DATA PROCESSING ADDENDUM
This Data Processing Addendum (this “Addendum”) is incorporated into and forms part of the SaaS Agreement between you and us (the “Agreement”).
Capitalized terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms used but not otherwise defined herein shall have the meanings given to them in the Agreement. Except as expressly modified below, the terms of the Agreement shall remain in full force and effect.
The parties hereby agree that the terms and conditions set out below shall be added as an addendum to the Agreement. The following obligations shall only apply to the extent required by Data Protection Laws with regard to the relevant Customer Personal Data, if applicable.
1.1. “Canadian Data Protection Laws” means, in each case to the extent applicable: (a) Canada’s Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5) (“PIPEDA”); and (b) any other applicable law or regulation related to the protection of Customer Personal Data in Canada that is already in force or that will come into force during the term of this Addendum.
1.2. “Controller” means an entity that determines the purposes and means of the Processing of Personal Data.
1.3. “Customer Personal Data” means Personal Data Processed by Seller on behalf of Customer to perform the Services under the Agreement.
1.4. “Data Protection Laws” means the data privacy and security laws and regulations of any jurisdiction applicable to the Processing of Customer Personal Data under the Agreement including, in each case to the extent applicable, Canadian Data Protection Laws, European Data Protection Laws and United States Data Protection Laws.
1.5. “Data Subject” means the identified or identifiable natural person who is the subject of Personal Data.
1.6. “European Data Protection Laws” means, in each case to the extent applicable: (a) the EU General Data Protection Regulation 2016/679 (“GDPR”); (b) the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”), the Data Protection Act of 2018, and all other laws relating to data protection, the processing of personal data, privacy, or electronic communications in force from time to time in the United Kingdom (collectively, “UK Data Protection Laws”); (c) the Swiss Federal Act on Data Protection (“Swiss FADP”); and (d) any other applicable law, rule, or regulation related to the protection of Customer Personal Data in the European Economic Area, United Kingdom, or Switzerland that is already in force or that will come into force during the term of this Addendum.
1.7. “Personal Data” means information that constitutes “personal information,” “personal data,” “personally identifiable information,” or similar term under Data Protection Laws.
1.8. “Process” means any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, alignment, combination, restriction, erasure, destruction or disclosure by transmission, dissemination or otherwise making available.
1.9. “Processor” means an entity that Processes Personal Data on behalf of a Controller.
1.10. “Security Incident” means a breach of Seller’s security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data in Seller’s possession, custody, or control. “Security Incident” does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
1.11. “Services” means the services that Seller has agreed to provide to Customer under the Agreement.
1.12. “Standard Contractual Clauses” means, as applicable, Module Two (Transfer controller to processor) or Module Three (Transfer processor to processor) of the standard contractual clauses approved by the European Commission’s implementing decision (C(2021)3972) of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/678 of the European Parliament and of the Council (available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en), as supplemented or modified by Appendix 3.
1.13. “Subprocessor” means any Processor appointed by Seller to Process Customer Personal Data on behalf of Customer under the Agreement.
1.14. “Supervisory Authority” means an independent competent public authority established or recognized under Data Protection Laws.
1.15. “United States Data Protection Laws” means, in each case to the extent applicable: (a) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, when effective, and its implementing regulations (collectively, “CCPA”); (b) the Virginia Consumer Data Protection Act (“VCPDA”), when effective; (c) the Colorado Privacy Act and its implementing regulations (“CPA”), when effective; (d) the Utah Consumer Privacy Act (“UCPA”), when effective; (e) Connecticut SB6, An Act Concerning Personal Data Privacy and Online Monitoring (“CTDPA”); and (f) any other applicable law or regulation related to the protection of Customer Personal Data in the United States that is already in force or that will come into force during the term of this Addendum.
2.1. Roles of the Parties; Compliance. The parties acknowledge and agree that, as between the parties, with regard to the Processing of Customer Personal Data under the Agreement, Customer is a Controller and Seller is a Processor. In some circumstances, the parties acknowledge that Customer may be acting as a Processor to a third-party Controller in respect of Customer Personal Data, in which case Seller will remain a Processor with respect to the Customer in such event. Each party will comply with the obligations applicable to it in such role under Data Protection Laws with respect to the Processing of Customer Personal Data.
2.2. Customer Instructions. Seller will Process Customer Personal Data only in accordance with Customer’s documented instructions unless otherwise required by applicable law, in which case Seller will inform Customer of such Processing unless notification is prohibited by applicable law. Customer hereby instructs Seller to Process Customer Personal Data: (a) to provide the Services to Customer; (b) to perform its obligations and exercise its rights under the Agreement and this Addendum; and (c) as necessary to prevent or address technical problems with the Services. Seller will notify Customer if, in its opinion, an instruction of Customer infringes upon Data Protection Laws. Customer’s instructions for the Processing of Customer Personal Data shall comply with Data Protection Laws. Customer shall be responsible for: (i) giving adequate notice and making all appropriate disclosures to Data Subjects regarding Customer’s use and disclosure and Seller’s Processing of Customer Personal Data; and (ii) obtaining all necessary rights, and, where applicable, all appropriate and valid consents to disclose such Customer Personal Data to Seller to permit the Processing of such Customer Personal Data by Seller for the purposes of performing Seller’s obligations under the Agreement or as may be required by Data Protection Laws. Customer shall notify Seller of any changes in, or revocation of, the permission to use, disclose, or otherwise Process Customer Personal Data that would impact Seller’s ability to comply with the Agreement, this Addendum, or Data Protection Laws.
2.3. Details of Processing. The parties acknowledge and agree that the nature and purpose of the Processing of Customer Personal Data, the types of Customer Personal Data Processed, the categories of Data Subjects, and other details regarding the Processing of Customer Personal Data are as set forth in Appendix 1.
2.4. Processing Subject to the CCPA. As used in this Section 2.4, the terms “Sell,” “Share,” “Business Purpose,” and “Commercial Purpose” shall have the meanings given in the CCPA and “Personal Information” shall mean any personal information (as defined in the CCPA) contained in Customer Personal Data. Seller will not: (a) Sell or Share any Personal Information; (b) retain, use, or disclose any Personal Information (i) for any purpose other than for the Business Purposes specified in the Agreement, including for any Commercial Purpose other than the Business Purposes specified in the Agreement, or as otherwise permitted by the CCPA, or (ii) outside of the direct business relationship between Customer and Seller; or (c) combine Personal Information received from, or on behalf of, Customer with Personal Data received from or on behalf of any third party, or collected from Seller’s own interaction with Data Subjects, except to perform any Business Purpose permitted by the CCPA. Seller hereby certifies that it understands the foregoing restrictions under this Section 2.4 and will comply with them. The parties acknowledge that the Personal Information disclosed by Customer to Seller is provided to Seller only for the limited and specified purposes set forth in the Agreement and this Addendum. Seller will comply with applicable obligations under the CCPA and provide the same level of privacy protection to Personal Information as is required by the CCPA. Customer has the right to take reasonable and appropriate steps to help ensure that Seller uses the Personal Information transferred in a manner consistent with Customer’s obligations under the CCPA by exercising Customer’s audit rights in Section 8. Seller will notify Customer if it makes a determination that Seller can no longer meet its obligations under the CCPA. 
If Seller notifies Customer of unauthorized use of Personal Information, including under the foregoing sentence, Customer will have the right to take reasonable and appropriate steps to stop and remediate such unauthorized use by limiting the Personal Information shared with Seller, terminating the portion of the Agreement relevant to such unauthorized use, or such other steps mutually agreed between the parties in writing.
4.1. Security Measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Seller shall implement appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, in accordance with the security standards in Appendix 2 (the “Security Measures”). Customer acknowledges that the Security Measures may be updated from time to time upon reasonable notice to Customer to reflect process improvements or changing practices, provided that the modifications will not materially decrease Seller’s security obligations hereunder.
4.2. Security Incidents. Upon becoming aware of a confirmed Security Incident, Seller will: (a) notify Customer of the Security Incident without undue delay after becoming aware of the Security Incident; and (b) take reasonable steps to identify the cause of such Security Incident, minimize harm, and prevent a recurrence. Seller will take reasonable steps to provide Customer with information available to Seller that Customer may reasonably require to comply with its obligations under Data Protection Laws. Seller’s notification of or response to a Security Incident under this Section 4.2 will not be construed as an acknowledgement by Seller of any fault or liability with respect to the Security Incident.
4.3. Customer Responsibilities. Customer agrees that, without limitation of Seller’s obligations under this Section 4, Customer is solely responsible for its use of the Services, including: (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Customer Personal Data; and (b) securing any account authentication credentials, systems, and devices Customer uses to access or connect to the Services, where applicable. Without limiting Seller’s obligations hereunder, Customer is responsible for reviewing the information made available by Seller relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Data Protection Laws.
9.1. Data Processing Facilities. Seller may, subject to Sections 9.2 and 9.3, Process Customer Personal Data in the United States or anywhere Seller or its Subprocessors maintains facilities. Customer is responsible for ensuring that its use of the Services complies with any cross-border data transfer restrictions of Data Protection Laws.
9.2. European Transfers. If Customer transfers Customer Personal Data to Seller that is subject to European Data Protection Laws, and such transfer is not subject to an alternative adequate transfer mechanism under European Data Protection Laws or otherwise exempt from cross-border transfer restrictions, then Customer (as “data exporter”) and Seller (as “data importer”) agree that the applicable terms of the Standard Contractual Clauses shall apply to and govern such transfer and are hereby incorporated herein by reference. In furtherance of the foregoing, the parties agree that: (a) the execution of this Addendum shall constitute execution of the applicable Standard Contractual Clauses as of the Addendum Effective Date; (b) the relevant selections, terms, and modifications set forth in Appendix 3 shall apply, as applicable; and (c) the Standard Contractual Clauses shall automatically terminate once the Customer Personal Data transfer governed thereby becomes lawful under European Data Protection Laws in the absence of such Standard Contractual Clauses on any other basis.
9.3. Other Jurisdictions. If Customer transfers Customer Personal Data to Seller that is subject to Data Protection Laws other than European Data Protection Laws which require the parties to enter into standard contractual clauses to ensure the protection of the transferred Customer Personal Data, and the transfer is not subject to an alternative adequate transfer mechanism under Data Protection Laws or otherwise exempt from cross-border transfer restrictions, then the parties agree that the applicable terms of any standard contractual clauses approved or adopted by the relevant Supervisory Authority pursuant to such Data Protection Laws shall automatically apply to such transfer and, where applicable, shall be completed on a mutatis mutandis basis to the completion of the Standard Contractual Clauses as described in Section 9.2.
APPENDIX 1A: DETAILS OF PROCESSING – SELLER AS PROCESSOR
A. LIST OF PARTIES
Data exporter:
Name: The Customer, as defined in the Seller’s Customer Terms of Service (on behalf of itself and Permitted Affiliates)
Address: The Customer's address, as set out in the Order Form
Contact person’s name, position and contact details: The Customer's contact details, as set out in the Order Form and/or as set out in the Customer’s Seller account
Activities relevant to the data transferred under these Clauses: Processing of Customer Personal Data in connection with Customer's use of the Seller’s Subscription Services under the Seller’s Customer Terms of Service
Role (controller/processor): Controller (either as the Controller; or acting in the capacity of a Controller, as a Processor, on behalf of another Controller)
Data importer:
Name: Valsoft Corporation Inc. dba Aysling Software
Address: 137 Keveling Drive, Saline MI 48176
Contact person’s name, position and contact details: Rudolph Pataro, Managing Director, 137 Keveling Drive, Saline MI 48176
Activities relevant to the data transferred under these Clauses: Processing of Customer Personal Data in connection with Customer's use of the Seller’s Subscription Services under the Seller’s Customer Terms of Service
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of Data Subjects whose Personal Data is Transferred
You may submit Customer Personal Data in the course of using the Subscription Service, the extent of which is determined and controlled by you in your sole discretion, and which may include, but is not limited to Customer Personal Data relating to the following categories of Data Subjects:
Your Contacts and other end users including your employees, contractors, collaborators, customers, prospects, suppliers and subcontractors. Data Subjects may also include individuals attempting to communicate with or transfer Customer Personal Data to your end users.
Categories of Personal Data Transferred
You may submit Personal Data to the Subscription Services, the extent of which is determined and controlled by you in your sole discretion, and which may include but is not limited to the following categories of Personal Data:
1. Contact Information which refers to a single individual, other than a User, whose information is stored by you in the Subscription Service. This information means the name, email address, phone number, online user name(s) and similar information uploaded by you to the Subscription Service.
2. Any other Personal Data submitted by, sent to, or received by you, or your end users, via the Subscription Service.
Sensitive Data Transferred and Applied Restrictions or Safeguards
The processing of Sensitive Data is subject to the scope limitations, restrictions, and safeguards mutually agreed upon by the parties, as reflected in the Agreement.
Frequency of the Transfer
Continuous
Nature of the Processing
Customer Personal Data will be Processed in accordance with the Agreement (including this DPA) and may be subject to the following Processing activities:
1. Storage and other Processing necessary to provide, maintain and improve the Subscription Services provided to you; and/or
2. Disclosure in accordance with the Agreement (including this DPA) and/or as compelled by applicable laws.
Purpose of the Transfer and Further Processing
We will Process Customer Personal Data as necessary to provide the Subscription Services pursuant to the Agreement, as further specified in the Order Form, and as further instructed by you in your use of the Subscription Services.
Period for which Personal Data will be retained
Subject to the 'Deletion or Return of Customer Personal Data' section of this DPA, we will Process Customer Personal Data for the duration of the Agreement, unless otherwise agreed in writing.
APPENDIX 1B: DETAILS OF PROCESSING – SELLER AS PROCESSOR
A. LIST OF PARTIES
Data exporter/importer: Customer
Name: The Customer, as defined in the Seller’s Customer Terms of Service (on behalf of itself and Permitted Affiliates)
Address: The Customer's address, as set out in the Order Form
Contact person’s name, position, and contact details, including email: The Customer’s contact details, as set out in the Order Form and/or as set out in the Customer’s Seller account
Activities relevant to the data transferred under these Clauses: Processing of Controller Personal Data in connection with Customer’s use of enrichment products and the Seller’s Tracking Code
Role (controller/processor): Controller
Data exporter/importer: Valsoft Corporation Inc. dba Aysling Software
Name: Valsoft Corporation Inc. dba Aysling Software
Address: 137 Keveling Drive, Saline MI 48176
Contact person’s name, position and contact details: Rudolph Pataro, Managing Director, 137 Keveling Drive, Saline MI 48176
Activities relevant to the data transferred under these Clauses: Processing of Controller Personal Data in connection with Customer’s use of enrichment products and the Seller’s tracking code
Role (controller/processor): Controller
B. DESCRIPTION OF TRANSFER
Categories of Data Subjects whose Personal Data is Transferred
Individuals associated with a company or other institution
Categories of Personal Data Transferred
Professional data, which may include, but is not limited to, first and last name, business email address, business employer, business role, professional title, IP address, online identifiers, and other similar information
Sensitive Data Transferred and Applied Restrictions or Safeguards
The parties do not anticipate the transfer of sensitive data.
Frequency of the Transfer
Continuous
Nature of the Processing
Controller Personal Data will be Processed in accordance with the Agreement and may be subject to the following Processing activities: (1) storage and other Processing of Website Data (such as IP addresses and other online identifiers) and Professional Enrichment Data (such as business email addresses) by Seller necessary to provide, maintain, append, improve, and develop Seller’s commercial dataset and the Subscription Services; and/or (2) disclosure in accordance with the Agreement and/or as compelled by applicable laws.
Purpose(s) of the Transfer and Further Processing
Controller Personal Data will be transferred for the purposes contemplated in the Agreement, including to provide Customer with business information and to provide, maintain, append, improve, enhance, and develop Seller’s commercial dataset and the Subscription Services.
Period for which Personal Data will be Retained
Controller Personal Data will be Processed and retained by the parties in accordance with their respective data retention policies or as otherwise set out under the Agreement.
APPENDIX 2: SECURITY MEASURES
1. ACCESS CONTROL
1.1 Preventing Unauthorized Product Access. Outsourced processing: We host our Service with outsourced cloud infrastructure providers. Additionally, we maintain contractual relationships with vendors in order to provide the Service in accordance with our DPA. We rely on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
Physical and environmental security: We host our product infrastructure with multi-tenant, outsourced infrastructure providers. We do not own or maintain hardware located at the outsourced infrastructure providers’ data centers. Production servers and client-facing applications are logically and physically secured from our internal corporate information systems. The infrastructure providers' physical and environmental security controls are audited for SOC 2 Type II compliance.
Authentication: We implement a uniform password policy for our customer products. Customers who interact with the products via the user interface must authenticate before accessing Customer Personal Data in their Seller account.
Authorization: Customer Data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of our products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.
Application Programming Interface (API) access: Public product APIs may be accessed using OAuth authorization or public/private key combinations.
1.2 Preventing Unauthorized Product Use. We implement industry standard access controls and detection capabilities for the internal networks that support our products.
Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
Intrusion detection and prevention: We implement a Web Application Firewall (WAF) solution to protect hosted customer websites and other internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available network services.
Static code analysis: Code stored in our source code repositories is checked for best practices and identifiable software flaws using automated tooling.
Endpoint Hardening: Endpoints are hardened in accordance with industry standard practice. Workstations are protected using anti-malware and endpoint detection & response tools, receiving regular definition and signature updates.
1.3 Limitations of Privilege and Authorization Requirements. Privileged Access Management: Privileged access in our product environment is controlled, monitored, and removed in a timely fashion as determined by the Change Control process(es). Non-personal accounts used for system access are stored in a secure vault, BitWarden, with additional controls governing privilege elevation and account check out processes.
Product access: A subset of our employees has access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, product development and research, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Access is enabled through JITA requests for access; all such requests are logged. Employees are granted access by role, and reviews of high-risk privilege grants are initiated monthly. Administrative or high-risk access permissions are reviewed at least once every six months.
2. TRANSMISSION CONTROL
In-transit: We require HTTPS encryption (also referred to as SSL or TLS) on all login interfaces and for free on every customer site hosted on the Seller products. Our HTTPS implementation uses industry standard algorithms and certificates.
At-rest: We store user passwords following policies that follow industry standard practices for security. We take a layered approach of at-rest encryption technologies to ensure Customer Data and Customer-identified Permitted Sensitive Data are appropriately encrypted.
3. INCIDENT MANAGEMENT, LOGGING, AND MONITORING
Incident Response Plan: We maintain a written Incident Response Plan, and other necessary processes and procedures to fulfill the standards and obligations reflected therein.
Detection: We designed our infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Our personnel, including security, operations, and support personnel, are responsive to known incidents.
Response and tracking: We maintain a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, we will take appropriate steps to minimize product and Customer damage or unauthorized disclosure. Notification to you will be in accordance with the terms of the Agreement.
4. AVAILABILITY CONTROL
Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.8% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and heating, ventilation and air conditioning (HVAC) services.
Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.
Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary instance. All databases are backed up and maintained using at least industry standard methods.
Disaster Recovery Plans: We maintain and regularly test disaster recovery plans to help ensure availability of information following interruption to, or failure of, critical business processes.
Our products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists our operations in maintaining and updating the product applications and backend while limiting downtime.
5. VULNERABILITY MANAGEMENT PROGRAM
Vulnerability Remediation Schedule: We maintain a vulnerability remediation schedule aligned with industry standards. We take a risk-based approach to determining a vulnerability’s applicability, likelihood, and impact in our environment.
Vulnerability scanning: We perform daily vulnerability scanning on our products using technology and detection standards aligned with industry standards.
Penetration testing: We maintain relationships with industry-recognized penetration testing service providers for penetration testing of both the Seller web application at least monthly. The intent of these penetration tests is to identify security vulnerabilities and mitigate the risk and business impact they pose to the in-scope systems.
6. PERSONNEL MANAGEMENT
We staff qualified personnel to develop, maintain, and enhance our security program. We train all employees on security policy, processes, and standards relevant to their role and in accordance with industry practice.
Background checks: Where permitted by applicable law, Seller employees may undergo a third-party background or reference check. All Seller employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.
APPENDIX 3: STANDARD CONTRACTUAL CLAUSES
1. Application of Modules. If Customer is acting as a Controller with respect to Customer Personal Data, “Module Two: Transfer controller to processor” of the Standard Contractual Clauses shall apply. If Customer is acting as a Processor to a third-party Controller with respect to Customer Personal Data, Seller is a sub-Processor and “Module Three: Transfer processor to processor” of the Standard Contractual Clauses shall apply.
2. Sections I-V. The parties agree to the following selections in Sections I-IV of the Standard Contractual Clauses: (a) the parties select Option 2 in Clause 9(a) and the specified time period shall be the notification time period set forth in Section 5 of the Addendum; (b) the optional language in Clause 11(a) is omitted; (c) the parties select Option 1 in Clause 17 and the governing law of the Netherlands will apply; and (d) in Clause 18(b), the parties select the courts of the Netherlands.
3. Annexes. The name, address, contact details, activities relevant to the transfer, and role of the parties set forth in the Agreement and the Addendum shall be used to complete Annex I.A. of the Standard Contractual Clauses. The information set forth in Appendix 1 to the Addendum shall be used to complete Annex I.B. of the Standard Contractual Clauses. The competent supervisory authority in Annex I.C. of the Standard Contractual Clauses shall be the relevant supervisory authority determined by Clause 13 and the GDPR, unless otherwise set forth in Sections 5 or 6 of this Appendix 3. If such determination is not clear, then the competent supervisory authority shall be the Dutch Data Protection Authority. The technical and organizational measures in Annex II of the Standard Contractual Clauses shall be the measures set forth in Appendix 2 to the Addendum.
4. Supplemental Business-Related Clauses. In accordance with Clause 2 of the Standard Contractual Clauses, the parties wish to supplement the Standard Contractual Clauses with business-related clauses, which shall neither be interpreted nor applied in such a way as to contradict the Standard Contractual Clauses (whether directly or indirectly) or to prejudice the fundamental rights and freedoms of Data Subjects. Seller and Customer therefore agree that the applicable terms of the Agreement and the Addendum shall apply if, and to the extent that, they are permitted under the Standard Contractual Clauses, including without limitation the following:
(a) Instructions. The instructions described in Clause 8.1 are set forth in Section 2.2 of the Addendum.
(b) Protection of Confidentiality. In the event a Data Subject requests a copy of the Standard Contractual Clauses or the Addendum under Clause 8.3, Customer shall make all redactions reasonably necessary to protect business secrets or other confidential information of Seller.
(c) Deletion or Return. Deletion or return of Customer Personal Data by Seller under the Standard Contractual Clauses shall be governed by Section 10 of the Addendum. Certification of deletion of Customer Personal Data under Clause 8.5 or Clause 16(d) will be provided by Seller upon the written request of Customer.
(d) Onward Transfers. Seller shall be deemed in compliance with Clause 8.8 to the extent such onward transfers occur in accordance with Article 4 of the Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
(e) Audits and Certifications. Any information requests or audits provided for in Clause 8.9 shall be fulfilled in accordance with Section 8 of the Addendum.
(f) Liability. The relevant terms of the Agreement which govern indemnification or limitation of liability shall apply to Seller’s liability under Clauses 12(a), 12(d), and 12(f).
(g) Termination. The relevant terms of the Agreement which govern termination shall apply to a termination pursuant to Clauses 14(f) or 16.
5. Transfers from the United Kingdom. If Customer transfers Customer Personal Data to Seller that is subject to UK Data Protection Laws, the parties acknowledge and agree that: (a) the template addendum issued by the Information Commissioner’s Office of the United Kingdom and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 (available at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf), as it may be revised from time to time by the Information Commissioner’s Office (the “UK Addendum”) shall be incorporated by reference herein; (b) the UK Addendum shall apply to and modify the Standard Contractual Clauses solely to the extent that UK Data Protection Laws apply to Customer’s Processing when making the transfer; (c) the information required to be set forth in “Part 1: Tables” of the UK Addendum shall be completed using the information provided in this Appendix 3 and the Addendum; and (d) either party may end the UK Addendum in accordance with section 19 thereof.
6. Transfers from Switzerland. If Customer transfers Customer Personal Data to Seller that is subject to the Swiss FADP, the following modifications shall apply to the Standard Contractual Clauses to the extent that the Swiss FADP applies to Customer’s Processing when making that transfer: (a) the term “member state” as used in the Standard Contractual Clauses shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from suing for their rights in their place of habitual residence in accordance with Clause 18(c) of the Standard Contractual Clauses; (b) the Standard Contractual Clauses shall also protect the data of legal entities until the entry into force of the revised Swiss FADP on or about 1 January 2023; (c) references to the GDPR or other governing law contained in the Standard Contractual Clauses shall also be interpreted to include the Swiss FADP; and (d) the parties agree that the supervisory authority as indicated in Annex I.C of the Standard Contractual Clauses shall be the Swiss Federal Data Protection and Information Commissioner.