Data Processing Agreement

Symprex Limited

Last Updated: 17 February 2021

1. Interpretation

1.1 In this Data Processing Agreement:

“CCPA” means the California Consumer Privacy Act of 2018 (California Civil Code Sec. 1798.100 et seq);

“Customer” is the legal entity that has entered into the relevant Services Agreement with the Supplier;

“Customer Group Company” shall mean Customer and any entity that, directly or indirectly, controls, is controlled by, or is under common control with Customer, where “control” means the power (directly or indirectly) to appoint or remove a majority of the directors of that entity;

“Customer Personal Data” means all personal data (as defined in the GDPR Data Protection Laws) or to the extent the CCPA applies, then all Personal Information as defined therein, controlled by the Customer which is processed by the Supplier on behalf of the Customer;

“Data Processing Agreement” or “DPA” shall mean this Data Processing Agreement, including its appendices;

“Data Protection Laws” means as applicable the GDPR Data Protection Laws and the CCPA in each case as may be amended, repealed or replaced from time to time;

“Effective Date” shall mean the date on which the Services Agreement was entered into between the Customer and the Supplier, or, if different, either the date on which the Customer indicated its acceptance to the terms of the DPA or the parties otherwise entered into the DPA (as applicable);

“GDPR Data Protection Laws” shall mean the EU General Data Protection Regulation (2016/679) (“GDPR“) and its implementing national legislation, the EU Privacy and Electronic Communications Directive 2002/58/EC as implemented in each jurisdiction, the UK Data Protection Act 2018, the UK Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, and any amending or replacement legislation of any of the above from time to time;

“Model Clauses” shall mean the standard contractual clauses for the transfer of personal data to processors, approved by Commission Decision C(2010)593 as attached to Appendix 3 of this DPA, or any replacement clauses approved by the Commission from time to time;

“Security Incident” shall have the meaning given in clause 6;

“Services” shall mean the services provided by the Supplier to Customer pursuant to and specified in the Services Agreement;

“Services Agreement” means the contract entered into between the Supplier and the Customer under which the Supplier provides the Services to the Customer;

“Sub-processor” shall have the meaning given in clause 5.1;

“Supervisory Authority” shall mean the relevant supervisory authority with responsibility for privacy or data protection matters in the jurisdiction of Customer and/or a Customer Group Company; and

“Supplier” means Symprex Limited (company number 03884240), whose principal place of business is at 2 Guildford Business Park, Guildford, UK GU2 8XG.

1.2 In this DPA, the terms “personal data”, “controller”, “processor” and “data subject” shall have the meanings set out in the GDPR Data Protection Laws and “processing” means processing as defined in the GDPR Data Protection Laws, or where and to the extent the CCPA applies, then as defined therein.

2. Appointment

2.1 Under the Services Agreement, the Supplier has been appointed by Customer to provide the Services to the Customer, on behalf of and for the benefit of Customer and any other Customer Group Companies.

2.2 The parties agree that this DPA will be incorporated as an addendum to the Services Agreement. The DPA will apply to the extent that Supplier’s processing of personal data under the Services Agreement is subject to the GDPR and/or Customer is a Business (as defined in the CCPA) under the CCPA.

2.3 The parties acknowledge that for the purposes of the GDPR Data Protection Laws, the Customer is the controller acting on behalf of itself and other Customer Group Companies as applicable and the Supplier is the processor. The Customer hereby instructs the Supplier to process Customer Personal Data on behalf of Customer (or a Customer Group Company, as applicable) as the Supplier considers reasonably necessary to provide the Services and in accordance with such other written instructions as Customer may issue from time to time (provided that such instructions do not result in processing that is outside the scope of the Services).

2.4 The Supplier acknowledges that Customer Personal Data may include personal data in respect of which one or more Customer Group Companies are the controller and that Customer may be issuing processing instructions on their behalf. Notwithstanding any other provisions of this Data Processing Agreement, such Customer Group Companies shall be entitled to enforce this Data Processing Agreement as third party beneficiaries.

3. Duration

3.1 This Data Processing Agreement shall commence on the Effective Date and shall continue in full force and effect until the later of the termination or expiry of the Services Agreement.

3.2 Notwithstanding clause 3.1, the Supplier’s obligations under clauses 4, 5, 6, 7 and 8 (and any other clauses which by implication ought to survive) shall survive the expiry of this Data Processing Agreement if and to the extent that Supplier continues to process (including without limitation by way of storage) any Customer Personal Data.

4. Data Protection

4.1 Each party shall comply with its obligations under the applicable Data Protection Laws in respect of Customer Personal Data. Without prejudice to the foregoing, neither party shall process Customer Personal Data in a manner that will, or is likely to, result in the other party breaching its obligations under the Data Protection Laws.

4.2 The Customer warrants that its disclosures of, and instructions to the Supplier in relation to, Customer Personal Data are lawful.

4.3 The scope, nature and purpose of processing by the Supplier, the duration of the processing, the types of Customer Personal Data and categories of data subject are set out in Appendix 1 to this Data Processing Agreement.

4.4 Subject at all times to the Supplier’s obligations under the Services Agreement, the Supplier undertakes to:

4.4.1 only process Customer Personal Data in accordance with its documented instructions which may include instructions given on behalf of other Customer Group Companies, including with regard to transfers, unless required to do otherwise by applicable law. In which event, the Supplier shall, unless prohibited by law, inform Customer of the legal requirement before processing Customer Personal Data other than in accordance with Customer’s instructions;

4.4.2 notify the Customer as soon as practicable if in its reasonable opinion it has been given an instruction which doesn’t comply with applicable GDPR Data Protection Law;

4.4.3 implement the technical and organisational measures to protect Customer Personal Data processed by it against unauthorised and unlawful processing and against accidental loss, destruction, disclosure, damage or alteration set out in Appendix 2. The Customer agrees that it is solely responsible for determining whether such technical and organisational measures are appropriate, taking into account the nature, scope, context and purposes of the processing;

4.4.4 ensure that its personnel who have access to Customer Personal Data are bound by appropriate obligations of confidentiality;

4.4.5 at Customer’s cost, provide reasonable cooperation and assistance to the Customer, taking into account the nature of the Services and the information available to the Supplier, as the Customer may require to allow the Customer to comply with its obligations as a controller, including in relation to data security; data breach notification; data protection impact assessments; prior consultation with supervisory authorities; the fulfilment of data subject’s rights; and any enquiry, notice or investigation by a Supervisory Authority; and

4.4.6 following termination of this Agreement either (at the option of the Customer) return to the Customer or destroy all Customer Personal Data in the possession or control of the Supplier.

4.5 The liability of each party to the other in relation to all and any claims, losses, proceedings, actions or regulatory penalties arising under or in connection with this Data Protection Agreement shall be governed by the provisions relating to exclusion and limitation of liability in the Services Agreement.

5. Sub-Processing

5.1 The Customer hereby expressly authorises the Supplier to appoint third parties as further processors on behalf of the Supplier to process Customer Personal Data (each a “Sub-processor“), subject to the requirements set out in the remaining subparagraphs of this clause.

5.2 The Customer hereby authorises the appointment of the Sub-processors listed at https://www.signature365.com/legal/subprocessor-list.

5.3 Should the Supplier appoint any further Sub-processors, the Supplier shall engage them in writing on terms that:

5.3.1 provide the same level of protections as those set out in this DPA; and

5.3.2 grant the Customer the right to perform on the Sub-processor the audits mentioned at clause 8.

5.4 The Supplier shall provide the Customer with reasonable written notification of the proposed addition or replacement of any Sub-processor.

5.5 The Customer shall have 15 days from the date of such notification to object to the proposed appointment or replacement of the Sub-processor, on reasonable grounds, by giving written notice to the Supplier.

5.6 Neither any delay, omission or failure by the Customer to object to any proposed Sub-processor, nor any approval by the Customer of any Sub-processor (if given), shall relieve the Supplier from any liability or obligation under this Data Processing Agreement.

5.7 The Supplier shall be responsible for the acts, omissions and defaults of any Sub-processor as if they were the Supplier’s acts, omissions or defaults.

5.8 If the Customer objects to the appointment or replacement of any proposed Sub-processor, then, if reasonably practicable taking into account the Supplier’s commercial interests including its provision of services to its other customers, the Supplier may at its sole discretion propose a reasonable change to the Services to accommodate (in whole or part) the Customer’s objections to the proposed Sub-processor. If the Supplier does not propose such a change, or the Customer refuses any such proposed change within 30 days of the date the Customer’s notice in clause 5.4, the Customer may terminate this Agreement, which shall be Customer’s sole and exclusive remedy to Customer’s objection of the proposed Sub-processor.

6. Security Incidents

The Supplier shall notify the Customer without undue delay of any accidental, unauthorized, or unlawful destruction, loss, alteration, or disclosure of, or access to, Customer Personal Data (“Security Incident“). The Supplier shall also provide the Customer with a description of the Security Incident, the type of data that was the subject of the Security Incident and (to the extent known to the Supplier) the identity of each affected person, as soon as such information can be collected or otherwise becomes available, as well as all other information and co-operation which the Customer may reasonably request relating to the Security Incident.

7. Data Transfers

7.1 The Model Clauses apply to all transfers (including by way of remote access) of Customer Personal Data collected within the European Economic Area (“EEA”) to the Supplier.

7.2 Subject to clause 7.1, the Supplier must not transfer or otherwise process Customer Personal Data protected by the GDPR Data Protection Laws to outside of the EEA or the UK (as applicable) without obtaining the Customer’s prior written consent unless:

7.2.1 the transfer is to a territory which is subject to a current finding by a regulatory authority under applicable GDPR Data Protection Laws that the territory provides adequate protection for the privacy rights of individuals; or

7.2.2 the Supplier participates in a valid cross-border transfer mechanism under applicable GDPR Data Protection Laws, so that the Supplier can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals.

8. Audit

8.1 The Supplier shall make available to the Customer all information reasonably necessary to demonstrate compliance with this Data Processing Agreement and allow for and contribute to audits, including physical inspections, conducted by the Customer or its representatives (bound by appropriate obligations of confidentiality), provided such an audit is carried out:

8.1.1 during the Supplier’s normal business hours;

8.1.2 in manner that causes minimal disruption to the Supplier’s business and excludes from its scope any internal pricing information, information relating to other customers of the Supplier or other the Supplier’s own internal reports; and

8.1.3 at the Customer’s own cost.

9. Further Assurance

9.1 The parties shall, and shall ensure that their agents, employees and subcontractors shall, do all things reasonably necessary, including executing any additional documents and instrument, to give full effect to the terms of this Data Processing Agreement and to otherwise fulfil the provisions of this Data Processing Agreement in accordance with its terms.

10. Conflict

To the extent of any conflict between this Data Processing Agreement and the Services Agreement, this Data Processing Agreement will prevail.

11. Governing Law

This DPA and any dispute or claim arising out of or in connection with this DPA (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of England. Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this Agreement (including non-contractual disputes or claims).

Appendix 1 : Description of Services and Personal Data Processing

The data processing activities carried out by the Supplier under this Data Processing Agreement are as follows:

Description of Services:

The Services provided by the Supplier to the Customer pursuant to the Services Agreement.

Subject-matter of Processing:

The performance of the Services pursuant to the Services Agreement.

Duration of Processing:

Subject to the deletion or return of Personal Data section of this DPA, the Supplier will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.

Nature and purpose of Processing:

The Supplier will Process Personal Data to provide the Services pursuant to the Services Agreement, as may be further specified in any order form completed by the Customer when entering into the Services Agreement, and may be as further instructed by the Customer in its use of the Services.

Type of Personal Data:

Data provided by the Customer or collected by the Supplier to be able to manage the Customer’s account:

• Contact information including name, email address, job title, business address and telephone number
• Credit card information (collected and stored by sub-processor Stripe)

Where Services process user data, the data provided or made available by the Customer or collected by the Supplier to be able to provide the Services:

• Contact information including name, email address, job title, department, company, business address and telephone number
• Any other information provided via custom attributes exposed by the Customer

Where Services process email, the content of the emails provided to the Services for processing.

Categories of Data Subjects:

Customer personnel including users in the Customer’s Microsoft 365 tenancy or Google Workspace tenancy, as applicable, or otherwise added to the Services by Customer or any agent of Customer.

Where Services process email, data subjects include Customer representatives and end-users including employees, contractors, collaborators, and customers. Data subjects may also include individuals attempting to communicate or transfer personal information to users of the Services.

Appendix 2 : Security Measures

The Supplier observes the Security Measures described below. All capitalized terms not otherwise defined herein shall have the meanings as set forth in the Services Agreement. References to “we”, and “our” refer to the Supplier, and references to “you” refer to the Customer.

Confidentiality

The Supplier has controls in place to maintain the confidentiality of Customer Data, in accordance with the Services Agreement. All Supplier employees and contract personnel are bound by the Supplier’s internal policies regarding maintaining confidentiality of Customer Data and contractually commit to these obligations.

Access Control

Preventing Unauthorized Product Access

Outsourced processing: We host our Signature 365 Service with outsourced cloud infrastructure providers. Additionally, we maintain contractual relationships with vendors in order to provide the Signature 365 Service in accordance with our DPA. We rely on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.

Physical and environmental security: We host our product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.

Authentication: We implement a uniform password policy for our customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.

Authorization: Customer Data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of our products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.

Application Programming Interface (API) access: Public product APIs may be accessed using an API key or through OAuth authorization.

Preventing Unauthorized Product Use

We implement industry standard access controls and detection capabilities for the internal networks that support our products.

Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.

Intrusion detection and prevention: We implement a Web Application Firewall (WAF) solution to protect hosted customer websites and other internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available network services.

Static code analysis: Security reviews of code stored in our source code repositories is performed, checking for coding best practices and identifiable software flaws.

Penetration testing: We maintain relationships with industry recognized penetration testing service providers. The intent of the penetration tests is to identify and resolve foreseeable attack vectors and potential abuse scenarios.

Vulnerability disclosure policy: A vulnerability disclosure policy invites and incentivizes independent security researchers to ethically discover and disclose security flaws. We implement a vulnerability disclosure policy in an effort to widen the available opportunities to engage with the security community and improve the product defences against sophisticated attacks.

Limitations of Privilege & Authorization Requirements

Product access: A subset of our employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Access is enabled through “just in time” requests for access; all such requests are logged. Employees are granted access by role, and reviews of high risk privilege grants are initiated daily. Employee roles are reviewed at least once every six months.

Background checks: All Symprex employees undergo a third-party background check prior to being extended an employment offer, in accordance with and as permitted by the applicable laws. All Symprex employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.

Employee training: At least once a year, employees must complete our security and privacy training which covering our security policies, security best practices, and privacy principles.

Transmission Control

In-transit: We encrypt all data in transit using TLS 1.2 or higher using industry standard algorithms and certificates.

At-rest: We store user passwords following policies that follow industry standard practices for security. We have implemented technologies to ensure that stored data is encrypted at rest.

Input Control

Detection: We designed our infrastructure to log extensive information about the system behaviour, traffic received, system authentication, and other application requests. Internal systems aggregated log data and alert appropriate employees of malicious, unintended, or anomalous activities. Our personnel, including security, operations, and support personnel, are responsive to known incidents.

Response and tracking: We maintain a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, we will take appropriate steps to minimize product and Customer damage or unauthorized disclosure. Notification to you will be in accordance with the terms of the Services Agreement and DPA.

Availability Control

Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.

Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer Data is backed up to multiple durable data stores and replicated across multiple availability zones.

Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.

Our products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists our operations in maintaining and updating the product applications and backend while limiting downtime.

Appendix 3 : Model Clauses

STANDARD CONTRACTUAL CLAUSES (PROCESSORS)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of Personal Data to Processors established in third countries which do not ensure an adequate level of data protection.

The Customer (the “Data Exporter“)

And

The Supplier (the “Data Importer“)

each a “Party“; together the “Parties“,

HAVE AGREED on the following contractual clauses (the “Clauses“) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the Data Exporter to the Data Importer of the Personal Data specified in Appendix 1.

Clause 1

Definitions

For the purposes of the Clauses:

(a) “Personal Data“, “Special Categories of Data“, “Process/Processing“, “Controller“, “Processor“, “Data Subject” and “Supervisory Authority” shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the Processing of Personal Data and on the free movement of such data;

(b) the “Data Exporter” means the Controller who transfers the Personal Data;

(c) the “Data Importer” means the Processor who agrees to receive from the Data Exporter Personal Data intended for Processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

(d) the “Sub-processor” means any Processor engaged by the Data Importer or by any other Sub-processor of the Data Importer who agrees to receive from the Data Importer or from any other Sub-processor of the Data Importer Personal Data exclusively intended for Processing activities to be carried out on behalf of the Data Exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

(e) “Applicable Data Protection Law” means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the Processing of Personal Data applicable to a Data Controller in the Member State in which the Data Exporter is established;

(f) “Technical and Organisational Security Measures” means those measures aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing.

Clause 2

Details of the transfer

The details of the transfer and in particular the Special Categories of Data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

1. The Data Subject can enforce against the Data Exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

2. The Data Subject can enforce against the Data Importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the Data Exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the Data Exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the Data Exporter, in which case the Data Subject can enforce them against such entity.

3. The Data Subject can enforce against the Sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the Data Exporter and the Data Importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the Data Exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the Data Exporter, in which case the Data Subject can enforce them against such entity. Such third-party liability of the Sub-processor shall be limited to its own Processing operations under the Clauses.

4. The Parties do not object to a Data Subject being represented by an association or other body if the Data Subject so expressly wishes and if permitted by national law.

Clause 4

Obligations of the Data Exporter

The Data Exporter agrees and warrants:

(a) that the Processing, including the transfer itself, of the Personal Data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the Data Exporter is established) and does not violate the relevant provisions of that State;

(b) that it has instructed and throughout the duration of the Personal Data Processing services will instruct the Data Importer to Process the Personal Data transferred only on the Data Exporter’s behalf and in accordance with the applicable data protection law and the Clauses;

(c) that the Data Importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;

(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing, and that these measures ensure a level of security appropriate to the risks presented by the Processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e) that it will ensure compliance with the security measures;

(f) that, if the transfer involves Special Categories of Data, the Data Subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

(g) to forward any notification received from the Data Importer or any Sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection Supervisory Authority if the Data Exporter decides to continue the transfer or to lift the suspension;

(h) to make available to the Data Subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i) that, in the event of sub-processing, the Processing activity is carried out in accordance with Clause 11 by a Sub-processor providing at least the same level of protection for the Personal Data and the rights of Data Subjects as the Data Importer under the Clauses; and

(j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5

Obligations of the Data Importer

The Data Importer agrees and warrants:

(a) to Process the Personal Data only on behalf of the Data Exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the Data Exporter of its inability to comply, in which case the Data Exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the Data Exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the Data Exporter as soon as it is aware, in which case the Data Exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before Processing the Personal Data transferred;

(d) that it will promptly notify the Data Exporter about:

(i) any legally binding request for disclosure of the Personal Data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;

(ii) any accidental or unauthorised access; and

(iii) any request received directly from the Data Subjects without responding to that request, unless it has been otherwise authorised to do so;

(e) to deal promptly and properly with all inquiries from the Data Exporter relating to its Processing of the Personal Data subject to the transfer and to abide by the advice of the Supervisory Authority with regard to the Processing of the data transferred;

(f) at the request of the Data Exporter to submit its data Processing facilities for audit of the Processing activities covered by the Clauses which shall be carried out by the Data Exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the Data Exporter, where applicable, in agreement with the Supervisory Authority;

(g) to make available to the Data Subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the Data Subject is unable to obtain a copy from the Data Exporter;

(h) that, in the event of sub-processing, it has previously informed the Data Exporter and obtained its prior written consent;

(i) that the Processing services by the Sub-processor will be carried out in accordance with Clause 11;

(j) to send promptly a copy of any Sub-processor agreement it concludes under the Clauses to the Data Exporter.

Clause 6

Liability

1. The Parties agree that any Data Subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any Party or Sub-processor is entitled to receive compensation from the Data Exporter for the damage suffered.

2. If a Data Subject is not able to bring a claim for compensation in accordance with paragraph 1 against the Data Exporter, arising out of a breach by the Data Importer or his Sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the Data Exporter has factually disappeared or ceased to exist in law or has become insolvent, the Data Importer agrees that the Data Subject may issue a claim against the Data Importer as if it were the Data Exporter, unless any successor entity has assumed the entire legal obligations of the Data Exporter by contract or by operation of law, in which case the Data Subject can enforce its rights against such entity.

The Data Importer may not rely on a breach by a Sub-processor of its obligations in order to avoid its own liabilities.

3. If a Data Subject is not able to bring a claim against the Data Exporter or the Data Importer referred to in paragraphs 1 and 2, arising out of a breach by the Sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the Data Exporter and the Data Importer have factually disappeared or ceased to exist in law or have become insolvent, the Sub-processor agrees that the Data Subject may issue a claim against the data Sub-processor with regard to its own Processing operations under the Clauses as if it were the Data Exporter or the Data Importer, unless any successor entity has assumed the entire legal obligations of the Data Exporter or Data Importer by contract or by operation of law, in which case the Data Subject can enforce its rights against such entity. The liability of the Sub-processor shall be limited to its own Processing operations under the Clauses.

Clause 7

Mediation and jurisdiction

1. The Data Importer agrees that if the Data Subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the Data Importer will accept the decision of the Data Subject:

(a) to refer the dispute to mediation, by an independent person or, where applicable, by the Supervisory Authority;

(b) to refer the dispute to the courts in the Member State in which the Data Exporter is established.

2. The Parties agree that the choice made by the Data Subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

1. The Data Exporter agrees to deposit a copy of this contract with the Supervisory Authority if it so requests or if such deposit is required under the applicable data protection law.

2. The Parties agree that the Supervisory Authority has the right to conduct an audit of the Data Importer, and of any Sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the Data Exporter under the applicable data protection law.

3. The Data Importer shall promptly inform the Data Exporter about the existence of legislation applicable to it or any Sub-processor preventing the conduct of an audit of the Data Importer, or any Sub-processor, pursuant to paragraph 2. In such a case the Data Exporter shall be entitled to take the measures foreseen in Clause 5(b).

Clause 9

Governing law

The Clauses shall be governed by the law of the Member State in which the Data Exporter is established.

Clause 10

Variation of the contract

The Parties undertake not to vary or modify the Clauses. This does not preclude the Parties from adding clauses on business related issues where required as long as they do not contradict the Clauses.

Clause 11

Sub-processing

1. The Data Importer shall not subcontract any of its Processing operations performed on behalf of the Data Exporter under the Clauses without the prior written consent of the Data Exporter. Where the Data Importer subcontracts its obligations under the Clauses, with the consent of the Data Exporter, it shall do so only by way of a written agreement with the Sub-processor which imposes the same obligations on the Sub-processor as are imposed on the Data Importer under the Clauses. Where the Sub-processor fails to fulfil its data protection obligations under such written agreement the Data Importer shall remain fully liable to the Data Exporter for the performance of the Sub-processor’s obligations under such agreement.

2. The prior written contract between the Data Importer and the Sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the Data Subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the Data Exporter or the Data Importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the Data Exporter or Data Importer by contract or by operation of law. Such third-party liability of the Sub-processor shall be limited to its own Processing operations under the Clauses.

3. The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the Data Exporter is established.

4. The Data Exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the Data Importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the Data Exporter’s data protection Supervisory Authority.

Clause 12

Obligation after the termination of Personal Data Processing services

1. The Parties agree that on the termination of the provision of data Processing services, the Data Importer and the Sub-processor shall, at the choice of the Data Exporter, return all the Personal Data transferred and the copies thereof to the Data Exporter or shall destroy all the Personal Data and certify to the Data Exporter that it has done so, unless legislation imposed upon the Data Importer prevents it from returning or destroying all or part of the Personal Data transferred. In that case, the Data Importer warrants that it will guarantee the confidentiality of the Personal Data transferred and will not actively Process the Personal Data transferred anymore.

2. The Data Importer and the Sub-processor warrant that upon request of the Data Exporter and/or of the Supervisory Authority, it will submit its data Processing facilities for an audit of the measures referred to in paragraph 1.

Appendix 1

to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the Parties.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

Data Exporter

The Data Exporter is (please specify briefly your activities relevant to the transfer): the Customer.

Data Importer

The Data Importer is (please specify briefly activities relevant to the transfer): the Supplier.

Data Subjects

The Personal Data transferred concern the following categories of Data Subjects (please specify): Please see Appendix 1 to the DPA.

Categories of data

The Personal Data transferred concern the following categories of data (please specify): Please see Appendix 1 to the DPA.

Special categories of data (if appropriate)

The Personal Data transferred concern the following Special Categories of Data (please specify): N/A

Processing operations

The Personal Data transferred will be subject to the following basic Processing activities (please specify): Please see Appendix 1 to the DPA.

Appendix 2

to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the Parties.

Description of the technical and organisational security measures implemented by the Data Importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

Please refer to the Security Measures described in Appendix 2 to the DPA.