Data Protection and Security Addendum

This Data Protection and Security Addendum (this "Addendum" or "DPA") is part of and incorporated into the hapily Terms of Service (the "Agreement") entered into by hapily, Inc. ("Company") and the party to the Agreement ("Customer"). This Addendum shall be effective as of the effective date of the Agreement. The terms of this Addendum are not intended to limit any data protection or other obligations of either party as provided in the Agreement. Any capitalized term not defined in this Addendum will have the meaning given it in the Agreement. In the event of any conflict between the terms of this Addendum and the Agreement, this Addendum will control.

Whereas, Company provides the services described in the Agreement (the "Services") to Customer pursuant to the terms and conditions of the Agreement, and as a result, Company may access and process certain personal data controlled by Customer; and

Whereas this Addendum describes specific data protection and security commitments concerning the processing of such data in addition to those found in the Agreement.

Now, therefore, in consideration of the mutual covenants and agreements in this Addendum and the Agreement, and for other good and valuable consideration, the sufficiency of which is hereby acknowledged, the parties agree as follows:

1. Certain Definitions

"Affiliate" means entity controlling, controlled by or under common control with a party, where control and its corollaries (including "controlled by" and "under common control with") means the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of such person or entity, whether through the ownership of voting securities or other ownership interests, by contract or otherwise.

"Company Account Data" means that data that relates to Customer’s relationship with Company, including the names or contact information of individuals authorized by Customer to access Customer’s account and billing information that individuals that Customer has associated with its account. Company Account Data also includes any data Company may need to collect for the purpose of managing its relationship with Customer, identity verification, or as otherwise required by applicable laws and regulations.

"Company Usage Data" means Service usage collected and processed by Company in connection with the provision of the Services, including without limitation data used to identify the source and destination of a communication, activity logs, and data used to optimize and maintain performance of the services, and to investigate and prevent system abuse.

"Data Protection Laws" means any applicable privacy and data protection laws, statutes or regulations, including EU Data Protection Laws (as defined in Exhibit A) and the CCPA and Additional US Privacy Laws (as defined in Exhibit B).

"Personal Data" means any information that identifies or can be used to identify an individual, and includes "personal data" as defined under EU Data Protection Laws (as defined in Exhibit A), and "personal information" and "personal data" as defined under the CCPA and Additional US Privacy Laws, respectively (as defined in Exhibit B).

"Security Incident" means any actual or suspected accidental or unlawful destruction, loss, alteration, unauthorized access or deletion of any portion of the Personal Data, or any security compromise reasonably likely to result to any of the foregoing occurrences.

1. Standard of Care

Company agrees that it shall (a) keep and maintain all Personal Data in confidence, using such degree of care as is appropriate to avoid unauthorized access, use or disclosure, and (b) use Personal Data solely for the purposes of providing the Services to Customer.

2. Security Obligations
1. Security Program. Company will develop and maintain a comprehensive security program including without limitation appropriate administrative, technical, organizational and physical security measures to protect the Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized access or disclosure. Company will limit access to the Personal Data to personnel whose roles reasonably require such access and who have agreed contractually in writing to maintain the confidentiality and security of the Personal Data in keeping with the terms of this Addendum. Company will maintain written policies relevant and appropriate to its business, including without limitation, an information security policy, security and privacy guidelines, an internal acceptable use policy, and internal procedural documentation, and provide Customer with reasonable evidence of its policies and guidelines upon request. Company’s personnel will receive training in the security and handling of Personal Data and will agree in writing to adhere to Company’s privacy and security guidelines and policies. Company will remain responsible for and liable for its personnel’s compliance with the terms of this Addendum.
2. Specific Safeguards and Reporting. Without limiting the generality of the foregoing, Company will perform appropriate risk assessments and maintain appropriate organizational controls, data confidentiality protections, and security procedures for, and vetting of, Company’s personnel (including contractors). In addition, with respect to those systems on which Personal Data is maintained, Company’s safeguards will include secure user authentication, secure access control measures, anonymization and encryption of Personal Data where appropriate, reasonable change management processes, regular monitoring and testing of the effectiveness of system security, highly available and redundant systems architecture, and the ability to restore availability and access to Personal Data in a reasonably practical time period when disrupted. Customer will have the right no more than once per year (unless in response to a Security Incident) to verify Company’s compliance with the terms of this Addendum by an audit or inspection by an independent third party, of Company’s facilities, systems, policies and other documentation on reasonable notice and without undue interference with Company’s normal course of business. All such information will be treated as Company’s confidential information as set forth in the Agreement.
3. Security Incidents. In the event of any Security Incident, Company will promptly investigate the Security Incident and will take all necessary and advisable actions to promptly contain, resolve, and repair the issues underlying the Security Incident and to prevent a recurrence or any further compromise. Company will provide notice to Customer within 72 hours of becoming aware of the Security Incident, which notice will summarize the effect on the Personal Data and the corrective action taken or to be taken by Company. In addition, within a reasonable period as determined by Customer, Company will provide detailed assurances to Customer concerning the steps taken to prevent of any further compromise of the security of the Personal Data. Company will not make any public announcement or filing concerning the Security Incident without Customer’s prior approval unless required by law or legal process. Company will promptly comply with all applicable Data Protection Laws and Customer’s direction in its response to the Security Incident, which may include the preparation and transmission of notifications or other communications to regulators, consumers, employees or others, in accordance with the time periods required by applicable Data Protection Law. Notwithstanding the foregoing, Customer will be entitled to take any reasonable steps Customer believes are necessary to respond to the Security Incident to further protect Customer, its employees, customers and others.

3. Deletion or Return of Personal Data

Following the completion of the Services, at Customer’s written request, Company shall return or delete Customer’s Personal Data, unless further storage of such Personal Data is required or authorized by applicable law. If Customer and Company have entered into SCCs, the parties agree that the certification of deletion of Personal Data that is described in Clause 8.1(d) and Clause 8.5 of the SCCs (as applicable) shall be provided by Company to Customer only upon Customer’s request.

4. Additional Commitments

Company and Customer agree to the commitments concerning the processing of Personal Data in Exhibit A (EEA, UK, and Swiss Data Protection Addendum and Security Addendum) and Exhibit B (US Privacy Law Data Protection and Security Addendum).

5. Cooperation

Upon request, each party will reasonably cooperate with the other in any activities contemplated by this Addendum.

6. Company’s Role as a Controller

The parties acknowledge and agree that with respect to Company Account Data and Company Usage Data, Company is an independent controller, not a joint controller with Customer. Company will process Company Account Data and Company Usage Data as a controller (i) to manage the relationship with Customer; (ii) to carry out Company’s core business operations, such as accounting, audits, tax preparation and filing and compliance purposes; (iii) to monitor, investigate, prevent and detect fraud, security incidents and other misuse of the Services, and to prevent harm to Customer; (iv) for identity verification purposes; (v) to so comply with legal or regulatory obligations applicable to the processing and retention of Personal Data to which Company is subject; and (vi) as otherwise permitted under Data Protection Laws and in accordance with this DPA and the Agreement. Company may also process Company Usage Data as a controller to provide, optimize, and maintain the Services, to the extent permitted by Data Protection Laws. Any processing by Company as a controller shall be in accordance with Company’s privacy policy as set forth at https://hapily.com/privacy.

7. Conflict

In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) the applicable terms in the Standard Contractual Clauses; (2) the terms of this Addendum; (3) the Agreement; and (4) Company’s privacy policy. Any claims brought in connection with this DPA will be subject to the terms and conditions, including, but not limited to, the exclusions and limitations set forth in the Agreement.

8. Miscellaneous

Company’s obligations under this Addendum shall survive the termination of the Agreement and the completion of all Services subject thereto. The jurisdiction of this Addendum shall be the jurisdiction set forth and agreed to in the Agreement. This Addendum, together with the Agreement, represent the entire agreement between the parties related to the Services rendered by Company to Customer. If any provision of this Addendum is held to be unenforceable, such provision will be reformed to the extent necessary to make it enforceable, and such holding will not impair the enforceability of the remaining provisions. This Addendum is binding upon successors and assigns of the parties. The failure by a party to exercise any right hereunder or to enforce strict performance of any provision of this Addendum will not waive such party’s right to exercise that or any other right in the future.

Exhibit A: EU Addendum

EEA, UK and Swiss Data Protection and Security Addendum

1. Certain Definitions

"Data Privacy Framework" ("DPF") means the EU-US Data Privacy Framework, the Swiss-US Data Privacy Framework and the UK Extension to the EU-US Data Privacy Framework self-certification programs (as applicable) operated by the US Department of Commerce; as may be amended, superseded or replaced.

"Data Privacy Framework Principles" means the Principles and Supplemental Principles contained in the relevant Data Privacy Framework, as may be amended, superseded or replaced.

"EU Data Protection Laws" means any privacy and data protection laws, statutes or regulations applicable to the Personal Data in question including, as applicable, the EU General Data Protection Regulation 2016/679 ("GDPR"), the EU e-Privacy Directive (Directive 2002/58/EC), the EU Universal services and E-privacy directives (Directive 2009/136), and any EU Member State laws made under or pursuant to the foregoing (in each case as may be amended, extended or re-enacted from time to time).

"Standard Contractual Clauses" or "SCC" shall mean the Standard Contractual Clauses annexed to European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (as may be amended from time to time).

"Sub-processor" means any third party (including any Company Affiliate) Processor engaged directly or indirectly by Company, which Processes any Personal Data. The term "Sub-processor" shall also include any third party appointed by Sub-processor, which Processes Personal Data.

"UK SCC Addendum" means the International Data Transfer Addendum to the EU Commission   Standard Contractual Clauses issued by the UK’s Information Commissioner’s Office under S119A(1) Data Protection Act 2018, as modified by the Information Commissioner’s office from time to time, available at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/.

The terms "controller", "personal data", "processor" and "processing" shall have the meaning given to them in the GDPR and "process", "processes" and "processed" shall be interpreted accordingly. Such terms are capitalized in this Addendum.

2. Processing
1. Company will, at all times during the Term of the Agreement, comply with the terms and conditions of this Addendum. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller and Company is the Processor.
2. Company will Process Personal Data as directed by Customer per the Agreement and solely on behalf of and for the benefit of Customer in compliance with the Agreement. Customer will have the exclusive authority to determine the purposes for and means of Processing the Personal Data. In connection with the provision of the Services and the Processing of Personal Data, Company will comply with (i) EU Data Protection Laws and (ii) all industry standards concerning data protection, privacy and information security. In addition, Company will not disclose Personal Data to any third party apart from Sub-processors authorized by Customer under this Addendum, unless required to do so under the EU Data Protection Laws to which Company is subject.

3. International Transfers of Data
1. To the extent that the processing of Personal Data by Company involves the transfer of such Personal Data from the European Economic Area ("EEA") to a country or territory outside the EEA, other than a country or territory that has received a binding adequacy decision as determined by the European Commission (an "EEA Transfer"), such EEA Transfer shall be subject to the protections and provisions of the Standard Contractual Clauses (for which the SCC Appendix is attached to this Addendum in Attachment B or other binding and appropriate transfer mechanisms that provide an adequate level of protection in compliance with Data Protection Laws.
2. Should the parties cease using the SCCs, such bring and appropriate transfer mechanisms may alternatively include (without limitation) transferring such data to a recipient in a country that has been designated by the European Commission, Switzerland or United Kingdom law (as applicable) as providing an adequate level of protection for Personal Data (as described in applicable EU Data Protection Laws), to a recipient that is self-certified to the Data Privacy Framework, or to a recipient that has achieved binding corporate rules authorization in accordance with applicable EU Data Protection Laws.
3. The controller to processor Standard Contractual Clauses shall apply to transfers under subsection (a) above and for these purposes, Company shall enter into the Standard Contractual Clauses on behalf of itself and its Affiliates located outside of Europe who are processing European Data as Sub-processors (collectively, for the purposes of the descriptions in the Standard Contractual Clauses, the "data importer") and Customer shall be the "data exporter". Module Two or Module Three of the SCC shall apply to the transfer depending on whether Customer is a controller of the Personal Data (for Module Two) or a processor of the Personal Data on behalf of its end customer(s) (for Module Three). If Module Three applies, Customer hereby notifies Company that Customer is a processor and the instructions shall be as set forth above. For purposes of Clauses 17 and 18 of the SCCs, the Parties select Ireland. If, in Customer's reasonable discretion, Company is not providing the same level of protection to the Personal Data as is required by the Data Privacy Framework or the Standard Contractual Clauses, Customer will notify Company and Company will cease processing the Personal Data.
4. Where Personal Data originating from the United Kingdom specifically is processed by Company outside of the United Kingdom, in a territory that has not been designated by the UK Information Commissioner’s Office as ensuring an adequate level of protection pursuant to Data Protection Laws, and to the extent such processing and transfer  would be subject to the SCC and Data Protection Laws applicable in the United Kingdom ("UK Data Protection Laws"), the Parties hereby incorporate the UK SCC Addendum by reference, and by signing this DPA, also enter into and agree to be bound by the Mandatory Clauses of the UK SCC Addendum. The parties agree the following information is relevant to Tables 1 – 4 of the UK SCC Addendum and that by changing the format and content of the Tables neither party intends to reduce the Appropriate Safeguards (as defined in the UK SCC Addendum). 
• Table 1: The parties’ details, key contacts, data subject contacts, and signatures are in the signature block of the DPA.
• Table 2: The selected SCCs, Modules and Selected Clauses are described in paragraph 3(c).
• Table 3: The list of parties, description of transfer, and list of Sub-processors are described in Annex 1 and Annex 3. The Technical and Organizational measures to ensure the security of the data are described in Annex 2. 
• Table 4: Neither party may end the UK SCC Addendum.

For purposes of Clauses 17 and 18 of the SCCs, the Parties select the United Kingdom.

1. To the extent that Personal Data is protected by Swiss Federal Data Protection Act ("Swiss DPA"), the EU SCCs will apply in accordance with Section 3(c), with the following modifications (i) references to "Regulation (EU) 2016/679" will be interpreted as references to the Swiss DPA; (ii) references to "EU", "Union" and "Member State law" will be interpreted as references to Swiss law; and (iii) references to the "competent supervisory authority" and "competent courts" will be replaced with the "Swiss Federal Data Protection and Information Commissioner" and the "relevant courts in Switzerland".

4. Third Party Transfers
1. Company will not share, transfer, disclose or otherwise provide access to any Personal Data to any third party, including Sub-processors, or subcontract any of its rights or obligations under the Agreement (each, a "Third Party Transfer") without the prior written consent of Customer. Where Customer consents to such Third Party Transfer, Company will ensure the applicable third party is subject to contractual duties and obligations that comply with applicable EU Data Protection Laws and are at least as strict as those contained in this Addendum. Company is and shall remain responsible for and be liable for the acts of any Sub-processor in connection with Personal Data.
2. Customer authorizes the Company to engage the Sub-processors listed in Annex III ("Sub-processor List"). Company shall inform Customer of any addition or replacement of such Sub-processors giving Customer an opportunity to object to such changes. If Customer timely sends Company a written objection notice, setting forth a reasonable basis for objection, the Parties will make a good-faith effort to resolve Customer’s objection. In the absence of a resolution, the Company will make commercially reasonable efforts to provide Customer with the same level of service described in the Agreement, without using the Sub-processor to process Customer’s Personal Data. If Company’s efforts are not successful within a reasonable time, each Party may terminate the portion of the service which cannot be provided without the Sub-processor, and Customer will be entitled to a pro-rated refund of the applicable service fees.

5. Response to Inquiries

Company will notify Customer promptly in writing of any inquiry from any third party, including, to the extent not prohibited by law or legal process, receipt of any judicial or administrative order or request from a data subject concerning the Processing of Personal Data and will not respond to such request without the prior written consent of Customer. To the extent permitted by law or legal process, Company will follow all of Customer’s reasonable instructions with respect to such requests, including providing status updates and other information as requested by Customer. In the event that a data subject makes a valid request under applicable EU Data Protection Laws to delete or opt-out of Customer’s sale or provision of Personal Data to Company, Company shall reasonably assist Customer in honoring such request in compliance with such applicable laws. Company will cooperate with and provide reasonable assistance to Customer in any legal response or other procedural action taken by Customer in connection with any third party inquiry, at Customer’s expense.

6. Data Protection Impact Assessments

Taking into account the nature of the Processing and Personal Data made available to Company under the Agreement, Company will, where required of Company by EU Data Protection Laws, provide reasonable assistance to Customer to carry out any data protection impact assessments and consultations with data protection authorities that are required to be carried out by Customer under EU Data Protection Laws.

Exhibit B: US Privacy Law Addendum

US Privacy Law Data Protection and Security Addendum

Pursuant to the Agreement, and in furtherance of obligations under the California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100 to 1798.199) and its implementing regulations, as amended or superseded from time to time ("CCPA"), and Additional US States Protection Law (as defined below), the parties hereby adopt this US Privacy Law Addendum for so long as Company maintains Personal Information (as defined below) on behalf of Customer. This US Privacy Law Addendum prevails over any conflicting terms of the Agreement, but does not otherwise modify the Agreement.

California (the "California Addendum")

1. Definitions

For the purposes of this California Addendum, the capitalized terms used in this Addendum and not otherwise defined in this Addendum shall have the definitions set forth in the CCPA.

2. Roles and Scope

This California Addendum applies to the collection, retention, use, disclosure, and sale of Personal Information provided by Customer to Company ("the Personal Information") to provide the Services to Customer pursuant to the Agreement. Except with respect to Company Account Data and Company Usage Data (as defined in the DPA), the parties acknowledge and agree that Company is a "Service Provider" for purposes of the CCPA (to the extent it applies).

3. Restrictions on Processing

Company is prohibited from retaining, using, or disclosing the Personal Information for any purpose other than for the specific purpose of performing the Services as specified in the Agreement for Customer, as set out in this Addendum, or as otherwise permitted by the CCPA. Company shall not further collect, sell, or use the Personal Information except as necessary to perform the Business Purpose.

Company shall not Sell or Share Personal Information provided by Customer under the Agreement, as the terms "sell" or "share" are defined in the CCPA, as amended. Company will not collect, retain, use or disclose Personal Information provided by Customer: (i) for targeted and/or cross-context behavioral advertising, (ii) outside the business purposes specified in the Agreement, or (iii) outside the direct business relationship with Customer. Company shall not combine Personal Information provided by Customer with other data if and to the extent this would be inconsistent with limitations on Service Providers under the CCPA or other laws.

4. Consumer Rights

Company shall provide reasonable assistance to Customer in facilitating compliance with Consumer rights requests. Upon direction by Customer, and in any event no later than 30 days after receipt of a request from Customer, Company shall promptly delete the Personal Information as directed by Customer. Company shall not be required to delete any of the Personal Information to comply with a Consumer’s request directed by Customer if it is necessary to maintain such information in accordance with Cal. Civ. Code 1798.105(d), in which case Company shall promptly inform Customer of the exceptions relied upon under 1798.105(d) and Company shall not use the Personal Information retained for any other purpose than provided for by that exception.

5. Deidentified Information

In the event that either party shares Deidentified Information with the other party, the receiving party warrants that it: (i) has implemented technical safeguards that prohibit reidentification of the Consumer to whom the information may pertain; (ii) has implemented business processes that specifically prohibit reidentification of the information; (iii) has implemented business processes to prevent inadvertent release of Deidentified Information; and (iv) will make no attempt to reidentify the information.

6. Mergers, Sales, or Other Asset Transfers

In the event that either party transfers to a Third Party the Personal Information of a Consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the Third Party assumes control of all or part of such party to the Agreement, that information shall be used or shared consistently with applicable law. If a Third Party materially alters how it uses or shares the Personal Information of a Consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the Consumer in accordance with applicable law.

7. As Required by Law

Notwithstanding any provision to the contrary of the Agreement or this California Addendum, Company may cooperate with law enforcement agencies concerning conduct or activity that it reasonably and in good faith believes may violate federal, state, or local law.

Additional US States Addendum ("Virgina, Colorado, Connecticut, Utah & Other States")

1. Definitions

For purposes of this section Additional US States Addendum, the terms "Consumer," "Controller," "Personal data," "Processing," and "Processor" shall have the meanings set forth in the Additional US States Data Protection Laws. All references to "Data Subject" shall be deemed to be references to "Consumer" as defined in the Additional US States Data Protection Laws.

"Additional US States Data Protection Law" means the Colorado Privacy Act of 2021 ("CPA"); the Virginia Consumer Data Protection Act of 2021 ("VCDA"); the Connecticut Data Privacy Act ("CTDPA"), the Utah Consumer Privacy Act of 2022, as amended ("UCPA"), and any other US state laws that may be enacted that adheres to the same of substantially the same requirements of the above laws in this definition. 

2. Roles and Scope

Except with respect to Company Account Data and Company Usage Data (as defined in this DPA), the parties acknowledge and agree that Customer is a Controller and Company is a Processor for the purposes of the Additional US States Data Protection Laws (to extent it applies). The nature, purpose, and duration of Processing, as well as the types of Personal Data and categories of Consumers are described in Annex 1 to this DPA.

3. Restrictions On Processing

The nature, purpose, and duration of Processing, as well as the types of Personal Data and categories of Consumers are described in Annex 1 to this DPA. In the event that Company engages a new sub-processor to assist Company in providing the Services to Customer under the Agreement, Company shall enter into a written contract with the sub-processor requiring sub-processor to observe all of the applicable requirements of a Processor set forth in the Additional US States Data Protection Laws.

4. Obligations

Company shall adhere to Customer’s instructions with respect to the Processing of Customer Personal Data and shall assist Customer in meeting its obligations under the Specific US State Data Protection Laws by: (1) assisting Customer in responding to Consumer rights requests under the Additional US States Data Protection Law as set forth in section 6 of the DPA; (2) complying with section 3 ("Security") of the DPA with respect to Personal Data provided by Customer; (3) in the event of a Personal Data Breach, providing information sufficient to enable Customer to meet its obligations pursuant to the Additional US States Data Protection Laws; and (4) providing information sufficient to enable the Customer to conduct and document data protection assessments to the extent required by the Additional US States Data Protection Laws. Company shall maintain the confidentiality of Personal Data provided by Customer and require that each person Processing such Personal Data be subject to a duty of confidentiality with respect to such Processing.

5. Consumer Rights

Upon Customer’s written request, Company shall delete or return all Personal Data provided by Customer in accordance with section 4 of the DPA, unless retention of such Customer Personal Data is required or authorized by law or the DPA and/or Agreement.

6. Audit Rights

Upon Customer’s written request at reasonable intervals, Company shall, as set forth in section 3(b) of the DPA, (i) make available to Customer all information in its possession that is reasonably necessary to demonstrate Customer’ compliance with its obligations under the Additional US States Data Protection Law; and (ii) allow and cooperate with reasonable inspections or audits as required under the Additional US States Data Protections.

Attachment A: Security Measures

Description of the technical and organisational security measures implemented by the data importer:

1. Personnel

Company personnel will not process Customer’s Personal Data without authorization. Personnel are obligated to maintain the confidentiality of any Personal Data in accordance with the Agreement.

2. Technical and Organizational Measures

Company has implemented, and will continue to maintain, appropriate physical, technical and administrative controls and procedures intended to protect Personal Data against accidental loss, destruction, alteration or unauthorized disclosure or access.

Attachment B: Standard Contractual Clauses

ANNEX 1

1. List of Parties

Data Exporter:

• Name: The party to the Stripe Services Agreement with Stripe or its Affiliate (as applicable).
• Address: The data exporter’s address.
• Contact person’s name, position and contact details: The name, position and contact details provided by the data exporter.
• Activities relevant to the data transferred under these Clauses: Processing Personal Data in connection with the data exporter’s use of the Services under the Stripe Services Agreement.
• Role (controller/processor): Controller
• Signature and date: By using the Services to transfer Personal Data to the data importer, the data exporter will be deemed to have signed this Annex I.

Data Importer:

• Name:  A8 Ventures, Inc., dba "hapily"
• Address: 1 North 4th Place, #34K, Brooklyn NY, 11249
• Contact details: hapily Privacy Team, privacy@hapily.com
• Activities relevant to the data transferred under these Clauses: Processing Personal Data in connection with the data exporter’s use of the Services under the Agreement.
• Role (controller/processor): Processor
• Signature and date: The data importer will be deemed to have signed this Annex I on the transfer of Personal Data by the data exporter in connection with the Services.

2. Description of Transfer
1. Categories of Data subjects whose personal data is transferred:

Any individual accessing and/or using the Services through the Customer’s account ("Users"); and any individual whose information is stored or collected via the Services.  

2. Categories of personal data transferred:

Company processes personal data contained in Company Account Data, Company Usage Data and any Personal Data provided by Customer (including any Personal Data Customer collects from its end users and processes thoughts is use of the Services) or collected by Company in order to provide the Services or as otherwise set forth in the Agreement or this DPA. Categories of Personal Data include identification and contact data (name, address, title, contact details, username); financial information (account details, excluding credit card information; transaction information); employment details (employer, job title geographic location, area of responsibility) or any additional Personal Data Provided by Customer.

3. Sensitive categories of data (if appropriate):  

None

4. Purposes of the data transfer and further Processing:

Company will process Customer’s Personal Data as necessary to provide the Services under the Agreement, for the purposes specified in the Agreement and this DPA, and in accordance with Customer’s instruction as set forth in this DPA.

5. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:  

Company will process Customer’s Personal Data as long as required (i) to provide the Services to Customer under the Agreement; (ii) for Company’s legitimate business needs; or (iii) by applicable law or regulation. Company Account Data and Company Usage Data will be processed and stored as set forth in Company’s privacy policy.

3. Competent Supervisory Authority

If Customer is established in an EU Member state, the competent supervisory authority shall be the supervisory authority applicable to the establishment location of Customer. If Customer is not established in an EU Member state, the competent supervisory authority shall be the supervisory authority located where Customer has appointed its EU Representative. If Customer is not established in an EU Member state and is not required to appoint an EU Representative, the competent supervisory authority shall be the supervisory authority applicable to the location of the Data Subject whose data is at issue.

ANNEX 2

Description of the technical and organisational security measures implemented by the data importer:

1. Personnel

Company personnel will not process Customer’s Personal Data without authorization. Personnel are obligated to maintain the confidentiality of any Personal Data in accordance with the Agreement.

2. Technical and Organizational Measures

Company has implemented, and will continue to maintain, appropriate physical, technical and administrative controls and procedures intended to protect Personal Data against accidental loss, destruction, alteration or unauthorized disclosure or access.

ANNEX 3: List of Sub-Processors

The following Sub-Processors are authorized by the data controller to process customer data, which may contain personally identifiable information, in order to provide and operate the services to which data controller has subscribed to under the Agreement.

On commencement of the Agreement, the data controller authorizes the engagement of the sub-processors listed on the Zaybra Security page.