3.1 Evvnt agrees:
(a) to process Client Personal Data only: (i) on behalf of Client and/or the applicable business or controller and in accordance with Client’s documented instructions unless otherwise required by UK, European Union or European Member State law or state or Federal U.S. law to which Evvnt is subject; (ii) for the purpose of carrying out the Services or as otherwise instructed by Client; and (iii) in compliance with this DPA.
(b) that it shall not process the personal information other than on Client’s documented instructions in the Underlying Agreement, which include processing to detect data security incidents, protecting against fraudulent or illegal activity, creation of datasets of aggregate consumer information and de-identified information, appointing sub-processors, and any other business purpose or operational purpose permissible under the UK Data Protection Legislation and that does not cause Evvnt to lose its service provider status under the CCPA.
(c) that it shall not (i) sell the personal information, (ii) retain, use or disclose the personal information for any purpose other than for providing the Services, or (iii) retain, use, or disclose the personal information outside of the business relationship between Client and Evvnt, except as instructed by the Client;
(d) that if it is legally required to process Client Personal Data otherwise than as instructed by Client, it shall notify Client before such processing occurs, unless the law requiring such processing prohibits Evvnt from notifying Client on an important ground of public interest, in which case it shall notify Client as soon as that law permits it to do so.
(e) that it has implemented and will maintain appropriate technical and organisational measures to protect Client Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access. Having regard to the state of the art and cost of their implementation, Evvnt agrees that such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of Client Personal Data to be protected.
(f) to take reasonable steps to ensure that its personnel who have access to the Client Personal Data have committed themselves to confidentiality or are under appropriate statutory obligation of confidentiality.
(g) that it will, as required by applicable law, notify Client about: (i) any instruction which, in its opinion, infringes applicable law; and (ii) any actual, confirmed security breach, unauthorized access, misappropriation, loss, damage or other compromise of the security, confidentiality, or integrity of Client Personal Data processed by Evvnt or a Sub-processor (“Security Breach”).
(h) that within a reasonable time following discovery of any Security Breach, it shall: (i) take reasonable steps to mitigate the harm to Data Subjects and prevent any further Security Breach; and (ii) provide Client with cooperation and assistance in relation to any notifications that Client is required to make as a result of the Security Breach.
(i) to assist Client in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the UK GDPR taking into account the nature of processing and the information available to Evvnt.
(j) to forward to the Client a Data Subject request under the UK Data Protection Legislation;
(k) to assist Client in complying with a request from a Data Subject by providing functionality through the Services for Client to fulfill the request itself; and
(l) to make available to Client all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the UK GDPR and allow for and contribute to audits, including inspections, conducted by Client or another auditor mandated by Client, upon terms mutually agreeable to the parties.