MERCER MOBILITY EXCHANGE™

SOFTWARE LICENSE AGREEMENT

IMPORTANT - PLEASE READ CAREFULLY BEFORE USING THE SYSTEM

THE COPYRIGHT, DATABASE RIGHTS AND ANY OTHER INTELLECTUAL PROPERTY RIGHTS IN THE PROGRAMS, TOOLS, MODULES, DOCUMENTATION, INFORMATION, SURVEY MATERIALS, AND DATA CONTAINED WITHIN THE MERCER MOBILITY EXCHANGE ARE AND REMAIN THE PROPERTY OF MERCER (US) INC. (“MERCER”). YOU ARE LICENSED TO ACCESS AND USE THE MERCER MOBILITY EXCHANGE ONLY IF YOU ACCEPT ALL THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT (THE “LICENSE”). IF AN AFFILIATE OF MERCER HAS SUPPLIED ACCESS TO THIS SOFTWARE, THE AFFILIATE HAS AUTHORITY TO ENTER INTO THIS LICENSE ON MERCER’S BEHALF, AND ALL REFERENCES TO MERCER HEREIN INCLUDE REFERENCES TO SUCH AFFILIATE.

WHEN YOU CLICK "I accept these terms" BELOW TO ACCEPT THIS LICENSE, YOU AGREE THAT THE MERCER MOBILITY EXCHANGE IS INTENDED ONLY FOR INTERNAL USE FOR INFORMATION PURPOSES ONLY BY THE ORGANIZATION WHOSE FULL CORPORATE NAME HAS BEEN IDENTIFIED TO MERCER IN THE ORDER FORM (THE “ORDER”) AS THE CLIENT (“CLIENT”). BY PROCEEDING AND ACCESSING THE MERCER MOBILITY EXCHANGE, YOU REPRESENT AND WARRANT THAT YOU ARE AUTHORIZED TO ACCEPT THE TERMS AND CONDITIONS OF THIS LICENSE ON BEHALF OF THE CLIENT. ACCORDINGLY, REFERENCES TO “YOU” MEAN REFERENCES TO THE CLIENT. THE MERCER MOBILITY EXCHANGE AND THE INFORMATION AND DATA CONTAINED THEREIN MAY NOT BE COPIED, MODIFIED, SOLD, TRANSFORMED INTO ANY OTHER MEDIA, OR OTHERWISE TRANSFERRED IN WHOLE OR IN ANY PART TO ANY PARTY OTHER THAN THE CLIENT AND ITS PRESCRIBED USERS (THE “USERS”), WITHOUT PRIOR WRITTEN CONSENT FROM MERCER. ACCESSING THIS INFORMATION EITHER THROUGH ONLINE ACCESS, PDF, OR XLS, MEANS THAT YOU HAVE ACCEPTED DELIVERY OF YOUR REPORTS AND THE TERMS OF THIS LICENSE AGREEMENT AND THAT YOU AGREE TO PAY THE INVOICE, IF FEES APPLY.

YOU SHOULD THEREFORE READ THIS LICENSE CAREFULLY BEFORE CLICKING ON “I accept these terms” BELOW OR ACCESSING THE MERCER MOBILITY EXCHANGE. IF YOU DO NOT ACCEPT THE TERMS AND CONDITIONS OF THIS LICENSE, YOU CANNOT ACCESS THE MERCER MOBILITY EXCHANGE. IF IT HAS BEEN MORE THAN THIRTY (30) DAYS SINCE THE MERCER MOBILITY EXCHANGE HAS BEEN MADE AVAILABLE TO YOU AND YOU HAVE NOT ACCESSED IT, NO REFUNDS WILL BE PROVIDED.

1. LICENSE

1.1 Subject to the terms and conditions of this License and upon receipt of full consideration, Mercer agrees to grant you a limited, non-exclusive license to access and use the Mercer Mobility Exchange on personal computers or a local area network in the normal places of business of your company, or through a secure remote network access facility provided by you. The Mercer Mobility Exchange and the information and data contained therein is for your internal research and analysis purposes only. You will not provide access to the Mercer Mobility Exchange, or to any information contained therein, to anyone other than the prescribed Users. Mercer has the right at any time to receive full and complete reporting from you of these locations and the individuals provided with access to the Mercer Mobility Exchange.

1.2 Information to be provided

1.2.1. Any information that you are required to supply (or which is supplied on your behalf) is expected to be accurate and complete. You remain accountable for the accuracy of your data. Problems with information quality and/or delays in providing such information may result in inaccurate calculations.

1.2.2. You acknowledge and accept that all figures contained in surveys/questionnaires will be estimates derived from sample surveys and subject to the limits of statistical errors/rounding up or down.

2. DISCLAIMER OF WARRANTIES

2.1 EXCEPT AS EXPRESSLY SET OUT IN THIS LICENSE, MERCER MAKES NO WARRANTIES OR REPRESENTATIONS WITH RESPECT TO THE MERCER MOBILITY EXCHANGE OR ANY PART THEREOF, AND DISCLAIMS ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES OF ANY KIND TO YOU OR ANY THIRD PARTY, INCLUDING, BUT NOT LIMITED TO, REPRESENTATIONS AND WARRANTIES REGARDING ACCURACY, TIMELINESS, COMPLETENESS, MERCHANTABILITY, FITNESS FOR ANY PARTICULAR PURPOSE, NON-INFRINGEMENT OF THIRD PARTY RIGHTS, AND/OR FREEDOM FROM COMPUTER VIRUS. YOU ASSUME THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE MERCER MOBILITY EXCHANGE.

2.2 YOU ACCEPT THE MERCER MOBILITY EXCHANGE ON AN “AS IS” AND “AS AVAILABLE” BASIS. YOU ACKNOWLEDGE THAT THE MERCER MOBILITY EXCHANGE AND THE INFORMATION AND DATA PROVIDED THEREIN ARE FOR GENERAL INFORMATION AND USE ONLY. IN PARTICULAR, THE MERCER MOBILITY EXCHANGE DOES NOT CONSTITUTE ANY FORM OF ADVICE, RECOMMENDATION, REPRESENTATION, OR ARRANGEMENT BY MERCER. MERCER DOES NOT WARRANT THE ACCESS OR USE OF THE MERCER MOBILITY EXCHANGE OR THE INFORMATION AND DATA PROVIDED THEREIN IN ANY SPECIFIC SITUATION OR FOR ANY SPECIFIC APPLICATION, NOR DOES MERCER WARRANT THAT THE MERCER MOBILITY EXCHANGE WEB SITE WILL BE ACCESSIBLE AT ALL TIMES OR THAT IT WILL BE ERROR FREE.

2.3 MERCER MAKES NO WARRANTIES OF ANY KIND AS TO THE ACCURACY OF THE DATA OR ASSUMPTIONS CONTAINED IN OR ENTERED INTO THE MERCER MOBILITY EXCHANGE, NOR DOES IT ASSUME ANY RESPONSIBILITY FOR THE CONSEQUENCES OF ANY ERRORS OR OMISSIONS. YOU ASSUME THE ENTIRE LIABILITY AND RESPONSIBILITY FOR THE DATA AND ASSUMPTIONS ENTERED BY USERS INTO ANY PARTS OF THE MERCER MOBILITY EXCHANGE THAT HAVE THE FUNCTIONALITY TO RECEIVE USER DATA AND FOR ANY REPRESENTATIONS OR CONCLUSIONS DRAWN FROM SUCH DATA OR ASSUMPTIONS.

2.4 MERCER ASSUMES NO RESPONSIBILITY FOR THE EFFECTIVENESS OF ANY ENCRYPTED DATA, NOR WILL IT GUARANTEE THAT AN ENCRYPTION ALGORITHM WILL BE INDECIPHERABLE. MERCER MAKES NO CLAIMS OR WARRANTIES REGARDING THE VIABILITY, INTEGRITY OR INVINCIBILITY OF THE ENCRYPTION USED, NOR WILL MERCER ACCEPT RESPONSIBILITY FOR THE SUCCESS OR FAILURE OF THE SECURE SERVER TO PROPERLY ENCRYPT DATA. BY ACCESSING THE MERCER MOBILITY EXCHANGE, YOU ASSUME ANY RISKS THAT THE ENCRYPTION MAY BE DECIPHERABLE.

3. LIMITATION OF LIABILITY

3.1 EXCEPT IN RESPECT OF PERSONAL INJURY OR DEATH CAUSED DIRECTLY BY MERCER’S NEGLIGENCE, THE LIMIT OF MERCER’S OR ITS AFFILIATES’ LIABILITY TO YOU OR TO ANY THIRD PARTY FOR ANY AND ALL CLAIMS CONCERNING PERFORMANCE OR NON-PERFORMANCE BY MERCER OR ITS AFFILIATES RELATED TO MERCER’S OBLIGATIONS UNDER THIS LICENSE SHALL NOT, IN THE AGGREGATE, EXCEED THE GREATER OF THE FEES PAID BY YOU TO MERCER FOR ACCESS TO AND USE OF THE MERCER MOBILITY EXCHANGE (AS SPECIFIED IN THE ORDER) FOR THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE MONTH IN WHICH THE CLAIM OR CLAIMS ARISE, OR US$500.00 (U.S. FIVE HUNDRED DOLLARS).

3.2 IN NO EVENT SHALL MERCER OR ITS AFFILIATES BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, LOSSES OR EXPENSES, INCLUDING, WITHOUT LIMITATION: LOSS OF SALES OR REVENUES, LOSS OF GOODWILL, LOSS OF BUSINESS INFORMATION, OR LOSS OF SAVINGS OR PROFITS, BASED ON ANY THEORY OF LIABILITY ARISING OUT OF OR IN ANY WAY CONNECTED WITH: THIS LICENSE, THE ACCESS, USE OR INTERPRETATION OF THE INFORMATION ON THE MERCER MOBILITY EXCHANGE OR ANY INFORMATION ON A LINKED SITE, THE INABILITY TO USE SUCH INFORMATION, OR ANY FAILURE OF PERFORMANCE, ERROR, OMISSION, INTERRUPTION, DEFECT, DELAY IN OPERATION OR TRANSMISSION, COMPUTER VIRUS OR LINE OR SYSTEM FAILURE, WHETHER IN TORT (INCLUDING NEGLIGENCE OR STRICT LIABILITY), CONTRACT OR OTHERWISE. THIS PARAGRAPH APPLIES EVEN IF MERCER, OR REPRESENTATIVES THEREOF, ARE ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, LOSSES OR EXPENSES.

3.3 WITHOUT LIMITATION TO THE FOREGOING, YOU ACKNOWLEDGE THAT THE MERCER MOBILITY EXCHANGE AND THE ASSUMPTIONS, INFORMATION AND DATA CONTAINED THEREIN MAY BE INCOMPLETE OR CONDENSED AND THAT THE ASSUMPTIONS, INFORMATION AND DATA OBTAINED THROUGH YOUR ACCESS AND USE OF THE MERCER MOBILITY EXCHANGE ARE FOR GENERAL INFORMATION PURPOSES ONLY AND ARE NOT INTENDED AS, NOR IMPLIED TO BE, A SUBSTITUTE FOR PROFESSIONAL ADVICE. IN NO EVENT WILL MERCER OR ITS AFFILIATES BE LIABLE TO YOU OR TO ANY THIRD PARTY FOR ANY DECISION MADE OR ACTION TAKEN IN RELIANCE OF THE RESULTS OR CONCLUSIONS OBTAINED THROUGH THE ACCESS AND USE OF SUCH INFORMATION OR DATA.

3.4 YOU ACKNOWLEDGE THAT NO DEFENSE OR INDEMNITY OF ANY KIND IS PROVIDED HEREUNDER BY MERCER OR ITS AFFILIATES WITH RESPECT TO ANY CLAIM, DEMAND, CAUSE OF ACTION, COST, LOSS, DAMAGE, EXPENSE OR LIABILITY ARISING FROM OR BASED ON YOUR OR ANY THIRD PARTY’S USE OF OR INABILITY TO USE THE MERCER MOBILITY EXCHANGE.

3.5 SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF CERTAIN DAMAGES, SO THE ABOVE EXCLUSIONS MAY NOT APPLY TO YOU. YOU MAY HAVE OTHER RIGHTS WHICH VARY FROM COUNTRY TO COUNTRY. ANY RIGHTS WHICH YOU MAY HAVE AS A RESULT OF THE APPLICATION OF APPLICABLE LAWS IN THESE JURISDICTIONS SHALL NOT BE AFFECTED BY THIS DISCLAIMER OF LIABILITY.

4. INTELLECTUAL PROPERTY RIGHTS

4.1 You agree and acknowledge that the Mercer Mobility Exchange, including, without limitation, the information contained in its database, its table structures, queries, and reports, their arrangement, organization, and methods of interactions, the algorithms and other database artifacts, the site’s structure, all textual and graphical materials, and all technical information and other content appearing on this site and their modifications and enhancements, are confidential and trade secret information that is proprietary to and owned solely by Mercer, together with all related copyrights and trademarks. Mercer retains the exclusive and sole ownership of the Mercer Mobility Exchange, and Mercer retains the exclusive and sole ownership of their information and data, and all related intellectual property rights. Other confidential and trade secret information of Mercer may be revealed to you in the future.

4.2 You agree to hold all such proprietary and confidential information of Mercer in strictest confidence. You may not modify, sell, transfer or otherwise provide any of the proprietary and confidential information, in whole or in part, in any form to any person or entity who is not a User, the Client or an employee of Mercer who needs access to the information to facilitate your licensed access and use of the Mercer Mobility Exchange without Mercer’s prior written permission.

4.3 You may not create derivative works of, or decompile, reverse engineer, translate or disassemble the Mercer Mobility Exchange, in whole or in part, except as expressly permitted by applicable law.

4.4 You may not create or store in electronic form any shared library, data warehouse, archive, cache or frame of the data or information contained in the Mercer Mobility Exchange.

4.5 Nothing contained herein shall be deemed to confer by implication, estoppel or otherwise, any license or any other grant of right to use any trademark, copyright, or any other intellectual property right of Mercer or any third party. The “Mercer” name and the names of Mercer’s products referred to on the Mercer Mobility Exchange site are Mercer’s trademarks. All other product and company names belong to their respective owners. You agree that you will take no action inconsistent with this paragraph 4.5.

4.6 Except as required herein, you agree not to use Mercer’s intellectual property in the press and not to refer to Mercer or attribute any information to Mercer in the press, for advertising or promotional purposes, or for the purpose of informing or influencing any other party without Mercer’s prior written consent.

4.7 You will be responsible for any access to, or use or disclosure of Mercer’s confidential and proprietary information by you and, further, shall indemnify and hold harmless Mercer for any and all loss, damage or liability incurred by Mercer as a result of a breach by you or any other party to whom you may have provided access to the Mercer Mobility Exchange of any or all of the obligations contained in this License.

4.8 You may (subject to paragraph 4.9 below) access, extract and re-utilize any reports you generate from the Mercer Mobility Exchange for internal research purposes only in the normal course of business which is limited to: (i) making one or more copies in hard copy form of the reports provided that such copies may not be sold and may not be distributed to anyone who is not a User; and (iii) extracting, paraphrasing or summarizing the reports on an occasional, non-systematic and infrequent basis for internal redistribution via derivative works and/or reference certain information contained in the Mercer Mobility Exchange.

4.9 User access, as set out above, is subject at all times to: (i) persons to whom insubstantial parts of the Mercer Mobility Exchange or references to the Mercer Mobility Exchange are made available, are made aware that such parts or references may not be redistributed or sub-licensed; and (ii) such parts or references to the Mercer Mobility Exchange are properly attributed to Mercer.

4.10 Except as expressly permitted by this License, you will not: copy, cut and paste, email, reproduce, publish, distribute, redistribute, broadcast, transmit, modify, adapt, edit, abstract, create derivative works of, store, archive, publicly display, sell or in any way commercially exploit, in whole or in part, the Mercer Mobility Exchange, or set up derived databases or materials.

4.11 Mercer reserves the right to add to, remove from or edit the contents or change the form of the information provided within the Mercer Mobility Exchange at any time with or without notice.

4.12 Mercer reserves the right to monitor usage by you (in terms of volume, frequency or otherwise) of the Mercer Mobility Exchange during the term of this License. In case of unauthorized use of the Mercer Mobility Exchange by you, Mercer reserves the right to deny you access to the Mercer Mobility Exchange and associated services by blocking, without prior notification, the IP address(es) that you used to access the Mercer Mobility Exchange.

4.13 This License does not constitute a sale of the Mercer Mobility Exchange, or any part thereof and, except as expressly provided for in this Agreement, no rights or licenses, express or implied, are hereby granted to you in respect of the Mercer Mobility Exchange. You acknowledge that as between you and Mercer, Mercer (or its Suppliers) is throughout the world the owner of the Mercer Mobility Exchange. Nothing herein contained shall be construed so as to transfer any intellectual property rights whatsoever in the Mercer Mobility Exchange to you or the Client.

5. TECHNICAL SUPPORT

5.1 Throughout the term of the License, Mercer will provide you and where applicable the Client with reasonable technical support and training. Mercer reserves the right, with your prior written consent, to charge you an additional fee for this support. The level of technical support and/or training will be at Mercer’s sole discretion. Mercer will provide a help desk during normal business hours if you or the Client has any questions about how to access and use the Mercer Mobility Exchange.

5.2 You, or where necessary the Client, will be responsible for obtaining and maintaining all requisite computer systems, communication lines and equipment (the “Systems”) needed for access to and use of the Mercer Mobility Exchange and all charges related thereto. You, or where necessary the Client, acknowledge that the speed of the Mercer Mobility Exchange and the Services will depend upon the quality of your own Systems, connection to and extent of your use of the Internet.

6. USE OF THE INTERNET

You should be aware that the Internet is not a fully secure medium, and therefore confidentiality cannot be totally guaranteed. Mercer will not be liable for any harm or damage you, the Client or a third party may experience by sending privileged or confidential information to it over the Internet or by e-mail. The performance of the Internet may fluctuate and will be limited by the bandwidth of your connection to the Internet. Mercer makes no warranties or claims as to the performance of the Mercer Mobility Exchange system in your computer environment.

7. CONFIDENTIAL INFORMATION

7.1 You will keep confidential and will not share with any third party any password that is provided to you to access to the Mercer Mobility Exchange.

7.2 Mercer will regard and preserve as confidential the information that you input into the Mercer Mobility Exchange. Notwithstanding the foregoing, you hereby grant Mercer a perpetual, non-exclusive, royalty-free license to copy, modify and use any information and data supplied by you or on your behalf so that Mercer may create analytical trend data (in anonymous form) and in order to improve the quality of Mercer’s advice to its clients, including its use in Mercer’s surveys. Mercer will not disclose any information in a manner that allows particular clients or individuals to be identified. You request that the relevant personal data is appropriately anonymized. Notwithstanding the foregoing, you agree that your name may appear in a list of participating organizations for reports containing such analytical trend data.

7.3 You agree that Mercer may retain copies of the confidential information under a continuing duty of confidentiality for the purpose of complying with its legal and regulatory obligations and to defend its work product.

8. USE OF PERSONAL INFORMATION

Each of us and our respective Affiliates (as defined below) will comply with our respective obligations arising from data protection and privacy laws in effect from time to time to the extent applicable to this License and the access and use of the Services. This includes, without limitation, (i) the obligation, if any, of you or the Client’s Affiliates, to obtain any required consent(s) in respect of the transfer of information to Mercer by you, the Client or any third party relating to an identified or identifiable individual that is subject to applicable data protection, privacy or other similar laws (“Personal Information”), (ii) any obligation with respect to the creation or collection of additional Personal Information by Mercer, and (iii) any obligation with respect to the use, disclosure and transfer by Mercer of Personal Information as necessary with respect to access and use of the information on the Mercer Mobility Exchange or for Mercer to perform any services to you or the Client or as expressly permitted under this License. Subject to the section entitled “Your Confidential Information,” any use or processing by Mercer of Personal Information supplied by or on your behalf in connection with the Mercer Mobility Exchange shall be done solely on your behalf. Mercer shall handle such Personal Information in accordance with your reasonable instructions as may be provided from time to time or as reasonably necessary with respect to access and use of the information on the Mercer Mobility Exchange or for the purpose of providing any Services and shall not handle such Personal Information in a manner inconsistent with the terms of this License. Mercer also confirms that it has taken appropriate technical and organizational measures intended to prevent the unauthorized or unlawful processing of Personal Information and the accidental loss or destruction of, or damage to, Personal Information. To the extent you provide Mercer with any Personal Information from the European Union or Switzerland under this Agreement, the parties agree to comply with requirements of Schedule 1. For purposes of this License, “Affiliates” means, with respect to either party, any entity directly or indirectly controlling, controlled by or under common control with such party.

9. EXPORT/IMPORT RESTRICTIONS AND TARIFFS

The Mercer Mobility Exchange is not available through Mercer to any Restricted Entity. “Restricted Entity” shall mean any individual, organization or other entity owned or controlled by, or acting as an agent for, any person or entity who is the subject of an asset freeze or otherwise designated under United Nations Security Council Resolutions, or the trade sanctions laws of the U.S. or the EU, or other governments of jurisdictions in which you or the Client is based or operated and from which the Mercer Mobility Exchange may be accessed. Neither you nor the Client shall provide access to or use of the Mercer Mobility Exchange to anyone for use in any country or used in any manner prohibited by United States or European Union trade sanctions or export control laws, including the Export Administration Act or laws administered by the U.S. Department of the Treasury’s Office of Foreign Assets Control. Furthermore, you and the Client shall comply with any trade sanctions and export and import control laws of the countries and jurisdictions where you or the Client access and use the materials or receives copies of any technical information or other materials. Client agrees to indemnify, defend Mercer and hold Mercer harmless from any fines or other penalties arising from a violation of this Section 9. Client agrees to indemnify, defend Mercer and hold Mercer harmless from any tariffs, import or export taxes, levied with respect to its use of the Mercer Mobility Exchange by jurisdictions in which the Client uses it.

10. U.S. GOVERNMENT RESTRICTED RIGHTS

The Mercer Mobility Exchange and documentation are provided with Restricted and Limited Rights (as defined in DFAR). Use, duplication, or disclosure by the U.S. Government is subject to restrictions as set forth in DFAR Section 252.227-7013 or FAR Section 52.227-19, as applicable, and additional restrictions set forth in this License. Contractor/Manufacturer of the Mercer Mobility Exchange is Mercer (US) Inc., 400 West Market Street, Suite 700, Louisville, Kentucky 40202-3431.

11. UNFORESEEN EVENTS

Neither Mercer nor you can predict delays or failures in performance under the License resulting from events beyond their reasonable control. This, for example, includes 'acts of God,' fire, flood, riots, new laws which prevent the carrying out of any services, the results of terrorist activity, failures of third party suppliers, and electronic and other power failures. Should such circumstances arise, Mercer will use its reasonable endeavors to continue to provide access to the Mercer Mobility Exchange or any related services but recognizes that you or, where applicable, the Client, may not be able to wait while the matter is remedied. In such a case, either party may terminate the License with immediate effect by giving written notice to the other.

12. JURISDICTION

12.1 Each party hereby irrevocably agrees that this License and the Order and any controversy or claim of whatever nature arising out of or relating to them or breach thereof (save for any controversy or claim of whatever nature arising out of or relating to a breach of the payment terms (as set out in the Order)) shall be construed, interpreted and governed by the laws of the State of New York in the United States of America, without regard to the United Nations Convention on Contracts for the International Sale of Goods and any amendments thereto, the application of which is expressly excluded. The jurisdictional venue for any proceedings involving this Agreement and/or the Order shall be the exclusive jurisdiction of the United States Federal Courts for the Southern District of New York.

12.2 You acknowledge that Mercer will be irreparably harmed if your obligations under this License are not specifically enforced and that it would not have an adequate remedy at law in the event of an actual or threatened violation by you of your obligations. Therefore, you agree that Mercer will be entitled to an injunction or any appropriate decree of specific performance for any actual or threatened violations or breaches by you, or any of the Users, without the necessity of showing actual damages or that monetary damages would not afford an adequate remedy.

12.3 The English language version of this License shall prevail over any translation thereof into another language.

13. WAIVER OF TRIAL BY JURY

EACH PARTY, ON BEHALF OF ITSELF AND ITS AFFILIATES, TO THE FULLEST EXTENT PERMITTED BY LAW, KNOWINGLY, VOLUNTARILY, AND INTENTIONALLY WAIVES ITS RIGHT TO A TRIAL BY JURY IN ANY ACTION OR OTHER LEGAL PROCEEDING ARISING OUT OF OR RELATING TO THIS LICENSE, THE ACCESS, USE AND INTERPRETATION OF THE INFORMATION ON THE MERCER MOBILITY EXCHANGE, OR ANY SERVICES PROVIDED BY MERCER OR ITS AFFILIATES. THE WAIVER APPLIES TO ANY ACTION OR LEGAL PROCEEDING, WHETHER SOUNDING IN CONTRACT, TORT OR OTHERWISE. EACH PARTY AGREES NOT TO INCLUDE ANY EMPLOYEE, OFFICER, DIRECTOR OR TRUSTEE OF THE OTHER AS A PARTY IN ANY ACTION, PROCEEDING OR COUNTERCLAIM RELATING TO SUCH DISPUTE.

14. ENTIRE AGREEMENT

THIS LICENSE AND THE ORDER CONSTITUTE THE ENTIRE AGREEMENT BETWEEN YOU, THE CLIENT AND MERCER WITH RESPECT TO THE SUBJECT MATTER THEREOF AND SUPERSEDE ANY AND ALL PRIOR PROPOSALS, UNDERSTANDINGS, REPRESENTATIONS AND/OR AGREEMENTS, WHETHER ORAL OR WRITTEN, AND ALL OTHER COMMUNICATIONS BETWEEN THE PARTIES RELATING THERETO. INVOICES, PURCHASE ORDERS, PURCHASE ORDER ACKNOWLEDGMENTS AND ANY TERMS AND CONDITIONS SET FOR THE ON SUCH DOCUMENTS OR ANY SIMILAR DOCUMENTS SHALL BE FOR THE ISSUING PARTY’S INTERNAL PURPOSES ONLY. THE PARTIES SPECIFICALLY REJECT ANY SUCH TERMS AND CONDITIONS. ANY ADDITIONAL TERMS INCLUDED IN SUCH DOCUMENTS SHALL NOT BE CONSIDERED TO BE VALID OR IN ANY WAY INCORPORATED UNDER THIS AGREEMENT EVEN IF SUCH DOCUMENTS ARE ACKNOWLEDGED OR ACCEPTED BY THE RECEIVING PARTY.

WITH RESPECT TO THE MERCER MOBILITY EXCHANGE, IN THE EVENT OF ANY CONFLICT OR INCONSISTENCY BETWEEN A PROVISION OF THIS LICENSE AND A PROVISION OF ANY OTHER AGREEMENT BETWEEN YOU AND MERCER, THE APPLICABLE PROVISION OF THIS LICENSE SHALL CONTROL.

15. TRANSFER/ASSIGNMENT

15.1 ACCESS TO THE MERCER MOBILITY EXCHANGE IS LICENSED ONLY TO YOU (AND THE PERMITTED USERS). YOU MAY NOT RENT, LEASE, SUBLICENSE, SELL, ASSIGN, PLEDGE, TRANSFER OR OTHERWISE DISPOSE OF THE ACCESS TO THE MERCER MOBILITY EXCHANGE, OR ANY OF YOUR RIGHTS OR OBLIGATIONS UNDER THIS LICENSE, IN WHOLE OR IN PART, TO ANY OTHER PARTY, INCLUDING, WITHOUT LIMITATION, YOUR EMPLOYEES WHO ARE NOT USERS, ON A TEMPORARY OR PERMANENT BASIS, WITHOUT MERCER’S PRIOR WRITTEN CONSENT. ANY PURPORTED ASSIGNMENT IN VIOLATION OF THIS PARAGRAPH WILL BE VOID AND CONSTITUTE A MATERIAL BREACH OF THIS LICENSE.

15.2 MERCER MAY RENT, LEASE, SUB-LICENSE, SELL, ASSIGN, PLEDGE, TRANSFER, CHARGE OR OTHERWISE DISPOSE OF THIS LICENSE TO ANY AFFILIATE OF MERCER, AND WILL PROVIDE YOU WITH WRITTEN NOTICE OF THE AFFILIATE TO WHICH THE LICENSE HAS BEEN DISPOSED.

15.3 THIS LICENSE IS BINDING UPON AND SHALL INURE TO THE BENEFIT OF ALL PARTIES AND THEIR RESPECTIVE SUCCESSORS, HEIRS, EXECUTOR, ADMINISTRATORS, PERSONAL REPRESENTATIVES AND PERMITTED ASSIGNS.

16. SUBCONTRACTING

In order to provide the Services in the most efficient manner, Mercer may sub-contract appropriate parts of any services to a trusted third party or parties who may be located anywhere in the world. Notwithstanding paragraphs 7 and 8 of the License, in the event that the third party processes personal data, Mercer will ensure that such third party agrees in writing to act only on Mercer's instructions and provides appropriate guarantees in respect of the technical and organizational security measures governing the processing to be carried out. Mercer will take all reasonable steps to ensure compliance with those measures. Where such third party is located outside the European Economic Area, Mercer will take all necessary steps to ensure that the processing of any personal data by the third party, including its transfer to the third party, complies with all relevant data protection and privacy laws.

17. OTHER

17.1 Severability. It is the intent of the parties that the provisions of this License shall be enforced to the fullest extent permitted by applicable law. To the extent that the terms set forth in this License or any word, phrase, clause or sentence is found to be illegal or unenforceable for any reason, such word, phrase, clause or sentence shall be modified deleted or interpreted in such a manner so as to afford the party for whose benefit it was intended the fullest benefit commensurate with making this License as modified, enforceable and the balance of this License shall not be affected thereby, the balance being construed as severable and independent.

17.2 Modification and Waiver. Mercer reserves the right to amend this License as necessary from time to time. Any other modification or waiver of the provisions of this License and the Order shall be effective only if made in writing and signed by both parties. The failure by a party to insist upon strict performance of any provisions of this License shall not be construed as a waiver of such party’s rights arising out of any subsequent default of the same or similar nature. Any use of pre-printed, standard or posted term forms, including without limitation purchase orders, shrink-wrap agreements, click-wrap agreements, acknowledgements or invoices provided by the Client or the User, are for administrative and convenience use only and any terms and conditions stated therein shall not have the ability, unless expressly agreed between the parties, to modify or override the terms contained in this License.

17.3 Consent to Disclose. You agree that Mercer is entitled to disclose information relating to this License or you to its regulators having jurisdiction over its business. You also agree that, notwithstanding any other provision in this License, Mercer may include the identities of those persons who are identified by you as contacts persons for you and information about the terms of this License in their internal client management, financial and conflict checking database.

17.4 Survival. The following provisions will survive any expiration, termination or rescission of this License: 2 to 4 and 12 to 17.

17.5 Third Party Beneficiaries. Neither this License nor access and use of the information on the Mercer Mobility Exchange or the provision of the Services is intended to confer any right or benefit on any third party.

17.6 Term and Termination. This License will continue for twelve (12) months from the date you first access the Mercer Mobility Exchange (the “Initial Term”). Thereafter, it shall renew automatically for additional twelve (12) month terms (a “Renewal Term”) unless a party notifies the other in writing at least thirty (30) days prior to the expiration of the Initial Term or any Renewal Term of its intent not to renew. This License shall automatically terminate upon the termination of Order between you and Mercer. In the event you terminate the Order for convenience prior to the end of the Term (as defined in the Order), you may be required to pay termination fees to the extent provided in such Order. Mercer may terminate the Order and this License immediately if you fail to comply with any term or condition of this License, or upon thirty (30) days written notice to you, at its sole discretion. You agree upon termination for any reason to return any materials associated with the Mercer Mobility Exchange in your possession together with all copies in any form.

17.7 Marketing. Any public statement, marketing material, press releases or the like that contain the whole or any part of the Services shall only be (a) disclosed with the prior written consent of Mercer; and (b) accompanied by an acknowledgement that any such data, information or figures are supplied by Mercer. Either party may use the other party’s name and logo in its publicity, provided that any reference to the other party beyond its name or logo will be subject to prior approval of the party whose name and logo is being used.

17.8 Notices. Any notice which is to be given by one party to the other under the License or the Order will be given in writing (other than email). It will be effective if delivered to the address of the other party set out in the Order or any other address specified subsequently. A notice will be effective 48 hours after delivery. Either party may change its address for service by giving notice to the other party in accordance with this paragraph 17.8.

Should you have questions regarding this License, you may contact Mercer by writing to Mercer (US) Inc., 400 West Market Street, Suite 700, Louisville, Kentucky 40202-3431, USA.

Schedule 1 - Data Processing Addendum (“DPA”)
This Schedule applies solely to the extent that: (i) the Services are provided by Mercer or its Affiliates from an establishment within the EEA or the United Kingdom; or (ii) the Services involve Mercer or its Affiliates processing Personal Data relating to the offering of goods or services to Data Subjects in the EEA or the United Kingdom or to the monitoring of their behaviour as far as such behaviour takes place within the EEA or the United Kingdom.

1 Introduction
1.1 This DPA sets out:
(i) the data protection terms that are required under the GDPR in relation to the Processing of Personal Data that Mercer undertakes as Processor;
(ii) the parties’ respective obligations where the parties each act as Controllers; and
(iii) all other terms governing the parties’ Processing of Personal Data in connection with the License;

2 Definitions
2.1 Capitalised terms used but not defined in this DPA shall have the meaning set forth in the License.
2.2 The following terms have the following meanings when used in this DPA:
Affiliate means, with respect to a party, an entity that (directly or indirectly) controls, is controlled by or is under common control with, such party, where control refers to the power to direct or cause the direction of the management policies of another entity, whether through ownership of voting securities, by contract or otherwise.
Controller means the natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
Data Importer means the relevant entity identified in the Standard Contractual Clauses.
Data Exporter means the relevant entity that transfers Personal Data from the EEA to the Data Importer.
Data Protection Laws means the GDPR and all other mandatory laws and regulations of the European Union, the European Economic Area and their member states and the United Kingdom applicable to the parties’ Processing of Personal Data under the License.
Data Subject means the individual to whom Personal Data relates.
Data Subject Request means a Data Subject's request to access, correct, amend, transfer or delete that person's Personal Data consistent with that person’s rights under Data Protection Laws.
EEA means European Economic Area and, in connection with the use of the Standard pursuant to clause 12, Switzerland.
GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation), as amended from time to time.
Personal Data means any information relating to an identified or identifiable natural person provided by or on behalf of Client to Mercer as part of the Services; an identifiable natural person, is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of that natural person.
Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data, transmitted, stored or otherwise Processed.
Processing, Processed or Process means any operation or set of operations which is performed by either party as part of, or in connection with, the Services upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
Processor has the meaning given in GDPR.
Regulator means any supervisory authority with authority under Data Protection Laws over the Processing of Personal Data.
Services means the services and/or products as detailed in the letter of engagement between Mercer and the Client.
Standard has the meaning given in clause 12.2(b).
Standard Contractual Clauses means the agreement in the form annexed to the European Commission's decision of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries.
Sub-processor means a subcontractor engaged by Mercer or its Affiliates that will Process Personal Data as part of the performance of the Services where Mercer acts as a Processor.
Workforce Products means the following Mercer products: (1) Mercer remuneration and policy surveys and guides, (2) the Global Data Acquisition Program and (3) Mercer Comptryx.

3 Relationship with the License
3.1 In the event of a conflict between the terms of the License and the terms of this DPA, the terms of this DPA shall prevail.
3.2 In the event of a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

4 Processing of Personal Data
4.1 Roles of the Parties
(a) The parties acknowledge and agree that (to the extent applicable):
(i) Client and Mercer each act as Controllers in connection with the Processing of Personal Data in relation to the provision of the Workforce Products;
(ii) Mercer acts as Controller when Processing Personal Data for the following business and operational purposes: (1) carrying out fraud, anti-money laundering, sanctions and any other checks and investigating and prosecuting fraud, money laundering or sanctions violations in connection with the establishment and maintenance of a client relationship and provision of services; (2) where required for compliance with legal and regulatory obligations; and (3) for data analytics as described at clause 13.1;
(iii) except as set out in clauses 4.1(a)(i) and (ii), Mercer acts as a Processor with respect to Personal Data; and
(iv) in the event that, during the course of the License, in response to emerging guidance or legislation Mercer considers that its categorisation for any Processing carried out under the License should change: (i) from Controller to Processor; or (ii) from Processor to Controller, Mercer shall provide written notice of this change to Client and the parties agree that the terms under this DPA relating to the new status shall apply to all Processing from date of receipt of such notice.
(b) Client has engaged Mercer to provide certain services as detailed in the License.
4.2 Client's Processing of Personal Data – General Obligations
(a) In respect of the parties’ Processing, Client shall:
(i) comply with Data Protection Laws and ensure that any instructions it issues to Mercer shall comply with Data Protection Laws; and
(ii) have sole responsibility for the accuracy, quality, and legality of Personal Data, and the means by which Client acquired Personal Data and shall establish the legal basis for Processing under Data Protection Laws.
(b) Client warrants that:
(i) the disclosure of Personal Data to Mercer is limited to what is necessary in order for Mercer to perform the Services; and
(ii) such Personal Data is accurate and up-to-date at the time that it is provided to Mercer.
(c) Client shall:
(i) collect Personal Data in a manner compliant with Data Protection Laws, including by providing all notices and obtaining all consents as may be required under Data Protection Laws in order for Mercer to lawfully and fairly Process Personal Data in connection with the provision of the Services and as otherwise contemplated by this DPA and the remainder of the License; and
(ii) notify Mercer upon becoming aware that Personal Data has become inaccurate or out of date.
4.3 Mercer's Processing of Personal Data – General Obligations
(a) Where Mercer Processes Personal Data as a Controller, Mercer shall only Process Personal Data:
(i) to the extent that it is reasonably necessary for the purposes of providing Workforce Products and as required by Applicable Law; and
(ii) as otherwise set out in the License (including this DPA).
(b) Where Mercer Processes Personal Data as a Processor, it shall comply with the Data Protection Laws as they apply to Mercer as a Processor and only Process Personal Data in accordance with Client's instructions or as required by law. Client instructs Mercer to Process Personal Data to perform the Services and as described in the DPA and the remainder of the License.
(c) This DPA and the License are Client’s complete and final instructions to Mercer for the Processing of Personal Data. Mercer shall not be bound by additional or alternate instructions except pursuant to the parties’ mutual written agreement.
(d) Without prejudice to Client’s obligations under clause 4.2(a)(i), Mercer shall inform Client if, in its reasonable opinion, an instruction issued by Client infringes Data Protection Laws and shall, without liability, be entitled to stop Processing Personal Data in accordance with such infringing instruction. The parties acknowledge and agree that a failure or delay by Mercer to identify that an instruction infringes Data Protection Laws shall not cause Mercer to be in breach of this License nor relieve Client from its liability under this License.
4.4 Compliance with Data Protection Law
In respect of the Personal Data for which Client and Mercer each act as Controllers, Client and Mercer shall comply with their respective obligations as Controllers under Data Protection Law (except to the extent that this DPA allocates responsibility for compliance with a particular requirement under Data Protection Law to one party).
4.5 Purpose; Categories of Personal Data and Data Subjects
The purpose of Processing of Personal Data by Mercer is the performance of the Services pursuant to the License. The types of Personal Data and categories of Data Subjects Processed by Mercer, when acting as a Processor, under this DPA are further specified in Attachment 1 (Data Processing Details Addendum) to this DPA.
4.6 Limitation on Disclosure
Mercer shall not disclose Personal Data to any third parties without Client’s prior consent, except as required by law or permitted by the License. Without limiting the generality of the foregoing, Mercer may disclose Personal Data to Processors and Sub-processors (including Mercer Affiliates acting in such capacities) engaged as described in clause 10.
4.7 Confidentiality
Mercer shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data and are subject to binding confidentiality obligations.

5 Data Subject Rights; Other Complaints and Requests
5.1 Data Subject Requests
If Mercer receives a Data Subject Request (whether as a Processor or a Controller):
(a) Mercer shall, to the extent permitted by law, promptly notify Client upon receipt of a Data Subject Request. Following receipt of a Data Subject Request, Mercer may contact the relevant Data Subject to acknowledge receipt of the Data Subject Request and to notify the Data Subject that it has referred the Data Subject Request to Client, but Mercer shall otherwise not respond to any Data Subject Request without Client’s prior written instructions;
(b) Client shall handle the Data Subject Request in accordance with Data Protection Law; and
(c) Mercer shall provide such commercially reasonable assistance as Client may reasonably request to help Client fulfil its obligations under Data Protection Laws to respond to Data Subject Requests. Client shall be responsible for any reasonable costs arising from Mercer’s provision of such assistance.
5.2 Other Complaints and Requests
(a) Mercer shall, to the extent permitted by law, promptly notify Client upon receipt of any complaint or request (other than Data Subject Requests or enquiries of Regulators described in clause 6) relating to: (a) Client’s obligations under Data Protection Laws; or (b) Personal Data.
(b) Unless otherwise agreed between the parties, Client shall handle the relevant request or complaint in accordance with Data Protection Law.
(c) Mercer shall provide such commercially reasonable assistance as Client may reasonably request in relation to such complaint or request. Client shall be responsible for any reasonable costs arising from Mercer’s provision of such assistance.

6 Cooperation with Regulators and Conduct of Claims
6.1 Mercer shall notify Client of all enquiries from a Regulator that Mercer receives which relate to the Processing of Personal Data, unless prohibited from doing so at law or by the Regulator.
6.2 Unless a Regulator requests in writing to engage directly with Mercer or the parties (acting reasonably and taking into account the subject matter of the request) agree that Mercer shall handle a Regulator request itself, Client shall:
(a) be responsible for all communications or correspondence with the Regulator in relation to the Processing of Personal Data; and
(b) keep Mercer informed of such communications or correspondence to the extent permitted by law.

7 Security
7.1 Mercer shall take the technical and organisational measures set out in Attachment 2 (Security Measures) to protect the confidentiality, integrity, availability and resilience of Mercer systems which are involved in Processing Personal Data.
7.2 Client has assessed the level of security appropriate to the Processing in the context of its obligations under Data Protection Laws and agrees that the security measures set out in Attachment 2 (Security Measures) are consistent with such assessment.
7.3 Client shall take appropriate technical and organisational measures to protect the security of the Personal Data, including ensuring that Personal Data is securely transferred to Mercer.

8 Security Breach Management and Notification
8.1 Mercer shall:
(a) promptly notify Client upon becoming aware of the occurrence of a Personal Data Breach and provide Client with the following information as it becomes available:
(i) a description of the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects concerned;
(ii) the name and contact details of the Mercer contact from whom more information can be obtained; and
(iii) a description of the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
8.2 Client shall promptly notify Mercer upon becoming aware of the occurrence of a Personal Data Breach involving Mercer, or Mercer’s systems or facilities, personnel, Processors or Sub-processors.
8.3 The parties agree to coordinate in good faith on developing the content of any related public statements and any required notices to the affected Data Subjects and/or the relevant Regulators in connection with a Personal Data Breach, provided that nothing in this clause 8.3 shall prevent either party from complying with its obligations under Data Protection Laws.

9 Return and Deletion of Client Data
9.1 Subject to clause 13 on termination of the License for any reason, or upon written request from Client at any time, Mercer shall cease Processing any Personal Data, and (at Client's direction) return to Client or delete (in accordance with Mercer’s document retention and deletion policies), any Personal Data in Mercer's possession or control, except as required by law or as required in order to defend any actual or possible legal claims.
9.2 Client acknowledges and agrees that Mercer shall have no liability for any losses incurred by Client arising from or in connection with Mercer’s inability to perform the Services as a result of Mercer complying with a request to delete or return Personal Data made by Client pursuant to clause 9.1.

10 Mercer Processors and Sub-processors
10.1 Appointment of Processors and Sub-processors
Client acknowledges and agrees that: (a) Mercer may engage Processors (where Mercer acts as Controller) and Sub-processors (where Mercer acts as Processor) in connection with the provision of the Services; and (b) such Processors and Sub-processors may include Mercer Affiliates.
10.2 Sub-processing Agreement
Mercer shall ensure that its contract with any Sub-processor imposes on the Sub-processor obligations that are equivalent to the obligations to which Mercer is subject under this DPA.
10.3 List of Current Sub-processors and Notification of New Sub-processors
A list of Sub-processors, current as of the Effective Date, shall be made available at https://www.uk.mercer.com//data-protection.html on or before the Effective Date. At that location Mercer shall also provide Client with a mechanism to subscribe in order to receive notifications regarding Mercer’s use of any new Sub-processor not included in such list (“New Sub-processors”) for the Processing of Personal Data. Notification of a New Sub-processor shall be issued prior to such New Sub-processor being authorised to Process Personal Data in connection with the provision of the Services.
10.4 Objection Right for New Sub-processors
Client may object to Mercer's use of a New Sub-processor where there are reasonable grounds to believe that the New Sub-processor will be unable to comply with the terms of this DPA or the License. If Client objects to Mercer’s use of a New Sub-processor, Client shall notify Mercer promptly in writing within ten (10) days after notification regarding such Sub-processor. Client’s failure to object in writing within such time period shall constitute approval to use the New Sub-processor. Client acknowledges that the inability to use a particular New Sub-processor may result in delay in performing the Services, inability to perform the Services or increased fees. Mercer will notify Client in writing of any change to Services or fees that would result from Mercer’s inability to use a New Sub-processor to which Client has objected. Client may either execute a written amendment to the License implementing such change or exercise its right to terminate the License in accordance with the termination provisions thereof. Such termination shall not constitute termination for breach of the License. Mercer shall have a right to terminate the License if Client unreasonably objects to a Sub-Processor, or does not agree to a written amendment to the License implementing changes in fees or Services resulting from the inability to use the Sub-processor at issue.
10.5 Responsibility for Sub-processors
Mercer shall be responsible and liable for the acts, omissions or defaults of its Sub-processors in the performance of obligations under this DPA or otherwise as if they were Mercer’s own acts, omissions or defaults.

11 Audits and Requests for Information and Assistance
11.1 Client may audit Mercer’s compliance with its obligations under this DPA, subject to the following requirements:
(a) Client may perform such audits once per year or more frequently if required by Data Protection Laws applicable to Client;
(b) Client may use a third party to perform the audit on its behalf, provided the third party is mutually agreed to by Client and Mercer and executes a confidentially agreement acceptable to Mercer before the audit;
(c) audits must be conducted during regular business hours, subject to Mercer’s policies, and may not unreasonably interfere with Mercer’s business activities;
(d) Client must provide Mercer with any audit reports generated in connection with any audit at no charge unless prohibited by law. Client may use the audit reports only for the purposes of meeting its audit requirements under Data Protection Laws and/or confirming compliance with the requirements of this DPA. The audit reports shall constitute confidential information of the parties under the License;
(e) to request an audit, Client must submit a detailed audit plan to Mercer at least six (6) weeks in advance of the proposed audit date. The audit plan must describe the proposed scope, duration, and start date of the audit. Mercer will review the audit plan and inform Client of any concerns or questions (for example, any request for information that could compromise Mercer’s confidentiality obligations or its security, privacy, employment or other relevant policies). Mercer will work cooperatively with Client to agree on a final audit plan;
(f) nothing in this clause 11.1 shall require Mercer to breach any duties of confidentiality owed to any of its clients or employees;
(g) if the requested audit scope is addressed in an SSAE 16/ISAE 3402 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor within twelve (12) months of Client’s audit request and Mercer confirms there are no known material changes in the controls audited, Client agrees to accept those findings in lieu of requesting an audit of the controls covered by the report; and
(h) all audits are at Client’s sole cost and expense. Any request for Mercer audit assistance requiring the use of resources different from or in addition to those required for provision of the Services will be considered an additional service for which reasonable additional fees may be charged. Mercer reserves the right to require Client’s written agreement to pay for such fees before providing such audit assistance.
11.2 Each party will be separately responsible for assessing the need to undertake, and the completion of, any data protection impact assessment, including any consultation with a Regulator, under Articles 35 and 36 of the GDPR or otherwise in respect of its use or provision of the Services.
11.3 Where requested by Client, Mercer shall, at Client’s cost, provide Client with such assistance and information as may be reasonably required in order for Client to comply with any obligation to carry out a data protection impact assessment or consult with a Regulator pursuant to Articles 35 and 36 of the GDPR, respectively.
11.4 Where requested by Mercer, Client shall, at Mercer’s cost, provide Mercer with such assistance and information as may be reasonably required in order for Mercer to comply with any obligation to carry out a data protection impact assessment or consult with a Regulator pursuant to Articles 35 and 36 of the GDPR, respectively.

12 Transfers Outside of the European Economic Area
12.1 Subject to the remainder of this clause 12, Client consents to transfers of Personal Data to Mercer, Mercer’s Affiliates or Mercer’s and Mercer’s Affiliates’ respective Sub-processors based in countries outside the EEA.
12.2 Data Transfer Mechanisms where Mercer acts as a Processor
(a) Where Mercer acts as a Processor of Personal Data that is transferred, either directly or via onward transfer, from the EEA to a recipient outside the EEA in a country not recognised by the European Commission as providing an adequate level of protection for personal data (“Third Country Recipient”), such transfer shall be covered by a framework recognised by the relevant authorities or courts as providing an adequate level of protection for Personal Data, including but not limited to Standard Contractual Clauses, binding corporate rules or the EU-US Privacy Shield Framework (each a “Data Transfer Mechanism”).
(b) Mercer is an affiliate of Marsh & McLennan Companies, Inc. “MMC”, and “MMC Group” shall mean the corporate group of MMC. MMC has adopted processor binding corporate rules in the form of the Processor standard, which shall be made available on or before the Effective Date at https://www.uk.mercer.com//data-protection.html (the “Standard”) in order to provide adequate safeguards for transfers of Personal Data from certain MMC Group Affiliates to certain non-EEA MMC Group Affiliates.
(c) Mercer warrants that:
(i) it is a party to and is bound by the intra-group agreement regarding the Standard dated 20 June 2017 and entered into between MMC UK Group Limited and MMC Group Affiliates as listed and amended in the same agreement from time to time (the “Intra-Group Agreement”);
(ii) clause 1.1 of the Intra-Group Agreement binds Mercer to comply with all of the provisions of the Standard in respect of any Personal Data transferred from any of the EEA MMC Group members to any of the non-EEA MMC Group members (as defined in the Standard);
(iii) it shall comply with all of the provisions of the Standard;
(iv) where Client is established within the EEA, the Standard has been duly approved by the data protection authority with competent jurisdiction in the EEA territory where Client is established (the “Competent DPA”); and
(v) it will promptly notify Client if the Competent DPA withdraws its approval of the Standard.
(d) Client undertakes to make available to Data Subjects upon request a copy of the Standard and of this DPA unless the DPA contains any sensitive and confidential commercial information in which case it will remove such information.
(e) If Mercer elects to apply the Standard Contractual Clauses pursuant to clause 12.2(a):
(i) if required by Mercer, Client shall sign a copy of the Standard Contractual Clauses and take such further action as is required by applicable law to ensure that the Standard Contractual Clauses are legally valid;
(ii) they shall constitute a separate agreement between each Data Exporter and the Data Importer;
(iii) if the Processing under the Standard Contractual Clauses can subsequently be performed under an alternative Data Transfer Mechanism (including where the relevant Data Importer becomes party to the Intra-Group Agreement), then the Standard Contractual Clauses shall automatically terminate effective as of the date that such alternative Data Transfer Mechanism takes effect in respect of such Processing, and Client shall execute such documents or acknowledgements as Mercer may reasonably request to evidence such termination;
(iv) the parties agree to amend the Standard Contractual Clauses if required in accordance with a relevant European Commission decision or Data Protection Laws;
(v) the parties agree that the prior written consent to the engagement of Sub-processors required by Clause 5(h) of the Standard Contractual Clauses has been given pursuant to clause 10.1 of this DPA;
(vi) the parties agree that upon Data Exporter’s request, Data Importer will provide the copies of the Sub-processor agreements that must be sent by the Data Importer to the Data Exporter pursuant to Clause 5(j) of the Standard Contractual Clauses, and that Data Importer may remove or redact all commercial information or clauses unrelated to the Standard Contractual Clauses or their equivalent beforehand; and
(vii) the parties agree that clause 11 of this DPA shall satisfy the audit requirements of the Standard Contractual Clauses applied to Data Importer under Clause 5(f) and to any Sub-processors under Clause 11 and Clause 12(2).
12.3 Transfer where Mercer acts as a Controller
Where Mercer acts as a Controller and transfers Personal Data outside of the EEA or a country recognised by the European Commission as providing an adequate level of protection for personal data, Mercer will ensure that such transfers are covered by a Data Transfer Mechanism.

13 Analytics
13.1 Client agrees that during and after the term of the License, Mercer may use any information it collects and uses in connection with the Services, together with information from its other clients, for data analytics purposes, including to create insights, reports and other analytics to improve the quality of and market Mercer’s advice, products and services. The output of such analytics will not identify particular clients or individuals.

14 Termination and General
14.1 This DPA and the Standard Contractual Clauses will terminate when Mercer ceases to Process Personal Data, unless otherwise agreed in writing between the parties.
14.2 Liability
The parties agree that all liabilities between them under this DPA and the Standard Contractual Clauses will be subject to the limitations and exclusions of liability and other terms of the License, except that such limitations and exclusions of liability will not apply to any party’s liability to Data Subjects under the third party beneficiary provisions of the Standard Contractual Clauses to the extent limitation of such rights is prohibited by Data Protection Laws.
14.3 Exclusion of third party rights
Subject to clause 12.2, Data Subjects are granted third party rights under the Standard Contractual Clauses. All other third party rights are excluded.
14.4 Governing Law
To the extent required by applicable Data Protection Laws (e.g., in relation to the governing law of the Standard Contractual Clauses), this DPA shall be governed by the law of the applicable jurisdiction. In all other cases, this DPA shall be governed by the laws of the jurisdiction specified in the License in respect of the applicable Services.

ATTACHMENT 1
Data Processing Details Addendum

Controller
Client and the Client Affiliates that Process Personal Data for their own business purposes.

Processor
The Processor is Mercer.

Data subjects
The Personal Data Processed may concern the following categories of Data Subjects:

- current, former and potential employees, agents, directors, officers, self-employed contractors of the Client and their spouse and dependents;
- current, former and potential members of Client’s pension scheme and their beneficiaries.
Categories of data
The Personal Data Processed may concern the following categories of data:
Details such as a Data Subject’s name, date of birth, gender, address, email address, telephone number, employer name, employee ID, employment and pensionable service status and periods, dates of absence, employment grade, employee performance, job title, salary and remuneration arrangements, nature and details of current and historic pension arrangements, pension amounts, pension contributions, employee benefit details, insurance cover, marital status, beneficiary details, bank details, national insurance number/national identification number/social security number, underwriting status, business travel information, educational background, passport number, driving licence number, details of power of attorney, pyschometric test results, number of dependents/beneficiaries and/or ill-health status.
Special categories of data (if appropriate)
The Personal Data Processed may concern the following special categories of data:
Details of a Data Subject’s sexual orientation, trade union membership, political affiliation, ill-health status and/or medical records/details.
Processing operations
The Personal Data Processed will be subject to the following basic Processing activities:
Mercer, acting as a Processor, will, depending on the scope of its engagement, Process the Personal Data to perform the Services, to comply with its statutory and regulatory obligations, to maintain accounts and records. This will involve, among other things, the collection, storage, analysis and disclosure of Personal Data that Mercer receives from (or on behalf of) the Client in accordance with the License.

ATTACHMENT 2
Security Measures

In satisfaction of its obligation under clause 7 of this DPA, Mercer shall implement the following:
1) Organisational management and dedicated staff responsible for the development, implementation and maintenance of Mercer’s information security program.
2) Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Mercer’s organisation, monitoring and maintaining compliance with Mercer’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
3) Data security controls which include at a minimum, but may not be limited to, logical segregation of data, restricted (e.g. role-based) access and monitoring, and utilisation of commercially available and industry standard encryption technologies for Personal Data that is:
a) transmitted over public networks (i.e. the Internet) or when transmitted wirelessly; or
b) at rest or stored on portable or removable media (i.e. laptop computers, CD/DVD, USB drives, back-up tapes).
4) Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g. granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review and revoking/changing access promptly when employment terminates or changes in job functions occur).
5) Password controls designed to manage and control password strength, expiration and usage including prohibiting users from sharing passwords and requiring that Mercer’s passwords that are assigned to its employees: (i) be at least eight (8) characters in length, (ii) not be stored in readable format on Mercer’s computer systems; (iii) must be changed every ninety (90) days; must have defined complexity; (v) must have a history threshold to prevent reuse of recent passwords; and (vi) newly issued passwords must be changed after first use.
6) System audit or event logging and related monitoring procedures to proactively record user access and system activity for routine review.
7) Physical and environmental security of data center, server room facilities and other areas containing Personal Data designed to: (i) protect information assets from unauthorised physical access, (ii) manage, monitor and log movement of persons into and out of Mercer facilities, and (iii) guard against environmental hazards such as heat, fire and water damage.
8) Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems according to prescribed internal and adopted industry standards, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Mercer’s possession.
9) Change management procedures and tracking mechanisms designed to test, approve and monitor all changes to Mercer’s technology and information assets.
10) Incident / problem management procedures designed to allow Mercer to investigate, respond to, mitigate and notify of events related to Mercer’s technology and information assets.
11) Network security controls that provide for the use of enterprise firewalls and layered DMZ architectures, and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
12) Vulnerability assessment, patch management and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
13) Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disasters.
Mercer reserves the right to revise the security measures set out in this Attachment 2 at any time, without notice, so long as any such revisions will not materially reduce or weaken the protection provided for Personal Data that Mercer Processes in the course of providing the Services to Client.