Data Processing Addendum Attachment

Version 1.0

This Data Processing Addendum (“DPA”) is entered into between Purchaser and Supplier and applies between the Parties to the extent Supplier has access to or otherwise processes Purchaser Personal Data. Defined terms used in this DPA have the meanings set forth below. Capitalized terms that are not defined have the meanings assigned to them in the Contract.

A.  Definitions.

1) “Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with either Purchaser or Supplier, respectively.  

2) “Applicable Privacy Law” means applicable data privacy, data protection, and cybersecurity laws, rules and regulations, ordinances, licenses, orders, directives, judgements, decrees, treaties, and other similar restrictions to which Purchaser is subject, including, but not limited to, (a) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (together, the “CCPA”), (b) the EU General Data Protection Regulation 2016/679 (“EU GDPR”) including the applicable implementing legislation of each Member State, (c) the UK Data Protection Act 2018, and the UK General Data Protection Regulation (“UK GDPR” and together with the EU GDPR, the “GDPR”), (d) the Swiss Federal Act on Data Protection of 19 June 1992, (e) the Law on Protection of Personal Data (Official Gazette of the Republic of Serbia, No. 87/2018), (f) the Colorado Privacy Act (“CPA”); (g) the Connecticut Data Privacy Act (“CTDPA”); (h) the Utah Consumer Privacy Act (“UCPA”); (i) the Virginia Consumer Data Protection Act (“VCDPA”); (j) the Texas Data Privacy and Security Act ("TDPSA"); (k) the Oregon Consumer Privacy Act ("OCPA"); (l) the Montana Consumer Data Privacy Act ("MCDPA"); (m) Canada’s Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (“PIPEDA”), (n) any other Law to which Supplier is subject with respect to any Personal Data, and (o) any other data protection law and any guidance or statutory codes of practice issued by any relevant privacy authority, in each case, as amended from time to time and any successor legislation to the same.

3) “Data Subject” means an identified or identifiable natural person.

4) “Process”, “Processing”, or “Processed” means any operation or set of operations, as defined in the Applicable Privacy Law, performed upon Purchaser Personal Data whether or not by automatic means, including collecting, recording, organizing, storing, adapting or altering, retrieving, consulting, using, disclosing, making available, aligning, combining, blocking, erasing, and destroying Purchaser Personal Data.

6) “Purchaser Personal Data” means (a) personal data, personal information, personally identifiable information, or similar term as defined by Applicable Privacy Law or (b) any information, in any form or format, that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Data Subject, including any derivatives thereof or inferences made therefrom ((a) and (b), collectively, "Personal Data") that may be supplied or made available to Supplier or otherwise Processed by Supplier on behalf of Purchaser pursuant to or in connection with Supplier's performance of the Services.

7) “Security Breach” means an actual or reasonably suspected accidental, unauthorized, or unlawful destruction, loss, alteration, or disclosure of, or access to, Purchaser Personal Data. 

B. Personal Data Processing.

1)   Processing Details. The Agreement, including relevant orders or statements of work associated with the Services, will specify the Processing activities, subject matter, duration of Processing, categories of individuals, and the types and categories of Personal Data Processed, including any special categories of Personal Data or sensitive Personal Data.

2)   Relationship of the Parties. As between the Parties, except as otherwise expressly stated herein or in the Contract, Purchaser is the “Controller” and Supplier is the “Processor” of Purchaser Personal Data (as those terms are defined under Applicable Privacy Law). Controller is inclusive of the term “Business” and Processor is inclusive of the term “Service Provider” as each of those terms are defined in the CCPA. Purchaser retains all right, title, and interest in and to the Purchaser Personal Data it provides or makes available to Supplier. Supplier acquires no rights to Purchaser Personal Data other than the rights Purchaser grants to it in this DPA.

3)   Business Contact Data. Each Party acknowledges that it is an independent controller with respect to Personal Data of the other Party’s personnel that is received and Processed for the purposes of facilitating the Services and maintaining the business relationship between the Parties. Each Party shall adhere to all Laws regarding the Processing of such Personal Data and, inter alia, limit the use of such business contact data to such purposes.

4)   Survival of Obligations. Supplier’s obligations under this DPA will survive termination of the Contract and/or this DPA unless and until all Purchaser Personal Data held or controlled by Supplier (and any of its subprocessors) are irrevocably deleted or returned to Purchaser.

C.  Control of Purchaser Personal Data. In processing the Purchaser Personal Data on behalf of Purchaser, Supplier represents and warrants that it will:

1)   At all times comply with any Law, including Applicable Privacy Law, regarding its Processing of the Purchaser Personal Data including providing CCPA level privacy protection. Supplier shall immediately notify Purchaser if Supplier reasonably determines that it can no longer meet its obligations under this DPA and/or Applicable Privacy Law. Purchaser may take reasonable steps as may be necessary (a) to remediate Supplier’s unauthorized use of Purchaser Personal Data, and (b) to ensure that Purchaser Personal Data is used in accordance with the terms of this DPA and/or Applicable Privacy Law.

2)   Process the Purchaser Personal Data solely for the purpose of providing the Services to Purchaser for Purchaser's business purpose or purposes and in accordance with Purchaser’s documented instructions and not for any other purpose, unless required to do so by Law, in which case Supplier shall inform Purchaser of that legal requirement before commencing Processing unless that Law prohibits such information on important grounds of public interest. 

3)   Immediately inform Purchaser if Supplier is of the opinion that an instruction of Purchaser regarding the Processing of the Purchaser Personal Data infringes Law or is inconsistent with this DPA.

4)   Not (a) “Sell,” “Share,” resell, lease, assign, rent, sublicense, distribute, transfer, disclose, time-share, or otherwise exchange Purchaser Personal Data with any “Third Party” (as those terms may be defined in Applicable Privacy Law, including the CCPA); (b) retain, use, disclose, repurpose, combine, augment, store, analyse, or otherwise Process Purchaser Personal Data for any purpose other than for the specific purpose of performing the Services; (c) retain, use, disclose, repurpose, combine, augment, store, analyse, or otherwise Process Purchaser Personal Data for a commercial purpose other than providing the Services; (d) retain, use, disclose, repurpose, combine, augment, store, analyse, or otherwise Process Purchaser Personal Data outside of the direct business relationship between Supplier and Purchaser; or (e) Process Purchaser Personal Data for behavioral or targeted advertising purposes. Supplier certifies that it understands these restrictions and shall fully comply with them.

5)   Ensure that its Personnel are only granted access to the Purchaser Personal Data on a need-to-know basis; are bound by appropriate obligations of confidentiality; are appropriately supervised; and are provided with appropriate training in the care and handling of the Purchaser Personal Data.

6)   Implement, maintain, and enforce for as long as the Contract is in effect or as long as Supplier stores or otherwise Processes Purchaser Personal Data (whichever is later) appropriate technical and organizational measures to ensure a level of security appropriate to the risks presented by the Processing of the Purchaser Personal Data hereunder, including, at a minimum Purchaser’s written Supplier security standards that have been provided to Supplier, or, if no such written standards have been provided, (a) maintaining a written data security program; (b) appointing an individual who is responsible for the data security program, (c) conducting regular awareness and training exercises for all individuals responsible for processing the Purchaser Personal Data; (d) to the extent applicable to the Services, providing patching and vulnerability management for all software licensed to Purchaser; (e) to the extent applicable to the Services, applying industry grade security and monitoring tools that identify malicious, unauthorized, or otherwise abnormal activity within Supplier’s systems and networks which generate auditable logs; (f) managing enterprise-wide detection, prevention, and recovery controls to protect systems containing or processing the Purchaser Personal Data against malware and ransomware; (g) to the extent applicable to the Services, maintaining an industry standard secure development lifecycle program for the development of any software licensed to Purchaser; and (h) maintaining and regularly testing a written incident response plan that includes protocols for complying with Supplier’s obligations regarding any Security Breaches hereunder. Supplier warrants that it will not modify its security measures in any way that materially diminishes or degrades the security of Purchaser Personal Data. 

7)   Provide Purchaser with all necessary assistance required to respond to requests by Data Subjects exercising their rights under Applicable Privacy Law, including the ability to access, extract, and delete Purchaser Personal Data stored by Supplier and/or its subprocessors, within such reasonable timescale as may be specified by Purchaser. If Supplier receives a request directly from a Data Subject, Supplier shall, to the extent not prohibited by Applicable Privacy Law: (a) promptly forward the request to Purchaser for handling; (b) if requested, provide Purchaser with copies of documents relating to the request; (c) not refer to Purchaser or its Affiliates in any correspondence with the Data Subject without Purchaser's prior written consent; (d) not disclose any Purchaser Personal Data without Purchaser's prior written consent; (e) communicate with the Data Subject in accordance with the Purchaser's instructions; and (f) maintain a current record of requests received and requests to which Supplier responded and make such record available to Purchaser upon request.

8)   Not disclose or transfer Purchaser Personal Data to any third party without Purchaser’s written prior consent except (a) where such disclosure is to an authorized subprocessor in accordance with the terms of this DPA; or (b) such disclosure is required by Applicable Privacy Law, regulation, or supervisory authority, in which case Supplier will promptly notify Purchaser in writing prior to complying with any such request for disclosure and Supplier will comply with Purchaser’s reasonable directions regarding the disclosure or transfer, unless Supplier is legally prohibited from doing so.

9)   Not re-identify, or attempt to re-identify, any Purchaser Personal Data, or portions thereof, to the extent the Purchaser Personal Data has been anonymized, deidentified, or pseudonymized. To the extent that Supplier Processes Purchaser Personal Data that has been anonymized, deidentified, or pseudonymized, Supplier shall: (a) take reasonable measures to ensure that the Purchaser Personal Data cannot be associated with a Data Subject or household; and (b) publicly commit to maintain and Process the Purchaser Personal Data in deidentified form and not to attempt to reidentify the Purchaser Personal Data, except that Supplier may attempt to reidentify the Purchaser Personal Data solely for the purpose of determining whether its deidentification processes satisfy obligations under Applicable Privacy Laws.

10) Not combine the Purchaser Personal Data with, or match Purchaser Personal Data to, Personal Data from Supplier’s own interactions, or third parties’ interactions, with an individual.

11) Not use live production Purchaser Personal Data for testing purposes.

12) Provide all information and assistance to Purchaser as reasonably necessary for Purchaser to meet its obligations (a) in respect of performing privacy or data protection impact assessments and in consulting with competent supervisory authorities as required by Law; (b) in connection with a Security Breach; (c) in order to address any inquiry, notice, or investigation by a supervisory authority; (d) in respect of demonstrating Purchaser or Supplier’s compliance with Laws and this DPA, including allowing for Purchaser or an auditor authorized by Purchaser to audit Supplier’s compliance with this DPA; and (e) in order to facilitate the collection of any legally required consents from Data Subjects.

13) Keep detailed, accurate, and up-to-date records regarding any Processing of Purchaser Personal Data it performs for Purchaser, including, but not limited to: (a) the access to, control of, and security of the Purchaser Personal Data; (b) authorized subprocessors’ and Affiliates’ Processing activities in connection with the Purchaser Personal Data; (c) the purposes of Processing the Purchaser Personal Data; (d) the duration of Processing of the Purchaser Personal Data (i.e., the data retention period); and (e) any other records required by Law.

14) Notify Purchaser without undue delay (and in any event within 24 hours) upon discovering a Security Breach, in which case Supplier shall:

(a)  as part of such notification, include at least the following information to the extent then known: (i) describe the nature of the incident, (ii) the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned, (iii) the name and contact details of Supplier's data protection officer or other contact point where more information can be obtained, (iv) explain the impact of such Security Breach upon Purchaser and the Data Subjects whose Personal Data is affected by such Security Breach, and (v) the measures taken or proposed to be taken by Supplier to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects and to prevent subsequent, similar breaches;

(b) in no case delay notification because of insufficient information but instead provide and supplement notifications as information becomes available to Supplier; 

(c)  fully cooperate with Purchaser and use its best efforts to investigate such Security Breach and meet any necessary reporting obligations required by Applicable Privacy Law;

(d) take all necessary and appropriate corrective action to respond to, remedy and/or mitigate any damages caused by the Security Breach and prevent a recurrence of such Security Breach;

(e)  not communicate with any Data Subject or Governmental Authority with respect to the Security Breach without the prior written consent of Purchaser;

(f) grant Purchaser the right to take all reasonable and appropriate steps to stop and remediate any unauthorized Processing of Purchaser Personal Data; and

(g) in the event that any Purchaser Personal Data is corrupted or lost or materially degraded as a result of the Supplier's or any of its Personnel’s negligence or default so as to be unusable, Purchaser will have the option to: require Supplier at its own expense to use commercially reasonable efforts to restore or procure the restoration of the Purchaser Personal Data and Supplier shall do so as soon as possible; or itself restore or procure the restoration of the Purchaser Personal Data and require Supplier to reimburse Purchaser for any reasonable costs incurred in so doing.

15) Following expiration or termination of the Contract, safely destroy all of the Purchaser Personal Data (and direct its subprocessors to do the same) and promptly notify Purchaser in writing (in a form acceptable to Purchaser such as a certificate of secure destruction) once all Purchaser Personal Data has been destroyed, provided that where continued storage by Supplier (or one of its subprocessors) is required by Law, Supplier shall inform Purchaser of those requirements. In such case, Supplier may retain a single copy of such data and only Process such data for the limited purposes required or permitted by applicable law.

D.  Use of Subprocessors. Supplier may use subprocessors to assist in Purchaser Personal Data processing hereunder, provided that prior to such disclosure, the subprocessor has agreed by written contract to be bound by obligations that are no less onerous than the obligations set out herein. Supplier shall carry out adequate due diligence to ensure that the subprocessor is capable of providing the same level of protection for the Purchaser Personal Data that is required under this DPA. Supplier has made available to Purchaser a current list of subprocessors. At least thirty (30) days prior to an intended change of subprocessor, Supplier shall provide Purchaser information about (i) the identity, processing services, and location of the intended subprocessor; and (ii) the due diligence Supplier has conducted on the intended subprocessor. If Purchaser objects to Supplier’s change of subprocessor, Purchaser shall notify Supplier of its objections in writing within thirty (30) business days of receipt of information about the change from Supplier and shall be entitled to terminate the Contract with immediate effect and without liability in the event Supplier does not take into consideration Purchaser’s objections. Supplier shall remain fully liable to Purchaser for the performance of any subprocessors’ obligations that are delegated by Supplier herein.

E.  Audits and Oversight

1)   Audits by Supplier. Supplier shall perform periodic audits relating to the security of its computers, computing equipment, cloud environments (if applicable), networks and systems used in processing the Purchaser Personal Data on an at-least annual basis. Such audits will be performed by qualified, independent security auditors at Supplier’s choice and expense, and will result in the generation of an internal audit report, which Supplier will make available to Purchaser at Purchaser’s request (each, an “Internal Audit Report”). Supplier will promptly remediate any issues raised in such Internal Audit Report to the satisfaction of the auditor. Such Internal Audit Report is understood to be Supplier confidential information.

2)   Privacy and Security Certifications. If Supplier maintains privacy and security certifications through an internationally-recognized organization (e.g., ISO/IEC 27001 and ISO/IEC 27002; ISO 27701 (PIMS); ISO/IEC 27032; UK NIS Regulations 2018; NIST (CSF); etc.), a copy of such certification may be acceptable to Purchaser to demonstrate annual cybersecurity compliance in lieu of the Internal Audit Report detailed above.

3)   Audits by Purchaser. In addition to Supplier’s obligations set forth above, Supplier shall provide Purchaser (or its authorized auditors, inspectors, regulators or other representatives) access to (a) any Supplier (or subprocessor) owned or managed facility (or part thereof) at which Supplier is providing the Services; (b) relevant Personnel; and (c) computer systems, data, and records relating to the Services; each for the purpose of performing audits of Supplier (or subprocessors) to verify Supplier’s compliance with this DPA and/or Laws. Each audit by Purchaser will result in an “External Audit Report” disclosing any material findings by the auditors and/or recommending any remediations required under Law. Purchaser may perform such audits no more than once in any calendar year unless (i) Purchaser has a reasonable suspicion of a Security Breach by Supplier (or a subprocessor); (ii) Purchaser receives a request from a supervisory authority; or (iii) Purchaser receives a complaint or request from a Data Subject, in which event Purchaser may perform an external audit on a more frequent basis as necessary. Supplier will respond in writing within thirty (30) days to all recommendations within Purchaser’s External Audit Report, shall promptly remediate issues raised or discovered as part of any such External Audit Report, and shall comply with all reasonable recommendations from Purchaser that result from such External Audit Reports.

F.   Cross-Border Transfers of Personal Data. To the extent that the provision of the Services involves the transfer of Personal Data from the European Economic Area (“EEA”), Switzerland, the United Kingdom, or Serbia to (either directly or via onward transfer) any country or recipient which has not been recognized by the European Commission, Switzerland, the United Kingdom, or Serbia as offering an adequate level of protection for personal data, Supplier agrees that: 

1)   With regard to EEA or Swiss Personal Data, the EU-Commission-approved version of the standard contractual clauses in Commission Decision 2021/914/EC Module Two (controller to processor) (as set out in https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en) (the “EU SCCs”) shall be deemed to be incorporated by reference and apply for the benefit of Purchaser as the data exporter, if and to the extent that Purchaser transfers EEA or Swiss Personal Data to Supplier outside the EEA or Switzerland to any jurisdiction not deemed adequate for data protection purposes. Where the data exporter and the data importer are directed to complete portions of the EU SCCs, the Parties agree:

a.   For purposes of Section I, Clause 7, the optional docking clause does not apply.

b.   For purposes of Section II, Clause 8.1, the instructions to the data importer shall be instructions to process Personal Data as necessary to perform the Services and/or supply the Products provided by Supplier;

c.   For purposes of Section II, Clause 8.5, Supplier’s storage, erasure and return of Personal Data, shall be construed by reference to Section C.16 of this DPA.

d.   For purposes of Section II, Clause 9, Supplier’s ability to engage sub-processors shall be construed by reference to Section D of this DPA.

e.   For purposes of Section II, Clause 11, the optional language does not apply.

f.    For purposes of Section II, Clause 13(a), option 1 shall apply.

g.   For purposes of Section IV, Clauses 17 and 18, to the extent permitted by applicable data protection law, the Parties agree that their respective obligations under the EU SCCs shall be governed by the laws of and subject to the jurisdiction of the courts of the Netherlands and the competent supervisory authority is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), Bezuidenhoutseweg 30, 2594 AV DEN HAAG, Netherlands.

h.   The information required by Annex I (List of Parties and Description of Transfer) is contained in Sections B.1 and B.2 of this DPA.

i.    The information required by Annex II (Technical and Organizational Measures) is contained in Section C.6 of this DPA.

j.    The information required by Annex III (List of Subprocessors) is contained in Section D of this DPA.

2)   With regard to U.K. Personal Data, version B1.0 of the International Data Transfer Addendum to the EU SCCs, as issued by the U.K. Information Commissioner under s119A(1) of the U.K. Data Protection Act 2018, in force 21 March 2022 (as set out in https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf) (the “U.K. SCCs”) shall be deemed to be incorporated by reference and apply for the benefit of Purchaser as the data exporter, if and to the extent that Purchaser transfers U.K. Personal Data to Supplier outside the U.K. to any jurisdiction not deemed adequate for data protection purposes. Where the data exporter and the data importer are directed to complete portions of the U.K. SCCs, the Parties agree:

a.   For purposes of Part 1, Table 1, the Parties shall be as set forth herein.

b.   For purposes of Part 1, Table 2, the EU SCCs noted above are selected; Clause 7, the optional docking clause, does not apply; Clause 11, the optional language, does not apply; Clause 9, Supplier’s ability to engage sub-processors, shall be construed by reference to Section D of this DPA; and personal data received from the importer shall not be combined with Personal Data collected by the exporter.

b.   For purposes of Part 1, Table 3, the information required by Annex I (List of Parties and Description of Transfer) is contained in Sections B.1 and B.2 of this DPA, the information required by Annex II (Technical and Organizational Measures) is contained in Section C.6 of this DPA, and the information required by Annex III (List of Subprocessors) is contained in Section D of this DPA.

c.   For purposes of Part 1, Table 4, only the data exporter (Purchaser) may end this DPA as set out in Section 19 of the UK SCCs.

d.   For purposes of Part 2, all Mandatory Clauses shall be incorporated into the EU SCCs.

3)   With regard to Serbian Personal Data, the unchanged standard contractual clauses issued on 16 January 2020 by the Serbian Commissioner for Information of Public Importance and Personal Data Protection, as located here in Serbian (https://www.poverenik.rs/images/stories/dokumentacija-nova/podzakonski-akti/Klauzulelat.docx) or such alternative clauses as may be approved by the Serbian Commissioner from time to time (the “Serbian SCCs,” collectively with the EU SCCs and the U.K. SCCs, the “SCCs”) shall be deemed to be incorporated by reference and apply for the benefit of Purchaser as the data exporter, if and to the extent that Purchaser transfers Serbian Personal Data to Supplier outside Serbia to any jurisdiction not deemed adequate for data protection purposes. Where the data exporter and the data importer are directed to complete portions of the Serbian SCCs, the Parties agree:

a.   Purchaser is the “data exporter” and Controller and Supplier is the “data importer” and Processor. The exporter’s full legal name, main address and official registration number are those of Purchaser; the importer’s full legal name, main address and official registration number are those of Supplier; the representative of each party is as set forth in the Contract.

b.   For the purposes of Clause 12 (Duration of the processing), the duration is set forth in Section B.1 of this DPA.

c.   For the purposes of Clause 15 (Dispute resolution), any disputes arising from the Serbian SCCs shall be resolved by the courts of Serbia;

d.   For the purposes of Annex 1, the required description of the processing is set forth in Section B.1 of this DPA.

e.   For the purposes of Annex 2, the procedure to follow where the Processor believes that any instruction from Controller is in violation of, or would result in Processing in violation of, applicable law, is referenced in Section C.3 of this DPA. Any notifications in relation to this point must be sent to Purchaser’s Data Protection Officer at dpo@rivianvw.tech;

f.    For the purposes of Annex 3, the description of the security measures by the Processor is set forth in Section C.6 of this DPA;

g.   For the purposes of Annex 4, the deadline to notify the Controller and the procedure to follow upon occurrence of a Personal Data Breach is described in Section C.14 of this DPA; the notification to the Controller must, at least, contain the information referred to in Clause 6 (Notification of personal data breach) of the Serbian SCCs; any notifications in relation to this point must be sent to Purchaser’s Data Protection Officer at dpo@rivianvw.tech.

h.   For the purposes of Annex 5, the engagement of subprocessors can only be made pursuant to prior specific written authorization (no general authorization).

i.    for the purposes of Annex 6, the instructions for international transfers of Personal Data are those contained in this Section F of this DPA;

j.    for the purposes of Annex 7, the manner in which the Controller can verify compliance of its obligations by the Processor is described in Section E of this DPA;

k.   in the event of any conflict between the Serbian SCCs and this DPA and/or the Contract, the Serbian SCCs shall control to the extent of such conflict.

4)   Nothing in the Agreement will be construed to prevail over any conflicting clause of the SCCs. Each Party acknowledges that it has had the opportunity to review the SCCs.

5)   To the extent that any subprocessor engaged by Supplier is located in a country outside the EEA, Switzerland, the United Kingdom, or Serbia which has not been recognized as offering an adequate level of protection for Personal Data, Supplier shall assist Purchaser to adduce an adequate level of protection for the Personal Data as required by Law by entering into the SCCs with the subprocessor on Purchaser's behalf. Supplier shall provide Purchaser with a copy of any SCCs entered into pursuant to this provision on Purchaser’s request. If necessary to comply with Law where requested by Purchaser on behalf of its enterprise customers, Supplier shall enter into the SCCs directly with Purchaser’s enterprise customers.

6)   In the event that the SCCs are amended, replaced or repealed by the European Union, Switzerland, the United Kingdom, or Serbia, the Parties shall work together in good faith to enter into any updated version of the respective SCCs or negotiate in good faith a solution to enable a transfer of Personal Data to be conducted in compliance with Law. 

G.  Insurance. Subject to the policies’ terms and conditions, in addition to any other insurance required of Supplier under the Contract, Supplier shall maintain, at its own cost and expense, Media/Technology/Cyber Liability insurance, including coverage for breaches of network security, wrongful disclosure of confidential information, unauthorized access to or use of data, corruption of data (aka Errors and Omissions) in a form acceptable to Purchaser and in amounts sufficient to ensure its obligations hereunder (the “Policy”). Supplier shall name Purchaser as an additional insured to the Policy and Supplier shall, upon written request, provide Purchaser with a certificate of insurance, showing Purchaser as an additional insured to the Policy. Supplier will provide Purchaser with at least thirty (30) calendar days prior written notice of cancellation or nonrenewal of the Policies.

H.  Indemnification. Supplier will indemnify, defend, and hold harmless Purchaser from and against any and all liabilities, costs, claims, charges, damages, expenses, and losses including any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal fees and costs suffered or incurred by Purchaser or for which Purchaser may become liable arising out of or in connection with (1) Supplier’s failure to comply with any of its, or its subprocessors’, obligations in this DPA; and (2) any Security Breach. Supplier agrees to provide the preceding indemnity whether or not it obtains the insurance coverage required herein, or whether such coverage is reduced, canceled, terminated, or disputed by the insurance carrier. The indemnity will survive the termination or earlier expiration of this DPA. 

I.   Termination. Purchaser is entitled to suspend and/or terminate the Contract with immediate effect if Supplier or any of its subprocessors commit any breach of this DPA. Such suspension or termination shall be without penalties or additional charges. Upon termination of the Contract and/or this DPA, Supplier shall, at Purchaser's direction, delete or return all Purchaser Personal Data to Purchaser as requested at the end of the provision of Services, unless retention of Purchaser Personal Data is required by Law.

J.   Miscellaneous. Notwithstanding anything to the contrary in the other portions of the Contract, this DPA shall take precedence and will govern and supersede over conflicting or inconsistent terms in the Contract. Except as otherwise expressly provided in this DPA each Party will perform its obligations under this DPA at its own cost. All notices regarding this DPA will be provided pursuant to the notice clause within the Contract; provided, however that a copy of any notice provided to Purchaser hereunder must also be made to Purchaser’s Data Protection Officer at dpo@rivianvw.tech. Additionally, Supplier shall, upon Purchaser's request, cooperate in good faith with Purchaser to enter into additional or modified contract terms to address any modification, amendments, or updates to Applicable Privacy Law.


© 2026 Rivian and Volkswagen Group Technologies, LLC All rights reserved. 
