Data Processing Agreement

Data Processing Agreement for Thought Industries tia

This Data Processing Agreement (“DPA”) applies to Thought Industries, Inc., a Massachusetts corporation, with its principal place of business at 6 Liberty Square, #6099, Boston, MA 02109 (“TI”), and its processing of Personal Data on your behalf; you (TI’s customer) are the “Controller” under this DPA and TI is the “Processor” in connection with the provision of TI’s Services specified in the applicable TI Services Agreement for tia (the “Agreement”). Unless otherwise expressly stated in the Agreement, this DPA shall be effective and remain in force for the full term of the Agreement. TI/Controller and the customer/Processor each may be referred to herein as a “Party” or collectively as the “Parties.”

1. DEFINITIONS
  1.1 Capitalized terms used but not defined within this DPA will have the meaning set forth in the Agreement. The following capitalized terms used in this DPA will be defined as follows:

“Applicable Data Protection Laws” means all applicable laws, rules, regulations, and governmental requirements relating to the privacy, confidentiality, or security of Personal Data, as they may be amended or otherwise updated from time to time.

"Controller Affiliate" means an affiliate of Controller who is a beneficiary to the Agreement.

“Covered Data” means Personal Data that is: provided by or on behalf of Controller to Processor in connection with the Services.

“Data Subject” means a natural person whose Personal Data is Processed.

“Deidentified Data” means data created using Covered Data that cannot reasonably be linked to such Covered Data, directly or indirectly.

"EEA" means the European Economic Area including the European Union ("EU").

"GDPR" means Regulation (EU) 2016/679 (the "EU GDPR") or, where applicable, the "UK GDPR" as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the UK European Union (Withdrawal) Act 2018 or, where applicable, the equivalent provision under Swiss data protection law.

“Instruction” means any documented instruction, submitted by Controller to Processor, directing Processor to perform a specific action with regard to Covered Data, including but not limited to the description of the Services under the Agreement.

"Member State" means a member state of the EEA, being a member state of the European Union, Iceland, Norway, or Liechtenstein.

“Personal Data” means any data or information that: (a) is linked or reasonably linkable to an identified or identifiable natural person; or (b) is otherwise “personal data,” “personal information,” “personally identifiable information,” or similarly defined data or information under Applicable Data Protection Laws.

"Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means. “Process”, “Processes” and “Processed” will be interpreted accordingly.

"Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to (including unauthorized internal access to), Covered Data.

"Services" means the services to be provided by Processor pursuant to the Agreement.

"Standard Contractual Clauses" or “SCCs” means Module Two (controller to processor) and/or Module Three (processor to processor) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914, dated June 4, 2021.

"Sub-processor" means an entity appointed by Processor to Process Covered Data on its behalf.

“UK” means the United Kingdom.

“US Data Protection Laws” means, to the extent applicable, federal and state laws relating to data protection, the Processing of Personal Data, privacy and/or data protection in force from time to time in the United States, including (but not limited to) (as may be amended from time to time) the California Consumer Privacy Act of 2018 (CCPA), the California Consumer Privacy Rights Act (CPRA), the Colorado Privacy Act and applicable Colorado Consumer Protection Act, the Connecticut Personal Data Privacy and Online Monitoring Act, the Utah Consumer Privacy Act, the Virginia Consumer Data Protection Act, the Texas Data Privacy and Security Act, the Oregon Consumer Privacy Act.

2. Interaction with the Agreement
  2.1 This DPA is incorporated into and forms an integral part of the Agreement. This DPA supplements and (in case of contradictions) supersedes the Agreement with respect to any Processing of Covered Data. Controller acknowledges that Processor’s Services are not designed, intended, or provided for the purpose of making predictions regarding any Data Subject, determining creditworthiness, or any other manner of automated decision-making regarding Data Subject(s). The scope of Processor’s Services is set forth in the Agreement, and Controller shall not permit any authorized user (with access to Processor Services under Controller’s Agreement with Processor) to utilize the Services for any other purpose.
  2.2 Any Processing operation as described in clause 4 (Details of Data Processing) and Schedule 1 to this DPA will be subject to this DPA.
  2.3 With respect to any Controller Affiliates, Controller warrants it is duly authorised to enter into the DPA for and on behalf of any such Controller Affiliates and, subject to clause 2.4, each Controller Affiliate shall be bound by the terms of this DPA as if they were the Controller. Controller will ensure that all obligations under this DPA will be passed on to the respective Controller Affiliate.
  2.4 Controller warrants that it is duly mandated by any Controller Affiliates on whose behalf Processor Processes Covered Data in accordance with this DPA to (a) enforce the terms of this DPA on behalf of Controller Affiliates, and to act on behalf of Controller Affiliates in the administration and conduct of any claims arising in connection with this DPA; and (b) receive and respond to any notices or communications under this DPA on behalf of Controller Affiliates.
  2.5 Controller will be the only point of contact for all communication between Controller Affiliates and Processor. The Parties acknowledge and agree that any notice or communication sent by Processor to Controller shall satisfy any obligation to send such notice or communication to a Controller Affiliate.
3. Role of the Parties

  3.1 The Parties acknowledge and agree that:

  (a) for the purposes of this DPA and Processing Personal Data under the applicable terms of the Agreement, and for purposes of the GDPR, Processor acts as "processor" or "sub-processor" (as defined in the GDPR). Processor's function as processor or sub-processor will be determined by the then-applicable function of Controller in connection with processing Personal Data:
    (i) Where Controller acts as a controller, Processor acts as a processor.
    (ii) Where Controller acts as a processor on behalf of another controller, Processor acts as a sub-processor.
  (b) for the purposes of the US Data Protection Laws, Processor will act as a "service provider" or “processor” (as defined in US Data Protection Laws), as applicable, in its performance of its obligations pursuant to the Agreement and this DPA.
4. Details of data Processing
  4.1 The details of the Processing of Personal Data under the Agreement and this DPA (such as subject matter, nature and purpose of the Processing, categories of Personal Data and Data Subjects) are described in the Agreement and in Schedule 1 to this DPA.
  4.2 Covered Data will only be Processed on behalf of and under the Instructions of Controller and in accordance with Applicable Data Protection Laws. The Agreement and this DPA will generally constitute Instructions for the Processing of Covered Data. Controller may issue further written Instructions in accordance with this DPA. Without limiting the foregoing, Processor is prohibited from:
    (a) selling Covered Data or otherwise making Covered Data available to any third party for monetary or other valuable consideration;
    (b) sharing Covered Data with any third party for cross-context behavioural advertising;
    (c) retaining, using, or disclosing Covered Data for any purpose other than for the business purposes specified in the Agreement or as otherwise permitted by Applicable Data Protection Laws;
    (d) retaining, using, or disclosing Covered Data outside of the direct business relationship between the Parties; and
    (e) except as otherwise permitted by Applicable Data Protection Laws, combining Covered Data with Personal Data that Processor receives from or on behalf of another person or persons, or collects from its own interaction with the Data Subject.
  4.3 Processor will ensure that such personnel are subject to obligations reasonably consistent with the terms of this DPA and the Agreement.
  4.4 To the extent that any of the Instructions require Processing of Covered Data in a manner that falls outside the scope of the Services, Processor may:
    (a) notify the Controller that such Instructions fall outside the scope of Services under the Agreement and not carry out such Instructions, or at Processor’s election, make the performance of any such Instructions subject to the payment by Controller of any costs and expenses incurred by Processor or such additional charges as Processor may reasonably determine; or
    (b) terminate the Agreement and the Services.
  4.5 If Controller’s Instructions will cause Processor to Process Covered Data in violation of applicable law or outside the scope of the Agreement or the DPA, Processor shall promptly inform Controller thereof, unless prohibited by applicable law (without prejudice to the SCCs).
  4.6 Processor may (without prejudice to clause 11) Process Covered Data anywhere that Processor or its Sub-processors maintain facilities, subject to clause 5 of this DPA.
  4.7 Processor will reasonably cooperate and provide Controller with information to enable Controller to conduct and document any data protection assessments required under Applicable Data Protection Laws. In addition, Processor will notify Controller promptly if Processor determines that it can no longer meet its obligations under Applicable Data Protection Laws.
  4.8 Controller will have the right to take reasonable and appropriate steps to ensure that Processor uses Covered Data in a manner consistent with Controller’s obligations under Applicable Data Protection Laws.
  4.9 Processor is permitted to anonymize Covered Data through a reliable state-of-the-art anonymization procedure and use such anonymized data for its internal business purposes, including for research, development of new products and services, and security purposes.
5. Sub-processors
  5.1 Controller grants Processor the general authorisation to engage Sub-processors, subject to clause 5.2, as well as Processor's current Sub-processors listed in Schedule 5 as of the Effective Date.
  5.2 Processor will (i) enter into a written agreement with each Sub-processor imposing data protection obligations that, in substance, are no less protective of Covered Data than Processor’s obligations under this DPA to the extent applicable to the nature of the services provided by such Sub-processor; and (ii) remain liable for each Sub-processor’s compliance with the obligations under this DPA.
  5.3 Processor will provide Controller with at least fifteen (15) days’ notice of any proposed changes to the Sub-processors it uses to Process Covered Data (including any addition or replacement), by email including a link to the updated list of Sub-processors referred to in clause 5.1. Controller may object to Processor’s use of a new Sub-processor based upon reasonable data privacy and data security concerns regarding the new Sub-processor (including when exercising its right to object under clause 9(a) of the SCCs if applicable) by providing Processor with written notice of the objection within ten (10) days after Processor has provided notice to Controller of such proposed change (an "Objection"). If Controller does not object to the engagement within the Objection period, consent regarding the engagement will be assumed. In the event Controller objects to Processor’s use of a new Sub-processor, Controller and Processor will work together in good faith to find a mutually acceptable resolution to address such Objection. If the Parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, either Party may, as its sole and exclusive remedy, terminate the portion of the Agreement relating to the Services affected by such change by providing written notice to the other Party. During any such Objection period, Processor may suspend the affected portion of the Services. Controller may only request a pro-rata refund if Controller can prove the Objection is based on justified reasons of non-compliance with Applicable Data Protection Laws.
6. Data Subject rights requests
  6.1 As between the Parties, Controller will have sole discretion and responsibility in responding to the rights asserted by any individual in relation to Covered Data under Applicable Data Protection Laws, including requests, complaints, inquiries, and objections (each, a "Data Subject Request"). Controller shall have sole discretion and responsibility for verifying the identity of Data Subjects (making all reasonable efforts) and confirming the proper and legitimate nature of such Data Subject Requests.
  6.2 Processor will promptly forward to Controller any Data Subject Request received by Processor or any Sub-processor from an individual in relation to their Covered Data and may advise the individual to submit their request directly to Controller; otherwise, Processor shall not respond directly to Data Subject Requests.
  6.3 Processor will (taking into account the nature of the Processing of Covered Data) provide Controller with reasonable assistance as necessary for Controller to fulfil its obligation under Applicable Data Protection Laws to respond to Data Subject Requests, including, if applicable and subject to the foregoing obligations, Controller’s obligation to respond to requests for exercising the rights set out in Applicable Data Protection Laws.
7. Security and Audits
  7.1 Processor will implement and maintain appropriate technical and organizational data protection and security measures designed to ensure security of Covered Data, including, without limitation, protection against unauthorized or unlawful Processing and against accidental loss, destruction, or damage of or to it. When assessing the appropriate level of security, account will be taken in particular of the nature, scope, context and purpose of the Processing as well as the risks that are presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Covered Data.
  7.2 Processor will implement and maintain as a minimum standard the measures set out in Schedule 2.
  7.3 With respect to any audits, the Parties agree that:
    (a) all such audits will be conducted:
      (i) upon reasonable written notice to Processor;
      (ii) only once per year;
      (iii) only during Processor’s normal business hours; and
      (iv) in a manner that does not disrupt Processor’s business.
    (b) Controller will:
      (i) enter into a confidentiality agreement with Processor prior to conducting the audit; and
      (ii) ensure that its personnel comply with Processor’s policies and procedures when attending Processor’s premises, as notified to Controller by Processor.
  7.4 To conduct such audit, Controller may engage a third-party auditor subject to such auditor complying with the requirements under clause 7.3 and provided that such auditor is suitably qualified, independent and not a competitor of Processor.
  7.5 To request an audit, Controller must submit a detailed proposed audit plan to Processor at least two weeks in advance of the proposed audit date. Processor will review the proposed audit plan and work cooperatively with Controller to agree on a final audit plan. All such audits must be conducted subject to the agreed final audit plan and Processor’s health and safety or other relevant policies. Nothing in this clause 7.5 will require Processor to breach any duties of confidentiality.
  7.6 Controller will promptly notify Processor of any non-compliance discovered during the audit and provide Processor with any audit reports generated in connection with any agreement, unless prohibited by Applicable Data Protection Laws or otherwise instructed by a regulatory or government authority. Controller may use the reports only for the purposes of meeting Controller’s regulatory audit requirements and/or confirming compliance with the requirements of the DPA.
  7.7 Controller will bear the costs for any audit initiated by Controller. Controller shall reimburse Processor for any time expended by Processor or its Sub-processors in connection with such audits.
  7.8 Upon request, Processor will provide to Controller documentation reasonably evidencing the implementation of the technical and organizational data security measures in accordance with industry standards. Processor may, in its discretion, provide data protection compliance certifications issued by a commonly accepted certification issuer which has been audited by a data security expert, or by a publicly certified auditing company. If the requested audit scope is addressed in such a certification produced by a qualified third-party auditor within twelve (12) months of Controller’s audit request and Processor confirms there are no known material changes in the controls audited, Controller agrees to accept those findings in lieu of requesting an audit of the controls covered by the report.
  7.9 Processor will audit its Sub-processors, or conduct adequate due diligence on a regular basis, and will, upon Controller’s request, confirm their compliance with Applicable Data Protection Laws and the Sub-processors’ contractual obligations. Controller may request Processor to conduct further audits only in the event reasonably justified, and in such case(s) Processor will conduct further audits to the extent permissible.
8. SECURITY INCIDENTS

Processor will notify Controller in writing without undue delay after becoming aware of any Security Incident, in any event within forty-eight (48) hours and reasonably cooperate in any obligation of Controller pursuant to Applicable Data Protection Laws to make any notifications, such as to individuals or supervisory authorities. Processor will take reasonable steps to contain, investigate, and mitigate any Security Incident, and will send Controller timely information about the Security Incident. Processor’s notification of or response to a Security Incident under this clause 8 will not be construed as an acknowledgement by Processor of any fault or liability with respect to the Security Incident.

Processor will provide reasonable assistance with Controller's investigation of the possible Security Incident and any notification obligation of Controller required under Applicable Data Protection Laws, such as in relation to individuals or supervisory authorities.

9. DELETION AND RETURN

Processor will, in any event, within forty-five (45) days of the date of termination or expiry of the Agreement (a) if requested to do so by Controller within that period, return a copy of all Covered Data or provide a self-service functionality allowing Controller to do the same; and (b) delete all other copies of Covered Data Processed by Processor or any Sub-processors. Processor shall not retain Covered Data for any purpose for more than sixty (60) days; unless stated otherwise in the Agreement, Processor shall automatically delete or anonymize all Covered Data within ninety (90) days following termination of the Agreement or termination of the Services for any reason.

10. DPA Contract Period

This DPA will remain in effect for the duration of the Agreement, and shall remain in effect until, and automatically expire upon, Processor’s deletion of all Covered Data as described in this DPA.

11. Standard Contractual Clauses
  11.1 The Parties agree that the terms of the Standard Contractual Clauses Module Two (Controller to Processor) and Module Three (Processor to Processor), as further specified in Schedule 3 of this DPA, are hereby incorporated by reference and will be deemed to have been executed by the Parties and apply to any transfers of Covered Data falling within the scope of the GDPR from Controller (as data exporter) to Processor (as data importer).
  11.2 To the extent applicable, the jurisdiction-specific addenda to the Standard Contractual Clauses set out in Schedule 3 are also incorporated herein by reference and will be deemed to have been executed by the Parties and apply to any transfers of Covered Data falling within the scope of Applicable Data Protection Laws in the listed jurisdiction(s) from Controller (as data exporter) to Processor (as data importer).
  11.3 Processor will provide Controller reasonable support to enable Controller’s compliance with the requirements imposed on international transfers of Covered Data. Processor will, upon Controller’s request, provide information to Controller which is reasonably necessary for Controller to complete a transfer impact assessment under Applicable Data Protection Laws.
  11.4 Processor further agrees to implement certain supplementary measures in order to enable Controller’s compliance with requirements imposed on international transfers of Covered Data under Applicable Data Protection Laws. Processor may charge Controller, and Controller will reimburse Processor, for any assistance provided by Processor with respect to any transfer impact assessment(s), data protection impact assessments or consultation with any supervisory authority of Controller; Processor shall reasonably cooperate with Controller by providing responses to any data privacy or security questionnaires regarding Processor’s supplementary measures described above.
12. DEIDENTIFIED DATA

If Processor receives Deidentified Data from or on behalf of Controller, then Processor will:

  1. take reasonable measures to ensure the information cannot be associated with a Data Subject.
  2. publicly commit to Process the Deidentified Data solely in deidentified form and not to attempt to reidentify the information.
  3. contractually obligate any recipients of the Deidentified Data to comply with the foregoing requirements and Applicable Data Protection Laws. 


Schedule 1. DETAILS OF PROCESSING

A. List of Parties

The Parties are set out in the preamble to this DPA. With regard to any transfers of Covered Data falling within the scope of the GDPR from Controller to Processor, additional information regarding the data exporter and data importer is set out below.

  1. Data Exporter

The data exporter is: each of the Controller and/or Controller Affiliates operating in the countries which comprise the European Economic Area, UK and/or Switzerland and/or – to the extent agreed by the Parties – Controller and/or Controller Affiliates in any other country to the extent the GDPR applies.

The data exporter’s contact person’s name, position and contact details as well as (if appointed) the data protection officer’s name and contact details and (if relevant) the representative’s contact details are included in the Agreement or will be disclosed to Processor upon request.

The activities relevant to the data transfer under these Clauses are defined by the Agreement and the data exporter who decides on the scope of the Processing of Personal Data in connection with the Services further described in section B of this Schedule 1.

  2. Data Importer

The data importer is: Thought Industries, Inc., 6 Liberty Square, #6099, Boston, MA 02019, United States.

The data importer’s contact person and contact details are included in the Agreement or will be disclosed to Controller upon request.

The data importer’s activities relevant to the data transfer under these Clauses are as follows: the data importer Processes Personal Data provided by the data exporter on behalf of the data exporter in connection with providing the Services to the data exporter as further described in section B of this Schedule 1 and in the Agreement.

B. Description of Processing

  1. Categories of Data Subjects

The categories of Data Subjects whose Personal Data are Processed: Determined by the Controller (under the applicable terms of the Agreement).  

  2. Categories of Personal Data

The Processed categories of Personal Data are: Determined by the Controller (under the applicable terms of the Agreement).

  3. Special categories of Personal Data (if applicable)

The Processed Personal Data includes the following special categories of data: None. 

  4. Frequency of the Processing

The Processing is performed on a continuous basis for the duration of the Agreement and is determined by Controller’s configuration of the Services.

  5. Subject matter and nature of the Processing

The subject matter of the Processing is: to provide the Services to the Controller, which involves the third-party provision of natural-language, artificial-intelligence and machine-learning generated responses (output) based upon Controller’s prompts (input), as further described in the Agreement.

The nature of the Processing is the collection, storage, organisation and structuring of Personal Data to provide the Services to the Controller. It also includes disclosure by transmission to third-party sub-processors in order to provide the Services, and erasure and destruction in accordance with data retention requirements under Applicable Data Protection Laws.

  6. Purpose(s) of the data transfer and further Processing

The purpose/s of the data transfer and further Processing is: To provide the Services to Controller pursuant to the Agreement and as may be further agreed upon by Controller and Processor.

  7. Storage Limitation

The period during which the Personal Data will be Processed, or, if that is not possible, the criteria used to determine that period: The duration is defined in this DPA.

  8. Sub-processor (if applicable)

For Processing by sub-processors, specify subject matter, nature, and duration of the Processing: To provide Processing system capability to Processor (as described in Schedule 5) to provide the Services described in the Agreement.  

C. Competent Supervisory Authority

Identify the competent supervisory authority/ies in accordance with clause 13 of the SCCs.

Where the data exporter is established in an EU Member State: the supervisory authority of the country in which the data exporter is established is the competent authority.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of the GDPR: The competent supervisory authority is the one of the Member State in which the representative is established.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) without, however, having to appoint a representative pursuant to Article 27(2) of the GDPR: The competent supervisory authority is the supervisory authority of Ireland.

Schedule 2. TECHNICAL AND ORGANIZATIONAL MEASURES

Processor has implemented the following technical and organizational measures (including any relevant certifications when applicable) to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, as well as the risks for the rights and freedoms of natural persons:

1) Organizational management and dedicated staff responsible for the development, implementation, and maintenance of Processor’s information security program.

2) Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Processor’s organization, monitoring and maintaining compliance with Processor’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.

3) Utilization of commercially available and industry standard encryption technologies for Covered Data that is:

a) being transmitted by Processor over public networks (i.e., the Internet) or when transmitted wirelessly; or

b) at rest or stored on portable or removable media (i.e., laptop computers, CD/DVD, USB drives, back-up tapes).

4) Data security controls which include at a minimum, but may not be limited to, logical segregation of data, logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g., granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review, and revoking/changing access promptly when employment terminates or changes in job functions occur).

5) Password controls designed to manage and control password strength, expiration and usage, including prohibiting users from sharing passwords and governing the passwords that Processor assigns to its employees; controls include appropriate password security requirements, and specific time and use limitations for passwords.

6) System audit or event logging and related monitoring procedures to proactively record user access and system activity for routine review.

7) Physical and environmental security of data center, server room facilities and other areas containing Personal Data designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor, and log movement of persons into and out of Processor facilities, and (iii) guard against environmental hazards such as heat, fire, and water damage.

8) Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems according to prescribed internal and adopted industry standards, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Processor’s possession.

9) Change management procedures and tracking mechanisms designed to test, approve, and monitor all changes to Processor’s technology and information assets.

10) Incident / problem management procedures designed to allow Processor to investigate, respond to, mitigate, and notify of events related to Processor’s technology and information assets.

11) Network security controls that provide for the use of firewall systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.

12) Vulnerability assessment, patch management and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate, and protect against identified security threats, viruses, and other malicious code.

13) Business resiliency/continuity plan and procedures designed to maintain service and/or recovery from foreseeable emergency situations or disasters.

Schedule 3. STANDARD CONTRACTUAL CLAUSES

A. EU SCCs

The Standard Contractual Clauses will apply to any Processing of Covered Data that is subject to the GDPR. For the purposes of the Standard Contractual Clauses:

  1. Module Two will apply in the case of the Processing under clause 3.1(a)(i) of the DPA and Module Three will apply in the case of Processing under clause 3.1(a)(ii) of the DPA.
  2. Clause 7 of the Standard Contractual Clauses (Docking Clause) does not apply.
  3. Clause 9(a) option 2 (General written authorization) is selected, and the time period to be specified is determined in clause 5.3 of the DPA.
  4. The option in Clause 11(a) of the Standard Contractual Clauses (Independent dispute resolution body) does not apply.
  5. With regard to Clause 17 of the Standard Contractual Clauses (Governing law), the Parties agree that option 1 will apply and the governing law will be the law of the Republic of Ireland.
  6. In Clause 18 of the Standard Contractual Clauses (Choice of forum and jurisdiction), the Parties submit themselves to the jurisdiction of the courts of the Republic of Ireland.
  7. For the purpose of Annex I of the Standard Contractual Clauses, Schedule 1 of the DPA contains the specifications regarding the parties, the description of transfer, and the competent supervisory authority.
  8. For the Purpose of Annex II of the Standard Contractual Clauses, Schedule 2 of the DPA contains the technical and organizational measures.
  9. The specifications for Annex III of the Standard Contractual Clauses are determined by clause 5.1 of the DPA. The Sub-processor’s contact person’s name, position and contact details will be provided by Processor upon request.
  2. UK Addendum

This UK Addendum will apply to any Processing of Covered Data that is subject to the UK GDPR or to both the UK GDPR and the GDPR.

  1. As used in this UK Addendum:

“Approved Addendum” means the template addendum, version B.1.0 issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018 and laid before the UK Parliament on 2 February 2022, as it may be revised according to Section 18 of the Mandatory Clauses.

“Mandatory Clauses” means “Part 2: Mandatory Clauses” of the Approved Addendum.

  1. With respect to any transfers of Covered Data falling within the scope of the UK GDPR from Controller (as data exporter) to Processor (as data importer):
  1. the Approved Addendum as further specified in this Schedule 5 will form part of this DPA, and the Standard Contractual Clauses will be read and interpreted in light of the provisions of the Approved Addendum, to the extent necessary according to Clause 12 lit. 1 of the Mandatory Clauses;
  2. In deviation from Table 1 of the Approved Addendum and in accordance with Clause 17 of the Mandatory Clauses, the parties are further specified in Schedule 1,A. of this DPA.
  3. The selected Modules and Clauses to be determined according to Table 2 of the Approved Addendum are further specified in this Schedule as amended by the Mandatory Clauses.
  4. Annex 1 A and B of Table 3 to the Approved Addendum are specified by Schedule 1 of this DPA, Annex II of the Approved Addendum is further specified by Schedule 2 of this DPA, and Annex III of the Approved Addendum is further specified by Schedule 1,B.10 of this DPA.
  5. Processor (as data importer) may end this DPA, to the extent the Approved Addendum applies, in accordance with clause 19 of the Mandatory Clauses;
  6. Clause 16 of the Mandatory Clauses will not apply.
  3. Swiss Addendum

This Swiss Addendum will apply to any Processing of Covered Data that is subject to Swiss Data Protection Laws (as defined below) or to both Swiss Data Protection Laws and the GDPR.

  1. Interpretation of this Addendum
  1. Where this Addendum uses terms that are defined in the Standard Contractual Clauses, those terms will have the same meaning as in the Standard Contractual Clauses. In addition, the following terms have the following meanings:

“This Addendum” means this Addendum to the Clauses.

“Clauses” means the Standard Contractual Clauses as further specified in this Schedule.

“Swiss Data Protection Laws” means the Swiss Federal Act on Data Protection of 19 June 1992 and the Swiss Ordinance to the Swiss Federal Act on Data Protection of 14 June 1993, and any new or revised version of these laws that may enter into force from time to time.

  1. This Addendum will be read and interpreted in the light of the provisions of Swiss Data Protection Laws, and so that it fulfils the intention for it to provide the appropriate safeguards as required by Article 46 GDPR and/or Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be.
  2. This Addendum will not be interpreted in a way that conflicts with rights and obligations provided for in Swiss Data Protection Laws.
  3. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
  2. Hierarchy

In the event of a conflict or inconsistency between this Addendum and the provisions of the Clauses or other related agreements between the Parties, existing at the time this Addendum is agreed or entered into thereafter, the provisions which provide the most protection to Data Subjects will prevail.

  3. Incorporation of the Clauses
  1. In relation to any Processing of Personal Data subject to Swiss Data Protection Laws or to both Swiss Data Protection Laws and the GDPR, this Addendum amends the DPA, including the Standard Contractual Clauses, to the extent necessary so they operate:
  1. for transfers made by the data exporter to the data importer, to the extent that Swiss Data Protection Laws or Swiss Data Protection Laws and the GDPR apply to the data exporter’s Processing when making that transfer; and
  2. to provide appropriate safeguards for the transfers in accordance with Article 46 of the GDPR and/or Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be.
  1. To the extent that any Processing of Personal Data is exclusively subject to Swiss Data Protection Laws, the amendments to the DPA including the SCCs, as further specified in this Schedule and as required by clause 3.1 of this Swiss Addendum, include (without limitation):
  1. References to the "Clauses" or the "SCCs" mean this Swiss Addendum as it amends the SCCs.
  2. Clause 6 Description of the transfer(s) is replaced with:

"The details of the transfer(s), and in particular the categories of Personal Data that are transferred and the purpose(s) for which they are transferred, are those specified in Schedule 1 of this DPA where Swiss Data Protection Laws apply to the data exporter’s Processing when making that transfer."

  1. References to "Regulation (EU) 2016/679" or "that Regulation" or "GDPR" are replaced by "Swiss Data Protection Laws", and references to specific Article(s) of "Regulation (EU) 2016/679" or "GDPR" are replaced with the equivalent Article or Section of Swiss Data Protection Laws to the extent applicable.
  2. References to Regulation (EU) 2018/1725 are removed.
  3. References to the "European Union", "Union", "EU" and "EU Member State" are all replaced with "Switzerland".
  4. Clause 13(a) and Part C of Annex I are not used; the "competent supervisory authority" is the Federal Data Protection and Information Commissioner (the "FDPIC") insofar as the transfers are governed by Swiss Data Protection Laws.
  5. Clause 17 is replaced to state:

"These Clauses are governed by the laws of Switzerland insofar as the transfers are governed by Swiss Data Protection Laws".

  1. Clause 18 is replaced to state:

"Any dispute arising from these Clauses relating to Swiss Data Protection Laws will be resolved by the courts of Switzerland. A Data Subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland in which he/she has his/her habitual residence. The Parties agree to submit themselves to the jurisdiction of such courts."

Until the entry into force of the revised Swiss Data Protection Laws, the Clauses will also protect Personal Data of legal entities and legal entities will receive the same protection under the Clauses as natural persons.

  1. To the extent that any Processing of Personal Data is subject to both Swiss Data Protection Laws and the GDPR, the DPA including the Clauses as further specified in this Schedule will apply (i) as is and (ii) additionally, to the extent that a transfer is subject to Swiss Data Protection Laws, as amended by clauses 3.1 and 3.3 of this Swiss Addendum, with the sole exception that Clause 17 of the SCCs will not be replaced as stipulated under clause 3.3(b)(vii) of this Swiss Addendum.
  2. Controller warrants that it and/or Controller Affiliates have made any notifications to the FDPIC which are required under Swiss Data Protection Laws.

4.0 CALIFORNIA ADDENDUM (California, USA)

4.1 The following additional provisions apply to Processor acting as a Service Provider regarding the Processing of Covered Data which may include Personal Information (as defined under the CCPA/CPRA) that is lawfully subject to the CCPA and/or CPRA, as applicable.


  1. Definitions:  Unless otherwise indicated in this DPA, the capitalized terms used in this section shall have the meaning assigned to them in the California Privacy Rights Act (“CPRA” or the “Act”), codified at Cal. Civ. Code §1798.100 et seq., effective January 1, 2023.
  1. “Business Purpose(s)” means Processing Personal Information on behalf of Controller for the following purposes: (i) to provide the Services as specifically defined in the Agreement; (ii) to detect security incidents or protect the Personal Information against malicious, deceptive, fraudulent or illegal activity; or (iii) otherwise as expressly permitted by the CPRA or the CPRA Regulations.
  1. “CCPA” means Title 1.81.5 California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100–1798.199), as amended or superseded from time to time.
  1. “Consumer” means a California resident (a) who is a natural person, and (b) whose Personal Information is Processed by Service Provider on Controller’s behalf for the purposes stated in the Agreement and this DPA.
  1. “CPRA Regulations” means final regulations implementing the CPRA after those regulations go into effect.
  1. “Personal Information” shall have the meaning set forth in the CPRA but shall be limited to Personal Information of California Consumers which Service Provider Processes on Controller’s behalf pursuant to the Agreement and this DPA.
  1. Processing Of Personal Information: Controller is a Business and appoints Processor as its Service Provider (as defined under the CPRA) to Process Personal Information only for the Business Purposes. Service Provider shall comply with all applicable sections of the CPRA and/or the CPRA Regulations, including providing the same level of protection for Personal Information as the CPRA requires Controller, as a Business, to provide.  Service Provider grants Controller the right to take reasonable and appropriate steps to help ensure that Service Provider uses Personal Information consistent with the CPRA and to stop and remediate unauthorized use of Personal Information.
  1. Restrictions On Processing Personal Information: Service Provider is prohibited from: (i) Processing Personal Information for any purposes other than the Business Purposes; (ii) Processing Personal Information for any additional commercial purpose (other than the Business Purposes), including in the servicing of a different business, unless otherwise expressly permitted by the CPRA or the CPRA Regulations; (iii) Processing Personal Information outside the direct business relationship between Controller and Service Provider unless otherwise expressly permitted by the CPRA or the CPRA Regulations; (iv) Selling or Sharing Personal Information; (v) combining Personal Information with personal information that it receives from, or on behalf of, another person or persons, or Collects from its own interaction with a Consumer (except as permitted by the CPRA Regulations); or (vi) Processing the Personal Information for any other purpose except as permitted by this DPA.
  1. Inability To Comply With CPRA:  Service Provider shall, within five (5) business days, notify Controller after Service Provider determines that it no longer can meet its obligations under this Addendum, the CPRA or the CPRA Regulations. In the event of Service Provider’s inability to meet its obligations, Controller may, in its discretion, (i) take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Information, or (ii) terminate the Service Agreement.

4. PROCESSOR’S ADDITIONAL SUPPLEMENTARY MEASURES

Processor further commits to implementing additional supplementary measures based on guidance provided by EU supervisory authorities in order to enhance the protection of Covered Data in relation to the Processing in a third country. Processor’s additional supplementary measures shall include appropriate technical and organizational measures to provide the Controller with assurances regarding the privacy and security of Covered Data. Upon written request, Processor shall provide Controller with applicable details and specifications regarding the implementation and maintenance of additional technical and organizational measures as required by Applicable Data Protection Laws.

5. SUB-PROCESSORS

| Sub-processor | Address | Location | Data processed | Purpose | Retention | Deletion |
|---|---|---|---|---|---|---|
| Amazon Web Services, Inc. (AWS) | Amazon Web Services, Inc, 410 Terry Ave N, Seattle, WA 98109 | US | Data processed depends on what Controller determines (typically name and email) | Cloud hosting and infrastructure | Duration of services and up to 45 days post | Individual users can be forgotten by the process outlined here. For a client churn, the deletion process would need to be initiated by the infrastructure team. |
| Bugsnag, Inc., a subsidiary of SmartBear Software | 450 Artisan Way, 4th Floor, Somerville, MA 02145 | US | Error messages and stack traces, retained for 60 days | Platform error monitoring | 60 days | Data will automatically delete after 60 days |
| Cloudinary Ltd. | 3400 Central Expressway, Suite 110, Santa Clara, CA 95051, USA | US | Image content | Image hosting | Duration of services and up to 45 days post | Deletion process would need to be initiated by the infrastructure team |
| SendGrid (Twilio, Inc.) | Twilio Inc., 101 Spear St, Ste 500, San Francisco, CA 94105 | US | Email, first name, last name, email content | Emails triggered from the platform are sent via SendGrid | 5 days | Data will automatically delete after 5 days |
| Stripe, Inc. | 510 Townsend Street, San Francisco, CA 94103-4918 | US | Name, billing address, credit card information | End-user / Learner payment processing | Duration of services and up to 45 days post | User can remove their information in our self-service subscription management portal |
| Qdrant Solutions GmbH | Chausseestraße 86, 10115 Berlin | US | Text content of knowledge sources, search queries | Search engine | Duration of services and up to 45 days post | Deletion process would need to be initiated by the infrastructure team |
| OpenAI, L.L.C. | 3180 18th Street, San Francisco, CA 94110 | US | Text content of knowledge sources, search queries | Text generation | 30 days | Data will automatically delete after 30 days |
| Apify Technologies s.r.o. | Vodickova 704/36, 110 00 Prague 1, Czech Republic | US | Text content of knowledge sources | Data proxying | 26 hours | Data will automatically delete after 26 days |
| Langfuse GmbH | Gethsemanestraße 4, 10437 Berlin, Germany | US | Text content of knowledge sources, search queries | Platform error monitoring | 15 days | Data will automatically delete after 15 days |
| Zenleads Inc. d/b/a Apollo.io | 440 N Barranca Ave #4750, San Francisco, CA | US | Domain name of managers | Data enrichment | 30 days | Data will automatically delete after 30 days |