Data Protection and Information Security Agreement

This Global Data Protection and Information Security Agreement ("DPA") is made part of an agreement with Paramount Global. and/or one or more of its Affiliates (such party(ies), as applicable, "Paramount") which involves the Processing of Personal Data by Vendor and which makes reference to this DPA or the URL at which this DPA is located (the "Agreement"). This DPA does not limit other obligations of Vendor, including, without limitation, any obligations under the Agreement or laws that apply to Vendor or to Vendor’s performance under the Agreement. In the event of a conflict between the DPA, the Agreement or any applicable security requirements, the requirement that is most restrictive and protective of Paramount, as determined by Paramount in its sole discretion, shall apply unless otherwise expressly agreed upon in writing by Paramount.

  1. Definitions. Capitalized terms defined below shall have the meanings set forth herein, whether or not such terms are otherwise defined in the Agreement. Capitalized terms used but not otherwise defined in this DPA shall have the meanings assigned to such terms in the Agreement.
    • "Affiliate" means, with respect to Vendor, an entity, directly or indirectly, controlling, controlled by, or under direct or indirect common control with Vendor, either now or in the future and with respect to Paramount, an entity, directly or indirectly, controlled by Paramount, either now or in the future. For the purposes of an Affiliate, "control" means ownership of fifty percent (50%) or more of the outstanding shares having voting rights, or management or operational control by agreement or otherwise.
    • "Argentinian Model Clauses" mean the model contract for the international transfer of "personal data" (as defined under Argentina Data Protection Law) to other countries that do not provide an adequate level of protection for personal data related to Data Subjects residing in Argentina, as set out in Disposition 60-E/2016 A.
    • "Argentinian Personal Data" means Personal Data originating from or Processed in Argentina or otherwise subject to Argentinian Data Protection Laws.
    • "Data Protection Laws" mean any applicable law, treaty, statute, regulation, ordinance, order, directive, code, or other rule, or any administrative guidance or industry self- regulatory rules or guidelines regarding the same, whether of or by any legislative, administrative, judicial, or other Governmental Entity, that governs or relates to the confidentiality, security, privacy, or Processing of Personal Data or otherwise regulates marketing communications, data protection, or Security Incident management and/or notification including without limitation the EU General Data Protection Regulation (EU) 2016/679 ("GDPR"); the United Kingdom Data Protection Act 2018; the California Consumer Privacy Act of 2018, Cal. Civil Code section 1798.100 et seq., ("CCPA"); and the Brazilian General Data Protection Law, Law n. 13.709 of 2018 ("LGPD").
    • "Data Subject" means, as applicable, (i) any identified or identifiable individual, (ii) the meaning as set forth in Data Protection Laws, and (iii) such similar terms as defined in any Data Protection Laws, including the term "Consumer" as used in the CCPA.
    • "Data Subject Request" means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws, including without limitation the right of access, right to rectification, right to restrict Processing, right to erasure ("right to be forgotten"), right to data portability, or right to object to the Processing.
    • "European Model Clauses" means: (i) in respect of Personal Data to which the GDPR applies, the standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR, adopted by the European Commission under Commission Decision (EU) 2021/914 ("EU Model Clauses"); (ii) in respect of Personal Data to which the UK GDPR applies, the EU Model Clauses, as amended by the UK Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A(1) Data Protection Act 2018 ("UK Model Clauses"); and (iii) in respect of Personal Data to which the Swiss Federal Act on Data Protection ("FADP") applies, the EU Model Clauses as applicable in Switzerland and adapted as follows: (A) the term 'Member State' shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence in accordance with Clause 18(c); and (B) the EU Model Clauses also protect the data of legal entities until the entry into force of the revised FADP ("Swiss Model Clauses")."
    • "Governmental Entity" means any federal, state, provincial, municipal, local or foreign government, governmental authority, regulatory or administrative agency, governmental commission, department, board, bureau, agency, instrumentality, court or tribunal.
    • "Personal Data" means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to, a particular Data Subject, computing device, or household, and shall include, but is not limited to, all "personal data," "personal information," or similar terms, as defined in any Data Protection Laws.
    • "Process" or "Processing" means any operation or set of operations that is performed on Paramount Data, whether or not by automated means, such as collection, using, accessing, recording, reproducing, organization, structuring, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, evaluation or control, modification, blocking, restriction, erasure or destruction, or classification, and including all "processing" as defined in any Data Protection Laws.
    • "Sale of Data" means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s Personal Data by a business to another business or a third party for monetary or other valuable consideration.
    • "Security Incident" means: (i) the unauthorized, unlawful or accidental acquisition, use, disclosure, destruction, alteration, deletion, modification, grant of access to, corruption, transfer, sale, rental, or other Processing of any portion of such Paramount Data; (ii) any act or omission that compromises the privacy, security, confidentiality, availability or integrity of such Paramount Data or any safeguards put in place to protect the same; (iii) any failure by Vendor to adhere to this DPA; (iv) any other event involving Personal Data that triggers notification or similar requirements under Data Protection Laws; or (v) any attempt to cause any of the events described in clauses (i)-(iv).
    • "Subcontractor" means another data processor (as defined by Data Protection Laws) engaged by Vendor for carrying out Processing activities in respect of the Paramount Data on behalf of Paramount.
    • "Supervisory Authority" means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws.
    • "Paramount Data" means any and all data or information, in any form, format or media, provided or otherwise accessed by or made available to Vendor or any of its employees, agents or contractors or by any other party in connection with or incidental to the Agreement, as well as all data and works obtained, developed or produced by Vendor in connection with the Agreement including derivatives, aggregations or analysis of any of the foregoing.
    • "Paramount Information Security Requirements" means Paramount global information securities policies applicable to Vendor as set forth in Section 4 below, as may be supplemented or amended in the Agreement.
    • "Paramount Personal Data" means Paramount Data that constitute Personal Data.
  2. Roles of the Parties
    • As part of the Services described in the Agreement, Vendor may Process Paramount Data.
    • The Parties acknowledge and agree that with regard to the Processing of Paramount Personal Data of Data Subjects located in the EU, UK and Switzerland, Viacom International Media Networks UK Limited shall be the Controller and Vendor shall be the Processor of Personal Data Processed by Vendor under the Agreement.
    • For purposes of the California Consumer Privacy Act ("CCPA"), Paramount shall be considered a "business" and Vendor shall be a "service provider" (as defined under the CCPA).
    • The subject matter of the Processing undertaken by Vendor is in the provision of the Services and the Processing will be carried out for the duration of the Agreement. The Services, categories of Data Subjects, categories of Personal Data, and any specific instructions are set forth in the Agreement.
    • Except as expressly provided in the Agreement, Vendor acknowledges that, as between Vendor and Paramount, Paramount owns all right, title and interest in the Paramount Data.
  3. Obligations of Vendor with respect to Personal Data
    • When Vendor or a Subcontractor Processes Personal Data under the Agreement for or on behalf of Paramount, Vendor represents, warrants, and covenants both for itself and on behalf of each such Subcontractor, that it shall:
      • comply with all Data Protection Laws when Processing Personal Data, and shall not intentionally take any actions or fail to take any actions that would cause Vendor, a Subcontractor, or Paramount to be in violation of Data Protection Laws;
      • Process Paramount Personal Data solely for the purpose of performing its obligations under the Agreement and in accordance with Paramount’s documented instructions and not for any other purpose (including the Sale of Data), unless required to do so by applicable law to which Vendor is subject, in which case Vendor shall inform Paramount of that legal requirement before commencing Processing;
      • immediately inform Paramount if, in Vendor’s opinion, Paramount’s instructions would be in breach of Data Protection Laws;
      • act only as a "processor," "subprocessor," "service provider," or "operator," or in an equivalent role as defined by Data Protection Laws, and not as a "controller" or equivalent role;
      • not disclose any Personal Data to any third party (including any Governmental Entity), for any reason, whatsoever, without Paramount’s prior express written consent, unless such disclosure is: (1) to a Subcontractor, as necessary for the performance of the Services as required by the Agreement for the benefit of Paramount and its Affiliates; or (2) required by Data Protection Laws, in which case Vendor shall, unless prohibited by such Data Protection Laws, promptly notify Paramount after receiving a request for disclosure and prior to complying with any such request. In such instances where disclosure of Personal Data is required by Data Protection Laws, Vendor shall notify Paramount in advance of any such disclosure, and at Paramount’s request, cooperate fully in resisting the disclosure request to the full extent permitted by Data Protection Laws, and in any event shall disclose the minimum Personal Data necessary to comply with Data Protection Laws;
      • notify Paramount without undue delay (and in any event within 24 hours) of (i) any request for information from, or complaint by, a Supervisory Authority in relation to Paramount Personal Data that Vendor Processes for the purpose of performing its obligations under the Agreement; and (ii) any Data Subject Request in relation to Paramount Personal Data. Vendor shall provide to Paramount, in writing, all details surrounding such Data Subject Request, in a commonly used, structured, electronic and machine-readable format, if required. Vendor shall not respond to any Data Subject Request without Paramount’s express written consent. Further, Vendor shall fully cooperate as requested by Paramount to enable Paramount to comply with any Data Subject Request. Vendor shall implement appropriate technical and organizational measures to enable it to comply with this paragraph;
      • provide full and prompt cooperation and assistance in relation to any data protection impact assessment or regulatory consultation that Paramount is legally required to make in respect of Personal Data;
      • not attempt to re-identify any non-identifying information provided to or obtained by Vendor as a result of or in connection with the Services at any time, whether during or after the term of the Agreement and not aggregate Paramount Personal Data, even if anonymized or pseudonymized, except as expressly authorized under the Agreement;
      • maintain records of its Processing activities under the Agreement, which will include, without limitation, the name or title of Vendor personnel who access Personal Data, the categories of Personal Data Processed on behalf of Paramount, a description of any international data transfers conducted on behalf of Paramount (including a list of any countries to which Personal Data has been transferred), a description of the technical and organizational measures used to safeguard Personal Data, and any other information required by Data Protection Laws or as may be requested by Paramount; and
      • limit any disclosure of Personal Data to those of its personnel and Subcontractors who have a need to know the information to effect the use permitted herein, and keep a record of such disclosures.
  4. Paramount Global Information Security Requirements
    • General Security Requirement. Vendor shall maintain physical, administrative, and technical safeguards consistent with industry-accepted best practices (including the International Organization for Standardization’s standards ISO 27001 and 27002, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the Cloud Security Alliance, or other similar industry standards for information security) to protect the confidentiality, integrity, and availability of Paramount Data and systems. Vendor shall maintain industry-leading standards in evolving technical controls to ensure the protection of Paramount Data, including, without limitation, firewalls, encryption technologies, anti-virus software, access and authentication, security monitoring, and security alerting systems.
    • Specific Safeguard Requirements. Vendor shall maintain an information security program (the "Information and Security Program"), which will include, at a minimum, the following safeguards and controls:
      • Documented information security program and policies. Vendor shall implement and document a formal Information and Security Program including appropriate policies, standards, procedures, and risk assessments that are reviewed, and approved by Vendor, at least annually. The program will apply to Vendor’s employees, agents, subcontractors, and suppliers. Vendor will maintain a process to monitor and enforce Information and Security Program compliance and log Information and Security Program violations. The documented Information and Security Program shall include comprehensive information security policies approved by Vendor, a current copy or summary of which will be made available to Paramount upon request.
      • Security awareness training. Vendor shall provide periodic security training to its personnel and personnel of its Subcontractors on relevant threats and business requirements such as, but not limited to, social-engineering attacks, sensitive data handling, causes of unintentional data exposure, and security incident identification and reporting.
      • Physically limit access. Vendor shall enforce physical security to limit access to systems and facilities to only authorized individuals
      • Access controls. Vendor shall restrict access to Paramount Data and systems to only those personnel with a need-to-know for an authorized purpose. Vendor shall ensure the use of secure user authentication protocols, including the use of individual user IDs and adequate password security, with policies to block access to inactive users or in the event multiple unsuccessful attempts have been made to access a system or account.
      • Remote access; multi-factor authentication required. Vendor will implement multi-factor authentication (i.e., requiring at least two factors to authenticate a user) for remote access to (i) any network, system, application, or other asset containing Paramount Data; or (ii) Vendor’s corporate or development networks.
      • Account and password management. Vendor shall implement account and password management policies to protect Paramount Data and systems, including, changing default and manufacturer-supplied passwords before deploying new hardware, software, or other assets, require periodic password changes, require complex passwords, and storing passwords in an industry- accepted form that is resistant to offline attacks.
      • Secure configurations. Vendor shall manage security configurations of its systems using industry best practices to protect Paramount Data and systems from exploitation through vulnerable services and settings.
      • Controlled use of administrative privileges. Vendor shall limit and control the use of administrative privileges on computers, networks, and applications consistent with industry best practices.
      • Encryption. Vendor shall enforce strong protection for Paramount Data, including TLS 1.2+ or equivalent, and AES-128 bit encryption for all data at rest and in transit, with logged access.
      • Vulnerability and patch management. Vendor shall maintain a process to timely identify and promptly remediate system, device, and application vulnerabilities through patches, updates, bug fixes, or other modifications to maintain the security of Paramount Data and systems.
      • Maintenance, monitoring, and analysis of audit logs. Vendor will collect, manage, retain, and analyze audit logs of events to help detect, investigate, and recover from unauthorized activity that may affect Paramount Data. Logs will be kept and maintained for at least 18 months, at all times in compliance with Data Protection Laws.
      • Malware defences. Vendor shall deploy anti-malware software to, and configure, all workstations and servers on Vendor’s network to control and detect the installation, spread, and execution of malicious code.
      • Firewalls. Vendor shall maintain and configure firewalls to protect systems containing Paramount Data from unauthorized access. Vendor will review firewall rule sets at least annually to ensure valid, documented business cases exist for all rules.
      • Security testing. Vendor shall conduct periodic internal and external penetration testing of systems that process Paramount Data to identify vulnerabilities and attack vectors that can be used to exploit those systems. Identified vulnerabilities shall be addressed as part of Vendor’s vulnerability management program.
      • Business Continuity. Vendor shall maintain a business continuity plan that includes requiring, at a minimum, offsite backups of systems processing Paramount Data, version control system software to protect against loss of work product, and provisioning of adequate back-up facilities for any site that processes Paramount Data.
      • Third-party risk management. Vendor shall implement and maintain a third-party risk management program, including the execution of periodic risk assessments to evaluate the security posture of Vendor’s third parties and suppliers with access to Vendor’s Data and systems.
    • Compliance. Vendor shall make available to Paramount all information necessary to demonstrate compliance with its Information and Security Program, the Paramount Information Security Requirements, this DPA, the Agreement and Data Protection Laws, including (i) completing privacy and data security questionnaires upon Paramount request, (ii) allowing for and facilitating audits and inspections of Vendor and Subcontractor facilities conducted by Paramount or Paramount’s authorized representatives; (iii) permitting Paramount to regularly test Vendor’s compliance with the Paramount Information Security Requirements; and (iv) providing Paramount with accurate books and records (including, without limitation, all policies, procedures, papers, correspondence, data, information, reports, records, receipts, files, and other sources of information) consistent with generally accepted practices regarding Vendor’s performance under this DPA and the Agreement. Vendor shall, at its own cost, make any changes reasonably requested by Paramount to correct any compliance failures discovered during such audits, inspections, or tests.
    • Risk Assessment. Vendor agrees to participate in an annual risk assessment conducted by Paramount or its designee and to provide to Paramount (or its designee) any supporting documentation required during the risk assessment process, such as but not limited to, information security policies, standards, procedures, and if available, SOC2- Type1/Type2 reports, ISO27001/27002. Vendor shall also remediate any findings or deficiencies identified during Paramount’ risk assessments within a reasonable timeframe.
    • Software Security. If software is provided as a deliverable or as part of the service provided under the Agreement, Vendor shall have its software reviewed for security vulnerabilities by an independent third party that specializes in application security and provide Paramount the results of such review or, if Vendor has not performed such review, Vendor hereby consents to allow Paramount to commission such review by a third party at Paramount’s cost. Vendor shall reasonably cooperate with such review. Vendor shall promptly remediate security vulnerabilities identified and shall repeat the review for updates or new versions.
    • Background Checks. Paramount may require that Vendor representatives be subject to a lawful background check. Vendor shall cooperate with Paramount in connection with obtaining any necessary written consents in connection with any such background checks.
    • PCI DSS requirements. If, in the course of its Processing Paramount Data, Vendor has access to or will Process credit, debit, or other payment cardholder information, Vendor shall at all times remain in compliance with the Payment Card Industry Data Security Standard ("PCI DSS") requirements (in addition to in addition to other Security Requirements), and shall remain aware at all times of changes to the PCI DSS and promptly implement all procedures and practices necessary to remain in compliance with the PCI DSS.
  5. Security Incidents
    • Detection and Response. Vendor will deploy and follow policies and procedures to detect, respond to, and otherwise address Security Incidents including procedures to (i) identify and respond to reasonably suspected or known Security Incidents, mitigate harmful effects of Security Incidents, document Security Incidents and their outcomes, and (ii) restore the availability or access to Paramount Data in a timely manner.
    • Notice of Security Incident. If Vendor becomes aware of a Security Incident, or information that should reasonably lead Vendor to suspect a Security Incident has occurred, Vendor shall notify Paramount without undue delay (and in any event within 24 hours), and on an ongoing basis provide the following information as soon as possible: (a) the segment and quantity of Paramount Data affected (including whether Paramount Personal Data was affected), (b) the nature of the intrusion (if applicable), (c) any indication of likely unauthorized use of Paramount Data, and the corrective action taken or to be taken by Vendor, and, (d) all other available details required under applicable laws, including Data Protection Laws, for Paramount to comply with its own investigation and notification obligations to regulatory authorities or individuals affected by the Security Incident.
    • Remediation Efforts. Following any Security Incident, Vendor shall consult in good faith with Paramount regarding remediation efforts that may be necessary and reasonable ("Remediation Efforts"). Vendor shall (i) undertake any Remediation Efforts requested by Paramount or any government agency with jurisdiction over Vendor, in either case at Vendor’s sole expense, (ii) ensure and provide assurance (including written evidence) to Paramount that reasonable measures were and are being taken to prevent recurrence of the same or similar type of Security Incident, and (iii) reasonably cooperate with any Remediation Efforts undertaken by Paramount. Unless prohibited by law, Paramount has the right to control the breach notification process, and Vendor shall not notify any affected individuals nor any government entity about the Security Incident without written authorization from Paramount.
    • Reimbursement. Without limiting Paramount’s other rights, Vendor shall reimburse Paramount for all costs and expenses of Remediation Efforts and regulatory fines incurred by Paramount as a result of any Security Incident related to Paramount Data while under the control or possession of Vendor.
    • Cooperation. Vendor shall provide all assistance to Paramount as is reasonably necessary for Paramount to meet its obligations under Data Protection Laws.
  6. Subcontractors.
    • Vendor shall not disclose, enable Processing of, or otherwise make accessible any Paramount Data to any Subcontractor without the prior written consent of Paramount for each Subcontractor and for each location at which such Subcontractor will provide Services on behalf of Vendor. Notwithstanding anything to the contrary herein: (i) Vendor shall be responsible for all acts and omissions of any Subcontractor; and (ii) Vendor shall require each of its Subcontractors, as a condition of performing work under the Agreement, to enter into a written agreement with the Vendor that contains obligations of confidentiality, security, and privacy at least as strict as those contained in this DPA and the Agreement.
    • Vendor shall ensure that each Subcontractor that Processes or otherwise accesses Paramount Data (i) is competent to perform the Services subcontracted to it in conformance with the standards of this DPA and the Agreement and (ii) has adopted and adequately implemented comprehensive written protocols to carry out the obligations of confidentiality, security, and privacy required by this DPA and the Agreement. Vendor further agrees that it shall closely monitor all work by each Subcontractor for compliance with this DPA and the Agreement and prevent Subcontractors from further assigning or subcontracting any part of their work without the prior express written consent of Paramount.
    • Vendor shall ensure that all Vendor or Subcontractor personnel engaged in Processing of Paramount Data (i) are duly authorized to Process Paramount Data only as set forth in this DPA and the Agreement and (2) have committed themselves to maintaining the confidentiality of Paramount Data or are under an appropriate legal obligation of confidentiality.
    • Vendor shall ensure all Subcontractors that are Processing Paramount Data comply with all terms of this DPA and the Agreement and shall be liable for any breach by Subcontractor of the terms of this DPA and the Agreement.
  7. International Data Transfer

    The parties acknowledge that the provision of the services under the Agreement may require the transfer or Processing of Personal Data within and across national boundaries ("International Data Transfers"). Vendor represents warrants, and covenants that it has complied and will comply (and has contractually obligated each of its Subcontractors to comply) with all Data Protection Laws applicable to such International Data Transfers. Notwithstanding the generality of the foregoing, the parties agree to the following with respect to International Data Transfers:

    • In the event that the provision of the Services involves the transfer of Personal Data from the UK, Switzerland or EEA to outside the UK, Switzerland or EEA (either directly or via onward transfer) to any country or recipient which has not been recognized by the European Commission as offering an adequate level of protection for Personal Data transferred to it from the EEA, Vendor and Paramount agree to comply with the European Model Clauses, which shall be deemed incorporated into and form part of this DPA. For the purposes of the European Model Clauses, Paramount will be regarded as the Data Exporter and Vendor will be regarded as the Data Importer. The description and details of transfers, for the purposes of the European Model Clauses, is set forth in the applicable exhibit or annex to the Agreement relating to such transfers.
    • In the event that the provision of the services involves the transfer of Personal Data from Argentina to outside of Argentina (either directly or via onward transfer), Vendor and Paramount agree to comply with the Argentinian Model Clauses. The description and details of transfers, for the purposes the Argentinian Model Clauses, is set forth in the Agreement relating to such transfers.
    • Vendor represents and warrants that neither Vendor nor, to Vendor’s knowledge, any of its Subcontractors, have received a request from any Governmental Entity for access to European Personal Data Processed by such Vendor or Subcontractor in connection with the services or substantially similar services for other clients. Vendor covenants to immediately notify Paramount in the event that, in Vendor’s opinion: (i) any International Data Transfers performed under this Agreement would be in breach of the European Model Clauses, Argentinian Model Clauses, or applicable Data Protection Laws governing such International Data Transfers or (ii) Vendor is unable to provide an adequate level of protection for Paramount Personal Data under applicable Data Protection Laws (each an "Inadequacy Notice"). Upon receipt of an Inadequacy Notice from Vendor, Paramount shall be entitled to terminate the Agreement with no further expenses, costs, or liabilities.
    • In the event that any additional Data Protection Laws become effective during the Agreement which impose restrictions on the cross-border transfer of Personal Data that are not contemplated herein, the Parties agree to meet in good faith to complete any formalities and enter into any documents as may be required by such Data Protection Laws.
  8. Deletion of Paramount Data; Preservation.
    • Without limiting any obligation in the Agreement, and subject to Vendor’s retention obligations under applicable laws, rules and regulations, including Data Protection Laws, Vendor shall, and shall cause its Subcontractors to, immediately, securely destroy (by making unreadable, un-reconstructable, and indecipherable) any or all Paramount Data (including, without limitation, all electronic copies on hard drives, backup media, portable devices, optical, magnetic, or other storage media, as well as hard copies) upon the earlier to occur of the following: (a) termination or expiration of the Agreement or any applicable statement of work, work order or similar transaction document for any reason; or (b) cessation of Vendor’s need to retain such Paramount Data to perform the Services. Vendor shall certify in writing that such destruction has been completed. If Paramount requests return or transfer of all or a portion of such Paramount Data prior to the destruction described above, Vendor shall promptly return to Paramount, at no cost to Paramount, all such Paramount Data, through a secure method designated by Paramount, or shall promptly transfer such Paramount Data to Paramount’s designee, in accordance with the instructions of, and using the secure method prescribed by, Paramount, following Paramount’s written demand therefor. In either event, Vendor shall promptly provide Paramount with a certification by an officer of Vendor that all Paramount Data has been removed from Vendor’s and any Subcontractor’s possession and/or control. If Vendor is required to retain Paramount Data pursuant to applicable laws, rules and regulations, including Data Protection Laws, Vendor shall so inform Paramount of such requirement.
    • If Paramount notifies Vendor in writing that particular Paramount Data may be Paramount attorney-client communication or attorney work-product, then Vendor shall (i) not take any action that would result in waiver of such privilege or work product immunity through the acts or omissions of Vendor or its Subcontractors, (b) if required by Paramount, immediately terminate the ability of any users of the applicable software or services to share such Paramount Data with third parties and (c) instruct all Vendor personnel who may have access to such Paramount Data to maintain such Paramount Data as strictly confidential.
    • If Vendor is required by law or by interrogatories, written requests for information or documents by a Governmental Entity, subpoena, civil investigative demand or similar legal process to disclose any Paramount Data that may be within a Vendor’s attorney- client or work-product privileges, then Vendor must provide (unless prohibited by applicable law) Paramount with prompt, written notice of such request or requirement so that Paramount may at its own expense seek an appropriate protective order or the continued confidential treatment of the requested information or documents.
    • Vendor shall comply with Paramount requirements regarding the preservation and production of Paramount Data held by Vendor that is relevant for legal and regulatory proceedings or investigations.
    • To the extent that Vendor is required to retain Paramount Data, this DPA and the Agreement will continue to apply in their entirety to such Paramount Data and Vendor’s Processing thereof.
  9. Indemnification. As an additional indemnification obligation under the applicable provision of the Agreement, Vendor will defend, indemnify and hold Paramount, its Affiliates, and their respective officers, directors, employees and agents, harmless from and against any and all claims, suits, causes of action, liability, loss, costs and damages, including reasonable attorney fees, arising out of or relating to any third-party claim arising from (i) failure by Vendor, its employees or Subcontractors to comply with any of its obligations contained in this DPA; (ii) Vendor‘s performance, purported performance or non-performance of its obligations contained in this DPA; and (ii) any security incident, except in each case to the extent resulting from the acts or omissions of Paramount. Notwithstanding any terms of the Agreement to the contrary, any limitation of liability with respect to indemnification set forth in the Agreement shall not apply to the indemnification obligations set forth above.
  10. Survival. Vendor’s data protection obligations in the Agreement, including its obligations under this DPA, shall continue for so long as Vendor, or any of Vendor’s Subcontractors, continues to Process Paramount Data on behalf of Paramount, even if the Agreement has expired or been terminated.