|
E204 (Products and Services)
REV: 07-22-25 MI
February 14, 2025

viii. If Esri becomes aware of a Data Incident, Esri will (a) notify Customer of the Data Incident promptly and without undue delay after becoming aware of the Data Incident; and (b) promptly take reasonable steps to minimize harm and secure Personal Data. Notifications made pursuant to this section will describe, to the extent possible, details of the Data Incident, including steps taken to mitigate the potential risks and steps Esri recommends Customer take to address the Data Incident. Esri will not assess the contents of Personal Data in order to identify information subject to any specific legal requirements. Customer is solely responsible for complying with incident notification laws applicable to Customer and fulfilling any notification obligations to third parties related to any Data Incident(s). Esri's notification of or response to a Data Incident under this section will not be construed as an acknowledgement by Esri of any fault or liability with respect to the Data Incident.

C. Esri currently has the third-party certifications and review processes in place as described at https://trust.arcgis.com. Esri participates in and has certified its compliance with Data Privacy Framework.

D. Esri will comply with applicable data protection and privacy laws, including, but not limited to, the GDPR and CCPA, to the extent such laws apply to Esri in its role as Processor or Service Provider.

E. Customer certifies that it has

i. Obtained the written consent, affirmative opt-in, or other written authorization ("Consent") from applicable individuals or has another legitimate, legal basis for delivering or making accessible Personal Data to Esri (as well as its subsidiaries, affiliates, and subprocessors), and such Consent or other legitimate basis allows Esri (and its subsidiaries, affiliates, and subprocessors) to Process the Personal Data pursuant to the terms of the Agreement and this Addendum; and

ii. Ensured that the delivery and disclosure to Esri of Personal Data is in compliance with the GDPR, CCPA, and other Privacy Laws that are applicable to Customer.

F. Esri will assist Customer in ensuring that its secure Processing obligations, as Controller, under the GDPR are met, which may include assisting Customer in a consultation with a supervisory authority where a data protection impact assessment indicates that the intended Processing would result in a high level of risk. Upon request, Esri shall make available to Customer the information necessary to demonstrate compliance with the GDPR and will allow for and contribute to audits, including inspections, to confirm Esri's compliance with this Addendum by Controller or another auditor mandated by Controller. At Customer's request to verify compliance, Esri will provide to Customer a summary of its most recent independent third-party audit results or similar self-assessment. The summary will be provided no more than once annually, and disclosure of the summary will be subject to a written nondisclosure agreement between the parties. An on-site audit may be conducted by Customer or an independent third-party auditor as agreed by the parties when (i) such an audit is required by Privacy Law or Customer's competent supervisory authority; and (ii) Customer has received a notice from Esri of a Data Incident affecting Customer's Personal Data. The scope and scheduling of such audit will be mutually agreed upon by the parties in advance. Any on-site audits will be limited to Customer Content processing and storage facilities operated by Esri. Customer acknowledges that Esri operates a multitenant cloud environment. Accordingly, Esri shall have the right to reasonably adapt the scope of any on-site audit to avoid or mitigate risks with respect to, and including, service levels, availability, and confidentiality of other Esri customers' information. All expenses resulting from this Subsection F will be incurred by Customer, unless Esri is found materially noncompliant. Customer must promptly notify Esri of any discovered noncompliance.

G. Upon fulfillment of the purpose for which Customer provided Personal Data under this Addendum, Esri shall either return all Personal Data Processed on behalf of Customer or delete or destroy the Personal Data, including any existing copies, at Customer's expense, if any, unless Esri has a legal obligation to maintain such Personal Data.

H. Trial, Evaluation, and Beta Program offerings may employ lesser or different privacy and security measures than those typically present in the Online Services. Unless otherwise noted, Customer should not use trial, evaluation, and beta program offerings to process Personal Data or other data that is subject to legal or regulatory compliance requirements. The following terms in this Addendum do not apply to trial, evaluation, and beta program offerings: Processing of Personal Data, GDPR, Data Security, and Health Insurance Portability and Accountability Act (HIPAA) Business Associate.

ATTY/AGR.2025.178/Environmental Systems Research Institute, Inc.(ESRI Agreement for Services) (Page 26 of 31)
|