Data Processing Agreement (DPA)

Effective Date: January 30, 2026

This Data Processing Agreement (DPA) and its Attachments constitute a formal contract between Auth-Analytics ("Supplier") and any recipient of Supplier Products ("Customer") under a written or electronic Agreement governing these product provisions.

The DPA becomes effective when the Supplier processes Personal Data on behalf of the Customer, as referenced or signed in the Agreement. It is an integral part of the Agreement, activated either by signature or by integration into the Agreement as specified.

In the event of any conflicting terms, this DPA takes precedence over the Agreement to ensure clarity and consistency. The DPA’s duration aligns with the terms of the Agreement, with defined terms interpreted consistently with those in the Agreement.

1. Definitions

California Personal Information

Personal Data regulated under the California Consumer Privacy Act (CCPA).

Canadian Privacy Laws

Data protection regulations in Canada and its provinces, including:

• PIPEDA – Personal Information Protection and Electronic Documents Act, 2000.
• Quebec – Law 25 (formerly Bill 64), including the Act Respecting the Protection of Personal Information in the Private Sector (CQLR P-39.1).
• Alberta – Personal Information Protection Act (“PIPA Alberta”).
• British Columbia – Personal Information Protection Act (“PIPA BC”).

For terms like "Consumer," "Business," "Sell," and "Service Provider," CCPA definitions apply.

Controller

The entity that determines the purposes and means of processing Personal Data, which may be an individual, organization, or public authority.

Data Protection Laws

All laws and regulations globally that govern data protection and privacy, including European, US, and Canadian privacy laws.

Data Subject

An individual whose Personal Data is being processed.

European Data

Personal Data subject to European Data Protection Laws.

European Data Protection Laws

Applicable regulations in the EU, EEA, Switzerland, and the UK, including:

• GDPR – Regulation (EU) 2016/679.
• Directive 2002/58/EC, as amended by Directive 2009/136/EC (electronic communications privacy).
• National implementations, e.g., UK Data Protection Act 2018 and UK GDPR.
• Switzerland – Federal Act on Data Protection (FADP, updated Sept 25, 2020).

Instructions

Written directions from Customers to the Supplier regarding actions with Personal Data.

Onward Transfer

The transfer of Personal Data from one third-party (e.g., Processor) to another (e.g., Sub-Processor) or beyond.

Permitted Affiliates

Customer Affiliates using the Products under the Agreement:

• Operate under the Agreement without a separate contract.
• Have their Personal Data processed by Supplier.
• Comply with Data Protection Laws.

Personal Data

Information collected or provided by Customers relating to an identifiable individual, protected under applicable Data Protection Laws.

Personal Data Breach

A security incident leading to accidental or unlawful access, disclosure, or alteration of Personal Data processed by Supplier.

Processing

Operations performed on Personal Data, including collection, storage, modification, or deletion, as defined under applicable Data Protection Laws.

Processor

An entity that processes Personal Data on behalf of the Controller.

Products

Goods and services offered by Auth-Analytics under the Agreement.

Standard Contractual Clauses (SCCs)

Contractual protocols for processing Personal Data under GDPR:

• EU SCC: http://data.europa.eu/eli/dec_impl/2021/914/oj
• UK SCC: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/

Sub-Processor

Any third-party engaged by Supplier to perform specific processing tasks in accordance with the DPA and Customer Instructions.

Third Country

Countries outside the EEA, UK, or Switzerland for GDPR, UK GDPR, or FADP purposes, which do not provide an adequate level of data protection.

US Privacy Laws

Data protection laws applicable in the USA, including:

• California: CCPA and California Privacy Rights Act.
• Colorado: Colorado Privacy Act (CoPA).
• Connecticut: Connecticut Personal Data Privacy and Online Monitoring Act (CPDP).
• Utah: Utah Consumer Privacy Act (UCPA, effective Dec 31, 2023).
• Virginia: Virginia Consumer Data Protection Act (VCDPA).

2. Roles of the Parties

European Data Protection Laws

For European Data processed under this DPA, both parties acknowledge:

• Supplier: acts as a Processor.
• Customer: acts as either a Controller or a Processor representing a Controller not party to the Agreement or this DPA.

CCPA

For California Personal Information, both parties agree:

• Customer: operates as a Business.
• Supplier: operates as a Service Provider, unless Attachment 1, Section A specifies that Supplier is processing Personal Data as a “third party” under the CCPA, in which case Supplier is designated as a CCPA Third Party.

US Privacy Laws (excluding CCPA)

For Personal Data governed by US Privacy Laws other than CCPA:

• Supplier: acts as a Processor.
• Customer: acts as either a Controller or a Processor representing a Controller not party to the Agreement or this DPA.

Canadian Privacy Laws

For Personal Data governed by Canadian Privacy Laws:

• Supplier: processes Personal Data on behalf of Customer and complies with obligations under applicable Canadian Privacy Laws.
• Customer: determines the purposes and methods of Personal Data Processing through its Instructions to Supplier and assumes corresponding obligations under Canadian Privacy Laws.

3. Customer Responsibilities

a) Compliance with Laws

Customers are expected to follow all requirements set forth in relevant Data Protection Laws. If they are unable to fulfill these obligations for any reason, they should promptly inform Auth-Analytics. Specifically, customers are responsible for:

1. Data Accuracy and Legality: Ensuring that Personal Data is accurate, obtained legally, and of high quality.
2. Transparency and Lawfulness: Abiding by transparency and lawfulness standards as mandated by Data Protection Laws, including obtaining necessary consents, especially for marketing-related Personal Data.
3. Data Transfer Rights: Confirming their right to transfer or grant access to Personal Data to Auth-Analytics for Processing per the Agreement.
4. Instruction Compliance: Ensuring that all provided Instructions to Auth-Analytics regarding Personal Data Processing comply with applicable laws, including Data Protection Laws.
5. Content and Communication: Adhering to all laws, including Data Protection Laws, regarding generated, sent, or managed content through Auth-Analytics' Products. This includes obtaining required consents for communications, ensuring content complies with regulations, and following proper communication deployment practices.

b) Guidelines

Your instructions to Auth-Analytics regarding Personal Data handling are governed by:

1. The terms in the Agreement, this DPA, and any Attachments.
2. Your guidance through Product usage aligned with the Agreement.
3. An overarching approval allowing Auth-Analytics to utilize Personal Data for operational needs related to delivering Products.

Any additional instructions require mutual agreement through the appropriate process for modifying the Agreement or DPA.

c) Security Assurance

It's your responsibility to ensure that our data security measures within the Products align with your obligations under relevant Data Protection Laws. You're also accountable for securely using our Products, including safeguarding account access and securing Personal Data during transit to and from our Products (including secure backup or encryption of such data).

4. Supplier Responsibilities

a) Guideline Adherence

Suppliers must process Personal Data strictly for the purposes outlined in this Data Processing Agreement (DPA), including Attachment 1, or as directed within lawful instructions from the Customer. Exceptions apply only where permitted by applicable laws. Suppliers are not responsible for ensuring Customer's compliance with Data Protection Laws unless these laws generally apply to Suppliers.

b) Legal Compliance

If a Supplier cannot fulfill its obligations under Data Protection Laws or process Personal Data according to Customer's instructions due to legal obligations, the Supplier will:

1. Promptly notify the Customer, as allowed by law, of such legal obligations; and
2. Temporarily cease processing activities (except for data storage and security) until new compliant instructions are provided by the Customer. The Supplier will not be liable for service interruptions under the Agreement until new lawful instructions are received.

c) Data Security Measures

Suppliers will implement suitable technical and organizational measures to protect Personal Data from breaches, as detailed in Attachment 2 (Technical and Organizational Measures) of this DPA. Suppliers may adjust Attachment 2 as necessary, provided the measures are not substantially reduced.

d) Confidentiality

Suppliers will ensure that authorized personnel processing Personal Data are bound by appropriate confidentiality obligations, whether contractual or statutory.

e) Personal Data Breaches

In case of a Personal Data Breach, Auth-Analytics will promptly notify customers and comply with timelines specified by relevant Data Protection Laws. Customers acknowledge that Auth-Analytics may notify authorities and affected individuals about breaches, with customers having the opportunity to suggest reasonable changes to these notifications. Auth-Analytics will offer support for customer-issued notifications to ensure legal compliance.

f) Data Deletion or Return

Upon termination or expiration of services, Auth-Analytics will securely delete or return all processed Personal Data, unless retention is required by law or for backup purposes. Archived data will be isolated, protected, and deleted according to established practices.

g) Compliance Demonstration

Auth-Analytics will provide necessary information to demonstrate compliance with the Data Protection Agreement and laws. Customers can request audits, including confidential security program reports or written confirmations of compliance. Audit requests are limited to once per year.

h) Supplier Assistance to Customer

Auth-Analytics will assist customers with their obligations under Data Protection Laws primarily through product features. Customers agree to utilize these features before seeking additional assistance from Auth-Analytics.

5. Data Subject Requests

As part of our commitment mentioned in Section 4(f) above, Auth-Analytics will assist you in managing requests from data protection authorities and individuals exercising their rights under relevant Data Protection Laws ("Data Subject Requests"), as mandated by law. For efficient handling, Data Subject Requests must include sufficient information for identity verification.

There may be reasonable charges for additional assistance beyond our standard services.

If a Data Subject Request or any communication regarding Personal Data processing under our Agreement is directed to Auth-Analytics, and we can confirm your identity through our usual procedures, we will promptly inform you of the request and advise the Data Subject to contact you directly. Otherwise, you are responsible for addressing any Data Subject Requests.

6. Data Security Assessments

In compliance with applicable laws, Auth-Analytics will provide reasonable support to customers for conducting and documenting data security assessments, subject to the availability of necessary information and provided customers do not already possess such information.

7. Sub-Processing Partners

Customers authorize Auth-Analytics to engage Sub-Processors for processing Personal Data on their behalf, endorsing the listed entities as Sub-Processors. Any changes to this list must follow the amendment process in Section 11(a) of our Data Processing Agreement (DPA).

When engaging Sub-Processors, Auth-Analytics will establish written agreements mandating data protection terms ensuring at least the same level of security for Personal Data as outlined in this DPA. Auth-Analytics remains accountable for ensuring Sub-Processors comply with the obligations of this DPA and rectifying any breaches resulting from Sub-Processor actions or inactions.

8. Global Data Handling

You acknowledge and consent to Auth-Analytics processing your personal data globally as necessary for delivering our products according to our agreement. We ensure that these data transfers adhere to all relevant data protection regulations.

9. Special Considerations for European Data

a. Scope

These provisions specifically pertain to data originating from Europe. If any terms in this section conflict with others in the agreement, these terms take precedence.

b. Compliance Assistance

In accordance with European data protection laws, Auth-Analytics will support you in conducting data protection impact assessments and engaging with regulatory authorities, provided that we have reasonable access to the required information.

c. Cross-Border Data Transfers

1. We undertake not to transfer European data to non-European countries without ensuring compliance with applicable data protection laws. This may involve using approved frameworks, binding corporate rules, or standard contractual clauses.
2. Standard Contractual Clauses are employed when transferring personal data to non-European countries:
   1. For transfers from EEA/Switzerland: Part 1 of Attachment 3 is applicable.
   2. For transfers from the UK: Part 2 of Attachment 3 is applicable.
3. Exceptions may apply if Auth-Analytics has established Binding Corporate Rules or another recognized standard for lawful transfers.
4. In the event of a conflict between the Standard Contractual Clauses and this agreement, the Standard Contractual Clauses take precedence.

10. Special Terms for California Personal Information

a. Applicability

This Section 10, addressing Additional Provisions for California Personal Information, is specifically for transactions involving California Personal Information. If there are conflicting terms between this Section 10 and other sections of this DPA, the terms in this Section 10 will take precedence.

b. Supplier's Duties as a Service Provider

1. As a Service Provider, we agree to:
   • Handle California Personal Information strictly for the purposes outlined in Attachment 1 of this DPA and as allowed by the CCPA, including the Business Purposes specified in Section 1798.140(e).
   • We won't merge California Personal Information received from or on behalf of the Customer with data from other sources unless necessary for permitted Business Purposes under the CCPA. We may aggregate, de-identify, or anonymize California Personal Information for research, development, or other CCPA-compliant purposes.
   • We won't sell or share California Personal Information as defined by the CCPA.
   • We won't use or disclose California Personal Information for any non-Business Purpose or unauthorized commercial use.
   • We won't use or disclose California Personal Information outside the direct business relationship between Customer and Supplier unless permitted by the CCPA.
2. As a Service Provider, we will:
   • Adhere to all applicable CCPA obligations.
   • Ensure privacy protection in line with CCPA requirements.
   • Implement reasonable security measures to safeguard California Personal Information.
   • Act promptly on Customer requests regarding California Personal Information.
   • Address unauthorized use of California Personal Information appropriately.
   • Notify Customer promptly of any CCPA-related complaints, notices, or communications, including verifiable consumer requests under the CCPA within seven (7) business days.

c. Responsibilities as a CCPA Third Party

When Auth-Analytics acts as a CCPA Third Party (as outlined in Section 2(a)), we handle California Personal Information strictly for the purposes detailed in Attachment 1 of our Data Processing Agreement (DPA). These purposes include Business Purposes and any specific CCPA Third Party purposes mentioned therein, as allowed by the CCPA.

• We use California Personal Information solely for CCPA Third Party Purposes.
• We adhere to all CCPA obligations.
• We ensure the same level of privacy protection mandated by the CCPA as required by our customers.
• We implement appropriate security measures to safeguard California Personal Information.
• We allow our customers to take reasonable steps to address unauthorized use of California Personal Information and ensure our use aligns with their CCPA obligations.
• We promptly inform our customers of any complaints, notices, or communications related to CCPA compliance, including verifiable consumer requests, within a notification timeframe of seven (7) business days.

d. Certification

Auth-Analytics affirms its understanding of and commitment to adhere to the limitations outlined in Section 10(b) (Responsibilities as a Service Provider) and Section 10(c) (Responsibilities as a CCPA Third Party).

11. General Provisions

a. Amendments

Auth-Analytics reserves the right to update and modify this DPA or the list of Sub-Processors, with changes taking effect thirty (30) days after notification through a specific URL or direct communication to Customers. Customers are responsible for reviewing and understanding these updates. If a Customer objects before the effective date, Auth-Analytics will either negotiate in good faith or terminate the DPA with a pro-rata refund for affected Product Fees.

b. Severability

If any provision in this DPA is found invalid or unenforceable, it will not affect the validity of the remaining provisions.

c. Limitation of Liability

Each party's liability, including that of Customer's Affiliates if applicable, under this DPA will follow the limitations and exclusions outlined in the Agreement, except with respect to individual Data Subject's data protection rights.

d. Governing Law

This DPA follows the governing law specified in the Agreement unless Data Protection Laws require otherwise.

12. Parties Involved in this Data Processing Agreement

a. Permitted Affiliates

By entering this DPA, the Customer represents itself and its Permitted Affiliates as required by Data Protection Laws. This establishes individual DPAs between the Supplier and each Permitted Affiliate, with "Customer" including both the Customer and its Permitted Affiliates.

b. Authorization

The Customer warrants its authority to consent and engage in this agreement on behalf of itself and its Permitted Affiliates.

c. Remedies

Where a Permitted Affiliate enforces a right under this DPA, only the Customer entity in the Agreement will exercise such rights collectively for all Permitted Affiliates. The Customer entity is responsible for all communication regarding this DPA on behalf of its Permitted Affiliates.

Attachment 1 – Data Processing Details

A. Objective and Nature of Data Processing

At Auth-Analytics, we manage Personal Data for specific purposes outlined in our Agreement. This involves delivering Products as per the terms in Order Forms or SOWs and adhering to Customer instructions for Product usage.

B. Data Processing Duration

Auth-Analytics processes Personal Data solely during the Agreement duration unless a different arrangement is confirmed in writing. However, in accordance with Data Protection Laws, we may retain Personal Data beyond the Agreement period for legal obligations, fraud prevention, tax compliance, and honoring contractual commitments to third parties. Such processing aligns with our DPA and applicable Data Protection Laws.

C. Categories of Data Subjects

Customers may provide Personal Data concerning various Data Subjects while utilizing our Products. These Data Subjects encompass Customer's employees, contractors, collaborators, customers, partners, prospects, suppliers, subcontractors, and individuals interacting with or supplying Personal Data to Customer's end users.

D. Types of Personal Data

Customers utilizing Auth-Analytics' Products may share the following Personal Data categories with us, based solely on their discretion:

• Contact Information: Including details like name, email address, phone number, online usernames, IP address, user agent, and similar identifiers.
• Financial Information: Covering bank account and credit card details.
• Any other Personal Data: Referring to additional information submitted, transmitted, or received by the customer, their partners, advertisers, or end users through our Products.

E. Special Data Categories

Neither Auth-Analytics nor its customers expect to handle special categories of Personal Data or sensitive information as defined by relevant Data Privacy Laws.

F. Data Processing Operations

All Personal Data is processed in accordance with the Agreement and our DPA. Processing activities may involve:

• Storage and other necessary processing for providing, maintaining, and improving the Products offered to the customer.
• Disclosure as per the Agreement, our DPA, and/or mandated by applicable laws.

Attachment 2 – Technical and Organizational Security Measures

At Auth-Analytics, we are committed to upholding a robust level of protection for Personal Data, as outlined in this Attachment 2. Our measures are carefully tailored to suit the specific nature, scale, context, and purpose of our data processing activities, ensuring the safeguarding of individuals' rights and freedoms.

a) Access Control

Preventing Unauthorized Product Access

• Outsourced processing: We partner with trusted cloud infrastructure providers to host our Cloud Services. Our contractual agreements with these vendors ensure alignment with our Data Processing Agreement, backed by robust contractual frameworks, privacy policies, and vendor compliance programs.
• Physical and environmental security: Our product infrastructure is hosted with reputable outsourced providers adhering to stringent physical and environmental security controls. These controls undergo regular audits for compliance with industry standards such as SOC 2 Type II and ISO 27001.
• Authentication: A standardized password policy is implemented across our customer products. Users must authenticate themselves before accessing non-public customer data via the user interface.
• Authorization: Customer Data is securely stored in multi-tenant storage systems accessible only through authorized interfaces. Direct access to the infrastructure is restricted, and our authorization framework ensures that only authorized individuals can access relevant features and data sets.
• API Access: Access to our public product APIs requires authentication using an API key or through Auth authorization.
• Preventing Unauthorized Use: We employ industry-standard access controls and detection capabilities within our internal networks to prevent unauthorized protocols and ensure data security.
• Access Controls: Our network access controls include Virtual Private Cloud (VPC) setups, security group assignments, and firewall rules to block unauthorized access.
• Intrusion Detection and Prevention: A Web Application Firewall (WAF) solution is in place to protect customer websites and applications from attacks.
• Static Code Analysis: Regular security reviews of our code repositories identify and address software flaws.
• Penetration Testing: Annual penetration tests by recognized service providers help identify and mitigate potential attack vectors.

Limitations of Privilege & Authorization

• Product Access: Access to products and customer data is limited to specific employees through controlled interfaces. Access is based on roles, logged through "just in time" requests, and monitored daily.
• Background Checks: All employees undergo third-party background checks before employment, ensuring adherence to company guidelines and ethical standards.

b) Transmission Control

• During transit: We use HTTPS encryption (SSL/TLS) for all login interfaces, providing this service free of charge for customer sites hosted on our products.
• While at rest: User passwords are stored securely according to industry standards, with data encryption technologies implemented for data at rest.

c) Input Management

• Detection: Our infrastructure is set up to comprehensively log system activities, incoming traffic, authentication processes, and application requests. We analyze these logs internally to swiftly identify and alert relevant team members about any suspicious, unintended, or irregular activities. Our dedicated teams, including security, operations, and support, proactively address known issues.
• Response and Tracking: Auth-Analytics maintains detailed records of security incidents, including descriptions, timestamps, and actions taken. Our security, operations, or support teams thoroughly investigate suspected incidents, promptly document resolutions, and take necessary steps to minimize any potential damage or unauthorized access. We adhere to our Data Processing Agreement or Agreement regarding customer notifications in case of incidents.

d) Ensuring System Availability

• Infrastructure Uptime: Our infrastructure guarantees a minimum uptime of 99.95% through robust efforts by our providers. They ensure redundancy across power, network, and HVAC services for uninterrupted operations.
• Fault Tolerance: We implement fault tolerance strategies, including backup and replication mechanisms, to handle processing failures. Customer data is securely stored across multiple durable data stores and replicated across different zones for added security.
• Online Replicas and Backups: We maintain online replicas and backups for our production databases, ensuring data integrity and availability. Standard backup methods are consistently applied to safeguard your data.

Our architecture prioritizes redundancy and seamless failover to prevent disruptions. Server instances supporting our products are designed to eliminate single points of failure, ensuring smooth operations during updates and maintenance.

e) Certifications

We offer independently validated reports of our security programs, including SOC 2 Type II and ISO 27001, upon request. These certifications underscore our commitment to maintaining high security and compliance standards for our customers.

Attachment 3: Part 1 – Data Transfers from EEA/Switzerland

1. Both parties acknowledge and confirm that the Standard Contractual Clauses, along with this Part 1, are included in this agreement and are relevant to the transfer of Personal Data from the European Economic Area (EEA) or Switzerland to Third Countries.
2. Module Two (Controller to Processor) of the Standard Contractual Clauses applies when Customer, acting as the Controller of Personal Data, transfers data to a Third Country where Supplier acts as the Processor.
3. Module Three (Processor to Processor) of the Standard Contractual Clauses applies when Customer, acting as the Processor of Personal Data, transfers data to a Third Country where Supplier acts as a Sub-Processor.
4. Both parties acknowledge that specific clauses in the Standard Contractual Clauses necessitate input from both parties. The agreed responses for Module Two and Module Three (where applicable) are as follows:
   1. Clause 7 of the SCCs is inapplicable.
   2. For Clause 9(a), Option 2 (general written authorization) is chosen, with a thirty (30) day prior notice period for changes in Sub-Processors.
   3. The optional language in Clause 11 is not applied, and Data Subjects cannot file complaints with an independent dispute resolution body.
   4. Clause 17 is governed by the laws of the Republic of Ireland.
   5. For Clause 18(b), the parties select the courts of the Republic of Ireland as the forum and jurisdiction.
5. Annex I.A of the SCCs: For Module Two and Module Three, please complete Annex I.A as detailed below:
   1. Data Exporter:
      • Name: The entity identified as “Customer” in the Data Processing Agreement (DPA).
      • Address: The address associated with the Customer's account or as specified in the DPA or Agreement.
      • Contact Person's Name, Position, and Contact Details: Contact details linked to Customer’s account or as specified in the DPA or Agreement.
      • Activities Relevant to Data Transfer: Activities outlined in Attachment 1 of the DPA.
      • Role (Controller/Processor): For Module Two, Controller; for Module Three, Processor.
   2. Data Importer:
      • Name: Auth-Analytics
      • Address:
      • Contact Person's Name, Position, and Contact Details:
      • Activities Relevant to Data Transfer: Activities specified in Attachment 1 of the DPA.
      • Role (Controller/Processor): For Module Two and Module Three, Processor.
   3. Signature and Date:

      By entering into the DPA, both data exporter and data importer are considered to have signed these Standard Contractual Clauses, including their Annexes, as of the Effective Date of the DPA.

6. Annex I.B of the SCCs Details
   • Data Subject Categories: The types of individuals whose personal data is transferred are detailed in Attachment 1 of the DPA.
   • Types of Personal Data: Specific information about the personal data can be found in Attachment 1 of the DPA.
   • Sensitive Data Transfer: If sensitive Personal Data is transferred (as indicated in Section E of Attachment 1 to the DPA), appropriate precautions and safeguards will be applied, such as strict purpose limitations, limited access, access logs, restrictions on further transfers, or enhanced security measures, in accordance with Data Protection Laws.
   • Data Transfer Frequency: Personal data is transferred continuously.
   • Nature of Processing: The processing nature is specified in Attachment 1 of the DPA.
   • Purpose of Data Transfer and Processing: The purpose of processing is outlined in Attachment 1 of the DPA.
   • Data Retention Duration: Personal data will be retained until either requested for deletion by the data exporter per DPA or Agreement terms, or as permitted by Data Protection Laws.
   • Transfers to Sub-Processors: Details regarding subject matter, nature, and duration of processing by sub-processors are provided in Attachment 1 of the DPA.
7. Annex I.C Completion

   For Annex I.C of the SCCs, the relevant supervisory authority is determined as per Clause 13 of the Standard Contractual Clauses, based on the Member State outlined in Section 4(d) of Attachment 3.

8. Attachment 2 and SCCs

   Attachment 2 of this DPA (Technical and Organizational Measures) is considered Annex II of the SCCs.

9. Sub-Processors and SCCs

   Section 7 of this DPA regarding Sub-Processors is treated as Annex III of the SCCs.

Part 2 – UK Transfers

1. Recognition of UK SCCs and Addendum

We both recognize that the Standard Contractual Clauses, complemented by Part 1 and amended by the UK Addendum detailed in Exhibit 1 of Attachment 3 of this DPA, are included by reference and are applicable to the transfer of Personal Data from the United Kingdom to Third Countries. These clauses, along with the UK Addendum, are tailored to ensure legal transfers under UK Data Protection Laws and to provide necessary safeguards as per Article 46 of the UK GDPR.

2. Interpretation in Harmony with UK GDPR

Part 2 is to be interpreted in harmony with the provisions of the UK GDPR, guaranteeing the intended safeguards outlined in Article 46, and must not contradict the rights and responsibilities under the UK GDPR.

3. Legislative Updates

Any mentions of legislation, including the UK Addendum, indicate that legislation as updated from time to time is taken into account (including any revisions or replacements post the Effective Date of this DPA).

4. Precedence of SCCs with UK Addendum

In the event of a conflict between the Standard Contractual Clauses along with the UK Addendum and other terms in this DPA or the Agreement, the provisions of the Standard Contractual Clauses along with the UK Addendum shall take precedence.