DATA PROCESSING ADDENDUM (GLOBAL) for VS&A Channel Partners 

Last modified: April 2024

This Data Processing Addendum, including the Annex incorporated herein by reference (“DPA”) supplements the Video Security & Access Control Channel Partner Agreement between Motorola Solutions, Inc., on behalf of itself and its Affiliates (collectively ​“Motorola”) and ________ (“Customer”) entered into ____________ as it has been modified, amended and supplemented thereto (collectively, the ​“Agreement”). Unless otherwise defined herein, all capitalized terms shall have the meaning set forth in the Agreement. Customer and Motorola are hereafter referred to collectively as the ​“Parties,” or individually as a ​“Party.”

In the event of a conflict between this DPA, the Agreement or any schedule, annex or other addenda to the Agreement, this DPA will prevail with respect to the handling of Customer and end user data, including but not limited to personally identifiable information. 

1. Definitions.

All capitalized terms not defined herein must have the meaning set forth in the Agreement. 

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Customer Contact Data” means contact information Motorola collects from Customer, including but not limited to contact information for Customer’s End Users and their Users, for business contact purposes, including without limitation marketing, advertising, licensing, and sales purposes.

“Data Protection Laws” means all data protection laws and regulations applicable to a Party with respect to the Processing of data accessible as a result of the Agreement and the use or provision of the Products and Services.

“Data Subject” means the identified or identifiable person to whom Personal Data relates. 

“GDPR” means EU General Data Protection Regulation 2016/679.

“Metadata” means data that describes other data.

“Personal Data” means any information relating to an identified or identifiable natural person processed by Motorola at the direction of Customer and Customer’s End Users and their Users as part of Customer Data, Customer Contact Data, End User Data, and Service Use Data. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 

“Process” or ​“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as accessing, collecting, recording, copying, analyzing, caching, organizing, restructuring, storing, adapting, altering, retrieving, consulting, using, transmitting, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying.

“Processor” means the Party engaged in Processing data on behalf of the Controller.

“End User Data” means data including but not limited to images, text, videos, and audio, that are provided to Motorola by, through, or on behalf of Customer’s end user and their authorized users, through the use of the Products and Services. End User Data does not include Service Use Data, other than that portion comprised of Personal Data. 

“Customer Data” means data related to Customer and made available to Motorola in connection with their business relationship or through use of Products and Services.

“Security Incident” means an incident leading to the accidental or unlawful destruction, loss, alteration or disclosure of, or access to Customer Data or End User Data, which may include Personal Data, while processed by Motorola. 

“Service Use Data” means data generated about the use of the Products and Services through Customer end users’ use of or Motorola’s support of the Products and Services, which may include metadata (data about data), Personal Data, product performance and error information, activity logs, and date and time of use. 

“Sub-processor” means other Processors engaged by Motorola to Process Customer Data or End User Data which may include Personal Data, as outlined on the following website: https://​www​.motoro​la​so​lu​tions​.com/​e​n​_​u​s​/​a​b​o​u​t​/​t​r​u​s​t​-​c​e​n​t​e​r​/​p​r​i​v​a​c​y​/​d​a​t​a​-​s​u​b​-​p​r​o​c​e​s​s​o​r​s​.html.

2. Processing of Customer Data and End User Data PERSONAL DATA

• 2.1 Roles of the Parties. The Parties agree that with regard to the Processing of End User Data hereunder, Customer’s end users are Controllers, Customer is a Processor and Motorola is a Processor who may engage Sub-processors pursuant to the requirements of Section 5 entitled ​“Sub-processors” below. With regard to the Processing of Customer Data and Service Use Data hereunder, Customer is the Controller and Motorola is a Processor. For purposes of each Party’s obligations regarding Data Subjects hereunder, such obligations apply only with respect to the subject of information that was provided by such Party to the other Party, whether directly or indirectly.
• 2.2 Customer’s Processing of Personal Data. Customer must, in its resale of Products and Services, Process Personal Data in accordance with the requirements of applicable Data Protection Laws, including any applicable requirement to provide notice to end user Data Subjects of the use of Motorola as a Processor and contractually obligating such end users to comply with Data Protection Laws. Customer is solely responsible for its compliance with all Data Protection Laws and establishing and maintaining its own policies and procedures to ensure such compliance. Customer will not, and will contractually require Customer end users to not, use the Products and Services in a manner that would violate applicable Data Protection Laws. With respect to Personal Data transferred by Customer or its end users to Motorola pursuant to the Agreement, Customer must have sole responsibility for (i) the lawfulness of any transfer of Personal Data to Motorola, (ii) the accuracy of Personal Data provided to Motorola by Customer; (iii) the means by which Customer or Customer end users acquired Personal Data, and (iv) the provision of any required notices to, and obtaining any necessary acknowledgements, authorizations or consents from applicable Data Subjects. Customer and/​or End User takes full responsibility to keep the amount of Personal Data provided by Customer and/​or End User to Motorola to the minimum necessary for Motorola to perform in accordance with the Agreement.
• 2.3 Motorola’s Processing of Customer Data, End User Data, and Personal Data. Motorola shall only Process Personal Data on behalf of and in accordance with Customer’s instructions whenever Customer acts as Data Controller and/​or a Customer’s end users’ instructions, as the case may be, and in compliance with all applicable Data Protection Laws. Instructions by Customer and/​or a Customer’s end user may be given only as provided for and within the limits of this DPA and the applicable Ordering Document. Customer and/​or the applicable Customer end user, instructs Motorola to Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement and applicable orders thereunder; (ii) Processing initiated by Customer’s end users in their use of the Products or Services; (iii) Processing to comply with other reasonable instructions provided by Customer and/​or End User (s) where such instructions are consistent with the terms of the Agreement. Any additional or alternate instructions must be agreed to according to the process for amending the Agreement. Customer Data and End User Data may be processed by Motorola at any of its global locations and/​or disclosed to Sub-processors as long as in line with applicable legislation. With respect to data transferred by Motorola or its Sub-processors to Customer or its end users pursuant to the Agreement, as between Customer and Motorola, Motorola must have sole responsibility for (i) the lawfulness of any transfer of Personal Data, (ii) the accuracy of Personal Data; (iii) the means by which such Personal Data was acquired, and (iv) the provision of any required notices to, and obtaining any necessary acknowledgements, authorizations or consents from applicable Data Subjects.
• 2.4 Details of Processing. The Processing, the categories of Data Subjects and types of Personal Data are set forth on Schedule 2, Annex I to this DPA.
• 2.5 Disclosure of Processed Data. Motorola must not disclose to or share any Customer Data or End User Data with any third party except to Motorola’s Sub-processors, as necessary to provide the Products and Services to Customer or its End Users, unless expressly permitted under the Agreement authorized by Customer or required by law. In the event a government or supervisory authority demands access to Customer Data or End User Data, to the extent allowable by law, Motorola must provide Customer with notice of receipt of the demand with sufficient time for Customer to seek appropriate relief in the relevant jurisdiction. In all circumstances, Motorola shall comply with applicable law. Motorola must ensure that its personnel are subject to a duty of confidentiality, and will contractually obligate its Sub-processors to a duty of confidentiality, with respect to the handling of Customer Data, End User Data and all Personal Data accessible as a result of the Agreement.
• 2.6 Indemnity. Each Party will defend, indemnify, and hold the other Party and its subcontractors, subsidiaries and other affiliates harmless from and against any and all damages, losses, liabilities, and expenses (including reasonable fees and expenses of attorneys) arising from any actual or threatened third-party claim, demand, action, or proceeding arising from or related to the indemnifying Party’s failure (or the failure of a third party acting on the indemnifying Party’s behalf) to comply with its obligations under this Agreement and/​or applicable Data Protection Laws. The indemnified Party will give prompt, written notice of any claim subject to the foregoing indemnity, and will, at its own expense, cooperate with the indemnifying Party in its defense or settlement of the claim. Neither Party shall settle or compromise any claim, or consent to the entry of any judgment, without the prior written consent of the other Party and without an unconditional release of all liability by each claimant or plaintiff with respect to such other Party.

3. Service Use Data. Customer understands and agrees that Motorola may collect and use Service Use Data (which shall be anonymized and sanitized to exclude Personal Data) for its own purposes, provided that such purposes are compliant with applicable Data Protection Laws. Service Use Data may be processed by Motorola at any of its global locations and/​or disclosed to Sub-processors. 

4. Motorola as a Controller or Joint Controller. In all instances where Motorola acts as a Controller it must comply with the applicable provisions of the Privacy Statement at: https://​www​.avig​ilon​.com/​p​r​ivacy as each may be updated from time to time (the ​“Privacy Statement”). Motorola holds all Customer Contact Data as a Controller and must Process such Customer Contact Data in accordance with the Privacy Statement and the Agreement. Notwithstanding anything to the contrary, Motorola may use Customer Contact Data solely for purposes of fulfilling its obligations under the Agreement.

5. Sub-processors.

• 5.1 Use of Sub-processors. Customer agrees that Motorola may engage Sub-processors who in turn may engage Sub-processors to Process Personal Data in accordance with this DPA. A current list of Sub-processors is set forth at the following website: https://​www​.motoro​la​so​lu​tions​.com/​e​n​_​u​s​/​a​b​o​u​t​/​t​r​u​s​t​-​c​e​n​t​e​r​/​p​r​i​v​a​c​y​/​d​a​t​a​-​s​u​b​-​p​r​o​c​e​s​s​o​r​s​.html.When engaging Sub-processors, Motorola must avoid Prohibited Contractors and enter into agreements with the Sub-processors to bind them to obligations which are substantially similar and equally or more stringent than those set out in this DPA. Prior to providing access to Personal Data, Motorola will assess the security and privacy controls of the new Sub-processor utilizing industry standard risk assessment frameworks. Motorola will monitor Sub-processors to ensure continued compliance with security and privacy requirements. 
• 5.2 Changes to Sub-processing. Customer hereby consents to Motorola making changes to Sub-processors to Process Personal Data provided that: (i) subject to (iii) below, Motorola must use its reasonable endeavors to provide at least 30 days’ prior notice of the addition or removal of any Sub-processor, which may be given by posting details of such addition or removal at the URL provided in Section 5.1; (ii) Motorola imposes data protection terms on any Sub-processor it appoints that protect the Personal Data to the same standard provided for by this DPA; (iii) in the event Motorola becomes aware that a Sub-processor becomes a Prohibited Contractor at any time during the term of the Agreement, Motorola shall promptly cease using such Sub-processor for any activity related to the Agreement, and (iv) Motorola remains fully liable for any breach of the Agreement that is caused by an act, error or omission of its Sub-processor(s).

6. Data Subject Requests. Motorola must, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject, including without limitation requests for access to, correction, amendment, transport or deletion of such Data Subject’s Personal Data (“Data Subject Request”). If the Data Subject is Customer’s end user, Motorola will not respond to the Data Subject Request, and Customer authorizes Motorola to redirect the Data Subject Request to Customer for action. Customer will make a commercially reasonable effort to communicate the Data Subject Request to the applicable Customer end user in an effort to ensure that all such Data Subject Requests are handled by the applicable Customer end user in a timely manner and in compliance with Data Protection Laws. To the extent applicable, Motorola must provide Customer with commercially reasonable cooperation and assistance in relation to any Data Subject Request. Customer is responsible for any reasonable costs arising from Motorola’s provision of such assistance to Customer or Customer end users under this Section.

7. Data Transfers. Motorola agrees that it must not make transfers of Personal Data under this Agreement from one jurisdiction to another, or otherwise Process Personal Data unless all such actions are performed in compliance with this DPA and applicable Data Protection Laws. Motorola agrees to enter into appropriate agreements with its Sub-processors, which will permit Motorola to transfer Personal Data to its Sub-processors. Motorola agrees to amend as necessary the Agreement to permit transfer of Personal Data from Motorola to Customer’s end users. Motorola also agrees to assist the Customer in entering into agreements with its affiliates, Customer end users and Sub-processors if required by applicable Data Protection Laws for necessary transfers.

8. Security. Motorola must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk posed by the Processing of Personal Data, taking into account the costs of implementation; the nature, scope, context, and purposes of the Processing; and the risk of varying likelihood and severity of harm to the Data Subjects. The appropriate technical and organizational measures implemented by Motorola are set forth in Annex I. In assessing the appropriate level of security, Motorola must weigh the risks presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise Processed.

9. Security Incident Notification. If Motorola becomes aware of a Security Incident, then Motorola must (i) notify Customer, Customer end users, and Data Subjects, of the Security Incident without undue delay and, in any case, in compliance with timeframes dictated by applicable law, (ii) investigate the Security Incident and apprise Customer of the details of the Security Incident and (iii) take reasonable steps (but no less than legally required steps) to stop any ongoing loss of Personal Data due to the Security Incident to the extent in the control of Motorola or its Sub-processors. Notification of a Security Incident must not be construed as an acknowledgement or admission by Motorola of any fault or liability in connection with the Security Incident. Motorola must make reasonable efforts to assist Customer in fulfilling Customer’s obligations under Data Protection Laws to notify the relevant supervisory authority and Data Subjects about such incident. 

10. Data Retention and Deletion. Except for anonymized Service Use Data, or as otherwise provided under the Agreement, Motorola must delete (in accordance with all applicable laws) all Customer Data and End User Data no later than ninety (90) days following termination or expiration of the Agreement or applicable order unless otherwise required to comply with applicable law.

11. Audit Rights

• 11.1 Periodic Audit. Motorola will allow Customer to perform an audit of reasonable scope and duration of Motorola operations relevant to the Products and Services purchased under the Agreement, at Customer’s sole expense, for verification of compliance with the technical and organizational measures set forth in Annex II if (i) Motorola notifies Customer of a Security Incident that results in actual compromise to the Products and/​or Services purchased; (ii) if Customer reasonably believes Motorola is not in compliance with its security commitments under this DPA, or (iii) if such audit is legally required by the Data Protection Laws. Except to the extent in conflict with (iii), any audit must be conducted in accordance with the procedures set forth in Section 11.3 of this DPA and may not be conducted more than one time per year. If any such audit requires access to confidential information of Motorola’s other customers, suppliers or agents, such portion of the audit may only be conducted by Customer’s nationally recognized independent third party auditors in accordance with the procedures set forth in Section 11.3 of this DPA. Unless mandated by applicable Data Protection Laws or otherwise mandated by law or court order, no audits are allowed within a data center for security and compliance reasons. Motorola must, in no circumstances, provide Customer with the ability to audit any portion of its software, products, and services which would be reasonably expected to compromise the confidentiality of any third party’s information which was not Processed or otherwise provided to Customer or an end user as a result of the Agreement.
• 11.2 Satisfaction of Audit Request. Upon receipt of a written request to audit, and subject to Customer’s agreement, Motorola may satisfy such audit request by providing Customer with a confidential copy of a Motorola’s applicable most recent third party security review performed by a nationally recognized independent third party auditor, such as a SOC2 Type II report or ISO 27001 certification, in order that Customer may reasonably verify Motorola’s compliance with national standards.
• 11.3 Audit Process. Except to the extent in conflict with Section 11.1(iii), Customer must provide at least five days (5) days prior written notice to Motorola of a request to conduct the audit described in Section 11.1. All audits must be conducted during normal business hours, at applicable locations or remotely, as designated by Motorola; provided that Motorola shall designate the location(s) which are in the best position to give Customer access to the most relevant information in the most logical and expedient manner. Audit locations, if not remote will generally be those location(s) where Customer Data or End User Data is accessed, or Processed. The audit must not unreasonably interfere with Motorola’s day to day operations. An audit must be conducted at Customer’s sole cost and expense and subject to the terms of the confidentiality obligations set forth in the Agreement. Notwithstanding the foregoing, in the event of an audit pursuant to Section 11.1(ii) which finds Motorola in violation of this DPA, in addition to all other remedies available to Customer, Motorola will reimburse Customer for all costs of such audit. Before the commencement of any such audit, Motorola and Customer must mutually agree upon the time, and duration of the audit. Motorola must provide reasonable cooperation with the audit, including providing the appointed auditor a right to review, but not copy, Motorola security information or materials provided such auditor has executed an appropriate non-disclosure agreement. Motorola’s policy is to share methodology and executive summary information, not raw data or private information. If the audit finds Motorola in violation of this DPA, Customer must, at no charge, provide to Motorola a full copy of all findings of the audit.
• 11.4 Customer end user Audit or Evaluation Requests. In the event a Customer end user makes a request of Motorola or Customer for an audit or evaluation of Motorola’s security or privacy general practices or specific practices with respect to a Product or Service, such as a request for privacy or security documentation, completion of a privacy or security questionnaire, or other security or privacy review (collectively ​“Evaluation Documentation”), Motorola will assist Customer as follows: (i) Motorola will notify Customer of any request that comes directly to Motorola, Motorola will refer Customer end user to Customer for follow up and refrain from initiating further contact with such end user, and Customer and Motorola will collaboratively determine the appropriate process for responding to Customer end user, and (ii) Motorola will provide all Evaluation Documentation to Customer for Customer’s review and approval of the Evaluation Documentation. Customer will present the Evaluation Documentation to Customer’s end user. By Customer’s transmittal of the Evaluation Documentation to Customer end user, Customer acknowledges that it has reviewed the Evaluation Documentation. Motorola will not communicate Evaluation Documentation to Customer end users unless Customer has signed a waiver agreement with Motorola releasing Motorola from any and all claims Customer may have against Motorola arising out of or related to the Evaluation Documentation.

12. Regulation Specific Terms

• 12.1 HIPAA Business Associate. If Customer is a ​“covered entity” or a ​“business associate” and includes ​“protected health information” in Customer Data as those terms are defined in 45 CFR § 160.103, execution of the MCA or Channel Partner Agreement includes execution of the Motorola HIPAA Business Associate Agreement Addendum (“BAA”). Customer may opt out of the BAA by sending the following information to Motorola in a written notice under the terms of the Customer’s Agreement: ​“Customer and Motorola agree that no Business Associate Agreement is required. Motorola is not a Business Associate of Customer’s, and Customer agrees that it will not share or provide 
• 12.2 FERPA. If Customer is an educational agency or institution to which regulations under the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g (FERPA), apply, Motorola acknowledges that for the purposes of the DPA, Motorola is a ​“school official” with ​“legitimate educational interests” in the Customer Data, as those terms have been defined under FERPA and its implementing regulations, and Motorola agrees to abide by the limitations and requirements imposed by 34 CFR 99.33(a) on school officials. Customer understands that Motorola may possess limited or no contact information for Customer’s students and students’ parents. Consequently, Customer must be responsible for obtaining any parental consent for any end user’s use of the Online Service that may be required by applicable law and to convey notification on behalf of Motorola to students (or, with respect to a student under 18 years of age and not in attendance at a post-secondary institution, to the student’s parent) of any judicial order or lawfully-issued subpoena requiring the disclosure of Customer Data in Motorola’s possession as may be required under applicable law.
• 12.3 CJIS. Motorola agrees to support the Customer’s obligation to comply with the Federal Bureau of Investigation Criminal Justice Information Services (CJIS) Security Policy and must comply with the terms of the CJIS Security Addendum for the Term of this Agreement and such CJIS Security Addendum is incorporated herein by reference. Customer hereby consents to allow Motorola ​“screened” personnel as defined by the CJIS Security Policy to serve as an authorized ​“escort” within the meaning of CJIS Security Policy for escorting unscreened Motorola personnel that require access to unencrypted Criminal Justice Information for purposes of Tier 3 support (e.g. troubleshooting or development resources). In the event Customer requires access to Service Use Data for its compliance with the CJIS Security Policy, Motorola must make such access available following Customer’s request. Notwithstanding the foregoing, in the event the MCA or applicable Ordering Document terminates, Motorola must carry out deletion of Customer Data in compliance with Section 10 herein and may likewise delete Service Use Data within the time frame specified therein. To the extent Customer objects to deletion of its Customer Data or Service Use Data and seeks retention for a longer period, it must provide written notice to Motorola prior to expiration of the 30 day period for data retention to arrange return of the Customer Data and retention of the Service Use Data for a specified longer period of time.
• 12.4 CCPA / CPRA. If Motorola is Processing Personal Data within the scope of the California Consumer Protection Act (“CCPA”) and/​or the California Privacy Rights Act (“CPRA”) (collectively referred to as the ​“California Privacy Acts”), Customer acknowledges that Motorola is a ​“Service Provider” within the meaning of California Privacy Acts. Motorola must process Customer Data and Personal Data on behalf of Customer and, not retain, use, or disclose that data for any purpose other than for the purposes set out in this DPA and as permitted under the California Privacy Acts, including under any ​“sale” exemption. In no event will Motorola sell any such data. If a California Privacy Act applies, Personal Data must also include any data identified with the California Privacy Act or Act’s definition of personal data. Motorola shall provide Customer with notice should it determine that it can no longer meet its obligations under the California Privacy Acts, and the parties agree that, if appropriate and reasonable, Customer may take steps necessary to stop and remediate unauthorized use of the impacted Personal Data
• 12.5 CPA, CTDPA, VCDPA. If Motorola is Processing Personal Data within the scope of the Colorado Privacy Rights Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), or the Virginia Consumer Data Protection Act (“VCDPA”) Motorola will comply with its obligations under the applicable legislation, and shall make available to Customer all information in its possession necessary to demonstrate compliance with obligations in accordance with such legislation. Motorola Contact. If Customer believes that Motorola is not adhering to its privacy or security obligations hereunder, Customer must contact the Motorola Data Protection Officer at Motorola Solutions, Inc., 500 W. Monroe, Chicago, IL USA 90661 – 3618 or at privacy1@​motorolasolutions.​com.
• 12.6 GDPR. To the extent Motorola is a Processor or Sub-processor of Personal Data subject to the GDPR (as defined in Section 7 herein), the Standard Contractual Clauses set forth in Schedule 1 hereto must apply.
• 12.7 UK-GDPR. To the extent Motorola is a Processor or Sub-processor of Personal Data subject to the UK-GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses Schedule 2 hereto must apply.
• 12.8 Amendments for Additional Local Data Protection Requirements. To the extent that additional country-specific, state, regional, provincial, or other geographic area specific provisions are required under Data Protection Laws, Motorola and Customer agree to incorporate such provisions solely to the extent they are required and solely to the extent they are applicable to particular Personal Data processed by Motorola.

13. Motorola Contact. If Customer believes that Motorola is not adhering to its privacy or security obligations hereunder, Customer must contact the Motorola Data Protection Officer at Motorola Solutions Connectivity, Inc., 500 W. Monroe, Chicago, IL USA 90661 – 3618 or at privacy1@​motorolasolutions.​com.

Motorola Solutions, Inc. Customer: [___________]

By: ______________________________ By: ______________________________

Name: ___________________________ Name: ____________________________

Title: _____________________________ Title: _____________________________

Date: ____________________________ Date: ____________________________

Schedule 1

Cross Border Transfer Mechanisms

1.1​“Standard Contractual Clauses” means the Standard Contractual Clauses approved by the European Commission in decision 2021/914.

1.2 ​“UK IDTA” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022.

2. Cross Border Data Transfer Mechanisms.

2.1 2021 Standard Contractual Clauses. The parties agree that the 2021 Standard Contractual Clauses will apply to personal data that is transferred via the Services from the European Economic Area or Switzerland, either directly or via onward transfer, to any country or recipient outside the European Economic Area or Switzerland that is not recognized by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection for personal data. For data transfers from the European Economic Area that are subject to the 2021 Standard Contractual Clauses (https://​com​mis​sion​.europa​.eu/​p​u​b​l​i​c​a​t​i​o​n​s/sta), the 2021 Standard Contractual Clauses will be deemed entered into (and incorporated into this Addendum by this reference) and completed as follows:

(a) Module Two (Controller to Processor) of the Standard Contractual Clauses will apply where Customer is the Controller and Motorola is the Processor.

(b) Module Three (Processor to Processor) of the Standard Contractual Clauses will apply where Customer is the Processor and Motorola is the Sub-Processor.

(c) For each Module, where applicable:

2.2 Data Transfers From Switzerland. For data transfers from Switzerland that are subject to the Standard Contractual Clauses, the Standard Contractual Clauses will be deemed entered into (and incorporated into this Addendum by this reference) and completed as set out in Section 2.1 of this Schedule 1, subject to the following modifications:

(i) references to ​“EU Member State” and ​“Member State” will be interpreted to include Switzerland, and

(ii) insofar as the transfer or onward transfers are subject to the Swiss Federal Act on Data Protection, as revised (FADP):

(1) references to ​“Regulation (EU) 2016/679” are to be interpreted as references to the FADP;

(2) the ​“competent supervisory authority” in Annex I, Part C will be the Swiss Federal Data Protection and Information Commissioner;

(3) in Clause 17 (Option 1), the EU Standard Contractual Clauses will be governed by the laws of Switzerland; and

(4) in Clause 18(b) of the EU Standard Contractual Clauses, disputes will be resolved before the courts of Switzerland.

2.3 UK International Data Transfer Agreement. The parties agree that the UK IDTA will apply to personal data that is transferred via the Services from the United Kingdom, either directly or via onward transfer, to any country or recipient outside of the United Kingdom that is not recognized by the competent United Kingdom regulatory authority or governmental body as providing an adequate level of protection for personal data. For data transfers from the United Kingdom that are subject to the UK IDTA, the UK IDTA will be deemed entered into (and incorporated into this Addendum by this reference) and completed as follows:

(a) In Table 1 of the UK IDTA, the parties’ details and key contact information is located in Section 2.1(d)(vi) of Schedule 3 of this Addendum.

(b) In Table 2 of the UK IDTA, information about the version of the Approved EU SCCs, modules and selected clauses which this UK International Data Transfer Agreement is appended to is located in Section 2.1 of this Addendum.

(c) In Table 3 of the UK IDTA:

1. The list of Parties is located in Section 2.1(d)(vi) of Schedule 3 of this Addendum.

2. The description of the transfer is set forth in Section 1 (Nature and Purpose of the Processing) of Schedule 1 (Details of the Processing) of this Addendum.

3. Annex II is located in Schedule 2 (Technical and Organizational Security Measures) of this Addendum.

(d) In Table 4 of the UK IDTA, both the Importer and the Exporter may end the UK IDTA in accordance with the terms of the UK IDTA.

SCHEDULE 2

ANNEX I

DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Data subjects include the data exporter’s representatives and end-users including employees, contractors, collaborators, and customers of the data exporter. Data subjects may also include individuals attempting to communicate or transfer personal information to users of the services provided by data importer. Motorola acknowledges that, depending on Customer’s or End Users’ use of the Online Service, Customer or End User may elect to include personal data from any of the following types of data subjects in the Customer or End User Data:

• Employees, contractors, and temporary workers (current, former, prospective) of data exporter;

• Dependents of the above;

• Data exporter’s collaborators/​contact persons (natural persons) or employees, contractors or temporary workers of legal entity collaborators/​contact persons (current, prospective, former);

• Users (e.g., customers, clients, visitors, etc.) and other data subjects that are users of data exporter’s services;

• Partners, stakeholders or individuals who actively collaborate, communicate or otherwise interact with employees of the data exporter and/​or use communication tools such as apps and websites provided by the data exporter;

• Stakeholders or individuals who passively interact with data exporter (e.g., because they are mentioned in documents or correspondence from or to the data exporter);

• Minors; or

• Professionals with professional privilege (e.g., doctors, lawyers, notaries, religious workers, etc.).

SCHEDULE 3

ANNEX II

TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Measures of pseudonymization and encryption of personal data

Where technically feasible and when not impacting services provided: 

• Motorola minimizes the data it collects to information it believes is necessary to communicate, provide, and support products and services and information necessary to comply with legal obligations. 

• Motorola encrypts in transit and at rest. 

• Motorola pseudonymizes and limits administrative accounts that have access to reverse pseudonymization.

In order to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services, Motorola Solutions Information Protection policy mandates the institutionalization of information protection throughout solution development and operational lifecycles. Motorola maintains dedicated security teams for its internal information security and its products and services. Its security practices and policies are integral to its business and mandatory for all Motorola employees and contractors The Motorola Chief Information Security Officer maintains responsibility and executive oversight for such policies, including formal governance, revision management, personnel education and compliance. Motorola generally aligns to the NIST Cybersecurity Framework as well as ISO 27001. 

Some of the system configuration is under the control of the customer.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

Security Incident Procedures Motorola maintains a global incident response plan to address any physical or technical incident in an expeditious manner. Motorola maintains a record of security breaches with a description of the breach, the time period, the consequences of the breach, the name of the reporter, and to whom the breach was reported, and the procedure for recovering data. For each security breach that is a Security Incident, notification will be made in accordance with the Security Incident Notification section of this DPA.

Business Continuity and Disaster Preparedness Motorola maintains business continuity and disaster preparedness plans for critical functions and systems within Motorola’s control that support the Products and Services purchased under the Agreement in order to avoid services disruptions and minimize recovery risks.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

Motorola periodically evaluates its processes and systems to ensure continued compliance with obligations imposed by law, regulation or contract with respect to the confidentiality, integrity, availability, and security of Customer Data and End User Data, including personal information. Motorola documents the results of these evaluations and any remediation activities taken in response to such evaluations. Motorola periodically has third party assessments performed against applicable industry standards, such as ISO 27001, 27017, 27018 and 27701.

Measures for user identification and authorization

Identification and Authentication. Motorola uses industry standard practices to identify and authenticate users who attempt to access Motorola information systems. Where authentication mechanisms are based on passwords, Motorola requires that the passwords are at least eight characters long and are changed regularly. Motorola uses industry standard password protection practices, including practices designed to maintain the confidentiality and integrity of passwords when they are assigned and distributed, and during storage.

Access Policy and Administration. Motorola maintains a record of security privileges of individuals having access to Customer Data and End User Data including personal information. Motorola maintains appropriate processes for requesting, approving and administering accounts and access privileges in connection with the processing of data. Only authorized personnel may grant, alter or cancel authorized access to data and resources. Where an individual has access to systems containing Customer Data and End User Data, the individuals are assigned separate, unique identifiers. Motorola deactivates authentication credentials on a periodic basis.

Measures for the protection of data during transmission

Data is generally encrypted during transmission within the Motorola managed environments. Encryption in transit is also generally required of any sub-processors. Further, protection of data in transit is also achieved through the access controls, physical and environmental security, and personnel security described throughout this Annex I.

Measures for the protection of data during storage

Data is generally encrypted during storage within the Motorola managed environments. Encryption in storage is also generally required of any sub-processors. Further, protection of data in storage is also achieved through the access controls, physical and environmental security, and personnel security described throughout this Annex I.

Measures for ensuring physical security of locations at which personal data are processed

Motorola maintains appropriate physical and environment security controls to prevent unauthorized access to Customer Data and End User Data, including personal information. This includes appropriate physical entry controls to Motorola facilities such as card-controlled entry points, and a staffed reception desk to protect against unauthorized entry. Access to controlled areas within a facility will be limited by job role and subject to authorized approval. Use of an access badge to enter a controlled area will be logged and such logs will be retained in accordance with Motorola policy. Motorola revokes personnel access to Motorola facilities and controlled areas upon separation of employment in accordance with Motorola policies. Motorola policies impose industry standard workstation, device and media controls designed to further protect Customer Data and End User Data, including personal information.

Measures for ensuring personnel security

Access to Customer Data and End User Data. Motorola maintains processes for authorizing and supervising its employees, and contractors with respect to monitoring access to Customer Data and End User Data. Motorola requires its employees, contractors and agents who have, or may be expected to have, access to Customer Data and End User Data to comply with the provisions of the Agreement, including this Annex and any other applicable agreements binding upon Motorola. 

Security and Privacy Awareness. Motorola must ensure that its employees and contractors remain aware of industry standard security and privacy practices, and their responsibilities for protecting Customer and End User Data. This must include, but not be limited to, protection against malicious software, password protection, and management, and use of workstations and computer system accounts. Motorola requires periodic Information security training, privacy training, and business ethics training for all employees and contract resources

Sanction Policy. Motorola maintains a sanction policy to address violations of Motorola’s internal security requirements as well as those imposed by law, regulation, or contract.

Background Checks. Motorola follows its standard mandatory employment verification requirements for all new hires. In accordance with Motorola internal policy, these requirements must be periodically reviewed and include, but may not be limited to, criminal background checks, proof of identity validation and any additional checks as deemed necessary by Motorola. 

Measures for ensuring events logging

Motorola maintains policies requiring continuous monitoring and event logging on all production information resources. Application audit trail logs must be captured on all production Motorola information resources. Audit trail logs of production Motorola information resources are regularly reviewed and appropriate remedial actions are taken when necessary.

Measures for ensuring system configuration, including default configuration 

Motorola on-site systems are provided with a default secure configuration that may require end user input to complete the secure configuration. For example, some default configurations must be changed by the end user to maintain a secure system (e.g., default usernames and passwords, connecting to active directory, etc.). This completion of the default secure configuration is dependent on the end user input for transitioning from the default secure configuration to a secure configuration. 

Measures for internal IT and IT security governance and management

The Motorola Solutions Enterprise Information Security organization is structured as follows: Governance/​ Risk/​ Compliance, Threat Intelligence & Vulnerability Management, Detection, Protection, and Response. Motorola assesses organization’s effectiveness annually via external assessors who report and share the assessment findings with Motorola Audit Services who tracks any identified remediations. For more information, please see the Motorola Trust Center at https://​www​.motoro​la​so​lu​tions​.com/​e​n​_​u​s​/​a​b​o​u​t​/​t​r​u​s​t​-​c​e​n​t​e​r​/​s​e​c​u​r​i​t​y​.html

Measures for certification/​assurance of processes and products

Motorola performs internal Secure Application Review and Secure Design Review security audits and Production Readiness Review security readiness reviews prior to service release. Where appropriate, privacy assessments are performed for Motorola’s products and services. A risk register is created as a result of internal audits with assignments tasked to appropriate personnel. Security audits are performed annually with additional audits as needed. Additional privacy assessments, including updated data maps, occur when material changes are made to the products or services. Further, Motorola Solution has achieved AICPA SOC2 Type 2 reporting and ISO/IEC 27001:2013 certification for many of its development and support operations. 

Measures for ensuring data minimization 

Motorola policies require processing of all personal information in accordance with applicable law, including when that law requires data minimization. Further, Motorola conducts privacy assessments of its products and services and evaluates if those products and services support the principles of processing, such as data minimization.

Measures for ensuring data quality

Motorola policies require processing of all personal information in accordance with applicable law, including when that law requires ensuring the quality and accuracy of data. Further, Motorola conducts privacy assessments of its products and services and evaluates if those products and services support the principles of processing, such as ensuring data quality.

Measures for ensuring limited data retention

Motorola maintains a data retention policy that provides a retention schedule outlining storage periods for personal data. The schedule is based on business needs and provides sufficient information to identify all records and to implement disposal decisions in line with the schedule. The policy is periodically reviewed and updated. 

Measures for ensuring accountability

To ensure compliance with the principle of accountability, Motorola maintains a Privacy Program which generally aligns its activities to both the Nymity Privacy Management and Accountability Framework and NIST Privacy Framework. The Privacy Program is audited annually by Motorola Solutions Audit Services. 

Measures for allowing data portability and ensuring erasure

When subject to a data subject request to move, copy or transfer their personal data, Motorola will provide personal data to the Controller in a structured, commonly used and machine readable format. Where possible and if the Controller requests it, Motorola can directly transmit the personal information to another organization.

For transfers to Sub-processors,

If, in the course of providing Products and Services under the Agreement, Motorola transfers information containing Personal Data to third parties, prior to said transfer Motorola shall ensure said third parties will be subjected to a security assessment and bound by obligations substantially similar, but at least as stringent, as those included in this DPA.