This Data Processing Addendum (“Addendum”) applies pursuant to, and supplements, the Order Form (“Agreement”) entered into between the customer named on the Order Form (“Controller”) and Supertools, Inc. d/b/a timeOS (“Processor”).
- Select Definitions. The following terms, when capitalized and used in this Addendum (unless otherwise indicated), shall have the meaning set forth below. Any capitalized terms not defined in this Addendum shall have the meanings given to them in the Agreement.
- “Anonymous Information” means information which does not relate to an identified or identifiable natural person or to Personal Data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
- “Applicable Law” means any law, regulation, ordinance, rule, or order of any governmental or judicial body which applies to the Processing of the Personal Data.
- “Consent” means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
- “Data Protection Laws” means all laws, regulations, ordinances, rules, or orders of any governmental or judicial body which apply to the Processing of Personal Data, such as the GDPR, the CCPA and the Israeli Protection of Privacy Law, 1981.
- “Controller Personal Data” means any Personal Data which is supplied or made available by Controller (or on its behalf) and Processed by Processor (or on its behalf) on behalf of Controller in connection with the Services (defined below).
- “EU Data Protection Laws” means the GDPR and any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument which implements the GDPR, the e-Privacy Directive 2002/58/EC, or any decision, directive or regulation of the EU Parliament, EU Commission, EU Court of Justice or other body, as any of the above may be amended, replaced or superseded from time to time.
- “GDPR” means Regulation (EU) 2016/679 (General Data Protection Regulation).
- “CCPA” means the California Consumer Privacy Act of 2018 and the regulations issued thereunder.
- “Personal Data” shall have the meaning ascribed to the terms “personal data”, “personal information”, or other such terms as provided under applicable Data Protection Law. It means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
- “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, destruction and any automated means necessary for the improvement of the Services, including without limitation, AI learning and testing, machine learning models and any other automated model required for the Services.
- “Services” means the products, services and other activities to be supplied or carried out by or on behalf of the Processor or its affiliates pursuant to the Agreement.
- “Subprocessor” means any third party appointed by or on behalf of Processor to Process Controller Personal Data in connection with the Services or this Addendum.
- Processing Personal Data by Processor. Processor shall only Process Controller Personal Data: (i) pursuant to Controller’s reasonable and necessary documented instructions; (ii) as necessary to perform the Services; (iii) to share Controller Personal Data with, or receive Controller Personal Data from, third parties in accordance with Controller’s instructions and/or pursuant to Controller’s use of the Services (e.g. integrations between Processor’s Services and any services provided by third parties as configured by or on behalf of Controller); (iv) to render Controller Personal Data anonymous, thus excluding it from the definition of Personal Data; (v) as required by Union or Member State law or any other applicable law to which Processor and its affiliates are subject, in which case Processor shall, to the extent possible, inform Controller of the legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. Controller hereby instructs Processor, along with companies within its corporate group, to Process Controller Personal Data as needed in order to perform the Services or to comply with the Agreement or Applicable Law.
To the extent that Processor or its affiliates cannot comply with a request (including, without limitation, any instruction, direction, code of conduct, certification, or change of any kind) from Controller relating to the Processing of Controller Personal Data, or where Processor considers such a request to be unlawful, (i) Processor shall inform Controller, providing relevant details of the problem; (ii) Processor may, without any liability towards Controller, temporarily cease all Processing of the affected Controller Personal Data (other than securely storing the data); and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, Processor may, as its sole remedy, terminate the Agreement and this Addendum with respect to the affected Processing, and Controller shall pay to Processor all amounts owed to Processor or due before the date of termination. Controller will have no further claims against Processor (including, without limitation, requesting refunds for Services) due to the termination of the Agreement and/or the Addendum in the circumstances described above.
Processor will not be liable in the event of any claim brought by a third party, including, without limitation, a data subject, arising from any act or omission of Processor, to the extent that such act or omission is a result of Controller’s instructions.
- Description of Processing. The subject-matter and duration of the Processing to be performed, the nature and purpose of such Processing, the type of Personal Data and categories of data subjects and the obligations and rights of the Controller in respect of such Processing, is set forth in Annex 1 (Description of Processing), attached hereto.
- Confidentiality. Processor shall only authorize persons to participate in the Processing of the Controller Personal Data who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Data Subject Rights. Taking into account the nature of the Processing, Processor shall assist Controller by appropriate technical and organizational measures, insofar as this is possible and at Controller’s expense, in the fulfilment of Controller’s obligations as a data controller under Applicable Law to respond to requests for the exercise of data subjects’ rights pursuant to EU Data Protection Laws.
- Assistance. Processor shall assist Controller, at Controller’s expense, in complying with its obligations pursuant to Articles 32 to 36 of the GDPR as may be relevant to Processing of Controller Personal Data performed by Processor and taking into account the nature of processing and the information available to Processor.
- Notifications of Data Breach. Processor shall notify Controller without undue delay after becoming aware of a Personal Data Breach. Such notice shall (a) describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; (b) communicate the name and contact details of the data protection officer or other contact point of Processor where more information, if available, can be obtained; (c) describe the likely consequences of the Personal Data Breach; and (d) describe the measures taken or proposed to be taken by Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible for Processor to provide such information at the same time, the information may be provided in phases without undue further delay.
- Demonstrating Compliance; Audits. Each Party shall, following the other Party’s written request and at such requesting Party’s expense, make available to the other reasonable information necessary for the requesting Party to demonstrate compliance with the obligations applicable to it pursuant to Applicable Law and to allow for and contribute to audits, including inspections, conducted by such Party or its designated auditor (subject to an undertaking of confidentiality). All audits of another Party shall be performed at a time and manner determined jointly by the Parties, and in any case in a manner which does not interfere with the operations of the audited Party, and not more than a reasonable number of times in any given period. The auditing Party shall be responsible for all costs and expenses incurred by the audited Party as a result of the audit. All information learned or obtained during such audits shall be deemed Confidential Information of the audited Party and any third-party person or entity participating or performing the audit shall execute a non-disclosure agreement with the audited Party at least as protective of such Confidential Information as the relevant provisions of the Agreement.
- Deletion or Return of Data. Processor shall delete or return to Controller all Controller Personal Data following termination of the provision of the Services, except regularly scheduled backups, which shall be retained for a reasonable period and then deleted. Notwithstanding the above, Processor may retain Controller Personal Data to the extent EU Data Protection Laws or the laws of any European Union member state require storage of such Personal Data.
- Security
- Processor and Controller shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Such measures may include, inter alia, as appropriate: (1) the pseudonymisation and encryption of personal data; (2) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (3) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (4) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. In assessing the appropriate level of security, Controller and Processor shall take account in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.
- Subprocessors.
- Controller agrees that Processor may engage Subprocessors to carry out Processing activities as part of the provision of the Services. The list of approved Subprocessors is detailed in Annex 1.
- Processor shall notify Controller of the appointment of new Subprocessors. Controller may reasonably object to Processor’s use of a Subprocessor for reasons related to data privacy/security by notifying Processor promptly in writing within three (3) business days after receipt of Processor’s notice, and such written objection shall include the reasons related to data privacy/security for objecting to Processor’s use of such Subprocessor. Failure to object to such Subprocessor in writing within three (3) business days following Processor’s notice shall be deemed acceptance of the Subprocessor. In the event Controller reasonably objects to a Subprocessor, as permitted in the preceding sentences, Processor will use reasonable efforts to make available to Controller a change in the Services or recommend a commercially reasonable change to Controller’s use of the Services to avoid Processing of Controller Personal Data by the objected-to Subprocessor without unreasonably burdening Controller. If Processor is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Controller may, as its sole remedy, terminate the Agreement and this Addendum with respect only to those Services which cannot be provided by Processor without the use of the objected-to Subprocessor, by providing written notice to Processor. Until a decision is made regarding the Subprocessor, Processor may temporarily suspend the Processing of the affected Personal Data. Controller will have no further claims against Processor due to the termination (including, without limitation, requesting refunds) in the situation described in this paragraph.
- Processor shall only engage Subprocessors pursuant to an agreement imposing on the Subprocessor data protection obligations substantially similar to those that apply to Processor under this Addendum.
- Engagement of a Subprocessor by Processor shall not derogate from Processor’s obligations to Controller under this Agreement.
- International Transfers.
- Transfers to countries that offer an adequate level of data protection. Controller Personal Data may be transferred from the EU Member States, the three EEA member countries (Norway, Liechtenstein and Iceland) and the United Kingdom (collectively, “EEA”) to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the Union, the Member States, the European Commission, or the UK Secretary of State (“Adequacy Decisions”), without any further safeguard being necessary.
- Transfers to other countries. If the Processing of Personal Data includes transfers from the EEA or the UK to countries which do not offer an adequate level of data protection or which have not been subject to an Adequacy Decision (“Other Countries”), the following terms shall apply:
a) with respect to EU transfers of Controller Personal Data, Controller as Data Exporter and Processor, on behalf of itself and each of its affiliates (as applicable), as Data Importer hereby enter into the Standard Contractual Clauses set out in Annex 2. To the extent that there is any conflict or inconsistency between the terms of the Standard Contractual Clauses and the terms of this Addendum, the terms of the Standard Contractual Clauses shall take precedence.
b) with respect to UK transfers of Controller Personal Data (from the UK to other countries which have not been subject to a relevant Adequacy Decision), Controller as Data Exporter and Processor, on behalf of itself and each of its affiliates (as applicable), as Data Importer hereby enter into the UK Standard Contractual Clauses (“UK SCC”) set out in Annex 2. To the extent that there is any conflict or inconsistency between the terms of the UK SCC and the terms of this Addendum, the terms of the UK SCC shall take precedence.
- The “Additional Safeguards” in Annex 2 shall apply to any transfer of Personal Data to Other Countries.
- Anonymous Information. The obligations of Controller hereunder do not concern the Processing of Anonymous Information, including, without limitation, Anonymous Information derived or rendered from Controller Personal Data, which Processor and its affiliates may use without restriction.
- Controller’s Responsibility.
- Controller represents, warrants, and undertakes that all Controller Personal Data is and shall be collected, obtained and provided or made available to Processor (or anyone on its behalf) in accordance with all Applicable Laws, including EU Data Protection Laws. Controller agrees that it is solely liable for the legality of (and any claims of violations of any Applicable Laws relating to) the Processing of the Controller Personal Data by Processor (or its Subprocessors) which is done in accordance with the Agreement and this Addendum. Without limitation of the foregoing, Controller will indemnify, keep indemnified and harmless Processor, its subcontractors and affiliates (each an "Indemnified Party”) from and against all third party loss, harm, cost (including reasonable legal fees and expenses), expense and liability that an Indemnified Party may suffer or incur as a result of Controller's non-compliance with the requirements of this Addendum.
- Controller represents, warrants, and undertakes that it does and shall (a) post a privacy policy on its website describing its receipt, collection, use and Processing of Controller Personal Data (“Privacy Policy”) which complies with all Data Protection Laws and other Applicable Laws; (b) post and provide all other notices and policies, and obtain all Consents, required by all Data Protection Laws and any other Applicable Law; and (c) comply with its Privacy Policy and such other notices and policies, and any other published policies or statements, promises or warranties made by Controller, as well as all other requirements under Data Protection Laws and any Applicable Laws (including, without limitation, responding to the requests of data subjects or privacy or data protection authorities).
- Controller represents, warrants, and undertakes that, except as expressly set forth in Annex 1, the Controller Personal Data is not, does not and shall not include (a) the categories of Personal Data described in Article 9(1) of the GDPR (sensitive or special categories of data) or “genetic data”, “biometric data” or “data concerning health” as such terms are defined in the GDPR; (b) “Protected Health Information” as such term is defined in 45 C.F.R. §160.103; or (c) the personal data of children under the age of 18 years, including, without limitation, “Personal Information” of a “Child” as such terms are defined in 16 C.F.R. §312.2.
- Changes in Law. In the event that Processor at any time determines that the use of the Services or Processing of the Controller Personal Data, or any change in any Applicable Law, require the execution of additional agreements or documentation, including, without limitation, amendments to the Agreement or this Addendum, Controller shall promptly execute such agreements or documents.
- Applicable Law. Notwithstanding anything to the contrary, Processor will comply with Applicable Law, and may refuse to comply with any Controller instruction or request, or to take any action or perform any Processing, to the extent Processor reasonably believes that such instruction, request, act or Processing violates Applicable Law. In such case, Processor shall, to the extent permitted by Applicable Law, notify Controller of such refusal and the relevant Applicable Law.
- Governing Law; Jurisdiction. This Addendum, the subject matter thereof, and any disputes relating to the foregoing shall be subject to the laws of the jurisdiction set forth in the Agreement, and any such disputes shall be exclusively adjudicated by the competent courts of the jurisdiction, city or county set forth in the Agreement.
- Incorporation to Agreement. This Addendum is hereby incorporated into and made part of the Agreement. Unless a provision of the Agreement expressly states that it overrides this Addendum, in the event any provision of this Addendum expressly contradicts any provision of the Agreement, the provisions of this Addendum shall prevail to the extent necessary in order to resolve such contradiction.
Annex 1 - Description of Processing
Subject matter. Processor will Process Controller Personal Data as necessary to perform the Services pursuant to the Agreement, as further instructed by Controller in its use of the Services.
Nature and Purpose of Processing
1. Performing the Agreement, this Addendum and/or other contracts executed by the Parties, including, providing the Service(s) to Controller and providing support and technical maintenance, if agreed in the Agreement.
2. For Processor to comply with documented reasonable instructions provided by Controller where such instructions are consistent with the terms of the Agreement.
3. Resolving disputes, enforcing the Agreement, this Addendum and/or defending Processor’s rights.
4. Management of the Agreement, the Addendum and/or other contracts executed by the Parties, including fees payment, account administration, accounting, tax, management, litigation; and
5. Complying with applicable laws and regulations, including for cooperating with local and foreign tax authorities, preventing fraud, money laundering and terrorist financing.
Duration of Processing. Subject to any Section of this Addendum and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Processor will Process Controller Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Type of Personal Data. Controller may submit Controller Personal Data to the Services, the extent of which is determined and controlled by Controller in its sole discretion, and which may include, but is not limited to, the following categories of Personal Data:
- Contact and registration data (name, email, etc.)
- Calendar data (meeting details)
- Meeting content (recordings, transcripts, summaries, action items, follow-ups)
- AI data (inputs, queries and correspondence with AI models)
- Social media data (information from social media accounts, if connected)
- Documents, reports, photos, and any attachments uploaded to the Services
- Any interactions with other users of the Services
Controller provides the Controller Personal Data, and any other Personal Data it chooses to upload, to Processor by submitting that Personal Data to Processor’s Services.
Categories of Data Subjects
Controller may submit Controller Personal Data to the Services, the extent of which is determined and controlled by Controller in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of data subjects:
- Controller’s employees, agents, advisors and freelancers (who are natural persons)
- Controller’s customers and/or prospective customers
- Any other individual with whom Controller or its representatives interact
The frequency of the transfers of Personal Data.
Continuous basis
The period for which the Controller Personal Data will be retained, or, if that is not possible, the criteria used to determine that period
For as long as the Addendum is in effect, and thereafter as determined by the Controller and as further described in the Addendum and/or the Agreement.
Authorized Subprocessors
| Third Party / Affiliate | Purpose of Engagement | Location | Cross-Border Transfer Mechanism | DPA? |
|---|---|---|---|---|
| Superpower Ltd. | R&D | Israel | Adequacy | Signed |
| Google Cloud EMEA Limited | GCP - hosting and storage systems provider; Vertex AI - AI functionality | Frankfurt | Adequacy - DPF | Signed |
| Raintank Inc., dba Grafana Labs | Infrastructure & application monitoring | USA | SCC | Signed |
| Catamorphic Co., dba LaunchDarkly | Feature toggle management | USA | SCC | Signed |
| Mailgun Technologies, Inc. | Application email delivery | USA | SCC | Signed |
| OpenAI | Provider for AI functionality | USA | SCC | Signed |
| Hyperdoc Inc. dba Recall | Recording & transcription services | USA | SCC | Signed |
| Functional Software, Inc. dba Sentry | Error tracking | USA | SCC | Signed |
| Pinecone Systems, Inc. | Vector DB for semantic search | USA | SCC | Signed |
| Playbook Software, Inc. dba Rollout | Integrations management | USA | SCC | Signed |
| Deepgram Inc. | Transcription of voice calls | USA | SCC | Signed |
| Gladia | Transcription of voice calls | EU (FR) | N/A | Signed |
| Twilio, Inc. | Recording phone calls | USA | Adequacy - DPF | Signed |
| Microsoft Corporation (Azure OpenAI) | Generating insights from meeting transcriptions | Data at rest remains in the designated Azure geography; data may be processed for inferencing in any Azure OpenAI location | Adequacy - DPF | Signed |
| Pusher Limited | Realtime messaging | EU (IE) | N/A | Signed |
| ZenLeads Inc. (Apollo) | Enrichment of contacts | USA | DPF | Signed |
| LangChain, Inc. | Monitoring AI app performance | USA | SCC | Signed |
Annex 2 - Standard Contractual Clauses
EU SCCs. If the Processing of Personal Data includes transfers from the EEA to countries outside the EEA which do not offer an adequate level of data protection or which have not been subject to an Adequacy Decision, the Standard Contractual Clauses (“EU SCCs”) set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021 shall be deemed incorporated into this Addendum as follows:
a) Module Two - Controller-to-Processor of the SCCs (in the case where the Controller is the data controller and Processor is the data processor) or Module Three - Processor to Processor of the SCCs (in the case where the Controller is the data processor and Processor is a sub-processor), as applicable will apply with respect to restricted transfers between Controller and Processor that are subject to the GDPR.
b) The Parties agree that for the purpose of transfers of Controller Personal Data between Controller (as Data Exporter) and Processor (as Data Importer), the following shall apply: (i) Clause 7 of the Standard Contractual Clauses shall be applicable; (ii) in Clause 9, option 2 shall apply and the method described in Section 12 of the Addendum shall apply; (iii) the optional language in Clause 11 of the Standard Contractual Clauses shall not apply; (iv) in Clause 13, the option applicable to Controller, as informed by Controller to Processor, shall apply; (v) in Clause 17, option 1 shall apply, and the Parties agree that the Standard Contractual Clauses shall be governed by the laws of Ireland; and (vi) in Clause 18(b) the Parties choose the courts of Ireland as their choice of forum and jurisdiction.
c) Annex I.A: With respect to Module Two: (i) Data Exporter is Controller as a data controller and (ii) the Data Importer is Processor as a data processor. With respect to Module Three: (i) Data Exporter is Controller as a data processor and (ii) the Data Importer is Processor as a data processor (sub-processor). Data Exporter and Data Importer Contact details: As detailed in the Agreement. Signature and Date: By entering into the Agreement and this Addendum, each Party is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Addendum.
d) Annex I.B of the Standard Contractual Clauses shall be completed as described in Annex 1 (Description of Processing) of this Addendum.
e) Annex I.C of the Standard Contractual Clauses shall be completed as follows: The competent supervisory authority is the Irish supervisory authority.
f) Annex II of the Standard Contractual Clauses shall be completed as described and agreed between the parties in the Agreement and/or this Addendum.
g) Annex III of the Standard Contractual Clauses shall be completed with the authorized subprocessors detailed in Annex 1 of this Addendum.
UK SCCs. If the Processing of Personal Data includes transfers from the UK to countries which do not offer adequate level of data protection or which have not been subject to an Adequacy Decision (“UK Transfer”), the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (“UK Addendum”) as set out by the ICO, as available here, as updated, amended, replaced or superseded from time to time by the ICO shall apply, as follows:
Table 1: The Parties: as stipulated in Annex I.A of the EU SCCs.
Table 2: Selected SCCs, Modules and Selected Clauses: as stipulated in Annex I of the EU SCCs.
Table 3: Appendix Information: means the information which must be provided for the selected modules as set out in the Appendix of the EU SCCs (other than the Parties), and which for this UK Addendum is set out in Annex I.
Entering into this UK Addendum:
1. Each Party agrees to be bound by the terms and conditions set out in this UK Addendum, in exchange for the other Party also agreeing to be bound by this UK Addendum.
2. Although Annex I.A and Clause 7 of the EU SCCs require signatures by the Parties, for the purpose of making UK Transfers, the Parties may enter into this UK Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this UK Addendum. Entering into this UK Addendum will have the same effect as signing the EU SCCs and any part of the EU SCCs.
Interpretation of this UK Addendum:
3. Where this UK Addendum uses terms that are defined in the EU SCCs, those terms shall have the same meaning as in the EU SCCs. In addition, the following terms have the following meanings:
| Term | Meaning |
|---|---|
| Addendum EU SCCs | The version(s) of the EU SCCs which this UK Addendum is appended to, as set out in Table 2, including the Appendix Information. |
| Appendix Information | As set out in Table 3. |
| Appropriate Safeguards | The standard of protection over the personal data and of data subjects’ rights which is required by UK Data Protection Laws when the Parties are making a UK Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR. |
| Standard Contractual Clauses | As defined in the Addendum. |
| ICO | The Information Commissioner. |
| Annex III | This UK Addendum, which is made up of this UK Addendum incorporating the Addendum EU SCCs. |
| UK Addendum | As defined above. |
| UK Data Protection Laws | All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018. |
| UK GDPR | As defined in Section 3 of the Data Protection Act 2018. |
| UK | The United Kingdom of Great Britain and Northern Ireland. |
| UK Transfer | A transfer which is covered by Chapter V of the UK GDPR. |
4. This UK Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
5. If the provisions included in the UK Addendum amend the EU SCCs in any way which is not permitted under the EU SCCs, such amendment(s) will not be incorporated by this UK Addendum and the equivalent provision of the EU SCCs will take their place.
6. If there is any inconsistency or conflict between UK Data Protection Laws and this UK Addendum, UK Data Protection Laws apply.
7. If the meaning of this UK Addendum is unclear or there is more than one meaning, the meaning that most closely aligns with UK Data Protection Laws applies.
8. Any references to legislation (or specific provisions of legislation) mean that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted, and/or replaced after this Addendum has been entered into.
Hierarchy:
9. Although Clause 5 of EU SCCs sets out that the EU SCCs prevail over all related agreements between the Parties, the Parties agree that, for a UK Transfer, the hierarchy in Section 10 below will prevail.
10. Where there is any inconsistency or conflict between this UK Addendum and the EU SCCs (as applicable), this UK Addendum overrides the EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the EU SCCs provides greater protection for data subjects, in which case those terms will override the provisions of this UK Addendum.
11. Where this UK Addendum incorporates the EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this UK Addendum impacts those EU SCCs.
Incorporation and changes to the EU SCCs:
12. This UK Addendum incorporates the EU SCCs which are amended to the extent necessary so that:
a. Together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
b. Sections 9 to 11 override Clause 5 (Hierarchy) of the EU SCCs; and
c. This UK Addendum (including the EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
13. Unless the Parties have agreed on alternative amendments which meet the requirements of Section 12 above, the provisions of Section 15 below will apply.
14. No amendments to the EU SCCs other than to meet the requirements of Section 12 above may be made.
15. The following amendments to the Addendum EU SCCs (for the purpose of Section 12 above) are made:
a. References to the “Clauses” mean this UK Addendum, incorporating the EU SCCs;
b. In Clause 2, delete the words: “and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
c. Clause 6 (Description of the transfer(s)) is replaced with: “The details of the transfer(s) (and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
d. Clause 8.8 is replaced with: “the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
e. References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
f. References to Regulation (EU) 2018/1725 are removed;
g. References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
h. Clause 13(a) and Part C of Annex I are not used;
i. The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
j. In Clause 16(e), subsection (i) is replaced with: “the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
k. Clause 17 is replaced with: “These Clauses are governed by the laws of England and Wales.”;
l. Clause 18 is replaced with: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
m. The footnotes to the EU SCCs do not form part of this UK Addendum, except for footnotes 8, 9, 10 and 11.
Amendments to this UK Addendum:
16. The Parties may agree to change Clause 17 and/or 18 of this UK Addendum to refer to the laws and/or courts of Scotland or Northern Ireland.
17. If the Parties wish to change the format of the information included in Tables 1, 2 or 3 of this UK Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
18. From time to time, the ICO may issue a revised UK Addendum which:
a. Makes reasonable and proportionate changes to the UK Addendum, including correcting errors in the UK Addendum; and/or
b. Reflects changes to UK Data Protection Laws;
The revised UK Addendum will specify the start date from which the changes to the UK Addendum are effective and whether the Parties need to review this UK Addendum including the Appendix Information. This UK Addendum is automatically amended as set out in the revised UK Addendum from the start date specified.
19. If the ICO issues a revised UK Addendum under Section 18 and any Party will, as a direct result of the changes in the UK Addendum, have a substantial, disproportionate and demonstrable increase in:
a. Its direct costs of performing its obligations under this UK Addendum; and/or
b. Its risk under this UK Addendum,
and in either case that Party has first taken reasonable steps to reduce those costs or risks so that they are not substantial and disproportionate, then that Party may end this UK Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised UK Addendum.
20. The Parties do not need the consent of any third party to make changes to this UK Addendum, but any changes must be made in accordance with its terms.
Additional Safeguards.
1. In the event of any transfer where the EU SCCs or the UK Addendum apply, the Parties agree to supplement these with the following safeguards and representations, where appropriate:
(a) The data importer shall have in place and maintain in accordance with good industry practice measures to protect the Personal Data from interception (including in transit from the data exporter to the data importer and between different systems and services). This includes having in place and maintaining network protection intended to deny attackers the ability to intercept data and encryption of Personal Data whilst in transit and at rest intended to deny attackers the ability to read data.
(b) The data importer will make commercially reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to the Personal Data protected under GDPR and the UK GDPR, including under section 702 of the United States Foreign Intelligence Surveillance Act (“FISA”);
(c) If the data importer becomes aware that any government authority (including law enforcement) wishes to obtain access to or a copy of some or all of the Personal Data, whether on a voluntary or a mandatory basis, then unless legally prohibited or under a mandatory legal compulsion that requires otherwise:
(i) The data importer shall inform the relevant government authority that the data importer is a processor of the Personal Data and that the data exporter has not authorized the data importer to disclose the Personal Data to the government authority, and inform the relevant government authority that any and all requests or demands for access to the Personal Data should therefore be notified to or served upon the data exporter in writing;
(ii) The data importer will use commercially reasonable legal mechanisms to challenge any such demand for access to Personal Data which is under the data importer’s control. Notwithstanding the above, (a) the data exporter acknowledges that such challenge may not always be reasonable or possible in light of the nature, scope, context and purposes of the intended government authority access, and (b) if, taking into account the nature, scope, context and purposes of the intended government authority access to Personal Data, the data importer has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, this subsection (c)(ii) shall not apply. In such an event, the data importer shall notify the data exporter, as soon as possible, following the access by the government authority, and provide the data exporter with relevant details of the same, unless and to the extent legally prohibited to do so.
2. Once in every 12-month period, the data importer will inform the data exporter, at the data exporter’s written request, of the types of binding legal demands for Personal Data it has received and solely to the extent such demands have been received, including national security orders and directives, which shall encompass any process issued under section 702 of FISA.
Annex 3 - Israeli Addendum
This Annex 3 shall apply if and when the Processing of the Controller Personal Data by the Processor includes Personal Data which is subject to Israel’s Privacy Protection Law, 1981. The following terms, when capitalized and used in this Annex 3 (unless otherwise indicated), shall have the meaning set forth below.
“Data Protection Laws” - shall include, in addition to the definition in the Addendum, also the Privacy Protection Law, 1981 and the regulations promulgated thereunder.
“Data Transfers” - if the Controller Personal Data is being transferred to a subprocessor outside of Israel, Customer Personal Data shall be transferred to the subprocessor in accordance with and subject to the provisions of the Privacy Protection Regulations (Transfer of Information to Databases Outside the State), 2001.
“Industry-standard technical and organizational measures required for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), confidentiality and integrity of Personal Data”, shall include, at minimum:
- Processor shall maintain and implement sufficient and appropriate (based on the type of Customer Personal Data and its sensitivity) environmental, physical and logical security measures with respect to Customer Personal Data and to Processor’s system infrastructure, data processing system (including the system in which the Customer Personal Data is processed), communication means, terminals, system architecture, hardware and software, in order to prevent penetration and unauthorized access to Customer Personal Data or to the system or communication lines between Customer and Processor. Systems on which Customer Personal Data is processed shall be located in a secure location, which may be accessed only by properly authorized employees.
- The Processor will separate, to the extent and level reasonably possible, between the database systems which enable access to Customer Personal Data and other computer systems used by the Processor. Processor shall update the database systems on a regular basis, including the computer material required for their operation; no use will be made of systems whose manufacturer does not support their security aspects, unless an appropriate security solution is provided.
- Processor shall list all components (hardware and software) used to process Customer Personal Data, including computer systems, communication equipment, and software. Processor shall use such list to continuously monitor such components and identify weaknesses and risks for the purpose of implementing appropriate security measures to mitigate them.
- Processor maintains procedures to restrict and limit access to Customer Personal Data, as well as procedures relating to backup and recovery procedures of security related data as required under the Security Regulations.
- Processor shall record the access to the Customer Personal Data, including recording the exit or entry of any employee into and out of the facilities where the Customer Personal Data is processed, as well as any equipment brought in or taken out of such facilities.
- Processor shall implement automatic control mechanisms for verifying access to systems containing Customer Personal Data, which shall include, inter alia, the user identity, date and time of access attempt, the system component attempted to be accessed, type and scope of access and if access was granted or denied.
- Processor shall periodically monitor the information from the control mechanisms, and list issues and irregularities and the measures taken to handle them. Control records shall be maintained for a minimum of 24 months. Processor records and any related reports and measures will be shared with Customer upon request, and, to the extent required under the Privacy Law, such records shall be backed up by Processor.
- Processor declares and undertakes that it has a valid SOC2 certification and that it will continue to hold it, comply with and continue to meet its requirements throughout the term of the Agreement.
- The Processor will not transfer Customer Personal Data through a public communications network or via the internet, without using industry-standard encryption methods.