Data Protection Addendum

This Data Processing Addendum ("Addendum") forms part of the Terms of Use ( (the "Terms") between: (i) Botanalytics, Inc. (“Botanalytics”) and (ii) Client, acting on Client’s own behalf and on behalf of any affiliate of the Client ("Client") (each a “Party” and, collectively, the “Parties”). By using the Service, you agree to this Addendum effective upon the later of May 25, 2018 and the date of your consent to the Terms.

Except as modified below, the terms of the Terms shall remain in full force and effect. With respect to provisions regarding Processing of Personal Data, in the event of a conflict between this Addendum and the Terms, or any other agreement between the Parties, the provisions of this Addendum shall control. Capitalized terms not defined in this Addendum shall have the meaning as defined in the Terms.

This Addendum will only apply to the extent that the Applicable Data Protection Laws apply to the Processing of Personal Data.


“Applicable Data Protection Laws” shall mean, as applicable, (a) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”), and/or (b) the Federal Data Protection Act of 19 June 1992 (Switzerland).

“Client Data” means Personal Data that is Processed by Botanalytics on behalf of Client in Botanalytics’ provision of the Services.

"Data Security Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Client Data transmitted, stored or otherwise Processed.

“Privacy Shield Principles” means the EU-US Privacy Shield Principles and the Swiss-US Privacy Shield Principles.

“Services” means the “Service” provided by Botanalytics to Client as defined in the Terms.

“Subprocessor” means any third party (excluding any employee or subcontractor of Botanalytics) retained by or on behalf of Botanalytics to Process Client Data in connection with the Terms.

"Technical and Organizational Measures" means security measures implemented by Botanalytics appropriate to the type of Personal Data being Processed and the Services being provided by Botanalytics to protect Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure.

Additionally, as used in this Addendum, the terms "Data Controller", "Data Processor", "Data Subject", "Processing" and "Personal Data" shall have the meanings ascribed to them in the Applicable Data Protection Laws.



2.1.1 Processing of the Client Data of Data Subjects shall occur as follows:

2.1.2 Botanalytics shall Process Client Data only on documented instructions from Client, unless required to do so by applicable law; in such a case, Botanalytics shall inform Client of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. For the avoidance of doubt, Client specifically instructs Botanalytics to Process Client Data as necessary for the purpose of providing the core functionality of the Services, to perform Botanalytics's obligations under the Terms and as further documented in any other written instructions given by Client and acknowledged by Botanalytics as constituting instructions for purposes of this Addendum. Botanalytics shall immediately inform Client if, in its opinion, an instruction by Client infringes Applicable Data Protection Laws.

2.1.3 Botanalytics shall ensure that persons authorized to Process Client Data on its behalf have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.


2.2.1 Botanalytics shall take all measures required pursuant to Article 32 of the GDPR, including, without limitation, implementing appropriate Technical and Organizational Measures to ensure a level of security appropriate to the risk. Such Technical and Organizational Measures shall take into account: (i) the state of the art, (i) the costs of implementation, (iii) the nature, scope, context and purposes of Processing and (iv) the risk of varying likelihood and severity for the rights and freedoms of Data Subjects.

2.2.2 Taking into account the nature of the Processing, Botanalytics shall assist Client by appropriate Technical and Organizational Measures, to the extent possible, for the fulfilment of Client’s obligation to respond to requests for exercising Data Subjects’ rights laid down in Chapter III of the GDPR.


2.3.1 Client specifically authorizes and instructs Botanalytics to engage the following Subprocessors in connection with the provision of the Services:

2.3.2 Client also generally authorizes Botanalytics to engage, from time to time, any other Subprocessors in connection with the provision of the Services, provided that Botanalytics shall inform Client of any intended changes concerning the addition or replacement of any Subprocessors via Botanalytics’ website or through the Service. If Client objects to Botanalytics engaging any additional or replacement Subprocessor, Client may, within ten (10) days of being informed of such intended change, indicate its objection by contacting Botanalytics at Such notice shall state, in sufficient specificity, the reasonable and documented grounds relating to a Subprocessor’s non-compliance with Applicable Data Protection Laws. In the event that Botanalytics is unwilling or unable to provide a reasonably acceptable substitute, Client may terminate the Terms and its use of the Services as provided in the Terms. This termination right is Client’s sole and exclusive remedy if Client objects to any additional or replacement Subprocessor.

2.3.3 Where Botanalytics engages a Subprocessor that will have access to Personal Data, Botanalytics shall ensure that the same as or equivalent to data protection obligations set out in this Section 3 shall be imposed on that Subprocessor by way of a contract. Such contract shall provide sufficient guarantees to implement appropriate Technical and Organizational Measures in such a manner that the Processing will meet the requirements of Applicable Data Protection Laws. Where such Subprocessor fails to fulfil its data protection obligations, Botanalytics shall remain fully liable to Client for the performance of the Subprocessor’s obligations.


Taking into account the nature of Processing of Personal Data and the information available to Botanalytics, Botanalytics shall assist Client in ensuring compliance with the obligations laid out in Articles 32 to 36 of the GDPR. In addition to any other obligation of Botanalytics under this Addendum, such assistance shall include notifying Client, without undue delay, after becoming aware of a Data Security Breach.


2.5.1 Botanalytics shall, at the choice of Client: (i) delete or return all Client Data to Client after such Client Data is no longer necessary for the provision of the Services, and (ii) delete existing copies of such Client Data. Botanalytics reserves the right to charge Client a fee (based on Botanalytics’ reasonable costs) for the deletion of any Client Data pursuant to this paragraph. Botanalytics will provide Client with further details of any applicable fee, and the basis of its calculation, in advance of any such data deletion.

2.5.2 In the event that a Data Subject submits a Client Data deletion request to Botanalytics, Client hereby instructs and authorizes Botanalytics to delete or anonymize the Data Subject’s Personal Data on Client’s behalf.


2.6.1 Botanalytics shall make available to Client all information necessary to demonstrate compliance with its obligations as a Processor laid out in this Section 3 and allow for and contribute to audits, including inspections, conducted by Client or another auditor mandated by Client.

2.6.2 Any audit pursuant to Section 3.6.1 shall be permitted only on reasonable advance notice to Botanalytics and subject to appropriate confidentiality undertakings (including, without limitation, redacting any information relating to another Client of Botanalytics, Botanalytics’ internal accounting or financial information, and Botanalytics’ trade secrets).

2.6.3 Botanalytics may charge a fee (based on Botanalytics’ reasonable costs) for any audit under Section 3.6.1. Botanalytics will provide Client with further details of any applicable fee, and the basis of its calculation, in advance of any such audit. Client will be solely responsible for any fees charged by any third party auditor appointed by Client to execute any such audit.

2.6.4 Botanalytics may object to any third party auditor appointed by Client to conduct any audit under Section 3.6.1 if the auditor is, in Botanalytics’ reasonable opinion, not suitably qualified or independent, a competitor of Botanalytics or otherwise manifestly unsuitable. Any such objection by Botanalytics will require Client to appoint another auditor or conduct the audit itself.


2.7.1 Subject to Botanalytics’ obligations under Section 3.7.2, Client authorizes and instructs Botanalytics to store and Process Client Data in the United States of America.

2.7.2 Botanalytics confirms that it is certified under the Privacy Shield Principles. Botanalytics agrees to maintain its adherence to the Privacy Shield Principles throughout the duration of the Terms or implement another alternative data transfer mechanism which lawfully permits the transfer of Personal Data outside of the European Economic Area and the United Kingdom.


To the extent permitted under applicable law, and notwithstanding anything else in the Terms, the total liability of either Party towards the other Party under or in connection with this Addendum shall not exceed the aggregate sum of all amounts paid by Client to Botanalytics in the twelve (12) months immediately prior to the action or event forming the basis for such claim.


4.1 Botanalytics may modify the terms of this Addendum if, as reasonably determined by Botanalytics, such modification is (i) reasonably necessary to comply with Applicable Data Protection Laws or any other law, regulation, court order or guidance issued by a governmental regulator or agency; and (ii) does not: (a) result in a degradation of the overall security of the Services, (b) expand the scope of, or remove any restrictions on, Botanalytics’ processing of Client Data, and (c) otherwise have a material adverse impact on Client’s rights under this Addendum.

4.2 Any other modification to this Addendum shall require the signed written consent of both Parties.

4.3 In the event of any modification pursuant to Section 5.1, Botanalytics shall notify Client of such modification by email at least 30 days (or such shorter period as may be required to comply with Applicable Data Protection Laws or any other law, regulation, court order or guidance issued by a governmental regulator or agency) before the change will take effect.


Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.