Data Processing Addendum
January 2nd, 2025
This Data Processing Addendum (“DPA”) supplements the Terms of Service (the “Agreement”) entered into by and between the customer signing this DPA (“Customer”) and CHATLAB Sp. z o.o. (“Company”). By executing the DPA in accordance with Section 11 herein, the Customer agrees to this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws (defined below), on behalf of its Affiliates (defined below), if any. This DPA incorporates the terms of the Agreement, and any terms not defined in this DPA shall have the meaning specified in the Agreement.
Definitions
- Data Exporter refers to the Customer.
- ex-EEA Transfer denotes the transfer of Personal Data, processed in accordance with the GDPR, from the Data Exporter to the Data Importer (or its premises) outside the European Economic Area (EEA), where such transfer is not covered by an adequacy decision issued by the European Commission under the relevant provisions of the GDPR.
- Company Usage Data encompasses data collected and processed by the Company in connection with providing the Services. This includes, but is not limited to, activity logs, data used to identify the source and destination of communications, and information used to optimize service performance and prevent abuse.
- Data Importer refers to the Company.
- Standard Contractual Clauses means both the EU SCCs and the UK SCCs.
- Authorized Sub-Processor refers to any third party that requires access to Customer’s Personal Data in order to enable the Company to fulfill its obligations under this DPA or the Agreement. Such entities must either (i) be listed in Exhibit B or (ii) be authorized subsequently in line with Section 4.2 of this DPA.
- Affiliate describes any entity that (i) directly or indirectly owns at least fifty percent (50%) of a party’s stock or equity interest, (ii) is at least fifty percent (50%) owned by a party, or (iii) is under common control with a party by having at least fifty percent (50%) of its stock or equity owned by the same individual or entity. An entity qualifies as an Affiliate only while this ownership exists.
- Data Protection Laws encompass all relevant laws and regulations related to the use or processing of Personal Data in applicable jurisdictions. These include, but are not limited to:
(i) the General Data Protection Regulation (GDPR) and its adaptations, such as the EU GDPR and UK GDPR;
(ii) the California Consumer Privacy Act (CCPA);
(iii) the Swiss Federal Act on Data Protection;
(iv) the UK Data Protection Act 2018;
(v) the Privacy and Electronic Communications (EC Directive) Regulations 2003.
The terms "controller," "processor," "processing," "supervisory authority," "Data Subject," "Personal Data," and "Personal Data Breach" are as defined in the GDPR.
- Company Account Data includes personal data related to the Company’s relationship with the Customer. This covers names, contact details of authorized individuals accessing the Customer’s account, billing information, and other data necessary for identity verification or compliance with applicable laws.
- EU SCCs refer to the standard contractual clauses issued by the European Commission in Decision 2021/914 of 4 June 2021, for data transfers to countries without an adequacy decision under GDPR. These clauses may be updated and modified per Section 6.2 of this DPA.
- UK SCCs means the EU SCCs as amended by the UK Addendum for data transfers under the UK GDPR and the Data Protection Act 2018.
- ex-UK Transfer describes the transfer of Personal Data subject to the UK GDPR and the Data Protection Act 2018 from the Data Exporter to the Data Importer (or its premises) outside the United Kingdom, where the transfer is not governed by an adequacy decision by the UK Secretary of State.
- Services shall carry the definition ascribed to it in the Agreement.
1. Relationship of the Parties; Processing of Data
- The parties agree that, concerning the processing of Personal Data, the Customer may act as either a controller or a processor, while the Company serves as a processor, except as explicitly stated in this DPA or the Agreement. The Customer must always process Personal Data and issue processing instructions in compliance with applicable Data Protection Laws when using the Services. The Customer is responsible for ensuring that its instructions for processing Personal Data do not lead to the Company violating Data Protection Laws. The Customer is solely accountable for the accuracy, quality, and legality of:
- Personal Data provided to the Company by or on behalf of the Customer,
- the means by which such Personal Data was acquired, and
- the instructions given to the Company regarding its processing.
- The Customer must not supply or make available to the Company any Personal Data that violates the Agreement or is unsuitable for the nature of the Services and agrees to indemnify the Company against any claims or losses arising from such actions.
- The Company shall only process Personal Data: (i) for purposes defined in the Agreement and Exhibit A, (ii) in line with the documented instructions provided by the Customer, including for international data transfers, unless required by law or a Supervisory Authority, in which case the Company shall notify the Customer unless prohibited by law for public interest reasons, or (iii) in compliance with applicable Data Protection Laws.
- The Customer authorizes the Company to process Personal Data as described above and as part of the Customer's use of the Services. The details of the processing, including its subject matter, nature, purpose, duration, types of Personal Data, and categories of Data Subjects, are outlined in Exhibit A of this DPA.
- Upon completion of the Services, the Company shall, at the Customer's request, either return or delete the Customer’s Personal Data unless further retention is required or permitted by law. If deletion or return is impracticable or prohibited, the Company will block the data from further processing, except as necessary for legal or regulatory compliance, and continue safeguarding the data appropriately. If the parties have entered into Standard Contractual Clauses (SCCs) as per Section 6, the Company will provide the certification of deletion required under Clauses 8.1(d) and 8.5 of the EU SCCs, but only upon the Customer’s request.
- The parties agree that, except for Company Account Data and Company Usage Data, the Company acts as a service provider under the CCPA (to the extent applicable) when processing personal information received from the Customer for providing the Services, which constitutes a business purpose. The Company shall not sell such personal information, nor shall it retain, use, or disclose it for purposes other than those necessary to perform the Services, as set forth in the Agreement, or as otherwise permitted by the CCPA. The terms "personal information," "service provider," "sale," and "sell" are defined in Section 1798.140 of the CCPA. The Company certifies that it understands and will adhere to the restrictions outlined in this section.
2. Confidentiality
- The Company shall ensure that any individual it authorizes to process Personal Data agrees to safeguard it in accordance with the Company's confidentiality obligations as outlined in the Agreement. The Customer acknowledges that the Company may share Personal Data with its advisers, auditors, or other third parties as reasonably necessary to fulfill its obligations under this DPA, the Agreement, or to provide Services to the Customer.
3. Authorized Sub-Processors
- The Customer acknowledges and agrees that the Company may:
- Engage its Affiliates and the Authorized Sub-Processors listed in the Sub-Processor List (defined below) to access and process Personal Data in relation to the Services, and
- Occasionally engage additional third parties to process Personal Data as required for providing the Services.
Through this DPA, the Customer grants the Company general written authorization to utilize sub-processors as needed to perform the Services.
4. Authorized Sub-Processors List
- A list of the Company’s current Authorized Sub-Processors (the "List") is available to the Customer at https://chatlab.com/subprocessors. The Company may update this List from time to time. The Company will provide a mechanism for subscribing to notifications (such as email alerts) about new Authorized Sub-Processors. If the Customer wishes to receive such notifications, it must subscribe through the provided mechanism. By choosing not to subscribe, the Customer waives any right to receive prior notice of changes to Authorized Sub-Processors.
- Before allowing any third party, other than existing Authorized Sub-Processors, to access or process Personal Data, the Company will update the List and notify subscribers, including the Customer, at least ten (10) days in advance through the aforementioned notifications.
- The Customer may object to the engagement of a new sub-processor by notifying the Company in writing within ten (10) days of receiving such notice, provided the objection is based on reasonable data protection concerns. The Customer acknowledges, however, that certain sub-processors are critical to delivering the Services, and objecting to their use may prevent the Company from continuing to provide the Services to the Customer. If the Customer raises a reasonable objection to an engagement as outlined in Section 4.2, and the Company is unable to offer a commercially viable alternative within a reasonable timeframe, the Customer may terminate its use of the affected Service by providing written notice to the Company. However, such termination does not exempt the Customer from any fees due to the Company under the Agreement.
- If the Customer does not object to the engagement of a third party as described in Section 4.2 within ten (10) days of receiving notice from the Company, that third party will be considered an Authorized Sub-Processor under this DPA.
- The Company will enter into a written agreement with each Authorized Sub-Processor, requiring the Sub-Processor to adhere to data protection obligations comparable to those outlined in this DPA regarding the safeguarding of Personal Data. If an Authorized Sub-Processor fails to meet its obligations under the agreement, the Company will remain liable to the Customer for the Sub-Processor’s performance of those obligations.
- If the Customer and the Company have agreed to Standard Contractual Clauses (SCCs) as outlined in Section 6 (Transfers of Personal Data):
- The above authorizations will be deemed the Customer’s prior written consent to the Company’s subcontracting of Personal Data processing, as required under the SCCs.
- The parties agree that any copies of agreements with Authorized Sub-Processors, required to be provided to the Customer under Clause 9(c) of the EU SCCs, may have commercial or non-relevant information redacted by the Company. Such copies will be shared with the Customer only upon request.
5. Security of Personal Data
- Considering the state of the art, implementation costs, and the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, the Company will implement and maintain appropriate technical and organizational measures to ensure a level of security suitable to the risks associated with processing Personal Data. Further details about the Company's technical and organizational security measures are provided in Exhibit C.
6. Transfers of Personal Data
- The parties agree that the Company may transfer Personal Data governed by this DPA outside the EEA, the UK, or Switzerland as needed to provide the Services. The Customer acknowledges that the Company primarily processes Personal Data in the United States, and transferring the Customer’s Personal Data to the United States is essential for delivering the Services. If the Company transfers Personal Data to a jurisdiction where no adequacy decision has been issued by the European Commission, it will implement appropriate safeguards to ensure compliance with Data Protection Laws.
- Ex-EEA Transfers: The parties agree that transfers of Personal Data from the EEA are governed by the EU SCCs, which are deemed incorporated into this DPA and completed as follows:
- Module One (Controller to Controller) applies when the Company processes Personal Data as a controller under Section 9 of this DPA.
- Module Two (Controller to Processor) applies when the Customer is a controller and the Company processes Personal Data on behalf of the Customer under Section 2 of this DPA.
- Module Three (Processor to Sub-Processor) applies when the Customer is a processor and the Company processes Personal Data on the Customer’s behalf as a sub-processor.
- For each applicable module:
- (i) The optional docking clause in Clause 7 does not apply.
- (ii) Clause 9 adopts Option 2 (general written authorization), and the minimum notice period for sub-processor changes is defined in Section 4.2 of this DPA.
- (iii) The optional language in Clause 11 is excluded.
- (iv) All square brackets in Clause 13 are removed.
- (v) Clause 17 (Option 1) specifies that Irish law governs the EU SCCs.
- (vi) Clause 18(b) designates the courts of Ireland for resolving disputes.
- (vii) Exhibit B includes the information required for Annex I and Annex III of the EU SCCs.
- (viii) Exhibit C provides the details required for Annex II of the EU SCCs.
- (ix) By signing this DPA, the parties agree to the EU SCCs, including their Annexes.
- Ex-UK Transfers: Transfers of Personal Data from the UK are governed by the UK SCCs, which are deemed incorporated into this DPA and amended by the UK Addendum, included as Exhibit D of this DPA.
- Transfers from Switzerland: Transfers from Switzerland are governed by the EU SCCs, with the following adjustments:
- (i) References to the "General Data Protection Regulation" or "Regulation (EU) 2016/679" include the Swiss Federal Act on Data Protection (FADP) and its revisions.
- (ii) The EU SCCs will protect the data of legal entities until the Revised FADP becomes effective.
- (iii) Clause 13 designates the Swiss Federal Data Protection and Information Commissioner (FDPIC) for FADP-governed transfers and the appropriate EU supervisory authority for GDPR-governed transfers.
- (iv) The term "EU Member State" does not exclude Swiss Data Subjects from exercising their rights under Clause 18(c) of the EU SCCs.
- Supplementary Measures: For ex-EEA or ex-UK Transfers, the following apply:
- As of this DPA’s effective date, the Data Importer has not received formal requests from government intelligence or security agencies for access to Customer’s Personal Data ("Government Agency Requests").
- If Government Agency Requests are received after this date, the Company will redirect such requests to the Customer and may share basic contact information with the requesting agency. If compelled to disclose Personal Data, the Company will notify the Customer (unless prohibited by law) and cooperate with the Customer to seek protective measures. The Company will not voluntarily disclose Personal Data to any law enforcement or government agency. The parties will evaluate whether transfers should be suspended in response to Government Agency Requests.
- The Data Exporter and Data Importer will collaborate as necessary to:
- Assess whether the laws of the Data Importer’s jurisdiction provide adequate protection for Data Subjects’ Personal Data.
- Identify additional measures to comply with Data Protection Laws.
- Determine whether transferring Personal Data to the Data Importer remains appropriate.
- If Data Protection Laws require the execution of separate Standard Contractual Clauses for specific transfers, the Data Importer will promptly execute them upon the Data Exporter’s request, incorporating necessary amendments to reflect the transfer’s details and applicable laws.
- If any transfer mechanisms in this DPA become invalid or require suspension per a supervisory authority’s direction, the Data Importer may, with notice, amend or implement alternative arrangements to comply with Data Protection Laws.
7. Rights of Data Subjects
- To the extent permitted by law, Company will notify Customer upon receiving any request from a Data Subject to exercise the right of access, rectification, erasure, data portability, restriction or cessation of processing, withdrawal of consent, or objection to automated decision-making (each such request, individually and collectively, a “Data Subject Request”). Should Company receive a Data Subject Request related to Customer’s data, it will instruct the Data Subject to direct the request to Customer. Customer bears sole responsibility for responding to all Data Subject Requests, including—where necessary—by using the functionality of the Services. Customer is also solely responsible for informing Company of any Data Subject Requests involving erasure, restriction or cessation of processing, or withdrawal of consent, and for maintaining any required records of consent for each Data Subject.
- At Customer’s request, and taking into account the nature of the processing relevant to the Data Subject Request, Company shall implement appropriate technical and organizational measures to assist Customer in fulfilling its obligations to respond to such requests and/or demonstrate compliance, to the extent (i) Customer is unable to do so independently, and (ii) Company is able to provide such assistance in accordance with applicable laws, rules, and regulations. To the extent legally permissible, Customer shall bear responsibility for any costs or expenses incurred by Company in providing this assistance.
8. Actions and Access Requests, Audits
- Company Assistance with DPIAs: Taking into account the nature of the processing and the information available to Company, Company shall provide Customer with reasonable cooperation and assistance as necessary for Customer to meet its GDPR obligations concerning data protection impact assessments and/or to demonstrate compliance, provided that Customer does not otherwise have access to the necessary information. To the extent legally permissible, Customer shall be responsible for any costs and expenses incurred by Company in providing such assistance.
- Assistance with Supervisory Authorities: Considering the nature of the processing and the information available to Company, Company shall offer reasonable cooperation and assistance to Customer regarding Customer’s engagement and/or prior consultation with any Supervisory Authority, as required by the GDPR. Where legally permitted, Customer shall bear any costs and expenses resulting from such assistance.
- Record Keeping: Company shall maintain records sufficient to demonstrate its compliance with its obligations under this DPA and shall retain these records for three (3) years after termination of the Agreement. Upon providing reasonable notice, Customer may review, audit, and copy such records at Company’s offices during normal business hours.
- Audit Rights: Upon Customer’s written request at reasonable intervals and subject to reasonable confidentiality safeguards, Company shall either (i) provide copies of certifications or reports that demonstrate Company’s compliance with relevant data security standards for processing Customer’s Personal Data, or (ii) if such certifications or reports are insufficient under Data Protection Laws, allow an independent third-party representative of Customer to conduct an audit or inspection of Company’s data security infrastructure and procedures to verify compliance with Data Protection Laws. Such audits shall only occur if (a) Customer provides reasonable prior written notice and the audit does not unreasonably disrupt Company’s operations; (b) the audit takes place during business hours and no more than once per calendar year; and (c) the audit is limited to data relevant to Customer. Customer is responsible for the costs of such audits or inspections, including reimbursement for any time Company spends facilitating them. If Customer and Company have entered into Standard Contractual Clauses as described in Section 6 (Transfers of Personal Data), the audits described in Clause 8.9 of the EU SCCs will be carried out in accordance with this Section 8.4.
- Notification of Infringing Instructions: Company shall promptly inform Customer if it believes, in its reasonable opinion, that any instruction from Customer infringes Data Protection Laws or guidance from a Supervisory Authority.
- Personal Data Breach Notification: If a Personal Data Breach occurs, Company shall, without undue delay, notify Customer of the breach and take steps that Company, at its sole discretion, deems necessary and reasonable to remediate the breach, to the extent such remediation is within Company’s reasonable control.
- Cooperation in the Event of a Breach: Taking into account the nature of the processing and the information available to Company, Company shall provide Customer with reasonable cooperation and assistance needed for Customer to comply with its GDPR obligations related to informing (i) the relevant Supervisory Authority, and (ii) any affected Data Subjects about the Personal Data Breach without undue delay.
- Exceptions and Liability: The obligations in Sections 8.6 and 8.7 shall not apply if the Personal Data Breach results from Customer’s own actions or omissions. Company’s obligation to notify or otherwise respond to a Personal Data Breach as described in Sections 8.6 and 8.7 shall not be interpreted as an admission of fault or liability by Company with respect to any such breach.
9. Company’s Role as a Controller.
The parties acknowledge that, for purposes of Company Account Data and Company Usage Data, Company acts as an independent controller rather than a joint controller with Customer. Specifically, Company processes Company Account Data and Company Usage Data in its capacity as a controller (i) to manage its relationship with Customer; (ii) to conduct core business activities (including accounting, auditing, tax preparation, and compliance efforts); (iii) to monitor, investigate, detect, and prevent fraud or security incidents, and to avert misuse of the Services or harm to Customer; (iv) for identity verification; (v) to satisfy legal or regulatory obligations related to processing and retaining Personal Data; and (vi) as otherwise allowed by Data Protection Laws and consistent with this DPA and the Agreement. Company may also process Company Usage Data as a controller in order to provide, optimize, and maintain the Services, as permitted by Data Protection Laws. All such processing by Company as a controller is conducted in accordance with Company’s privacy policy, available at https://chatlab.com/privacy.
10. Conflict.
In the event of any conflict or inconsistency among the following documents, the order of precedence shall be: (1) the applicable terms in the Standard Contractual Clauses; (2) this DPA; (3) the Agreement; and (4) the Company’s privacy policy. Any claims arising out of or relating to this DPA shall be governed by the terms and conditions (including, without limitation, any exclusions and limitations) set forth in the Agreement.
Exhibit A
Details of Processing
Nature and Purpose of Processing:
Company will process Customer’s Personal Data as necessary to provide the Services under the Agreement, for the purposes outlined in the Agreement and this DPA, and in accordance with Customer’s instructions as specified in this DPA. The processing activities include, but are not limited to:
- Receiving data, such as collecting, accessing, retrieving, recording, and entering data.
- Protecting data, including applying restrictions, encryption, and conducting security tests.
- Holding data, including storage, organization, and structuring.
- Erasing data, including destruction and deletion.
- Analyzing data, such as assessing product usage.
- Sharing data, including disclosure to subprocessors as allowed by this DPA.
Duration of Processing:
Company will process Customer’s Personal Data for as long as necessary to:
- Deliver the Services to Customer under the Agreement;
- Fulfill Company’s legitimate business needs; or
- Comply with applicable laws or regulations.
Processing and storage of Company Account Data and Company Usage Data will be carried out in accordance with Company’s privacy policy.
Categories of Data Subjects:
- Employees, consultants, contractors, and agents of Customer.
Categories of Personal Data:
Company processes Personal Data contained in Company Account Data, Company Usage Data, and any Personal Data provided by Customer or collected by Company to deliver the Services. This may include Personal Data collected from Customer’s end users and processed through the Services. The categories of Personal Data may include:
- Name
- Email address
- Job title
- Username
- Company device identifiers (e.g., serial numbers)
- IP address of company devices
- Installed applications on company devices
- Background check verification records (at Controller’s discretion)
- Security training records
Sensitive Data or Special Categories of Data:
Customers are strictly prohibited from providing sensitive personal data or special categories of data to Company, including but not limited to data that reveals criminal history.
Exhibit B
The following includes the information required by Annex I and Annex III of the EU SCCs, and Table 1, Annex 1A, and Annex 1B of the UK Addendum.
The Parties
Data exporter(s):
- Name: Customer, as stated and defined in the applicable Order (as such term is defined under the Agreement).
- Trading Name (if different):
- Address: Customer’s registered business address and any address provided to Company at the time that Customer uses the Services.
- Official Registration Number (if any) (company number or similar identifier):
- Contact person’s name, position, and contact details: Customer’s contact for the purposes of the SCCs will be the individual who properly accepts and binds Customer to the Agreement unless another contact person’s information is specifically provided to Company in writing.
- Activities relevant to the data transferred under these Clauses: As described in Section 2 of the DPA.
- Signature and date: The UK SCCs and EU SCCs will be considered executed upon Customer’s proper acceptance of the Agreement.
- Role (controller/processor): Controller
Data importer(s):
- Name: CHATLAB Sp. z o.o.
- Address and contact information: Zamknieta 10/1.5, 30-554 Krakow, Poland
- Activities relevant to the data transferred under these Clauses: As described in Section 2 of the DPA.
- Signature and date:
- Role (controller/processor): As described in Section 2 of the DPA.
Description of the Transfer
- Data Subjects: As described in Exhibit A of the DPA
- Categories of Personal Data: As described in Exhibit A of the DPA
- Special Category Personal Data (if applicable): As described in Exhibit A of the DPA
- Nature of the Processing: As described in Exhibit A of the DPA
- Purposes of Processing: As described in Exhibit A of the DPA
- Duration of Processing and Retention (or the criteria to determine such period): As described in Exhibit A of the DPA
- Frequency of the Transfer: As necessary to perform all obligations and rights with respect to Personal Data as provided in the Agreement or DPA
- Recipients of Personal Data Transferred to the Data Importer: Company will maintain a list of Authorized Sub-Processors at: https://chatlab.com/subprocessors
Competent Supervisory Authority
- The supervisory authority shall be the authority of the Data Exporter, as determined in accordance with Clause 13 of the EU SCCs.
- For the purposes of the UK Addendum, the supervisory authority shall be the UK Information Commissioner’s Office.
Exhibit C
Description of the Technical and Organizational Security Measures Implemented by the Data Importer
The following includes the information required by Annex II of the EU SCCs and Annex II of the UK Addendum.
- Measures of pseudonymization and encryption of personal data:
- Company employs secure methods and protocols for transmitting confidential or sensitive information over public networks.
- Databases containing sensitive customer data are encrypted at rest using strong ciphers.
- All traffic in transit is encrypted with recommended secure cipher suites and protocols.
- Measures for ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services:
- Company enforces strict confidentiality obligations through customer agreements.
- All subprocessors sign confidentiality provisions equivalent to those in the Company’s customer agreements.
- Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident:
- Regular backups of production datastores are conducted daily, weekly, and monthly.
- Backups are periodically tested according to information security and data management policies.
- Measures for user identification and authorization:
- Secure access protocols and industry best practices for authentication, such as Multi-Factor Authentication (MFA) and Single Sign-On (SSO), are implemented.
- Production access requires two-factor authentication.
- Network infrastructure is configured to block unauthorized access and unnecessary traffic.
- Measures for the protection of data during transmission:
- Secure protocols such as TLS 1.2 are used to encrypt traffic in transit over public networks.
- Measures for the protection of data during storage:
- Encryption-at-rest is automated using AWS’s transparent disk encryption, employing industry-standard AES-256 encryption.
- Encryption keys are fully managed by AWS.
- Measures for ensuring physical security of locations at which personal data are processed:
- Processing is conducted in AWS-managed physical data centers, as detailed at AWS Compliance.
- Measures for ensuring events logging:
- Access to applications, tools, and resources is monitored.
- Security logs are reviewed and managed by security and engineering teams, with investigations and escalations as necessary.
- Measures for ensuring system configuration, including default configuration:
- Changes to production environments are managed through a structured change management process.
- Automated CI/CD tools ensure consistent configurations.
- Measures for ensuring data minimization:
- Customers control the data they route through the Services.
- The Services include self-service tools to allow customers to delete or suppress data.
- Measures for ensuring data quality:
- Data quality is ensured through unit testing, database schema validation, schema-first API design, and strong typing.
- Measures are applied to maintain data integrity from ingestion to export.
- Measures for ensuring limited data retention:
- Customers control data retention via self-service tools.
- If necessary, Company deletes Personal Data upon Customer request, within the timeframe specified in the DPA and Applicable Data Protection Law.
- Measures for ensuring accountability:
- Company enforces data protection and information security policies, assigns roles for information security, and conducts regular third-party audits.
- Personal Data Breaches are recorded and reported as required.
- Measures for allowing data portability and ensuring erasure:
- Customers can delete or request deletion of Personal Data submitted to the Services.
- Data portability requests are addressed on a case-by-case basis, given the Company’s focus on Privacy by Design and Data Minimization.
- Technical and organizational measures of subprocessors:
- The Company requires Authorized Subprocessors to sign Data Processing Agreements with obligations substantially similar to those in this DPA.
Exhibit D
UK Addendum
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
Part 1: Tables
Table 1: Parties
- Start Date: This UK Addendum becomes effective on the same date as the DPA.
- The Parties:
- Exporter: Customer
- Importer: Company
- Parties’ Details:
- Exporter Details: Customer
- Importer Details: Company
- Key Contact:
- Exporter: Refer to Exhibit B of this DPA
- Importer: Refer to Exhibit B of this DPA
Table 2: Selected SCCs, Modules, and Selected Clauses
- EU SCCs: The version of the Approved EU SCCs to which this UK Addendum is appended, as specified in the DPA and completed in Sections 6.2 and 6.3 of the DPA.
Table 3: Appendix Information
- “Appendix Information” refers to the information required for the selected modules as outlined in the Appendix of the Approved EU SCCs (excluding the Parties), and is specified for this UK Addendum as follows:
- Annex 1A: List of Parties: Refer to Table 1 above.
- Annex 1B: Description of Transfer: Refer to Exhibit B of this DPA.
- Annex II: Technical and organizational measures, including measures to ensure data security: Refer to Exhibit C of this DPA.
- Annex III: List of Subprocessors (Modules 2 and 3 only): Refer to Exhibit B of this DPA.
Table 4: Terminating this UK Addendum Due to Changes in the Approved UK Addendum
Note: This provision allows the selected party (if any) to terminate the UK Addendum if changes made by the ICO to the approved UK Addendum cause a substantial, disproportionate, and demonstrable increase in either (a) the party’s direct costs of fulfilling its obligations under the UK Addendum, or (b) the party’s risk under the UK Addendum.
- Option for Termination:
- ☒ Importer
- ☒ Exporter
- ☐ Neither Party
Entering into this UK Addendum
- Each party agrees to be bound by the terms and conditions of this UK Addendum in consideration of the other party’s agreement to be similarly bound.
- While Annex 1A and Clause 7 of the Approved EU SCCs require the Parties' signatures, for the purpose of enabling ex-UK Transfers, the Parties may enter into this UK Addendum through any legally binding method that ensures enforceability of data subjects’ rights as outlined in this UK Addendum. By entering into this UK Addendum, the Parties agree that it will have the same legal effect as signing the Approved EU SCCs and any related sections of the Approved EU SCCs.
Interpretation of this UK Addendum
- Terms Defined in the Approved EU SCCs:
- Terms used in this UK Addendum that are defined in the Approved EU SCCs shall have the same meaning as in the Approved EU SCCs.
- Additional Definitions:
- UK Addendum: Refers to this International Data Transfer Addendum incorporating the EU SCCs, attached to the DPA as Exhibit D.
- EU SCCs: Refers to the version(s) of the Approved EU SCCs to which this UK Addendum is appended, as specified in Table 2, including the Appendix Information.
- Appendix Information: As outlined in Table 3 of this UK Addendum.
- Appropriate Safeguards: Refers to the standard of protection required under UK Data Protection Laws for personal data and data subjects’ rights when making an ex-UK Transfer using standard data protection clauses under Article 46(2)(d) of the UK GDPR.
- Approved UK Addendum: Refers to the template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on February 2, 2022, as revised under Section 18 of the UK Addendum.
- Approved EU SCCs: Refers to the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated June 4, 2021, for transfers of personal data to countries not recognized by the European Commission as offering an adequate level of data protection (as amended or updated over time).
- ICO: Refers to the Information Commissioner of the United Kingdom.
- ex-UK Transfer: As defined in the DPA.
- UK: Refers to the United Kingdom of Great Britain and Northern Ireland.
- UK Data Protection Laws: Refers to all laws concerning data protection, the processing of personal data, privacy, and electronic communications currently in force in the UK, including the UK GDPR and the Data Protection Act 2018.
- UK GDPR: As defined in the DPA.
- The UK Addendum must always be interpreted in a manner consistent with UK Data Protection Laws and in a way that ensures the Parties fulfill their obligation to provide the Appropriate Safeguards.
- If any provisions in the UK Addendum modify the Approved EU SCCs in a manner not permitted under the Approved EU SCCs or the Approved UK Addendum, such modifications will not be included in the UK Addendum. Instead, the equivalent provisions of the Approved EU SCCs will apply.
- In the event of a conflict or inconsistency between UK Data Protection Laws and the UK Addendum, UK Data Protection Laws shall prevail.
- If the UK Addendum’s meaning is unclear or open to more than one interpretation, the interpretation that aligns most closely with UK Data Protection Laws shall apply.
- Any references to legislation (or specific provisions of legislation) within the UK Addendum are to be understood as referring to such legislation (or provision) as it may be amended, consolidated, re-enacted, or replaced over time, even after the UK Addendum has been executed.
Hierarchy
- While Clause 5 of the Approved EU SCCs specifies that the Approved EU SCCs take precedence over all related agreements between the parties, the parties agree that, for ex-UK Transfers, the hierarchy outlined in Section 10 below will prevail.
- If there is any conflict or inconsistency between the Approved UK Addendum and the EU SCCs, the Approved UK Addendum will take precedence. However, if the conflicting or inconsistent terms in the EU SCCs offer greater protection for data subjects, those terms will take precedence over the Approved UK Addendum.
- When this UK Addendum incorporates EU SCCs entered into to safeguard ex-EU Transfers subject to the GDPR, the parties agree that the UK Addendum does not alter or affect the terms of those EU SCCs.
Incorporation and Changes to the EU SCCs:
- This UK Addendum incorporates the EU SCCs, amended as necessary to ensure that:
- They operate effectively for data transfers from the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing for those transfers; and
- They provide Appropriate Safeguards for such data transfers.
- Sections 9 to 11 of this UK Addendum override Clause 5 (Hierarchy) of the EU SCCs.
- The UK Addendum, including the EU SCCs incorporated within it, is:
- Governed by the laws of England and Wales; and
- Subject to dispute resolution in the courts of England and Wales.
- Unless the parties agree on alternative amendments that satisfy the requirements of Section 12 of this UK Addendum, the provisions outlined in Section 15 of this UK Addendum will apply.
- No amendments to the Approved EU SCCs are permitted except those made to meet the requirements of Section 12 of this UK Addendum.
- The following amendments to the EU SCCs are made for the purposes of Section 12 of this UK Addendum.
- References to the “Clauses” shall be understood to mean this UK Addendum, which incorporates the EU SCCs.
- In Clause 2, the following text is deleted: “and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679.”
- Clause 6 (Description of the transfer(s)) is replaced with the following: “The details of the transfer(s), including the categories of personal data transferred and the purpose(s) of the transfer, are specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing for that transfer.”
- Clause 8.7(i) of Module 1 is replaced with: “It is to a country benefitting from adequacy regulations pursuant to Section 17A of the Data Protection Act 2018 that covers the onward transfer.”
- Clause 8.8(i) of Modules 2 and 3 is replaced with: “The onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the Data Protection Act 2018 that covers the onward transfer.”
- References to “Regulation (EU) 2016/679,” “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation),” and “that Regulation” are all replaced with “UK Data Protection Laws.” References to specific Articles of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws.
- References to Regulation (EU) 2018/1725 are removed.
- References to the “European Union,” “Union,” “EU,” “EU Member State,” “Member State,” and “EU or Member State” are all replaced with “UK.”
- The reference to “Clause 12(c)(i)” in Clause 10(b)(i) of Module 1 is replaced with “Clause 11(c)(i).”
- Clause 13(a) and Part C of Annex I are not used.
- References to the “competent supervisory authority” and “supervisory authority” are replaced with the “Information Commissioner.”
- In Clause 16(e), subsection (i) is replaced with: “The Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply.”
- Clause 17 is replaced with: “These Clauses are governed by the laws of England and Wales.”
- Clause 18 is replaced with: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The parties agree to submit themselves to the jurisdiction of such courts.”
- The footnotes to the Approved EU SCCs are not part of the UK Addendum, except for footnotes 8, 9, 10, and 11.
Amendments to the UK Addendum
- The parties may agree to amend Clauses 17 and/or 18 of the EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
- If the parties wish to modify the format of the information included in Part 1: Tables of the Approved UK Addendum, they may do so by mutual agreement in writing, provided that such changes do not diminish the Appropriate Safeguards.
- From time to time, the ICO may issue a revised Approved UK Addendum that:
- Makes reasonable and proportionate changes to the Approved UK Addendum, including corrections of errors.
- Reflects updates to UK Data Protection Laws.
The revised Approved UK Addendum will specify the start date when the changes take effect and indicate whether the parties must review this UK Addendum, including the Appendix Information. From the specified start date, this UK Addendum is automatically amended in line with the revised Approved UK Addendum.
- If the ICO issues a revised Approved UK Addendum under Section 18 of this UK Addendum, and a party experiences, as a direct result of the changes:
- A substantial, disproportionate, and demonstrable increase in its direct costs of performing obligations under the UK Addendum; and/or
- A substantial, disproportionate, and demonstrable increase in its risk under the UK Addendum,
- that party may terminate this UK Addendum by providing written notice to the other party. Termination must follow a reasonable notice period, with notice given before the revised Approved UK Addendum’s start date, provided the party has first taken reasonable steps to mitigate those costs or risks to avoid them being substantial and disproportionate.
- The parties may make changes to this UK Addendum without the consent of any third party, but any changes must comply with the terms of the UK Addendum.