Data Processing Agreement

This Data Processing Agreement (DPA) and its Attachments form a formal contract between Auth-Analytics (“Supplier”) and any recipient of Supplier Products (“Customer”) through a written or electronic Agreement governing these product provisions.

The DPA comes into effect when Supplier processes Personal Data on behalf of Customer, as referenced or signed in the Agreement. It’s a vital part of the Agreement, activated upon signature or integration into the Agreement as specified.

In case of conflicting terms, this DPA takes precedence over the Agreement, ensuring clarity and consistency. Its duration aligns with the Agreement’s Terms, with defined terms following those in the Agreement for uniform interpretation.

1. Definitions

When we mention “California Personal Information,” we’re talking about Personal Data regulated by the CCPA.

“Canadian Privacy Laws” encompass data protection regulations in Canada and its provinces, including:

(i) The Personal Information Protection and Electronic Documents Act of 2000 (“PIPEDA”);

(ii) In Quebec: the Act to Modernize Legislative Provisions As Regards the Protection of Personal Information, also known as Law 25 (formerly known as Bill 64), and the Act Respecting the Protection of Personal Information in the Private Sector, CQLR P-39.1, which is amended thereby (collectively “Law 25”);

(iii) In Alberta: the Personal Information Protection Act [of Alberta] (“PIPA Alberta”); and

(iv) In British Columbia: the Personal Information Protection Act [of British Columbia] (“PIPA BC”).

We adhere to CCPA’s definitions for terms like “Consumer,” “Business,” “Sell,” and “Service Provider.”

When we mention a “Controller,” we’re referring to the entity responsible for determining how Personal Data is processed, whether that’s an individual, organization, or public authority.

“Data Protection Laws” encompass all global regulations governing data protection and privacy, including European Data Protection Laws, US Data Privacy Laws, and Canadian Data Privacy Laws. This ensures compliance and security in all our data processing activities.

A “Data Subject” is the individual whose Personal Data is being processed.

“European Data” refers to Personal Data subject to European Data Protection Laws.

“European Data Protection Laws” encompass the data protection regulations applicable within the European Union, the European Economic Area (“EEA”), their member states, Switzerland, and the United Kingdom. These laws, subject to revisions or replacements, include:

(i) Regulation 2016/679 of the European Parliament and of the Council (GDPR), focusing on safeguarding personal data and its free movement;

(ii) Directive 2002/58/EC, amended by Directive 2009/136/EC, addressing personal data processing and privacy in electronic communications;

(iii) National implementations of these regulations, such as the Data Protection Act of 2018 and the UK GDPR integrated into UK domestic law;

(iv) Swiss Federal Act on Data Protection of 19 June 1992, alongside its Ordinance (FADP), updated as of 25 September 2020.

“Instructions” are explicit, written directives from Customers to suppliers, guiding actions related to personal data.

“Onward Transfer” signifies the transfer of Personal Data from one third-party, like a Processor, to another, such as a Sub-Processor, or beyond.

“Permitted Affiliates” are our customers’ Affiliates (as defined in the Agreement):

(i) They use our Products under the Agreement without a separate contract;

(ii) We process Personal Data for them;

(iii) They adhere to Data Protection Laws.

“Personal Data” includes information collected or provided by our customers, concerning an identifiable individual, protected under relevant Data Protection Laws.

“Personal Data Breach” denotes a security breach resulting in accidental or unlawful access, alteration, or disclosure of Personal Data processed by the Supplier, subject to Data Protection Laws.

“Processing” encompasses operations performed on Personal Data, such as collection, storage, or erasure, as defined by relevant Data Protection Laws.

A “Processor” is an entity processing Personal Data on behalf of the Controller.

“Products” are the goods and services offered by Auth-Analytics to customers under our Agreement.

“Standard Contractual Clauses” (SCCs) are protocols for handling Personal Data under GDPR regulations. These follow the standard contractual clauses approved by the European Commission in decision (EU) 2021/914 dated 4 June 2021. You can find these clauses at http://data.europa.eu/eli/dec_impl/2021/914/oj. Additionally, for Personal Data processing governed by the UK GDPR, our SCCs include the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses. You can access this addendum at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/.

Within our Data Processing Agreement (DPA), a “Sub-Processor” refers to any third-party entity engaged by Supplier for specific Processing tasks as outlined in the DPA, conducted in accordance with instructions and within defined limitations.

For data processing under GDPR, UK GDPR, or FADP, a “Third Country” is any country outside the EEA, United Kingdom, or Switzerland, respectively. These countries are not deemed to offer an adequate level of protection for Personal Data under relevant European Data Protection Laws.

“US Privacy Laws” encompass data protection regulations applicable within the United States of America and its states. These laws are continually evolving and include:

(i) California: Consisting of the California Consumer Privacy Act of 2018, amended by the California Privacy Rights Act (CCPA).

(ii) Colorado: Encompassing the Colorado Privacy Act (CoPA).

(iii) Connecticut: Including the Connecticut Personal Data Privacy and Online Monitoring Act (CPDP).

(iv) Utah: Involving the Utah Consumer Privacy Act, effective from December 31, 2023 (UCPA).

(v) Virginia: Covering the Virginia Consumer Data Protection Act (VCDPA).

2. Roles of the Parties

a. European Data Protection Laws: Regarding European Data processed under this DPA, both parties acknowledge that Supplier acts as a Processor while Customer acts as either a Controller or a Processor, representing a Controller not party to the Agreement or this DPA.

b. CCPA: Concerning California Personal Information, both parties agree that Customer operates as a Business and Supplier as a Service Provider, unless Attachment 1, Section A specifies Supplier processing Personal Data as a ‘third party’ as per CCPA’s definition, in which case Supplier is designated as a CCPA Third Party.

c. US Privacy Laws (excluding CCPA): Regarding Personal Data governed by US Privacy Laws other than CCPA, both parties acknowledge that Supplier acts as a Processor while Customer acts as either a Controller or a Processor, representing a Controller not part of the Agreement or this DPA.

d. Canadian Privacy Laws: Concerning Personal Data governed by Canadian Privacy Laws, both parties agree that Supplier processes Personal Data on behalf of Customer and complies with obligations under applicable Canadian Privacy Laws in that capacity. Customer, through its Instructions to Supplier, determines the purposes and methods of Personal Data Processing and assumes corresponding obligations under Canadian Privacy Laws.

3. Customer Responsibilities

a) Compliance with Laws: Customers are expected to follow all requirements set forth in relevant Data Protection Laws. If they are unable to fulfill these obligations for any reason, they should promptly inform Auth-Analytics. Specifically, customers are responsible for:

i. Data Accuracy and Legality: Ensuring that Personal Data is accurate, obtained legally, and of high quality.

ii. Transparency and Lawfulness: Abiding by transparency and lawfulness standards as mandated by Data Protection Laws, including obtaining necessary consents, especially for marketing-related Personal Data.

iii. Data Transfer Rights: Confirming their right to transfer or grant access to Personal Data to Auth-Analytics for Processing per the Agreement.

iv. Instruction Compliance: Ensuring that all provided Instructions to Auth-Analytics regarding Personal Data Processing comply with applicable laws, including Data Protection Laws.

v. Content and Communication: Adhering to all laws, including Data Protection Laws, regarding generated, sent, or managed content through Auth-Analytics’ Products. This includes obtaining required consents for communications, ensuring content complies with regulations, and following proper communication deployment practices.

b) Guidelines: Your instructions to Auth-Analytics regarding Personal Data handling are governed by:

(i) The terms in the Agreement, this DPA, and any Attachments.

(ii) Your guidance through Product usage aligned with the Agreement.

(iii) An overarching approval allowing Auth-Analytics to utilize Personal Data for operational needs related to delivering Products.

Any additional instructions require mutual agreement through the appropriate process for modifying the Agreement or DPA.

c) Security Assurance: It’s your responsibility to ensure that our data security measures within the Products align with your obligations under relevant Data Protection Laws. You’re also accountable for securely using our Products, including safeguarding account access and securing Personal Data during transit to and from our Products (including secure backup or encryption of such data).

4. Supplier Responsibilities

a. Guideline Adherence: Suppliers must process Personal Data strictly for the purposes outlined in this Data Processing Agreement (DPA), including Attachment 1, or as directed within lawful instructions from the Customer. Exceptions apply only where permitted by applicable laws. Suppliers are not responsible for ensuring Customer’s compliance with Data Protection Laws unless these laws generally apply to Suppliers.

b. Legal Compliance: If a Supplier cannot fulfill its obligations under Data Protection Laws or process Personal Data according to Customer’s instructions due to legal obligations, the Supplier will:

(i) Promptly notify the Customer, as allowed by law, of such legal obligations; and

(ii) Temporarily cease processing activities (except for data storage and security) until new compliant instructions are provided by the Customer. The Supplier will not be liable for service interruptions under the Agreement until new lawful instructions are received.

c. Data Security Measures: Suppliers will implement suitable technical and organizational measures to protect Personal Data from breaches, as detailed in Attachment 2 (Technical and Organizational Measures) of this DPA. Suppliers may adjust Attachment 2 as necessary, provided the measures are not substantially reduced.

d. Confidentiality: Suppliers will ensure that authorized personnel processing Personal Data are bound by appropriate confidentiality obligations, whether contractual or statutory.

e. Personal Data Breaches: In case of a Personal Data Breach, Auth-Analytics will promptly notify customers and comply with timelines specified by relevant Data Protection Laws. Customers acknowledge that Auth-Analytics may notify authorities and affected individuals about breaches, with customers having the opportunity to suggest reasonable changes to these notifications. Auth-Analytics will offer support for customer-issued notifications to ensure legal compliance.

f. Data Deletion or Return: Upon termination or expiration of services, Auth-Analytics will securely delete or return all processed Personal Data, unless retention is required by law or for backup purposes. Archived data will be isolated, protected, and deleted according to established practices.

g. Compliance Demonstration: Auth-Analytics will provide necessary information to demonstrate compliance with the Data Protection Agreement and laws. Customers can request audits, including confidential security program reports or written confirmations of compliance. Audit requests are limited to once per year.

h. Supplier Assistance to Customer: Auth-Analytics will assist customers with their obligations under Data Protection Laws primarily through product features. Customers agree to utilize these features before seeking additional assistance from Auth-Analytics.

5. Data Subject Requests

As part of our commitment mentioned in Section 4(f) above, Auth-Analytics will assist you in managing requests from data protection authorities and individuals exercising their rights under relevant Data Protection Laws (“Data Subject Requests”), as mandated by law. For efficient handling, Data Subject Requests must include sufficient information for identity verification.

There may be reasonable charges for additional assistance beyond our standard services.

If a Data Subject Request or any communication regarding Personal Data processing under our Agreement is directed to Auth-Analytics, and we can confirm your identity through our usual procedures, we will promptly inform you of the request and advise the Data Subject to contact you directly. Otherwise, you are responsible for addressing any Data Subject Requests.

6. Data Security Assessments

In compliance with applicable laws, Auth-Analytics will provide reasonable support to customers for conducting and documenting data security assessments, subject to the availability of necessary information and provided customers do not already possess such information.

7. Sub-Processing Partners

Customers authorize Auth-Analytics to engage Sub-Processors for processing Personal Data on their behalf, endorsing the listed entities as Sub-Processors. Any changes to this list must follow the amendment process in Section 11(a) of our Data Processing Agreement (DPA).

When engaging Sub-Processors, Auth-Analytics will establish written agreements mandating data protection terms ensuring at least the same level of security for Personal Data as outlined in this DPA. Auth-Analytics remains accountable for ensuring Sub-Processors comply with the obligations of this DPA and rectifying any breaches resulting from Sub-Processor actions or inactions.

8. Global Data Handling

You acknowledge and consent to Auth-Analytics processing your personal data globally as necessary for delivering our products according to our agreement. We ensure that these data transfers adhere to all relevant data protection regulations.

9. Special Considerations for European Data

a. Scope: These provisions specifically pertain to data originating from Europe. If any terms in this section conflict with others in the agreement, these terms take precedence.

b. Compliance Assistance: In accordance with European data protection laws, Auth-Analytics will support you in conducting data protection impact assessments and engaging with regulatory authorities, provided that we have reasonable access to the required information.

c. Cross-Border Data Transfers:

(i) We undertake not to transfer European data to non-European countries without ensuring compliance with applicable data protection laws. This may involve using approved frameworks, binding corporate rules, or standard contractual clauses.

(ii) Standard Contractual Clauses are employed when transferring personal data to non-European countries: 

  • (A) For transfers from EEA/Switzerland: Part 1 of Attachment 3 is applicable. 
  • (B) For transfers from the UK: Part 2 of Attachment 3 is applicable.

(iii) Exceptions may apply if Auth-Analytics has established Binding Corporate Rules or another recognized standard for lawful transfers.

(iv) In the event of a conflict between the Standard Contractual Clauses and this agreement, the Standard Contractual Clauses take precedence.

10. Special Terms for California Personal Information

a. Applicability: This Section 10, addressing Additional Provisions for California Personal Information, is specifically for transactions involving California Personal Information. If there are conflicting terms between this Section 10 and other sections of this DPA, the terms in this Section 10 will take precedence.

b. Supplier’s Duties as a Service Provider:

i. As a Service Provider, we agree to:

  • Handle California Personal Information strictly for the purposes outlined in Attachment 1 of this DPA and as allowed by the CCPA, including the Business Purposes specified in Section 1798.140(e).
  • We won’t merge California Personal Information received from or on behalf of the Customer with data from other sources unless necessary for permitted Business Purposes under the CCPA. We may aggregate, de-identify, or anonymize California Personal Information for research, development, or other CCPA-compliant purposes.
  • We won’t sell or share California Personal Information as defined by the CCPA.
  • We won’t use or disclose California Personal Information for any non-Business Purpose or unauthorized commercial use.
  • We won’t use or disclose California Personal Information outside the direct business relationship between Customer and Supplier unless permitted by the CCPA.

ii. As a Service Provider, we will:

  • Adhere to all applicable CCPA obligations.
  • Ensure privacy protection in line with CCPA requirements.
  • Implement reasonable security measures to safeguard California Personal Information.
  • Act promptly on Customer requests regarding California Personal Information.
  • Address unauthorized use of California Personal Information appropriately.
  • Notify Customer promptly of any CCPA-related complaints, notices, or communications, including verifiable consumer requests under the CCPA within seven (7) business days.

c. Responsibilities as a CCPA Third Party: When Auth-Analytics acts as a CCPA Third Party (as outlined in Section 2(a)), we handle California Personal Information strictly for the purposes detailed in Attachment 1 of our Data Processing Agreement (DPA). These purposes include Business Purposes and any specific CCPA Third Party purposes mentioned therein, as allowed by the CCPA.

In this role:

  • We use California Personal Information solely for CCPA Third Party Purposes.
  • We adhere to all CCPA obligations.
  • We ensure the same level of privacy protection mandated by the CCPA as required by our customers.
  • We implement appropriate security measures to safeguard California Personal Information.
  • We allow our customers to take reasonable steps to address unauthorized use of California Personal Information and ensure our use aligns with their CCPA obligations.
  • We promptly inform our customers of any complaints, notices, or communications related to CCPA compliance, including verifiable consumer requests, within a notification timeframe of seven (7) business days.

d. Certification: Auth-Analytics affirms its understanding of and commitment to adhere to the limitations outlined in Section 9(b) (Responsibilities as a Service Provider) and Section 9(c) (Responsibilities as a CCPA Third Party).

11. General Provisions

a. Amendments: Auth-Analytics reserves the right to update and modify this DPA or list of Sub-Processors, with changes taking effect thirty (30) days after notification through a specific URL or direct communication to Customers. Customers are responsible for reviewing and understanding these updates. If a Customer objects before the effective date, Auth-Analytics will either negotiate in good faith or terminate the DPA with a pro-rata refund for affected Product Fees.

b. Severability: If any provision in this DPA is found invalid or unenforceable, it won’t affect the validity of other provisions.

c. Limitation of Liability: Each party’s liability, including Customer’s Affiliates if applicable, under this DPA will follow the limitations and exclusions outlined in the Agreement, except regarding individual Data Subject’s data protection rights.

d. Governing Law: This DPA follows the governing law specified in the Agreement unless Data Protection Laws require otherwise.

12. Parties Involved in this Data Processing Agreement

a. Permitted Affiliates: By entering this DPA, the Customer represents itself and its Permitted Affiliates as required by Data Protection Laws. This establishes individual DPAs between the Supplier and each Permitted Affiliate, with “Customer” including both the Customer and its Permitted Affiliates.

b. Authorization: The Customer warrants its authority to consent and engage in this agreement on behalf of itself and its Permitted Affiliates.

c. Remedies: Where a Permitted Affiliate enforces a right under this DPA, only the Customer entity in the Agreement will exercise such rights collectively for all Permitted Affiliates. The Customer entity is responsible for all communication regarding this DPA on behalf of its Permitted Affiliates.

Attachment 1 – Data Processing Details

A. Objective and Nature of Data Processing

At Auth-Analytics, we manage Personal Data for specific purposes outlined in our Agreement. This involves delivering Products as per the terms in Order Forms or SOWs and adhering to Customer instructions for Product usage.

B. Data Processing Duration

Auth-Analytics processes Personal Data solely during the Agreement duration unless a different arrangement is confirmed in writing. However, in accordance with Data Protection Laws, we may retain Personal Data beyond the Agreement period for legal obligations, fraud prevention, tax compliance, and honoring contractual commitments to third parties. Such processing aligns with our DPA and applicable Data Protection Laws.

C. Categories of Data Subjects

Customers may provide Personal Data concerning various Data Subjects while utilizing our Products. These Data Subjects encompass Customer’s employees, contractors, collaborators, customers, partners, prospects, suppliers, subcontractors, and individuals interacting with or supplying Personal Data to Customer’s end users.

D. Types of Personal Data

Customers utilizing Auth-Analytics’ Products may share the following Personal Data categories with us, based solely on their discretion:

Contact Information: Including details like name, email address, phone number, online usernames, IP address, user agent, and similar identifiers.

Financial Information: Covering bank account and credit card details.

Any other Personal Data: Referring to additional information submitted, transmitted, or received by the customer, their partners, advertisers, or end users through our Products.

E. Special Data Categories

Neither Auth-Analytics nor its customers expect to handle special categories of Personal Data or sensitive information as defined by relevant Data Privacy Laws.

F. Data Processing Operations

All Personal Data is processed in accordance with the Agreement and our DPA. Processing activities may involve:

a. Storage and other necessary processing for providing, maintaining, and improving the Products offered to the customer.

b. Disclosure as per the Agreement, our DPA, and/or mandated by applicable laws.

Attachment 2 – Technical and Organizational Security Measures

At Auth-Analytics, we are committed to upholding a robust level of protection for Personal Data, as outlined in this Attachment 2. Our measures are carefully tailored to suit the specific nature, scale, context, and purpose of our data processing activities, ensuring the safeguarding of individuals’ rights and freedoms.

a) Access Control

  • Preventing Unauthorized Product Access

Outsourced processing: We partner with trusted cloud infrastructure providers to host our Cloud Services. Our contractual agreements with these vendors ensure alignment with our Data Processing Agreement, backed by robust contractual frameworks, privacy policies, and vendor compliance programs.

Physical and environmental security: Our product infrastructure is hosted with reputable outsourced providers adhering to stringent physical and environmental security controls. These controls undergo regular audits for compliance with industry standards such as SOC 2 Type II and ISO 27001.

Authentication: A standardized password policy is implemented across our customer products. Users must authenticate themselves before accessing non-public customer data via the user interface.

Authorization: Customer Data is securely stored in multi-tenant storage systems accessible only through authorized interfaces. Direct access to the infrastructure is restricted, and our authorization framework ensures that only authorized individuals can access relevant features and data sets.

API Access: Access to our public product APIs requires authentication using an API key or through Auth authorization.

Preventing Unauthorized Use: We employ industry-standard access controls and detection capabilities within our internal networks to prevent unauthorized protocols and ensure data security.

Access Controls: Our network access controls include Virtual Private Cloud (VPC) setups, security group assignments, and firewall rules to block unauthorized access.

Intrusion Detection and Prevention: A Web Application Firewall (WAF) solution is in place to protect customer websites and applications from attacks.

Static Code Analysis: Regular security reviews of our code repositories identify and address software flaws.

Penetration Testing: Annual penetration tests by recognized service providers help identify and mitigate potential attack vectors.

  • Limitations of Privilege & Authorization:

Product Access: Access to products and customer data is limited to specific employees through controlled interfaces. Access is based on roles, logged through “just in time” requests, and monitored daily.

Background Checks: All employees undergo third-party background checks before employment, ensuring adherence to company guidelines and ethical standards.

b) Transmission Control:

During transit: We use HTTPS encryption (SSL/TLS) for all login interfaces, providing this service free of charge for customer sites hosted on our products.

While at rest: User passwords are stored securely according to industry standards, with data encryption technologies implemented for data at rest.

c) Input Management:

Detection: Our infrastructure is set up to comprehensively log system activities, incoming traffic, authentication processes, and application requests. We analyze these logs internally to swiftly identify and alert relevant team members about any suspicious, unintended, or irregular activities. Our dedicated teams, including security, operations, and support, proactively address known issues.

Response and Tracking: Auth-Analytics maintains detailed records of security incidents, including descriptions, timestamps, and actions taken. Our security, operations, or support teams thoroughly investigate suspected incidents, promptly document resolutions, and take necessary steps to minimize any potential damage or unauthorized access. We adhere to our Data Processing Agreement or Agreement regarding customer notifications in case of incidents.

d) Ensuring System Availability

Infrastructure Uptime: Our infrastructure guarantees a minimum uptime of 99.95% through robust efforts by our providers. They ensure redundancy across power, network, and HVAC services for uninterrupted operations.

Fault Tolerance: We implement fault tolerance strategies, including backup and replication mechanisms, to handle processing failures. Customer data is securely stored across multiple durable data stores and replicated across different zones for added security.

Online Replicas and Backups: We maintain online replicas and backups for our production databases, ensuring data integrity and availability. Standard backup methods are consistently applied to safeguard your data.

Our architecture prioritizes redundancy and seamless failover to prevent disruptions. Server instances supporting our products are designed to eliminate single points of failure, ensuring smooth operations during updates and maintenance.

e) Certifications

We offer independently validated reports of our security programs, including SOC 2 Type II, ISO 27001, upon request. These certifications underscore our commitment to maintaining high security and compliance standards for our customers.

Attachment 3: Part 1 – Data Transfers from EEA/Switzerland

1. Both parties acknowledge and confirm that the Standard Contractual Clauses, along with this Part 1, are included in this agreement and are relevant to the transfer of Personal Data from the European Economic Area (EEA) or Switzerland to Third Countries.

2. Module Two (Controller to Processor) of the Standard Contractual Clauses applies when Customer, acting as the Controller of Personal Data, transfers data to a Third Country where Supplier acts as the Processor.

3. Module Three (Processor to Processor) of the Standard Contractual Clauses applies when Customer, acting as the Processor of Personal Data, transfers data to a Third Country where Supplier acts as a Sub-Processor.

4. Both parties acknowledge that specific clauses in the Standard Contractual Clauses necessitate input from both parties. The agreed responses for Module Two and Module Three (where applicable) are as follows:

a) Clause 7 of the SCCs is inapplicable.

b) For Clause 9(a), Option 2 (general written authorization) is chosen, with a thirty (30) day prior notice period for changes in Sub-Processors.

c) The optional language in Clause 11 is not applied, and Data Subjects cannot file complaints with an independent dispute resolution body.

d) Clause 17 is governed by the laws of the Republic of Ireland.

e) For Clause 18(b), the parties select the courts of the Republic of Ireland as the forum and jurisdiction.

5. Annex I.A of the SCCs: For Module Two and Module Three, please complete Annex I.A as detailed below:

a) Data Exporter:

i) Name: The entity identified as “Customer” in the Data Processing Agreement (DPA).

ii) Address: The address associated with the Customer’s account or as specified in the DPA or Agreement.

iii) Contact Person’s Name, Position, and Contact Details: Contact details linked to Customer’s account or as specified in the DPA or Agreement.

iv) Activities Relevant to Data Transfer: Activities outlined in Attachment 1 of the DPA.

v) Role (Controller/Processor): For Module Two, Controller; for Module Three, Processor.

b) Data Importer:

i) Name: Auth-Analytics

ii) Address:

iii) Contact Person’s Name, Position, and Contact Details:

iv) Activities Relevant to Data Transfer: Activities specified in Attachment 1 of the DPA.

v) Role (Controller/Processor): For Module Two and Module Three, Processor.

c) Signature and Date:

By entering into the DPA, both data exporter and data importer are considered to have signed these Standard Contractual Clauses, including their Annexes, as of the Effective Date of the DPA.

6) Annex I.B of the SCCs Details

  • Data Subject Categories: The types of individuals whose personal data is transferred are detailed in Attachment 1 of the DPA.
  • Types of Personal Data: Specific information about the personal data can be found in Attachment 1 of the DPA.
  • Sensitive Data Transfer: If sensitive Personal Data is transferred (as indicated in Section E of Attachment 1 to the DPA), appropriate precautions and safeguards will be applied, such as strict purpose limitations, limited access, access logs, restrictions on further transfers, or enhanced security measures, in accordance with Data Protection Laws.
  • Data Transfer Frequency: Personal data is transferred continuously.
  • Nature of Processing: The processing nature is specified in Attachment 1 of the DPA.
  • Purpose of Data Transfer and Processing: The purpose of processing is outlined in Attachment 1 of the DPA.
  • Data Retention Duration: Personal data will be retained until either requested for deletion by the data exporter per DPA or Agreement terms, or as permitted by Data Protection Laws.
  • Transfers to Sub-Processors: Details regarding subject matter, nature, and duration of processing by sub-processors are provided in Attachment 1 of the DPA.

7) Annex I.C Completion

For Annex I.C of the SCCs, the relevant supervisory authority is determined as per Clause 13 of the Standard Contractual Clauses, based on the Member State outlined in Section 4(d) of Attachment 3.

8) Attachment 2 and SCCs

Attachment 2 of this DPA (Technical and Organizational Measures) is considered Annex II of the SCCs.

9) Sub-Processors and SCCs

Section 7 of this DPA regarding Sub-Processors is treated as Annex III of the SCCs.

Part 2 – UK Transfers:

1. We both recognize that the Standard Contractual Clauses, complemented by Part 1 and amended by the UK Addendum detailed in Exhibit 1 of Attachment 3 of this DPA, are included by reference and are applicable to the transfer of Personal Data from the United Kingdom to Third Countries. These clauses, along with the UK Addendum, are tailored to ensure legal transfers under UK Data Protection Laws and to provide necessary safeguards as per Article 46 of the UK GDPR.

2. Part 2 is to be interpreted in harmony with the provisions of the UK GDPR, guaranteeing the intended safeguards outlined in Article 46, and must not contradict the rights and responsibilities under the UK GDPR.

3. Any mentions of legislation, including the UK Addendum, indicate that legislation as updated from time to time is taken into account (including any revisions or replacements post the Effective Date of this DPA).

4. In the event of a conflict between the Standard Contractual Clauses along with the UK Addendum and other terms in this DPA or the Agreement, the provisions of the Standard Contractual Clauses along with the UK Addendum shall take precedence.

Exhibit 1 to Attachment 3 – International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
VERSION B1.0, in force 21 March 2022

Part 1: Tables

Start date: Upon the effective date of the DPA.

| The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
| --- | --- | --- |
| Parties’ details: Full legal name | As stated in Part I, Section 5(a) of Attachment 3 to the DPA | As stated in Part I, Section 5(b) of Attachment 3 to the DPA |
| Parties’ details: Trading name (if different) | | |
| Parties’ details: Main address (if a company registered address) | As stated in Part I, Section 5(a) of Attachment 3 to the DPA | As stated in Part I, Section 5(b) of Attachment 3 to the DPA |
| Parties’ details: Official registration number (if any) (company number or similar identifier) | | |
| Key Contact | As stated in Part I, Section 5(a) of Attachment 3 to the DPA | As stated in Part I, Section 5(b) of Attachment 3 to the DPA |
| Signature (if required for the purposes of Section 2) | NOT REQUIRED | NOT REQUIRED |

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs:

☑ The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:
Date: June 4, 2021 template, effective on the Start Date listed above
Reference (if any):
Other identifier (if any):

Or

☐ the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:

| Module | Module in operation | Clause 7 (Docking Clause) | Clause 11 (Option) | Clause 9a (Prior Authorisation or General Authorisation) | Clause 9a (Time period) | Is personal data received from the Importer combined with personal data collected by the Exporter? |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | | | | | | |
| 2 | | | | | | |
| 3 | | | | | | |
| 4 | | | | | | |

Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties: As stated in Part I, Section 5 of Attachment 3 to the DPA
Annex 1B: Description of Transfer: As stated in Part I, Section 6 of Attachment 3 to the DPA
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: As stated in Part I, Section 8 of Attachment 3 to the DPA
Annex III: List of Sub processors (Modules 2 and 3 only): As stated in Part I, Section 9 of Attachment 3 to the DPA

Table 4: Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum changes: Which Parties may end this Addendum as set out in Section 16:

☑ Importer
☐ Exporter
☐ neither Party

Part 2: Mandatory Clauses

Mandatory Clauses: Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.