Jurisdiction Specific Terms
Last Modified: June 10, 2024
These Jurisdiction Specific Terms (the “Jurisdictional Terms”) and their Annexes are supplemental to and form an integral part of the Data Processing Addendum (the “Addendum”), a schedule to the SciMax Master Licenses and Service Agreement (the “Service Agreement”). These Jurisdictional Terms are effective upon their incorporation into the Addendum. SciMax reserves the right to update these Jurisdictional Terms from time to time by posting a revised version at https://scimaxglobal.com/jurisdiction-specific-terms.
To the extent Techsol (and SciMax, as a subsidiary of Techsol) processes Client Personal Data originating from, or otherwise protected by Applicable Laws in, one of the jurisdictions listed in these Jurisdictional Terms, these Jurisdictional Terms will apply in addition to the terms of the Addendum. In the event of any conflict or ambiguity between these Jurisdictional Terms and any terms of the Addendum, the applicable Jurisdictional Terms will take precedence.
Terms not otherwise defined in these Jurisdictional Terms will have the meaning as set forth in the Addendum.
1. European Economic Area.
1.1. “European Economic Area” or “EEA” means the EU Member States, and Iceland, Liechtenstein, and Norway.
1.2. “EU 2021 Standard Contractual Clauses” means the contractual clauses adopted by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
1.3. “Restricted Transfer of EEA Personal Data” means any transfer of Client Personal Data subject to the GDPR which is undergoing Processing or is intended for Processing after transfer to a Third Country (as defined below) or an international organization in a Third Country (including data storage on foreign servers).
1.4. “Third Country” means a country outside of the EEA.
1.5. With regard to any Restricted Transfer of EEA Personal Data from the Client to SciMax within the scope of the Addendum, one of the following transfer mechanisms shall apply, in the following order of precedence:
(a) a valid adequacy decision adopted by the European Commission on the basis of Article 45 of the GDPR that provides that the Third Country, a territory or one or more specified sectors within that Third Country, or the international organization in question to which Client Personal Data is to be transferred ensures an adequate level of data protection;
(b) Techsol’s EU-U.S. Data Privacy Framework certification, or any successor to the Data Privacy Framework, only to the extent that any such certification constitutes an “appropriate safeguard” pursuant to Article 46 of the GDPR and provided further that the Services are covered by the certification, if applicable;
(c) the EU 2021 Standard Contractual Clauses (insofar as their use constitutes an “appropriate safeguard” under Article 46 of the GDPR); or
(d) any other lawful data transfer mechanism, as laid down in Chapter 5 of the GDPR, as the case may be.
1.6. In the event that a Restricted Transfer of EEA Personal Data can be covered by more than one transfer mechanism under Section 1.5 of these Jurisdictional Terms, the transfer of Personal Data will be subject to a single transfer mechanism in accordance with the order of precedence set forth in Section 1.5. For the avoidance of doubt, the EU 2021 Standard Contractual Clauses shall not apply to any Restricted Transfer of EEA Personal Data covered by Techsol’s EU-U.S. Data Privacy Framework certification or similar self-certification, as described in Section 1.5(b).
1.7. EU 2021 Standard Contractual Clauses:
(a) These Jurisdictional Terms hereby incorporate by reference the EU 2021 Standard Contractual Clauses (updated from time to time if required by law or at the choice of SciMax to reflect the latest version promulgated by the European Commission). The Parties are deemed to have accepted, executed, and signed the EU 2021 Standard Contractual Clauses where necessary, in their entirety (including the annexes thereto).
(b) The content of Annex I and Annex II of the EU 2021 Standard Contractual Clauses is set forth in Exhibit A of the Addendum. The content of Annex III of the EU 2021 Standard Contractual Clauses is set forth at: https://scimaxglobal.com/jurisdiction-specific-terms.
(c) The text contained in Annex I to these Jurisdictional Terms supplements the EU 2021 Standard Contractual Clauses.
(d) The Parties agree to apply the following modules:
(i) Module Two of the EU 2021 Standard Contractual Clauses when, in accordance with Section 3.1 of the Addendum, Client acts as the “data exporter” and Controller and SciMax acts as the “data importer” and Processor; and
(ii) Module Three of the EU 2021 Standard Contractual Clauses when, in accordance with Section 3.1 of the Addendum, Client acts as the “data exporter” and Processor and SciMax acts as the “data importer” and sub-Processor.
(e) For purposes of Annex I.A:
(i) The Parties have provided each other with the identity and contact information required under Annex I.A.
(ii) The Parties’ controllership roles are set forth in Section 3.1 of the Addendum.
(f) With respect to Clause 9 of the EU 2021 Standard Contractual Clauses, the Parties select “Option 2: General Written Authorization” and the time period set forth in Section 6.3 of the Addendum.
(g) For purposes of Annex I.C and with respect to Clause 13 of the EU 2021 Standard Contractual Clauses:
(i) where Client is established in an EU Member State, the competent supervisory authority shall be the authority for the EU Member State in which Client is established, as indicated in Section 17 of Exhibit A of the Addendum;
(ii) where Client is not established in an EU Member State, but has appointed a representative in an EU Member State pursuant to Article 27(1) of the GDPR, the competent supervisory authority shall be the authority for the EU Member State in which such representative has been appointed, as indicated in Section 18 of Exhibit A of the Addendum; or
(iii) where Client is not established in an EU Member State and has not appointed a representative in an EU Member State pursuant to Article 27(1) of the GDPR, the competent supervisory authority shall be as indicated in Section 19 of Exhibit A of the Addendum.
(h) With respect to Clause 17 of the EU 2021 Standard Contractual Clauses, the Parties select “Option 2”. The EU 2021 Standard Contractual Clauses shall accordingly be governed by the law of the EU Member State in which Client is established, as indicated in Section 17 of Exhibit A of the Addendum. Where such law does not allow for third-party beneficiary rights, the EU 2021 Standard Contractual Clauses shall be governed by the law of the Republic of Ireland.
(i) With respect to Clause 18 of the EU 2021 Standard Contractual Clauses, the Parties agree that any dispute arising from the Standard Contractual Clauses shall be resolved by the courts of the Republic of Ireland.
1.8. To the extent that the EU 2021 Standard Contractual Clauses are applicable to a Restricted Transfer of EEA Personal Data, SciMax shall, if necessary, implement additional safeguards to ensure an adequate level of protection, as required by Applicable Laws.
1.9. In cases where the EU 2021 Standard Contractual Clauses apply, and there is a conflict between the terms of the Addendum, these Jurisdictional Terms, and the terms of the EU 2021 Standard Contractual Clauses, the terms of the EU 2021 Standard Contractual Clauses shall control. For purposes of clarity, terms in the Addendum or these Jurisdictional Terms that supplement, but do not directly contradict or frustrate the purpose of the terms of the EU 2021 Standard Contractual Clauses, shall not be deemed as creating a conflict.
1.10. The European Union Representative of SciMax, pursuant to Article 27 of the GDPR:
VeraSafe Ireland Ltd
Unit 3D North Point House
North Point Business Park
New Mallow Road
Cork T23AT2P
Ireland
Contact Form: https://www.verasafe.com/privacy-services/contact-article-27-representative
Tel: +420 228 881 031
2. United Kingdom.
2.1. “Applicable Laws” (as used in the Addendum) includes UK Data Protection Law (as defined below).
2.2. “Third Country” (as used in this Section) means a country outside of the United Kingdom.
2.3. “UK Addendum” means the International Data Transfer Addendum to the EU 2021 Standard Contractual Clauses, issued by the UK Information Commissioner, Version B1.0, in force as of 21 March 2022, as amended from time to time.
2.4. “UK Data Protection Law” means the UK Data Protection Act 2018 and the UK GDPR.
2.5. “UK GDPR” means Regulation (EU) 2016/679 as has been amended and adopted to form a part of the law of England and Wales, Scotland, and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal Agreement) Act 2020.
2.6. “UK Restricted Transfer” includes any transfer of Client Personal Data subject to the Applicable Laws (including data storage in foreign servers) which is undergoing Processing or is intended for Processing after transfer to a Third Country (as defined above) or an international organization.
2.7. With regard to any UK Restricted Transfer from Client to SciMax within the scope of the Addendum and which is regulated by the Applicable Laws, one of the following Personal Data transfer mechanisms shall apply, in the following order of precedence:
(a) a valid adequacy decision adopted pursuant to Article 45 of the UK GDPR that provides that the Third Country to which the Client Personal Data is to be transferred, a territory or one or more specified sectors within that Third Country, or the international organization in question to which Client Personal Data is to be transferred, ensures an adequate level of data protection;
(b) Techsol’s EU-U.S. Data Privacy Framework certification, or any successor to the Data Privacy Framework, only to the extent that any such certification constitutes an “appropriate safeguard” pursuant to the UK GDPR and that the Client Personal Data transferred to Techsol is covered by the certification, if applicable;
(c) the EU 2021 Standard Contractual Clauses using the UK Addendum to the EU 2021 Standard Contractual Clauses, insofar as their use constitutes an “appropriate safeguard” under UK Data Protection Law; or
(d) any other lawful basis, as laid down in UK Data Protection Law.
2.8. In the event that a UK Restricted Transfer can be covered by more than one transfer mechanism under Section 2.7 of these Jurisdictional Terms, the transfer of Client Personal Data will be subject to a single transfer mechanism in accordance with the order of precedence set forth in Section 2.7. For the avoidance of doubt, the EU 2021 Standard Contractual Clauses shall not apply to any UK Restricted Transfer covered by Techsol’s EU-U.S. Data Privacy Framework certification or similar self-certification, as described in Section 2.7(b) above.
2.9. EU 2021 Standard Contractual Clauses:
(a) These Jurisdictional Terms hereby incorporate by reference the EU 2021 Standard Contractual Clauses and the UK Addendum. The Parties are deemed to have accepted, executed, and signed the EU 2021 Standard Contractual Clauses and the UK Addendum where necessary, in their entirety (including the annexes thereto).
(b) The content of Annex I and Annex II of the EU 2021 Standard Contractual Clauses and the tables of the UK Addendum are set forth in Exhibit A of the Addendum. The content of Annex III of the EU 2021 Standard Contractual Clauses is set forth at: https://scimaxglobal.com/jurisdiction-specific-terms.
(c) The text contained in Annex I to these Jurisdictional Terms supplements the EU 2021 Standard Contractual Clauses.
(d) The Parties agree to apply the following modules:
(i) Module Two of the EU 2021 Standard Contractual Clauses when, in accordance with Section 3.1 of the Addendum, Client acts as the “data exporter” and Controller and SciMax acts as the “data importer” and Processor; and
(ii) Module Three of the EU 2021 Standard Contractual Clauses when, in accordance with Section 3.1 of the Addendum, Client acts as the “data exporter” and Processor and SciMax acts as the “data importer” and sub-Processor.
(e) For purposes of Annex I.A and the UK Addendum:
(i) The Parties have provided each other with the identity and contact information required under Annex I.A.
(ii) The Parties’ controllership roles are set forth in Section 3.1 of the Addendum.
(f) With respect to Clause 9 of the EU 2021 Standard Contractual Clauses, the Parties select “Option 2: General Written Authorization” and the time period set forth in Section 6.3 of the Addendum.
2.10. The Parties agree that neither Party may end the UK Addendum as set out in Section 19 of the UK Addendum.
2.11. To the extent that the EU 2021 Standard Contractual Clauses are applicable to a UK Restricted Transfer, SciMax shall, if necessary, implement additional safeguards to ensure an adequate level of protection, as required by UK Data Protection Law.
2.12. In cases where the EU 2021 Standard Contractual Clauses apply, and there is a conflict between the terms of the Addendum, these Jurisdictional Terms, and the terms of the Standard Contractual Clauses, the terms of the Standard Contractual Clauses shall control. For purposes of clarity, terms in the Addendum or these Jurisdictional Terms that supplement, but do not directly contradict or frustrate the purposes of the terms of the Standard Contractual Clauses, shall not be deemed as creating a conflict.
2.13. The United Kingdom Representative of SciMax, pursuant to Article 27 of the UK GDPR:
VeraSafe United Kingdom
37 Albert Embankment
London
SE1 7TL
United Kingdom
Contact Form: https://www.verasafe.com/privacy-services/contact-article-27-representative
Tel: +44 (20) 4532 2003
3. Switzerland.
3.1. “Applicable Laws” (as used in the Addendum) includes Swiss Data Protection Law.
3.2. “Controller” (as used in the Addendum) includes “Controller of the Data File” as defined under the FADP.
3.3. “Personal Data” (as used in the Addendum) includes “Personal Data” as defined under the FADP.
3.4. “Processing” (as used in the Addendum) includes “Processing” as defined under the FADP.
3.5. “Restricted Transfer of Swiss Personal Data” (as used in this Section) means any transfer of Client Personal Data (including data storage in foreign servers) subject to the FADP to a Third Country (as defined below) or an international organization.
3.6. “Swiss Data Protection Law” includes the Federal Act on Data Protection of 19 June 1992 (“FADP”) and the Ordinance to the Federal Act on Data Protection (“OFADP”), as may be amended from time to time.
3.7. “Swiss Standard Contractual Clauses” means the EU 2021 Standard Contractual Clauses (as defined in Section 1 of these Jurisdictional Terms), provided that those clauses are the standard data protection clauses approved for Restricted Transfers of Swiss Personal Data, pursuant to the FADP.
3.8. “Third Country” (as used in this Section) means a country outside of the Swiss Confederation.
3.9. With regard to any Restricted Transfer of Swiss Personal Data from the Client to SciMax within the scope of these Jurisdictional Terms and which is regulated by Swiss Data Protection Law, one of the following transfer mechanisms shall apply, in the following order of precedence:
(a) the inclusion of the Third Country, a territory or one or more specified sectors within that Third Country, or the international organization in question to which Client Personal Data is to be transferred in the list published by the Swiss Federal Data Protection and Information Commissioner of states that provide an adequate level of protection for Client Personal Data within the meaning of the Swiss Data Protection Law;
(b) Techsol’s Swiss-U.S. Data Privacy Framework certification, or any successor to the Data Privacy Framework, only to the extent that any such certification constitutes a valid data transfer mechanism pursuant to the Swiss Data Protection Law and that the Services are covered by the certification, if applicable;
(c) the Swiss Standard Contractual Clauses (insofar as their use constitutes an “appropriate safeguard” under Swiss Data Protection Law); or
(d) any other lawful transfer mechanism, as laid down in the Swiss Data Protection Law, as the case may be.
3.10. In the event that a Restricted Transfer of Swiss Personal Data can be covered by more than one transfer mechanism under Section 3.9 of these Jurisdictional Terms, the transfer of Client Personal Data will be subject to a single transfer mechanism in accordance with the order of precedence set forth in Section 3.9. For the avoidance of doubt, the Swiss Standard Contractual Clauses shall not apply to any Restricted Transfer of Swiss Personal Data covered by Techsol’s Swiss-U.S. Data Privacy Framework certification or similar self-certification, as described in Section 3.9(b).
3.11. Swiss Standard Contractual Clauses:
(a) These Jurisdictional Terms hereby incorporate by reference the Swiss Standard Contractual Clauses. The Parties are deemed to have accepted, executed, and signed the Swiss Standard Contractual Clauses where necessary, in their entirety (including the annexes thereto).
(b) The content of Annex I and Annex II of the Swiss Standard Contractual Clauses is set forth in Exhibit A of the Addendum. The content of Annex III of the Swiss Standard Contractual Clauses is set forth at: https://test.scimaxglobal.com/scimax-data-subprocessors.
(c) The text contained in Annex I to these Jurisdictional Terms supplements the Swiss Standard Contractual Clauses.
(d) The Parties agree to apply the following modules:
(i) Module Two of the Swiss Standard Contractual Clauses when, in accordance with Section 3.1 of the Addendum, Client acts as the “data exporter” and Controller and SciMax acts as the “data importer” and Processor; and
(ii) Module Three of the Swiss Standard Contractual Clauses when, in accordance with Section 3.1 of the Addendum, Client acts as the “data exporter” and Processor and SciMax acts as the “data importer” and sub-Processor.
(e) For purposes of Annex I.A:
(i) The Parties have provided each other with the identity and contact information required under Annex I.A.
(ii) The Parties’ controllership roles are set forth in Section 3.1 of the Addendum.
(f) With respect to Clause 9 of the Swiss Standard Contractual Clauses, the Parties select “Option 2: General Written Authorization” and the time period set forth in Section 6.3 of the Addendum.
(g) For purposes of Annex I.C and with respect to Clause 13 of the Swiss Standard Contractual Clauses, the competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner, insofar as the data transfer constitutes a Restricted Transfer of Swiss Personal Data.
(h) With respect to Clause 17 of the Swiss Standard Contractual Clauses, the Parties select the law of the Republic of Ireland.
(i) With respect to Clause 18 of the Swiss Standard Contractual Clauses, the Parties agree that any dispute arising from the Swiss Standard Contractual Clauses shall be resolved by the courts of the Republic of Ireland. The Parties choose the Swiss courts as an alternative place of jurisdiction for Data Subjects habitually resident in Switzerland.
3.12. The term “member state” in the Swiss Standard Contractual Clauses must not be interpreted in such a way as to exclude Data Subjects from Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Swiss Standard Contractual Clauses.
3.13. The Swiss Standard Contractual Clauses also protect the data of legal entities until entry into force of the revised FADP.
3.14. In cases where the Swiss Standard Contractual Clauses apply, and there is a conflict between the terms of the Addendum, these Jurisdictional Terms, and the terms of the Swiss Standard Contractual Clauses, the terms of the Swiss Standard Contractual Clauses shall control. For the purpose of clarity, terms in the Addendum or these Jurisdictional Terms that supplement, but do not directly contradict or frustrate the purpose of the terms of the Swiss Standard Contractual Clauses, shall not be deemed as creating a conflict.
4. California.
4.1. “Applicable Laws” (as used in the Addendum) includes the California Consumer Privacy Act of 2018, Assembly Bill 375 of the California House of Representatives, an act to add Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, relating to privacy and approved by the California Governor on June 28, 2018 (“CCPA”) and the California Consumer Privacy Act Regulations (“CCPA Regulations”) as may be amended from time to time.
4.2. “Business Purpose” (as used in this Section) shall have the same meaning as in the CCPA.
4.3. “Commercial Purpose” (as used in this Section) shall have the same meaning as in the CCPA.
4.4. “Controller” (as used in the Addendum) includes “Business” as defined under the CCPA.
4.5. “Data Subject” (as used in the Addendum) includes “Consumer” as defined under the CCPA.
4.6. “Personal Data” (as used in the Addendum) includes “Personal Information” as defined under the CCPA.
4.7. “Personal Data Breach” (as used in the Addendum) includes “Breach of the Security of the System” as defined under the CCPA.
4.8. “Processor” (as used in the Addendum) includes “Service Provider” as defined under the CCPA.
4.9. Client discloses Client Personal Data to SciMax solely for:
(i) valid Business Purposes; and
(ii) to enable SciMax to perform the Services.
4.10. SciMax shall not: (i) sell Client Personal Data; (ii) retain, use or disclose Client Personal Data for a Commercial Purpose other than providing the Services specified in the Service Agreement or as otherwise permitted by the CCPA; nor (iii) retain, use, or disclose Client Personal Data except where permitted under the Service Agreement between Client and SciMax. SciMax certifies that it understands these restrictions and will comply with them.
5. Virginia.
5.1. “Applicable Laws” (as used in the Addendum) includes the Virginia Consumer Data Protection Act, Va. Code Ann. §§ 59.1-571 to 59.1-581, relating to privacy and approved by the Virginia Governor on March 2, 2021 (“VCDPA”).
5.2. “Controller” (as used in this Addendum) includes “Controller” as defined under the VCDPA.
5.3. “Data Subject” (as used in this Addendum) includes “Data Subject” as defined under the VCDPA.
5.4. “Personal Data” (as used in this Addendum) includes “Personal Data” as defined under the VCDPA.
5.5. “Personal Data Breach” (as used in this Addendum) includes “Breach of the Security of the System” as defined in § 18.2-186.6 of Article 5 of Chapter 6 of Title 18.2 of the Code of Virginia.
5.6. “Processor” (as used in this Addendum) includes “Processor” as defined under the VCDPA.
5.7. Client discloses Client Personal Data to Techsol solely for the purposes set out in this Addendum and Service Agreement, including but not limited to, enabling Techsol to perform the Services.
5.8. Techsol shall not:
(i) sell Client Personal Data;
(ii) retain, use or disclose Client Personal Data for a purpose other than providing the Services specified in the Service Agreement or as otherwise permitted by the VCDPA; nor
(iii) retain, use, or disclose Client Personal Data except where permitted under the Service Agreement between Client and Techsol. Techsol certifies that it understands these restrictions and will comply with them.
6. Canada.
6.1. “Applicable Laws” (as used in the Addendum) includes the Canadian Federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) and, when in full force and effect, the Canadian Consumer Privacy Protection Act (“CPPA”).
6.2. “Personal Data” (as used in the Addendum) includes “Personal Information” as defined under PIPEDA.
6.3. “Personal Data Breach” (as used in the Addendum) includes “Breach of Security Safeguards” as defined under PIPEDA.
6.4. “Subprocessor” (as used in the Addendum) includes “Third Party Organization” as defined under PIPEDA and “Service Providers” as defined under CPPA.
7. Brazil.
7.1. “Applicable Laws” (as used in the Addendum) includes the Lei Geral de Proteção de Dados, Law No. 13.709 of 14 August 2018 (“LGPD”), Brazil’s General Data Protection Law.
7.2. “Brazilian Personal Data” (as used in this Section) means Personal Data Processed by SciMax on behalf of the Client, where such Processing is regulated by the LGPD.
7.3. Each Party is responsible for fulfilling its respective obligations as set out in the LGPD with respect to the Processing of Brazilian Personal Data.
7.4. Deletion over the duration of the Service Agreement: SciMax shall comply with any reasonable request from the Client during the term of the Service Agreement to delete Brazilian Personal Data.
7.5. Deletion on expiry of the Service Agreement: Upon the termination of the Service Agreement, Client may instruct SciMax to delete all Brazilian Personal Data (including any copies) from SciMax’s systems. SciMax shall comply with this instruction as soon as reasonably practicable.
7.6. Verifying Compliance: SciMax shall assist the Client in verifying SciMax’s compliance with the Client’s written instructions, its obligations under the Addendum, and the obligations applicable to SciMax under the LGPD with respect to Processing Brazilian Personal Data. SciMax shall do so by making security documentation available for review by the Client, providing information contained in the Addendum, and providing, or otherwise making available, other materials concerning the nature of the Services stated in the Service Agreement and the Processing of Brazilian Personal Data.
Annex I
SUPPLEMENTAL CLAUSES TO THE STANDARD CONTRACTUAL CLAUSES
By this Annex I (this “Annex”), the Parties provide additional safeguards and redress to the Data Subjects whose Personal Data is transferred to Service Provider pursuant to the EU 2021 Standard Contractual Clauses (the “Standard Contractual Clauses” for purposes of this Annex). This Annex supplements and is made part of, but is not in variation or modification of, the Standard Contractual Clauses that may be applicable to the Restricted International Transfer.
1. Applicability of this Annex.
1.1. This Annex only applies with respect to Restricted International Transfers when the Standard Contractual Clauses apply to such Restricted International Transfers pursuant to the Addendum and the Jurisdictional Terms.
2. Definitions.
2.1. For the purpose of interpreting this Annex, the following terms shall have the meanings set out below:
(a) “Data Importer” and “Data Exporter” shall have the same meaning assigned to them in the Jurisdictional Terms.
(b) “Disclosure Request” means any request from a law enforcement authority or other governmental authority with competent authority and jurisdiction over the Data Importer for disclosure of Client Personal Data processed under the Addendum.
(c) “EO 12333” means the U.S. Executive Order 12333.
(d) “FISA” means the U.S. Foreign Intelligence Surveillance Act.
(e) “Restricted International Transfer” means any transfer of Client Personal Data subject to Applicable Laws to a Third Country (as defined in the Jurisdictional Terms for each type of Restricted International Transfer) or an international organization in a Third Country (including data storage on foreign servers).
(f) “Schrems II Judgment” means the judgment of the European Court of Justice in Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximilian Schrems.
3. Applicability of Surveillance Laws to Data Importer and its Subprocessors
3.1. U.S. surveillance laws
(a) Data Importer represents and warrants that, as of the Effective Date, it has not received any national security orders of the type described in Paragraphs 150-202 of the Schrems II Judgment.
(b) Data Importer represents that it reasonably believes that it is not eligible to be required to provide information, facilities, or assistance of any type under FISA Section 702 because:
i. No court has found Data Importer to be an entity eligible to receive legal process issued under FISA Section 702, namely (i) an “electronic communication service provider” within the meaning of 50 U.S.C. § 1881(b)(4); or (ii) an entity belonging to any of the categories of entities described within that definition.
ii. If Data Importer were to be found eligible for process under FISA Section 702, which it believes it is not, it is nevertheless also not the type of provider that is eligible to be subject to UPSTREAM collection pursuant to FISA Section 702, as described in paragraphs 62 and 179 of the Schrems II Judgment.
(c) EO 12333 does not provide the U.S. government the ability to order or demand that Data Importer provide assistance for the bulk collection of information, and Data Importer shall take no action pursuant to U.S. Executive Order 12333.
3.2. General provisions about surveillance laws applicable to Data Importer
(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination of Client Personal Data applicable to the Processing of Client Personal Data by Data Importer, including any requirements to disclose Client Personal Data or measures authorizing access by public authorities, prevent Data Importer from fulfilling its obligations under the Standard Contractual Clauses (where applicable).
(b) Data Importer commits to provide upon request information about the laws and regulations in the destination countries of the transferred Client Personal Data applicable to Data Importer and the Subprocessors directly contracted by Data Importer that would permit access by public authorities to the transferred Client Personal Data, in particular in the areas of intelligence, law enforcement, or administrative and regulatory supervision applicable to the transferred Client Personal Data. In the absence of laws governing the public authorities’ access to Client Personal Data, Data Importer shall provide Data Exporter with information and statistics based on the experience of Data Importer and reports from various sources (such as partners, open sources, national case law, and decisions from oversight bodies) on access by public authorities to Personal Data in a situation of the kind of the data transfer at hand. Data Importer providing the information referred to in this subparagraph may choose the means to provide the information.
(c) Data Importer shall monitor any legal or policy developments that might lead to its inability to comply with its obligations under the Standard Contractual Clauses and this Annex, and promptly inform Data Exporter of any such changes and developments. When possible, Data Importer shall inform Data Exporter of any such changes and developments ahead of their implementation.
4. Obligation on Data Importer Related to Disclosure Requests
4.1. In the event Data Importer receives a Disclosure Request, Data Importer shall:
(a) Promptly (and, when possible, before disclosing the transferred Client Personal Data to the public authority) notify Data Exporter of the Disclosure Request, and, where possible, the Data Subject, unless prohibited by law, or, if so prohibited from notifying Data Exporter, use all lawful efforts to obtain the right to waive the prohibition to communicate information relating to the Disclosure Request to Data Exporter as soon as possible. This includes, but is not limited to, informing the requesting public authority of the incompatibility of the Disclosure Request with the safeguards contained in the Standard Contractual Clauses and the resulting conflict of obligations for Data Importer, and documenting this communication.
(b) Ask the public authority that issued the Disclosure Request to redirect its request to the Data Exporter, so that Data Exporter controls the conduct of the disclosure.
(c) Use all lawful efforts to challenge the Disclosure Request on the basis of any legal deficiencies under the laws of the requesting party or any relevant conflicts with the law of the European Union, applicable EEA Member State law, or any other Applicable Laws, and demand that the public authority seek to obtain such information via co-operation with government bodies in each jurisdiction (such as using an established treaty or other mechanism that allows government-to-government sharing of information).
(d) Seek interim measures with a view to suspend the effects of the Disclosure Request until a competent court has decided on the merits.
(e) Not disclose the requested Client Personal Data until required to do so under the applicable procedural rules.
(f) Provide the minimum amount of information permissible when responding to the request, based on a reasonable interpretation of the request.
(g) Document all the steps taken by Data Importer related to the Disclosure Request.
4.2. For the purposes of this Section, lawful efforts do not include actions that would result in civil or criminal penalty, such as contempt of court under the laws of the relevant jurisdiction.
5. Information on Requests for Personal Data by Public Authorities
5.1. Data Importer commits to provide Data Exporter with sufficiently detailed information on all requests for Personal Data by public authorities which Data Importer has received over a specified period of time (if any), in particular in the areas of intelligence, law enforcement, and administrative and regulatory supervision applicable to the transferred data, comprising information about the requests received, the data requested, the requesting body, the legal basis for disclosure, and the extent to which Data Importer has disclosed the requested Personal Data. Data Importer may choose the means to provide this information.
6. Backdoors
6.1. Data Importer certifies that:
(a) It has not purposefully created backdoors or similar programming for governmental agencies that could be used to access Data Importer’s Systems or Client Personal Data subject to the Standard Contractual Clauses.
(b) It has not purposefully created or changed its business processes in a manner that facilitates governmental access to Client Personal Data or systems.
(c) National law or government policy does not require Data Importer to create or maintain backdoors or to facilitate access to Client Personal Data or systems.
6.2. Data Exporter will be entitled to terminate the contract on short notice in cases in which Data Importer does not reveal the existence of a backdoor or similar programming or manipulated business processes or any requirement to implement any of these, or fails to promptly inform Data Exporter once their existence comes to its knowledge.
7. Information About Legal Prohibitions
7.1. Data Importer will provide Data Exporter information about the legal prohibitions on Data Importer to provide information under this Annex. Data Importer may choose the means to provide this information.
8. Additional Measures to Prevent Authorities from Accessing Client Personal Data
8.1. Notwithstanding the application of the security measures set forth in the Addendum, Data Importer will implement the following technical, organizational, administrative, and physical measures designed to protect the transferred Client Personal Data:
(a) Encryption of the transferred Client Personal Data in transit using the Transport Layer Security (TLS) protocol version 1.2 or higher with a minimum of 128-bit encryption;
(b) Encryption at rest within software applications used by Data Importer using a minimum of AES-256;
(c) Active monitoring and logging of network and database activity for potential security events, including intrusion;
(d) Regular scanning and monitoring of Data Importer’s software applications and IT systems for vulnerabilities and for any unauthorized software;
(e) Restriction of physical and logical access to IT systems that Process transferred Client Personal Data to those officially authorized persons with an identified need for such access;
(f) Firewall protection of external points of connectivity in Data Importer’s network architecture;
(g) Expedited patching of known exploitable vulnerabilities in the software applications and IT systems used by Data Importer; and
(h) Internal policies establishing that:
i. Where Data Importer is prohibited by law from notifying Data Exporter or the Data Subject of a request or order from a public authority for transferred Client Personal Data, Data Importer shall take into account the laws of other jurisdictions and use best efforts to request that any confidentiality requirements be waived to enable it to notify the competent Supervisory Authorities;
ii. Data Importer must require an official, signed document issued pursuant to the applicable laws of the requesting third party before it will consider a request for access to transferred Client Personal Data;
iii. Data Importer’s senior legal team and corporate management shall be notified upon receipt of each request or order for transferred Client Personal Data;
iv. Data Importer shall scrutinize every request for legal validity and, as part of that procedure, will reject any request Data Importer considers to be invalid;
v. If Data Importer is legally required to comply with an order, it will respond as narrowly as possible to the specific request; and
vi. If Data Importer receives a request from public authorities to cooperate on a voluntary basis, Client Personal Data transmitted in plain text may only be provided to public authorities with the express agreement of Data Exporter.
9. Inability to Comply with this Annex and the Standard Contractual Clauses
9.1. If Data Importer determines that it is no longer able to comply with its contractual commitments under this Annex, Data Exporter can swiftly suspend the transfer of Client Personal Data and/or terminate the Service Agreement.
9.2. If Data Importer determines that it can no longer comply with the Standard Contractual Clauses or this Annex, Data Importer shall return or delete Client Personal Data received. If returning or deleting Client Personal Data received is not possible, Data Importer must securely encrypt the data without waiting for Data Exporter’s instructions.
9.3. Data Importer shall provide the Data Exporter with sufficient indications to exercise its duty to suspend or end the transfer of Client Personal Data and/or terminate the Service Agreement.
10. Termination
10.1. This Annex shall automatically terminate with respect to the Processing of Client Personal Data transferred in reliance on the Standard Contractual Clauses if the European Commission or a competent regulator approves a different transfer mechanism that would be applicable to the Restricted International Transfers covered by the Standard Contractual Clauses (and if such mechanism applies only to some of the data transfers, this Annex will terminate only with respect to those transfers) and that does not require the additional safeguards set forth in this Annex.