Last updated: October 2023 

Supplier Privacy Engagement 

Averna Technologies Inc., together with its affiliates and subsidiaries (collectively, “Averna”), is committed to the protection of personal data in compliance with the applicable legislative acts including, but not limited to, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), Europe’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and Québec’s Act respecting the protection of personal information in the private sector as amended by Law 25, An Act to modernize legislative provisions as regards the protection of personal information.

 This Supplier Privacy Engagement (this “Engagement”) applies to subcontractors, suppliers, third-party service providers, vendors, as well as their employees and subcontractors (collectively, “Suppliers”) who conduct business with Averna and who collect, use, access, disclose or otherwise process personal data received from Averna (i.e., data processor). 

 This Engagement sets out expectations and minimum requirements for how Suppliers shall treat personal data received from Averna in the course of a commercial agreement concluded with Averna. This Engagement does not replace, but supplements, the obligations set out in such commercial agreement. 

 In this Engagement, “personal data” refers to any information about an identified or identifiable individual and excludes anonymous or de-identified data that is not associated with a particular individual.  

1. Conduct Requirements

Suppliers are responsible for ensuring that the entirety of their personnel and subcontractors involved in the collection, use, disclosure, and retention of personal data received from Averna is made aware of this Engagement and is bound by the necessary contractual agreements to achieve compliance with the provisions contained therein.

Suppliers shall further assist Averna in complying with its legislative obligations as they pertain to data security, data breach notification requirements, and data protection impact assessments, as well as with the handling of requests from data subjects concerning the processing of their personal data.

Failure to comply with this Engagement may adversely impact Averna. Failure to comply with this Engagement or to timely report a breach thereof will impact the Supplier’s ability to continue business with Averna and may lead to termination of the supplier relationship.  

2. Data Processing Principles 

Suppliers shall only process personal data received from Averna in accordance with documented instructions provided by Averna, including with regard to cross-border and international transfers of personal data.   

Suppliers shall ensure that collection, use, disclosure, and retention of personal data is limited to the purpose identified in the commercial agreement between the Supplier and Averna. Suppliers are expected to obtain the appropriate consents to use and disclose the personal data as required by such identified purpose.   

Suppliers shall limit access to the personal data received from Averna to the personnel involved in the processing of the personal data on a “need to know” basis. Additionally, Suppliers shall not use the services of sub-processors without the prior written consent of Averna.   

Suppliers shall immediately report personal data breaches to Averna. Where a Supplier is made aware of inaccuracies or irregularities in the personal data received from Averna, it shall notify Averna without undue delay and assist Averna in the completion of the necessary rectifications. 

Suppliers shall at all times maintain the appropriate technical and organizational measures to ensure data integrity and protection, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed for Averna. Such technical and organizational measures shall include comprehensive data privacy programs and policies, readily available documentation to demonstrate compliance, and privacy impact assessments as required. 

At a minimum, Suppliers shall maintain and ensure the following safeguards: the pseudonymization and encryption of personal data; the guarantee of ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and, a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.  

Averna may audit the Supplier’s compliance with this Engagement, in which case Suppliers shall make available to Averna all the information necessary to demonstrate compliance, and allow for and contribute to audits, including inspections conducted by Averna or a third party mandated by Averna.

Upon termination of the commercial agreement concluded with Averna, Suppliers shall ensure that all personal data belonging to Averna be either returned or destroyed, as indicated by Averna at the time of contract termination.