Data Processing Addendum

Last updated: March 30th, 2026

Paper (“Provider”) and the undersigned customer (“Customer”) enter into this Data Processing Addendum (including the annexes attached hereto, this “DPA”). This DPA supplements and forms part of the Terms of Service (the “Agreement”).

1. Definitions

For purposes of this DPA, the terms below have the meanings set forth below. Capitalized terms that are used but not defined in this DPA have the meanings given in the Agreement.

  1. Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, where “control” refers to the power to direct or cause the direction of the subject entity, whether through ownership of voting securities, by contract or otherwise.

  2. Authorized User means an employee or contractor of Customer who is authorized by Customer to access and use the Service on behalf of and for the benefit of Customer.

  3. Applicable Data Protection Laws means, as and to the extent applicable, the State Privacy Laws, GDPR, and FADP.

  4. Controller means the entity that, alone or jointly with others, determines the purposes or means of the Processing of Personal Data, including, as applicable, any “business” as that term is defined by the California Consumer Privacy Act.

  5. Data Subject means the identified or identifiable natural person to whom Personal Data relates.

  6. EEA means the European Economic Area.

  7. FADP means the Swiss Federal Act on Data Protection in its revised version of 25 September 2020.

  8. FDPIC means the Swiss Federal Data Protection and Information Commissioner.

  9. GDPR means, as and where applicable to Processing concerned: (i) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”); and/or (ii) the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (as amended, including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) (“UK GDPR”), including, in each case (i) and (ii) any applicable national implementing or supplementary legislation (e.g., the UK Data Protection Act 2018), and any successor, replacement, amendment or re-enactment, to or of the foregoing. References to “Articles” and “Chapters” of, and other relevant defined terms in, the GDPR shall be construed accordingly.

  10. Information Security Incident means an actual breach of Provider’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in Provider’s possession, custody or control. Information Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.

  11. Personal Data means Your Content that constitutes “personal data,” “personal information,” or “personally identifiable information” as defined in Applicable Data Protection Laws, except that Personal Data does not include such information received by Provider directly or from other sources (such as its other customers) independent of Provider’s relationship with Customer.

  12. Process or Processing means any operation or set of operations which is performed by Provider on behalf of Customer under this Agreement, on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

  13. Processor means the entity that Processes Personal Data on behalf and at the direction of the Controller, including, as applicable, any “service provider” as that term is defined by the California Consumer Privacy Act.

  14. Restricted Transfer means the disclosure, grant of access or other transfer of Personal Data to any person located in: (i) when transferred from the EEA, any country or territory outside the EEA which does not benefit from an adequacy decision from the European Commission (an “EU Restricted Transfer”); (ii) when transferred from the UK, any country or territory outside the UK, which does not benefit from an adequacy decision from the UK Government (a “UK Restricted Transfer”); and (iii) when transferred from Switzerland, a country or territory outside of Switzerland which does not benefit from an adequacy decision from the Swiss authorities (a “Swiss Restricted Transfer”), in each case, which would be prohibited without a legal basis under the GDPR or FADP.

  15. SCCs means the applicable (C-to-C, C-to-P, P-to-P or P-to-C) standard contractual clauses approved by the European Commission pursuant to Implementing Decision (EU) 2021/914.

  16. Security Measures has the meaning given in Section 4(a) (Provider Security Measures).

  17. Service Data means any data relating to the use, support and/or operation of the Services, which is collected by Provider from and/or about Authorized Users of the Services and/or Customer’s use of the Service for use for Provider’s own purposes (certain of which may constitute Personal Data). Service Data includes Personal Data of Customer’s business representatives.

  18. Services means the services that Provider performs for Customer under the Agreement.

  19. State Privacy Laws means, collectively, the comprehensive state-specific data privacy laws and their regulations currently in effect and applicable to Provider’s Processing of Personal Data under the Agreement.

  20. Subprocessors means third parties that Provider engages to Process Personal Data in relation to the Services.

  21. Supervisory Authority means any entity with the authority to enforce Applicable Data Protection Laws, including: (i) in the context of the EEA and the EU GDPR, the entity given that meaning in the EU GDPR; (ii) in the context of the UK and the UK GDPR, the UK Information Commissioner’s Office (ICO); and (iii) in the context of Switzerland and the FADP, the FDPIC.

  22. UK Transfer Addendum means the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of the Mandatory Clauses included in Part 2 thereof.

2. Duration and Scope of DPA

  (a) This DPA will remain in effect so long as Provider Processes Personal Data, notwithstanding the expiration or termination of the Agreement.

  (b) Processing of Personal Data subject to the GDPR shall be subject to Annex 2 (European Annex).

  (c) Processing of Personal Data subject to the State Privacy Laws with respect to which Customer is a Business, Controller, Processor, or Service Provider and Provider is Customer’s service provider or processor (as such terms are defined in State Privacy Laws) shall be subject to Annex 3 (State Privacy Laws Annex) to this DPA.

3. Customer Instructions

Provider will Process Personal Data as a Processor only in accordance with Customer’s instructions to Provider. By entering into this DPA, Customer instructs Provider to Process Personal Data to provide the Services and to perform its other obligations and exercise its rights under the Agreement. The Parties acknowledge and agree that the details of Provider’s Processing of Personal Data (including the respective roles of the Parties relating to such Processing) are as described in Annex 1 (Data Processing Details) to the DPA.

4. Security

  (a) Provider Security Measures. Provider will implement and maintain technical, administrative, physical and organizational measures designed to protect Personal Data against Information Security Incidents as described in Annex 4 (the “Security Measures”). Provider may update the Security Measures from time to time, so long as the updated measures do not materially decrease the overall protection of Personal Data.

  (b) Security Compliance by Provider Staff. Provider shall require that its personnel who are authorized to access Personal Data are subject to appropriate confidentiality obligations.

  (c) Information Security Incidents. Provider will notify Customer without undue delay of any Information Security Incident of which Provider becomes aware. Such notifications will describe available details of the Information Security Incident, including steps taken to mitigate the potential risks and steps Provider recommends Customer take to address the Information Security Incident. Provider’s notification of or response to an Information Security Incident will not be construed as Provider’s acknowledgement of any fault or liability with respect to the Information Security Incident. Provider shall reasonably co-operate with Customer and take such commercially reasonable steps as may be directed by Customer to assist in the investigation of any such Information Security Incident. Customer is solely responsible for complying with notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Information Security Incident. If Customer determines that an Information Security Incident must be notified to any Supervisory Authority, any Data Subject(s), the public or others under Applicable Data Protection Laws, to the extent such notice directly or indirectly refers to or identifies Provider, where permitted by applicable laws, Customer agrees to (i) notify Provider in advance, and (ii) in good faith, consult with Provider and consider any clarifications or corrections Provider may reasonably recommend or request to any such notification, which: (i) relate to Provider’s involvement in or relevance to such Information Security Incident; and (ii) are consistent with applicable laws.

  (d) Customer’s Security Responsibilities. Customer agrees that Customer is solely responsible for its use of the Services, including (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of Your Content; (b) securing the account authentication credentials, systems and devices Customer uses to access the Services; (c) securing Customer’s systems and devices that Provider uses to provide the Services; and (d) backing up Personal Data.

  (e) Customer’s Security Assessment. Customer has determined that the Services, the Security Measures and Provider’s commitments under this DPA are adequate to meet Customer’s needs, including with respect to any security obligations of Customer under Applicable Data Protection Laws, and provide a level of security appropriate to the risk in respect of the Personal Data.

5. Data Subject Rights

  (a) Data Subject Request Assistance. Provider will (taking into account the nature of the Processing of Personal Data) provide Customer with assistance reasonably necessary and technically feasible for Customer to perform its obligations under Applicable Data Protection Laws to fulfill requests by Data Subjects to exercise their rights under Applicable Data Protection Laws (“Data Subject Requests”) with respect to Personal Data in Provider’s possession or control, including but not limited to, access, correction, deletion, and cessation of Processing of Personal Data. Customer shall compensate Provider for any such assistance at Provider’s then-current professional services rates, which shall be made available to Customer upon request.

  (b) Customer’s Responsibility for Requests. If Provider receives a Data Subject Request, Provider will (i) notify Customer; and (ii) advise the Data Subject to submit the request to Customer. Customer will be solely responsible for responding to any such request.

6. Customer Responsibilities

  (a) Customer shall ensure (and is solely responsible for ensuring) that it has given such notices to and obtained such consents and permissions from third parties (including, without limitation, Data Subjects), and has all rights, in each case, as may be required under applicable law or otherwise for Provider to Process Personal Data as contemplated by the Agreement.

  (b) Customer represents and warrants to Provider that Your Content does not and will not contain any Personal Data that contains racial, ethnic or national origin; religious or philosophical beliefs; political opinions; protected health information subject to the Health Insurance Portability and Accountability Act (“HIPAA”); other mental or physical health condition, diagnosis, history, treatment or other health data; health insurance information; pregnancy; sex life, sexuality or sexual orientation; status as transgender or non-binary; citizenship; citizenship or immigration status; union membership; status as a victim of crime; genetic, biometric, neural or biological data; personal information of children or teens; precise location information; Social Security number; driver’s license number; state identification card number; passport number; other government-issued identification numbers; account login information; financial information or account number; tax return data; contents of a communication to which you were not a party; or any bulk U.S. sensitive personal data or U.S. government-related data, in each case as defined in the U.S. Department of Justice’s Final Rule on Prohibition on Bulk Data Transfers to Foreign Adversaries (28 C.F.R. Part 202), as amended, or any successor or similar rule, law, or regulation (collectively, “Restricted Data”).

  (c) Customer represents and warrants that there is, and will be throughout the term of the Agreement, a valid legal basis for the Processing by Provider of Personal Data in accordance with this DPA and the Agreement (including, any and all instructions issued by Customer from time to time in respect of such Processing) for the purposes of all Applicable Data Protection Laws (including Article 6, Article 9(2) and/or Article 10 of the GDPR (where applicable)).

  (d) Customer shall ensure that all Data Subjects have (i) been presented with all required notices and statements (including as required by Articles 12–14 of the GDPR (where applicable)); and (ii) provided all required consents, in each case (i) and (ii) relating to the Processing by Provider of Personal Data.

7. Subprocessors

  (a) Consent to Subprocessor Engagement. Customer generally authorizes Provider to engage third parties as Subprocessors in accordance with this Section 7.

  (b) Information about Subprocessors. Information about Subprocessors, including their functions and locations, is available at /legal/subprocessors (the “Subprocessor Site”). Provider may continue to use those Subprocessors already engaged by Provider as at the date of this DPA.

  (c) Requirements for Subprocessor Engagement. When engaging any Subprocessor, Provider will enter into a written contract with such Subprocessor containing data protection obligations not less protective than those in this DPA with respect to Personal Data to the extent applicable to the nature of the services provided by such Subprocessor. Provider shall be liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor in connection with the services they provide to Provider to the same extent as Provider would have been had it performed the Processing itself.

  (d) Opportunity to Object to Subprocessor Changes. When Provider engages any new Subprocessor after the effective date of the DPA, Provider will notify Customer of the engagement (including the name and location of the relevant Subprocessor and the activities it will perform) by updating the Subprocessor Site. If Customer objects to such engagement in a written notice to Provider within 15 days after being informed of the engagement on reasonable grounds relating to the protection of Personal Data, Customer and Provider will work together in good faith to find a mutually acceptable resolution to address such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Customer may, as its sole and exclusive remedy, terminate the Agreement and cancel the Services by providing written notice to Provider and pay Provider for all amounts due and owing under the Agreement as of the date of such termination.

8. Audits

Reviews and Audits of Compliance. Customer may audit Provider’s compliance with its obligations under this DPA up to once per year and on such other occasions as may be required by Applicable Data Protection Laws. Provider will contribute to such audits by providing Customer with the information and assistance reasonably necessary to conduct the audit. Due to the nature of the Services, on-site audits are not necessary for Customer to audit Provider’s compliance with this DPA. If a third party is to conduct the audit, Provider may object to the auditor if the auditor is, in Provider’s reasonable opinion, not independent, a competitor of Provider, or otherwise manifestly unsuitable. Such objection by Provider will require Customer to appoint another auditor or conduct the audit itself. To request an audit, Customer must submit a proposed audit plan to Provider at least two weeks in advance of the proposed audit date and any third-party auditor must sign a customary non-disclosure agreement mutually acceptable to the parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Provider will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Provider security, privacy, employment or other relevant policies). Provider will work cooperatively with Customer to agree on a final audit plan. Nothing in this Section 8 shall require Provider to breach any duties of confidentiality. 
If the controls or measures to be assessed in the requested audit are addressed in a SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third-party auditor within twelve (12) months of Customer’s audit request and Provider has confirmed there have been no known material changes in the controls audited since the date of such report, Customer agrees to accept such report in lieu of requesting an audit of such controls or measures. The audit must be conducted during regular business hours, subject to the agreed final audit plan and Provider’s safety, security or other relevant policies, and may not unreasonably interfere with Provider business activities. Customer will promptly notify Provider of any non-compliance discovered during the course of an audit and provide Provider the audit reports generated in connection with the audit(s) under this Section 8, unless prohibited by Applicable Data Protection Laws. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this DPA. Any audits are at Customer’s sole expense. Customer shall reimburse Provider for any time expended by Provider and any third parties in connection with any audits or inspections under this Section 8 at Provider’s then-current professional services rates, which shall be made available to Customer upon request. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit.

9. Return and Deletion

  (a) Subject to Sections 9(b) and 9(c), upon the date of cessation of any Services involving the Processing of Personal Data (the “Cessation Date”), Provider shall promptly cease all Processing of Personal Data for any purpose other than for storage or as otherwise permitted or required under this DPA.

  (b) Subject to Section 9(d), to the extent technically possible in the circumstances (as determined in Provider’s sole discretion), on Customer’s written request to Provider (to be made no later than fourteen (14) days after the Cessation Date (the “Post-cessation Storage Period”)), Provider shall within fourteen (14) days of such request, at Customer’s election either: (i) return a complete copy of all structured Personal Data within Provider’s possession to Customer by secure file transfer, promptly following which Provider shall delete or anonymize all other copies of such Personal Data, or (ii) either (at Provider’s option) delete or anonymize all structured Personal Data within Provider’s possession.

  (c) In the event that during the Post-cessation Storage Period, Customer does not instruct Provider in writing to either delete or return Personal Data pursuant to Section 9(b), Provider shall, subject to Section 9(d), promptly after the expiry of the Post-cessation Storage Period either (at its option) delete, or render anonymous, all structured Personal Data then within Provider’s possession to the fullest extent technically possible in the circumstances.

  (d) Notwithstanding the above, Provider may retain Personal Data, where permitted or required by applicable law, for such period as may be permitted or required by such applicable law, provided that Provider shall (i) maintain measures designed to protect all such Personal Data, and (ii) Process the Personal Data only as necessary for the purpose(s) specified in the applicable law permitting or requiring such retention.

10. Service Data

  (a) Customer acknowledges that Provider may collect, use and disclose Service Data for its own business purposes: (i) for accounting, tax, billing, audit, and compliance purposes; (ii) to provide, improve, develop, optimise, market and maintain the Services; (iii) to investigate fraud, spam, wrongful or unlawful use of the Services; (iv) to combine Service Data with other data; (v) to de-identify Personal Data so the de-identified data can be used and disclosed by Provider for lawful business purposes; and/or (vi) as otherwise permitted or required by applicable law.

  (b) In respect of any such Processing described in Section 10(a), Provider: (i) independently determines the purposes and means of such Processing; (ii) shall comply with Applicable Data Protection Laws (if and as applicable in the context); (iii) shall process consumer sale/share opt-out requests that are forwarded to Provider by Customer to the extent required by Applicable Data Protection Laws and upon request provide documentation to Customer that it has done so; (iv) shall Process such Service Data as described in Provider’s relevant privacy notices/policies, as updated from time to time; and (v) where possible, shall apply technical and organizational safeguards to any relevant Personal Data that are no less protective than the Security Measures.

11. Miscellaneous

  (a) Except as expressly modified by the DPA, the terms of the Agreement remain in full force and effect. Notwithstanding anything in the Agreement or any order form entered in connection therewith to the contrary, the parties acknowledge and agree that Provider’s access to Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement. Notwithstanding anything to the contrary in the Agreement, any notices required or permitted to be given by Provider to Customer under this DPA may be given (i) in accordance with any notice clause of the Agreement; (ii) to Provider’s primary points of contact with Customer; or (iii) to any email provided by Customer for the purpose of providing it with Services-related communications or alerts. Customer is solely responsible for ensuring that such email addresses are valid.

  (b) Provider agrees to cooperate in good faith with Customer concerning any amendments as may be reasonably necessary to address compliance with the Applicable Data Protection Laws.

  (c) Provider may on notice vary this DPA to the extent that (acting reasonably) it considers necessary to address the requirements of Applicable Data Protection Laws from time to time, including by varying or replacing the SCCs in the manner described in Paragraph 3.4 of Annex 2 (European Annex).

  (d) In the event of any conflict or inconsistency between (i) this DPA and the Agreement, this DPA shall prevail, or (ii) any SCCs entered into pursuant to Paragraph 3 of Annex 2 (European Annex) and this DPA and/or the Agreement, the SCCs shall prevail in respect of the Restricted Transfer to which they apply.

12. Limitation of Liability

THE TOTAL AGGREGATE LIABILITY OF EITHER PARTY TOWARDS THE OTHER PARTY, HOWSOEVER ARISING, UNDER OR IN CONNECTION WITH THE AGREEMENT, THIS DPA AND THE SCCS (IF AND AS THEY APPLY) WILL UNDER NO CIRCUMSTANCES EXCEED ANY LIMITATIONS OR CAPS ON, AND SHALL BE SUBJECT TO ANY EXCLUSIONS OF, LIABILITY AND LOSS AGREED BY THE PARTIES IN THE AGREEMENT; PROVIDED THAT, NOTHING IN THIS SECTION WILL AFFECT ANY PERSON’S LIABILITY TO DATA SUBJECTS UNDER THE THIRD-PARTY BENEFICIARY PROVISIONS OF THE SCCS (IF AND AS THEY APPLY).

Annex 1: Data Processing Details

Provider / ‘Data Importer’ Details

  • Name: Paper is a U.S. corporation
  • Address: 6789 Quail Hill Parkway #2017, Irvine, CA 92603
  • Contact Details for Data Protection: operations@paper.design
  • Provider Activities: Provider is a developer and operator of a collaborative digital design platform that enables users to create visual content and connect teams, third-party AI agents, code, and data.
  • Role: Processor (and Controller of Service Data)

Customer / ‘Data Exporter’ Details

  • Name: The entity or other person who is a counterparty to the Agreement
  • Customer’s address is: [INSERT]
  • Customer’s Contact Details for Data Protection: [Role] [Email]
  • Customer Activities: Customer’s activities relevant to this DPA are the use and receipt of the Services under and in accordance with, and for the purposes anticipated and permitted in, the Agreement as part of its ongoing business operations.
  • Role: Controller

Categories of Data Subjects and Personal Data

Relevant Data Subjects include any Data Subjects of Personal Data that Customer causes Provider to process as part of the provision of the Services, including Authorized Users, employees, job candidates, and customers.

Relevant Personal Data includes any categories of Personal Data that Customer causes Provider to process as part of the provision of the Services, including:

  • Personal details -- for example any information that identifies the Data Subject, including name, and contact information.
  • Authentication details -- for example username, password or PIN code, security questions and other access protocols.
  • Technological details -- for example internet protocol (IP) addresses, unique identifiers and numbers (including unique identifier in tracking cookies or similar technology), pseudonymous identifiers, precise and imprecise location data, internet / application / program activity data, and device IDs and addresses.

Sensitive Categories of Data

  • Categories of sensitive data: None -- as noted in Section 6(b) of the DPA, Customer agrees that Restricted Data, which includes ‘sensitive data’ (as defined in Clause 8.7 of the SCCs), must not be submitted to the Services.
  • Additional safeguards for sensitive data: N/A

Additional Details

  • Frequency of transfer: Ongoing -- as initiated by Customer in and through its use, or use on its behalf, of the Services.
  • Nature of the Processing: Processing operations required in order to provide the Services in accordance with the Agreement.
  • Purpose of the Processing: As necessary to provide the Services as initiated by Customer in its use thereof, and to comply with any other reasonable instructions provided by Customer in accordance with the terms of this DPA, including to provide and operate the collaborative design platform.
  • Duration of Processing / Retention Period: For the period determined in accordance with the Agreement and DPA, including Section 9 of the DPA.
  • Transfers to (sub)processors: Transfers to Subprocessors are as, and for the purposes, described from time to time in the Subprocessor Site.

Annex 2: European Annex

1. Processing of Personal Data

  1. Where Provider receives an instruction from Customer that, in its reasonable opinion, infringes the GDPR, Provider shall inform Customer.

  2. Customer acknowledges and agrees that any instructions issued by Customer with regards to the Processing of Personal Data by or on behalf of Provider pursuant to or in connection with the Agreement shall be in strict compliance with the GDPR and all other applicable laws.

2. Data Protection Impact Assessment and Prior Consultation

  1. Provider, taking into account the nature of the Processing and the information available to Provider, shall provide reasonable assistance to Customer, at Customer’s cost, with any data protection impact assessments and prior consultations with Supervisory Authorities which Customer reasonably considers to be required of it by Article 35 or Article 36 of the GDPR, in each case solely in relation to Processing of Personal Data by Provider.

  2. Except to the extent prohibited by applicable law, Customer shall be fully responsible for all time spent by Provider (at Provider’s then-current professional services rates) in Provider’s provision of any cooperation and assistance provided to Customer under Paragraph 2.1, and shall on demand reimburse Provider any such costs incurred by Provider.

3. Restricted Transfers

3.1 EU Restricted Transfers

To the extent that any Processing of Personal Data under this DPA involves an EU Restricted Transfer from Customer to Provider, the Parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be:

  1. populated in accordance with Part 1 of Attachment 1 to Annex 2 (European Annex); and
  2. entered into by the Parties and incorporated by reference into this DPA.

3.2 UK Restricted Transfers

To the extent that any Processing of Personal Data under this DPA involves a UK Restricted Transfer from Customer to Provider, the Parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be:

  1. varied to address the requirements of the UK GDPR in accordance with UK Transfer Addendum and populated in accordance with Part 2 of Attachment 1 to Annex 2 (European Annex); and
  2. entered into by the Parties and incorporated by reference into this DPA.

3.3 Swiss Restricted Transfers

To the extent that any Processing of Personal Data under the DPA involves a Swiss Restricted Transfer from Customer to Provider, the Parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be:

  1. varied to address the requirements of the FADP and populated in accordance with Part 3 of Attachment 1; and
  2. entered into by the Parties and incorporated by reference in the DPA.

Nothing in any applicable SCCs (as deemed amended pursuant to this Section 3.3) should be interpreted or construed in such a way as would limit or exclude the rights of Data Subjects under Clause 18(c) of those SCCs (as deemed amended pursuant to this Section 3.3) to bring legal proceedings before the courts in Switzerland where Switzerland is that Data Subject’s place of habitual residence.

3.4 Adoption of new transfer mechanism

Provider may on notice vary this DPA and replace the relevant SCCs with:

  1. any new form of the relevant SCCs or any replacement therefor prepared and populated accordingly (e.g., standard data protection clauses adopted by the European Commission for use specifically in respect of transfers to data importers subject to Article 3(2) of the EU GDPR); or
  2. another transfer mechanism, other than the SCCs, that enables the lawful transfer of Personal Data to Provider under this DPA in compliance with Chapter V of the GDPR.

3.5 Provision of full-form SCCs

In respect of any given Restricted Transfer, if requested of Customer by a Supervisory Authority, Data Subject or further Controller (where applicable) -- on specific written request (made to the contact details set out in Annex 1 (Data Processing Details); accompanied by suitable supporting evidence of the relevant request), Provider shall provide Customer with an executed version of the relevant set(s) of SCCs responsive to the request made of Customer (amended and populated in accordance with Attachment 1 to Annex 2 (European Annex) in respect of the relevant Restricted Transfer) for countersignature by Customer, onward provision to the relevant requestor and/or storage to evidence Customer’s compliance with Applicable Data Protection Laws.

3.6 Operational clarifications

When complying with its transparency obligations under Clause 8.3 of the SCCs, Customer agrees that it shall not provide or otherwise make available, and shall take all appropriate steps to protect, Provider’s and its licensors’ trade secrets, business secrets, confidential information and/or other commercially sensitive information.

Where applicable, for the purposes of Clause 10(a) of Module Three of the SCCs, Customer acknowledges and agrees that there are no circumstances in which it would be appropriate for Provider to notify any third-party controller of any Data Subject Request and that any such notification shall be the sole responsibility of Customer.

For the purposes of Clause 15.1(a) of the SCCs, except to the extent prohibited by applicable law and/or the relevant public authority, as between the Parties, Customer agrees that it shall be solely responsible for making any notifications to relevant Data Subject(s) if and as required.

The terms and conditions of Section 7 of the DPA apply in relation to Provider’s appointment and use of Subprocessors under the SCCs. Any approval by Customer of Provider’s appointment of a Subprocessor that is given expressly or deemed given pursuant to that Section 7 constitutes Customer’s documented instructions to effect disclosures and onward transfers to any relevant Subprocessors if and as required under Clause 8.8 of the SCCs.

The audits described in Clauses 8.9(c) and 8.9(d) of the SCCs shall be subject to any relevant terms and conditions detailed in Section 8 of the DPA.

Certification of deletion of Personal Data as described in Clauses 8.5 and 16(d) of the SCCs shall be provided only upon Customer’s written request.

Attachment 1 to Annex 2: Population of SCCs

Note:

  • In the context of any EU Restricted Transfer, the SCCs populated in accordance with Part 1 of this Attachment 1 are incorporated by reference into and form an effective part of the DPA (if and where applicable in accordance with Paragraph 3.1 of Annex 2 (European Annex) to the DPA).
  • In the context of any UK Restricted Transfer, the SCCs as varied by the UK Transfer Addendum and populated in accordance with Part 2 of this Attachment 1 are incorporated by reference into and form an effective part of the DPA (if and where applicable in accordance with Paragraph 3.2 of Annex 2 (European Annex) to the DPA).
  • In the context of any Swiss Restricted Transfer, the SCCs as varied and populated by Part 3 of this Attachment 1 are incorporated by reference into and form an effective part of the DPA (if and where applicable in accordance with Section 3.3 of Annex 2 (European Annex) to the DPA).

Part 1: Population of the SCCs

1. Signature of the SCCs:

Where the SCCs apply in accordance with Paragraph 3.1 of Annex 2 (European Annex) to the DPA each of the Parties is hereby deemed to have signed the SCCs at the relevant signature block in Annex I to the Appendix to the SCCs.

2. Modules

The following modules of the SCCs apply in the manner set out below (having regard to the role(s) of Customer set out in Attachment 1 to Annex 2 (European Annex) to the DPA):

  1. Module Two of the SCCs applies to any EU Restricted Transfer and/or Swiss Restricted Transfer involving Processing of Personal Data in respect of which Customer is a Controller in its own right; and/or
  2. Module Three of the SCCs applies to any EU Restricted Transfer and/or Swiss Restricted Transfer involving Processing of Personal Data in respect of which Customer is itself acting as a Processor on behalf of any other person.

3. Population of the Body of the SCCs

For each Module of the SCCs, the following applies as and where applicable to that Module and the Clauses thereof:

  1. The optional ‘Docking Clause’ in Clause 7 is not used and the body of that Clause 7 is left intentionally blank.

  2. In Clause 9:

    • OPTION 2: GENERAL WRITTEN AUTHORISATION applies, and the minimum time period for advance notice of the addition or replacement of Subprocessors shall be the advance notice period set out in Section 7(d) of the DPA; and
    • OPTION 1: SPECIFIC PRIOR AUTHORISATION is not used and that optional language is deleted; as is, therefore, Annex III to the Appendix to the SCCs.
  3. In Clause 11, the optional language is not used and is deleted.

  4. In Clause 13, all square brackets are removed and all text therein is retained.

  5. In Clause 17:

    • OPTION 1 applies, and the Parties agree that the SCCs shall be governed by the law of Ireland in relation to any EU Restricted Transfer; and
    • OPTION 2 is not used and that optional language is deleted.
  6. For the purposes of Clause 18, the Parties agree that any dispute arising from the SCCs in relation to any EU Restricted Transfer shall be resolved by the courts of Ireland, and Clause 18(b) is populated accordingly.

4. Population of Annexes to the Appendix to the SCCs

  1. Annex I to the Appendix to the SCCs is populated with the corresponding information detailed in Annex 1 (Data Processing Details) to the DPA, with:

    • Customer being ‘data exporter’; and
    • Provider being ‘data importer’.
  2. Part C of Annex I to the Appendix to the SCCs is populated as below:

    The competent supervisory authority shall be determined as follows:

    • Where Customer is established in an EU Member State: the competent supervisory authority shall be the supervisory authority of that EU Member State in which Customer is established.
    • Where Customer is not established in an EU Member State, Article 3(2) of the GDPR applies and Customer has appointed an EU representative under Article 27 of the GDPR: the competent supervisory authority shall be the supervisory authority of the EU Member State in which Customer’s EU representative relevant to the processing hereunder is based (from time to time).
    • Where Customer is not established in an EU Member State, Article 3(2) of the GDPR applies, but Customer has not appointed an EU representative under Article 27 of the GDPR: the competent supervisory authority shall be the supervisory authority of the EU Member State notified in writing to Provider’s contact point for data protection identified in Attachment 1 to Annex 2 (European Annex) to the DPA, which must be an EU Member State in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behavior is monitored, are located.
  3. Annex II to the Appendix to the SCCs is populated as below:

    General:

    • Please refer to Section 4 of the DPA and Annex 4 (Security Measures) to the DPA.
    • In the event that Customer receives a Data Subject Request under the EU GDPR and requires assistance from Provider, Customer should email Provider’s contact point for data protection identified in Annex 1 (Data Processing Details) to the DPA.

    Subprocessors: When Provider engages a Subprocessor under these Clauses, Provider shall enter into a binding contractual arrangement with such Subprocessor that imposes upon them data protection obligations which, in substance, meet or exceed the relevant standards required under these Clauses and the DPA -- including in respect of:

    • applicable information security measures;
    • notification of Information Security Incidents to Provider;
    • return or deletion of Personal Data as and where required; and
    • engagement of further Subprocessors.

Part 2: UK Restricted Transfers

1. UK Transfer Addendum

Where relevant in accordance with Paragraph 3.2 of Annex 2 (European Annex) to the DPA, the SCCs also apply in the context of UK Restricted Transfers as varied by the UK Transfer Addendum in the manner described below:

  1. Part 1 to the UK Transfer Addendum. As permitted by Section 17 of the UK Transfer Addendum, the Parties agree:

    • Tables 1, 2 and 3 to the UK Transfer Addendum are deemed populated with the corresponding details set out in Annex 1 (Data Processing Details) and the foregoing provisions of this Attachment 1 (subject to the variations effected by the Mandatory Clauses described in (b) below); and
    • Table 4 to the UK Transfer Addendum is completed by the box labelled ‘Data Importer’ being deemed to have been ticked.
  2. Part 2 to the UK Transfer Addendum. The Parties agree to be bound by the Mandatory Clauses of the UK Transfer Addendum.

In relation to any UK Restricted Transfer to which they apply, where the context permits and requires, any reference in the DPA to the SCCs shall be read as a reference to those SCCs as varied in the manner set out in Paragraph 1.1 of this Part 2.

Part 3: Swiss Restricted Transfers

1. Variations for Swiss Restricted Transfers

Where applicable in accordance with Section 6.4 of the DPA, the SCCs also apply in the context of Swiss Restricted Transfers with the following terms deemed to have the following substituted meanings:

  1. “GDPR” means the FADP;
  2. “European Union”, “Union” and “Member State(s)” each mean Switzerland; and
  3. “supervisory authority” means the FDPIC.

In relation to any Swiss Restricted Transfer to which they apply, where the context permits and requires, any reference in the DPA to the SCCs shall be read as a reference to those SCCs as varied in the manner set out in Section 1.1 of this Part 3.

Annex 3: State Privacy Laws Annex

  1. For purposes of this Annex 3, the terms “business,” “commercial purpose,” “sell,” “share,” “targeted advertising” and “service provider” shall have the respective meanings given thereto in the State Privacy Laws, and “personal information” shall mean Personal Data that constitutes personal information governed by the State Privacy Laws.

  2. It is the parties’ intent that with respect to any personal information, Provider is a service provider. Provider (a) acknowledges that personal information is disclosed by Customer only for limited and specified purposes described in the Agreement; (b) shall comply with applicable obligations under the State Privacy Laws and shall provide the same level of privacy protection to personal information as is required by the State Privacy Laws; (c) agrees that Customer has the right to take reasonable and appropriate steps to help to ensure that Provider’s use of personal information is consistent with Customer’s obligations under the State Privacy Laws; (d) shall notify Customer in writing of any determination made by Provider that it can no longer meet its obligations under the State Privacy Laws; and (e) agrees that Customer has the right, upon notice, including pursuant to the preceding clause, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.

  3. Provider shall not (a) sell or share any personal information or use it for targeted advertising; (b) retain, use or disclose any personal information for any purpose other than for the specific purpose of providing the Services, including retaining, using, or disclosing the personal information for a commercial purpose other than the provision of the Services; (c) retain, use or disclose the personal information outside of the direct business relationship between Provider and Customer; or (d) combine personal information received pursuant to the Agreement with personal information (i) received from or on behalf of another person, or (ii) collected from Provider’s own interaction with any Consumer to whom such personal information pertains, except in each case (a) through (d) as and to the extent necessary as a part of Provider’s provision of the Services or as otherwise permitted by a service provider or processor under the State Privacy Laws. Provider hereby certifies that it understands its obligations under this Section 2 and will comply with them.

  4. Giving Customer notice of Subprocessor engagements in accordance with Section 7 of the DPA shall satisfy Provider’s obligation under the State Privacy Laws to give notice of and an opportunity to object to such engagements.

  5. Provider agrees that Customer may conduct audits, in accordance with Section 8 of the DPA, to help ensure that Provider’s use of personal information is consistent with Provider’s obligations under the State Privacy Laws.

  6. The parties acknowledge that Provider’s retention, use and disclosure of personal information authorized by Customer’s instructions documented in the DPA are integral to Provider’s provision of the Services and the business relationship between the parties.

Annex 4: Security Measures

  1. Organizational management and dedicated staff responsible for the Provider’s information security program.

  2. Data security controls which include, at a minimum, logical segregation of data, restricted (e.g., role-based) access and monitoring, and utilization of commercially available industry standard technologies for Personal Data that is transmitted over public networks (i.e., the internet).

  3. Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions.

  4. Password controls designed to manage and control password strength, expiration and usage including prohibiting users from sharing passwords.

  5. Monitoring and maintenance of technology and information systems, including secure disposal of systems and media prior to final disposal or release from the Provider’s possession.

  6. Change management procedures and tracking mechanisms designed to test, approve and monitor all material changes to the Provider’s technology and information assets.

  7. Incident management procedures designed to allow Provider to investigate, respond to, mitigate and notify of events related to the Provider’s technology and information assets.

  8. Network security controls that provide for the use of enterprise firewalls and intrusion detection systems designed to protect systems from intrusion and limit the scope of any successful attack.

  9. Vulnerability assessment, patch management and threat protection technologies designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.

  10. Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergencies or disasters.