terminate the Service Agreement.

APPENDIX A

Security Measures

Taking into account

the state of the art,
the costs of implementation and
the nature, scope, context and
the purpose of processing as well as
the risk of varying likelihood and severity for the rights and freedoms of natural persons ,

Service Provider shall maintain a comprehensive written information privacy and security program that includes reasonable and appropriate measures to protect against reasonably foreseeable risks to the security, confidentiality, integrity and resilience of Personal Data. Such program shall include those measures set forth in the Services Agreement and the DPA, including, at a minimum, the following:

Administrative Controls

A person or committee responsible for Service Provider’s information security and privacy program;
Policies and procedures to investigate, mitigate, and provide notice of a Personal Data Breach;
Vulnerability management program to identity, prioritize and remediate security vulnerabilities;
Employees that are subject to confidentiality commitments and understand their obligations and responsibilities in relation to the Service Provider’s information privacy and security program;
A security awareness training program, which includes periodic security reminders and updates;
A password policy, requiring complex passwords, a maximum password age, a minimum password complexity, account lockout policies and other logon restrictions; and
Disaster recovery and business continuity procedures.

Physical Controls

Policies and procedures to safeguard the facilities and equipment that house Personal Data against unauthorized physical access, theft or destruction;
Procedures to control and validate access to facilities that house Personal Data based on role/function, including visitor control;
Physical safeguards for all workstations that access Personal Data to restrict access from authorized users; and
Permanently and securely destroying or removing Personal Data from hardware prior to final disposition.

Technical Controls

Policies and procedures to limit access rights based on the principle of least privilege;
User access controls that address timely provisioning and de-provisioning of user accounts;
Workstations that are set to lock automatically after a set period of inactivity;
Encryption at rest and in transit of Personal Data;
Industry standard anti-malware software used on all endpoints with behavioral based protection against ransomware and other exploits;
Procedures to ensure that all security patches are applied in a timely manner;
Operating system and application patches and updates pushed regularly;
Network segregation including but not limited to the separation of all Hyland Personal Data stored by Service Provider;
An external audit program, tested at least annually; and
Completed attestations, such as SOC 2 reports, shall be provided to Hyland upon written request.

Hyland Poland Sp. zoo Purchase Order Terms and Conditions

Version

Effective June 6th 2024

Download

HYLAND POLAND SP. Z O.O.

PURCHASE ORDER TERMS AND CONDITIONS

1. Scope and Acceptance. This purchase order (“P.O.”) is a complete and binding agreement between Hyland Poland Sp. z o.o. (“Hyland”) and the supplier identified by Hyland on the face of this P.O. (“Supplier”). This P.O. covers Hyland’s purchase of: (a) software licenses, tangible goods or deliverables in the nature of intellectual property or work products developed specifically for Hyland by Supplier or any subcontractor of Supplier in the performance of services to Hyland (“Goods”); or (b) services (“Services”). This P.O. is effective upon the first to occur of Supplier’s commencement of fulfillment or acceptance in accordance with the terms of an applicable agreement described in Section 2 below.

2. Relationship to Other Agreements. If Hyland and Supplier have both signed a written agreement on or before the date this P.O. is placed by Hyland, which relates specifically to the Goods or Services covered by this P.O. and which is effective at the date this P.O. is placed by Hyland, then the provisions of that agreement are incorporated into this P.O. If any conflict exists or arises between the terms of this P.O. and the terms of that agreement, then the terms of that agreement will apply. If Hyland and Supplier are parties to more than one agreement described in the preceding sentence and the terms of those agreements have similar or contradictory terms, then the most favorable terms to Hyland will apply, except to the extent the result would be unconscionable or prohibited by law. No other, additional or different terms will supersede the terms of this P.O.

3. Prices; Shipping Charges; Taxes; Payment Terms.

(a) All prices for Goods or Services covered by this P.O. are the prices included on the face of this P.O. If the P.O. does not include pricing, then the prices under this P.O. will be Supplier’s lowest prevailing market price for each covered Good or Service.

(b) Prices are exclusive of shipping and handling charges and all other expenses incurred by Supplier or its subcontractors in providing Goods or Services and performing under this P.O. Supplier is responsible for all such shipping and handling charges and other expenses.

(c) Prices are exclusive of taxes. Save for the next sentence, Hyland is not responsible for any taxes that Supplier is obligated to pay, including without limitation income taxes. Hyland will pay to Supplier value added taxes Hyland owes in connection with this P.O. and which Supplier is legally required to collect from Hyland.

(d) Terms of payment are 2% net 10 days or net 60 days, at Hyland’s election, after Hyland’s receipt and acceptance of the Goods or Services and a correct and undisputed invoice. Payment is not deemed to constitute acceptance of the Goods or Services.

4. Invoices. Each invoice must contain the P.O. number, description of Goods or Services, quantities, unit prices, extended totals, shipping information, taxes and any other information reasonably required by Hyland to verify accuracy and process payment. All invoices shall be sent to payableinvoices@hyland.com. Supplier is responsible for any costs or expenses incurred by Supplier associated with researching, reporting on or correcting any invoice errors. Hyland may dispute any invoice by providing oral or written notice or partial payment. Neither the failure to provide notice nor payment or partial payment is a waiver by Hyland of any claim or right of Hyland.

5. Deliveries; Risk of Loss; Packaging; Returns.

(a) All deliveries of Goods will be made: (1) F.O.B. to the Hyland location designated for delivery if the Goods originate in the same jurisdiction as that location; or (2) DDP (Incoterms 2010) to the Hyland location designated for delivery for cross border deliveries to that location. Supplier will not charge Hyland for packaging or pre-shipping costs such as crating, handling, damage, drayage or storage. Hyland will pay only for the quantity received, not to exceed the maximum quantity ordered.

(b) Supplier bears all risk of loss, damage or destruction of Goods occurring prior to final acceptance by Hyland of the Goods at the Hyland location designated for delivery, except to the extent caused by the gross negligence of Hyland employees after receipt and prior to acceptance of the Goods.

(c) Supplier shall cause all shipping containers to be packed and packaged to ensure safe arrival at final destination, secure the lowest shipping charges, comply with requirements of common carriers and meet all legal requirements. Supplier shall include itemized packing list in each container.

(d) Buyer reserves the right to return for full credit any excess over-shipped quantities. Supplier is responsible for all costs and expenses of returns, including shipping charges, for over-shipped quantities or for rejected items.

6. Inspection and Acceptance.

(a) All Goods and Services are subject to Hyland’s inspection and testing prior to final acceptance. No inspection or testing done prior to final acceptance relieves Supplier from responsibility for any defects, non-conformities or other failures to meet the requirements of this P.O.

(b) If an item does not conform to the requirements, then Hyland may reject it and require its correction or replacement within a specified period of time, accept it with an adjustment in price or return it to Supplier for full credit.

(c) All Goods and Services are subject to final acceptance by Hyland after receipt at the Hyland location designated for delivery, within a reasonable time after delivery or performance.

7. Title to Goods. Supplier will convey to Hyland good and merchantable title to all Goods (other than software that is licensed), which will pass from Supplier to Hyland upon final acceptance.

8. Intellectual Property.

(a) Each party will own and retain all right, title and interest in and to any pre-existing intellectual property and any intellectual property developed outside of the Goods and Services subject to this P.O.

(b) If Goods that are deliverables created or developed by Supplier, working either alone or in conjunction with others, in the performance of Services include materials subject to copyright, patent, trade secret or other proprietary rights protection, Supplier hereby irrevocably assigns to Hyland, and if such assignment in advance shall not be deemed to be effective, shall irrevocably assign to Hyland, all ownership rights and other right, title and interest Supplier or any of its personnel may have in any such deliverables and related items. In addition, the parties agree that Hyland shall own on an exclusive basis all right, title and interest in and to any intellectual property developed, discovered, conceived or introduced by Supplier and represented by or embodied in any of the deliverables or related items described in this paragraph (b), including, but not limited to, all patents, patent applications, copyrights and other intellectual property rights relating to or associated therewith, and Supplier hereby irrevocably assigns to Hyland, and if such assignment in advance shall not be deemed to be effective, shall irrevocably assign to Hyland, all ownership rights and other right, title and interest Supplier or any of its personnel may have in any such intellectual property. When the Goods are or contain original works of authorship (“Works”), for remuneration for Goods and Services, Supplier assigns to Hyland, and Hyland receives, always at the time when the Goods are delivered to Hyland, without the necessity to make any separate statements in this respect, all copyrights to the Works, along with the right to exercise derivative copyright and the exclusive right to permit the exercise of derivative copyright on works derived from Works, within the scope of use and disposition without any territorial restrictions, for the statutory term of copyrights, in every form of exploitation known by the day of their assignment including every form of exploitation stated in Article 50 and Article 74.4. of Act of Copyrights and Related Rights (unified text Journal of Laws of 2018, unit 1191), including inter alia the following forms of exploitation: (a) when original work of authorship is a computer program (including source code): (i) permanent or temporary reproduction of a computer program by any means and in any form, in part or in whole; (ii) translation, adaptation, arrangement and alteration of a computer program in any other way, (iii) distribution of the original computer program or copies thereof to the public, including use or rental; (b) when original work of authorship is not a computer program: (i) with regard to fixing and reproducing a work – producing copies of a work using a specific technique, including printing, reprographic, magnetic recording and digital techniques; (ii) with regard to circulating the original or copies on which the work is fixed – putting into circulation, lending or renting the original or copies; (iii) with regard to distributing the work in a manner different from that set forth in point (ii) – public performance, exhibition, screening, retransmission and broadcasting and rebroadcasting, as well as making the work available to the public in a manner allowing anyone to access it in a place and at a time selected by that person. The Supplier declares that it has obtained from individual authors of the Works, commitments that they will not exercise author’s moral rights towards Hyland, its legal successors, contractors of Hyland and other entities cooperating with Hyland all personal rights to the Works and their constituent elements. Simultaneously, based on the agreements concluded with the authors of the Works, the Supplier authorizes Hyland or any person entitled to the Works to perform personal copyrights to the Works.

(c) If Supplier uses any Supplier or third party intellectual property in any Goods or Services, Supplier will retain all right, title and interest to Supplier’s intellectual property. Supplier grants to Hyland a non-exclusive, irrevocable, perpetual, fully paid-up, royalty-free worldwide license under all current and future intellectual property to use Supplier’s and third party intellectual property consistent with Hyland’s ownership of rights, title and interests under this Section 8.

(d) Supplier may access or obtain Hyland documents, data, know-how, methodologies, functional specifications, software, hardware, processes, techniques and other materials provided by Hyland to perform Services. Hyland shall own and retain all right, title and interest in and to such materials, including all intellectual property therein. Supplier will take reasonable precautions to protect Hyland’s materials against loss, damage, theft or disappearance.

(e) Supplier grants to Hyland a non-exclusive, irrevocable, perpetual, fully paid-up, royalty-free worldwide license for any Goods that include software or intellectual property not subject to a separate license, including installed applications, to use any such Goods.

9. Representations and Warranties. Supplier represents and warrants that:

(a) All Goods that are tangible goods are free from defects in design, materials and workmanship and will perform to the manufacturer’s published specifications in effect on the date of this P.O. All Goods that are or include software or deliverables shall be in conformity in all material respects to the documentation and specifications of such software or deliverables.

(b) All Services shall be performed in a good and workmanlike manner, substantially in accordance with industry standards and in conformity with all requirements of this P.O.

(c) All Goods and Services shall be free from any liability for royalties and any mechanic’s liens, other statutory liens, security interests or encumbrances.

(d) No Goods or Services are governed, in whole or in part, by any software license that requires as a condition of use, modification or distribution that the software or other software combined or distributed with it be (1) disclosed or distributed in source code form; (b) licensed to make derivative works; or (c) redistributable at no charge.

(e) No Goods or Services will contain any viruses or other malicious code that will degrade or infect any Goods, Services, other products, other services or Hyland’s information systems.

(f) Supplier will comply with all applicable foreign, federal, state and local laws, rules and regulations.

Supplier also assigns and passes through to Hyland all third party manufacturers’ and licensors’ warranties and indemnities for any portion of any Goods or Services.

10. Data Protection. If Supplier creates or receives Personal Data (as defined below in paragraph (a)) in the course of performing this P.O., then:

(a) “Personal Data” means any individually identifiable information created or received by Supplier on Hyland’s behalf, or received by Supplier from Hyland — whether in paper, electronic or other form — related to any of Hyland’s customers or member of Hyland’s workforce who is a natural person. Personal Data includes, but is not limited to, name, contact information, Social Security number or other identification number, credit card, debit card, or other financial account number or details with or without any required security code, access code, or password, and compensation information.

(b) Supplier agrees to receive, create, maintain, use, and disclose Personal Data only (1) to the extent necessary to provide services to Hyland pursuant to the terms of the P.O., or (2) as required by law.

(c) Supplier shall maintain a comprehensive written information privacy and security program that includes reasonable and appropriate measures — including technical, physical, and administrative safeguards appropriate to the size and complexity of Supplier’s operations and the nature and scope of its activities — to protect against reasonably foreseeable risks to the security, confidentiality and integrity of Personal Data which risks could result in the unauthorized disclosure, use, alteration, destruction or other compromise of the Personal Data. Supplier represents and warrants that such program complies with all applicable foreign, federal, state, and local laws and regulations concerning the protection of Personal Data. Supplier has and will maintain a process for identifying, assessing, and mitigating the risks to Hyland’s Personal Data in each relevant area of Supplier’s operations and evaluating the effectiveness of the safeguards for controlling these risks. Supplier will regularly monitor, test, and update its information security program. Supplier will provide Hyland with such information concerning its information security program as the Hyland may reasonably request from time to time.

(d) Supplier will maintain (and, if necessary, develop and implement) a written security incident response plan to ensure that any Security Incident will be promptly discovered and promptly reported to Hyland.

(e) Supplier shall report to Hyland any Security Incident discovered by Supplier, regardless of whether the Security Incident results from the actions of Supplier or its agents or subcontractors. Supplier will make such report initially to Hyland within 24 hours of Supplier’s becoming aware of the incident followed by a full report in writing (facsimile or e-mail is acceptable) within 48 hours of the initial report. The full written report shall include, at a minimum subject to the availability of necessary information, the following: (1) a description of the incident; (2) the date that the incident occurred; (3) the date that the incident was discovered; (4) the identity and last known mailing address of each affected individual; (5) the affected categories of information for each affected individual; (6) an identification of any law enforcement agency that has been contacted about the incident and contact information for the relevant official; (7) a description of the steps that have been, or will be, taken to mitigate the incident; (8) a description of the steps that have been, or will be, taken to prevent a recurrence; and (9) contact information for the person at Supplier principally responsible for responding to the Security Incident. Supplier will update the written report periodically as material, new information becomes available. All reports required by this provision shall be made to pursuant to the terms of this P.O. with a copy to safeharbor@hyland.com.

Except upon request of Hyland, Supplier is not required to report to Hyland any unsuccessful Security Incident, provided however, that Supplier shall document and maintain records of such unsuccessful incidents so that Supplier will be able to provide a report in response to Hyland’s reasonable request.

(f) Supplier agrees to take, at its own expense, measures reasonably necessary to mitigate any harmful effect of a Security Incident. Supplier agrees to cooperate, at its own expense, with Hyland in its investigation of any Security Incident. In the event of a Security Incident involving Hyland’s Personal Data in the possession, custody or control of Supplier or its agents or subcontractors, Supplier will promptly reimburse Hyland for all imputed and out-of-pocket costs reasonably incurred by Hyland in connection with the Security Incident, including, but not limited to, costs related to Hyland’s provision of notice of security breach and to any services offered in a security breach notification to affected individuals.

(g) Supplier acknowledges that Hyland shall determine: (1) whether Hyland will provide notice to individuals with respect to any Security Incident; (2) the content of any such notice(s); (3) the timing for, and method of, delivery of any such notice(s); (4) the products or services, if any, to be offered to affected individuals; and (5) whether and when to notify any government agency.

(h) Supplier acknowledges that Supplier has no ownership rights with respect to any Personal Data received from Hyland, or created or received by Supplier on Hyland’s behalf.

(i) Supplier will not disclose Personal Data to any agent or subcontractor without Hyland’s prior written consent. Supplier shall obtain reasonable assurances, in writing, from any agent or subcontractor to whom Supplier discloses Personal Data. Such assurances by the agent or subcontractor will include at least the following: that the agent or subcontractor will: (1) comply with the same restrictions and conditions on the use and disclosure of Personal Data that this Amendment imposes on Supplier; (2) implement reasonable and appropriate physical, technical and administrative safeguards to protect Personal Data; and (3) immediately notify Supplier of any breach of the confidentiality of the Personal Data or of any impermissible use or disclosure of the Personal Data. Such written agreement will identify Hyland as a third-party beneficiary with rights of enforcement and indemnification from such agents or subcontractor in the event of any violation of such agent’s or subcontractor’s agreement with respect to the use or disclosure of Personal Data. Supplier shall implement and maintain sanctions against agents and subcontractors that violate such restrictions and conditions and shall mitigate the harmful effects of any such violation.

(j) Supplier will: (1) immediately notify Hyland of any judicial or administrative order, subpoena, civil discovery request or other legal process requiring or requesting that Supplier produce Personal Data, and (2) allow Hyland adequate time to exercise its legal options to prohibit or limit disclosure of Personal Data before Supplier produces any Personal Data.

(k) Upon termination of the business relationship between the parties related to this P.O., Supplier, at Hyland’s election but at Supplier’s expense, shall return, destroy, or transfer to a third party designated by an authorized Hyland representative in writing, all Personal Data. If Hyland directs Supplier to destroy the Personal Data, Supplier shall do so in a manner reasonably intended to ensure that recovery of the Personal Data would be impracticable. Within three (3) business days of the date of destruction, Supplier will provide Hyland with written notice, signed by an authorized representative, representing that the Personal Data has been destroyed and describing the method of destruction.

(l) If, within five (5) business days of the termination of the business relationship between the parties related to this P.O., Supplier delivers to Hyland written notice explaining the conditions which make return, destruction or transfer of Personal Data as required by paragraph (k) above infeasible, then Hyland, in its sole and absolute discretion, may excuse Supplier from complying, in whole or in part, with paragraph (k) above. If Hyland does excuse compliance with paragraph (k), in whole or in part, Supplier agrees that, with respect to the Personal Data for which compliance with paragraph (k) has been excused, Supplier will: (1) deliver to Hyland within fifteen (15) business days of the termination of the business relationship a duplicate of all Personal Data retained by Supplier, and (2) extend the protections of this P.O. to the retained Personal Data and limit further uses and disclosures of the retained Personal Data to those purposes which make return or destruction commercially impracticable, for as long as Supplier maintains such Personal Data.

11. Confidential Information.

(a) “Confidential Information” means information that (1) is marked “Proprietary” or “Confidential,” (2) is known by the recipient to be confidential, or (3) is of such a nature as customarily would be confidential between business parties. Confidential Information shall not include information that: (A) is or becomes generally known to the public without breach of this P.O. by the recipient, or (B) is demonstrated by the recipient to have been in the recipient’s possession prior to its disclosure by the disclosing party, or (C) is received by the recipient from a third party that is not bound by restrictions, obligations or duties of non-disclosure to the disclosing party, or (D) is demonstrated by recipient to have been independently developed by recipient without breach of its obligations under this Section 11.

(b) Supplier, as a recipient of any Confidential Information of Hyland, agrees that it shall at all times maintain the confidentiality of such Confidential Information using the same degree of care that Supplier uses to protect its own confidential information, but in any event not less than reasonable care; and shall not use (except in performance of this P.O.) or disclose to any third party any such Confidential Information, except as may be required by law or court order. Supplier shall be liable and responsible for any breach of this Section 11 committed by any of Supplier’s employees, agents, consultants, subcontractors or representatives.

12. Indemnification. Supplier shall indemnify, defend and hold harmless Hyland and its directors, officers, employees and agents (collectively, the “Indemnitee(s)”) against any and all losses, liabilities, monetary penalties, damages and reasonable court costs (including reasonable legal fees, reasonable witnesses’ fees, and reasonable investigation expenses) arising out of or related to:

(a) any and all third party claims against any Indemnitee based upon any infringement or alleged infringement or misappropriation or alleged misappropriation by any Goods or Services of any patent, trademark, copyright, trade secret, or other intellectual property right of a third party. Indemnitee shall give Supplier: (1) written notice within a reasonable time after Indemnitee is served with legal process in an action asserting such claims, provided that the failure or delay to notify Supplier shall not relieve Supplier from any liability that it may have to Indemnitee hereunder so long as the failure or delay shall not have prejudiced the defense of such claim; (2) reasonable assistance in the defense or settlement of the claim; and (3) sole authority to defend or settle such claim, provided, that such settlement involves only the payment of money damages by Supplier. Supplier agrees that Hyland may participate, at its expense, in the defense of any claim subject to indemnification hereunder; or

(b) any and all claims, compensations, inquiries or investigations incurred by an Indemnitee resulting from (1) any use or disclosure or any other processing of Personal Data not permitted by this P.O., (2) any Security Incident involving any Personal Data in the possession, custody or processing of Supplier or its subcontractors or agents; or

(d) any failure to comply with applicable laws, rules or regulations by Supplier or its agents, employees or subcontractors.

13. Insurance. Supplier will maintain and keep in force, at its own expense, the following insurance coverages:

(a) Commercial general liability insurance with policy limits of not less than PLN equivalent of US$2,000,000.00 per occurrence, including automobile liability, for personal injury or property damage; and

(b) Employer’s liability insurance with policy limits of not less than PLN equivalent of US$500,000.00 per occurrence; and

(d) If Services are included in the P.O., professional liability/errors and omissions liability insurance with policy limits of not less than PLN equivalent of US$2,000,000.00 per claim.

Upon request by Hyland, Supplier will provide proof of the required insurance coverages.

14. Audit Rights. Upon Hyland’s notice to Supplier, and at no additional charge to Hyland, Supplier will permit Hyland and its auditors to access, at reasonable times, any facility at which Supplier is providing Goods or Services and to all systems, data and records relating to such Goods or Services for purposes of auditing Supplier’s performance of its obligations under this P.O., including to verify compliance with applicable laws and protection and integrity of Hyland’s data. Supplier shall identify an individual point of contact to support the audit and promptly respond to all reasonable requests for information from Hyland, including completing periodic compliance-related questionnaires and providing supporting documentation and other data.

15. Record Keeping Requirements. Supplier will maintain (and provide access to Hyland upon reasonable request) relevant business, technical and accounting records to support Supplier’s invoices and to demonstrate compliance with Supplier’s performance of its security-related obligations under this P.O., for a period of time as required by applicable law, but not for less than three (3) years following completion or termination of this P.O.

16. Governing Law; Jurisdiction. This P.O. and any claim, action, suit, proceeding or dispute arising out of this P.O. shall in all respects be governed by and interpreted in accordance with the substantive laws of Poland, without regard to the conflicts of laws provisions thereof (and not by the 1980 United Nations Convention on Contracts for the International Sale of Goods, as amended). Venue and jurisdiction for any action, suit or proceeding arising out of this P.O. shall vest exclusively in the common court having jurisdiction over Hyland’s registered seat.

17. No Waiver. No delay or failure to exercise any right or remedy by Hyland shall be deemed a waiver of such right or remedy or any other right or remedy.

18. Binding Effect; No Assignment. This P.O. shall be binding upon and shall inure to the benefit of the parties and their respective successors and permitted assigns. Supplier may not assign this P.O. or its rights or obligations under this P.O., in whole or in part, to any other person or entity without the prior written consent of Hyland. Any assignment by Supplier made without compliance with the preceding sentence shall be null and void and of no force or effect. Hyland may assign this P.O.

19. Severability. In the event any provision of this P.O. is held to be invalid or unenforceable for any reason, such invalidity or unenforceability will attach only to such provision and will not affect or render invalid or unenforceable any other provision of this P.O.

20. Subcontracting. Supplier will not subcontract to any third party to furnish any of the Goods or Services without Hyland’s prior written consent. Supplier shall remain responsible to Hyland for the furnishing of any subcontracted Goods or Services.

21. Independent Contractor. The parties acknowledge that they are independent contractors, that they will each be responsible for their respective obligations as employers for those individuals who are their employees, and that they are not in any manner agents, co-owners, partners or joint venturers of each other under this P.O.

22. Termination. Hyland may terminate this P.O. with or without cause, effective upon written notice. If Hyland terminates for convenience, and not as the result of any breach or non-performance by Supplier, Hyland will remain obligated to pay for Goods it has accepted before the effective date of termination; and, to the extent Hyland retains the benefit after termination, for Services performed before the effective date of termination.

23. Force Majeure. No failure, delay or default in performance of any obligation of a party to this P.O. shall constitute a default or breach to the extent that such failure to perform, delay or default arises out of a cause, existing or future, beyond the control (including, but not limited to: action or inaction of governmental, civil or military authority, such as shelter-in-place, quarantine or similar orders; diseases or pandemic/epidemic illness or outbreak; action of unrelated third parties due to a force majeure event which frustrates the purpose of this P.O. (such as cancellation of a third party contract by the third party due to a force majeure event, and such third party contract was otherwise necessary to realize the benefit of this P.O.); fire; flood; war; riot; theft; earthquake; natural disaster or acts of God; national or regional emergencies; unavailability of materials or utilities; sabotage; viruses; or the act, negligence or default of the other party) and without negligence or willful misconduct of the party otherwise chargeable with failure, delay or default. Either Party desiring to rely upon any of the foregoing as an excuse for failure, default or delay in performance shall, when the cause arises, give to the other party prompt notice in writing of the facts which constitute such cause; and, when the cause ceases to exist, give prompt notice of that fact to the other Party. In the event the failure to perform, delay or default remains uncured for a period of thirty (30) consecutive days following written notice, either Party may thereafter terminate this P.O. without liability upon written notice. This section shall in no way limit the right of either Party to make any claim against third parties for any damages suffered due to said causes.

Revised: 4-22-20

Contracts

Data Processing Addendum - Brazil

Effective April 29th 2021

Table of Contents

Data Processing Addendum - GDPR

Effective April 29th 2021

Table of Contents

Global Data Processing Addendum

Effective September 29th 2022

Table of Contents

Effective January 19th 2022 to September 29th 2022

Table of Contents

Effective December 7th 2021 to January 19th 2022

Table of Contents

Effective September 24th 2021 to December 7th 2021

Table of Contents

HIPAA Subcontractor Addendum

Effective April 30th 2021

Table of Contents

Hyland Anti-Bribery/Anti-Corruption Policy and Guide - English

Effective May 10th 2021

Table of Contents

Effective April 30th 2021 to May 10th 2021

Table of Contents

Hyland Anti-Bribery and Anti-Corruption Policy and Guide - German

Effective April 30th 2021

Table of Contents

Hyland Anti-Bribery and Anti-Corruption Policy and Guide - Portuguese

Effective April 30th 2021

Table of Contents

Hyland Anti-Bribery and Anti-Corruption Policy and Guide - Spanish

Effective April 30th 2021

Table of Contents

Hyland Poland Sp. zoo Purchase Order Terms and Conditions

Effective June 6th 2024

Table of Contents

Effective May 5th 2021 to June 6th 2024

Table of Contents

Effective May 5th 2021 to May 5th 2021

Table of Contents

Hyland Purchase Order Terms and Conditions

Effective June 6th 2024

Table of Contents

Effective May 4th 2021 to June 6th 2024

Table of Contents