Data Processing Agreement (DPA)
CAMEYO, INC.
DATA PROCESSING ADDENDUM
Last Updated: June 13, 2024
This Data Processing Addendum (“Addendum”), including its appendices, is incorporated into the Cameyo Master Services Agreement (“MSA”) by and between Cameyo, Inc. (the “Company”) and Client (as defined in the Agreement). Company and Client shall be referred to together as the “parties” and each, a “party.” The MSA, any exhibits attached thereto and this Addendum shall be collectively referred to in this Addendum as the “Agreement”.
1. Commencement
This Addendum describes the parties’ obligations, including under applicable privacy, data security, and data protection laws, with respect to the processing and security of Customer Data (as defined below). This Addendum will be effective on the Addendum Effective Date (as defined below), and will replace any data processing, security and/or privacy terms previously applicable to the Services and/or Software.
2. Definitions
Capitalized terms defined in the MSA apply to this Amendment. In addition, in this Addendum:
“Addendum Effective Date” means the date on which Client accepted, or the parties otherwise agreed to, this Addendum.
“Adequate Country” means:
(a) for data processed subject to the EU GDPR: the European Economic Area, or a country or territory recognized as ensuring adequate protection under the EU GDPR;
(b) for data processed subject to the UK GDPR: the UK, or a country or territory recognized as ensuring adequate protection under the UK GDPR and the Data Protection Act 2018; or
(c) for data processed subject to the Swiss FADP: Switzerland, or a country or territory that is: (i) included in the list of the states whose legislation ensures adequate protection as published by the Swiss Federal Data Protection and Information Commissioner, if applicable; or (ii) recognized as ensuring adequate protection by the Swiss Federal Council under the Swiss FADP;
in each case, other than on the basis of an optional data protection framework.
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a party.
“Alternative Transfer Solution” means a solution, other than SCCs, that enables the lawful transfer of personal data to a third country in accordance with European Data Protection Law, for example a data protection framework recognized as ensuring that participating entities provide adequate protection.
“Applicable Privacy Law” means, as applicable to the processing of Customer Personal Data, any national, federal, European Union, state, provincial or other privacy, data security, or data protection law or regulation.
“Customer Data” means data provided to Company by Client or its End Users through use of the Services and Software, and any unique output data that the Services or Software generate for Client or its End Users, derived from that data.
“Customer Personal Data” means the personal data contained within the Customer Data, including any special categories of personal data defined under European Data Protection Law.
“Data Incident” means a breach of Company’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data while processed by Company personnel or Subprocessors under the Agreement.
“Data Subject Request” means requests to exercise data privacy rights under Applicable Privacy Law, including the right to access, delete, correct, and opt-out and object to certain processing, sale or sharing of personal data.
“EEA” means the European Economic Area.
“EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
“European Data Protection Law” means, as applicable: (a) the GDPR; and/or (b) the Swiss FADP.
“European Law” means, as applicable: (a) EU or EU Member State law (if the EU GDPR applies to the processing of Customer Personal Data); (b) the law of the UK or a part of the UK (if the UK GDPR applies to the processing of Customer Personal Data); or (c) the law of Switzerland (if the Swiss FADP applies to the processing of Customer Personal Data).
“GDPR” means, as applicable: (a) the EU GDPR; and/or (b) the UK GDPR.
“Instructions” has the meaning given in Section 5.2.1 (Client Instructions)
“Non-European Data Protection Law” means data protection or privacy laws in force outside the EEA, Switzerland and the UK.
“SCCs” means the module 2 controller-to-processor standard contractual clauses for the transfer of personal data to third countries that do not ensure an adequate level of data protection, as approved by the European Commission decision 2021/914, dated 4 June 2021, and which are incorporated in this Addendum and available at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj.
“Security Measures” has the meaning given in Section 7.1.1 (Company Security Measures).
“Subprocessor” means a third party authorized as another processor under Section 10 (Subprocessors) to have access to and process Customer Personal Data to provide parts of the Service and/or Software in connection with the Agreement.
“Swiss FADP” means, as applicable, the Federal Data Protection Act of 19 June 1992 (Switzerland) (with the Ordinance to the Federal Act on Data Protection of 14 June 1993) or the revised Federal Act on Data Protection of 25 September 2020 (Switzerland) (with the Ordinance to the Federal Act on Data Protection of 31 August 2022).
“UK” means the United Kingdom of Great Britain and Northern Ireland.
“UK GDPR” means the EU GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018, and applicable secondary legislation made under that Act.
“UK SCC Addendum” means the International Data Transfer Addendum to the SCCs, in force 21 March 2022, which is incorporated in this DPA and available on the UK Information Commissioner’s Office website at https://ico.org.uk/media/fororganisations/documents/4019539/international-data-transfer-addendum.pdf.
The terms “personal data”, “data subject”, “processing”, “controller”, “processor” and “supervisory authority” as used in this Addendum have the meanings given in the GDPR irrespective of whether European Data Protection Law or Non-European Data Protection Law applies.
3. Duration
Regardless of whether the MSA has terminated or expired, this Addendum will remain in effect until and automatically expire when Client revokes Company’s access to Customer Personal Data or when Company deletes such data as described in this Addendum (whichever occurs first).
4. Scope of Data Protection Law
4.1. Application of European Law. The parties acknowledge that European Data Protection Law will apply to the processing of Customer Personal Data if, for example:
(a) the processing is carried out in the context of the activities of an establishment of Client in the territory of the EEA or the UK; and/or
(b) the Customer Personal Data is personal data relating to data subjects who are in the EEA or the UK and the processing relates to the offering to them of goods or services in the EEA or the UK or the monitoring of their behavior in the EEA or the UK.
4.2. Application of Non-European Law. The parties acknowledge that Non-European Data Protection Law may also apply to the processing of Customer Personal Data.
4.3. Application of Terms. Except to the extent this Addendum states otherwise, this Addendum will apply irrespective of whether European Data Protection Law or Non-European Data Protection Law applies to the processing of Customer Personal Data.
5. Processing of Data
5.1. Roles and Regulatory Compliance; Authorization.
5.1.1. Processor and Controller Responsibilities. If European Data Protection Law applies to the processing of Customer Personal Data:
(a) the subject matter and details of the processing are described in Annex 1;
(b) Company is a processor of that Customer Personal Data under European Data Protection Law;
(c) Client is a controller or processor, as applicable, of that Customer Personal Data under European Data Protection Law; and
(d) each party will comply with the obligations applicable to it under European Data Protection Law with respect to the processing of that Customer Personal Data.
5.1.2. Authorization by Third Party Controller. If European Data Protection Law applies to the processing of Customer Personal Data and Client is a processor:
(a) Client warrants on an ongoing basis that the relevant controller has authorized: (i) the Instructions, (ii) Client’s appointment of Company as another processor, and (iii) Company’s engagement of Subprocessors as described in Section 10 (Subprocessors);
(b) Client will immediately forward to the relevant controller any notice provided by Company under Sections 5.2.2 (Instruction Notifications), 7.2.1 (Data Incidents) or 10.1 (Subprocessors) or that refers to any SCCs; and
(c) Client may make available to the relevant controller any information made available by Company under Section 10 (Subprocessors).
5.1.3. Responsibilities under Non-European Law. If Non-European Data Protection Law applies to either party’s processing of Customer Personal Data, the relevant party will comply with any obligations applicable to it under that law with respect to the processing of that Customer Personal Data.
5.2. Scope of Processing.
5.2.1. Client Instructions. Unless prohibited by European Law, Company and its Affiliates shall process Customer Personal Data on the documented instructions of Client and only for the limited and specified purposes described in Annex 1, except for processing that is required by laws applicable to the Company (collectively, the “Instructions”).
5.2.2. Instruction Notifications. Company will immediately notify Client if, in Company’s opinion: (a) European Law prohibits Company from complying with an Instruction; (b) an Instruction does not comply with European Data Protection Law; or (c) Company is otherwise unable to comply with an Instruction, in each case unless such notice is prohibited by European Law. This Section does not reduce either party’s rights and obligations elsewhere in the Agreement.
6. Return or Deletion of Customer Personal Data
Upon expiration or termination of the MSA, Client may instruct Company to return or delete all remaining Customer Personal Data (including existing copies) from Company’s systems in accordance with applicable law. After a recovery period of up to 30 days from the date of receipt of this Instruction, Company will comply as soon as reasonably practicable and within a maximum period of 180 days, unless European Law requires storage.
7. Data Security
7.1. Security Measures, Controls and Assistance.
7.1.1. Company Security Measures. Company will implement and maintain technical and organizational measures to protect Customer Personal Data on Company’s infrastructure against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Annex 2 (the “Security Measures”).
7.1.2. Access and Compliance. Company will: (a) authorize its and its Affiliates’ employees, contractors and Subprocessors, to access Customer Personal Data only as strictly necessary to comply with the Instructions; (b) take appropriate steps to ensure its and its Affiliates’ compliance with the Security Measures by its employees, contractors, and Subprocessors to the extent applicable to their scope of performance, and (c) ensure that all persons authorized to process Customer Personal Data are under an obligation of confidentiality.
7.1.3.Security Assistance. Company will (taking into account the nature of the processing of Customer Personal Data and the information available to Company) assist Client in ensuring compliance with its (or, where Client is a processor, the relevant controller’s) obligations under Articles 32 to 34 of the GDPR, by:
(a) implementing and maintaining the Security Measures in accordance with Section 7.1.1 (Company Security Measures);
(b) complying with the terms of Section 7.2 (Data Incidents); and
(c) if the subsections a. and b. above are insufficient for Client (or the relevant controller) to comply with such obligations, upon Client’s request, providing Client with additional reasonable cooperation and assistance.
7.2. Data Incidents.
7.2.1. Company shall without undue delay after becoming aware of a Data Incident involving Customer Personal Data, investigate such Data Incident and notify Client. Company shall also assist Client as reasonably necessary to meet its obligations in relation to providing notice of a Data Incident under Applicable Privacy Law and at Client’s sole cost, unless the Data Incident is accountable to Company. Company shall at least provide the information required by Article 33 (3) of the EU GDPR, and insofar not possible, such information shall be provided without undue further delay.
7.2.2. Company has no obligation to assess Customer Data to identify information subject to any specific legal requirements.
7.2.3. Company’s notification of or response to a Data Incident under this Section 7.2 (Data Incidents) will not be construed as an acknowledgement by Company of any fault or liability with respect to the Data Incident.
7.3. Client’s Security Responsibilities and Assessment.
7.3.1. Client’s Security Responsibilities. Without prejudice to Company’s obligations under Sections 7.1.1 (Company’s Security Measures) and 7.2 (Data Incidents), and elsewhere in the Agreement, Client is responsible for its use of the Services and Software and its storage of any copies of Customer Data outside Company’s or Company’s Subprocessors’ systems, including:
(a) using the Services and/or Software to ensure a level of security appropriate to the risk to the Customer Data;
(b) securing the account authentication credentials, systems and devices Client uses to access the Services and/or Software; and
(c) retaining copies of its Customer Data as appropriate
7.3.2. Client’s Security Assessment. Client acknowledges that the Security Measures provide a level of security appropriate to the risk to the Customer Data (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Customer Personal Data as well as the risks to individuals).
7.4. Compliance Certification. Company maintains a certificate for ISO 27001 (“Compliance Certifications”) in order to evaluate the continued effectiveness of the Security Measures. Company may at any time (a) add standards, certificates or reports or (b) replace a Compliance Certification with an equivalent or enhanced alternative.
7.5. Reviews and Audits of Compliance.
7.5.1. Reviews of Security Documentation. Company will make the Compliance Certifications available for review by Client to demonstrate compliance with its obligations under this Addendum.
7.5.2. Client’s Audit Rights. Company will, if required under Applicable Privacy Law, allow Client or an independent auditor appointed by Client to conduct audits (including inspections) to verify Company’s compliance with its obligations under this Addendum in accordance with Section 7.5.3 (Additional Business Terms for Reviews and Audits). During an audit, Company will reasonably cooperate with Client or its auditor as described in this Section 7.5 (Reviews and Audits of Compliance).
7.5.3. Additional Business Terms for Reviews and Audits.
(a) Following a request by Client to conduct an audit under Section 7.5.2 (Client’s Audit Rights), Company and Client will discuss and agree in advance on: (i) security and confidentiality controls applicable to any access to the Compliance Certifications by a relevant controller under Section 7.5.1 (Reviews of Security Documentation); and (ii) the reasonable start date, scope and duration of and security and confidentiality controls applicable to any audit under Section 7.5.2 (Client’s Audit Rights).
(b) Client shall not exercise its audit rights under this Addendum more than once in any 12 month period, except when necessary under Applicable Privacy Laws (e.g., when a Data Incident occurred on the part of the Company) and Client will use its reasonable efforts to ensure that it does not (i) disrupt Company’s normal business operations; or (ii) cause Company to breach any obligation of confidentiality to any other third party, whether imposed by regulation or contract. Such an audit will be conducted during regular business hours.
(c) Company may charge a fee (based on Company’s reasonable costs) for any audit under Section 7.5.2 (Client’s Audit Rights). Company will provide Client with further details of any applicable fee, and the basis of its calculation, in advance of any such audit. Client will be responsible for any fees charged by any auditor appointed by Client to execute any such audit.
(d) Company may object in writing to an auditor appointed by Client to conduct any audit under Section 7.5.2 (Client’s Audit Rights) if the auditor is, in Company’s reasonable opinion, not suitably qualified or independent, a competitor of Company or its Affiliates, or otherwise manifestly unsuitable. Any such objection by Company will require Client to appoint another auditor or conduct the audit itself.
8. Company Assistance to Client; Data Subject Requests
8.1. Assistance to Client. Taking into account the nature of processing and the information available to Company, Company shall, with respect to the Customer Personal Data processed by Company, provide reasonable cooperation and assistance to Client, to comply with its obligations under Applicable Privacy Law.
8.2. Data Subject Requests. If Company receives a Data Subject Request that relates to Customer Personal Data and identifies Client, Company will: (a) advise the data subject to submit their request to Client; (b) promptly notify Client; and (c) not otherwise respond to that data subject’s request without authorization from Client. Client will be responsible for responding to any such request. Company will (taking into account the nature of the processing of Customer Personal Data) reasonably assist Client in fulfilling its (or, where Client is a processor, the relevant controller’s) obligations under Chapter III of the GDPR to respond to Data Subject Requests.
9. Data Transfers
9.1. Data Transfers Generally.
9.1.1. The parties acknowledge that European Data Protection Law does not require SCCs or an Alternative Transfer Solution in order for Customer Personal Data to be processed in or transferred to an Adequate Country.
9.1.2. Client instructs Company (and authorizes the Company to instruct each Subprocessor) to process Customer Personal Data and transfer Customer Personal Data in or to any country or territory, as reasonably necessary for the provision of the services under the Agreement and warrants and represents that it is and will at all relevant times remain duly and effectively authorised to give the instruction set out in this Section 9.1 on behalf of any other party on whose behalf Client acts. Company will ensure that any such transfer is made in compliance with the requirements of Applicable Data Protection Laws.
9.1.3. Other than in accordance with this Section 9 (Data Transfers), Customer Personal Data originating from the EEA, Switzerland, or the UK shall not be transferred to, or stored in, any country or territory outside the EEA, Switzerland, or the UK which is not an Adequate Country, .
9.2. Data Transfers to Non-Adequate Countries.
9.2.1. If Customer Personal Data is transferred to a non-Adequate Country and European Data Protection Law applies to the transfers (as certified by Client under Section 9.3) (“Restricted Transfers”), then:
9.2.2. if Company has adopted an Alternative Transfer Solution for any Restricted Transfers, Company will ensure that such Restricted Transfers are made in accordance with it; or
9.2.3. if Company has not adopted an Alternative Transfer Solution for any Restricted Transfers, or informs Customer that Company is no longer adopting, an Alternative Transfer Solution for any Restricted Transfers (without adopting a replacement Alternative Transfer Solution), then:
(a) with respect to transfers from the EEA, that the SCCs will apply and shall be deemed incorporated into this Agreement in accordance with Appendix A, Annex I-III (inclusive) of this Addendum; and
(b)with respect to transfers from the UK, that the UK SCC Addendum shall apply and shall be deemed incorporated into this Agreement.
9.2.4. For the purposes of the SCCs and the UK SCC Addendum:
(a) Clause 7 of the SCCs shall be applicable
(b) In Clause 9 of the SCCs, Option 2: General Written Authorisation, shall be applicable, and the agreed-upon Subprocessor list is provided in Annex 3. The time period shall be specified as thirty (30) days;
(c) The optional language in Clause 11(a) of the SCCs shall not be applicable;
9.2.5. For the purposes of the SCCs:
(a) For Clause 13 of the SCCs (only), the following provision applies: Republic of Ireland;
(b) Option 1 of Clause 17 of the SCCs shall be applicable and shall reference the laws of the Republic of Ireland;
(c) For Clause 18 of the SCCs, any dispute arising from the SCCs shall be resolved by the courts of the Republic of Ireland;
9.3. Certification by non-European Customers. If Client’s billing address is outside of the EEA, Switzerland, or UK, and the processing of Customer Personal Data is subject to European Data Protection Law, then Client will certify as such to Company.
9.4. Precedence of SCCs. Nothing in the Agreement (including this Addendum) is intended to modify or contradict the SCCs or UK SCC Addendum, or prejudice the fundamental rights or freedoms of data subjects under European Data Protection Law. If any term or provision of the Addendum or Agreement is contradictory or inconsistent with any term or provision of the SCCs or UK SCC Addendum (as applicable), then the terms and provisions of the SCCs and UK SCC Addendum (as applicable) shall prevail.
10. Subprocessors
10.1. Company has Client’s general authorization for the engagement of the Subprocessors listed in Annex 3. Company shall specifically inform Company in writing of any intended changes to the list through the addition or replacement of any Subprocessors. Company shall provide Client with the information necessary to enable Client to exercise its right to object. Client shall provide written notice of its intent to object to any addition or replacement of Subprocessor change within 30 days’ of receipt.
10.2. Company shall ensure that each of its Subprocessors are bound by contractual data protection obligations with respect to Customer Personal Data that are the same as, or no lesser than, those contained in this Addendum. Company shall be liable for the acts and omissions of its Subprocessors to the same extent that Company would be if performing the processing directly under this Addendum.
11. Modifications
11.1. Modifications to this Addendum. Company may only update this Addendum where such update is:
(a) required to comply with applicable law, regulation, court order, or guidance issued by a governmental regulator or agency; or
(b) where such update is expressly permitted by the Agreement; or
(c) where such update:
(i) is commercially reasonable; and
(ii) does not result in a material reduction of the security of the Services or Software; and
(iii) does not expand the scope of or remove any restrictions on Company’s processing of Customer Personal Data, as described in this Addendum, unless such expansion or removal is required or permitted in accordance with Sections 11.1(a) or 11.1(b) above; and
(iv) does not otherwise have a material adverse impact on Client’s rights under the Addendum.
11.2. No Modification of SCCs. Nothing in the Agreement (including this Addendum) is intended to modify or contradict SCCs or UK SCC Addendum, or prejudice the fundamental rights or freedoms of data subjects under European Data Protection Law.
APPENDIX A
ANNEX 1
DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA
A. LIST OF PARTIES
DATA EXPORTER(S):
Name: Client
Address: As specified in the Agreement
Contact person’s name, position and contact details: Contact details for the data exporter are specified in the Agreement. Details about the data exporter’s data protection officer will be provided to the data importer by the data exporter, upon request.
Activities relevant to the data transferred under these Clauses: The data importer provides the Services and Software, including technical and customer support, to the data exporter in accordance with the Agreement.
Signature and date: The parties agree that execution of the Agreement and certification by the data exporter under Section 9.3 of the Data Processing Addendum, shall constitute execution of these Clauses by both parties.
Role (controller/processor): controller
DATA IMPORTER(S):
Name: Cameyo, Inc.
Address: As specified in the Agreement
Contact person’s name, position and contact details: Contact details for the data importer are specified in the Agreement. Details about the data importer’s data protection officer will be provided to the data exporter by the data importer, upon request.
Activities relevant to the data transferred under these Clauses: The data importer provides the Services and Software, including technical and customer support, to the data exporter in accordance with the Agreement.
Signature and date: The parties agree that execution of the Agreement and certification by the data exporter under Section 9.3 of the Data Processing Addendum, shall constitute execution of these Clauses by both parties.
Role (controller/processor): processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Data subjects include the individuals about whom data is provided via the Services or Software by (or at the direction of) the data exporter. These individuals may include, for example: employees, other staff such as contractors and temporary workers, customers and clients (including their staff), other end users, suppliers (including their staff), relatives and associates of the above, advisers, consultants and other professional experts, shareholders, members or supporters, and students and pupils.
Categories of personal data transferred
Customer Personal Data, including data relating to individuals provided by (or at the direction of) the data exporter. This data may include, for example:
- Personal details, including any information that identifies the data subject and their personal characteristics, including: name, address, contact details, age, date of birth, sex, location data, IP address, and physical description.
- Employment details, including information relating to the employment of the data subject, including employment and career history, recruitment and termination details, attendance records, performance appraisals, training records, and security records.
- Financial details, including information relating to the financial affairs of the data subject, including income, salary, assets and investments, payments, credit worthiness, loans, benefits, grants, insurance details, and pension information.
- Education and training details, including information which relates to the education and any professional training of the data subject, including academic records, qualifications, skills, training records, professional expertise, student and pupil records.
- Personal details issued as an identifier by a public authority, including passport details, national insurance numbers, identity card numbers, driving licence details.
- Family, lifestyle and social circumstances, including any information relating to the family of the data subject and the data subject’s lifestyle and social circumstances, including details of family and other household members, habits, housing, travel details, leisure activities, and membership of charitable or voluntary organisations.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Data exporter agrees that it will not disclose any special categories of personal data or personal data classified as “sensitive” (or similar classification) to data importer.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Customer Personal Data may be transferred on a continuous basis until it is deleted in accordance with the terms of the Data Processing Amendment.
Nature of the processing
The data importer will process Customer Personal Data to provide, secure and monitor the Services and Software in accordance with the Agreement.
Purpose(s) of the data transfer and further processing
The data importer will transfer Customer Personal Data to provide, secure and monitor the Services and Software in accordance with the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
For the duration of the Agreement until deletion in accordance with the provisions of the Data Processing Addendum.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
As above.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
The authority identified by the data exporter to the data importer, as its competent supervisory authority.
ANNEX 2
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
A vendor Information Security and Privacy Program shall be published and communicated to all its subcontractors, services providers, and personnel and should include:
- Security governance and security management
- Identity and account management
- Data protection and privacy
- System or platform security
- Network security
- Vulnerability management and detection and response
- Education and awareness
- Software security and physical security
ANNEX 3
LIST OF SUB-PROCESSORS
Sub-processor |
Link to privacy and contact details |
Location |
Description of services provided |
Microsoft Azure | https://azure.microsoft.com/en-us/support/legal/ | USA | Data storage, analytics |
Hubspot | https://legal.hubspot.com/privacy-policy | USA | CRM |
https://policies.google.com/privacy?hl=en-US | USA | Analytics, Security, Data Storage, Technical support, Communications | |
Google Cloud Platform |
https://cloud.google.com/privacy | Per customer’s choice | Data storage |
Mezmo | https://www.mezmo.com/privacy-policy | USA | Data storage (logs) |
Freshdesk | https://freshdesk.com/gdpr | USA | Technical support |
DnsExit | https://dnsexit.com/terms/privacy.htm | USA | Email distribution |
Slack | https://slack.com/trust/privacy/privacy-policy | USA | Internal communication |
ANNEX 4
SUPPLEMENTARY TERMS FOR SWISS FADP TRANSFERS ONLY
The following terms supplement the SCCs only if and to the extent the SCCs apply with respect to data transfers subject to the Swiss FADP:
- References to the GDPR will be interpreted as references to the Swiss FADP, to the extent applicable.
- References to the EU and EU Member States will be interpreted to mean Switzerland, to the extent applicable.
- The term ’Member State’ will be interpreted in such a way as to allow data subjects in Switzerland to exercise their rights under the Clauses in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Clauses.
- The competent supervisory authority/ies for purposes of Annex I.C (Competent Supervisory Authority) of the Clauses will be the Federal Data Protection and Information Commissioner in Switzerland (or its replacement or successor).
ANNEX 5
SUPPLEMENTARY TERMS FOR UK GDPR TRANSFERS ONLY
The following United Kingdom International Data Transfer Addendum to the European Commission Standard Contractual Clauses supplements the Clauses only if and to the extent the Clauses apply with respect to data transfers subject to the UK GDPR.
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
VERSION B1.0, in force 21 March 2022
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
SCHEDULE 1
ADDENDUM TO STANDARD CONTRACTUAL CLAUSES
PART 1: TABLES
- Table 1: Parties
Start date | As per the date of the Addendum. | |
The Parties | Exporter | Importer |
Parties’ details |
Full legal name: Client, as specified in the Agreement Trading name (if different): Main address (if a company registered address): As specified in the Agreement Official registration number (if any) (company number or similar identifier): To be made available by Exporter to Importer. |
Full legal name: Cameyo, Inc. Trading name (if different): Main address (if a company registered address): As specified in the Agreement Official registration number (if any) (company number or similar identifier): EIN 82-3816110 |
Key Contact | Contact details for the data exporter are specified in the Agreement. Details about the data exporter’s data protection officer will be provided upon request. | Contact details for the data importer are specified in the Agreement. Details about the data importer’s data protection officer will be provided upon request. |
Signature (if required for the purposes of Section 2) |
The parties agree that execution of the Agreement and certification by the data exporter under Section 9.3 of the Data Processing Addendum, shall constitute execution of this Addendum by both parties. | The parties agree that execution of the Agreement and certification by the data exporter under Section 9.3 of the Data Processing Addendum, shall constitute execution of this Addendum by both parties. |
- Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs |
☐The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information: Date: Reference (if any): Other identifier (if any): |
Or ☑the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum: |
||||||
Module | Module in operation | Clause 7 (Docking Clause) |
Clause 11 (Option) |
Clause 9a (Prior Authorisation or General Authorisation) |
Clause 9a (Time period) |
Is personal data received from the Importer combined with personal data collected by the Exporter? |
1 | ||||||
2 | ✔ | ✔ | ✖ |
Option 2: GENERAL WRITTEN AUTHORISATIO N |
30 days |
|
3 | ||||||
4 |
- Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex 1A: List of Parties: Appendix A, Annex 1.A of the Addendum |
Annex 1B: Description of Transfer: Appendix A, Annex 1.B of the Addendum |
Annex 2: Technical and organisational measures including technical and organisational measures to ensure the security of the data: Appendix A, Annex 2 of the Addendum |
Annex 3: List of Sub processors (Modules 2 and 3 only): Appendix A, Annex 3 of the Addendum |
- Table 4: Ending this Addendum when the Approved Addendum Changes
Ending this Addendum when the Approved Addendum changes |
Which Parties may end this Addendum as set out in Section 19 of the Mandatory Clauses: ☑Importer ☐Exporter ☐neither Party |
PART 2: MANDATORY CLAUSES
“Mandatory Clauses” | Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses. |
PART 3: SUPPLEMENTARY CLAUSES
“Supplementary Clauses” |
Part 3: Supplementary Clauses of the Approved Addendum, being the following:
The data importer may not end this Addendum as set out in Section 19 of the Mandatory Clauses unless the data importer has adopted an Alternative Transfer Solution for the Restricted Transfers by the end date. An “Alternative Transfer Solution” for this purpose means a solution, other than Standard Contractual Clauses, that enables the lawful transfer of personal data to a third country in accordance with Chapter V of the UK GDPR.
Any written notice provided by the data exporter pursuant to Section 19 of the Mandatory Clauses in order to end this Addendum will be deemed to terminate the Agreement for convenience. |