Data Processing Agreement
Last Updated: October 11, 2023
This Data Processing Agreement (“DPA”) is made and entered into by and between Bold LLC (“Controller”) and you, the Vendor (“Processor”), as defined in the Master Service Agreement or as identified in any other written or electronic agreement signed between the Parties (herein referred to as the “Agreement” or “MSA”) (hereinafter each individually referred to as a “Party” and collectively as the “Parties”), effective as of the date the Agreement was signed or the date of the first Data Transfer, whichever occurred earlier.
WHEREAS, Processor provides certain services to the Controller as detailed in the Agreement executed by the Parties;
WHEREAS, in relation to the performance of the services upon the Controller’s instructions, the Processor will process the personal data on behalf of the Controller within the scope specified in this Data Processing Agreement;
WHEREAS, the purpose of this DPA is to determine the terms and conditions of the processing of personal data by the Processor on behalf of the Controller; and
WHEREAS, in concluding this DPA, the Parties seek to regulate the terms of personal data processing to ensure their full compliance with the provisions of the applicable Data Protection Laws, as amended from time to time, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
NOW, THEREFORE, the Parties hereto acknowledge and agree to enter this DPA reading as follows:
- Definitions and Interpretation
- Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
- “Controller Personal Data” means any Personal Data Processed by a contracted Processor on behalf of Controller pursuant to or in connection with the Agreement;
- “Data Protection Laws” means all applicable data protection, cybersecurity, and privacy laws and regulations to which the Parties are subject, in particular, but not limited to, in respect of the European Union the Regulation (EU) no. 2016/679 – the General Data Protection Regulation (“GDPR” or “EU GDPR”), in respect of the United Kingdom the Data Protection Act 2018 and the EU GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK-GDPR”), in respect of Switzerland the Swiss Federal Act on Data Protection and its implementing regulations (“Swiss FADP”), in respect of Brazil the General Personal Data Protection Act (“LGPD”), in respect of the United States (“US Data Protection Laws”) the California Consumer Privacy Act (“CCPA”) and subsequent California Privacy Rights Act (“CPRA”), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act (and any other state or federal data protection laws adopted after executing this DPA), in each case as may be amended, superseded or replaced from time to time.
- “EEA” means the European Economic Area;
- “Data Transfer” means:
- a transfer of Controller Personal Data from the Controller to a contracted Processor; or
- an onward transfer of Controller Personal Data from a contracted Processor to a Sub-processor, or between two establishments of a contracted Processor, in each case by abiding by the terms of the data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws;
- “Services” means the services related and to be provided to the Controller as detailed in the Agreement executed by the Parties.
- “Standard Contractual Clauses” (or “SCC”, “EU SCC”) means the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021; as may be amended, superseded, or replaced from time to time.
- “Sub-processor” means any party appointed by or on behalf of Processor to process Controller Personal Data in connection with the Agreement.
- The terms, “Commission,” “Controller,” “Data Subject,” “Member State,” “Personal Data,” “Personal Data Breach,” “Processing,” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
- Entrustment of Personal Data Processing
- Controller entrusts the Processor with Controller Personal Data for processing, on the terms and for the purpose specified in this Agreement.
- Processor undertakes to process the entrusted Personal Data in compliance with this DPA, the Data Protection Laws, and other provisions of generally applicable laws protecting the rights of data subjects. The Processor shall process the Personal Data only on documented instructions from the Controller.
- Processor represents it applies security measures that meet the Data Protection Laws requirements. The technical and organizational measures that Processor has implemented are listed in Annex II to this DPA.
- Scope and Purpose of Personal Data Processing
- Processor shall process the categories of data indicated below for the data subjects described in Annex I(B)(1) attached hereto (“Data Subjects”):
- types of personal data: as provided in the MSA and/or any other written or electronic agreement signed between the parties (“Personal Data”)
- The Personal Data shall be processed by the Processor only for the purpose and in scope of the Services performed under the Agreement.
- Technical and organizational measures
- Processor undertakes to secure the Personal Data by applying appropriate technical and organizational measures ensuring an adequate level of security corresponding to the risks related to processing of the Personal Data under GDPR Article 32 and applicable Data Protection Laws.
- In particular, Processor lays down technical and organizational measures indicated in Annex II to this DPA. Due to ongoing technical progress and further development, Processor may implement alternative adequate measures for a limited period of time. For permanent implementation, Processor is obliged to receive consent from the Controller. In any case, the secured level of the defined measures must not be reduced.
- Processor undertakes to apply due diligence when processing the Personal Data, including but not limited to carrying out data protection impact assessments (“DPIAs”) as needed, or assisting Controller in its DPIAs.
- Processor shall immediately inform the Controller if, in its opinion, an instruction from the Controller infringes the GDPR, other Union or Member State data protection provisions, or applicable Data Protection Laws or cannot be executed by the Processor in alignment with Data Protection Laws.
- Processor shall regularly monitor its internal processes and technical and organizational measures to ensure the processing is in accordance with the applicable Data Protection Laws and this DPA.
- Due care and other obligations of the Processor
- The Processor shall comply with Data Protection Laws and good practices when carrying out this DPA. In particular, Processor ensures compliance with the following requirements:
- only process the Personal Data in order to provide the Services and act only in accordance with the Controller’s written instructions as represented by the Master Service Agreement or any other written or electronic agreement and this DPA;
- notify the Controller in the unlikely event that applicable law requires Processor to process Personal Data other than pursuant to Controller’s written instructions (unless prohibited from so doing by applicable law);
- ensure only persons authorized and properly trained by the Processor process Personal Data and that such persons have committed themselves to confidentiality (under GDPR Article 28(3)(b) or applicable Data Protection Laws); the Processor shall ensure that access to the Personal Data is only provided to those employees and contractors who, due to the scope of their duties, are involved in the rendition of the Services under the Agreement;
- maintain appropriate records of all categories of processing activities related to the Personal Data carried out on behalf of Controller and present evidence of the records when requested by Controller;
- if required, appoint a data protection officer (“DPO”) under GDPR Art. 37 or any other Data Protection Law, or, if a DPO has been voluntarily appointed, disclose to Controller such DPO’s name and contact information;
- to the extent possible and in the necessary scope, assist Controller in fulfilment of Controller’s duty to respond to Data Subject requests and other duties embodied in GDPR Articles 32-36 within such timeframe and before such due date as reasonably determined by Controller to comply with GDPR or the applicable Data Protection Laws;
- provide Controller with adequate cooperation and assistance needed to fulfil its obligations under applicable Data Protection Laws to carry out risk assessments, in particular DPIAs related to Controller’s use of the Services;
- assist the Controller by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests relating to the exercise of a Data Subject’s rights. In particular, the Processor shall forward any requests received and provide all necessary information to the Controller without undue delay and in a timeframe that allows the Controller to fulfil its obligation to answer the request, in no event later than one month of receipt of such request. If the Processor cannot provide all necessary information within the prescribed period, it shall inform the Controller without undue delay and before the expiration of the prescribed period, together with justified reasons for the delay; and
- not rectify, erase, or restrict Personal Data processed on behalf of Controller, on its own authority, unless it is required by MSA or Data Protection Laws.
- Deletion and return of Personal Data
- After the completion of processing-related activities under the Agreement, or when requested by the Controller, Processor shall either return or delete (at the discretion of the Controller) the Personal Data and all copies thereof within a reasonable time which shall not exceed thirty (30) calendar days, unless Processor is required to store the Personal Data as an exception under applicable Data Protection Laws, and then only for such time as provided under the applicable exception.
- Documentation of proper data processing shall be kept by the Processor beyond the termination of the contractual relationship between the Parties in accordance with relevant Data Protection Laws. The Processor may share such documentation with the Controller after expiration of the Agreement, upon request.
- Processor shall notify the Controller if it receives a Data Subject request and shall not respond to a Data Subject request without the Controller’s prior written consent, except to confirm that such request relates to the Controller. To the extent the Controller does not have the ability to address a Data Subject request, the Processor shall provide reasonable assistance to facilitate the Data Subject request, to the extent the Processor is able to do so consistently with Data Protection Laws.
- Processor shall assist Controller in completing Data Subject deletion requests within thirty (30) days from receipt of the request. If Processor cannot fulfil a deletion request within that thirty (30) day period, Processor will inform Controller within twenty-five (25) days of the specific reasons why the request cannot be fulfilled and will complete the request within no more than forty-five (45) days.
- Data Breach notification and cooperation
- Processor ensures an appropriate level of protection through technical and organizational measures that allow prompt detection of events which constitute or may constitute a Personal Data Breach, and that allow the probability and severity of a possible infringement of Data Protection Laws to be assessed in light of the specific circumstances and purposes of the processing.
- Processor implements and maintains data breach mitigation measures and policies that comply with applicable Data Protection Laws.
- In the case of a Personal Data breach or suspicion thereof (“Data Breach”), Processor shall without undue delay and no later than twenty-four (24) hours after having become aware of it, notify the Controller and present all necessary information so Controller can notify the applicable supervisory authority, and ensure that Controller can participate in the investigation and inform the Controller of any findings as soon as they are made.
- Processor shall promptly provide the Controller with reasonable cooperation and assistance in respect of the Data Breach during any applicable proceeding or investigation.
- Processor shall investigate any Personal Data Breach and take appropriate measures to mitigate its effects and, with Controller’s prior consent, carry out recovery or other adequate measures necessary to remedy and eliminate the Personal Data Breach.
- Processor shall assist the Controller by taking appropriate and adequate measures with regard to Controller’s obligation to inform interested parties in case of Personal Data Breach.
- Unless required by applicable Data Protection Laws, Processor shall not make any public announcement about Personal Data Breach that references the Controller without:
- the prior written consent of the Controller; and
- prior written approval by the Controller of the content, media, and timing of the Data Breach communication.
- Right to Audit
- Controller has the right to inspect and confirm compliance with GDPR and/or other Data Protection Laws, as applicable, and review the measures taken by the Processor to process Personal Data at least on a yearly basis. The Controller, or persons engaged by it, may enter Processor’s premises where the Personal Data is processed and access documentation related to Personal Data processing.
- Processor shall provide Controller with all information requested by the Controller necessary to demonstrate compliance with GDPR Article 28 requirements. Controller may request Processor to provide information regarding data processing and records of processing activities (“ROPA”).
- Processor shall allow Controller, or persons engaged by it, to conduct audits or inspections. Processor shall fully cooperate with Controller’s audits or inspections.
- Controller will exercise the right to conduct inspections during the Processor’s working hours and with at least five (5) days’ prior written notice (including notice delivered in electronic form).
- Processor shall address deficiencies discovered during the audits within a reasonable time limit as indicated by the Controller.
- Sub-Processing and Third Country Transfers
- Processor is allowed to entrust the Personal Data covered by this Agreement for further processing to third parties from an agreed list, under a written data sub-processing agreement. Processor shall notify Controller of any intended additions to the list at least fifteen (15) days in advance of any engagement, to provide Controller sufficient time to make any objection.
- Controller has the right to raise an objection against entrusting the Personal Data to a specific Sub-processor. If such objection is raised, the Processor may not entrust the Personal Data to the Sub-processor referenced by the objection, and in case the objection refers to the existing Sub-processor, the Processor shall promptly discontinue entrusting Personal Data to such Sub-processor. Processor shall timely notify Controller of any doubts as to the legitimacy of the objection and potential adverse consequences thereof, ensuring processing continuity.
- A Sub-processor must provide for the same guarantees and perform the same obligations as provided for and imposed on the Processor hereunder.
- Processor is fully liable towards Controller for a Sub-processor’s failure to properly perform the Sub-processor duties under the GDPR and will be responsible for verifying Sub-processor’s compliance on a regular basis (minimum once a year).
- Processor may transfer Personal Data entrusted thereto by the Controller outside the EU and/or the European Economic Area (both directly and through employing the services of a Sub-processor), or outside the country where the Data Protection Law applies, only with Controller’s prior consent. The Personal Data transfer outside the EEA or the country where the Data Protection Law applies shall be performed in accordance with the GDPR and/or other applicable Data Protection Laws or regulations.
- If Controller grants consent for transferring the entrusted Personal Data outside the EEA or outside the country where the Data Protection Law applies, then Processor shall take any/all necessary safeguards to ensure the processing complies with the GDPR and/or other applicable Data Protection Law or regulation.
- Processor’s Liability
- Processor is liable for processing of the Personal Data and performing the Services under the Agreement in a manner non-compliant with the terms of the Agreement or this DPA, as well as with applicable Data Protection Laws – in particular, for providing unauthorized persons with access to the entrusted Personal Data.
- Processor undertakes to immediately inform Controller, upon having knowledge, of the following:
- any proceedings, in particular administrative or court proceedings, concerning the processing of the entrusted Personal Data;
- any administrative decision or judgement concerning processing of entrusted Personal Data addressed to the Processor or the Controller;
- any planned (if known) or conducted audits and inspections concerning the processing of the entrusted Personal Data within the Processor’s organization, in particular those conducted by any other competent supervisory authority.
- any order, demand, or document purporting to request, demand or compel the production of Personal Data to any third party, including, but not limited to, the government for surveillance and/or other purposes; and Processor shall not disclose Personal Data to the third party without providing the Controller at least forty-eight (48) hours’ notice, so that, to the extent legally permitted, Controller may, at its own expense, exercise such rights as it may have under applicable Data Protection Laws to prevent or limit such disclosure.
- For avoidance of doubt, the above section applies only to the Personal Data entrusted by the Controller.
- Term
- This DPA remains in force for the term of performance of the Services under the Agreement, and for any reasonable amount of time thereafter in order to effect any processing or management of data which shall take place following the termination of the Agreement.
- Termination
- Controller has the right to terminate this DPA with immediate effect if the Processor:
- failed to timely remedy the deficiencies determined in the course of an audit, despite being obliged to do so;
- processed the Personal Data in any manner which is contrary to the DPA, the GDPR, Data Protection Laws or other applicable provisions of law or regulation;
- entrusted Personal Data processing to another entity without prior notice to Controller;
- transferred Personal Data to a third country or an international organization outside the European Economic Area without informing the Controller; or
- Processor, and any Sub-processor contracted by such Processor, has ceased conducting Personal Data processing activities concerning the entrusted data.
- Confidentiality
- Processor undertakes to preserve the confidentiality of any information, data, materials, documents, and the Personal Data received from the Controller and from entities cooperating with the Controller, and data obtained in any other way, intended or accidental, in verbal, written, or electronic form.
- Processor represents that, due to the Processor’s obligation to keep the Personal Data confidential, such data will not be used, disclosed, or made available without prior written consent from the Controller, other than in pursuance of the implementation of this DPA, unless required by the DPA or relevant provisions of law or regulations.
- The Parties undertake to apply best efforts to ensure that the means of communication used for receiving, transferring, and storing data guarantee their protection against unauthorized access by third parties.
- Data transfers
- Processor shall only process, or permit the processing of, Controller Personal Data subject to EU GDPR, UK GDPR, and/or Swiss FADP outside the EEA, the UK and/or Switzerland (“Restricted Transfer”) under one of the following conditions:
- Processor processes Personal Data in a country that offers an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the European Union, the Member States or the European Commission, the UK, and/or Switzerland in accordance with applicable Data Protection Laws, or
- Processor participates in a valid cross-border transfer mechanism under the Data Protection Laws for countries which have not been subject to a relevant adequacy decision, and such transfers are performed through an alternative recognized compliance mechanism as may be adopted for the lawful transfer of personal data, in particular the Standard Contractual Clauses (where the Controller is the entity sharing or otherwise transferring Personal Data to the Processor outside the EEA/UK/Switzerland), and the Parties complete all relevant details in the Annexes attached to this DPA and take all other actions required to legitimize the transfer; or
- Processor applies other applicable data transfer mechanisms permitted under the relevant Data Protection Laws.
- In the event processing is covered by more than one transfer mechanism, the transfer of Controller Personal Data subject to EU GDPR, UK GDPR, and/or Swiss FADP will be subject to a single transfer mechanism in the following order: (i) adequacy decisions, (ii) the applicable Standard Contractual Clauses; and if neither is applicable, then (iii) other applicable data transfer mechanisms permitted under Data Protection Laws.
- When the Data Transfer of Controller Personal Data subject to EU GDPR, UK GDPR, and/or Swiss FADP is based on the transfer mechanism specified in item (ii) above, the EU SCC (as amended or replaced from time to time), or any other applicable set of personal data transfer rules, are incorporated into this DPA by reference (forming an integral part hereof) and shall apply to such Data Transfer, subject to the additional provisions and rules specified in Schedule 1. In case of any conflict between this DPA and the incorporated EU SCC, the terms of the EU SCC govern.
- Final Provisions
- This DPA, if executed in physical copies, will be drawn up in two counterparts, one for each Party.
- All matters not regulated by this DPA are subject to the provisions of EU GDPR and/or applicable Data Protection Laws. In case of discrepancies between this DPA and the MSA, the provisions of this DPA shall prevail.
- The jurisdiction to settle any disputes which may arise on the grounds of this DPA, will be granted to the common court competent for the registered office of the Processor. Nonetheless, the laws of Luxembourg shall apply when the Processor is subject to the Standard Contractual Clauses hereby referenced.
- Each Party to this DPA warrants it has the authority to enter into this DPA for itself and its affiliates and has caused this DPA to be signed in its name and on its behalf by its representative thereunto duly authorized as of the day and year first above written.
- All notices and communications given under this DPA must be in writing and will be delivered personally, sent by post, or sent by email (with confirmation of receipt) to the address or email address set out in the Agreement, or to such other address as notified from time to time by a Party changing its address.
SCHEDULE 1
Restricted Transfers
PART 1 – EU RESTRICTED TRANSFERS
These additional rules apply when there is a Restricted Transfer of Controller Personal Data subject to EU GDPR based on the EU SCC:
- Module 2 of the EU SCCs shall apply.
- Clause 7 of the EU SCCs (Docking Clause) is omitted.
- In Clause 9 of the EU SCCs, Option 2 (General written authorisation) shall apply, and the time period for prior notice of Sub-processor changes shall be fifteen (15) calendar days.
- In Clause 11 of the EU SCCs, the optional language will not apply.
- In Clause 13 of the EU SCCs (Supervisory authority), the supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
- In Clause 17 of the EU SCCs, Option 1 shall apply, and the Parties agree that the EU SCCs shall be governed by the law of one of the EU Member States, provided such law allows for third party beneficiary rights. The Parties agree that this shall be the law of Luxembourg.
- In Clause 18(b) of the EU SCCs, disputes will be resolved before the courts of Luxembourg.
- The Annexes of the EU SCCs shall be deemed completed with the information set out in this DPA:
- Annex IA of the EU SCCs: List of Parties;
- Annex IB of the EU SCCs: Description of Transfer;
- Annex IC of the EU SCCs: Competent Supervisory Authority;
- Annex II of the EU SCCs: Technical and Organizational Measures; and
- Annex III of the EU SCCs: List of Sub-processors.
PART 2 – UK RESTRICTED TRANSFERS
These additional rules apply when there is a Restricted Transfer of Controller Personal Data subject to UK GDPR based on the EU SCC:
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
VERSION B1.0, in force 21 March 2022, as amended from time to time.
This Addendum has been issued by the Information Commissioner for Parties making UK and EU Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
AGREED TERMS
Table 1: Parties
| The Parties | Data Exporter (who sends the Restricted Transfer) | Data Importer (who receives the Restricted Transfer) |
| Parties’ details | As detailed in Annex IA of this DPA | As detailed in Annex IA of this DPA |
| Key contacts | As detailed in Annex IA of this DPA | As detailed in Annex IA of this DPA |
| Signature (if required for the purposes of Section 2) | By entering into the DPA, the Controller is deemed to have signed this Addendum and the SCCs incorporated into this DPA, including their Annexes, as of the Effective Date of the DPA. | By entering into the DPA, the Vendor is deemed to have signed this Addendum and the SCCs incorporated into this DPA, including their Annexes, as of the Effective Date of the DPA. |
Table 2: Selected SCCs, Modules and Selected Clauses
| Addendum EU SCCs | The Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum. |
| Module | Module in operation | Clause 7 (Docking Clause) | Clause 11 (Option) | Clause 9a (Prior Authorization or General Authorization) | Clause 9a (Time period) | Is Personal Data received from the Data Importer combined with Personal Data collected by the Data Exporter? |
| 2 | Yes | No | No | General | 15 days | n/a |
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex 1A: List of Parties: Annex IA of this DPA |
Annex 1B: Description of Transfer: Annex IB of this DPA |
Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data: Annex II of this DPA |
Annex III: List of Sub-processors (Modules 2 and 3 only): Annex III of this DPA |
Table 4: Ending this Addendum when the Approved Addendum changes
| Ending this Addendum when the Approved Addendum changes | Which Parties may end this Addendum as set out in Section 19: ☒ Importer ☒ Exporter ☐ Neither Party |
Alternative Part 2 Mandatory Clauses
| Mandatory Clauses | Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with section 119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses. These can be found here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/. |
PART 3 – SWISS RESTRICTED TRANSFERS
These additional rules apply when there is a Restricted Transfer of Controller Personal Data subject to Swiss FADP based on the EU SCC:
Provisions of section “Part 1 EU Restricted Transfers” above apply with the following modifications:
- any references in the EU SCCs to “Directive 95/46/EC” or “Regulation (EU) 2016/679” will be interpreted as references to the Swiss FADP, and references to specific Articles of “Regulation (EU) 2016/679” will be replaced with the equivalent article or section of the Swiss FADP;
- references to “EU”, “Union”, “Member State” and “Member State law” will be interpreted as references to Switzerland and Swiss law, as the case may be, and will not be interpreted in such a way as to exclude data subjects in Switzerland from exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the EU SCCs;
- Clause 13 of the EU SCCs and Part C of Annex 1 are modified to provide that the Federal Data Protection and Information Commissioner (“FDPIC”) of Switzerland will have authority over data transfers governed by the Swiss FADP. Subject to the foregoing, all other requirements of Clause 13 will be observed;
- references to the “competent supervisory authority” and “competent courts” will be interpreted as references to the FDPIC and competent courts in Switzerland;
- in Clause 17, the EU SCCs will be governed by the laws of Switzerland; and
- in Clause 18(b), disputes will be resolved before the competent courts of Switzerland.
ANNEX I
A. LIST OF PARTIES
1. Data exporter(s):
Name: Please refer to the entity contracting the services as detailed in the Master Service Agreement (“MSA”) or any other written or electronic agreement signed between the parties.
Address: Please refer to the contracting entity’s address as detailed in the MSA or any other written or electronic agreement signed between the parties.
Contact person’s name, position and contact details: Please refer to applicable MSA or any other written or electronic agreement signed between the parties.
Activities relevant to the data transferred under these Clauses: All activities as covered and described in the MSA or any other written or electronic agreement signed between the parties.
Role: Controller
2. Data importer(s):
Name: Please refer to the entity providing the services as detailed in the MSA or any other written or electronic agreement signed between the parties.
Address: Please refer to address of the entity providing the services as detailed in the MSA or any other written or electronic agreement signed between the parties.
Contact person’s name, position and contact details: Please refer to applicable MSA or any other written or electronic agreement signed between the parties.
Activities relevant to the data transferred under these Clauses: All activities as covered and described in the MSA or any other written or electronic agreement signed between the parties.
Role: Processor
B. DESCRIPTION OF TRANSFER
- Categories of data subjects whose personal data is transferred:
End-users, vendors, and/or employees (as provided in the MSA and/or any other written or electronic agreement signed between the parties)
- Categories of personal data transferred:
As provided in the MSA and/or any other written or electronic agreement signed between the parties.
- Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
N/A
- The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous
- Nature of the processing
Provision of online software services.
- Purpose(s) of the data transfer and further processing
In furtherance of the Service offered by the Controller in accordance with applicable Data Protection Laws, standards, and regulations.
- The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that.
Data will be retained for as long as the agreement between the parties is active or as required by applicable laws and regulations, or until such time as it is deleted per Controller’s instructions.
- For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
The subject matter for sub-processors will be conformed to the same limitations as provided on the MSA, DPA, or any other written agreement signed between the parties.
C. COMPETENT SUPERVISORY AUTHORITY
- Identify the competent supervisory authority/ies in accordance with Clause 13:
Where the EU GDPR applies: Luxembourg’s National Data Protection Commission (CNPD).
Where the UK GDPR applies: the UK Information Commissioner’s Office (ICO).
Where the Swiss FADP applies: the Federal Data Protection and Information Commissioner (FDPIC).
ANNEX II
TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Processor warrants and undertakes to implement all appropriate technical and organizational security measures at all times to ensure appropriate and sufficient level of security to protect Personal Data processed on behalf of the Controller against unlawful, unauthorized or accidental processing and loss, destruction, damage, alteration, disclosure or access, in particular when processing involves the transmission of Personal Data over a network.
Data importer shall, inter alia, as appropriate:
- to the extent possible, pseudonymize and encrypt the Personal Data it processes;
- ensure at all times the confidentiality, integrity, availability and resilience of processing systems and services;
- ensure at all times the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident; and
- regularly test, assess and evaluate the effectiveness of technical and organizational measures to ensure the security of the processing.
Data importer shall provide the Data exporter, upon request, with adequate proof of compliance and detailed description of technical and organizational measures (for example data access control, data transfer control, availability measures, data separation, relevant agreements and policies).
ANNEX III
List of Sub-processors
| Name | Address | Contact person’s name, position and contact details | Description of processing |