Data Processing Addendum

    1. Scope, Order of Precedence, and Term

        This Data Processing Addendum (“DPA”) is part of the ExpressPlay Agreement between Intertrust Cloud Services Company (ICSC) and COMPANY, the signatory to the Agreement. By entering into the Agreement, the Company enters into this DPA.
      1. This DPA is part of any and all agreements, purchase orders, statements of work and other contractual documents between COMPANY and ICSC (individually and collectively, the “Agreement”). COMPANY and ICSC are individually a “party” and, collectively, the “parties.”
      2. The effective date of the DPA is the date of the Agreement, or the date that COMPANY first begins using the Services, whichever is earlier.
      3. This DPA applies only to the extent that ICSC receives, stores, or processes Personal Data in connection with the Services.
      4. In the event of a conflict between this DPA and the Agreement, the DPA will control to the extent necessary to resolve the conflict. In the event the parties use an International Data Transfer Mechanism and there is a conflict between the obligations in that International Data Transfer Mechanism and this DPA, the International Data Transfer Mechanism will control.
      5. The term of this DPA is coterminous with the Agreement, except for obligations that survive past termination as specified below.
      6. ICSC may update the terms of this DPA from time to time, provided, however, that ICSC will provide at least thirty (30) days’ prior written notice to COMPANY of any update. Updates may be required as a result of (a) changes in Data Protection Law; (b) a merger, acquisition, or other similar transaction; or (c) the release of new products or services or material changes to any of the existing Services.
      7. The Parties acknowledge that this DPA includes additional or distinct confidentiality, information security, and use obligations with respect to certain categories of information. In the event of any conflict between the obligations and restrictions set forth in this DPA and those set forth in the Agreement, the terms of this DPA shall apply.
    2. DEFINITIONS

      1. Capitalized terms not defined in this DPA will have the meanings set forth in the Agreement, to the extent that meanings for such capitalized terms are set forth in the Agreement.
      2. Capitalized terms for which meanings are not set forth below in this section and which are defined in the European Union General Data Protection Regulation (GDPR) shall have the meanings set forth in said GDPR.
      3. Certain common terms are defined, but not capitalized, for ease of reading.
      4. “Business,” “Sale,” “Service Provider,” and “Third Party” have the definitions given to them in the California Consumer Privacy Act (CCPA).
      5. The following terms have the meanings set forth below.
      6. “Aggregated Data” means information that relates to a group or category of data subjects, from which individual data subject identities have been removed, that is not linked and cannot reasonably be linked to any individual data subject.
      7. “consent” means a data subject’s freely given, specific, informed, and unambiguous indication of the data subject’s wishes by a statement or by a clear affirmative action signifying agreement to the processing of personal data relating to him or her.
      8. “Controller” means the entity that determines the purposes and means of the processing of personal data. “Controller” includes analogous terms in other Data Protection Law, such as the CCPA-defined term “Business” or “Third Party,” as context requires.
      9. “Data Exporter” means the party that (1) has a corporate presence or other stable arrangement in a jurisdiction that requires an International Data Transfer Mechanism and (2) transfers personal data, or makes personal data available to, the Data Importer. This term also describes a party that receives personal data from a third party and further discloses that personal data to the Data Importer (an “onward transfer”). For example, if COMPANY obtains personal data from a third party, located in the EEA, and then further discloses that personal data to ICSC in the United States, then the disclosure from COMPANY to ICSC is a transfer of personal data from a Data Exporter (COMPANY) to a Data Importer (ICSC).
      10. “Data Importer” means the party that is (1) located in a jurisdiction that is not the same as the Data Exporter’s jurisdiction and (2) receives personal data from the Data Exporter or is able to access personal data made available by the Data Exporter. This term includes a party that receives personal data from the Data Exporter in an onward transfer.
      11. “Data Protection Law” means all data protection and privacy laws applicable to the processing of personal data under the Agreement, including Regulation (EU) 2016/679 (General Data Protection Regulation) (“GDPR”), UK Data Protection Act 2018 (c. 12) (UK GDPR), and Cal. Civ. Code 100 et seq. (California Consumer Privacy Act) (“CCPA”).
      12. “data subject” means an identified or identifiable natural person.
      13. “De-identified Data” means a data set that does not contain any personal data. Aggregated data is De-identified Data. To “De-identify” means to create De-identified Data from personal data.
      14. “EEA” means the European Economic Area.
      15. “Inquiry” means any type of request (including a request to obtain a copy of personal data) or inquiry related to the Services from a governmental, legislative, judicial, law enforcement, or regulatory authority (e.g. the Federal Trade Commission, the Attorney General of a U.S. state, a European data protection authority, a law enforcement authority, or an agency that is part of a government’s surveillance or intelligence apparatus); or an actual or potential claim, inquiry, or complaint in connection with the parties’ processing of personal data.
      16. “International Data Transfer Mechanism” means the special protections that some jurisdictions require two or more parties that transfer information across international borders to adopt to make the transfer lawful, e.g., Standard Contractual Clauses, Binding Corporate Rules, or statutory obligations that require the parties to adopt certain technical, organizational, or contractual measures. “Transfer,” in the context of an International Data Transfer Mechanism, means to disclose or move personal data from a storage location in one jurisdiction to another, or to permit a party in one jurisdiction to access personal data that the other party stores in another jurisdiction that requires an International Data Transfer Mechanism.
      17. “personal data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a data subject. “Personal Data” includes the subject matter within the definitions of analogous terms in any Data Protection Law, including the CCPA-defined term “Personal Information,” as context requires.
      18. “personnel” means a party’s employees, agents, temporary workers, or contractors.
      19. “process” or “processing” means any operation or set of operations that a party performs on data, including collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
      20. “Processor” means an entity that processes personal data on behalf of another entity. “Processor” includes the subject matter within the definitions of analogous terms in any Data Protection Law, including the CCPA-defined term “Service Provider,” as context requires.
      21. “Pseudonymized Data” means information that cannot be attributed to a specific individual without the use of additional information, provided that such additional information is kept separately and subject to appropriate technical and organizational measures to ensure that it is not identified to the individual.
      22. “Security Incident” means a suspected or confirmed event that is related to ICSC information systems or the processing of personal data by ICSC or its sub-processors in connection with the Agreement, that could cause or has caused an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to data, or an event that qualifies as a reportable data breach under applicable Data Protection Law.
      23. “Sensitive Data” means the following types and categories of data: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data; biometric data; data concerning health, including protected health information governed by the Health Insurance Portability and Accountability Act; data concerning a natural person’s sex life or sexual orientation; government identification numbers (e.g., SSNs, driver’s license); payment card information; nonpublic personal information governed by the Gramm-Leach-Bliley Act; an unencrypted identifier in combination with a password or other access code that would permit access to a data subject’s account; and precise geolocation.
      24. “Sub-processor” means a Processor engaged by a party who is acting as a Processor.
    3. DESCRIPTION OF THE PARTIES’ PERSONAL DATA PROCESSING ACTIVITIES AND STATUSES OF THE PARTIES

      1. Schedule 1 describes the purposes of the parties’ processing, the types or categories of personal data involved in the processing, and the categories of data subjects affected by the processing.
      2. Schedule 1 lists the parties’ statuses under relevant Data Protection Law for each processing activity relevant to the Services.
    4. INTERNATIONAL DATA TRANSFER

      1. Before COMPANY transfers personal data to ICSC, or permits ICSC to access personal data located in a jurisdiction that requires an International Data Transfer Mechanism, COMPANY will notify ICSC of the relevant requirement and the parties will work together in good faith to fulfill the requirements of that International Data Transfer Mechanism.
      2. The parties will comply with any International Data Transfer Mechanism that may be required by applicable Data Protection Law. The parties agree to abide by the transfer mechanisms in Schedule 1, which describe the International Data Transfer Mechanisms that the parties anticipate using at the outset of the Agreement.
      3. If the International Data Transfer Mechanism on which the parties rely is invalidated or superseded, the parties will work together in good faith to find an alternative. If the parties are unable to find an alternative within 60 days, or another period as agreed in writing, either of them may terminate the Agreement.
    5. DATA PROTECTION GENERALLY

      1. Compliance. The parties will comply with their respective obligations under Data Protection Law.
      2. ICSC’s Lawful Basis of Processing of Personal Data. COMPANY represents and warrants that it has the consent or other lawful basis necessary to collect and transfer to ICSC all personal data used or transferred in connection with the Services. COMPANY represents and warrants that it will not send (or cause to be sent) Sensitive Data to ICSC. If a data subject revokes consent to ICSC’s processing of their personal data, or otherwise exercises a right to opt out or object, then, consistent with its obligations under Data Protection Law, COMPANY will be responsible for ceasing disclosure of that data subject’s personal data to ICSC (if that would be the result of compliance with the data subject’s request).
      3. Cooperation.
        • Data Subject Requests. The parties will provide each other with reasonable assistance to enable each to comply with their obligations to respond to data subjects’ requests to exercise the rights to which those data subjects may be entitled under Data Protection Law.
        • Governmental and Investigatory Requests. If either party receives or becomes aware of an Inquiry, the receiving party will notify the other party without undue delay, unless such notification is prohibited by applicable law, and if the Inquiry is a request for a copy of personal data, seek to limit its response to only the personal data necessary to fulfill the Inquiry. If notification is prohibited by applicable law, the receiving party will use reasonable efforts to obtain a waiver of the prohibition. In any event, the receiving party will document the Inquiry (including any reasons why it is unable to provide relevant information to the other party), be prepared to make such documentation available to a relevant governmental authority and retain such documentation at least for the duration of the Agreement, unless doing so is prohibited by applicable law or regulation. If requested by the receiving party, the other party will provide the receiving party with information relevant to the Inquiry to enable the receiving party to respond to the Inquiry.
        • Other Requirements of Data Protection Law. Upon request, the parties will provide relevant information to each other to fulfill their respective obligations (if any) to conduct data protection impact assessments or prior consultations with data protection authorities.
      4. Confidentiality. The parties will ensure that their employees, independent contractors, and agents are subject to an obligation to keep personal data confidential and have received training on data privacy and security that is commensurate with their responsibilities and the nature of the personal data.
      5. De-identified, Anonymized, or Aggregated Data. The parties may create Anonymized Data, Aggregated Data, or De-identified Data from personal data and process the Anonymized Data, Aggregated Data, or De-identified Data for any purpose.
      6. Retention. A party will retain personal data for as long as it has a business purpose or for the longest time allowable by applicable law.
    6. DATA SECURITY

      1. Security Controls. Each party will maintain a written information security policy that defines security controls that are based on the party’s assessment of risk to personal data that the party processes and the party’s information systems. When a party chooses security controls, it will consider the state of the art; cost of implementation; the nature, scope, context, and purposes of personal data processing; and the risk to data subjects of a security incident or Personal Data Breach affecting personal data. ICSC’s security controls are described in Schedule 2.
    7. ICSC’S OBLIGATIONS AS A PROCESSOR, SUBPROCESSOR, OR SERVICE PROVIDER

      1. ICSC will have the obligations set forth in this Section 7 if it processes the personal data of data subjects in its capacity as COMPANY’s Processor or Service Provider; for clarity, these obligations do not apply to ICSC in its capacity as a Controller, Business, or Third Party, to the extent, if any, to which it acts in such role.
      2. Scope of Processing.
        • ICSC will process personal data solely to provide Services to COMPANY and carry out its obligations under the Agreement and COMPANY’s instructions, which are contained in the Agreement and this DPA. ICSC will not process personal data for any other purpose, unless required by applicable law. ICSC will notify COMPANY if it believes that it cannot follow COMPANY’s instructions or fulfill its obligations under the Agreement because of a legal obligation to which it is subject, unless ICSC is prohibited by law from making such notification.
        • ICSC is prohibited from: (a) Selling personal data; (b) retaining, using, or disclosing personal data for any purpose other than for the specific business purpose of performing COMPANY’s documented instructions for the business purposes defined in this Agreement, including retaining, using, or disclosing the personal data for a commercial purpose other than performing COMPANY’s instructions; or (c) retaining, using, or disclosing the personal data outside of the direct business relationship between the parties as defined in this Agreement. ICSC certifies that it understands these restrictions.
        • COMPANY agrees that ICSC may De-identify personal data and use such data for ICSC’s own commercial purposes; provided that to the extent ICSC fails to fully De-identify personal data and continues to process it, ICSC will be a Controller with respect to such personal data and agrees that, notwithstanding anything to the contrary in the Agreement, COMPANY will have no liability for ICSC’s processing of such data.
        • Regardless of the foregoing prohibitions, the parties agree that ICSC may, and COMPANY instructs ICSC to, process personal data for the following activities that are necessary to support the Services: detect data security incidents; protect against fraudulent or illegal activity; effectuate repairs; and maintain or improve the quality of the Services.
        • Processing any personal data outside the scope of the Agreement will require prior written agreement between ICSC and COMPANY by way of written amendment to the Agreement.
        • With regard to processing subject to the CCPA, ICSC will not combine the personal data received by ICSC pursuant to the Agreement with personal data received outside of the scope of the Agreement.
      3. Data Subjects’ Requests to Exercise Rights. ICSC will promptly inform COMPANY if ICSC receives a request from a data subject to exercise their rights with respect to their personal data under applicable Data Protection Law. COMPANY will be responsible for responding to such requests. ICSC will not respond to such data subjects except to acknowledge their requests. ICSC will provide COMPANY with commercially reasonable assistance, upon request, to help COMPANY to respond to a data subject’s request.
      4. ICSC’s Sub-processors.
        • Existing Sub-processors. COMPANY agrees that ICSC may use the Sub-processors listed in Exhibit 1.
        • Use of Sub-processors. COMPANY grants ICSC general authorization to engage sub-processors if ICSC and those sub-processors enter into an agreement that requires the sub-processor to meet obligations that are similar to the protections of this DPA (including any applicable International Data Transfer Mechanism) and include at least the following elements: the sub-processors are prohibited from (1) processing personal data for any purpose other than carrying out ICSC’s obligations under this Agreement, (2) Selling personal data; (3) retaining, using, or disclosing personal data for any purpose other than for the specific business purpose of performing COMPANY’s documented instructions for the business purposes defined in this Agreement, including retaining, using, or disclosing the personal data for a commercial purpose other than performing COMPANY’s instructions; or (4) retaining, using, or disclosing the personal data outside of the direct business relationship between the parties as defined in this Agreement.
        • Notification of Additions or Changes to Sub-processors. ICSC will notify COMPANY of any additions to or replacements of its sub-processors at the address provided for notice to the Company in relation to the Agreement and make that list available on COMPANY’s request. ICSC will provide COMPANY with at least 30 days to object to the addition or replacement of sub-processors in connection with ICSC’s performance under the Agreement, calculated from the date ICSC provides notice to COMPANY. If COMPANY reasonably objects to the addition or replacement of ICSC’s sub-processor, ICSC will immediately cease using that sub-processor in connection with ICSC’s Services under the Agreement, and the parties will negotiate in good faith to resolve the matter. If the parties are unable to resolve the matter within 15 days of COMPANY’s reasonable objection (which deadline the parties may extend by written agreement), COMPANY may terminate the Agreement and/or any statement of work, COMPANY purchase order or other written agreements. The parties agree that ICSC has sole discretion to determine whether COMPANY’s objection is reasonable; however, the parties agree that COMPANY’s objection is presumptively reasonable if the sub-processor is a competitor of COMPANY and COMPANY has a reason to believe that competitor could obtain a competitive advantage from the personal data ICSC discloses to it, or COMPANY anticipates that ICSC’s use of the sub-processor would be contrary to law applicable to COMPANY.
        • Liability for Sub-processors. ICSC will be liable for the acts or omissions of its sub-processors to the same extent as ICSC would be liable if performing the services of the sub-processor directly under the DPA.
      5. Security Incident.
        • ICSC will notify COMPANY without undue delay but no later than twenty-four (24) hours of a Security Incident affecting any data ICSC processes in connection with the Agreement. Notifications will be delivered to COMPANY contact information as provided pursuant to the Agreement.
        • ICSC will provide COMPANY with the following information about the Security Incident as soon as practicable and on an ongoing basis until the Security Incident has been contained: (a) the nature of the Security Incident; (b) the number and categories of data subjects and data records affected; (c) the name and contact details for the relevant contact person at ICSC; and (d) information necessary for COMPANY to fulfill any obligations it has to investigate or notify authorities, except that ICSC reserves the right to redact information that is confidential or competitively sensitive.
        • Immediately following ICSC’s notification, the parties will coordinate with each other to investigate the Security Incident. ICSC agrees to reasonably cooperate with COMPANY in the conduct of its investigation, including making available all relevant records, logs, files, data reporting and other materials required to comply with applicable law, regulation, industry standards or as otherwise reasonably required by COMPANY.
        • ICSC will take reasonable steps to identify the root cause of any Security Incident and take reasonable steps to prevent any further Security Incident, at Service Provider’s expense, in accordance with applicable privacy rights, laws, regulations, and standards.
      6. Deletion and Return of Personal Data. At the expiration or termination of the Agreement and upon written request by COMPANY to ICSC (which may occur via email to the E-mail address for notice to ICSC in relation to the Agreement), ICSC will, without undue delay, (i) return all COMPANY personal data (including copies thereof) to COMPANY and/or (ii) destroy all COMPANY personal data (including copies thereof), unless applicable law requires otherwise or the parties otherwise expressly agree in writing. For any COMPANY personal data that ICSC retains after expiration or termination of this Agreement (for example, because ICSC is legally required to retain the information), ICSC will continue to comply with the data security and privacy provisions of this DPA and ICSC will De-identify such personal data (if any) to the extent feasible and consistent with the requirements or agreements referenced in this paragraph.
      7. Audits.
        • Scope. The terms of this Section 7.7 apply notwithstanding anything to the contrary. COMPANY agrees that ICSC’s obligations under this Section 7.7 are limited to the personal data ICSC processes in connection with the Services pursuant to the Agreement.
        • Request. Upon written request that includes a statement of reasons for the request, ICSC will make available to COMPANY applicable documentation that is responsive to COMPANY’s reasonable request, including third-party audit reports or certifications to the extent they are available. To the extent that such audit reports or certifications do not satisfy COMPANY’s reasonable request, ICSC will provide COMPANY or COMPANY’s designated third party (which COMPANY agrees may not be a competitor to ICSC) with the information and reasonable and commensurate access to facilities necessary to demonstrate compliance with Data Protection Law.
        • Access to Facilities. If COMPANY is entitled to access to ICSC’s facilities pursuant to the provisions of this Subparagraph 7.7 (the “Inspection”), COMPANY will provide ICSC with written notice at least 60 days in advance. Such written notice will specify the things, people, places, or documents to be made available, and justify the need for such availability. Such written notice, and anything produced in response to it (including any derivative work product such as notes of interviews), will be considered confidential information and will remain confidential information in perpetuity or the longest time allowable by applicable law after termination of the Agreement. Such materials and derivative work product produced in response to the Inspection will not be disclosed to anyone without the prior written permission of ICSC unless such disclosure is required by applicable law. If disclosure is required by applicable law, COMPANY will give ICSC prompt written notice of that requirement and, if feasible, an opportunity to seek a protective order to prohibit or restrict such disclosure except to the extent such notice is prohibited by applicable law or order of a court or governmental agency. COMPANY agrees to negotiate in good faith with ICSC before seeking to exercise the right to conduct an audit or on-site inspection more frequently than once per twelve (12) month period. COMPANY will make every effort to cooperate with ICSC to schedule the Inspection at a time that is convenient to ICSC. COMPANY agrees that if it uses a third party to conduct the Inspection, the third party will sign a non-disclosure agreement. COMPANY agrees that the Inspection will only examine ICSC’s architecture, systems, policies, records of processing, data protection impact assessments, and procedures relevant to its obligations as set forth in the Agreement and the processing of personal data carried out by ICSC to provide the Services to COMPANY. 
          COMPANY agrees that ICSC shall be allowed to protect or redact the names and identifying or proprietary information of other ICSC customers during the Inspection.
      8. ICSC’s and its Affiliates’ liability arising out of or related to this DPA, and all DPAs between COMPANY and ICSC, whether in contract, tort, or under any other theory of liability, is subject to the ‘Limitation/ Exclusions of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.

Schedule 1: Description of the Processing; Sub-processors; Jurisdiction-Specific Clauses

    1. DESCRIPTION OF THE PROCESSING

      1. Scope and Roles. This DPA applies when Personal Data is Processed by ICSC on behalf of Company, as part of ICSC’s provision of the Services. For processing subject to the GDPR or UK GDPR, Company is the data Controller and ICSC is the data Processor. For processing that is subject to the CCPA, Company is the Business and ICSC is the Service Provider.
      2. Subject Matter, Duration, Nature, and Purpose of Processing. ICSC Processes Company’s Personal Data to fulfill ICSC’s obligations under the Agreement.
      3. Type of Personal Data and Categories of Data Subjects. The personal data processed by ICSC in the course of performing their obligations under the Agreement may include E-mail addresses, names, telephone numbers and other contact information, IP addresses, user identification numbers, content identification numbers, device identification numbers, and any other personal data that the Company may provide to ICSC in the course of the performance by the parties of their obligations under the Agreement. The data subjects may include ICSC personnel, Company personnel, and end-users of the services provided by the Company.
      4. Company’s Instructions for Processing of Personal Data. Company shall only instruct that Personal Data be Processed as permitted by applicable Data Protection Laws. ICSC will only Process Personal Data at the instruction of the Company. Company instructs ICSC to Process Personal Data for the following purposes: (i) to provide the Services in accordance with the Agreement; (ii) to comply with other reasonable instructions by Company that are consistent with the Agreement and applicable Data Protection Laws; (iii) to anonymize Personal Data; and (iv) to comply with any applicable laws to which ICSC is subject, including any requirements or orders of a court of competent jurisdiction or other competent governmental or quasi-governmental authority.
      5. Company’s instructions for the Processing of Personal Data shall comply with applicable Data Protection Laws. Company shall have sole responsibility for the accuracy, quality, and legal basis for its acquisition and instructions on the Processing of the Personal Data processed by ICSC pursuant to the Agreement and this DPA. Without limitation, Company will provide all necessary notices to relevant Data Subjects, including a description of the Services, and secure all necessary permissions and consents, or other applicable lawful grounds for Processing Personal Data pursuant to this DPA, and shall indemnify, defend, and hold harmless ICSC against any claim, damages, or fine against ICSC arising from any failure to acquire or use the Personal Data with legal consent, legitimate business purpose, or other legal basis, or in violation of any data protection law or regulation. ICSC will inform Company if, in ICSC’s opinion, processing pursuant to an instruction would violate any provision under any Data Protection Laws, in which event ICSC will be under no obligation to follow such instruction.
      6. No Sale of Personal Data. ICSC certifies that it will not sell any personal data subject to the CCPA and that is transferred to ICSC pursuant to the Agreement, without Company’s prior written consent.
      7. Sensitive Data. The Parties agree that the Services are not intended for the processing of Sensitive Data, and that Company will not expose any sensitive data to ICSC without first obtaining ICSC’s explicit prior written consent.
    2. JURISDICTION-SPECIFIC OBLIGATIONS AND INFORMATION FOR INTERNATIONAL TRANSFERS

      1. Generally. The parties agree that, for any jurisdiction not listed below that requires an International Data Transfer Mechanism, they hereby enter into and agree to be bound by the EEA Standard Contractual Clauses for transfers of personal data from that jurisdiction unless (1) the parties otherwise agree in writing or (2) a jurisdiction promulgates its own International Data Transfer Mechanism, in which case the parties hereby agree to negotiate an update to this DPA to incorporate such International Data Transfer Mechanism.
      2. European Economic Area.
        • “EEA Standard Contractual Clauses” means the European Union standard contractual clauses for international transfers from the European Economic Area to third countries, Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
        • For transfers from the EEA that are not subject to an adequacy decision or exception, the parties hereby incorporate the EEA Standard Contractual Clauses by reference and, by entering into this DPA, also enter into and agree to be bound by the EEA Standard Contractual Clauses. The parties agree to select the following options made available by the EEA Standard Contractual Clauses.
          • Clause 7: The parties opt to include Optional Clause 7.
          • Clause 9, Module 2(a): The parties select Option 2. The time period is five days.
          • Clause 9, Module 3(a): The parties select Option 2. The time period is five days.
          • Clause 11(a): The parties do not select the independent dispute resolution option.
          • Clause 17: The parties select Option 1. The parties agree that the governing jurisdiction is Ireland.
          • Clause 18: The parties agree that the forum is Ireland.
          • Annex I(A): The data exporter is the Data Exporter (defined above). The data importer is the Data Importer (defined above). The statuses of the parties as Controllers or Processors are described in Schedule 1.
          • Annex I(B): The parties agree that Schedule 1 describes the transfer.
          • Annex I(C): The competent supervisory authority is the Irish Data Protection Commission.
          • Annex II: The parties agree that Schedule 2 describes the technical and organizational measures applicable to the transfer.
          • Annex III: The parties agree that Schedule 1 describes the relevant sub processors and their roles in processing personal data.
        • Switzerland. The parties agree to the following modifications to the EEA Standard Contractual Clauses to make them applicable to transfers of personal data from Switzerland.
          • The parties adopt the GDPR standard for all data transfers from Switzerland.
          • Clause 13 and Annex I(C): The competent authorities under Clause 13, and in Annex I(C), are the Federal Data Protection and Information Commissioner and, concurrently, the EEA member state authority identified above.
          • Clause 17: The parties agree that the governing jurisdiction is Ireland.
          • Clause 18: The parties agree that the forum is Ireland. The parties agree to interpret the EEA Standard Contractual Clauses so that data subjects in Switzerland are able to sue for their rights in Switzerland in accordance with Clause 18(c).
          • The parties agree to interpret the EEA Standard Contractual Clauses so that “data subjects” includes information about Swiss legal entities until the revised Federal Act on Data Protection becomes operative.
        • United Kingdom.
          • “IDTA” means the International Data Transfer Agreement issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as modified by the UK Information Commissioner’s Office from time to time.
          • For transfers from the United Kingdom that are not subject to an adequacy decision or exception, the parties hereby incorporate the IDTA by reference and, by entering into this DPA, also enter into and agree to be bound by the Mandatory Clauses of the IDTA.
          • Pursuant to Sections 5.2 and 5.3 of the IDTA, the parties agree that the following information is relevant to Tables 1 – 4 of the IDTA and that by changing the format and content of the Tables neither party intends to reduce the Appropriate Safeguards (as defined in the IDTA).
            • Table 1: The parties’ details, key contacts, data subject contacts, and signatures are as included in the Agreement.
            • Table 2:
              • The UK country’s law that governs the IDTA is: England and Wales.
              • The primary place for legal claims to be made by the parties is: England and Wales.
              • The statuses of the Data Exporter and Data Importer are described in Schedule 1.
              • The Data Importer represents and warrants that the UK GDPR does apply to its processing of personal data under the Agreement.
              • The relationship among the agreements setting forth data protection terms among the parties, including this Section, the DPA, and the Agreement, is described in Section 1 of the DPA.
              • The duration that the parties may process personal data is set forth in the DPA.
              • The IDTA is coterminous with the DPA. Neither party may terminate the IDTA before the DPA ends unless one of the parties breaches the IDTA or the parties agree in writing.
              • The Data Importer may transfer personal data to another organization or person (who is a different legal entity) if such transfer complies with the IDTA’s applicable Mandatory Clauses.
              • The parties will review the Security Requirements listed in Table 4, and the supplementary measures described in Schedule 3, to this DPA each time there is a change to the Transferred Data, Purposes, Importer Information, transfer impact assessment, transfer risk assessment, or risk assessment.
            • Table 3:
              • The categories of personal data, Sensitive Data, data subjects, and purposes of processing are described in Schedule 1. Such description may only be updated by written agreement of the parties.
            • Table 4:
              • The security measures adopted by the parties are described in Schedule 2 of this DPA. Such security measures may only be updated by written agreement of the parties.
      3. The parties agree to adopt the additional technical, organizational, and/or contractual protections that may be required by their transfer impact assessment described in Schedule 3 of this DPA.

Schedule 2: Technical and Organizational Security Measures

Description of the technical and organisational security measures implemented by the data importer in accordance with Clause 8 of the Standard Contractual Clauses:

        1. Purpose: This Appendix sets forth the information security program and infrastructure policies that ICSC will meet and maintain in order to protect Company Personal Data from unauthorized use, access or disclosure, during the Term of the Agreement.
        2. Information Security Management Program (the “ISMP”): ICSC represents that it will maintain throughout the term of the Agreement a written information security management program designed to protect and secure Company Personal Data from unauthorized access or use. The ISMP will be documented and updated based on changes in applicable legal and regulatory requirements related to privacy and data security practices and industry standards.
        3. Standards: ICSC incorporates commercially reasonable and appropriate methods and safeguards to protect the security, confidentiality, and availability of Company Personal Data.
        4. Information Security Policies: ICSC will implement, maintain, and adhere to its internal information security and privacy policies that address the roles and responsibilities of ICSC’s personnel who have access to Company Personal Data in connection with providing the Services. All ICSC personnel with access to Company Personal Data will receive regular (at least annual) training on the ISMP.
        5. Information Security Infrastructure:
          1. Access Controls: ICSC will ensure appropriate access controls are in place to protect Company Personal Data. ICSC agrees that it shall maintain, throughout the term of the Agreement and at all times while ICSC has access to or possession of Company Personal Data, appropriate access controls (physical, technical, and administrative) and shall maintain such access controls in accordance with ICSC’s policies and procedures.
          2. Authorized Persons: ICSC will limit access to Company Personal Data solely to ICSC personnel who have a need to access the Company Personal Data in connection with the Services or as otherwise required by applicable law.
          3. Access Justification/Authorization Process: ICSC has a process in place that is designed to ensure that only authorized persons (technical and non-technical) are granted access to Company Personal Data.
          4. Encryption: ICSC will encrypt Company Personal Data that is at rest, should it be at rest outside of the production security zone. ICSC will use at a minimum AES algorithm for encryption of such Company Personal Data at rest with a default value of 256-bit strength. For Company Personal Data in transit, ICSC agrees to use encryption unless the Company uses a method of transmission which does not support encryption (such as unencrypted FTP, email, etc.).
          5. Network and Host Security: ICSC has commercially reasonable network intrusion detection and firewalls in place. ICSC uses reasonable efforts to ensure that the systems it uses to provide the Services are patched or secured to mitigate the impact of security vulnerabilities within a reasonable time after ICSC has actual or constructive knowledge of any critical or high-risk security vulnerabilities.
          6. Data Management: ICSC will have adequate information security infrastructure controls in place for Company Personal Data obtained, transported, and retained by ICSC. ICSC will destroy, delete, or otherwise make irrecoverable Company Personal Data upon the disposal or repurposing of storage media containing such Company Personal Data. Company Personal Data is logically separated from the content of other ICSC customers.
          7. Physical Security: Physical security safeguards include physical safety and security safeguards at any facilities operated by ICSC or used in the course of providing the Services.
        6. Disaster Recovery. ICSC implements and maintains disaster recovery capabilities designed to minimize disruption to the Services in accordance with the Service Agreement and the SLA.
        7. Furthermore, ICSC uses a secure, third-party solution to facilitate transfers of Personal and confidential data to and from its clients.

Schedule 3: Supplementary Measures

    1. ADOPTION AND MAINTENANCE OF SUPPLEMENTARY MEASURES

      1. The parties agree to adopt the supplementary measures identified in this Schedule 3 (if any).
      2. If the provisions in this Schedule 3 conflict with an International Data Transfer Mechanism, the terms that are more protective of data subjects will apply.
      3. Data Importer represents and warrants that, prior to transferring personal data:
        • It will notify Data Exporter of changes to relevant laws or facts and circumstances applicable to Data Importer that could cause Data Exporter to no longer comply with an applicable International Data Transfer Mechanism; and
        • It will keep a record of its processing of personal data in connection with the processing activities described in Schedule 1 and provide that record to Data Exporter upon request.
      4. Data Exporter represents and warrants that, prior to transferring personal data:
        • It conducted any “transfer impact assessment,” “transfer risk assessment,” or other assessment required by applicable Data Protection Law to determine whether it can lawfully transfer personal data to Data Importer (collectively “TIA”);
        • It will cooperate with a relevant data protection authority, at that authority’s request, in connection with the parties’ personal data processing activities under their chosen International Data Transfer Mechanism, including by providing the authority with its TIA and any relevant supporting information;
        • It will assist Data Importer with Data Importer’s reasonable requests for assistance with passing on notices or other information to and from relevant data subjects; and
        • It will notify Data Importer of changes to relevant facts and circumstances that could affect the lawfulness of the personal data transfers described in Schedule 1.
      5. Data Exporter agrees that it is solely responsible for carrying out a TIA. Unless Data Importer violates a representation or warranty in Section 1.3, Data Importer will not be liable to Data Exporter for third-party claims (including claims by regulatory authorities) against Data Exporter in connection with Data Exporter’s TIA.
    2. SUPPLEMENTARY MEASURES

      1. The Data Importer represents and warrants that it has adopted the following supplementary measures to ensure that the personal data it processes is protected in a manner that is equivalent to the protections available to data subjects in the country from which the personal data originated.
        • ICSC applies encryption to Personal Data in transit and at rest.

Exhibit 1, Sub processor List

Vendor | Purpose of processing | Categories of Data Subjects | Categories of Personal Data
Atlassian (Confluence, Jira, Bitbucket, OpsGenie) | Development and operations management and monitoring services | Customer, End-user | Names, email addresses, IP addresses, device and content IDs, location data
AWS | Cloud infrastructure provider | Customer, End-user | Names, email addresses, IP addresses, device and content IDs, location data
Azure | Cloud infrastructure provider | Customer, End-user | Names, email addresses, IP addresses, device and content IDs, location data
Backblaze | Backup service | Customer, End-user | Names, email addresses, IP addresses, device and content IDs, location data
Gong | Marketing and sales analytics | Customer, End-user | Names, email addresses, IP addresses, device and content IDs, location data
Google Workspace | Productivity software | Customer, End-user | Names, email addresses, IP addresses, device and content IDs, location data
LatLong | ExpressPlay service user geolocation verification service | Customer, End-user | Names, email addresses, IP addresses, device and content IDs, location data
Microsoft Office 365 | Productivity and communication software | Customer, End-user | Names, email addresses, IP addresses, device and content IDs, location data
Salesforce | Sales management software | Customer | Names, email addresses, IP addresses, device and content IDs, location data
Slack | Productivity and communication software | Customer, End-user | Names, email addresses, IP addresses, device and content IDs, location data
Splunk | Transaction logs management | Customer, End-user | Names, email addresses, IP addresses, device and content IDs, location data
TrueNAS | Network-attached storage operating system | Customer, End-user | Names, email addresses, IP addresses, device and content IDs, location data
Zendesk | Customer support | Customer, End-user | Names, email addresses, IP addresses, device and content IDs, location data
Zoho 24×7 | Alert monitoring service | Customer, End-user | Names, email addresses, IP addresses, device and content IDs, location data
Zoom | Communication software | Customer, End-user | Names, email addresses, IP addresses, device and content IDs, location data