Data Protection Agreement
This Data Processing Addendum (“DPA”) sets forth the terms and conditions governing the privacy, security and Processing of Customer Personal Data. This DPA is incorporated into and forms a part of the Harmonic Subscription Agreement or the Harmonic End User License Agreement (each “Agreement”) previously made between Harmonic Security, Inc. (“Harmonic”) and the Customer (defined below) (collectively, the “Parties”). Except as modified below, the Agreement’s terms shall remain in full force and effect.
HOW AND WHEN THIS DPA APPLIES
This DPA applies only if and to the extent Applicable Data Protection Laws govern Harmonic’s Processing of Customer Personal Data in performance of the Service(s) as a ‘processor’, ‘service provider’ or similar role defined under Applicable Data Protection Laws.
Accordingly, this DPA does not apply to Harmonic’s Processing of any Personal Data for its own business/customer relationship administration purposes, its own marketing or service analytics, its own information and systems security purposes supporting the operation of the Services, nor its own legal, regulatory or compliance purposes.
1. INTERPRETATION
1.1 In this DPA (including the explanatory notes above) the following terms shall have the meanings set out in this Section 1, unless expressly stated otherwise:
(a) “Applicable Data Protection Laws” means the privacy, data protection and data security laws and regulations of any jurisdiction directly applicable to Harmonic’s Processing of Customer Personal Data under the Agreement (including, as and where applicable, GDPR and State Privacy Laws).
(b) “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
(c) “Customer” means the person or entity that has entered into the Agreement with Harmonic.
(d) “Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.
(e) “Data Subject Request” means the exercise by a Data Subject of its rights in accordance with Applicable Data Protection Laws in respect of Customer Personal Data and the Processing thereof.
(f) “Customer Personal Data” means any Personal Data Processed by Harmonic or its Sub‑Processor on behalf of Customer to perform the Services under the Agreement.
(g) “EEA” means the European Economic Area.
(h) “GDPR” means, as and where applicable to the Processing concerned: (i) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”); and/or (ii) the EU GDPR as it forms part of UK law (as amended from time to time) (“UK GDPR”).
(i) “Personal Data” means “personal data,” “personal information,” “personally identifiable information” or similar term defined in Applicable Data Protection Laws (including as may be comprised in any Traffic Intercept Agent Data or any other Customer Content).
(j) “Personal Data Breach” means a breach of Harmonic’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data in Harmonic’s possession, custody or control. For clarity, Personal Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data.
(k) “Personnel” means a person’s employees, agents, consultants, contractors or other staff.
(l) “Process” and inflections thereof means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(m) “Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller, including, as applicable, a “service provider” as that term may be defined by Applicable Data Protection Laws.
(n) “Restricted Transfer” means the disclosure, grant of access or other transfer of Customer Personal Data to any person located in: (i) in the context of the EU GDPR, any country or territory outside the EEA which does not benefit from an adequacy decision from the European Commission (an “EEA Restricted Transfer”); and (ii) in the context of the UK GDPR, any country or territory outside the UK which does not benefit from an adequacy decision from the UK Government (a “UK Restricted Transfer”), which would be prohibited without a legal basis under Chapter V of the GDPR.
(o) “SCCs” means the standard contractual clauses approved by the European Commission pursuant to implementing Decision (EU) 2021/914.
(p) “State Privacy Laws” means the California Consumer Privacy Act of 2018 (“CCPA”), the Colorado Privacy Act, the Virginia Consumer Data Protection Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act, in each case only if and to the extent applicable to Harmonic’s Processing of Customer Personal Data under the Agreement.
(q) “Sub-Processor” means any third party appointed by or on behalf of Harmonic to Process Customer Personal Data.
(r) “Supervisory Authority” means any governmental or regulatory body with competent authority to enforce any Applicable Data Protection Laws, including: (i) in the context of the EEA and the EU GDPR, a “supervisory authority” within the meaning given to that term in the EU GDPR; and (ii) in the context of the UK and the UK GDPR, the UK Information Commissioner’s Office.
(s) “UK Transfer Addendum” means the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with section 119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of the UK Mandatory Clauses included in Part 2 thereof (the “UK Mandatory Clauses”).
1.2 Unless otherwise defined in this DPA, all capitalized terms in this DPA shall have the meaning given to them in the Agreement.
2. APPLICATION OF THIS DATA PROCESSING ADDENDUM
2.1 The front-end of this DPA applies generally to Harmonic’s Processing of Customer Personal Data under the Agreement.
2.2 This DPA governs the processing of non-Protected Health Information (“PHI”) by Harmonic on behalf of Customer. In instances where Customer acts in its capacity as a “Covered Entity,” as that term is defined under the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act, and all implementing regulations (collectively, “HIPAA”), then Harmonic, in its capacity as a Business Associate, shall be subject to the terms and conditions of the Business Associate Agreement (“BAA”) found here: https://www.harmonic.security/r/hipaa-business-associate-agreement.
2.3 In instances where Customer acts in its capacity as a “Business Associate,” as such term is defined under HIPAA, then Harmonic, in its capacity as a Business Associate subcontractor, shall be subject to the terms and conditions of the BAA applicable to Subcontractors (“BASA”) found here: https://www.harmonic.security/r/hipaa-business-associate-subcontractor-agreement.
2.4 The parties acknowledge and agree that each relevant BAA or BASA, as referred to in 2.3 and 2.4 above, shall be incorporated by reference into this Agreement and shall form an integral part of the Supplier’s obligations regarding the processing of PHI. Each party agrees to review and comply with the applicable BAA or BASA terms accessible via the provided links. The engagement in the processing of PHI on behalf of Customer implies acceptance of the terms outlined in the relevant BAA or BASA.
2.5 Annex 2 (European Annex) applies only if and to the extent Harmonic’s Processing of Customer Personal Data under the Agreement is subject to the GDPR.
2.6 Annex 3 (State Privacy Laws Annex) applies only if and to the extent Harmonic’s Processing of Customer Personal Data on behalf of Customer under the Agreement is subject to the State Privacy Laws.
2.7 Section 9 of this DPA applies to Harmonic’s Processing of Customer Personal Data to the extent required under Applicable Data Protection Laws for contracts with Processors, and in such cases, only in respect of Processing of Customer Personal Data subject to such laws.
3. PROCESSING OF CUSTOMER PERSONAL DATA
3.1 The Parties acknowledge and agree that the details of Harmonic’s Processing of Customer Personal Data (including the respective roles of the Parties relating to such Processing) are as described in Annex 1 (Data Processing Details) to the DPA.
3.2 Harmonic shall not Process Customer Personal Data other than: (a) on Customer’s instructions; or (b) as required by applicable laws, provided that, in such circumstances, Harmonic shall inform Customer in advance of the relevant legal requirement requiring such Processing if and to the extent Harmonic is: (i) required to do so by Applicable Data Protection Laws; and (ii) permitted to do so in the circumstances. Customer instructs Harmonic to Process Customer Personal Data to provide the Services to Customer and in accordance with the Agreement. The Agreement is a complete expression of such instructions, and Customer’s additional instructions will be binding on Harmonic only pursuant to any written amendment to this DPA signed by both Parties. Where required by Applicable Data Protection Laws, if Harmonic receives an instruction from Customer that, in its reasonable opinion, infringes Applicable Data Protection Laws, Harmonic shall notify Customer.
4. HARMONIC PERSONNEL
Harmonic shall take commercially reasonable steps designed to ascertain the reliability of any Harmonic Personnel who Process Customer Personal Data, and shall enter into written confidentiality agreements with all Harmonic Personnel who Process Customer Personal Data that are not subject to professional or statutory obligations of confidentiality.
5. SECURITY
5.1 Harmonic shall implement and maintain technical and organizational measures in relation to Customer Personal Data designed to protect Customer Personal Data against Personal Data Breaches as described in Annex 4 (Security Measures) (the “Security Measures”).
5.2 Harmonic may update the Security Measures from time to time, provided the updated measures do not materially decrease the overall protection of Customer Personal Data.
6. DATA SUBJECT RIGHTS
6.1 Harmonic, taking into account the nature of the Processing of Customer Personal Data, shall provide Customer with such assistance as may be reasonably necessary and technically feasible to assist Customer in fulfilling its obligations to respond to Data Subject Requests. If Harmonic receives a Data Subject Request, Customer will be responsible for responding to any such request.
6.2 Harmonic shall: (a) promptly notify Customer if it receives a Data Subject Request; and (b) not respond to any Data Subject Request, other than to advise the Data Subject to submit the request to Customer, except as required by Applicable Data Protection Laws.
7. PERSONAL DATA BREACH
7.1 Harmonic shall notify Customer without undue delay upon Harmonic’s confirmation of a Personal Data Breach affecting Customer Personal Data. Harmonic shall provide Customer with information (insofar as such information is within Harmonic’s possession and knowledge and does not otherwise compromise the security of any Personal Data Processed by Harmonic) to allow Customer to meet its obligations under the Applicable Data Protection Laws to report the Personal Data Breach. Harmonic’s notification of or response to a Personal Data Breach shall not be construed as Harmonic’s acknowledgement of any fault or liability with respect to the Personal Data Breach.
7.2 Customer is solely responsible for complying with notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Personal Data Breaches.
7.3 If Customer determines that a Personal Data Breach must be notified to any Supervisory Authority, any other governmental authority, any Data Subject(s), the public or others under Applicable Data Protection Laws, to the extent such notice directly or indirectly refers to or identifies Harmonic, where permitted by applicable laws, Customer agrees to: (a) notify Harmonic in advance; and (b) in good faith, consult with Harmonic and consider any clarifications or corrections Harmonic may reasonably recommend or request to any such notification, which: (i) relate to Harmonic’s involvement in or relevance to such Personal Data Breach; and (ii) are consistent with applicable laws.
8. SUB-PROCESSING
8.1 Customer generally authorizes Harmonic to appoint Sub-Processors in accordance with this Section 8. Without limitation, Customer authorizes Harmonic’s engagement of the Sub-Processors listed on the Sub-Processor List as of the effective date of the Agreement at the URL specified in Section 8.2.
8.2 Information about Sub-Processors, including their functions and locations, is available at: harmonic.security/r/subprocessors, as may be updated by Harmonic from time to time, or such other website address as Harmonic may provide to Customer (the “Sub-Processor List”).
8.3 Harmonic shall give Customer prior written notice of the appointment of any proposed Sub-Processor after the effective date of the Agreement, including reasonable details of the Processing to be undertaken by the Sub‑Processor. If, within fourteen (14) days of receipt of that notice, Customer notifies Harmonic in writing of any objections (on reasonable grounds) to the proposed appointment: (a) Harmonic shall use reasonable efforts to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Sub-Processor; and (b) where: (i) such a change cannot be made within fourteen (14) days from Harmonic’s receipt of Customer’s notice; (ii) no commercially reasonable change is available; and/or (iii) Customer declines to bear the cost of the proposed change, then Customer may terminate the Agreement by written notice to Harmonic as its sole and exclusive remedy.
8.4 If Customer does not object to Harmonic’s appointment of a Sub-Processor during the objection period referred to in Section 8.3, Customer shall be deemed to have approved the engagement and ongoing use of that Sub-Processor.
8.5 With respect to each Sub-Processor, Harmonic shall maintain a written contract between Harmonic and the Sub-Processor that includes terms which offer at least an equivalent level of protection for Customer Personal Data as those set out in this DPA (including the Security Measures). Harmonic shall remain liable for any breach of this DPA caused by a Sub-Processor.
9. AUDITS
9.1 Harmonic shall make available to Customer, on request, such information as Harmonic (acting reasonably) considers appropriate in the circumstances to demonstrate its compliance with this DPA.
9.2 Subject to Sections 9.3 to 9.6, in the event that Customer (acting reasonably) is able to provide documentary evidence that the information made available by Harmonic pursuant to Section 9.1 is not sufficient in the circumstances to demonstrate Harmonic’s compliance with this DPA, Harmonic shall allow for and contribute to audits, including on‑premise inspections, by Customer or an auditor mandated by Customer in relation to the Processing of Customer Personal Data by Harmonic.
9.3 Customer shall give Harmonic reasonable notice of any audit or inspection to be conducted under Section 9.2 (which shall in no event be less than fourteen (14) days’ notice) and shall use its best efforts (and ensure that each of its mandated auditors uses its best efforts) to avoid causing any destruction, damage, injury or disruption to Harmonic’s premises, equipment, Personnel, data, and business (including any interference with the confidentiality or security of the data of Harmonic’s other customers or the availability of Harmonic’s services to such other customers).
9.4 Prior to conducting any audit, Customer must submit a detailed proposed audit plan providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Harmonic will review the proposed audit plan and provide Customer with any feedback, concerns or questions (for example, any request for information that could compromise Harmonic security, privacy, employment or other relevant policies). Harmonic will work cooperatively with Customer to agree on a final audit plan.
9.5 If the controls or measures to be assessed in the requested audit are assessed in a SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third-party auditor within twelve (12) months of Customer’s audit request (“Audit Report”) and Harmonic has confirmed in writing that there have been no known material changes in the controls audited and covered by such Audit Report(s), Customer agrees to accept provision of such Audit Report(s) in lieu of requesting an audit of such controls or measures. Harmonic shall provide copies of any such Audit Reports to Customer upon request; provided that they shall constitute the confidential information of Harmonic, which Customer shall use only for the purposes of confirming compliance with the requirements of this DPA or meeting Customer’s obligations under Applicable Data Protection Laws.
9.6 Harmonic need not give access to its premises for the purposes of such an audit or inspection: (a) where an Audit Report is accepted in lieu of an audit of such controls or measures in accordance with Section 9.5; (b) to any individual unless they produce reasonable evidence of their identity; (c) to any auditor whom Harmonic has not approved in advance (acting reasonably); (d) to any individual who has not entered into a non-disclosure agreement with Harmonic on terms acceptable to Harmonic; (e) outside normal business hours at those premises; or (f) on more than one occasion in any calendar year during the term of the Agreement, except for any audits or inspections which Customer is required to carry out under the GDPR or by a Supervisory Authority. Nothing in this DPA shall require Harmonic to furnish more information about its Sub-Processors in connection with such audits than such Sub-Processors make generally available to their customers. Nothing in this Section 9 shall be construed to obligate Harmonic to breach any duty of confidentiality.
10. RETURN AND DELETION
10.1 Upon expiration or earlier termination of the Agreement, Harmonic shall return and/or delete all Customer Personal Data in Harmonic’s care, custody or control in accordance with Customer’s instructions as to the post-termination return and deletion of Customer Personal Data expressed in the Agreement. To the extent that deletion of any Customer Personal Data contained in any back-ups maintained by or on behalf of Harmonic is not technically feasible within the timeframe set out in Customer’s instructions, Harmonic shall (a) securely delete such Customer Personal Data in accordance with any relevant scheduled back-up deletion routines (e.g., those contained within Harmonic’s relevant business continuity and disaster recovery procedures); and (b) pending such deletion, put such Customer Personal Data beyond use.
10.2 Notwithstanding the foregoing, Harmonic may retain Customer Personal Data where required by applicable laws, provided that Harmonic shall (a) maintain the confidentiality of all such Customer Personal Data and (b) Process the Customer Personal Data only as necessary for the purpose(s) and duration specified in the applicable law requiring such retention.
11. CUSTOMER’S RESPONSIBILITIES
11.1 Customer agrees that, without limiting Harmonic’s obligations under Section 5 (Security), Customer is solely responsible for its use of the Services, including (a) making appropriate use of the Services to maintain a level of security appropriate to the risk in respect of the Customer Personal Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Services; (c) securing Customer’s systems and devices that Harmonic uses to provide the Services; and (d) backing up Customer Personal Data.
11.2 Customer shall ensure: (a) that there is, and will be throughout the term of the Agreement, a valid legal basis for the Processing by Harmonic of Customer Personal Data in accordance with this DPA and the Agreement (including any and all instructions issued by Customer from time to time in respect of such Processing) for the purposes of all Applicable Data Protection Laws; (b) that all Data Subjects have (i) been presented with all required notices and statements; and (ii) provided all required consents, in each case (i) and (ii) relating to the Processing by Harmonic of Customer Personal Data; and (c) that it does not use, and does not permit any other person to use, the Services (including any ‘risk scores’ generated thereby) to make decisions about Data Subjects that are based solely on automated processing (i.e., without appropriate human input, oversight and review) which would, or may reasonably be expected to, produce legal effects concerning, or otherwise similarly significantly affect, Data Subjects.
11.3 Customer agrees that the Services, the Security Measures, and Harmonic’s commitments under this DPA are adequate to meet Customer’s needs, including with respect to any security obligations of Customer under Applicable Data Protection Laws, and provide a level of security appropriate to the risk in respect of the Customer Personal Data.
11.4 Except to the extent prohibited by Applicable Data Protection Laws, Customer shall compensate Harmonic at Harmonic’s then-current professional services rates for, and reimburse any costs reasonably incurred by Harmonic in the course of providing, cooperation, information, or assistance requested by Customer in respect of this DPA (including pursuant to Sections 6, 7 and 9 of this DPA and Paragraph 1 of Annex 2 (European Annex)), beyond providing self-service features included as part of the Service.
12. MISCELLANEOUS
12.1 Harmonic may on notice vary this DPA to the extent that (acting reasonably) it considers necessary to address the requirements of Applicable Data Protection Laws from time to time (including to apply a new transfer mechanism, which complies with relevant requirements of the GDPR, to replace the SCCs should it see fit).
12.2 This DPA shall be incorporated into and form part of the Agreement with effect on and from the Effective Date.
12.3 In the event of any conflict or inconsistency between: (a) this DPA and the Agreement, this DPA shall prevail; or (b) any SCCs entered into pursuant to Paragraph 2 of Annex 2 (European Annex) and this DPA and/or the Agreement, the SCCs shall prevail in respect of the Restricted Transfer to which they apply.
Annex 1: Data Processing Details
HARMONIC / ‘DATA IMPORTER’ DETAILS
Name: Harmonic Security, Inc., a Delaware corporation.
Address: As set out in the preamble to the DPA
Contact Details for Data Protection:
Role: Data Protection Officer (DPO)
Email: dpo [at] harmonic.security
Harmonic Activities:
Harmonic Security Service helps partners/customers accelerate secure adoption of AI technologies without risking the security and privacy of their data. Harmonic provides Services to partners/customers through the provision of a software-as-a-service solution, which allows partners/customers to gain visibility and insight into how the partner’s/customer’s enterprise uses A.I. and other SaaS services. The Services risk-score these behaviors and allow customers to create and enact a data privacy constitution to control the associated risks. The Harmonic Service collects information about web browsing behaviors and interchanges with external applications through the use of a Traffic Intercept Agent.
Role: Processor
CUSTOMER/ ‘DATA EXPORTER’ DETAILS
Name:
Customer, being the entity or other person who is a counterparty to the Agreement
Address:
Customer’s address is the address shown in or determined by the Agreement; or if no such address is contained within the Agreement, Customer’s principal business trading address – unless otherwise notified to Harmonic’s contact point noted above.
Contact Details for Data Protection:
Relevant contact details shall be those of Harmonic’s primary point of contact with Customer; or any other contact details notified by Customer for the purpose of providing it with Data Protection‑related communications or alerts. Customer agrees that it is solely responsible for ensuring that such email addresses are valid and up to date, and direct relevant communications to the appropriate individual within its organization.
Customer Activities:
Customer’s activities relevant to this DPA are the use and receipt of the Services as part of its ongoing business operations under and in accordance with the Agreement. The use of the Services will include the required deployment of the Traffic Intercept Agent in the Customer’s systems that are in the scope of the project.
Role:
· Controller – in respect of any Processing of Customer Personal Data in respect of which Customer is a Controller in its own right; and/or
· Processor – in respect of any Processing of Customer Personal Data in respect of which Customer is itself acting as a Processor on behalf of any other person (including its affiliates if and where applicable).
DETAILS OF PROCESSING
Categories of Data Subjects:
Any individuals whose Personal Data is comprised within data submitted to the Services by or on behalf of Customer under the Agreement, which will be as determined by Customer through its use of the Services (including as a result of any systems, applications, platforms or technologies which Customer uses the Services to analyze and monitor) – which may include:
· Customer’s Personnel
· Customer’s customers, clients, (sub-)licensees, partners, prospects, marketing contacts, suppliers, service providers, vendors and other providers of goods or services
Where any of the above is a business or organization, it includes their Personnel or other relevant natural persons. Each category includes current, past and prospective Data Subjects.
Categories of Personal Data:
Any Personal Data comprised within data submitted to Services by or on behalf of Customer under the Agreement, which will be as determined by Customer through its use of the Services (including as a result of any systems, applications, platforms or technologies which Customer uses the Services to analyze and monitor) – which may include:
· Personal details – for example any information that identifies the Data Subject and their personal characteristics, name, age, date of birth, sex, and physical description
· Contact details – for example home and/or business address, email address, telephone details and other contact information such as social media identifiers/handles
· Commercial details – for example Personal Data relating to goods, services or other intellectual property licensed, developed provided and related information, including details of the goods or services supplied, licenses issued and contracts, by or to Data Subjects.
· Technological details – for example internet protocol (IP) addresses, unique identifiers and numbers (including unique identifier in tracking cookies or similar technology), pseudonymous identifiers, precise and imprecise location data, internet / application / program activity data, and device IDs and addresses.
Sensitive Categories of Data, and associated additional restrictions/safeguards:
Categories of sensitive data: Customer acknowledges that Harmonic is unable to distinguish between the various categories of data which Customer may cause Harmonic to Process in its provision of the Services. For this reason, Harmonic provides uniform standards of information and data security across the board to all relevant systems and data types in the manner determined by and set out in Section 5 of the DPA and Annex 4 (Security Measures) to the DPA.
Additional safeguards for sensitive data:
See Section 5 of the DPA and Annex 4 (Security Measures) to the DPA.
Frequency of transfer:
Ongoing for the duration of the engagement of Harmonic’s Services – as initiated by Customer in and through its use, or use on its behalf, of the Services.
Nature of the Processing:
Processing operations required in order to provide the Services in accordance with the Agreement.
Purpose of the Processing:
Customer Personal Data will be processed: (i) as necessary to provide the Services as initiated by Customer in its use thereof, and (ii) to comply with any other reasonable instructions provided by Customer in accordance with the terms of this DPA.
Duration of Processing / Retention Period:
For the period determined in accordance with the Agreement and DPA, including Section 10 of the DPA.
Transfers to (sub‑) processors:
Transfers to Sub-Processors are as, and for the purposes, described from time to time in the Sub-Processor List (as may be updated from time to time in accordance with Section 8 of the DPA).
Annex 2: European Annex
1. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
Harmonic, taking into account the nature of the Processing and the information available to Harmonic, shall provide reasonable assistance to Customer, at Customer’s cost, with any data protection impact assessments and prior consultations with Supervisory Authorities which Customer reasonably considers to be required of it by Article 35 or Article 36 of the GDPR, in each case solely in relation to Processing of Customer Personal Data by Harmonic.
2. RESTRICTED TRANSFERS
2.1 Entry into Transfer Mechanisms
(a) EEA Restricted Transfers. To the extent that any Processing of Customer Personal Data under this DPA involves an EEA Restricted Transfer from Customer to Harmonic, the Parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be (i) populated in accordance with Section 2.2 of this Annex 2 (European Annex); and (ii) entered into by the Parties and incorporated by reference into this DPA.
(b) UK Restricted Transfers. To the extent that any Processing of Customer Personal Data under this DPA involves a UK Restricted Transfer from Customer to Harmonic, the Parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be: (i) varied to address the requirements of the UK GDPR in accordance with the UK Transfer Addendum and populated in accordance with Sections 2.2 and 2.3 of this Annex 2 (European Annex); and (ii) entered into by the Parties and incorporated by reference into this DPA.
2.2 Population of SCCs
(a) Signature of SCCs. Where the SCCs apply in accordance with Paragraph 2.1(a) and/or Paragraph 2.1(b) of this Annex 2 (European Annex), each of the Parties is hereby deemed to have signed the SCCs at the relevant signature block in Annex I to the Appendix to the SCCs.
(b) Modules of SCCs. As and where relevant: Module Two of the SCCs applies to any EEA Restricted Transfer involving Processing of Personal Data in respect of which Customer is a controller in its own right; and/or Module Three of the SCCs applies to any EEA Restricted Transfer involving Processing of Personal Data in respect of which Customer is a processor.
(c) Population of body of SCCs. As and where applicable to the relevant Module and the Clauses thereof: (i) in Clause 7: the ‘Docking Clause’ is not used; (ii) in Clause 9: ‘Option 2: General Written Authorizations applies, and the minimum time period for advance notice of the addition or replacement of Sub-Processors shall be the advance notice period set out inSection 8.2 of the DPA; (iii) in Clause 11: the optional language is not used; (iv) in Clause 13: all square brackets are removed and all text therein is retained; (v) in Clause 17: ‘OPTION 1’ applies, and the Parties agree that the SCCs shall be governed by the law of Ireland in relation to anyEEA Restricted Transfer; and (vi) in Clause 18(b): the Parties agree that any dispute arising from the SCCs in relation to any EEA Restricted Transfer shall be resolved by the courts of Ireland.
(d) Population of Appendix to SCCs. Annex I to the Appendix to the SCCs is populated with the corresponding information detailed in Annex 1 (Data Processing Details) to the DPA, with: Customer being ‘data exporter’; and Harmonic being ‘data importer’, and Part C to that Annex I is populated with: the competent Supervisory Authority shall be determined as follows: (i) where Customer is established in an EU Member State: the competent Supervisory Authority shall be the Supervisory Authority of that EU Member State in which Customer is established; and (ii) where Customer is not established in an EU Member State, Article 3(2) of the GDPR applies and Customer has appointed an EEA Representative under Article 27 of the GDPR: the competent Supervisory Authority shall be the Supervisory Authority of the EU Member State in which Customer’s EEA Representative relevant to the Processing hereunder is based (from time-to-time), which Customer shall notify to Harmonic in writing – Customer agrees that it is solely responsible for making such notification and its accuracy. Annex II shall be populated with reference to the information contained in or determined by Section 2.3 of the DPA (including the Security Measures).
2.3 UK Restricted Transfers
(a) UK Transfer Addendum. Where relevant in accordance with Section 2.1(b) of this Annex 2 (European Annex), the SCCs apply to any UK Restricted Transfers as varied by the UK Transfer Addendum in the following manner: (i) ‘Part 1 to the UK Transfer Addendum’: (A) the Parties agree: Tables 1, 2 and 3 to the UK Transfer Addendum are deemed populated with the corresponding details set out in Annex 1 (Data Processing Details) to the DPA and Section 2.2 of this Annex 2 (European Annex); and (B) Table 4 to the UK Transfer Addendum is completed with ‘Data Importer’ only; and (ii) ‘Part 2 to the UK Transfer Addendum’: the Parties agree to be bound by the UK Mandatory Clauses of the UK Transfer Addendum and that the SCCs shall apply to any UK Restricted Transfers as varied in accordance with those Mandatory Clauses.
(b) Interpretation. As permitted by section 17 of the UK Mandatory Clauses, the Parties agree to the presentation of the information required by ‘Part 1: Tables’ of the UK Transfer Addendum in the manner determined by 2.3(a) of this Annex 2 (European Annex); provided that the Parties further agree that nothing in the manner of that presentation shall operate or be construed so as to reduce the Appropriate Safeguards (as defined in section 3 of the UK Mandatory Clauses). In relation to any UK Restricted Transfer to which they apply, where the context permits and requires, any reference in the DPA to the SCCs shall be read as a reference to those SCCs as varied in the manner set out in this Section 2.3 of this Annex 2 (European Annex).
2.4 Operational Clarifications
(a) When complying with its transparency obligations under Clause 8.3 of the SCCs, Customer agrees that it shall not provide or otherwise make available, and shall take all appropriate steps to protect Harmonic’s and its licensors’ trade secrets, business secrets, confidential information and/or other commercially sensitive information.
(b) Where applicable, for the purposes of Clause 10(a) of Module Three of the SCCs, Customer acknowledges and agrees that there are no circumstances in which it would be appropriate for Harmonic to notify any third-party controller of any Data Subject Request and that any such notification shall be the sole responsibility of Customer.
(c) For the purposes of Clause 15.1(a) of the SCCs, except to the extent prohibited by applicable law and/or the relevant public authority, as between the Parties, Customer agrees that it shall be solely responsible for making any notifications to relevant Data Subject(s) if and as required.
(d) The terms and conditions of Section 8 of the DPA apply in relation to Harmonic’s appointment and use of Sub-Processors under the SCCs. Any approval by Customer of Harmonic’s appointment of a Sub-Processor that is given expressly or deemed given pursuant to that Section 8 constitutes Customer’s documented instructions to effect disclosures and onward transfers to any relevant Sub-Processors if and as required under Clause 8.8 of the SCCs.
(e) The audits described in Clauses 8.9(c) and 8.9(d) of the SCCs shall be subject to any relevant terms and conditions detailed in Section 9 of the DPA.
(f) Certification of deletion of Personal Data as described in Clauses 8.5 and 16(d) of the SCCs shall be provided only upon Customer’s written request.
(g) In respect of any given Restricted Transfer, if requested of Customer by a Supervisory Authority, Data Subject or further Controller (where applicable) – on specific written request, accompanied by suitable supporting evidence of the relevant request – Harmonic shall provide Customer with an executed version of the relevant set(s) of SCCs responsive to the request made of Customer (amended and populated in accordance with relevant provisions of this DPA in respect of the relevant Restricted Transfer) for countersignature by Customer, onward provision to the relevant requestor and/or storage to evidence Customer’s compliance with Applicable Data Protection Laws.
Annex 3: State Privacy Laws Annex
1. In this Annex 3, the terms “business,” “business purpose,” “commercial purpose,” “consumer,” “sell,” “share,” and “service provider” shall have the respective meanings given thereto in the CCPA; and “personal information” shall mean Customer Personal Data that constitutes “personal information” as defined in and that is subject to the State Privacy Laws.
2. The business purposes and services for which Harmonic is Processing personal information are for Harmonic to provide the Services to and on behalf of Customer as set forth in the Agreement, as described in more detail in Annex 1 (Data Processing Details) to the DPA.
3. It is the Parties’ intent that with respect to any personal information, Harmonic is a service provider. Harmonic (a) acknowledges that personal information is disclosed by Customer only for limited and specific purposes described in the Agreement; (b) shall comply with applicable obligations under the State Privacy Laws and shall provide the same level of privacy protection to personal information as is required by the State Privacy Laws; (c) agrees that Customer has the right to take reasonable and appropriate steps under and subject to Section 9 (Audits) of the DPA to help ensure that Harmonic’s use of personal information is consistent with Customer’s obligations under the State Privacy Laws; (d) shall notify Customer in writing of any determination made by Harmonic that it can no longer meet its obligations under the State Privacy Laws; and (e) agrees that Customer has the right, upon notice, including pursuant to the preceding clause, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.
4. Harmonic shall not (a) sell or share any personal information; (b) retain, use or disclose any personal information for any purpose other than for the business purposes specified in the Agreement, including retaining, using, or disclosing the personal information for a commercial purpose other than the business purpose specified in the Agreement, or as otherwise permitted by State Privacy Laws; (c) retain, use or disclose the personal information outside of the direct business relationship between Harmonic and Customer; or (d) combine personal information received pursuant to the Agreement with personal information (i) received from or on behalf of another person, or (ii) collected from Harmonic’s own interaction with any consumer to whom such personal information pertains except as and to the extent necessary as a part of Harmonic’s provision of the Services.
Harmonic hereby certifies that it understands its obligations under this Section 4 and will comply with them.
5. Harmonic shall implement reasonable security procedures and practices appropriate to the nature of the personal information received from, or on behalf of, Customer, in accordance with Section 5 (Security Measures) of the DPA.
6. When Harmonic engages any Sub-Processor, Harmonic shall notify Customer of such Sub-Processor engagements in accordance with Section 8 (Sub-Processing) of the DPA and that such notice shall satisfy Harmonic’s obligation under the State Privacy Laws to give notice of and an opportunity to object to such engagements.
7. Harmonic agrees that Customer may conduct audits, in accordance with Section 9 of the DPA, to help ensure that Harmonic’s use of personal information is consistent with Harmonic’s obligations under the State Privacy Laws.
8. The parties acknowledge that Harmonic’s retention, use and disclosure of personal information authorized by Customer’s instructions documented in the Agreement and DPA are integral to Harmonic’s provision of the Services and the business relationship between the Parties.
Annex 4: Security Measures
As from the Effective Date, Harmonic will implement and maintain the Security Measures as set out in this Annex 4.
1. Organizational management and staff responsible for the development, implementation and maintenance of Harmonic’s information security program.
2. Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Harmonic’s organization, monitoring and maintaining compliance with Harmonic’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
3. Data security controls which include at a minimum logical segregation of data, restricted (e.g., role-based) access and monitoring, and utilization of commercially available and industry standard encryption technologies for Customer Personal Data.
4. Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions.
5. Password controls designed to manage and control password strength, expiration and usage.
6. System auditor event logging and related monitoring procedures to proactively record user access and system activity.
7. Physical and environmental security of production resources relevant to the Services is maintained by the relevant Sub-Processor(s) (and their vendors) engaged from time-to-time by Harmonic to host those resources. Harmonic takes steps to ensure that such Sub-Processors provide appropriate assurances and certifications that evidence such physical and environmental security – including security of data center, server room facilities and other areas containing Customer Personal Data designed to: (a) protect information assets from unauthorized physical access,
(b) manage, monitor and log movement into and out of Sub-Processor facilities, and
(c) guard against environmental hazards such as heat, fire and water damage.
8. Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Harmonic’s possession.
9. Change management procedures and tracking mechanisms designed to test, approve and monitor all material changes to Harmonic’s technology and information assets.
10. Incident management procedures designed to allow Harmonic to investigate, respond to, mitigate and notify of events related to Harmonic’s technology and information assets.
11. Network security controls that provide for the use of enterprise firewalls and intrusion detection systems designed to protect systems from intrusion and limit the scope of any successful attack.
12. Vulnerability assessment and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
13. Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disasters.
Harmonic may freely update or modify these Security Measures from time to time provided that such updates and modifications do not materially decrease the overall security of Services and/or relevant Customer Personal Data.