SafeGuard Cyber Data Processing Addendum


EFFECTIVE DATE: September 1, 2023

 

This Data Processing Addendum, including its annexes, exhibits, or appendices (“Addendum”) forms part of the Subscription Service Terms or any other agreement about the delivery of the contracted services (the “Agreement”) between SOCIAL SAFEGUARD Inc. (“SafeGuard Cyber”) and the Customer named in such Agreement or identified below to reflect the parties’ agreement about the Processing of Customer Personal Data (as those terms are defined below).

In the event of a conflict between the terms and conditions of this Addendum and those of the Agreement, an Order, or any other documentation, the terms and conditions of this Addendum shall prevail with respect to the subject matter of Processing of Customer Personal Data.

All capitalized terms not defined herein shall have the meaning set forth in the Agreement.

1. Definitions

1.1. “Affiliate” means, with respect to a party, any entity that directly or indirectly controls, is controlled by, or is under common control with that party. For purposes of this Addendum, “control” means an economic or voting interest of at least fifty percent (50%) or, in the absence of such economic or voting interest, the power to direct or cause the direction of the management and set the policies of such entity.

1.2. “Anonymized Data” means, having regard to the guidance published by the European Data Protection Board, Personal Data which does not relate to an identified or identifiable natural person or rendered anonymous in such a manner that the data subject is not or no longer identifiable.

1.3. “Applicable Data Protection Law” means any applicable legislative or regulatory regime enacted by a recognized government, or governmental or administrative entity with the purpose of protecting the privacy rights of natural persons or households consisting of natural persons, in particular the General Data Protection Regulation 2016/679 (“GDPR”) and supplementing data protection law of the European Union Member States, the United Kingdom’s Data Protection Act 2018 and the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK GDPR”), the Swiss Federal Data Protection Act (“Swiss DPA”), Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) S.C. 2000, ch. 5, and any provincial legislation deemed substantially similar to PIPEDA under the procedures set forth therein, the California Consumer Privacy Act (“CCPA”) of 2018, the Brazilian Law No. 13,709/2018 – Brazilian General Data Protection Law (“LGPD”), and the ePrivacy Directive 2002/58/EC (the “Directive”), together with any European Union Member State national law implementing the Directive.

1.4. “Authorized Subprocessor” means a subprocessor engaged by SafeGuard Cyber to process Customer Personal Data on behalf of the Customer per the Customer’s Instructions under the terms of the Agreement and this Addendum. Authorized Subprocessors may include SafeGuard Cyber Affiliates but shall exclude SafeGuard Cyber employees, contractors, and consultants.

1.5. “Controller” means the entity that determines as a legal person alone or jointly with others the purposes and means of the Processing of Personal Data.

1.6. “Customer Personal Data” means the Personal Data, including but not limited to: (a) all text, sound, video, or image files that are part of profile and User information and/or exchanged between Users (including guest users participating in Customer-hosted meetings and webinars) and with SafeGuard Cyber via the Services; (b) name, screen name and email address; (c) Support Data (as defined in Annex I to the Standard Contractual Clauses); (d) Websites data (including cookies); and (e) data from applications (including browsers) installed on User devices, Services generated server logs (with for example meeting metadata and User settings) and SafeGuard Cyber internal security logs, that are generated by, or provided to, SafeGuard Cyber by, or on behalf of, Customer through use of the Services as further defined in Annex I of the Standard Contractual Clauses.

1.7. “Data Subject” means the identified or identifiable person to whom Personal Data relates.

1.8. “Legitimate Business Purposes” means the exhaustive list of specific purposes for which SafeGuard Cyber is allowed to process Personal Data as Controller as specified in Section 2.4.

1.9. “Personal Data” means any information relating to a Data Subject; an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. This includes any special categories of Personal Data defined in Art. 9 of the GDPR, data relating to criminal convictions and offences, or related security measures defined in Art. 10 of the GDPR and national security numbers defined in Art. 87 of the GDPR and national supplementing law.

1.10. “Processor” means the entity that processes Personal Data on behalf of the Controller.

1.11. “Personal Data Breach” means a breach of security which results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data Processed by SafeGuard Cyber or SafeGuard Cyber’s Authorized Subprocessor.

1.12. “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data or sets of Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. For the avoidance of doubt: this includes processing of personal data to disclose, aggregate, pseudonymize, de-identify or anonymize Personal Data, and to combine personal data with other personal data, or to derive any data or information from such Personal Data.

1.13. “Services” means the Services as set forth in the Agreement or associated SafeGuard Cyber Terms of Use.

1.14. “Standard Contractual Clauses” means: (i) where the GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “EU SCCs”); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (the “UK SCCs”); and (iii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or otherwise recognized by the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) (the “Swiss SCCs”).

1.15. “Supervisory Authority” means an independent public authority responsible for monitoring the application of Applicable Data Protection Law, including the Processing of Personal Data covered by this Addendum.

1.16. “UK Addendum” means the addendum in Annex 4.

2. Processing of Personal Data: Roles, Scope and Responsibility

2.1. The Parties acknowledge and agree to the following: (a) Customer is the Controller of Customer Personal Data; (b) SafeGuard Cyber is the Processor of Customer Personal Data, except where SafeGuard Cyber or a SafeGuard Cyber Affiliate act as a Controller processing Customer Personal Data in accordance with the exhaustive list of Legitimate Business Purposes in Section 2.4.

2.2. Only to the extent necessary and proportionate, Customer as Controller instructs SafeGuard Cyber to perform the following activities as Processor on behalf of Customer: (a) provide and update the Services as licensed, configured, and used by Customer and its Users, including through Customer’s use of SafeGuard Cyber settings, administrator controls or other Services functionality; (b) secure and monitor the Services in real time; (c) resolve issues, bugs, and errors; (d) provide Customer requested support, including applying knowledge gained from individual customer support requests to benefit all SafeGuard Cyber customers but only to the extent such knowledge is anonymized; and (e) process Customer Personal Data as set out in the Agreement and Annex I to the Standard Contractual Clauses (subject matter, nature, purpose, and duration of Personal Data Processing in the controller to processor capacity) and any other documented instruction provided by Customer and acknowledged by SafeGuard Cyber as constituting instructions for purposes of this Addendum (collectively, the “Instructions”).

2.3. SafeGuard Cyber shall immediately notify the Customer, if, in SafeGuard Cyber’s opinion, an Instruction of the Customer infringes Applicable Data Protection Law and request that Customer withdraw, amend, or confirm the relevant Instruction. Pending the decision on the withdrawal, amendment, or confirmation of the relevant Instruction, SafeGuard Cyber shall be entitled to suspend the implementation of the relevant Instruction.

2.4. Regardless of its role as Processor or Controller, SafeGuard Cyber shall process all Customer Personal Data in compliance with Applicable Data Protection Laws, the “Security Measures” referenced in Section 6 of this Addendum and Annex I to the Standard Contractual Clauses. SafeGuard Cyber will follow European Data Protection Board guidance on completing a data transfer impact assessment (“DTIA”) and maintain an up-to-date DTIA applicable to the Services.

2.5. Customer shall ensure that its Instructions to SafeGuard Cyber comply with all laws, rules, and regulations applicable to the Customer Personal Data, and that the Processing of Customer Personal Data per Customer’s Instructions will not cause SafeGuard Cyber to be in breach of Applicable Data Protection Law. Customer is solely responsible for the accuracy, quality, and legality of (i) the Customer Personal Data provided to SafeGuard Cyber by or on behalf of Customer; (ii) how Customer acquired any such Customer Personal Data; and (iii) the Instructions it provides to SafeGuard Cyber regarding the Processing of such Customer Personal Data. Customer shall not provide or make available to SafeGuard Cyber any Customer Personal Data in violation of the Agreement or this Addendum, or otherwise in violation of SafeGuard Cyber’s Subscription Service Terms of Use (currently published at https://www.safeguardcyber.com/safeguard-product-terms-use and as updated from time to time) and shall indemnify SafeGuard Cyber from all claims and losses in connection therewith.

2.6. Following the completion of the Services, at Customer’s choice, SafeGuard Cyber shall either enable Customer to delete some of Customer’s Personal Data (for example a user’s personal data) or all of Customer’s Personal Data, shall return to Customer the specified Customer Personal Data, or shall delete the specified Customer Personal Data, and delete any existing copies in compliance with its data retention and deletion policy. If return or destruction is impracticable or prohibited by a valid legal order or applicable law, SafeGuard Cyber shall take measures to inform the Customer and block such Customer Personal Data from any further Processing (except to the extent necessary for its continued hosting or Processing required by applicable law) and shall continue to appropriately protect the Customer Personal Data remaining in its possession, custody, or control and, where any Authorized Subprocessor continues to possess Customer Personal Data, require the Authorized Subprocessor to take the same measures that would be required of SafeGuard Cyber.

3. Privacy by design and by default. SafeGuard Cyber will comply with the privacy by design and data minimization principles from the GDPR, and SafeGuard Cyber agrees to minimize Processing to the extent necessary to meet its obligations and rights under the Agreement. This includes minimization of data retention periods and offering end-to-end encryption when technically feasible.

4. Authorized Persons. SafeGuard Cyber shall ensure that all persons authorized to Process Customer Personal Data and Customer Content are made aware of the confidential nature of Customer Personal Data and Customer Content and have committed themselves to confidentiality (e.g., by confidentiality agreements) or are under an appropriate statutory obligation of confidentiality.

5. Authorized Subprocessors. To the extent that SafeGuard Cyber is a Processor:

5.1. The Customer hereby generally authorizes SafeGuard Cyber to engage subprocessors in accordance with this Section 5.

5.2. Customer approves the Authorized Subprocessors listed in Annex 3 to this Addendum.

5.3. SafeGuard Cyber may remove, replace, or appoint suitable and reliable further subprocessors in accordance with this Section 5.3: (a) SafeGuard Cyber shall, at least thirty (30) days before the new subprocessor starts processing any Customer Personal Data, notify Customer of the intended engagement (including the name and location of the relevant subprocessor, the activities it will perform and a description of the Personal Data it will process). SafeGuard Cyber will provide notice to Customer in each case, and the Customer may object to such an engagement in writing within fifteen (15) business days of receipt of the aforementioned notice from SafeGuard Cyber.

5.4. If the Customer objects to the engagement of a new subprocessor, SafeGuard Cyber shall have the right to cure the objection through one of the following options (to be selected at SafeGuard Cyber’s sole discretion): (a) SafeGuard Cyber cancels its plans to use the subprocessor with regard to Customer Personal Data; (b) SafeGuard Cyber will take the corrective steps requested by Customer in its objection (which remove Customer’s objection) and proceed to use the subprocessor with regard to Customer Personal Data; (c) SafeGuard Cyber may cease to provide or Customer may agree not to use (temporarily or permanently) the particular aspect of the Services that would involve the use of such subprocessor with regard to Customer Personal Data. SafeGuard Cyber provides Customer with a written description of commercially reasonable alternative(s), if any, to such engagement, including without limitation modification to the Services. If SafeGuard Cyber, in its sole discretion, cannot provide any such alternative(s), or if Customer does not agree to any such alternative(s) if provided, SafeGuard Cyber and Customer may terminate the Agreement including the Addendum with prior written notice. Termination shall not relieve Customer of any fees or charges owed to SafeGuard Cyber for Services provided up to the effective date of the termination under the Agreement. If Customer does not object to a new subprocessor’s engagement within 15 days of notice issuance from SafeGuard Cyber, that new subprocessor shall be deemed accepted.

5.5. SafeGuard Cyber shall ensure that Authorized Subprocessors have executed confidentiality agreements that prevent them from unauthorized Processing of Customer Personal Data and Customer Content both during and after their engagement by SafeGuard Cyber.

5.6. SafeGuard Cyber shall, by way of contract or other legal act, impose on the Authorized Subprocessor the equivalent data protection obligations as set out in this Addendum and detailed in the GDPR. The Parties acknowledge and agree that notice periods shall be deemed equivalent regardless of disparate notification periods. If personal data are transferred to an Authorized Subprocessor in a third country, SafeGuard Cyber will ensure the transferred data are processed with the same GDPR transfer guarantees as agreed with Customer (such as Standard Contractual Clauses). SafeGuard Cyber will also perform a case-by-case assessment if supplementary measures are required in cases of onward transfers to third countries in order to bring the level of protection of the transferred data up to the EU standard of essential equivalence.

5.7. SafeGuard Cyber shall be fully liable to Customer for the performance of an Authorized Subprocessor’s obligations where that Authorized Subprocessor fails to fulfil its data protection obligations, to the same extent that SafeGuard Cyber would itself be liable under this Addendum had it conducted such acts or omissions.

6. Security of Personal Data

6.1. Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, SafeGuard Cyber shall maintain appropriate technical and organizational measures with regard to Customer Personal Data and to ensure a level of security appropriate to the risk, including, but not limited to, the “Security Measures” set out in Annex II to the Standard Contractual Clauses (attached here as Annex 2).

6.2. Customer acknowledges that the Security Measures are subject to technical progress and development and that SafeGuard Cyber may update or modify the Security Measures from time to time, provided that such updates and modifications do not degrade or diminish the overall security of the Services.

7. International Transfers of Personal Data

7.1. Customer acknowledges and agrees that SafeGuard Cyber may transfer and process Customer Personal Data to third countries (including those outside of the EEA without an adequacy statement from the European Commission) to Affiliates, its professional advisors or its Authorized Subprocessors when a User knowingly connects to data processing operations supporting the Services from such locations (such as when the User travels outside of the territory of the EU). SafeGuard Cyber shall ensure that such transfers are made in compliance with Applicable Data Protection Law and this Addendum.

7.2. Any transfer of Customer’s Personal Data made subject to this Addendum from member states of the European Union, the European Economic Area (Iceland, Liechtenstein, Norway), Switzerland or the United Kingdom to any country where the European Commission, the FDPIC or the UK Information Commissioner’s Office has not decided that the third country in question, or one or more specified sectors within that third country, ensures an adequate level of protection, shall be undertaken, in particular, through the Standard Contractual Clauses, in connection with which the Parties agree the following:

(a) EU SCCs (Controller to Processor Transfers). In relation to Personal Data that is protected by the EU GDPR and processed in accordance with Section 2.2 of this Addendum, the EU SCCs shall apply, completed as follows: (i) Module Two will apply (as applicable); (ii) in Clause 7, the optional docking clause will apply; (iii) in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be as set out in Section 5.3 of this Addendum; (iv) in Clause 11, the optional language will not apply; (v) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Section C of Annex 1 to this Addendum; (vi) in Clause 18(b), disputes shall be resolved in accordance with Section C of Annex 1 to this Addendum; (vii) Annex I of the EU SCCs shall be deemed completed with the information set out in Annex 1 to this Addendum; and (viii) subject to Section 6.2 of this Addendum, Annex II of the EU SCCs shall be deemed completed with the information set out in Annex 2 to this Addendum.

(b) Transfers from the UK. In relation to Personal Data that is originating from the United Kingdom or otherwise protected by the UK GDPR, the EU SCCs will apply in accordance with the UK Addendum, attached hereto as Annex 4, and with the following modifications: (i) any references in the EU SCCs to “Directive 95/46/EC” or “Regulation (EU) 2016/679” shall be interpreted as references to the UK GDPR; references to specific Articles of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of the UK GDPR; (ii) references to “EU”, “Union” and “Member State law” are all replaced with “UK”; Clause 13(a) and Part C of Annex I of the EU SCCs are not used; references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the Information Commissioner and the courts of England and Wales; (iii) Clause 17 of the EU SCCs is replaced to state that “The Clauses are governed by the laws of England and Wales”; and (iv) Clause 18 of the EU SCCs is replaced to state “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts”.

(c) Transfers from Switzerland. In relation to Personal Data that is protected by the Swiss DPA, the EU SCCs will apply in accordance with Sections 7.2(a)-(b), with the following modifications: (i) any references in the EU SCCs to “Directive 95/46/EC” or “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA; (ii) references to “EU”, “Union”, “Member State” and “Member State law” shall be interpreted as references to Switzerland and Swiss law, as the case may be; and (iii) references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the FDPIC and competent courts in Switzerland, unless the EU SCCs as implemented above cannot be used to lawfully transfer such Personal Data in compliance with the Swiss DPA, in which event the Swiss SCCs shall instead be incorporated by reference and form an integral part of this Addendum and shall apply to such transfers. Where this is the case, the relevant Annexes of the Swiss SCCs shall be populated using the information contained in Annex 1 and Annex 2.

7.3. It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement (including this Addendum) the Standard Contractual Clauses shall prevail to the extent of such conflict.

7.4. SafeGuard Cyber may adopt a replacement data export mechanism (including any new version of or successor to the Standard Contractual Clauses or alternative mechanisms adopted pursuant to Applicable Data Protection Law) (“Alternative Transfer Mechanism”), so long as the Alternative Transfer Mechanism complies with Applicable Data Protection Law and extends to the territories to which Customer Personal Data is transferred on behalf of the Customer. Customer agrees to execute documents and take other reasonably necessary actions to give legal effect to such Alternative Transfer Mechanism.

8. Rights of Data Subjects. To the extent that SafeGuard Cyber is a Processor:

8.1. SafeGuard Cyber shall promptly notify Customer upon receipt of a request by a Data Subject to exercise Data Subject rights under Applicable Data Protection Law. SafeGuard Cyber will advise the Data Subject to submit his or her request to Customer, and Customer will be responsible for responding to such request.

8.2. SafeGuard Cyber shall, taking into account the nature of the Processing, assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the Data Subject’s rights (regarding information, access, rectification and erasure, restriction of Processing, notification, data portability, objection and automated decision-making) under Applicable Data Protection Law.

9. Disclosure of Personal Data

9.1. SafeGuard Cyber will not disclose or provide access to any Customer Personal Data except: (a) as Customer directs; (b) as described in this Addendum; or (c) as required by law.

9.2. If a court, law enforcement authority or intelligence agency contacts SafeGuard Cyber with a demand for Customer Personal Data, SafeGuard Cyber will first assess if it is a legitimate order consistent with SafeGuard Cyber’s internal processes and applicable law. If so, SafeGuard Cyber will attempt to redirect this third party to request those data directly from Customer. If compelled to disclose or provide access to any Customer Personal Data to law enforcement, SafeGuard Cyber will promptly notify Customer and provide a copy of the demand unless legally prohibited from doing so, for example, through a so-called “gag order”. If SafeGuard Cyber is prohibited by law from fulfilling its obligations under Section 9.2, SafeGuard Cyber shall represent the reasonable interests of the Controller. This is in all cases understood to mean:

(a) SafeGuard Cyber shall document a legal assessment of the extent to which: (i) SafeGuard Cyber is legally obliged to comply with the request or order; and (ii) SafeGuard Cyber is effectively prohibited from complying with its obligations in respect of the Controller under this Addendum.

(b) SafeGuard Cyber shall only cooperate with a US-issued request or order if legally obliged to do so and, where possible, SafeGuard Cyber shall judicially object to the request or order, or to the prohibition on informing the Controller about it or on following the instructions of the Controller.

(c) SafeGuard Cyber shall not provide more Customer Personal Data than is strictly necessary for complying with the request or order.

(d) If SafeGuard Cyber becomes aware of a situation where it has reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by SafeGuard Cyber, its Affiliates and Authorized Subprocessors, including any requirements to disclose personal data or measures authorizing access by public authorities, will prevent SafeGuard Cyber from fulfilling its obligations under this Addendum, SafeGuard Cyber will inform Customer without undue delay after SafeGuard Cyber becomes aware of such a situation.

10. Compliance Auditing

10.1. SafeGuard Cyber will: (a) conduct at least one audit annually; (b) have audits performed according to the standards and rules of the regulatory or accreditation body for the applicable control standard or framework; and (c) have audits performed by qualified security auditors at SafeGuard Cyber’s selection and expense.

10.2. Each audit will result in the generation of an audit report (“SafeGuard Cyber Audit Report”), which SafeGuard Cyber will make available to Customer upon request and which will be SafeGuard Cyber’s Confidential Information, subject to a separately executed nondisclosure agreement or the Agreement’s confidential information provisions. SafeGuard Cyber will promptly remediate issues raised in any SafeGuard Cyber Audit Report in accordance with industry best practices.

10.3. Nothing in this Addendum will require SafeGuard Cyber to provide Personal Data of other SafeGuard Cyber customers or access to any SafeGuard Cyber systems or facilities that are not involved in the provision of the contracted Services.

11. Cooperation. SafeGuard Cyber shall provide the Controller with all required assistance and cooperation in enforcing the obligations of the Parties under Applicable Data Protection Law. To the extent that such assistance relates to the Processing of Customer Personal Data for the purpose of the performance of the Agreement, the Processor shall in any event provide the Controller with such assistance relating to: (a) the security of Customer Personal Data; (b) performing checks and audits; (c) performing Data Protection Impact Assessments (“DPIA”); (d) prior consultation with the Supervisory Authority; (e) responding to requests from the Supervisory Authority or another government body; (f) responding to requests from Data Subjects; and (g) reporting Customer Personal Data Breaches.

12. Security incidents and data breaches

12.1. In the event of a confirmed Personal Data Breach (at SafeGuard Cyber or at a subprocessor of SafeGuard Cyber), SafeGuard Cyber shall, without undue delay, inform Customer of the Personal Data Breach and take such steps as SafeGuard Cyber in its sole discretion deems necessary and reasonable to remediate such violation. In the event of such a Personal Data Breach, SafeGuard Cyber shall, taking into account the nature of the Processing and the information available to SafeGuard Cyber, provide Customer with reasonable cooperation and assistance necessary for Customer to comply with its obligations under Applicable Data Protection Law with respect to notifying (i) the relevant Supervisory Authority and/or (ii) Data Subjects affected by such Personal Data Breach without undue delay.

12.2. In the event of a large-scale (as determined by SafeGuard Cyber) confirmed Personal Data Breach (with SafeGuard Cyber or an Authorized Subprocessor of SafeGuard Cyber), Customer allows SafeGuard Cyber to independently alert and consult the relevant Supervisory Authorities in order to better inform Customer what steps the Supervisory Authorities expect.

12.3. The obligations described in Sections 12.1 and 12.2 shall not apply if a Personal Data Breach results from the actions or omissions of Customer, except where required by Applicable Data Protection Law. SafeGuard Cyber’s obligation to report or respond to a Personal Data Breach under Sections 12.1 and 12.2 will not be construed as an acknowledgement by SafeGuard Cyber of any fault or liability with respect to the Personal Data Breach.

13. General

13.1. This Addendum may be executed in counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument.

13.2. Customer and SafeGuard Cyber acknowledge that the other party may disclose the Standard Contractual Clauses, this Addendum, and any privacy-related provisions in the Agreement to any Supervisory Authority upon request.

13.3. Except for the changes made by this Addendum, the Agreement remains unchanged and in full force and effect. If there is any conflict between this Addendum and the Agreement, Terms of Use, or any other documentation, with regard to the subject matter of this Addendum, this Addendum shall prevail to the extent of that conflict.

13.4. In the event of a change in Applicable Data Protection Law or a determination or order by a Supervisory Authority or competent court affecting this Addendum or the lawfulness of any Processing activities under this Addendum, SafeGuard Cyber may propose amendments to this Addendum. Customer will determine if the amendments are reasonably necessary to ensure continued compliance with Applicable Data Protection Law and/or the Processing instructions herein. In that case the Parties will agree the proposed amendments in writing.

13.5. The provisions of this Addendum are severable. If any phrase, clause or provision or Exhibit (including the Standard Contractual Clauses) is invalid or unenforceable in whole or in part, such invalidity or unenforceability shall affect only such phrase, clause or provision, and the rest of this Addendum or the remainder of the Exhibit, shall remain in full force and effect.

13.6. This Addendum shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Law.

 

ANNEX 1 – Details of Processing

A. List of Parties

Data exporter(s):

The individual or entity that has entered into the Primary Agreement with data importer for the provision of the products and services as described in the Primary Agreement and/or applicable order form.

Activities relevant to the data transferred under these Clauses:

Uploading, transmitting, and otherwise processing the data through cybersecurity products or services of processor.

Role (controller/processor): Controller

Data importer(s):

Name: SafeGuard Cyber Inc.

Address: 977 Seminole Trail, #373 Charlottesville, Virginia, United States

Contact: Data Protection Officer, privacy@safeguardcyber.com

Activities relevant to the data transferred under these Clauses:

Uploading, transmitting, and otherwise processing the data through cybersecurity products or services of processor.

Role (controller/processor): Processor

  B. Description of Transfer

Categories of data subjects whose personal data is transferred

You may submit Personal Data while using the Services, the extent of which is determined and controlled by you in your sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:

  • Your contacts
  • Other end users including your employees, contractors, collaborators, customers, prospects, suppliers, and subcontractors.
  • Other individuals attempting to communicate with or transfer Personal Data to your end users.

Categories of personal data transferred

You may submit Personal Data to the Service, the extent of which is determined and controlled by you in your sole discretion, and which may include but is not limited to the following categories of Personal Data:

  • Contact Information (as defined in the Services Agreement).
  • Any other Personal Data submitted by, sent to, or received by you, or your end users, via the Service.

Sensitive data transferred (if applicable) and applied restrictions or safeguards

The parties do not anticipate the transfer of sensitive data.

Frequency of the transfer

Continuous

Nature of the Processing

Personal Data will be Processed in accordance with the Agreement (including this DPA) and may be subject to the following Processing activities:

  • Storage and other Processing necessary to provide, maintain and improve the Services provided to you; and/or
  • Disclosure in accordance with the Agreement (including this DPA) and/or as compelled by applicable laws.

Purpose of the transfer and further processing

We will Process Personal Data as necessary to provide the Services pursuant to the Agreement, as further specified in the Terms of Use, and as further instructed by you in your use of the Services.

Period for which Personal Data will be retained

Subject to this DPA, we will only process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.

  C. Competent Supervisory Authority

For the purposes of the Standard Contractual Clauses, the supervisory authority that shall act as competent supervisory authority is either (i) where Customer is established in an EU Member State, the supervisory authority responsible for ensuring Customer’s compliance with the GDPR; (ii) where Customer is not established in an EU Member State but falls within the extra-territorial scope of the GDPR and has appointed a representative, the supervisory authority of the EU Member State in which Customer’s representative is established; or (iii) where Customer is not established in an EU Member State but falls within the extra-territorial scope of the GDPR without having to appoint a representative, the supervisory authority of the EU Member State in which the Data Subjects are predominantly located. In relation to Personal Data that is subject to the UK GDPR or Swiss DPA, the competent supervisory authority is the UK Information Commissioner or the Swiss Federal Data Protection and Information Commissioner (as applicable).


ANNEX 2 – Security Measures

Data Processor shall:

  1. ensure that the Personal Data can be accessed only by authorized personnel for the purposes set forth in Annex 2 of this Data Processing Agreement.
  2. take all reasonable measures to prevent unauthorized access to the Personal Data through the use of appropriate physical and logical (passwords) entry controls, securing areas for data processing, and implementing procedures for monitoring the use of data processing facilities.
  3. build in system and audit trails.
  4. use secure passwords, network intrusion detection technology, encryption and authentication technology, secure logon procedures and virus protection.
  5. account for all the risks that are presented by processing, for example from accidental or unlawful destruction, loss, or alteration, unauthorised or unlawful storage, processing, access or disclosure of Personal Data.
  6. ensure pseudonymisation and/or encryption of Personal Data, where appropriate.
  7. maintain the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
  8. maintain the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident.
  9. implement a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing of Personal Data.
  10. monitor compliance on an ongoing basis.
  11. implement measures to identify vulnerabilities with regard to the processing of Personal Data in systems used to provide services to the Data Controller.
  12. provide employee and contractor training to ensure ongoing capabilities to carry out the security measures established in policy.


ANNEX 3 – Subprocessors

Entity Name          | Entity Type/Purpose                                    | Entity Country
---------------------|--------------------------------------------------------|-----------------------------------------------------------------
Amazon Web Services  | Provides instances of the SafeGuard Cyber application  | Germany for EEA, UK, Swiss customers; USA for non-EEA customers
DataDog              | Operational monitoring                                 | USA
Orcasecurity.io      | Security monitoring                                    | Israel
Crowdstrike.com      | Security monitoring                                    | USA
Permiso.io           | Security monitoring                                    | USA


ANNEX 4 – UK Addendum

International Data Transfer Addendum to the EU SCCs

This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

Part 1: Tables


Table 1: Parties

Start date        | The Effective Date as set out in the DPA
The Parties       | Exporter (who sends the Restricted Transfer)  | Importer (who receives the Restricted Transfer)
Parties’ details  | As set out in Annex 1                         | As set out in Annex 1


Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs  | Means the EU SCCs as defined in the Addendum


Table 3: Appendix Information


“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties:

As set out in Annex 1

Annex 1B: Description of Transfer:

As set out in Annex 1

Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data:

Annex 2 of the Addendum

Annex III: List of Sub processors (Modules 2):

Annex 3 of the Addendum


Table 4: Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum changes

Which Parties may end this Addendum as set out in Section 19:

Importer – Yes

Exporter – Yes

Neither Party – No


Part 2: Mandatory Clauses

The Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0, in force 21 March 2022, issued by the ICO, as revised under Section 18 of those Mandatory Clauses, are hereby incorporated.