Data Processing Addendum

Last Modified: November 2, 2023

This Data Processing Addendum (“DPA”) between Customer and Buildscale, Inc. d/b/a Vidyard (“Vidyard”) is incorporated into and is subject to the terms and conditions of the Agreement between Customer and Vidyard.

All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement. For the avoidance of doubt, all references to the “Agreement” shall include this DPA (including the SCCs (where applicable), as defined herein).

  1. Definitions
    1. “Agreement” means Vidyard’s standard Terms of Use, or, if you or the organization you represent has subscribed to Vidyard’s Services, the Terms of Service or other written agreement between Vidyard and you or the organization on whose behalf you are using Vidyard’s Services, as such terms or agreement may be updated from time to time.
    2. “CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (“CPRA”) and including any further amendments and its implementing regulations that become effective on or after the effective date of this DPA.
    3. “Customer” means the individual or entity that is a party to the Agreement.
    4. “Data Protection Laws” means all laws and regulations applicable to the processing of Customer Personal Data under the Agreement, including, as applicable to the Personal Data in question: (i) European Data Protection Laws; and (ii) US Data Protection Laws.
    5. “Europe” means, for the purposes of this DPA, the European Economic Area (“EEA”), the United Kingdom and Switzerland.
    6. “European Data Protection Laws” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “GDPR”); (ii) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (collectively the “UK Privacy Laws”); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); (iv) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii) above; and (v) the Swiss Federal Data Protection Act of 2020 and its ordinances (“Swiss FADP”); in each case as may be amended or superseded from time to time.
    7. “Internal Audit Report” means a Type II Service Organizational Control (SOC) report (based on the SSAE 16 or ISAE 3402 model) or any successor report thereto.
    8. “Personal Data” means information, which is protected as “personal data”, “personally identifiable information” or “personal information” under any Data Protection Laws. For the avoidance of doubt, with respect to US Data Protection Laws, “Personal Data” does not include de-identified data or publicly available information as such terms are defined in Data Protection Laws.
    9. “Restricted Transfer” means a transfer (directly or via onward transfer) of Customer Personal Data that is subject to European Data Protection Laws to a country outside Europe which is not subject to an adequacy determination by the European Commission, UK or Swiss authorities (as applicable).
    10. “Security Incident” means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data transmitted, stored or otherwise processed by Vidyard in connection with the provision of the Services. A “Security Incident” shall not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
    11. “Standard Contractual Clauses” or “EU SCCs” means the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
    12. “Subprocessor” means any third-party processor (including any Vidyard Affiliates) engaged by Vidyard to process any Customer Personal Data (but shall not include Vidyard employees, contractors or consultants).
    13. “UK Addendum” means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioner’s Office under S119(A) of the UK Data Protection Act 2018, as updated or amended from time to time.
    14. “US Data Protection Laws” means the CCPA, the Colorado Privacy Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), the Utah Consumer Privacy Act (“UCPA”), and the Virginia Consumer Data Protection Act (“VCDPA”).
    15. The terms “controller”, “data subject”, “processor,” and “processing,” have the meanings given to them in Data Protection Laws and “process”, “processes” and “processed” shall be interpreted accordingly. If and to the extent that Data Protection Laws do not define such terms, then the definitions given in the GDPR will apply.
  2. Applicability of this DPA
    1. The obligations in this DPA apply where and only to the extent that Vidyard processes Customer Personal Data protected by Data Protection Laws as a processor (or functionally equivalent role) on behalf of Customer in the course of providing the Services pursuant to the Agreement.
    2. Notwithstanding expiry or termination of the Agreement, this DPA and any Standard Contractual Clauses (if applicable) will remain in effect until and will automatically expire upon deletion of all Customer Personal Data by Vidyard as described in this DPA.
  3. Role and Scope of Processing
    1. Roles of the Parties. The parties acknowledge and agree that for the purposes of this DPA: (i) Customer is the controller with respect to the processing of Customer Personal Data, and Vidyard shall process Customer Personal Data only as a processor on behalf of Customer, as further described in Annex A of this DPA. Any processing by either party of Personal Data under or in connection with the Agreement shall be performed in accordance with Data Protection Laws. However, Customer acknowledges that Vidyard is not responsible for compliance with Data Protection Laws applicable to Customer that are not generally applicable to Vidyard as a service provider.
    2. Processing Instructions. Vidyard will process Customer Personal Data only in accordance with Customer’s documented lawful instructions and for these purposes, Customer instructs Vidyard to process Customer Personal Data for the purposes described in Annex A of this DPA, unless obligated otherwise by applicable law, including Data Protection Laws. Vidyard shall promptly notify Customer if it makes a determination that Customer’s instructions infringe Data Protection Law(s) (but without obligation to actively monitor Customer’s compliance with Data Protection Law(s)) and in such event, Vidyard shall not be obligated to undertake such processing until such time as the Customer has updated its processing instructions and Vidyard has determined that the incidence of non-compliance has been resolved.
    3. Customer Responsibilities. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Customer Personal Data. Customer represents and warrants that (i) it has provided, and will continue to provide all notices and has obtained, and will continue to obtain, all consents, permissions and rights necessary under applicable laws, including Data Protection Laws, for Vidyard to lawfully process Customer Personal Data for the purposes contemplated by the Agreement (including this DPA and any Sales Order under the Agreement); (ii) it has complied with all applicable laws, including Data Protection Laws in the collection and provision to Vidyard and its Subprocessors of such Customer Personal Data; and (iii) it shall ensure its processing instructions comply with applicable laws (including Data Protection Laws) and that the processing of Customer Personal Data by Vidyard in accordance with Customer’s instructions will not cause Vidyard to be in breach of Data Protection Laws.
  4. Subprocessing
    1. Authorized Subprocessors. Customer agrees that Vidyard may engage Subprocessors to process Customer Personal Data on Customer’s behalf. The Subprocessors currently engaged by Vidyard and authorized by Customer are available here: Vidyard Subprocessor List (or such other URL as may be notified to Customer from time to time). Vidyard shall notify Customer if it adds or removes Subprocessors at least thirty (30) calendar days prior to any such changes if Customer opts-in to receive such notifications for the applicable Services. Customer may opt-in to receive such notifications here: DPA Notice.
    2. Subprocessor Obligations. Vidyard shall: (i) enter into a written agreement with each Subprocessor containing data protection terms that provide at least the same level of protection for Customer Personal Data as those contained in this DPA, to the extent applicable to the nature of the services provided by such Subprocessor; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause Vidyard to breach any of its obligations under this DPA.
    3. Objection to Subprocessors. Customer may object in writing to Vidyard’s appointment of a new Subprocessor on reasonable grounds relating to data protection by notifying Vidyard promptly in writing within ten (10) business days of receipt of Vidyard’s notice in accordance with Section 4.1. In such case, the parties shall discuss Customer’s concerns in good faith with a view to achieving a commercially reasonable resolution. If the parties cannot reach such resolution, Vidyard shall, at its sole discretion, either not appoint the Subprocessor, or permit Customer to suspend or terminate the affected Services in accordance with the Agreement without liability to either party (but without prejudice to Customer’s obligation to pay any fees incurred by Customer prior to suspension or termination). If such objection right is not exercised by Customer in the terms defined above, silence shall be deemed to constitute an approval of such engagement.
  5. Cooperation
    1. Data Subject Rights. Vidyard shall, taking into account the nature of the processing, reasonably assist Customer to enable Customer to respond to any requests, complaints or other communications from data subjects and competent regulatory or judicial bodies relating to the processing of Customer Personal Data, including requests from data subjects seeking to exercise their rights under Data Protection Laws. In the event that any such request, complaint or communication is made directly to Vidyard, Vidyard shall pass this on to Customer and shall not respond to such communication except to direct the data subject to the Customer (unless required to do so in order to comply with applicable law, including Data Protection Laws).
    2. DPIAs. To the extent Vidyard is required under Data Protection Laws, Vidyard shall (at Customer’s request and expense) provide reasonably requested information regarding the Services to enable Customer to conduct a data protection impact assessment or prior consultations with data protection authorities as required by law.
  6. Security
    1. Security Measures. Vidyard will implement and maintain appropriate technical and organizational security measures designed to protect Personal Data from Security Incidents and to preserve the security and confidentiality of Personal Data, in accordance with the security standards described in Annex B (“Security Measures”). Vidyard will ensure that any person who is authorized by Vidyard to process Personal Data shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
    2. Updates to Security Measures. Customer acknowledges that the Security Measures are subject to technical progress and development and that Vidyard may update or modify the Security Measures from time to time, provided that such updates and modifications do not degrade or diminish overall security of the Services.
    3. Security Incident Response. Upon becoming aware of a Security Incident, Vidyard shall notify Customer without undue delay and shall: (i) provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer; and (ii) promptly take reasonable steps to contain, investigate, and remediate any Security Incident, to the extent that the remediation is within Vidyard’s control. Vidyard’s notification of, or response to, a Security Incident under this Section 6.3 shall not be construed as an acknowledgment by Vidyard of any fault or liability with respect to the Security Incident. The obligations set forth in this Section 6.3 shall not apply to Security Incidents to the extent they are caused by Customer.
  7. Security Reports and Audits
    1. Audit Rights. Upon Customer’s written request, and subject to obligations of confidentiality, Vidyard will make available to Customer a summary of its most recent Internal Audit Report and/or other documentation reasonably required by Customer which Vidyard makes generally available to its customers, so that Customer can verify Vidyard’s compliance with this DPA. Customer acknowledges and agrees that it shall exercise its audit rights under this DPA (including this Section 7.1 and where applicable, the Standard Contractual Clauses) by instructing Vidyard to comply with the audit measures described in Section 7.2 below.
    2. Onsite Audits. While it is the parties’ intention ordinarily to rely on Vidyard’s obligations set forth in Section 7.1 to verify Vidyard’s compliance with this DPA, following a confirmed Security Incident or where a data protection authority requires it, Customer may provide Vidyard with thirty (30) calendar days’ prior written notice requesting that a third-party conduct an audit of Vidyard’s operations and facilities (“Audit”); provided that (i) any Audit shall be conducted at Customer’s expense; (ii) the parties shall mutually agree upon the scope, timing and duration of the Audit; and (iii) the Audit shall not unreasonably impact Vidyard’s regular operations.
  8. Return or Deletion of Data
    1. Upon Customer’s written request, or upon termination or expiry of the Agreement, Vidyard shall destroy or return to Customer the Customer Personal Data in its possession or control in accordance with the Agreement. Notwithstanding the foregoing, Vidyard may retain Customer Personal Data: (i) as required by any applicable law, including Data Protection Laws; or (ii) in accordance with standard backup or record retention policies, provided that, in either case, Vidyard shall (x) maintain the confidentiality of, and otherwise comply with the applicable provisions of this DPA with respect to, retained Customer Personal Data; and (y) not further process retained Customer Personal Data except for such purpose(s) and eventually delete in accordance with Vidyard’s policies. The parties agree that the certification of deletion that is described in Clauses 8.5 and 16(d) of the Standard Contractual Clauses shall be provided by Vidyard to Customer only upon Customer’s written request.
  9. International Transfers
    1. Location of Processing. Customer Personal Data that Vidyard processes under the Agreement may be processed in any country in which Vidyard, its Affiliates, partners and authorized Subprocessors maintain facilities to perform the Services. Vidyard shall not process or transfer (directly or via onward transfer) Customer Personal Data (nor permit such data to be processed or transferred) outside of its country of origin unless it first takes such measures as are necessary to ensure the transfer is in compliance with Data Protection Laws.
  10. Additional provisions for European Customer Personal Data
    1. Scope and Role of the Parties. This Section 10 shall only apply with respect to Personal Data subject to European Data Protection Laws.
    2. Restricted Transfers to Vidyard. The parties acknowledge that Vidyard is located in Canada and Canada has been recognized as providing an adequate level of data protection by the European Commission (such adequacy decision is available at: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32002D0002). However, the parties agree that where and to the extent the transfer of Personal Data from Customer (as “data exporter”) to Vidyard (as “data importer”) is deemed a Restricted Transfer and European Data Protection Laws require that appropriate safeguards are put in place, such transfer shall be subject to the Standard Contractual Clauses, which shall be deemed incorporated by reference and form an integral part of this DPA, as set out in Annex C. It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement (including this DPA) the Standard Contractual Clauses shall prevail to the extent of such conflict.
  11. Additional provisions for California Customer Personal Data
    1. Scope and Role of Parties. This Section 11 shall only apply with respect to Customer Personal Data subject to the CCPA. When processing Customer Personal Data subject to the CCPA under this DPA, the parties acknowledge and agree that Customer is a Business and Vidyard is a Service Provider for the purposes of the CCPA. For the purpose of this Section 11, “Business”, “Business Purpose”, “Commercial Purpose”, “Consumer,” “Personal Information”, “Process,” “Sell”, “Service Provider”, and “Share” have the meanings given to them in the CCPA.
    2. Responsibilities. The parties agree that all Customer Personal Data that is subject to the CCPA is disclosed to Vidyard by Customer for one or more Business Purpose(s) and its use or sharing by Customer with Vidyard is necessary to perform such Business Purpose(s). Vidyard will: (i) Process all Customer Personal Data that is subject to the CCPA as directly related to the relationship with the Customer; (ii) assist Customer in responding to any request from a Consumer to exercise rights under the CCPA; and (iii) not further Collect, Sell, Share or use such Customer Personal Data that is subject to the CCPA except as necessary to perform the Business Purpose(s) or as otherwise permitted by the CCPA.
  12. Limitation of Liability
    1. Each party’s and all of its Affiliates’ liability taken together in the aggregate arising out of or related to this DPA (including, where applicable, the Standard Contractual Clauses) shall be subject to the exclusions and limitations of liability set forth in the main body of the Agreement.
    2. Any claims against Vidyard or its Affiliates under or in connection with this DPA (including, where applicable, the Standard Contractual Clauses) shall be brought solely by the Customer entity that is a party to the Agreement.
  13. Relationship with the Agreement
    1. The parties agree that this DPA shall replace any existing data processing agreement or similar document that the parties may have previously entered into in connection with the Services.
    2. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict or inconsistency between this DPA and the Agreement, the provisions of the following documents (in order of precedence) shall prevail: (a) Standard Contractual Clauses (where applicable); then (b) this DPA; and then (c) the main body of the Agreement.
    3. This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws.

Annex A
Description of Data Processing / Transfer

Annex A(A) List of Parties

Data Exporter
Name: The party identified as the “Customer” in the DPA.
Address: The address for the Customer specified in the Agreement.
Contact person’s name, position and contact details: The contact as set out in the Sales Order.
Activities relevant to the transfer: See Annex A(B) below.
Signature and date: This Annex A shall automatically be deemed executed when the Agreement (which incorporates the DPA) is executed by the Customer.
Role: Controller

Data Importer
Name: Buildscale, Inc.
Trading name (if different): Vidyard
Address: 1 Queen Street North, Unit #301, Kitchener, ON N2H 2G7, Canada
Contact person’s name, position and contact details: Matt Hodgson, Chief Accounting Officer, privacy@vidyard.com
Activities relevant to the transfer: See Annex A(B) below.
Signature and date: This Annex A shall automatically be deemed executed when the Agreement (which incorporates the DPA) is executed by Vidyard.
Role: Processor

Annex A(B) Description of Processing / Transfer

Module 2
Categories of Data Subjects whose personal data is transferred: Data subjects include individuals about whom Personal Data is processed by Vidyard via the Services by or at the direction of the Customer. The Personal Data transferred concern the following categories of data subjects:
  • Customer employees, contractors, agents, and/or representatives authorized to use the Services for the Customer’s benefit and have unique user identifications and passwords for the Services (“Users”);
  • Customer’s contacts, website visitors, prospects, leads and customers and their respective affiliates, employees, contractors, agents and representatives (some of which may be Users and Viewers) (“Customer Contacts”);
  • Individuals who view or use the Customer Content published on or distributed via the Vidyard Platform (“Viewers”).
Categories of personal data transferred:

In connection with the Services, Vidyard may process certain Personal Data, the extent of which is determined and controlled by Customer in its sole discretion, and which will depend on the particular Services, but may include:

Customer Contacts

  • Standard contact information such as name, job title, business email address, physical address, phone number, etc.
  • Any other category of Personal Data submitted by (or on behalf of) the Customer to the Services or otherwise included in the data or other content provided by Vidyard to Customer in connection with the Services (for example, new contacts, leads and enriched data provided in connection with Vidyard Prospector).

Viewers

  • Standard contact information such as name, job title, business email address, physical address, phone number, etc.
  • Information about an individual’s computer or mobile device or technology usage, including (for example) IP address, MAC address, unique device identifiers, unique identifiers set in cookies, and any information passively captured about a person’s online activities, browsing, application or hotspot usage or device location.

Users

  • Name, contact details, employment details (company and job role), calendar link.
Sensitive data transferred (if appropriate) and applied restrictions or safeguards: N/A
Frequency of the Transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous or one-off depending on the nature of the Services being provided.
Subject matter and nature of the processing: Vidyard provides a global video marketing and sales enablement service, as further described in the Agreement, such as storing, disseminating, making available, copying, summarizing, aggregating and deleting data.
Duration of the processing: The duration of processing shall be as described in the Agreement.
Purpose of the data transfer / processing operations: Customer Personal Data may only be processed by Vidyard on behalf of Customer for the following purposes: (i) processing as necessary to perform the Services and Vidyard’s obligations under and pursuant to the Agreement, which shall include sharing Customer Personal Data with third party service providers where and as necessary for the purposes of delivering the specific Services requested by Customer; (ii) processing initiated by Customer’s Users in their use of the Services; and (iii) any other purposes of processing of Customer Personal Data agreed upon between the parties in writing.
Period for which the personal data will be retained, or if that is not possible the criteria used to determine that period, if applicable: Vidyard will retain Customer Personal Data in accordance with the retention periods described in the Agreement.

Annex A(C): Competent supervisory authority

Competent supervisory authority: The data exporter’s competent supervisory authority will be determined in accordance with the GDPR.

Annex B
Security Measures

Measures of pseudonymisation and encryption of personal data. Vidyard encrypts Customer Personal Data in transit and at rest using industry standards that are appropriate for the manner and method of transfer (e.g. TLS 1.2, AES-256).
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services. Vidyard maintains a risk-based information security program that includes administrative, technical, and organizational safeguards designed to protect the confidentiality, integrity, and availability of Customer Personal Data. Vidyard performs periodic assessments to monitor its information security program to identify risks and ensure controls are operating effectively by performing penetration tests, internal audits, and risk assessments. Vidyard also maintains a risk management program to identify, monitor, and manage risks that may impact the confidentiality, integrity, and availability of Customer Personal Data.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident. Vidyard has implemented secure system infrastructure to provide secure backup, retention, and restoration of Customer Personal Data. Processes have been implemented for the backup of critical system components and data. Backups are managed by the Infrastructure team and scheduled on a regular cadence established by the respective component teams. Vidyard maintains a comprehensive business continuity and disaster recovery plan, which is tested annually. From this testing, changes to other policy documents such as the Vidyard Information Security Policy, Cybersecurity Incident Response Plan, Disaster Recovery/Business Continuity Plan (DR/BCP), and various runbooks are generated.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing. Vidyard performs periodic assessments to monitor its information security program to identify risks and ensure controls are operating effectively by performing penetration tests, internal audits, and risk assessments. Vidyard engages qualified external auditors to perform assessments of its information security program against SOC 2 Type 2 Criteria for Security, Availability, and Confidentiality. Assessments are conducted annually and will result in a SOC 2 Type 2 report that will be made available to the Customer in accordance with their Agreement.
Measures for user identification and authorisation. Access to Customer Personal Data is restricted to personnel who are required to access this data in order to perform functions related to the delivery of the Services. Access is secured with unique usernames, passwords, and multifactor authentication methods, and follows the principle of least privilege.
Measures for the protection of data during transmission. Vidyard encrypts Customer Personal Data in transit and at rest using industry standards that are appropriate for the manner and method of transfer (e.g. TLS 1.2, AES-256).
Measures for the protection of data during storage. Customer Personal Data is stored within AWS infrastructure. Data backups are encrypted. Data is encrypted at rest with industry standards and methods that are appropriate for the method of storage or transfer of data.
Measures for ensuring physical security of locations at which personal data are processed. Vidyard reviews third-party security certifications of all third-party cloud hosting providers on at least an annual basis to ensure that appropriate physical controls are in place.
Measures for ensuring events logging. All production endpoints are equipped with logging capabilities. The resulting data is sent to Datadog for troubleshooting and metrics analysis. Critical events are sent over integrations with Slack for incident management and tracking.
Measures for ensuring system configuration, including default configuration. Baseline configurations of employee workstations or production equipment are completed prior to equipment use, and maintained by mobile device management and similar software tools to ensure all systems are compliant with security guidelines and requirements. Systems are managed centrally and configured to detect non-compliance and suspicious activity.
Measures for internal IT and IT security governance and management. Vidyard has a dedicated IT and Security team responsible for implementing, monitoring, maintaining, and enforcing/remediating security safeguards.
Measures for certification/assurance of processes and products. Vidyard’s information security framework covers the following areas: security risk management, policies and procedures, security incident management, access controls, vulnerability management, physical security, operational security, infrastructure security, product security, business continuity disaster recovery, personnel security, security compliance, and vendor security. Vidyard engages qualified external auditors to perform assessments of its information security program against SOC 2 Type 2 Criteria for Security, Availability, and Confidentiality. Assessments are conducted annually and will result in a SOC 2 Type 2 report that will be made available to the Customer in accordance with their respective Agreement.
Measures for ensuring data minimisation. Vidyard only collects information that is necessary in order to provide the Services. Vidyard may collect other information as made available to us by the Customer and its Users.
Measures for ensuring data quality. Vidyard retains log details that include any changes to sensitive configuration settings and files. At minimum, log entries include date, timestamp, action performed, and the user ID, IP address, and/or the device ID related to the action performed. Logs are protected from change.
Measures for ensuring limited data retention. Vidyard will retain information for the period necessary to fulfill the purposes outlined in our Agreement with the Customer, unless a longer retention period is required or permitted by applicable law. The Customer may request deletion of Customer Personal Data at any time and Customer Personal Data is deleted or anonymized upon termination of the Agreement, subject to Vidyard’s archive and backup procedures.
Measures for ensuring accountability. Vidyard has implemented appropriate data protection policies and procedures.
Measures for allowing data portability and ensuring erasure. Vidyard provides a mechanism for customers and other individuals to exercise their privacy and personal information rights in accordance with applicable laws and standards, and as set forth in the Agreement.

Annex C
Standard Contractual Clauses

  1. In relation to transfers of Customer Personal Data that is protected by the GDPR, the Standard Contractual Clauses shall apply, completed as follows:
    1. Module Two (Controller to Processor) will apply;
    2. in Clause 7, the optional docking clause will apply;
    3. in Clause 9, Option 2 will apply, and the time period for prior notice of Subprocessor changes shall be as set out in Section 4.1 of this DPA;
    4. in Clause 11, the optional language will not apply;
    5. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
    6. in Clause 18(b), disputes shall be resolved before the courts of Ireland;
    7. Annex I of the EU SCCs shall be deemed completed with the information set out in Annex A of this DPA; and
    8. Subject to Section 6.2 of this DPA, Annex II of the EU SCCs shall be deemed completed with the information set out in Annex B of this DPA.
  2. In relation to transfers of Personal Data protected by UK Privacy Laws, the Standard Contractual Clauses: (i) shall apply as completed in accordance with paragraph (a) above; and (ii) shall be deemed amended as specified by the UK Addendum, which shall be deemed executed by the parties and incorporated into and form an integral part of this DPA. In addition, Tables 1 to 3 in Part 1 of the UK Addendum shall be completed respectively with the information set out in Annexes A and B of this DPA and Table 4 in Part 1 shall be deemed completed by selecting “neither party”.
  3. In relation to transfers of Personal Data protected by the Swiss FADP, the Standard Contractual Clauses will also apply in accordance with paragraph (a) above, with the following modifications:
    1. references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss FADP;
    2. references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the Swiss FADP;
    3. references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to “Switzerland”, or “Swiss law”;
    4. the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e. Switzerland);
    5. Clause 13(a) and Part C of Annex I are not used and the “competent supervisory authority” is the Swiss Federal Data Protection Information Commissioner;
    6. references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Swiss Federal Data Protection Information Commissioner” and “applicable courts of Switzerland”;
    7. in Clause 17, the Standard Contractual Clauses shall be governed by the laws of Switzerland; and
    8. with respect to transfers to which the Swiss FADP applies, Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland.