Supplier Codes & Policies - Simulations Plus

Supplier Codes Of Conduct

Simulations Plus has adopted the Responsible Business Alliance (RBA) Code of Conduct as our code of conduct for all of our suppliers. The RBA Code of Conduct is an industry standard code that reflects the principles of responsible supplier conduct including provisions covering labor practices, health & safety, environment, ethics, and management. To accommodate global sourcing, the RBA Code of Conduct is available for download directly from the RBA website in more than 25 languages.

Simulations Plus expects its suppliers to conduct their business and operations in accordance with the RBA Code of Conduct. Regarding a supplier’s responsibility to the environment, it is understood that the supplier’s efforts and compliance will be consistent with standards and practices in the supplier’s relevant industry. With regard to handling of personal data, Simulations Plus also expects its suppliers to comply with the Supplier Data Protection Agreement provided below.

Contents of the current RBA Code:

Labor
- Prohibition of Forced Labor
- Young Workers
- Working Hours
- Wages and Benefits
- Non-Discrimination/Non-Harassment/Humane Treatment
- Freedom of Association and Collective Bargaining
Health & safety
- Occupational Health and Safety
- Emergency Preparedness
- Occupational Injury and Illness
- Industrial Hygiene
- Physically Demanding Work
- Machine Safeguarding
- Sanitation, Food, and Housing
- Health and Safety Communication
Environment
- Environmental Permits and Reporting
- Pollution Prevention and Resource Conservation
- Hazardous Substances
- Solid Waste
- Air Emissions
- Materials Restrictions
- Water Management
- Energy Consumption and Greenhouse Gas Emissions
Ethics
- Business Integrity
- No Improper Advantage
- Disclosure of Information
- Intellectual Property
- Fair Business, Advertising and Competition
- Protection of Identity and Non-retaliation
- Responsible Sourcing of Minerals
- Privacy
Management systems
- Company Commitment
- Management Accountability and Responsibility
- Legal and Customer Requirements
- Risk Assessment and Risk Management
- Improvement Objectives
- Training
- Communication
- Worker/Stakeholder Engagement and Access to Remedy
- Audits and Assessments
- Corrective Action Process
- Documentation and Records
- Supplier Responsibility

Supplier Data Protection Agreement

SIMULATIONS PLUS SUPPLIER DATA PROTECTION AGREEMENT

For Distributors, Resellers, Suppliers, and Service Providers (“Service Providers”).

This Simulations Plus Data Processing Addendum, including its exhibits and appendices (the “Addendum”) is between:

Simulations Plus, Inc., including its Affiliates (“Simulations Plus”); and
Service Provider.

Purpose:

Simulations Plus and Service Provider have entered into an agreement (“Agreement”) which incorporates or otherwise references this Addendum for regulating the processing of Simulations Plus Personal Data by Service Provider in the course of Service Provider providing Services (as defined herein) to Simulations Plus pursuant to the Agreement.

Definitions
1. Capitalized terms which are used but not defined herein shall have the meanings given to them in the Agreement. Except as modified or supplemented below, the definitions of the Agreement shall remain in full force and effect. The terms “Controller”, “Data Subject”, “Processor”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing”, “Supervisory Authority”, and “Third Country” shall have the same meanings as in the Applicable Data Protection Laws, and their cognate and corresponding terms shall be construed accordingly. For the purposes of this Addendum, “Data Importer” and “Data Exporter” also refer specifically to a Party or the Parties to this Addendum, as the case may be.
2. For the purpose of interpreting this Addendum, the following terms (and their applicable cognates) shall have the meanings set out below:
  1. “Affiliate” means any entity within a controlled group of companies that directly or indirectly, through one or more intermediaries, is controlling, controlled by, or under common control with one of the Parties.
  2. “Applicable Data Protection Laws” means all laws and regulations applicable to the Processing of Simulations Plus Personal Data, including but not limited to the laws and regulations identified in Exhibit B hereto as may be amended, modified or supplemented from time to time, as applicable.
  3. “CPRA” means the California Privacy Rights Act, as amended from time to time.
  4. “Contracted Processor” means any third party appointed by or on behalf of Service Provider to Process Simulations Plus Personal Data in connection with the Services.
  5. “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as may be amended from time to time.
  6. “Personal Data Recipient” means Service Provider, a Contracted Processor, or both collectively.
  7. “Restricted International Transfer” means any transfer of Simulations Plus Personal Data protected by Applicable Data Protection Laws to a Third Country or an international organization in a Third Country (including data storage on foreign servers).
  8. “Security Incident” means any actual or reasonably suspected unauthorized use, destruction, loss, control, alteration, acquisition, exfiltration, theft, retention, disclosure of, or access to, Simulations Plus Personal Data for which Service Provider is responsible. Security Incidents do not include unsuccessful access attempts or attacks that would not potentially compromise the confidentiality, integrity, or availability of Simulations Plus Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems. For the avoidance of doubt, a Security Incident includes any Personal Data Breach.
  9. “Services” means the services and other activities carried out by or on behalf of Service Provider for Simulations Plus pursuant to the Agreement.
  10. “Simulations Plus Personal Data” means any Personal Data of Simulations Plus (including employees, consultants, or representatives of it or its Affiliates) which is Processed by or on behalf of Service Provider to provide the Services in accordance with the Agreement.
  11. “Standard Contractual Clauses” are the model clauses for Restricted International Transfers adopted from time to time by the relevant authorities of the jurisdictions indicated in Exhibit B, insofar as their use is approved by the relevant authorities as an appropriate mechanism or safeguard for Restricted International Transfers.
  12. “Sub-Processor” means a direct Processor of a Processor. For the avoidance of doubt, Contracted Processors are Sub-Processors.
3. Unless expressly stated otherwise, references to a Section of this Addendum refer to the content of the body of this Addendum and not to the content of the exhibits and appendices.
Applicability
1. This Addendum will apply to the Processing of all Simulations Plus Personal Data, regardless of country of origin, place of Processing, location of Data Subjects, or any other factor.
Processing of Simulations Plus Personal Data
1. In the context of this Addendum, and with regard to the Processing of Simulations Plus Personal Data, Simulations Plus acts as a Controller, and Service Provider acts as a Processor.
2. Service Provider shall:
  1. comply with all Applicable Data Protection Laws in the Processing of Simulations Plus Personal Data;
  2. not Process Simulations Plus Personal Data other than on Simulations Plus’s relevant documented instructions (including with regard to Restricted International Transfers), unless such Processing is required by Applicable Data Protection Laws to which the relevant Processing activity(ies) are subject, in which case Service Provider shall, to the extent permitted by Applicable Data Protection Laws, inform Simulations Plus of that legal requirement before the respective act of Processing of that Simulations Plus Personal Data;
  3. only conduct Restricted International Transfers in compliance with Applicable Data Protection Laws and the requirements of Exhibit B; and
  4. immediately inform Simulations Plus in the event that, in Service Provider’s reasonable opinion, a Processing instruction given by Simulations Plus may infringe Applicable Data Protection Laws.
3. All necessary information relating to the details of the Processing is set out in Exhibit A attached hereto and incorporated by reference. Simulations Plus shall be entitled to update Exhibit A from time to time by sending an updated version to Service Provider using the Notice details set out in the Agreement. Service Provider will be considered to have accepted any such update unless it provides Simulations Plus with written notice of non-acceptance within fourteen (14) days following receipt of the updated version. If Service Provider issues such notice of non-acceptance, the Parties will cooperate and negotiate in good faith regarding any required updates to Exhibit A.
4. Simulations Plus instructs Service Provider (and authorizes Service Provider to instruct each Contracted Processor it engages) to Process Simulations Plus Personal Data and, in particular, transfer Simulations Plus Personal Data to any country or territory (subject to the requirements of Applicable Data Protection Laws governing Restricted International Transfers), only as reasonably necessary for the provision of the Services and consistent with the Agreement and this Addendum.
5. Service Provider represents and warrants that it is not, and has never been, subject to civil or criminal litigation, government investigation, or a consent decree, judgment, or order regarding data privacy or information security and that it has not suffered any material security breach or, if it has, that it has disclosed information regarding such security breach(es) to Simulations Plus.
Service Provider Personnel
1. Service Provider shall take reasonable steps to ensure the reliability of any of its employees, agents, or contractors who may have access to Simulations Plus Personal Data.
2. Service Provider shall ensure that access to Simulations Plus Personal Data is strictly limited to those individuals who need to know or access it, as strictly necessary to fulfil the documented Processing instructions given to Service Provider by Simulations Plus or to comply with Applicable Data Protection Laws.
3. Service Provider shall ensure that all such individuals are subject to formal confidentiality undertakings, professional obligations of confidentiality, or statutory obligations of confidentiality.
Security of Processing
1. Taking into account the state of the art and the high sensitivity of the Simulations Plus Personal Data, Service Provider shall, with regard to Simulations Plus Personal Data, implement and maintain appropriate technical and organizational security measures to ensure a level of security appropriate to that risk (several of which are described in Appendix I to Exhibit A). Service Provider shall also assist Simulations Plus with regard to ensuring Simulations Plus’s compliance with its own obligations related to its security measures, including, without limitation, as required by Article 32 of the GDPR and subdivision (c) of Section 1798.81.5 of the California Civil Code.
2. In assessing the appropriate level of security, Service Provider shall take into account, in particular, the risks that are presented by the nature of its Processing activities, and particularly those related to Security Incidents.
Sub-processing
1. Simulations Plus authorizes Service Provider to appoint (and permit each Contracted Processor appointed in accordance with this Section 6 to appoint) Contracted Processors in accordance with this Section 6 and any relevant restrictions set out in the Agreement.
2. Service Provider may continue to use those Contracted Processors already engaged by Service Provider as of the date of this Addendum, subject to Service Provider meeting the obligations set out in Section 6.5. The list of Service Provider’s Contracted Processors as of the Effective Date is provided in the Agreement.
3. Service Provider shall provide Simulations Plus prior written notice of the appointment of any new Contracted Processor by email to privacy@simulations-plus.com, including details of the Processing to be undertaken by that respective Contracted Processor.
4. Neither Service Provider nor any Contracted Processor shall appoint (nor disclose any Simulations Plus Personal Data to the prospective Contracted Processor, except with the prior written consent of Simulations Plus (email shall suffice). If Simulations Plus objects to a proposed appointment, the Parties will, for a period of no more than thirty (30) days from the date of Simulations Plus’s refusal, work together in good faith to attempt to find a commercially reasonable solution for Simulations Plus that avoids the use of the objected-to Contracted Processor. If no solution can be found that is satisfactory to both Parties, Simulations Plus, upon written notice to Service Provider, may terminate the Agreement immediately (or upon such date as Simulations Plus selects), with no further fees due, other than what has been accrued up to and including the date of termination.
5. With respect to each Contracted Processor, Service Provider shall:
  1. before the Contracted Processor first Processes Simulations Plus Personal Data (or, where relevant, in accordance with Section 2), carry out adequate due diligence to ensure that the Contracted Processor is capable of providing the level of protection and security for Simulations Plus Personal Data required by this Addendum, the Agreement, and Applicable Data Protection Laws;
  2. disclose the results of that due diligence, with documentation sufficient to support Service Provider’s findings, to Simulations Plus upon request of Simulations Plus;
  3. restrict the Contracted Processor’s access to Simulations Plus Personal Data only to what is necessary to assist Service Provider in providing or maintaining the Services, and prohibit the Contracted Processor from accessing Simulations Plus Personal Data for any other purpose; and
  4. ensure that the arrangement between Service Provider and the prospective Contracted Processor is governed by a written contract that includes terms which offer at least the same level of protection for Simulations Plus Personal Data as those set out in this Addendum, and that such terms meet the requirements of Applicable Data Protection Laws.
6. Service Provider shall agree a third-party beneficiary clause with all Contracted Processors whereby, in the event the Service Provider has factually disappeared, ceased to exist in law or has become insolvent, Simulations Plus shall have the right to terminate the arrangement with the Contracted Processor and to instruct the Contracted Processor to erase or return the Simulations Plus Personal Data.
7. Where any Contracted Processor fails to fulfil its data protection obligations under such written contract (or in the absence thereof, as the case may be), Service Provider shall remain fully liable to Simulations Plus for the performance of the respective Contracted Processors’ data protection obligations under such contract and/or Applicable Data Protection Laws.
Rights of the Data Subjects
1. Taking into account the nature of the Processing, Service Provider shall assist Simulations Plus by implementing appropriate technical and organizational measures, insofar as possible, to respond to requests to exercise rights of the Data Subjects under Applicable Data Protection Laws.
2. With regard to the rights of the Data Subjects within the scope of this Section 7, Service Provider shall:
  1. promptly notify Simulations Plus if any Personal Data Recipient receives a request from a Data Subject under any Applicable Data Protection Laws with respect to Simulations Plus Personal Data;
  2. ensure that the Personal Data Recipient does not respond to that request, except on the documented instructions of Simulations Plus or as required by Applicable Data Protection Laws to which the Personal Data Recipient or Processing activity/ies are subject, in which case Service Provider shall, to the extent permitted by Applicable Data Protection Laws, inform Simulations Plus of that legal requirement before the Personal Data Recipient responds to the request; and
  3. promptly comply with any documented instructions from Simulations Plus regarding responding to a request to exercise rights of a Data Subject under Applicable Data Protection Laws.
Security Incidents
1. Service Provider will maintain a reasonable and appropriate Security Incident response program.
2. If Service Provider discovers, is notified of, or has reason to suspect a Security Incident affecting Simulations Plus Personal Data under its or any other party’s control, Service Provider will (i) immediately stop the unauthorized access and resolve the Security Incident; (ii) secure the Simulations Plus Personal Data; and (iii) notify Simulations Plus in accordance with Section 8.3 by contacting privacy@simulations-plus.com without undue delay and, in any event, within twenty-four (24) hours of such discovery.
3. Service Provider shall:
  1. as part of the notification mentioned in Section 8.2, describe to Simulations Plus in as much detail as reasonably possible: (i) the nature of the Security Incident, (ii) where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned, (iii) the impact of such Security Incident upon Simulations Plus and the Data Subjects whose Personal Data is affected by such Security Incident, (iv) the measures taken or proposed to be taken by Service Provider to address the Security Incident, and (v) contact information for relevant individual(s) of Service Provider who is responsible for managing and addressing the Security Incident until it has been resolved;
  2. in no case delay notification because of insufficient information, but instead provide and supplement notifications as and when information becomes available;
  3. provide Simulations Plus with sufficient information to assist Simulations Plus, or to allow Simulations Plus to assist its clients, so that each affected entity can meet its respective obligations pursuant to Applicable Data Protection Laws, including any obligations to report a Personal Data Breach to the supervisory authorities and inform the Data Subjects of a Personal Data Breach; and
  4. in cooperation with Simulations Plus, use its best efforts (at Service Provider’s expense) to investigate, mitigate, and remediate each such security Incident and prevent a recurrence of such Security Incident.
4. Service Provider will promptly reimburse Simulations Plus for all costs reasonably incurred by Simulations Plus in connection with the Security Incident including, but not limited to, costs related to Simulations Plus’s provision of notice of a Personal Data Breach to supervisory authorities, Simulations Plus’s clients, or affected Data Subjects and costs related to offering credit monitoring services to affected Data Subjects (if determined appropriate by Simulations Plus or required by Applicable Data Protection Laws).
Data Protection Impact Assessment and Prior Consultation
1. Service Provider shall provide Simulations Plus with relevant information and documentation, and assist Simulations Plus in complying with its obligations with regard to any data protection impact assessments or prior consultations with supervisory authorities when Simulations Plus determines that such data protection impact assessments or prior consultations are required pursuant to Applicable Data Protection Laws (including, without limitation, Article 35 or 36 of the GDPR), but in each such case solely with regard to Processing of Simulations Plus Personal Data by, and taking into account the nature of the Processing and information available to, the respective Personal Data Recipient.
Deletion or Return of Personal Data
1. Service Provider shall provide Simulations Plus with the technical means, consistent with the way the Services are provided, to request the deletion of Simulations Plus Personal Data, unless Applicable Data Protection Laws require storage of any such Simulations Plus Personal Data.
2. Service Provider shall promptly, following the date of cessation of Services involving the Processing of Simulations Plus Personal Data, at the choice of Simulations Plus, delete or return all Simulations Plus Personal Data to Simulations Plus, as well as delete existing copies, unless applicable law requires storage of any such Simulations Plus Personal Data. In the event that Simulations Plus has not specified its choice, Service Provider shall return all Simulations Plus Personal Data to Simulations Plus.
3. Service Provider shall also cause all Contracted Processors that may have received any Simulations Plus Personal Data to delete or return, as applicable, all such Simulations Plus Personal Data without undue delay.
Audit Rights
1. Simulations Plus may request, and Service Provider will provide (subject to obligations of confidentiality), a current SOC 2 Type II audit report, ISO 27001 certificate, or other substantially similar independent third-party audit report issued to Service Provider, and any related documentation that Simulations Plus may request, to confirm Service Provider’s compliance with the Applicable Data Protection Laws.
2. If Simulations Plus, after having reviewed such audit report(s) and related documentation, still requires additional information (for example, Service Provider’s policies and procedures regarding data protection, information from Service Provider’s Contracted Processors, or any other relevant information), Service Provider shall further assist and make available to Simulations Plus all such additional information and/or documentation (including relevant provisions of contracts with Contracted Processors) necessary to demonstrate compliance with this Addendum and/or Applicable Data Protection Laws.
3. In addition, Service Provider shall allow for and contribute to audits, including remote inspections of the Services, by Simulations Plus (on behalf of itself or its clients) or an auditor mandated by Simulations Plus (on behalf of itself or its clients) with regard to the Processing of the Simulations Plus Personal Data by the Personal Data Recipient.
Jurisdiction Specific Terms
1. To the extent Service Provider Processes Simulations Plus Personal Data originating from, or protected by, Applicable Data Protection Laws in, one of the jurisdictions listed in Exhibit B, then the terms and definitions specified in Exhibit B with respect to the applicable jurisdiction(s) (“Jurisdiction Specific Terms”) shall apply in addition to the terms of this Addendum.
2. Simulations Plus may update Exhibit B from time to time to reflect changes in or additions to Applicable Data Protection Laws to which relevant Processing operations are subject. If Simulations Plus updates Exhibit B, an update version will be made accessible by Service Provider on the online version of this Addendum available at the website of Simulations Plus.
3. In case of any conflict or ambiguity between the Jurisdiction Specific Terms and any other terms of this Addendum, the applicable Jurisdiction Specific Terms will prevail.
No Selling of Simulations Plus Personal Data
1. Service Provider acknowledges and confirms that it does not receive any Simulations Plus Personal Data as consideration for any Services or other items that Service Provider provides to Simulations Plus. As between Simulations Plus and Service Provider, Simulations Plus retains all rights and interests in Simulations Plus Personal Data. Service Provider agrees to refrain from taking any action that would cause any transfers of Simulations Plus Personal Data to or from Service Provider to qualify as selling Simulations Plus Personal Data under Applicable Data Protection Laws.
International Data Transfers
1. Restricted International Transfers of Simulations Plus Personal Data within the scope of this Addendum shall be conducted in accordance with the applicable terms and requirements set out in Exhibit B and Applicable Data Protection Laws.
Updates to Exhibits to this Addendum
1. Simulations Plus may update Exhibit A and Exhibit B (and their appendices) from time to time to reflect changes in or additions necessary to conclude the Standard Contractual Clauses (as defined in Exhibit B). Without limiting the generality of the foregoing, if the execution of a new version of the Standard Contractual Clauses adopted by the relevant authorities in the jurisdiction governing the processing of Simulations Plus Personal Data is later required in order for the Parties to rely on the Standard Contractual Clauses as a lawful mechanism for Restricted International Transfers, the Parties are deemed to have agreed to the new version of the Standard Contractual Clauses by signing this Addendum, and, if necessary, Simulations Plus shall be entitled to update Exhibit A and Exhibit B (and their appendices) accordingly.
2. Simulations Plus may update Exhibit C from time to time to provide for additional safeguards to Simulations Plus Personal Data subject to the requirements of Applicable Data Protection Laws for Restricted International If Simulations Plus updates Exhibit C, it will provide the updated Exhibit C to Service Provider. If Service Provider does not object to the updated Exhibit C within fourteen (14) days of receipt, Service Provider will be deemed to have consented to the updated Exhibit C.
Liability
1. The liability of each Party under this Addendum shall be subject to the exclusions and limitations of liability set out in the Agreement. Notwithstanding anything to the contrary in the Agreement, Service Provider shall be fully liable for any breach of the Addendum or Applicable Data Protection In no event does this Addendum restrict or limit the rights of any Data Subject under the Applicable Data Protection Laws.
2. Service Provider shall be fully liable to Simulations Plus for any breach of the Agreement or this Addendum, and the obligations set out therein (including by means of additional contract, as the case may be), by any Personal Data Recipient, without prejudice to the liability of Service Provider in accordance with Applicable Data Protection Laws.
Indemnification
1. Service Provider agrees to indemnify, defend, and hold harmless Simulations Plus and its officers, directors, employees, agents, Affiliates, successors, and permitted assigns against any and all losses, damages, liabilities, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs, or expenses of whatever kind which Simulations Plus may sustain as a consequence of any breach by Service Provider (or the Contracted Processors, as the case may be) of the provisions of this Addendum.
General Terms
1. This Addendum supersedes and replaces all prior and contemporaneous proposals, statements, sales materials or presentations, and agreements, oral and written, with regard to the subject matter of this Addendum, including any prior data processing addenda entered into between Service Provider and Simulations Plus in connection with the Agreement.
2. All clauses of the Agreement that are not explicitly amended or supplemented by the clauses of this Addendum remain in full force and effect and shall apply, as long as this does not contradict compulsory requirements of Applicable Data Protection Laws.
3. In the event of any conflict between the Agreement (including any annexures, exhibits, and appendices thereto) and this Addendum, the provisions of this Addendum shall prevail, except in such cases where the applicable Jurisdiction Specific Terms listed in Exhibit B will apply and take precedence.
4. Should any provision of this Addendum be found legally invalid or unenforceable, then the invalid or unenforceable provision will be deemed superseded by a valid, enforceable provision that most closely matches the intent of the original provision, and the remainder of this Addendum will continue in effect.
5. If Service Provider determines that it can no longer meet any of its obligations in this Addendum, Applicable Data Protection Laws, or the Standard Contractual Clauses (where applicable), it shall (i) promptly notify Simulations Plus of that determination and (ii) cease the Processing or immediately take other reasonable and appropriate steps to remediate the lack of compliance.
6. If Service Provider is accepting the terms of this Addendum on behalf of an entity, Service Provider represent and warrant to Simulations Plus that it has the authority to bind that entity and its Affiliates, where applicable, to the terms and conditions of this Addendum.
7. In the event that Service Provider materially breaches this Addendum or suffers a material Security Incident, Simulations Plus may, upon written notice to Service Provider, terminate the relevant Agreement immediately (or upon such date as Simulations Plus selects), with no further fees due, other than what has been accrued up to and including the date of termination.
8. Service Provider acknowledges that Simulations Plus may disclose this Addendum and any relevant privacy provisions in the Agreement to supervisory authorities, or any other judicial or regulatory body upon their request.
Data Protection Officer
1. The Data Protection Officer of Simulations Plus is:
  Margaret Richardson
  P.O. Box 12317
  Research Triangle Park, NC 27709
  USA
  +1 (661) 723-7723
  Email: privacy@simulations-plus.com
2. The Data Protection Officer of Service Provider is set forth in the Agreement.
Notices Pursuant to this Addendum
1. Notices to Simulations Plus shall be sent according to the Notice section of the Agreement, unless this Addendum indicates
2. Notices to Service Provider shall be sent according to the Notice section of the Agreement, unless this Addendum indicates

Exhibit A

Details of Processing

A. LIST OF PARTIES:

Simulations Plus:

Name:	Simulations Plus, Inc. and its relevant Affiliates (“Simulations Plus”)
Address:	P.O. Box 12317, Research Triangle Park, NC 27709
Contact Person:	Personal Data Protection Liaison; privacy@simulations-plus.com
Article 27 EU Representative:	See Section 20 of this Addendum.
Article 27 UK Representative:	See Section 20 of this Addendum.
Data Protection Officer:	See Section 19 of this Addendum.
Activities Relevant to Transferred Data:	Processing activities relating to enabling Processor perform Services or its activities, as set forth in the Agreement.
Controllership Role:	Controller
Data Transfer Role:	Data Exporter

Service Provider:

Name:	SERVICE PROVIDER and its relevant Affiliates (the “Service Provider”), as provided in the Agreement
Address:	As provided in the Agreement
Contact Person:	As prevented in the Agreement
Article 27 EU Representative:	See Section 20 of this Addendum.
Article 27 UK Representative:	See Section 20 of this Addendum.
Data Protection Officer:	See Section 19 of this Addendum.
Activities Relevant to Transferred Data:	Importer – Processing activities in providing the Services or performing its activities as set forth in the Agreement.
Controllership Role:	Processor and Sub-Processor
Data Transfer Role:	Data Importer

B. DESCRIPTION OF TRANSFER:

Subject Matter of the Processing:	The subject matter of the Processing of Simulations Plus Personal Data pertains to the provision of Services or the Processor’s activities pursuant to the Agreement.
Nature and Purpose of Processing:	The Processing is related to the provision of Services to Simulations Plus, as further detailed within the Agreement, and Service Provider and its Contracted Processors (if applicable) will perform such acts of Processing of Personal Data as are necessary to provide those Services according to Simulations Plus’s instructions, including but not limited to the transmission, storage, and other Processing of Personal Data submitted to the Services.
Further Processing:	Service Provider shall not carry out any further processing of Personal Data beyond the provision of the Services under the Agreement.
Retention Criteria (Duration): (The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period.)	Generally, retention of Personal Data should not be required. In case Personal Data should be retained, any retention period will be limited to the duration necessary to perform the Services under the Agreement.
Categories of Data Subjects:	Data Exporter may submit Personal Data to the Services, the extent of which is determined and controlled by the Data Exporter in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of Data Subjects: Prospective, current, and former employees, independent contractors, officers, directors, and interns of Simulations Plus (“Staff”); Current and former employees, independent contractors, officers, directors, representatives, participants, users, personnel, and interns of Simulations Plus’s current, former, and prospective leads, prospects, and customers (who are natural persons) (“Customer Employees”); Current and former employees, independent contractors, officers, directors, representatives, participants, users, personnel, and interns of Simulations Plus’s business partners (who are natural persons) (“Partner Employees”); and Current and former visitors to a website or social media profile of Simulations Plus who may or may not also be email recipients and respondents to webforms on Simulations Plus’s website (“Website Visitors”).
Categories of Personal Data:	Data Exporter may submit Personal Data to the Services, the extent of which is determined and controlled by the Data Exporter in its sole discretion, and which may include, but is not limited to the following categories of Personal Data: Staff: Biographical information, including but not limited to first name, middle name, last name, former last name, preferred first name, and date of birth. Contact information, including but not limited to email, address, and personal and corporate phone number. Financial information, including but not limited to salary and bank account number. Protected characteristics, including but not limited to information needed for equal opportunities monitoring policy (such as age, race, marital status, medical conditions, pregnancy status, physical or mental disability, sex (including gender, gender identity and gender expression), veteran or military status, and sexual orientation). Employment information, including but not limited to position, company name, hire date, start date, salaried or hourly, pay rate, full time or part time status, hours per week, schedule information, contract of employment and amendments to it, sick leave information, career history, training records, appraisals, and other performance measures and disciplinary and grievance records. Application information, including but not limited to the information included in an application form, CV, and references. Health-related information, including but not limited to reasons for absence and medical reports and notes. Mobile and computer usage, including but not limited to hours of work clocked on and off system, work clocked on and off system, websites visited, VPN used, IP address, and phone logs. Other: corporate account username, photograph, information entered into company calendar, points for benefits program, rewards and the benefits redeemed, information included in correspondence from/to the Staff member, and other information shared by the Staff member. Customer Employees: Biographical information, including but not limited to first name, last name, former last name, preferred first name, social media profile name and associated URL, if provided. Contact information, including but not limited to email, and personal and corporate phone number. Employment information, including but not limited to position, title, and company name. Other: corporate account username, information entered into company calendar, general geographic location, dietary preferences, interests, activities, education, photograph, information included in correspondence from/to the Customer Employee, and other information shared by the Customer Employee. Partner Employees: Biographical information, including but not limited to first name, last name, former last name, preferred first name, social media profile name and associated URL, if provided. Contact information, including but not limited to email, and personal and corporate phone number. Employment information, including but not limited to position, title, and company name. Biographical information, including but not limited to first name, middle name, last name, former last name, preferred first name, and date of birth. Contact information, including but not limited to email, address, and personal and corporate phone number. Financial information, including but not limited to salary and bank account number. Protected characteristics, including but not limited to information needed for equal opportunities monitoring policy (such as age, race, marital status, medical conditions, pregnancy status, physical or mental disability, sex (including gender, gender identity and gender expression), veteran or military status, and sexual orientation). Employment information, including but not limited to position, company name, hire date, start date, salaried or hourly, pay rate, full time or part time status, hours per week, schedule information, contract of employment and amendments to it, sick leave information, career history, training records, appraisals, and other performance measures and disciplinary and grievance records. Application information, including but not limited to the information included in an application form, CV, and references. Health-related information, including but not limited to reasons for absence and medical reports and notes. Mobile and computer usage, including but not limited to hours of work clocked on and off system, work clocked on and off system, websites visited, VPN used, IP address, and phone logs. Other: corporate account username, photograph, information entered into company calendar, points for benefits program, rewards and the benefits redeemed, information included in correspondence from/to the Staff member, and other information shared by the Staff member. Customer Employees: Biographical information, including but not limited to first name, last name, former last name, preferred first name, social media profile name and associated URL, if provided. Contact information, including but not limited to email, and personal and corporate phone number. Employment information, including but not limited to position, title, and company name. Other: corporate account username, information entered into company calendar, general geographic location, dietary preferences, interests, activities, education, photograph, information included in correspondence from/to the Customer Employee, and other information shared by the Customer Employee. Partner Employees: Biographical information, including but not limited to first name, last name, former last name, preferred first name, social media profile name and associated URL, if provided. Contact information, including but not limited to email, and personal and corporate phone number. Employment information, including but not limited to position, title, and company name. Other: corporate account username, information entered into company calendar, general geographic location, interests, activities, education, photograph, information included in correspondence from/to the Partner Employee, and other information shared by the Partner Employee. Website Visitors: Identifiers, including but not limited to first name, middle name, last name, former last name, preferred first name, date of birth, social media profile name and associated URL, if provided. Contact information, including but not limited to address, telephone number(s), and email address, if provided. Employment information, including but not limited to job title and company, if provided by Website Visitor. Mobile and computer usage, including but not limited to websites visited, VPN used, IP address, data collected from cookies and submitted via forms, last email opened, content of forms, email messages, source from which a Simulations Plus page was accessed, campaign associated with a link clicked, last interaction, Simulations Plus’s videos watched, Simulations Plus’s presentations viewed, Simulations Plus’s posts viewed, social media views, likes, comments, followers, and feedback, and aggregate data provided by social media platform for analytics. Other: interest in Simulations Plus’s offerings.
Special Categories of Personal Data: (Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.)	Data Exporter may submit special categories of Personal Data to Service Provider as necessary for Processing for the Services, the extent of which is determined and controlled by the Data Exporter in its sole discretion Protected characteristics, including but not limited to information needed for equal opportunities monitoring policy (such as race, marital status, medical conditions, pregnancy status, physical or mental disability, sex (including gender, gender identity and gender expression), veteran or military status, and sexual orientation). Health-related information, including but not limited to reasons for absence and medical reports and notes. Restrictions: Sensitive data must be transferred in encrypted form.
Frequency of the Transfer:(e.g. whether Personal Data is transferred on a one-off or continuous basis)	Regular and repeating for as long as Simulations Plus uses the Services.
Subject Matter, Nature, and Duration of Contracted Processors:	Any transfer to Contracted Processors will be only as strictly required to perform the Services pursuant to the Agreement. Upon request, Service Provider will provide to Simulations Plus a description of Processing for any Contracted Processor(s), including the subject matter, nature, and duration of Processing.
Technical and Organizational Measures of Contracted Processors:	When Service Provider engages a Contracted Processor under this Addendum, Service Provider and the Contracted Processor must enter into an agreement with data protection terms substantially similar to those contained in this Addendum. Service Provider must ensure that the agreement with each Contracted Processor allows Service Provider to meet its respective obligations with respect to Simulations Plus. In addition to implementing technical and organizational measures to protect Simulations Plus Personal Data, Contracted Processors must: notify Service Provider in the event of a Security Incident so that Service Provider may immediately notify Simulations Plus; delete Simulations Plus Personal Data when instructed by Service Provider in accordance with Simulations Plus’s instructions to Service Provider; not engage additional Contracted Processors without Service Provider’s authorization; and not process Simulations Plus Personal Data in a manner which conflicts with Simulations Plus’s instructions to Service Provider.

Appendix I to Exhibit A

Technical and Organizational Security Measures

Throughout the term of the Agreement and for so long as Service Provider has access to any Simulations Plus Personal Data, Service Provider shall implement and maintain at least the following (or superior) technical and organizational security measures (“TOMs”) to safeguard such Simulations Plus Personal Data:

Type of TOMs	Description of TOMs
Measures for pseudonymization and encryption of Personal Data:	Secure implementation of the Transport Layer Security (TLS) protocol version 1.2 or higher for Personal Data in transit using a minimum of 128-bit encryption or 256-bit encryption if applicable. Personal data that is pseudonymized can no longer be attributed to a single data subject without the use of additional data which is kept separate from the pseudonymized data.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of Processing systems and services:	Access to computer systems is regulated through unique accounts and role-based access within operational and corporate environments. Authorization requests for access are tracked and logged on a regular basis. Removal of access for employees upon termination or change of role. Multi-factor Authentication (MFA) is required for access to systems storing sensitive data. Strong passwords are required, never stored in clear text, and are encrypted in transit and at rest. Mandatory security training for employees is required, covering data protection, confidentiality, social engineering, password policies, and overall security responsibilities. Confidentiality requirements are imposed on employees. NDAs with third parties are required. Separation of networks based on trust levels is in place.
Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident:	Implementation and maintenance of procedures to create and maintain retrievable exact copies of Personal Data that Service Provider stores or otherwise maintains. A business continuity plan and disaster recovery plan that are reviewed, tested, and updated as needed.
Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure the security of the Processing:	Perform frequent penetration tests for all components of the Services. Maintain security incident management policies and procedures; Notify impacted Simulations Plus without undue delay of any unauthorized disclosure of their respective Personal Data by Service Provider or its Subprocessors, of which Service Provider becomes aware to the extent permitted by law.
Measures for user identification and authorization:	Role-based access authorization policy based on least privilege and need to know. Configuration of systems and applications to restrict access to only authorized access. Monitoring of all user access. Password policies and password management procedures that require strong passwords and authentication (e.g., Multi-Factor authentication).
Measures for the protection of Personal Data during transmission:	Encryption of Personal Data during transmission using the Transport Layer Security (TLS) protocol version 1.2 or higher with a minimum of 128-bit encryption or 256-bit encryption if applicable
Measures for the protection of Personal Data during storage:	Encryption of Personal Data during storage (i.e., at rest). Secure configuration for network devices, such as firewalls, routers, and switches
Measures for ensuring physical security of locations at which Personal Data are Processed:	Physical access controls to prevent unauthorized access to facilities (door locks, card readers, security cameras, etc.
Measures for ensuring events logging:	Active monitoring and logging of software application, network, and database security for potential security events at the system, platform, and application levels. Retention of audit logs in accordance with legal requirements
Measures for ensuring system configuration, including default configuration:	Perform regular manual or automated audits of all systems to ensure compliance with the organization’s security baseline configurations.
Measures for internal IT and IT security governance and management:	Maintain internal information security policies and procedures, which are communicated to all employees upon hire and at least annually; conduct Information Security training upon hire and at least annually thereafter. The Information Security function reports to the senior leadership that can take necessary actions to establish, implement and manage Draft’s Information System Security Policy.
Measures for certification/assurance of processes and products:	Maintain policies and procedures to ensure compliance with applicable legislative and regulatory requirements. Maintenance of relevant certifications.
Measures for ensuring data minimization:	Collect and process Personal Data in accordance with stated purposes related to the Agreement. Access is provisioned and restricted in accordance with roles and requirements for job responsibilities.
Measures for ensuring data quality:	Implement and maintain appropriate technical controls to prevent, detect, and correct data integrity violations in IT Systems.
Measures for ensuring limited data retention:	Implementation of an internal retention schedule for Personal Data, including backups, based on legal and regulatory requirements. Ensuring secure disposal of devices that store Personal Data.
Measures for ensuring accountability:	Implement and maintain a security and awareness program that includes at least an annual privacy and security training for all individuals responsible for Processing Personal Data.
Measures for allowing data portability and ensuring erasure:	Maintain policies and processes for Data Subjects to access, export, correct, or delete their Personal Data
Information about Contracted Processors’ TOMs:	Set forth in Part B of Exhibit A, and Appendix II to Exhibit A.

Appendix II to Exhibit A

List of Contracted Processors

In the Agreement, Service Provider will provide to Simulations Plus the following information of sub-processors contracted by Service Provider to Process Simulations Plus Personal Data om behalf of Service Provider under the Agreement (“Contracted Processor”) (1) Name and location of Contracted Processor; (2) a description of Processing for any Contracted Processor(s), including the subject matter, nature, and duration of Processing and a description of the TOMs implemented by each Contracted Processor.

Exhibit B

Jurisdiction Specific Terms

1. Brazil

When applicable, the Processing of Simulations Plus Personal Data shall be compliant with Brazil’s Lei Geral de Proteção de Dados, Law No. 13.709 of 14 August 2018 and any corresponding decrees, regulations, or guidance.

2. California

1. 1. 1. Definitions
      1. “Business Purpose” (as used in this Section) shall have the meaning ascribed to it by California Data Protection Laws.
      2. “California Data Protection Laws” (as used in this Section) includes the California Consumer Privacy Act of 2018, and the California Consumer Privacy Act Regulations, and the California Privacy Rights Act of 2020.
      3. “Commercial Purpose” (as used in this Section) shall have the meaning ascribed to it in the California Data Protection Laws.
      4. “Personal Data Breach” (as used in this Addendum) includes “Breach of the Security of the System” as defined under paragraph (g) of Section 1798.82. of the California Civil Code.
      5. “Sell” (as used in this Section) shall have the meaning ascribed to it in the California Data Protection Laws.
      6. “Share” (as used in this Section) shall have the meaning ascribed to it in the California Data Protection Laws.
    2. Simulations Plus discloses Simulations Plus Personal Data to Service Provider solely for: (i) valid Business Purposes; and (ii) to enable Service Provider to perform the Services under the Agreement.
    3. Service Provider shall not: (i) Sell or Share Simulations Plus Personal Data; (ii) retain, use, or disclose Simulations Plus Personal Data for a Commercial Purpose other than providing the Services specified in the Agreement or as otherwise permitted by the California Data Protection Laws; nor (iii) retain, use, or disclose Simulations Plus Personal Data except where permitted under the Agreement between Simulations Plus and Service Provider. Service Provider certifies that it understands these restrictions and will comply with them.

3. Canada

When applicable, the Processing of Simulations Plus Personal Data shall be compliant with the Canadian Federal Personal Information Protection and Electronic Documents Act and any other applicable Canadian privacy or data protection laws.

4. European Economic Area

1. 1. 1. Definitions
      1. “EEA” (as used in this Section) means the European Economic Area, consisting of the EU Member States, and Iceland, Liechtenstein, and Norway.
      2. “EEA Data Protection Laws” (as used in this Section) means the GDPR and all laws and regulations of the EU and the EEA countries applicable to the Processing of Simulations Plus Personal Data.
      3. “EU 2021 Standard Contractual Clauses” (as used in these Jurisdiction Specific Terms) means the contractual clauses adopted by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
    2. With regard to any Restricted International Transfer subject to EEA Data Protection Laws from Simulations Plus to Service Provider, one of the following transfer mechanisms shall apply, in the following order of precedence:
      1. A valid adequacy decision adopted by the European Commission on the basis of Article 45 of the GDPR
      2. The appropriate Standard Contractual Clauses adopted by the European Commission from time to time.
      3. Any other lawful data transfer mechanism, as laid down in EEA Data Protection Laws, as the case may be.
    3. Standard Contractual Clauses:
      1. This Addendum hereby incorporates by reference the Standard Contractual Clauses. The Parties are deemed to have accepted, executed, and signed the Standard Contractual Clauses where necessary in their entirety (including the annexures thereto)
      2. The Parties agree that any references to sections, annexures, exhibits, modules and choices within the Standard Contractual Clauses as set out in this Section 8.3 of these Jurisdiction Specific Terms, shall be deemed to be the same as the cognate and corresponding references to sections, annexures, exhibits, modules and choices within any appropriate, updated Standard Contractual Clauses as may be applicable from time to time pursuant to this Addendum.
      3. For the purposes of the annexures to the EU 2021 Standard Contractual Clauses and any substantially similar Standard Contractual Clauses which may be adopted by the relevant authorities in the future:
        
        Annex I(A): The content of Annex I(A) is set forth in Part A of Exhibit A, except that the details of the Parties’ Data Protection Officers and Data Protection Representatives in the EU (if applicable) are specified in Sections 19 and 20, respectively, of this Addendum.
        
        Annex I(B): The content of Annex I(B) is set forth in Part B of Exhibit A.
        
        Annex I(C): The content of Annex I(C) is set forth in Section 3(d) of these Jurisdiction Specific Terms.
        
        Annex II: The content of Annex II is set forth in Appendix I to Exhibit A.
        
        The Parties agree to apply the following module[s]:
        
        With respect to any Controller-to-Processor Restricted International Transfers, the Parties agree to implement Module Two of the EU 2021 Standard Contractual Clauses.
        
        With respect to any Processor-to-Sub-Processor Restricted International Transfers of EEA Personal Data, the Parties agree to implement Module Three of the EU 2021 Standard Contractual Clauses.
      4. The Parties further agree to the following choices under the EU 2021 Standard Contractual Clauses:
        
        Clause 7: The Parties choose not to include the optional docking clause.
        
        Clause 9(a): The Parties choose Option 2, “General Written Authorization,” and the time period set forth in Section 6.4 of this Addendum. The procedures for designation and notification of new Contracted Processors are set forth in more detail in Section 6 of this Addendum.
        
        Clause 11: The Parties choose not to include the optional language relating to the use of an independent dispute resolution body.
        
        Clause 13 (Annex C): The competent Supervisory Authority is Commission Nationale de l’Informatique et des Libertés (CNIL) in France.
        
        Clause 17: The clauses shall be governed by the laws of the Republic of Ireland.
        
        Clause 18: The Parties agree that any dispute arising from the Standard Contractual Clauses shall be resolved by the courts of the Republic of Ireland.
    4. The terms contained in Exhibit C to this Addendum supplement the Standard Contractual Clauses.
    5. In cases where the Standard Contractual Clauses apply and there is a conflict between the terms of this Addendum and the terms of the Standard Contractual Clauses, the terms of the Standard Contractual Clauses shall prevail with regard to the Restricted International Transfer in question.

5. United Kingdom

1. 1. 1. Definitions
      1. “UK Data Protection Laws” (as used in this Section) includes the Data Protection Act 2018 and the UK GDPR (as defined below).
      2. “UK GDPR” (as used in this Section) means the United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
      3. “UK ICO” (as used in this Section) means the UK Information Commissioner’s Office.
      4. “UK IDTA” (as used in this Section) means the International Data Transfer Agreement issued pursuant to Section 119A(1) of the Data Protection Act 2018 and approved by the UK Parliament.
      5. UK Transfer Addendum” (as used in this Section) means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued pursuant to Section 119A(1) of the Data Protection Act 2018 and approved by the UK Parliament.]
    2. With regard to any Restricted International Transfer subject to UK Data Protection Laws from Simulations Plus to Service Provider within the scope of this Addendum, one of the following transfer mechanisms shall apply, in the following order of precedence:
      1. A valid adequacy decision adopted pursuant to Article 45 of the UK GDPR.
      2. The UK IDTA.
      3. Any other lawful data transfer mechanism, as laid down in the UK Data Protection Laws, as the case may be.
      4. \
    3. UK IDTA:
      1. This Addendum hereby incorporates by reference the UK IDTA. The Parties are deemed to have accepted, executed, and signed the UK IDTA where necessary in its entirety.
      2. For the purposes of the tables to the UK IDTA:
        
        Table 1: The information required by Table 1 appears within Part A of Exhibit A.
        
        Table 2:
        
        The UK IDTA, shall be governed by the laws of England and Wales
        
        The Parties agree that any dispute arising from the UK IDTA shall be resolved by the courts of England and Wales.
        
        The Parties’ controllership and data transfer roles are set out in Part A of Exhibit A.
        
        The UK GDPR applies to the Data Importer’s Processing of the Personal Data.
        
        This Addendum and the Agreement set out the instructions for Processing Personal Data.
        
        The Data Importer shall Process Personal Data for the time period set out in Part B of Exhibit A. The Parties agree that the Data Exporter may terminate the UK IDTA before the end of such time period.
        
        The Data Importer may only transfer Personal Data to authorized Contracted Processors (if applicable), as set out within Section 6 of this Addendum, or to such third parties that the Data Exporter authorizes in writing or within the Agreement.
        
        Each Party must review this Addendum at regular intervals, to ensure that this Addendum remains accurate and up to date and continues to provide appropriate safeguards to the Personal Data. Each Party will carry out these reviews as frequently as [at least once [each time there is a change to the Personal Data, purposes for Processing, Data Importer information, or risk assessment or sooner.
        
        Table 3: The content of Table 3 is set forth in Part B of Exhibit A and may be updated in accordance with Section 3.3 of this Addendum.
        
        Table 4: The content of Table 4 is set forth in Appendix I to Exhibit A and may be updated in accordance with Section 3.3 of this Addendum.
      3. Part 2 (Extra Protection Clauses) and Part 3 (Commercial Clauses) of the UK IDTA are noted throughout this Addendum.
      4. The terms contained in Exhibit C to this Addendum supplement the UK IDTA.
      5. In cases where the UK IDTA applies and there is a conflict between the terms of this Addendum and the terms of the UK IDTA, the terms of the UK IDTA shall prevail.

Exhibit C

Supplemental Clauses to the Standard Contractual Clauses

By this Exhibit C (this “Exhibit”), the Parties provide additional safeguards and redress to the Data Subjects whose Personal Data is transferred to Service Provider pursuant to Standard Contractual Clauses. This Exhibit supplements and is made part of, but is not in variation or modification of, the Standard Contractual Clauses that may be applicable to the Restricted International Transfer.

1. 1. Definitions
    1. For the purpose of interpreting this Exhibit, the following terms shall have the meanings set out below:
      1. “Data Importer” and “Data Exporter” shall have the same meaning assigned to them in Part A of Exhibit A.
      2. “EO 12333” means the S. Executive Order 12333.
      3. “FISA” means the S. Foreign Intelligence Surveillance Act.
      4. “Schrems II Judgment” means the judgment of the European Court of Justice in Case C- 311/18, Data Protection Commissioner v. Facebook Ireland Limited and Maximilian Schrems.
  2. Applicability of Surveillance Laws to Data Importer and its Contracted Processors
    1. U.S Surveillance Laws
      1. Data Importer represents and warrants that, as of the Effective Date, it has not received any national security orders of the type described in Paragraphs 150-202 of the Schrems II judgment.
      2. Data Importer represents that it reasonably believes that it is not eligible to be required to provide information, facilities, or assistance of any type under FISA Section 702 because:
        
        No court has found Data Importer to be an entity eligible to receive legal process issued under FISA Section 702: (i) an “electronic communication service provider” within the meaning of 50 S.C. § 1881(b)(4); or (ii) an entity belonging to any of the categories of entities described within that definition.
        
        If Data Importer were to be found eligible for process under FISA Section 702, which it believes it is not, it is nevertheless also not the type of provider that is eligible to be subject to UPSTREAM collection pursuant to FISA Section 702, as described in paragraphs 62 and 179 of the Schrems II judgment.
      3. EO 12333 does not provide the S. government the ability to order or demand that Data Importer provide assistance for the bulk collection of information and Data Importer shall take no action pursuant to EO 12333.
  3. Backdoors
    1. Data Importer certifies that:
      1. It has not purposefully created backdoors or similar programming for governmental agencies that could be used to access Data Importer’s systems or Simulations Plus Personal Data subject to the Standard Contractual Clauses.
      2. It has not purposefully created or changed its business processes in a manner that facilitates governmental access to Simulations Plus Personal Data or systems.
      3. National law or government policy does not require Data Importer to create or maintain back doors or to facilitate access to Simulations Plus Personal Data or systems.
    2. Data Exporter will be entitled to terminate the contract on short notice in cases in which Data Importer does not reveal the existence of a back door or similar programming or manipulated business processes or any requirement to implement any of these or fails to promptly inform Data Exporter once their existence comes to its knowledge.
  4. Information About Legal Prohibitions
    1. Data Importer will provide Data Exporter information about the legal prohibitions on Data Importer to provide information under this Exhibit. Data Importer may choose the means to provide this information.
  5. Additional Measures to Prevent Authorities from Accessing Simulations Plus Personal Data
    1. Notwithstanding the application of the security measures set forth in this Addendum, Data Importer will implement internal policies establishing that:
      1. If Data Importer is legally required to comply with an order, it will respond as narrowly as possible to the specific request; and
      2. If Data Importer receives a request from public authorities to cooperate on a voluntary basis, Simulations Plus Personal Data transmitted in plain text may only be provided to public authorities with the express agreement of Data Exporter.
  6. Termination
    1. This Exhibit shall automatically terminate with respect to the Processing of Simulations Plus Personal Data transferred in reliance of the Standard Contractual Clauses if the European Commission or a competent regulator approves a different transfer mechanism that would be applicable to the Restricted International Transfers covered by the Standard Contractual Clauses (and if such mechanism applies only to some of the data transfers, this Exhibit will terminate only with respect to those transfers) and that does not require the additional safeguards set forth in this Exhibit.

Download PDF Version of DPA

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.