DATA PROCESSING ADDENDUM

Last Updated: February 2024

This Data Processing Addendum (“DPA”) is incorporated into, forms part of, and supplements the Verification Services Agreement and all incorporated documents (collectively, the “Agreement”) by and between SheerID, Inc. (“SheerID” or the “Processor”) and the customer identified in the Agreement (“Customer” or the “Controller”) and supersedes any previous data processing addendum entered into by the parties.

WHEREAS,

  • Customer desires to obtain Services from SheerID, and SheerID agrees to provide such Services, on the terms and conditions set forth in the Agreement.
  • Customer is the Controller of the Personal Data.
  • SheerID is the Processor of the Personal Data.
  • SheerID may Process Personal Data on behalf of Customer in provision of the services under the Agreement.
  • SheerID and Customer wish to ensure Processing of Personal Data is conducted in accordance with Data Protection Laws.

The Parties agree as follows:

1.    Definitions. For the purposes of this DPA only (unless expressly incorporated elsewhere in the Agreement), capitalized terms not defined herein have the meaning given to those terms in the Agreement. To the extent there is a conflict between the definitions in this DPA and any definition in the Agreement, the definitions in this DPA shall control with regard to this DPA only.

1.1.    “Affiliate” means, with respect to a party, that party’s parents, subsidiaries or any other entity that directly or indirectly Controls, is Controlled by, or is under common Control with that individual, organization or entity at any time during the Term. “Control” (including, with correlative meanings, the terms “Controlled by” and “under common Control with”), means the possession, directly or indirectly, of the power to direct or exercise a controlling influence over the management or policies of such entity, whether through the ownership of voting securities or by contract.

1.2.    “Controller” means a person or entity that, alone or jointly with others, determines the purposes and means of the processing of Personal Data. A Controller includes “businesses,” “controllers,” “data owners,” and other similar terms under Data Protection Laws that refer to persons or entities that determine the purposes and means of the processing of Personal Data.

1.3.    “Data Protection Laws” means any and all applicable laws, regulations, or industry standards, including subsequent amendments, that: (i) relate to the confidentiality, processing, privacy, security, protection, disclosure, sharing, transfer, or trans-border data flow of Personal Data; (ii) relate to the privacy or interception, recording or monitoring of communications; (iii) provide rights to an individual whose Personal Data is being processed; or (iv) trigger a duty to notify an individual whose Personal Data has been, or may have been, the subject of a Personal Data Breach. To the extent the term “Law” and/or “Applicable Law” is defined in the Agreement, the Parties agree that Data Protection Laws shall be included in such definition.  Data Protection Laws include, but are not limited to, the European Union’s General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), as amended by the California Consumer Privacy Rights Act (“CPRA”).

1.4.    “Data Subject Access Request” means a request pertaining to Personal Data from a Data Subject to exercise its rights pursuant to Data Protection Laws.

1.5.    “Personal Data” means all information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual (“Data Subject”) or household, which is provided to SheerID by or on behalf of a Customer in connection with the Agreement.  Personal Data includes any information that constitutes: “personally identifiable information”; “personal data”; “protected data”; or any similar category of information or data protected under Data Protection Laws.  Personal Data shall be considered Customer’s Confidential Information under this Agreement.  Personal Data excludes any information that has been anonymized in accordance with Data Protection Laws.

1.6.    “Personal Data Breach” means any actual or reasonably suspected misuse, compromise, or unauthorized, accidental, or unlawful access, disclosure, acquisition, destruction, loss, or alteration of Personal Data, including, without limitation, any circumstance pursuant to which applicable Data Protection Laws require either notification to be given to affected parties or other activity in response to such circumstance.

1.7.    “Process” “Processed” or “Processing” (whether or not capitalized) (i) has the same meaning as in Data Protection Laws; and (ii) shall include any operation or set of operations that are performed on Personal Data or on sets of Personal Data, whether or not by automated means, including, but not limited to, collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.8.    “Processor” means a person or entity that processes Personal Data on behalf of a Controller. A Processor includes “service providers,” “processors,” “third-party service providers,” “third-party agents,” and other similar terms under Data Protection Laws that refer to persons or entities that process Personal Data on behalf of a Controller.

1.9.    “Services” means any services to be supplied by SheerID to Customer pursuant to the Agreement, including Professional Services, Support Services, and the provision of the Solution.

1.10.   “Sub-processor” means any Processor engaged by SheerID in support of SheerID’s performance of its obligations under the Agreement.  For the avoidance of doubt, sub-processors are not third parties.

2.   Term. The term of this DPA shall commence on the Agreement Effective Date and continue until, and automatically expire upon, the return or deletion of all Customer Personal Data as described in this DPA.

3.   Processing of Personal Data.

3.1.   Customer Instructions. Customer discloses Personal Data to SheerID as set forth in Schedule 1 – Details of Processing of Personal Data, attached to the Verification Services Agreement or, if applicable, the Order Form (“Schedule 1”).  Customer instructs SheerID to Process Personal Data: (i) solely for the specific, limited business purpose of SheerID performing Services in accordance with the Agreement, including this DPA; and (ii) to comply with other reasonable written instructions provided by Customer where such instructions are consistent with the terms of the Agreement, including this DPA, and with Data Protection Laws. If SheerID believes or becomes aware that any of Customer’s instructions conflict with any Data Protection Law or if SheerID makes a determination that it can no longer meet its obligations as a Processor under applicable Data Protection Laws, SheerID shall inform Customer without undue delay. As between the Parties, Customer shall have sole responsibility for the accuracy, quality, and legality of processing Personal Data, the means by which Customer obtained the Personal Data, the disclosures and notices provided at the time of collecting Personal Data, and for identifying a lawful basis or limited, specific business purpose for processing Personal Data as required under applicable Data Protection Laws.

3.2.    Processor. Customer appoints SheerID as a Processor to Process Personal Data. SheerID shall process Personal Data only (i) in accordance with the documented instructions received from Customer, and (ii) for the purpose of fulfilling its obligations or exercising its rights under the Agreement. SheerID may Process Personal Data other than on the written instructions of Customer if it is required under applicable law to which SheerID is subject. In this situation, SheerID shall inform Customer of such requirement before SheerID Processes the Personal Data unless prohibited by applicable law.

3.3.    Processor Personnel. SheerID shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities, and are subject to obligations of confidentiality that survive the termination of the individual’s engagement with SheerID. SheerID shall ensure that access by SheerID’s personnel to Personal Data is limited to those personnel performing Services in accordance with the Agreement.

3.4.    No Sale or Sharing. SheerID shall not “sell” or “share” any Personal Data with third parties. The Parties acknowledge and agree that (i) SheerID has not and will not receive any monetary or other valuable consideration in exchange for SheerID’s receipt of the Personal Data, and (ii) any consideration paid by Customer to SheerID under the Agreement is only for SheerID’s provision of the Services.  SheerID shall not collect, retain, use, process, or disclose the Personal Data (a) for any commercial purpose other than for the specific purpose of providing the Services to Customer pursuant to the Agreement; or (b) outside of the direct business relationship between SheerID and Customer, unless expressly permitted by applicable Data Protection Laws.

3.5.    Prohibited Data. Customer shall not provide to SheerID, import into the Solution, or cause SheerID to process any protected health information as defined under the Health Insurance Portability and Accountability Act, also known as HIPAA, and its implementing regulations, as amended, unless otherwise expressly agreed to by SheerID in the Agreement. If SheerID does not expressly agree to process such information pursuant to the previous sentence, SheerID has no obligations or liability with respect to such data.  If Customer inadvertently provides or causes SheerID to process any protected health information, Customer shall: (i) immediately notify SheerID in writing; (ii) take all necessary steps to assist SheerID in removing protected health information from SheerID’s systems.

4.    Assistance.

4.1.    Data Subject Access Requests. Where the Data Subject Access Request is received directly by the Customer and to the extent Customer does not have the ability to address such Data Subject Request using the functionalities available to Customer through the Solution, SheerID will provide commercially reasonable assistance as requested by Customer to enable Customer to respond to a Data Subject Access Request to the extent SheerID is legally able to do so. If SheerID receives a Data Subject Access Request directly, where Customer has been explicitly identified, SheerID will promptly inform Customer within three (3) business days, and SheerID shall not respond to such requests except as instructed by Customer, unless otherwise required by applicable law, including Data Protection Laws, provided, however, that SheerID may: (i) confirm receipt; (ii) advise that such request relates to Customer; (iii) direct such Data Subject to Customer; or (iv) take other action as may be necessary to comply with Data Protection Laws.

4.2.    Regulatory Authorities. SheerID will also assist Customer with the resolution of any request or inquiries that Customer receives from data protection authorities relating to SheerID and, if and to the extent requested by Customer, cooperate with any authorities’ requests.

4.3.    Data Privacy Impact Assessments. Upon Customer’s request, SheerID shall, at Customer’s expense, provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligation under the GDPR or other applicable Data Protection Laws to carry out a data protection impact assessment related to Customer’s use of the Services or Solution, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to SheerID.

5.    Security.

5.1.    Security Program. Without limiting the Parties’ security-related obligations under the Agreement and taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Parties shall at all times have implemented and maintain a comprehensive written information security program (“Security Program”) that (i) complies with all Data Protection Laws; (ii) contains reasonable and appropriate administrative, operational, technical, physical and organizational measures that are designed to preserve and protect the security, integrity and confidentiality of Personal Data and protect Personal Data against Personal Data Breaches, and (iii) complies with any other specific requirements agreed upon by the Parties under the Agreement.

5.2.    No Degradation. SheerID’s Security Program is subject to technical progress and further development, and SheerID reserves the right to modify its Security Program at any time, provided, however, that SheerID will not reduce or degrade the level of security provided to the protection of Personal Data without the approval of Customer.

6.    Sub-Processors.

6.1.    Appointment of Sub-processors. Customer agrees that: (i) SheerID’s Affiliates may be retained as Sub-processors; and (ii) SheerID and SheerID’s Affiliates may engage Sub-processors in connection with the Solution or the performance of Services. SheerID or a SheerID Affiliate shall impose substantially similar, but no less protective, data privacy and data security obligations as those in the Agreement and this DPA on its Sub-processors prior to such Sub-processor Processing Personal Data. SheerID shall be liable for the acts and omissions of its Sub-processors to the same extent SheerID would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.

6.2.    List of Current Sub-processors and Notification of New Sub-processors. SheerID shall make available to Customer SheerID’s list of Sub-processors, as will be updated from time to time, at the following website: https://www.sheerid.com/subprocessors/ (the “Sub-processor Website”). At least ten (10) days prior to authorizing any new Sub-processor to access Personal Data, SheerID will update the Sub-processor Website, and such update will serve as notice to Customer. If Customer wishes to object to the approval of the new Sub-processor, it must provide such objection in writing to SheerID within ten (10) days after receipt of SheerID’s notice, and the Parties will work together in good-faith to address Customer’s objection. In the event that Customer objects to such new Sub-processor and such objection is not resolved within twenty (20) days of SheerID’s receipt of such objection, SheerID may terminate the applicable Solution or Service by providing written notice of termination.

7.    Personal Data Breach Notification and Management.

7.1.    Notification. SheerID will, without undue delay upon becoming aware of a Personal Data Breach, notify Customer of any Personal Data Breach and take steps to remediate the Personal Data Breach. The obligations in this Section 7 do not apply to incidents that are caused by Customer, Customer’s personnel or end users, or to unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

7.2.    Manner of Notification. Notifications of Personal Data Breaches, if any, will be delivered to one or more of Customer’s business, technical, or administrative contacts by means selected by SheerID, including via email. It is Customer’s sole responsibility to ensure it maintains accurate contact information on SheerID’s support systems at all times.

7.3.    Contents of the Notification. To the extent feasible or known at the time of notification, SheerID will provide the following details: (i) the nature of the Personal Data Breach; (ii) the categories and approximate number of Data Subjects impacted; (iii) to the extent reasonably possible, information regarding the Data Subjects and data records concerned; (iv) measures taken or proposed to be taken by SheerID to address or remediate the Personal Data Breach; and (vi) the name and contact details of SheerID’s data protection officer or other relevant contact from whom more information may be obtained.

7.4.    No Admission. SheerID’s notification of, or response to, a Personal Data Breach under this Section will not be construed as an acknowledgement by SheerID of any fault or liability with respect to the Personal Data Breach.

8.    Return, Deletion, and Retention of Personal Data.

8.1.  SheerID is authorized to retain all Personal Data for Customer’s access to and use of the Solution and SheerID’s provision of Services as set forth in the Agreement.  Upon the expiration or termination of the Agreement (in whole or in part) for the Services described therein and upon Customer’s written request, SheerID will either delete or make available to Customer for retrieval all Personal Data (including copies, if applicable) in its possession or control, except to the extent that (i) SheerID is required by applicable law, rules, regulations, directives, ordinances, codes or similar enactments and any obligations imposed by self-regulatory bodies promulgating standards to retain the Personal Data; or (ii) such Customer Data is archived in offline archives, “cold storage” systems, or physical or virtual system backups, which will be securely deleted and protected from further Processing in accordance with SheerID’s standard deletion practices. Accordingly, SheerID may retain such portion of Personal Data, provided that SheerID (i) complies with the confidentiality, privacy, and data security provisions of the Agreement and this DPA for as long as it retains such Personal Data, and (ii) deletes such data without undue delay once SheerID is no longer subject to such requirement or Personal Data is retrieved from its archived state.

9.    Compliance Assistance, Inspections, and Audits.

9.1.    Audit Reports. SheerID has obtained the third-party certification and audits demonstrating its compliance with the security measures set forth in Annex 2, including but not limited to Service Organization Control (SOC) 2 Type II certifications. Upon Customer’s written request no more than once per year and subject to the confidentiality obligations set forth in the Agreement, SheerID will provide a copy of SheerID’s then most recent third-party audits or certifications (the “Reports”), as applicable, or any summaries thereof, that SheerID makes available to its customers. Requests for Reports and Audits (as defined below) must be sent to [email protected].  SheerID may satisfy such audit request by providing Customer with a confidential copy of a Report in order that Customer may reasonably verify SheerID’s compliance with the technical and organizational measures as required under this DPA.

9.2.    Audits. To the extent a Report does not, in Customer’s reasonable judgment, provide sufficient information to demonstrate compliance with obligations under Data Protection Laws and this DPA, SheerID, upon written request from Customer, will allow an annual remote audit to verify SheerID’s and any of its Sub-processors’ compliance with obligations under Data Protection Laws and this DPA (each an “Audit”), to be carried out either (i) by an independent third party audit firm bound by a duty of confidentiality selected by Customer and approved by SheerID (which approval will not unreasonably be withheld or delayed) and where applicable, in agreement with the competent data protection authority, or (ii) by a competent data protection authority. The Parties will mutually agree upon the scope and duration of, and the data protection controls applicable to, the Audit. Customer will notify SheerID in writing with a minimum of 10 business days prior to any Audit being carried out. Customer will bear the costs of the Audit. If Customer requests SheerID to incur out-of-pocket costs to assist Customer in the Audit, then SheerID is entitled to a reasonable reimbursement for its costs of the Audit incurred by SheerID, to be paid by Customer.

9.3.    Limits on Auditing Party. Nothing in the Agreement or this DPA will require SheerID either to disclose to an independent auditor or Customer, or to allow an independent auditor or Customer to access: (i) any data of any other customer of SheerID; (ii) SheerID’s internal accounting or financial information; (iii) any trade secret of SheerID; (iv) any premises or equipment not controlled by SheerID; or (v) any information that, in SheerID’s reasonable opinion, could: (a) compromise the security of SheerID’s systems or premises; (b) cause SheerID to breach its obligations under Data Protection Law or the rights of any third party, or (b) any information that an independent auditor seeks to access for any reason other than the good faith fulfillment of Customer’s obligations under Data Protection Law. Customer shall contractually impose, and designate SheerID as a third-party beneficiary of, contractual terms that prohibit any independent auditor from disclosing the existence, nature, or results of any audit to any party other than Customer unless such disclosure is required by applicable law.

10.    Limitation on Liability.

10.1.  The limitations on liability, liability caps, and/or exclusions of certain types of damages as set forth in the Agreement shall apply to the subject matter of this DPA and the Parties’ related rights and obligations hereunder.  Under no circumstances will a Party be liable for any liabilities, claims, or amounts to the extent that such liabilities, claims, or amounts result from the other Party’s acts or omissions.

11.    Europe Specific Provisions. To the extent SheerID processes Personal Data subject to the GDPR, UK GDPR, and/or FADP, the following provisions shall also apply:

11.1.    Definitions.

11.1.1.    “DPF” means the EU-U.S. Data Privacy Framework and the EU-U.S. Data Privacy Framework Principles incorporated therein, as set forth by the U.S. Department of Commerce and as described by the European Commission Implementing Decision, dated October 7, 2023 pursuant to the GDPR and the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework, as well as the UK Extension and the Swiss-U.S. Data Privacy Framework.

11.1.2.    “FADP” means the Swiss Federal Act on Data Protection of 19 June 1992, as may be updated and amended from time to time.

11.1.3.    “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

11.1.4.    “SCCs” means Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Text with EEA relevance) (the text of which is available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj).  The SCCs are hereby incorporated into this DPA to the extent the Services contemplate the export of Personal Data from the European Union or Switzerland to jurisdictions not recognized by a competent data protection authority transferring jurisdiction as providing an adequate level of data protection without other safeguards.

11.1.5.    “UK” means the United Kingdom of Great Britain and Northern Ireland.

11.1.6.    “UK International Data Transfer Addendum” means United Kingdom’s Information Commissioner’s Office’s International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued pursuant to S119A(1) Data Protection Act 2018, and is incorporated into this DPA and available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.   The UK International Data Transfer Addendum, including but not limited to the Part 2: Mandatory Clauses, are hereby incorporated into this DPA to the extent the Services contemplate the export of Personal Data from the United Kingdom to jurisdictions not recognized by a competent data protection authority in the United Kingdom as providing an adequate level of data protection without other safeguards.

11.1.7.  “UK GDPR” means the United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.

11.2. Details of Processing. The subject-matter of Processing of Personal Data by SheerID is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data, and categories of Data Subjects Processed under this DPA are further specified in Schedule 1 of the Agreement.

12.    International Transfers of Personal Data.

12.1.    SheerID is an active participant in the DPF and registered with the U.S. Department of Commerce at https://www.dataprivacyframework.gov/list. Consistent with SheerID’s participation in the DPF, SheerID shall:

12.1.1.    process Personal Data only for the limited and specified purposes set out in the Agreement, as set forth in Section 3 above;

12.1.2.    provide at least the same level of privacy protection as is required by the DPF;

12.1.3.    notify Customer if it determines that it can no longer meet its obligation to provide the same level of protection as is required by the DPF;

12.1.4.    cooperate with Customer to the extent the Customer is required to provide a summary or a representative copy of the relevant privacy provisions of the Agreement to the U.S. Department of Commerce upon request.

12.2.    The parties agree to negotiate in good faith and enter into the appropriate data transfer agreements when required by Data Protection Laws.

12.3.    SheerID shall not transfer Personal Data to or from a jurisdiction whose Data Protection Laws restrict the transfer of Personal Data unless in accordance with (i) the documented Instructions from Customer, including this DPA, and (ii) in accordance with applicable Data Protection Laws.

12.4.    In the event that Personal Data is required to be processed outside of the European Economic Area (“EEA”), Switzerland, or the UK, then the parties agree that:

12.4.1.    with respect to transfers from the EEA and Switzerland, the SCCs will apply;

12.4.2.    with respect to transfers from the UK, the UK International Data Transfer Addendum will apply; and

12.4.3.    The SCCs and the UK International Data Transfer Addendum are incorporated into and form part of the Agreement and DPA.

12.5.     For the purposes of the SCCs, Module 2 will apply to the processing of Personal Data by SheerID on behalf of Customer.  Whereby:

12.5.1.    Clause 7 (“Docking clause”) shall apply.

12.5.2.     Clause 9 (a) Option 2 (“GENERAL WRITTEN AUTHORISATION”) shall apply with a 10 day period to object to the sub-processor.  Section 6.2 shall control the notification process.  See Annex 3 for list of current sub-processors.

12.5.3.    Clause 11 (a) (“Redress”) without the mentioned OPTION.

12.5.4.    Clause 17 (“Governing law”) Option 1 shall apply and shall reference the laws of France.

12.5.5.    Clause 18 (“Forum Choice”) with the courts of Paris, France.

12.5.6.     The parties will complete Schedule 1, which includes the information called for in the SCCs Annexes I, II, and III.  By executing the Agreement, the parties hereby execute this DPA and Annexes I-III, to the extent applicable, which are incorporated by reference into the Agreement.

12.6.    For transfers of Personal Data originating from Switzerland, i) the competent supervisory authority in Annex I.C under Clause 13 shall be the Federal Data Protection and Information Commissioner insofar as the data transfer is governed by FADP; ii) references in the SCCs to a “Member State” and “EU Member State” will not be read to prevent data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland); and iii) until the revised FADP enters into force, the SCCs will also protect the data of legal entities in Switzerland.

12.7.     For the purposes of the UK International Data Transfer Addendum, the parties will complete Schedule 1, which includes the information called for in the UK International Data Transfer Addendum, including the information called for in the tables set out in Annex IV.  By executing the Agreement, the parties hereby execute this DPA and Annex IV, to the extent applicable, which are incorporated by reference into the Agreement.

12.8.    Conflicts with Transfer Mechanisms. If any term or provision of the DPA or Agreement is contradictory or inconsistent with any term or provision of the SCCs or UK International Data Transfer Addendum (as applicable), then the terms and provisions of the SCCs or UK International Data Transfer Addendum that provide adequate protection for such Personal Data under Data Protection Laws shall control.

12.9.    SheerID shall provide Customer with all reasonable information necessary to allow Customer to obtain any applicable data transfer authorization in connection with the Services.

13.    Miscellaneous.

13.1.    Change in Data Protection Laws. The Parties may propose amendments to this DPA, which the Parties determine are required to satisfy the requirements of Data Protection Laws. The parties shall negotiate in good faith to agree and implement such revisions to address the requirements identified by a Party as soon as practicable.

13.2.    Certification. By executing the Agreement, each of the Parties certifies that it understands its obligations under, and the restrictions imposed by, this DPA and will comply with them.

13.3.    Order of Precedence.  Except as set forth in Section 12.7, in the event of any conflict or inconsistency between the terms of the Agreement and this DPA, the terms of this DPA shall control.

ANNEX I
(SCCs)

A. LIST OF PARTIES

Data exporter(s): See Schedule 1

Data importer(s): See Schedule 1

B. DESCRIPTION OF TRANSFER

Categories of Data Subjects: See Schedule 1

Categories of Personal Data transferred: See Schedule 1

Sensitive data transferred (if applicable): See Schedule 1

and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: See Schedule 1 – Details of Processing of Personal Data

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): See Schedule 1

Nature of the processing: See Schedule 1

Purpose(s) of the data transfer and further processing: See Schedule 1

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: See Schedule 1

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: See Schedule 1

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13: See Schedule 1

ANNEX II
(SCCs)

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Measures taken by the Data Exporter in respect of the transfer: See Schedule 1

Measures taken by the Data Importer:  See Schedule 1

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter: See Schedule 1

ANNEX III
(SCCs)

LIST OF SUB-PROCESSORS

The controller has authorised the use of the following sub-processors: See Schedule 1

ANNEX IV
(UK INTERNATIONAL DATA TRANSFER ADDENDUM)

For information called for in Table 1, see Schedule 1 – Details of Processing of Personal Data.

For information called for in Table 2, to the extent applicable, see DPA § 12.4.

For information called for in Table 3, see Schedule 1 – Details of Processing of Personal Data.

Part 1: Tables

Table 1: Parties
Start date:

The Parties: Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer)

Parties’ details

Exporter:
Full legal name:
Trading name (if different):
Main address (if a company registered address):
Official registration number (if any) (company number or similar identifier):

Importer:
Full legal name:
Trading name (if different):
Main address (if a company registered address):
Official registration number (if any) (company number or similar identifier):

Key Contact

Exporter:
Full Name (optional):
Job Title:
Contact details including email:

Importer:
Full Name (optional):
Job Title:
Contact details including email:

Signature (if required for the purposes of Section 2):

Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs: The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:
Date:
Reference (if any):
Other identifier (if any):
Or
the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:
Module | Module in operation | Clause 7 (Docking Clause) | Clause 11 (Option) | Clause 9a (Prior Authorisation or General Authorisation) | Clause 9a (Time period) | Is personal data received from the Importer combined with personal data collected by the Exporter?
1            
2            
3            
4            
Table 3: Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties: see Schedule 1 – Details of Processing of Personal Data

Annex 1B: Description of Transfer: see Schedule 1 – Details of Processing of Personal Data

Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: see Schedule 1 – Details of Processing of Personal Data

Annex III: List of Sub processors (Modules 2 and 3 only): see Schedule 1 – Details of Processing of Personal Data

Table 4: Ending this Addendum when the Approved Addendum Changes
Ending this Addendum when the Approved Addendum changes: Which Parties may end this Addendum as set out in Section 19:
Importer
Exporter
neither Party