Effective: October 19, 2023
This Data Processing Addendum, including the Standard Contractual Clauses referenced herein, (collectively, “DPA”) amends and supplements any existing and currently valid Main Agreement (defined below) either previously or concurrently made between:
Partner Fleet Inc., a company incorporated under the laws of the State of Delaware, USA, having its principal place of business at P.O. Box 277, Bristol, WI 53104 (USA) (the “Data Processor”)
and
The other party to the Main Agreement, as defined below, (the “Data Controller”).
Data Processor and Data Controller are also individually referred to herein as a “Party” and collectively as the “Parties”. Defined terms used in this DPA but not otherwise defined herein shall have the meanings ascribed to them in the Main Agreement.
RECITALS
I. Data Processor and Data Controller agreed to the Main Agreement (as defined below).
II. Pursuant to the Main Agreement, Data Processor may Process Personal Data in connection with the Service (as defined below) on behalf of Data Controller.
III. The Parties agree to comply with the following provisions with respect to any Personal Data transferred to Data Processor in connection with Data Processor’s provision of the Service to Data Controller.
NOW, THEREFORE, THE PARTIES AGREE AS FOLLOWS:
1. Definitions
“Affiliate” has the meaning ascribed to it in the Main Agreement.
“CCPA” means the California Consumer Privacy Act.
“Data Controller” means the Party that determines the purposes and means of the Processing of Personal Data, namely, the other Party to the Main Agreement, as noted above.
“Data Processor” means the Party who Processes Personal Data on behalf of Data Controller, namely, Partner Fleet Inc., as noted above.
“Data Protection Law(s)” means all applicable laws relating to the Processing of Personal Data and privacy that may exist in any relevant jurisdiction, including, where applicable, guidance, formal directives, applicable regulations, and codes of practice issued by the applicable Supervisory Authority, and including, without limitation to the extent applicable: (i) CCPA; (ii) GDPR; (iii) UK GDPR; and (iv) FADP. Data Protection Law(s) exclude, without limitation, consent decrees.
“Data Subject” means the person to whom the Personal Data relates.
“Effective Date” means March 21, 2022, or, if later, the date on which the Main Agreement between the Parties became effective.
“European Economic Area” means a Member State of the European Union, together with Norway, Iceland, and Liechtenstein, (jointly referred to as “EEA”).
“EU Personal Data” means Personal Data which is, or has been, subject to the Data Protection Laws of a Member State of the EEA.
“EU SCC” means the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses, Module II, for the transfer of personal data to third countries pursuant to GDPR, where GDPR applies.
“FADP” means the Swiss Federal Act on Data Protection as updated on 25 September 2020.
“GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data).
“Main Agreement” means the Master Subscription Agreement, its contractual documents including Order Form(s) thereto, as well as any exhibits or amendments or add-on Order Form(s), as entered into between Data Controller and Data Processor.
“Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person that Data Processor has received from Data Controller on or after the Effective Date for Processing pursuant to the Main Agreement when such data is protected as “personal data” or “personally identifiable information” or a similar term under applicable Data Protection Laws. Personal Data processed pursuant to the Main Agreement explicitly excludes Prohibited Data.
“Personal Data Breach” means any accidental, unauthorized, or unlawful destruction, loss, alteration, or disclosure of, or access to Personal Data where such compromise of the Personal Data meets the definitions of both “personal data” (or like term) and “security breach” (or like term) under applicable Data Protection Law(s) governing the particular circumstances.
“Process” or “Processing” or “Processed” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, blocking, erasure or destruction.
“Prohibited Data” has the meaning ascribed to it in Section 3.5.
“Service” has the meaning ascribed to “Service” in the Main Agreement.
“Standard Contractual Clauses” means the EU SCC or the UK SCC together as means to safeguard the transfer of personal data outside of, respectively, the EU, the UK, or Switzerland.
“Sub-processor” means any processor engaged by Data Processor or by any other Sub-processor of Data Processor who receives Personal Data exclusively intended for Processing activities to be carried out on behalf of Data Controller in connection with the Service.
“Supervisory Authority” has the meaning set forth under the applicable Data Protection Laws. When the EU Personal Data are involved, the Supervisory Authority is the French CNIL.
“Swiss Personal Data” means Personal Data which is, or has been, subject to the Data Protection Laws of Switzerland. Swiss Personal Data shall encompass, in addition to data relating to identified or identifiable individuals, data relating to identified and identifiable legal entities if and as long as such data is considered personal data under the FADP.
“UK GDPR” means the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.
“UK Personal Data” means Personal Data which is, or has been, subject to the Data Protection Laws of the United Kingdom.
“UK SCC” means the UK International Data Transfer Addendum to the EU SCC issued by the UK ICO, where the UK GDPR applies.
2. Scope of the DPA
2.1. The Personal Data to be transferred or collected for Processing pursuant to the Main Agreement may consist of the following categories of data:
First and last name, email address, title, phone number, business address, employer’s company name, localization data, and/or information related to selections made through the Service, including online orders placed thereby and, if elected by Data Controller or its Affiliate, such information about prospective customers of the products and services of Data Controller, its Affiliates, and/or Data Controller’s or its Affiliate’s partners.
2.2. The categories of Data Subjects whose Personal Data may be Processed are:
Data Controller’s or its Affiliate’s employees or contractors involved in Data Controller’s and/or its Affiliate’s receipt of the Service, Data Controller’s or its Affiliate’s authorized users of the Service, and/or the employees or contractors of Data Controller’s or its Affiliate’s customers and/or prospective customers.
2.3. The nature and purpose of Processing activities to be undertaken by Data Processor are:
Providing the Service to Data Controller.
3. Obligations of Data Controller
3.1. In accordance with the applicable Data Protection Law(s), Data Controller remains responsible for ensuring the rights of the concerned Data Subjects, including but not limited to, (i) access to their data, (ii) rectification of inaccurate or incomplete data, (iii) erasure of their data, (iv) when applicable, limitation of the use of their data, (v) when data is processed in an automated way, right to transfer their data to a third party under a standard interoperable format (right to portability), (vi) when applicable, opposition to the data processing, or (vii) consent withdrawal. A Data Subject may lodge a complaint with the applicable Supervisory Authority at any time. If the applicable law of the Main Agreement is French law, a Data Subject also has the right to set up directives relating to the use of their data after their death.
3.2. Data Controller will inform its Data Subjects (i) about its use of Data Processor to Process their Personal Data as required by applicable Data Protection Law(s) and (ii) that their Personal Data will be Processed outside of the European Economic Area, the United Kingdom, Switzerland, as required by applicable Data Protection Law(s).
3.3. Data Controller shall without undue delay notify Data Processor in writing (email insufficient) at the address specified above when it discovers errors or irregularities in the Processing of Personal Data in accordance with applicable Data Protection Law(s).
3.4. Data Controller shall respond in a reasonable time to enquiries from any Supervisory Authority regarding the processing of relevant Personal Data by Data Controller. If any Party is required under applicable Data Protection Law(s) to issue information to any Supervisory Authority regarding the collection, processing, or use of Personal Data, the other Party may support the responding Party in its efforts to provide such information.
3.5. Data Controller hereby acknowledges that the Service is intended only to generate 3D and 2D images on websites and platforms, including those of Data Controller and/or third parties with whom Data Controller contracts, and is not intended for storage or use of any data not related to such purpose, including, without limitation, social security numbers, financial account numbers, health information, driver’s license numbers or information, passport or visa numbers, credit card information, or any special categories of personal data (“Prohibited Data”). Data Controller agrees that it will not, and will not permit its Affiliate or any user to, input any Prohibited Data into the Service.
4. Obligations of Data Processor
4.1. In providing the Service, Data Processor shall comply with the instructions of Data Controller for the Processing of Personal Data and Process the Personal Data exclusively in connection with the provision of the Service. The provisions of this DPA are the main source of instructions issued by Data Controller. Any amendments to the Processing requirements shall be agreed between the Parties and documented in writing.
4.2. Data Processor shall assist Data Controller:
(i) in responding to requests by Data Subjects to exercise their rights;
(ii) in complying with its obligations in relation to security of Personal Data under applicable Data Protection Law(s), including but not limited to, as applicable, data protection impact assessment and prior consultation, taking into account the nature of the Service and the information available to Data Processor; and
(iii) in carrying out a request from Data Controller to amend, transfer, or delete any of the Personal Data to the extent necessary to allow Data Controller to comply with its responsibilities as a data controller under applicable Data Protection Law(s).
4.3. Notification of Non-Compliance with Data Protection Requirements:
Data Processor shall inform Data Controller without delay if it becomes aware:
(i) That Data Processor’s employees, subcontractors, and/or any third party engaged in the Processing fail to comply with any requirements regarding the protection of Personal Data or any provisions of this DPA; and/or
(ii) Of any other irregularity in the Processing of Personal Data.
4.4. Storage and Erasure of Data
(i) Data Processor shall store the Personal Data as long as it is needed for the provision of the Service and in accordance with applicable Data Protection Law(s).
(ii) Data Processor must store the Personal Data, together with any copies or reproductions made of such Personal Data, with reasonable care and securely so that it is not accessible to third parties.
(iii) Any Personal Data that is no longer required will be deleted in accordance with applicable Data Protection Law(s).
(iv) Upon request by Data Controller or upon termination or expiration of the Main Agreement, Data Processor shall at Data Controller’s choice (a) deliver to Data Controller all Personal Data (and any copies or derivative works of same) in its possession, and/or (b) destroy all Personal Data (and any copies or derivative works of same) in its possession, and certify to Data Controller that it has done so, unless otherwise required under operation of Data Protection Law(s), or as mutually agreed by the Parties, and/or (c) cease any Processing of Personal Data.
4.5. Data Access and Modification
(i) Data Processor shall permit Data Subjects access to their respective Personal Data. In particular, Data Subjects shall be permitted to correct, amend, or delete inaccurate Personal Data at no additional cost.
(ii) Both Parties agree that, in the event of receiving a Data Subject complaint or access request that may involve the other Party, to notify the other Party without delay and to provide such cooperation and assistance as may be reasonably required to enable that Party to deal with any Data Subject complaint or access request in accordance with the provisions of the applicable Data Protection Law(s).
(iii) To the extent that Data Controller does not have the ability to correct, amend, block, or delete already transferred Personal Data, Data Processor shall comply with any reasonable request by Data Controller to facilitate such actions as required by Data Protection Law(s).
(iv) If Data Processor becomes aware of any errors or incorrectness of Personal Data, Data Processor shall notify Data Controller prior to correcting such data. Whenever a situation arises where this may be appropriate and in line with applicable Data Protection Law(s), consideration may be given to blocking data instead of erasing it.
4.6. Upon request by Data Controller with reasonable notice, Data Controller (or a duly qualified independent auditor selected by Data Controller and not unreasonably objected to by Data Processor) may audit Data Processor to ensure that Data Processor is in compliance with this DPA. Data Processor shall provide Data Controller access to the relevant Data Processor personnel and records. Data Processor shall notify Data Controller without delay if Data Processor becomes aware that an instruction for the Processing of Personal Data given by Data Controller violates any applicable Data Protection Law(s).
4.7. To the extent that Data Controller is a “business” as defined under the CCPA, it is the understanding of the Parties that Processor is a “service provider” as defined under CCPA with respect to the Personal Data. Except for usage of Personal Data as necessary to bring and defend claims, to comply with requirements of the legal process, to cooperate with regulatory authorities, and to exercise other similar permissible uses as expressly provided under applicable Data Protection Law(s), Data Processor shall not retain, use, sell, or disclose the Personal Data (that is not de-identified) for any purpose, including other commercial purposes, outside of the direct business relationship with Data Controller.
5. International Data Transfers
5.1. By the Effective Date, Data Controller acknowledges that it will carry out EU Personal Data, Swiss Personal Data, and UK Personal Data transfers to the following country/ies: United States of America.
5.2. Data Processor hereby agrees to comply with the obligations of a data importer as set out in the EU SCC, incorporated by reference in Exhibit 1 hereto, and acknowledges that Data Controller will be a data exporter under such clauses.
5.3. Data Processor also agrees to comply with the obligations of a data importer as set out in the UK SCC, incorporated by reference in Exhibit 2 hereto, and acknowledges that Data Controller will also be a data exporter under such clauses.
5.4. To the extent the FADP is applicable, the Parties agree that (i) the EU SCC will apply to the transfer of Swiss Personal Data between Data Processor as data importer and Data Controller as data exporter in Switzerland, provided that (i) where the EU SCC include references to the GDPR, such references shall be understood as references to the FADP and (ii) such EU SCC include the superseding changes mentioned in Exhibit 1 for the purpose of that transfer.
5.5. The Parties agree that they will provide additional information about the transfer and will co-operate, without delay, where this is required by a Supervisory Authority in any EEA Member State, the United Kingdom, and/or Switzerland. In the event that a Supervisory Authority revokes or adapts the decision that it made approving the EU SCC or the UK SCC, then Data Controller shall have the right forthwith to require Data Processor to cease to Process EU Personal Data outside the EEA or, if Data Processor is unable to do this, to terminate the Processing of EU Personal Data.
5.6. With respect to the Processing of EU Personal Data, UK Personal Data, and Swiss Personal Data, Data Controller grants authorization to Data Processor to appoint as Sub-processors the entities set out in Annex III of the Appendix to Exhibit 1 hereto, and for the sub-processing activities described therein, as it may be updated from time to time. Data Processor shall provide Data Controller thirty (30) days’ notice (email or message through the Service sufficient) of any intended changes concerning the addition or replacement of other Sub-processors, thereby giving Data Controller the opportunity to object to such changes. Data Processor shall be fully liable for the acts and omissions of its Sub-processors’ Processing of EU Personal Data to the same extent Data Processor would be liable if performing the services of each Sub-processor directly under the terms of this DPA.
6. Security Measures
6.1. Data Processor shall implement and adhere to appropriate technical and organizational measures in order to protect Personal Data, in particular where the Processing involves the transmission of data over a network. These measures shall include the requirements established under applicable Data Protection Law(s).
Therefore, Data Processor agrees to undertake appropriate technical and organizational measures with the following purposes:
(i) protect the Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, theft, alteration, or disclosure;
(ii) ensure, to the extent within Data Processor’s control and not that of Data Controller, that Personal Data cannot be read, copied, modified, or removed without authorization during electronic transmission, transport, or storage and that it is possible to examine, control, and establish to which parties the transfer of Personal Data by means of data transmission facilities is envisaged (transmission control); and
(iii) ensure that it is possible to retrospectively examine, control, and establish whether and by whom Personal Data has been introduced into data processing systems, including any modifications or removal (input control).
6.2. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful Processing, accidental loss, destruction, damage, or theft of the Personal Data and having regard to the nature of the Personal Data which is to be protected.
At a minimum, these measures should include, but not be limited to:
(i) encrypting sensitive and other Personal Data in transit (but solely to the extent such transit is initiated by Data Processor as opposed to Data Controller and it being understood and agreed by Data Controller that the scope of the Main Agreement does not require or address the Processing of any sensitive data, which Data Controller should not transmit to Data Processor without Data Processor’s express written consent);
(ii) ensuring least privileged access rights on systems containing Data Controller’s Personal Data;
(iii) regularly reviewing access permissions to Data Controller’s Personal Data;
(iv) ensuring the use of complex passwords or two-factor authentication when used;
(v) ensuring proper physical access controls to all systems containing Data Controller’s Personal Data; and
(vi) ensuring proper disposal of any Personal Data, in print or electronic media, properly patching systems containing Data Controller’s Personal Data, and ensuring an up-to-date antivirus application is installed on all systems Processing and/or containing Data Controller’s Personal Data.
7. Data Breaches
7.1. Data Processor shall notify Data Controller promptly and in writing if it becomes aware of any actual Personal Data Breach on Data Processor’s equipment or in Data Processor’s facilities, or Sub-processors’, if any.
In particular, Data Processor must notify Data Controller immediately in writing in the event that the property of Data Controller or its Personal Data in the possession or control of Data Processor is endangered by measures undertaken by third parties.
7.2. Immediately after notification, Data Processor will:
(i) investigate the Personal Data Breach and provide Data Controller with a detailed description of the Personal Data Breach, the type of data and other Personal Data that was the subject of the Personal Data Breach and the identity of each affected person, as soon as such information can be collected or otherwise becomes available (as well as periodic updates to this information and any other information Data Controller may reasonably request relating to the Personal Data Breach);
(ii) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Personal Data Breach; and
(iii) provide its full assistance and support to Data Controller in the event that Data Controller determines that it is necessary to notify Data Subjects or any concerned Supervisory Authority of such Personal Data Breach.
8. Sub-processors
8.1. Data Processor uses the third-party Sub-processors listed in Annex III of the Appendix to Exhibit 1. Any such Sub-processor will Process Personal Data only in connection with Data Processor’s provision of the Service and will be prohibited from using Personal Data for any other purpose.
8.2. Data Processor ensures the reliability and competence of its Sub-processors and shall agree with its Sub-processors to protect and Process the Personal Data under terms and conditions no less restrictive than those contained in this DPA.
9. Term and Termination
9.1. This DPA shall enter into effect on the Effective Date and its term shall be coextensive with the term of the Main Agreement. The obligations under Section 4.4 shall survive any termination or expiration of the Main Agreement. Any other obligation, excepting those that reasonably or under any applicable laws have to survive a termination or expiration of the Main Agreement, shall terminate upon termination or expiration of the Main Agreement.
9.2. Data Controller shall deem any breach of this DPA as a breach of the Main Agreement and thus the same provisions for the termination of this DPA shall be applicable.
10. Miscellaneous
10.1. This DPA is intended to ensure the adequate level of protection of Personal Data and does not otherwise affect the rights and obligations under any other agreements between the Parties, including, without limitation, the Main Agreement.
10.2. Nothing in this DPA shall be construed as an exclusion of Data Protection Laws or export regulations that may be applicable to the Service provided by Data Processor under the Main Agreement and that must be observed by the Parties.
10.3. If any term or provision of this DPA shall be held to be illegal or unenforceable in whole or in part, the validity of the remaining provisions of this DPA shall remain unaffected. The same shall apply in the event that this DPA is incomplete.
Exhibit 1
EU SCC
Controller to Processor
The transfer of EU Personal Data is made in accordance with the EU SCC, or in accordance with any successor thereof or an alternative lawful data transfer mechanism, and as follows:
The transfer of Swiss Personal Data is made in accordance with these EU SCCs provided the Parties agree on the following superseding changes, limited to the cross-border disclosure of Swiss Personal Data:
In both cases, the Appendix of the EU SCC is completed by the following Annexes:
APPENDIX
ANNEX I
A. LIST OF PARTIES
Data exporter(s):
Name: See Main Agreement (“You”)
Address: See Main Agreement
Contact person’s name, position and contact details: See Main Agreement
Activities relevant to the data transferred under these Clauses:
Activities relevant to the data transferred under these clauses may include storage, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available data exporter’s data as necessary to provide the Service in accordance with the Main Agreement, including related internal purposes (such as quality control, troubleshooting, and product development).
Signature and date: See Main Agreement
Role (controller/processor): Controller
Data importer(s):
Name: Partner Fleet Inc.
Address: P.O. Box 277, Bristol, WI 53104 (USA)
Contact person’s name, position and contact details: Kenny Browne (CEO) kenny@partnerfleet.com
Activities relevant to the data transferred under these Clauses:
Activities relevant to the data transferred under these clauses may include storage, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available data exporter’s data as necessary to provide the Service in accordance with the Main Agreement, including related internal purposes (such as quality control, troubleshooting, and product development).
Signature and date: See Main Agreement
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Data Controller’s or its Affiliate’s employees or contractors involved in Data Controller’s and/or its Affiliate’s receipt of the Service, Data Controller’s or its Affiliate’s authorized users of the Service, and/or the employees or contractors of Data Controller’s or its Affiliate’s customers and/or prospective customers.
Categories of personal data transferred
First and last name, email address, title, phone number, business address, employer’s company name, localization data, and/or information related to selections made through the Service, including online orders placed thereby and, if elected by Data Controller or its Affiliate, such information about prospective customers of the products and services of Data Controller, its Affiliates, and/or Data Controller’s or its Affiliate’s partners.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
N/A
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous basis, through term of Main Agreement.
Nature of the processing
Processing may include storage, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available data exporter’s data as necessary to provide the Service in accordance with the Main Agreement, including related internal purposes (such as quality control, troubleshooting, and product development).
Purpose(s) of the data transfer and further processing
To provide the Service, as described in the Main Agreement and this Data Processing Addendum.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Criteria used to determine retention periods include the status of fulfillment of the purpose of the data processing, as specified above, the data retention periods specified in each Party’s disaster recovery plan and/or business continuity plan, the term of the Main Agreement, and data subject request.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
See Annex III and above descriptions regarding duration of processing.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
The data protection commission for the Republic of Ireland, located at 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF DATA
Security Measures
Data Processor shall implement and maintain appropriate technical and organizational security measures that are designed to protect Customer Data from Security Incidents and designed to preserve the security and confidentiality of Customer Data.
Security Organizational Structure
Information Security responsibility and authority is delegated by Data Processor to its CEO (“DPO”). Along with the DPO, a Security Steering Committee will act as an advisory board and a channel to communicate security issues from and to the DPO.
Information Classification and Sensitivity
Data Processor categorizes all information into two main classifications: Public and Confidential. Within the classification of Confidential information, there is a continuum, in that it is understood that some information is more sensitive than other information and should be protected in a more secure manner.
Personal Data Encryption
Data Processor shall encrypt personal data both at rest and in transit. Personal data decryption is limited to employees who have passed appropriate background checks and have undergone training.
Access Control
Data Processor employs role-based access control. Access to Data Processor’s information assets is restricted and will be granted to Data Processor’s employees and contractors to fulfill their duties on a need-to-use basis. Data Processor employees and contractors will not be granted access to any information asset that is not directly needed in regard to their work, in line with the principles of least privilege.
Security Review and Testing
Data Processor shall review all policies and practices at least once per year. Data Processor shall have third-party vulnerability scans conducted and shall commission a third-party penetration report at least once per year.
Data Storage and Deletion
Wherever possible, data is stored electronically, restricted to authorized users only, and as secure as practically possible to protect from misuse or loss. The data will be stored while taking into consideration the period of retention required and the frequency with which access will be made to the record. The degree of security required for file storage will reflect the sensitivity and confidential nature of any material recorded, and due regard to security must also be given to archived filing. Data and records should not be kept for longer than is necessary. All information of a confidential or sensitive nature on paper or electronic media must be securely destroyed when it is no longer required. Deletion should ultimately mean the complete destruction of the electronic record. This implies rendering data non-recoverable even when using forensic data recovery techniques.
Physical Security
The physical security of Data Processor’s corporate offices is maintained as part of Data Processor’s overall security level requirements. Data Processor's employees and subcontractors are subject to Data Processor’s physical security requirements. Data Processor relies upon third-party hosting and cloud providers to host its online, Web-based applications and platform.
Information Logging
Logging from critical systems, applications, and services can provide key information and potential indicators of compromise. Although logging information may not be viewed on a daily basis, it is critical to have from a forensics standpoint. Accordingly, Data Processor applies logging principles to Data Processor’s network(s).
Disaster Recovery
Data Processor maintains a written disaster recovery plan to mitigate the effects of a disaster. The intent is to restore operations as quickly as possible with the latest and most up-to-date data available. Data Processor’s disaster recovery team tracks changes to personnel, hardware, software, vendors, or any other item documented in the plan in an effort to keep this document current and relevant.
ANNEX III
LIST OF SUB-PROCESSORS
Entity Name | Purpose | Address | Entity Processing Location
Heroku | Web Hosting and Infrastructure | 415 Mission Street, Suite 300, San Francisco, CA 94105 | United States
AWS | Web Hosting and Infrastructure | 410 Terry Avenue North, Seattle, WA | United States
Middle | Data Automation | Middle (by Perkville), C/O Port Workspaces, 344 Thomas L. Berkley Way, Oakland, CA 94612 | United States
Postmark | Transactional Email | 222 South Riverside Plaza Suite 810, Chicago, IL 60606 | United States
Exhibit 2
UK SCC
Controller-to-Processor
Part 1: Tables
Table 1: Parties
Start date | The Effective Date as defined in the DPA
The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer)
Parties’ details | See Exhibit 1 EU SCC, Annex I.A. | See Exhibit 1 EU SCC, Annex I.A.
Key Contact | See Exhibit 1 EU SCC, Annex I.A. | See Exhibit 1 EU SCC, Annex I.A.
Table 2: Selected SCCs, Modules, and Selected Clauses
Addendum EU SCCs
The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:
As set forth in the DPA to which this Exhibit is attached.
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex 1A: List of Parties: See Exhibit 1 EU SCC, Annex I.A.
Annex 1B: Description of Transfer: See Exhibit 1 EU SCC, Annex I.B.
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: See Exhibit 1 EU SCC, Annex II
Annex III: List of Sub processors (Modules 2 and 3 only): See Exhibit 1 EU SCC, Annex III
Table 4: Ending this Addendum when the Approved Addendum Changes
Ending this Addendum when the Approved Addendum changes
Amendments shall follow the amendment procedures as set forth in the Main Agreement.
Part 2: Mandatory Clauses
Mandatory Clauses
Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.