At Stoneridge, we take the privacy of personal information seriously. This data processing addendum (“DPA”) sets out the terms governing the use of personal information of California residents, in accordance with the requirements of the California Privacy Rights Act, that Stoneridge may receive from our clients and vendors.
I. Definitions
“Applicable Privacy Laws” means the California Privacy Rights Act (“CPRA”), as amended or replaced from time to time, along with any implementing regulations.
“Business Purpose” shall have the meaning ascribed in Section 1798.140 of the Applicable Privacy Laws.
“Consumer” means any natural person, household, or device located in or residing in the U.S.
“Contractor” means a person to whom Client makes available Customer Personal Information for a Business Purpose.
“Customer Personal Information” is personal information and personal data, as defined under the Applicable Privacy Laws, of any Consumer, which is made available to Stoneridge Software on behalf of Client under the Agreement.
“Process”, “Processed” or “Processing” means any operation or set of operations that are performed on personal information or on sets of personal information, whether or not by automated means.
“Regulator” means any entity which has jurisdiction to enforce Client’s and Stoneridge Software’s compliance with the Applicable Privacy Laws, including but not limited to the California Attorney General’s office.
“Security Incident” means an event in which Stoneridge Software has knowledge of, or reasonably believes there has been, a loss of, or actual or attempted unauthorized or unlawful access to, acquisition, use, or disclosure of, Customer Personal Information within the possession of Stoneridge Software.
Terms such as “Sell”, “Share”, “Deidentify”, and “Aggregate” shall have the meaning ascribed to them in Section 1798.140 of the Applicable Privacy Laws.
“Service Provider” shall have the meaning ascribed in Section 1798.140 of the Applicable Privacy Laws.
All capitalized terms not defined herein shall have the same meaning set forth in the Master Services Agreement signed between the parties.
II. Application
The parties agree that to the extent the CPRA applies, Stoneridge Software acts as a Contractor for Client and Microsoft acts as Client’s Service Provider. Stoneridge Software shall have no liability to Client to the extent the basis of the liability arises from a Client’s violation of Applicable Privacy Laws.
III. Client’s Obligations
Consumer Requests. Except to the extent otherwise required under Applicable Privacy Laws, Client shall be responsible for all communications with Consumers that relate to Customer Personal Information. Otherwise, Stoneridge Software will advise and confer with Client about any proposed response to a Consumer inquiry regarding Customer Personal Information.
Communications with Regulators. Except to the extent otherwise required under the Applicable Privacy Laws, Client shall be responsible for all communications with Regulators that relate to Customer Personal Information. Otherwise, Stoneridge Software will advise and confer with Client about any proposed response to a Regulator inquiry regarding Customer Personal Information.
IV. Stoneridge Software’s Obligations
Stoneridge Software as a Contractor. Stoneridge Software agrees that as a Contractor, and to the extent Stoneridge Software may be a Service Provider under Applicable Privacy Laws, Stoneridge Software shall not (i) sell or share Customer Personal Information; (ii) retain, use, or disclose Customer Personal Information for any purpose other than the specific purpose of performing its functions under the MSA, any applicable SOW or Supplemental Agreement, and this DPA; or (iii) with respect to Customer Personal Information subject to the CPRA, combine Customer Personal Information made available by Client in connection with performing the Services with Customer Personal Information Stoneridge Software receives from another source, except to perform the Business Purpose. In connection with providing the Services, Stoneridge Software shall also (i) comply with the CPRA and provide the same level of privacy protection as is required by the CPRA for Customer Personal Information; (ii) allow Client to take reasonable and appropriate steps to help ensure that Stoneridge Software’s access to Customer Personal Information is in a manner consistent with Client’s obligations under the CPRA; (iii) notify Client in writing if Stoneridge Software makes a determination that it can no longer meet its obligations under the CPRA; and (iv) permit Client, upon notice, to take reasonable and appropriate steps to stop and remediate any unauthorized use of Customer Personal Information. Stoneridge Software understands the restrictions set forth in this Section and will comply with them.
Confidentiality. Stoneridge Software shall treat all Customer Personal Information as confidential in accordance with MSA Section titled “Confidentiality.”
Security Incident. Upon Stoneridge Software’s discovery of a Security Incident, Stoneridge Software shall promptly provide Client with written notice of such Security Incident. Stoneridge Software shall promptly take all reasonable corrective action. Stoneridge Software’s notification of the Security Incident will include, to the extent known at the time of notification: (i) a description of the Security Incident, including, where possible, the categories and approximate number of Consumers concerned; (ii) the name and contact details of Stoneridge Software’s data protection officer or other contact point where more information can be obtained; and (iii) a description of the measures taken or proposed to be taken by Stoneridge Software to address the Security Incident, including, where appropriate, measures to mitigate its possible adverse effects. If Stoneridge Software is unable to provide all of the information above as part of the initial notification, Stoneridge Software will provide this information to Client as soon as reasonably practicable. Except as otherwise required by Applicable Privacy Laws, the obligations herein will not apply to incidents that are caused by Client. Stoneridge Software’s notification of or response to a Security Incident will not be construed as an acknowledgement by Stoneridge Software of any fault or liability with respect to the Security Incident.
V. General Compliance Obligations
Audits. The parties acknowledge that Client must be able to assess Stoneridge Software’s compliance with its obligations under Applicable Privacy Laws and this DPA. Upon Client’s written request, and to confirm Stoneridge Software’s compliance, Stoneridge Software grants Client, at Client’s expense, permission to perform a reasonable assessment, audit, examination or review of all controls in relation to all Customer Personal Information made available to Stoneridge Software. Within 30 days of Client’s written request, Stoneridge Software shall cooperate with such assessment by providing access to knowledgeable personnel, documentation, and application software that stores, uploads, accesses, transports, or otherwise makes available Customer Personal Information. Unless otherwise required under Applicable Privacy Laws, audits shall occur no more than once annually.
Assistance with Consumer Requests. If Stoneridge Software receives a Consumer request relating to that Consumer’s Customer Personal Information (a “Request”), Stoneridge Software will provide a copy of the Request to Client within 7 days. Stoneridge Software shall not further communicate with the Consumer without the written permission of Client. If Client receives the Request, Stoneridge Software will provide reasonable assistance at Client’s request to enable Client to respond to the Request, for example by providing Client with a copy of or access to all of the Consumer’s Customer Personal Information held by Stoneridge Software, or by deleting all Customer Personal Information related to the Consumer.
Disclosure to Law Enforcement or Government Authorities. If Stoneridge Software is required by law to disclose any Customer Personal Information to law enforcement or government authorities, Stoneridge Software shall notify Client in writing (unless legally prohibited) before complying with such disclosure request. If Stoneridge Software receives communication from Regulators relating to Customer Personal Information, Stoneridge Software shall (unless legally prohibited) promptly provide a copy to Client.
Service Provider. Notwithstanding the foregoing, Client agrees that, to the extent Stoneridge Software may be a Service Provider, Stoneridge Software may, if otherwise permitted by Applicable Privacy Laws and subject to Stoneridge Software’s confidentiality obligations, Process Customer Personal Information to the extent permitted or required by applicable law.
Subprocessors. To the extent Stoneridge Software is deemed a Service Provider under Applicable Privacy Laws, the parties agree that Microsoft and any Independent Software Vendors whose additional software Client licenses (collectively, “Third-Party Subprocessors”) act as Subprocessors. Client authorizes Stoneridge Software to engage Third-Party Subprocessors in connection with the performance of the Services, provided that: (i) Stoneridge Software and the Third-Party Subprocessors have entered into a written agreement containing confidentiality obligations not less protective than those set forth in this DPA; and (ii) if Stoneridge Software engages additional subprocessors, Stoneridge Software will provide written notice to Client prior to Stoneridge Software’s appointment of a new subprocessor, and Client may object to such appointment, provided such objection is submitted to Stoneridge Software in writing within 10 days after receipt of notice. In the event of such objection, the parties will discuss commercially reasonable alternatives in good faith. If the parties cannot promptly reach a resolution, either party may terminate the MSA as its sole and exclusive remedy. Client is responsible for all fees, charges, and taxes incurred by Client prior to termination.
VI. Termination
The terms of this DPA shall continue until termination of the MSA.
VII. Miscellaneous
This DPA supersedes and replaces any existing data processing addendum that the parties may have previously entered into in connection with the Services and all prior and contemporaneous agreements, oral and written, regarding the subject matter of this DPA. The parties agree this DPA may need to be updated as a result of changes in data protection laws, and in such event Stoneridge Software may amend the DPA without prior written notice or consent in order to comply with the Applicable Privacy Laws. If a court holds any provision of this DPA to be illegal, invalid, or unenforceable, the rest of the DPA will remain in effect. Except as provided in this DPA, the MSA remains unchanged and is in full force and effect. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions of the MSA.