Enterprise services

This data processing addendum (the “Addendum”) is incorporated into the Agreement (as defined below). Capitalised terms used herein but not defined will have the meanings ascribed to them in the Agreement. In the event of any conflict or ambiguity between this Addendum and the provisions of Agreement, this Addendum will prevail.

1. Definitions.

1.1 Adequate: a country or scheme which has been approved (i) by the European Commission pursuant to Article 45 of the GDPR or (ii) under the Data Privacy Laws of the applicable exporting country, as ensuring an adequate level of protection for the processing of personal data without the implementation of additional safeguards such as SCCs.

1.2 Agreement: the governing agreement or, where such agreement is a master or framework with call-off orders, the applicable order to which the services described herein relate.

1.3 Customer: the customer entity that has executed the Agreement.

1.4 Data Privacy Laws: all applicable laws, regulations, and regulatory guidance in relation to the Processing or protection of personal data, including but not limited to GDPR, UK GDPR, and the Californian Consumer Privacy Act 2018.

1.5 GDPR: the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data).

1.6 UK GDPR: GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018, and applicable secondary legislation made under that Act.

1.7 Personal Data Breach: a breach of SLB’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

1.8 Services: the Software-as-a-service, support and maintenance services, and/or other technology services as described in the Agreement and for which purposes SLB will process Customer Personal Data.

1.9 SCCs: the standard contractual clauses for use in relation to exports of personal data from the EEA approved by the European Commission under Commission Implementing Decision 2021/914, as may be amended or replaced from time to time (the “EU SCCs”) or such other standard data protection clauses approved pursuant to the Data Privacy Laws of the applicable exporting county from time to time to enable exports of personal data from that country.

1.10 SLB: the SLB entity that has executed the Agreement.

1.11 Sub-processor(s): any third party or SLB Affiliate who processes Personal Data on behalf of SLB for the purpose of providing the Services.

1.12 The terms “personal data”, “data subject”, “processing”, “controller” and “processor” will have the meanings ascribed to them in GDPR) irrespective of whether GDPR applies.

2. Description of the Processing.

The details of the processing are as follows:

a. Subject Matter: SLB’s provision of the Services.

b. Duration: the term of the Agreement, including any post-termination retention as set out therein.

c. Nature and Purpose:

i. to provide the Services as described;

ii. to support, maintain, and secure the Services including providing user support services; monitoring and maintaining performance, functionality, and security of the Services; and updating and improving the Services to provide a better user experience, availability, quality, and security.

d. Types of Personal Data: personal data related to individuals provided to SLB via the Services or by, or at the direction of, Customer or its personnel which may include name, email address, contact information, job title, location data, IP address, and device, technical, usage or statistical information.

e. Categories of Data Subjects: Customer personnel (which may include employees, agents, contractors, advisors, consultants and other individuals authorised by customer).

3. Obligations of the Parties.

3.1 Customer will be the controller and SLB the processor. Each Party will comply with the obligations applicable to it under the Data Privacy Laws in exercising its rights and performing its obligations under the Agreement.

3.2 Customer instructs SLB to process personal data for the specific purpose set out in Section 2 above and only in accordance with the terms of this Addendum (the “Instructions”). SLB will only process personal data in accordance with such Instructions unless required by applicable law, in which case SLB will inform Customer of the requirement prior to processing. SLB will not, unless otherwise permitted by applicable Data Privacy Laws, sell Customer personal data or otherwise retain, use, or disclose Customer personal data it processes under this Addendum outside of the scope of the Agreement or its business relationship with Customer.

3.3 SLB will immediately notify Customer if, in SLB’s opinion, the Instructions infringe applicable Data Privacy Laws or SLB is unable to comply with the Instructions, in each case unless notification is prohibited under applicable Data Privacy Laws.

4. Security.

4.1 SLB will implement and maintain appropriate technical and organisational measures to protect personal data against a Personal Data Breach. Where the Agreement includes specific cyber security measures, those measures will apply and Customer agrees that those measures are appropriate, given the nature of the personal data to be processed and the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction, disclosure, access or damage.

4.2 SLB will ensure that all persons authorised to process personal data are under an obligation of confidentiality and that such persons access personal data only as strictly necessary to comply with the Instructions.

4.3 In the event of a Personal Data Breach SLB will notify Customer without undue delay after having become aware of the breach. Such notification will contain, at least:

a. a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);

b. the details of a contact point where more information concerning the Personal Data Breach can be obtained; and

c. its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.

4.4 Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification will contain the information then available and further information will, as it becomes available, subsequently be provided without undue delay.

4.5 In no event will a notification of or response to a Personal Data Breach by SLB be construed as an admission of any fault or liability with respect to such Personal Data Breach.

5. Sub-processors.

5.1 Customer authorizes and consents to the engagement of Sub-processors as set out at SLB Sub-Processors. SLB will provide Customer with notice of the engagement or any new Sub-processor at least thirty (30) days prior to the commencement of processing by such Sub-processor. If, within thirty (30) days of that notice, Customer notifies SLB in writing of any objections (on reasonable grounds related to the processing of personal data), SLB will not permit commencement of processing by the new Sub-processor until it has taken reasonable steps to address the objections of Customer and provided Customer with a reasonable explanation of the steps taken.

5.2 When engaging any Sub-processor, SLB will ensure that the Sub-processor is bound by a written agreement which reflects in substance, the same obligations as the ones imposed on SLB herein. SLB will remain responsible for the performance of each Sub-processor’s obligations in accordance with the terms of this Addendum.

6. Data Transfers.

6.1 Customer acknowledges that the provision of the services may involve the transfer of personal data to any country in which SLB or its Sub-processors maintain facilities, including to countries which have not been deemed Adequate.

6.2 Customer expressly consents to the transfer or processing of personal data to countries not deemed Adequate provided that: (i) to the extent the export is between Customer and SLB, the Parties agree that the SCCs will apply in accordance with Appendix 1 to any relevant transfer and such SCCs will be deemed incorporated and effective from the date of the first relevant transfer; and (ii) SLB will ensure that applicable SCCs are in place between itself and any relevant sub-processors.

7. Assistance to Customer.

Taking into account the nature of processing and the information available to SLB, SLB will provide reasonable support to Customer: (i) in complying with any request for access, rectification, erasure, portability, or the right to restrict or object to certain processing made by a data subject under the applicable Data Privacy Laws (and where such request is submitted to SLB, SLB will promptly notify Customer of the request and will not respond itself, unless authorised to do so by Customer); (ii) in responding to requests or demands made to Customer by any court or governmental authority responsible for enforcing privacy or data protection laws; or (iii) in Customer’s preparation of a Data Protection Impact Assessment.

8. Requests for Personal Data.

8.1 If SLB (i) receives a legally binding request from a governmental authority, including judicial authorities or (ii) becomes aware of any direct access by a governmental authority to personal data transferred pursuant to these clauses, it will:

a. if legally permitted, notify Customer and assist Customer (at Customer’s cost) in seeking a protective order or other appropriate remedy;

b. if SLB is prohibited from notifying Customer:

i. use commercially reasonable efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible;

ii. review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting governmental authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. SLB will, under the same conditions, pursue possibilities of appeal; and

iii. provide Customer, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received.

8.2 If disclosure is required SLB will seek to provide to the governmental authority the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

9. Audit.

In order demonstrate compliance with the terms of this Addendum (including any applicable SCCs), upon request from Customer (such request to be made no more than once annually), SLB will provide to Customer such summary reports and/or other information as necessary and available to SLB. Any such reports and/or information will be deemed Confidential Information under the Agreement. To the extent such information does not reasonably satisfy Customer’s audit requirements under the Data Privacy Laws, SLB will allow Customer, at Customer’s sole cost, to conduct a security audit (including inspection) in accordance with the terms of this Section to verify SLB’s compliance with its obligations under this Addendum. Any audit will be subject to the following: (i) the parties will mutually agree upon the scope, date, timing, duration, and applicable security and confidentiality controls in advance of the audit; (ii) the audit will be conducted, no more than once annually, by an independent, accredited third-party audit firm, during regular business hours; and (ii) neither Customer nor the auditor will have access to any data of SLB’s other customers or to systems or facilities not involved in the Services provided to Customer. Under no circumstances will Customer or the auditor be permitted to conduct penetration tests of SLB’s systems.

10. Data Deletion.

SLB will delete personal data at any time during the Term of the Agreement on Customer’s written request. On expiry or termination of the Agreement, SLB will delete all personal data (subject to any data retention rights or obligations set out in the Agreement).

Appendix 1: Additions and details to the SCCs

EU SCCs

Where Customer is an EEA/EU incorporated entity, the EU SCCs Controller-to-Processor or Processor-to-Processor, as applicable will apply to relevant exports.

UK IDTA

The International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, version B1.0, in force 21 March 2022 (UK IDTA) will apply to relevant exports from the UK in accordance with the following:

1. Tables 1-3 will be interpreted in accordance with the EU SCCs Controller-to-Processor or Processor-to-Processor, as applicable.

2. Table 2: The “version of the Approved EU SCCs which this Addendum is appended to” option is selected.

3. Table 4: Importer and Exporter are selected.

Switzerland

For personal data subject to the Swiss revised Federal Act on Data Protection of 25 September 2020 (and associated Ordinances) (the “FADP”), the EU SCCs will apply subject to the following modifications:

1. Any reference to the EU GDPR will be interpreted as a reference the FADP insofar as the data transfers are subject to the FADP.

2. The Swiss Federal Data Protection and Information Commissioner will be deemed to the competent supervisory authority for data transfers subject to FADP.

3. The term ’member state’ shall not be interpreted in such a way as to prevent data subjects in Switzerland from exercising and/or enforcing their rights in Switzerland.

Other SCCs

In the event SCCs other than the EU SCCs or UK ITDA apply, the EU SCCs (with the adjustments noted above) will apply to the fullest extent possible to provide appropriate safeguards.