Addendum
Data Privacy and Information Security

This Data Privacy and Information Security Addendum (the "Addendum") sets forth the terms and conditions relating to the privacy, confidentiality and security of Personal Data (as defined below), and supplements the MKS Terms and Conditions of Purchase, located at https://www.mksinst.com/purchaset-c/ and together the documents make up the "Agreement". For purposes of this Addendum, MKS Instruments, Inc., and its affiliates, are the Controller and Supplier is the Processor.

Any terms capitalized in this Addendum, not otherwise defined herein, shall have the meaning given to them in the MKS Terms and Conditions of Purchase. Except as modified below, the terms of the MKS Terms and Conditions of Purchase shall remain in full force and effect.

"Personal Data" means any information relating to an identified or identifiable individual (including, but not limited to, a person's name, postal address, email address, telephone number, date of birth, Social Security number or its equivalent, driver's license number, account number, credit or debit card number, personal identification number, health or medical information, information relating to an individual's economic or social identity) and any other information classified and protected as personal data or equivalent under applicable privacy or data security laws, including but not limited to the EU General Data Protection Regulation 2016/679 (the "GDPR") and the California Consumer Privacy Act (the "CCPA").

"Process" or "Processing" means any operation or set of operations performed upon Personal Data, including but not limited to accessing, obtaining, storing, transmitting, using, maintaining, disclosing or disposing of Personal Data.

"Security Incident" means any actual or reasonably suspected loss, theft, misappropriation, unauthorized use, and/or disclosure of access to Personal Data, including any access to or use of or issue relating to the Supplier systems that store or access any Personal Data and that may compromise the privacy, confidentiality or security of such Personal Data.

"Sell", "Selling", or "Sale" means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means an individual's Personal Data by a business to another business or any third party for monetary or other valuable consideration.

  1. Supplier shall solely Process Personal Data only on behalf of and for the benefit of Controller and only as necessary for Supplier to carry out its obligations pursuant to the Agreement and in accordance with Controller's written instructions (which may be in the form of the terms of a contract) or as required by any applicable law to which Supplier is subject, in which case Supplier shall immediately notify Controller of any requirements before Processing such Personal Data. Further, to the extent any of Controller's instructions regarding processing infringe the applicable data privacy laws, Supplier shall immediately notify Controller.
  2. As between Supplier and Controller, Controller owns all Personal Data provided by or on behalf of Controller to Supplier in connection with the Services. Supplier shall not Sell any of the Personal Data it receives from MKS to any third party or affiliate, without MKS' prior written consent at MKS' sole discretion.
  3. Supplier shall not subcontract or delegate any part of the Processing of Personal Data nor provide access to the Personal Data to any third party, without MKS' prior written consent at MKS' sole discretion. Supplier shall ensure that its employees, agents, authorized subcontractors and other third parties with access to such Personal Data comply with all applicable laws related thereto and the terms of this Addendum. Supplier shall limit access to Personal Data to those employees, agents, and authorized subcontractors who have a need to know the Personal Data in order for Supplier to provide the Services to Controller and who have agreed in writing to protect the Personal Data in compliance with applicable laws and Controller's policies including, without limitation, commitments of confidentiality by contract or otherwise under statutory obligations of confidentiality.
  4. Supplier shall document, implement and maintain processes, systems and technical, physical and administrative information security safeguards to protect Personal Data that are appropriate and commensurate to the risk associated with the relevant Processing activities. Supplier represents and warrants that it will comply with all applicable data privacy and security laws (including, but not limited to the GDPR and any local Member State laws) in Processing the Personal Data.
  5. Supplier will not access, transfer or store the Personal Data outside of the jurisdiction in which the Personal Data was provided, unless otherwise expressly authorized in writing by Controller in connection with the Services. In the event that Supplier or a third party working on Supplier's behalf needs to transfer Personal Data in connection with the Services, Supplier shall ensure that it has established a legal basis for such transfer pursuant to applicable data privacy laws relating to cross border transfers of Personal Data. If requested by Controller in connection with the Services, Supplier agrees to enter into one or more Standard Contractual Clauses for Processors to effectuate a legal basis for data transfers from the European Union to the United States (or any country deemed inadequate).
  6. When Personal Data is no longer necessary for the performance of the Services, or promptly upon expiration or termination of the Agreement (whichever is earlier), or at such earlier time if requested by Controller, Supplier shall, in Controller's discretion, return to Controller or destroy and certify such destruction in writing to Controller, all Personal Data (including any copies or backups of that data in any media) in Supplier's possession, custody or control, subject to any right to ongoing storage of the Personal Data covered by applicable laws in the relevant jurisdiction.
  7. Supplier shall notify Controller within 24 hours of any Security Incident. In the event of a Security Incident, Supplier shall (i) conduct a reasonable investigation of the cause of the Security Incident, (ii) immediately use best efforts to promptly take all actions to rectify, prevent, contain, mitigate and remediate the Security Incident, (iii) cooperate with Controller in providing information to Controller as requested relating to the Security Incident, (iv) if requested by Controller, provide notice to individuals whose Personal Data was affected by the Security Incident in a manner and format determined by Controller, as well as to any third party law enforcement or regulatory agencies, provided that Controller retains the right, in its sole discretion, to provide any reasonably required information relating to the Security Incident to third parties or employees that may have been affected by the Security Incident. Supplier agrees to defend, indemnify and hold Controller harmless from and against any and all third party claims and resulting damages and losses relating to (a) a Security Incident or (b) Supplier's breach of the terms of this Addendum.
  8. Upon request by Controller in the event of a subject access request, portability or other similar request to produce or delete Personal Data, Supplier shall comply with Controller's request to produce or remove such Personal Data entirely and cooperate with Controller's instructions to comply with applicable laws related thereto. If Supplier directly receives any such request, Supplier shall immediately notify Controller. Supplier shall have the appropriate technical and organizational measures in order to respond to such requests.
  9. To the extent that Controller deems a Processing activity to be high risk or otherwise requires a privacy impact assessment, Supplier shall cooperate with Controller to complete the privacy impact assessment and produce any information, policies, security assessments and related procedures required by Controller to fulfill such request.
  10. Controller retains the right to conduct an audit at any time of Supplier's (and its third party suppliers') facilities, networks, policies and procedures to ensure compliance with this Addendum and with applicable law.

DPA_2019_08_14 (v.2)