Data Processing Addendum

This data processing addendum (“DPA”) is incorporated into the Agreement and is entered into as of the date of the Agreement. To the extent this DPA conflicts with any other agreement, including the terms of the Service Agreement, this DPA shall prevail.

  1. Definitions. Capitalized terms used but not defined in this DPA shall have the meanings set forth in the Agreement. For the purpose of this DPA, the following terms have the following definitions:

a. “Agreement” means the Master Services Agreement entered into between the parties for purchase of ThinkLP’s Services.

b. “Controller”, “Processor”, “Service Provider” and “processing” shall have the meanings given to them in the Applicable Data Protection Laws.

c. “Data Subject” means a natural person that can be identified, directly or indirectly, or as otherwise defined by Applicable Data Protection Laws.

d. “Personal Data” means any information relating to an identified or identifiable living individual or as otherwise defined by the Applicable Data Protection Laws which is processed by ThinkLP on behalf of the Customer in accordance with this DPA for the provision of the Services.

e. “Applicable Data Protection Laws” means all applicable laws and regulations relating to the processing of Personal Data and privacy that may exist in the relevant jurisdictions, including, where applicable, the EU Data Protection Laws and the Non-EU Data Protection Laws. 

f. “EU Data Protection Law” means all data protection laws and regulations applicable to Europe, including, without limitation and to the extent applicable, the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), the UK GDPR from December 31st, 2020 and the United Kingdom Data Protection Act of 2018 (together “UK Law”) and the Swiss Federal Act on Data.

g. “Non-EU Data Protection Laws” means the US States Data Laws (as defined herein) and Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”).

h. “Security Incident” means a breach of security leading to the unauthorized disclosure of, or access to, destruction, loss, or alteration of the Personal Data transmitted, stored, or otherwise Processed as defined by Applicable Data Protection Laws. 

i. “SCCs” means the Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

j. “Sub-processor” means any third party that ThinkLP engages to Process Personal Data on behalf of ThinkLP to provide the Services.

  1. Provision of Services. In the course of providing Services to Customer pursuant to the Agreement, ThinkLP may Process Customer Personal Data on behalf of Customer. The parties agree and acknowledge that the Applicable Data Protection Laws may apply to the processing of Personal Data on behalf of the Customer. Each party agrees to comply with the following provisions with respect to any Customer Personal Data Processed during the provision of the Services. The parties acknowledge and agree that with regard to such Processing of Personal Data, Customer is Controller and ThinkLP is Processor, or Service Provider, as applicable.
  1. Processing of Personal Data. The following provisions apply to the Processing of Personal Data pursuant to this DPA:

a. ThinkLP shall treat Customer Personal Data as Confidential Information and will only Process Personal Data in accordance with Applicable Data Protection Laws directly applicable to the Services. ThinkLP will Process Personal Data as necessary to perform the Services pursuant to the Agreement.

b. ThinkLP will Process Customer Personal Data (i) only for the purpose of providing, supporting, and improving ThinkLP’s Services using appropriate technical and organizational security measures; and (ii) for the purposes set forth in the Agreement. The parties agree that this DPA and the Agreement set out the Customer’s complete instructions to ThinkLP in relation to the processing of Customer Personal Data and processing outside the scope of these instructions (if any) require prior written agreement between Customer and ThinkLP. ThinkLP will not use or process Customer Personal Data for any other purpose. ThinkLP will promptly inform Customer in writing if it cannot comply with the requirements under this DPA, in which case Customer may terminate the Agreement or take any other reasonable action, including suspending data processing operations.

c. ThinkLP will inform Customer promptly if, in ThinkLP’s determination, an instruction from Customer violates Applicable Data Protection Laws.

3. Customer’s Obligations. Customer, in its use of the Services, agrees to: 

a. Comply with its protection, security, and other obligations with respect to Customer Personal Data prescribed by the Applicable Data Protection Laws by: (a) establishing and maintaining a procedure for the exercise of the rights of the individuals whose Personal Data is processed on behalf of Customer; (b) processing only data that has been lawfully and validly collected and ensuring that such data will be relevant and proportionate to the respective uses, including, but not limited to, providing notice and obtaining all consents and rights necessary to process Customer Personal Data and provide the Services pursuant to this DPA and the Agreement; and (c) ensuring compliance with the provisions of the Agreement and this DPA by its personnel or by any third-party accessing or using Customer Personal Data. Customer acknowledges that Customer will have administrative controls over the ThinkLP Services and ThinkLP will have no control over the type of Customer Personal Data inputted outside of the scope of this DPA.

b. Delete Customer Personal Data as requested by the Data Subject through the deletion capability in the ThinkLP Services, in accordance with Applicable Data Protection Laws. If requested by ThinkLP, provide such information to ThinkLP as is reasonable and necessary, including, but not limited to, user IDs associated with such Data Subject, for ThinkLP to unambiguously identify the Data Subject requesting such deletion.

4. Data Subject Request. ThinkLP shall, to the extent legally permitted, promptly notify Customer if it receives a request from (i) a Data Subject to access, correct or delete that person’s Personal Data or if a Data Subject objects to the Processing of Data Subject’s Personal Data (“Data Subject Request”) or (ii) a law enforcement authority with a legally binding request for disclosure of Customer Personal Data by, unless ThinkLP is otherwise forbidden by law to inform Customer. ThinkLP shall not respond to a Data Subject Request without Customer’s prior written consent except to confirm that such request relates to Customer, to which Customer hereby agrees. To the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request or if the Customer fails to address a Data Subject Request within seven (7) days of ThinkLP’s request, ThinkLP shall provide commercially reasonable assistance to facilitate such Data Subject Request to the extent ThinkLP is legally permitted and/or required to do so, technically can provide assistance and provided that such Data Subject Request is exercised in accordance with Applicable Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from ThinkLP’s provision of such assistance.

    5. Security of Personal Data. ThinkLP shall:

    a. Maintain SOC 2 certification, which is deemed sufficient to comply with the terms of this DPA with regard to the security, confidentiality, and integrity of Personal Data. Upon reasonable request by the Customer, but no more than once per calendar year, ThinkLP shall provide its SOC 2 Type II audit report to the Customer.

    b. Implement and maintain an appropriate information security program with technical and organizational measures to protect the security of Personal Data to a level of security appropriate to the risk; in particular, against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. Processor will not materially decrease its overall security of Customer Personal Data during the term of the Agreement and, upon request by the Customer, will supply details of such technical and organizational measures.

    6. Sub-processors.

    a. ThinkLP currently utilizes the Sub-processors set forth in Annex III. ThinkLP shall (i) provide an up-to-date list of the Sub-processors it has appointed upon written request from Customer; and (ii) notify Customer (email is sufficient) if it adds or removes Sub-processors prior to any such changes provided that Customer registers to receive such notices. ThinkLP will (i) enter into contractual arrangements with such Sub-processors binding them to provide the same level of data protection and information security to that provided for in this DPA and (ii) be liable for the acts and omissions of its Sub-processors to the same extent ThinkLP would be liable if performing the Services of each Sub-processor directly under the terms of the Agreement.

      b. Customer may object in writing to ThinkLP’s appointment of a new Sub-processor within ten (10) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties shall discuss such concerns in good faith with a view to achieving resolution. If this is not possible, the Customer may terminate the part of the service performed under the Service Agreement that cannot be performed by ThinkLP without use of the objectionable Sub-processor. ThinkLP shall refund any pre-paid fees to the Customer in respect of the terminated part of the service on a pro-rated basis, provided that the Customer provides ThinkLP with written notice of termination with at least ten (10) days’ notice prior to the relevant billing period.

      7. ThinkLP Personnel.

      a. ThinkLP will take reasonable measures to inform and train its personnel engaged in the Processing of Customer Data about relevant privacy legislation and data security and ensure that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and ensure that all personnel and Sub-processors are informed of the confidential nature of the Personal Data and are aware of ThinkLP’s duties under this DPA and their personal duties and obligations under Applicable Data Protection Laws.

      b. The Customer has administrative controls and the ability to customize, and shall be responsible for such customization, of all the data security settings, controls, and configurations within the Customer-specific Salesforce.com environment, including data encryption requirements. Unless authorized by the Customer in writing, ThinkLP Personnel will not control or configure any Customer Data or Customer security settings and shall not be responsible for the protection of Personal Data based on the security or administrative settings selected or set by the Customer.

      8. Security Incident

      a. If ThinkLP becomes aware of a Security Incident, ThinkLP shall, at its own expense, (i) immediately notify (and in any event within 48 hours) the Customer (“Notice”); (ii) fully co-operate with the Customer and assist the Customer in dealing with a Security Incident and in ensuring compliance with its obligations under Applicable Data Protection Law with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators as soon as reasonably practicable; and (iii) take reasonable steps to mitigate the effects and minimize any damage resulting from the Security Incident.

      b. The Notice shall include, to the extent available to ThinkLP at the time: (i) a description of the nature of the Security Incident, including where possible the categories and approximate number of data subjects concerned, (ii) a description of the likely consequences of the Security Incident and (iii) a description of the measures taken or proposed to be taken by ThinkLP to address the Security Incident.

      c. ThinkLP’s obligation to report or respond to a Security Incident under this section is not and will not be construed as an acknowledgement by ThinkLP of any fault or liability of ThinkLP with respect to the Security Incident.

      9. Audit. The following provisions establish the obligations and rights of each party in the event of an audit under this DPA:

      a. Upon reasonable request from the Customer, ThinkLP shall make available to the Customer and/or its designated agents an annual (no more than once every 12 months) remote audit to verify ThinkLP’s compliance with obligations under Applicable Data Protection Laws (each an “Audit”) to be carried out either: (i) by an independent third party audit firm bound by a duty of confidentiality selected by the Customer and approved by ThinkLP (which approval will not unreasonably be withheld or delayed) and where applicable, in agreement with the competent data protection authority; or (ii) by a competent data protection authority.

      b. The parties shall agree upon the scope and duration of, and the data protection controls applicable to, the Audit. The Customer will notify ThinkLP in writing at least ten (10) business days prior to any Audit being carried out. Any Audit or inspection shall be conducted within ThinkLP’s regular business hours.

      c. All expenses and costs in relation to any Audit conducted under this section, including ThinkLP personnel time, shall be the sole responsibility of, and compensated by, the Customer. If the Customer requests ThinkLP to incur out-of-pocket costs to assist the Customer in the Audit, then ThinkLP is entitled to a reasonable reimbursement for its costs of the Audit incurred by ThinkLP, to be paid by the Customer.

      d. Under no circumstances shall the Customer be allowed to conduct any physical Audit or inspection of ThinkLP’s or its Sub-processors’ onsite premises.

      e. The provisions set out in Section 11(a)-(d) above shall satisfy any requirement under Applicable Data Protection Laws granting the Customer the right to take reasonable and appropriate steps to ensure that ThinkLP uses the Personal Data that it collected pursuant to this DPA and the Service Agreement in a manner consistent with ThinkLP’s obligations under Applicable Data Protection Laws.

      f. Nothing in the Service Agreement or this DPA will require ThinkLP either to disclose to an independent auditor or the Customer, or to allow an independent auditor or the Customer to access: (i) any data of any other customer of ThinkLP; (ii) ThinkLP’s internal accounting or financial information; (iii) any trade secret of ThinkLP; (iv) any premises or equipment not controlled by ThinkLP; or (v) any information that, in ThinkLP’s reasonable opinion, could: (a) compromise the security of ThinkLP’s systems or premises; (b) cause ThinkLP to breach its obligations under Applicable Data Protection Laws or the rights of any third party; or (c) any information that an independent auditor seeks to access for any reason other than the good faith fulfillment of the Customer’s obligations under Applicable Data Protection Laws. The Customer shall contractually impose, and designate ThinkLP as a third party beneficiary of, contractual terms that prohibit any independent auditor from disclosing the existence, nature, or results of any audit to any party other than the Customer unless such disclosure is required by applicable law.

      10. Transfers of Personal Data.

      a. The Customer acknowledges that ThinkLP may transfer and process Customer Personal Data to ThinkLP affiliates, or its Sub-processors in the course of performing the Services. ThinkLP shall, at all times, ensure that such transfers are made in compliance with the requirements of all Applicable Data Protection Laws including GDPR chapter V.

      b. To the extent Personal Data includes personal data protected by EU Data Protection Laws, the parties are deemed to have signed the SCCs, including their annexes, attached hereto.

      c. To the extent the SCCs are entered into, the following options for Module 2 of the SCCs shall be used:

      I. Clause 7. The optional docking shall apply.
      II. Clause 9. Use of sub-processors Option 2: General written authorization shall apply with a 10-day period to object to the sub-processor. Section 5 shall control the notification process. See Annex 3 for the list of current sub-processors.
      III. Clause 11. The optional language does not apply.
      IV. Clause 17. Option 1 shall apply and shall reference the laws of Ireland.
      V. Clause 18 (b). Courts of Dublin, Ireland.
      VI. Clause 13. All square brackets in are hereby removed;
      VII. The parties will complete Schedule 1, which includes the information called for in the SCCs Annexes I, II, and III. By executing the Agreement, the parties hereby execute Annexes I-III, to the extent applicable.

      d. To the extent Personal Data includes data from Switzerland, clause 11(b) and the Switzerland Addendum apply.

      e. To the extent Personal Data includes data from the UK, the UK data transfer addendum applies.

      f. To the extent Personal Data includes data of Data Subjects residing in the US, the US States Privacy Laws Addendum applies.

      11. Indemnification and Limitation of Liability. To the extent applicable by Applicable Data Protection Law, ThinkLP shall indemnify and keep indemnified the Customer against direct damages, claims, and losses incurred by the Customer which arise directly from ThinkLP’s data processing activities under this DPA. To the extent permissible by Applicable Data Protection Law, each party’s and all of its affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement. For the avoidance of doubt, ThinkLP’s and its affiliates’ total liability for all claims from the Customer arising out of the Agreement and each DPA shall apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement.

      12. Deletion. On the expiration or termination of the Agreement (or, if applicable, on expiration of any post-termination period during which ThinkLP may agree to continue providing access to the Services), ThinkLP will delete any Customer Personal Data then in its possession and/or control within a maximum period of 90 days, unless applicable legislation or legal process prevents it from doing so.

      13. Access; Export of Data. To the extent Customer, in its use and administration of the Services during the term of the Agreement, does not have the ability to amend or delete Customer Personal Data (as required by Applicable Data Protection Laws), or migrate Customer Personal Data to another system or service provider, ThinkLP will, at Customer’s reasonable expense, comply with any reasonable requests from Customer to assist in facilitating such actions to the extent ThinkLP is legally permitted to do so and has reasonable access to the relevant Customer Personal Data.

                THINKLP
                By:
                Name:
                Title:
                Date:
                CUSTOMER
                By:
                Name:
                Title:
                Date:

                        ANNEX I

                        A. LIST OF PARTIES
                        Data exporter(s)
                        Name: The Customer as defined in the Agreement
                        Address: The address for the Customer as defined in the Agreement
                        Contact person’s name, position and contact details: The contact person for the Customer as defined in the Agreement
                        Activities relevant to the data transferred under these Clauses: The use of the ThinkLP Services as defined in the Agreement
                        Role: Controller

                        Data importer(s)
                        Name: The ThinkLP contracting entity as defined in the Agreement
                        Address: The address for the ThinkLP contracting entity as defined in the Agreement
                        Contact person’s name, position and contact details: The contact person for the ThinkLP contracting entity as defined in the Agreement
                        Activities relevant to the data transferred under these Clauses: The provision of the ThinkLP Services as defined in the Agreement.
                        Role: Processor

                        B. DESCRIPTION OF TRANSFER

                          Categories of data subjects whose personal data is transferred
                          – The Customer’s employees (including temporary or casual workers, volunteers, assignees, trainees, retirees, pre-hires and applicants)
                          – The Customer’s affiliates’ employees (including temporary or casual workers, volunteers, assignees, trainees)
                          – The Customer’s (potential) customers (if those (potential) customers are individuals)
                          – The Customer’s business partners (if those business partners are individuals)
                          – Employees of the Customer’s business partners
                          – The Customer’s suppliers and subcontractors (if those suppliers and subcontractors are individuals)
                          – Employees of the Customer’s suppliers and subcontractors

                          Categories of personal data transferred
                          Contact details (name, email address and telephone number), employment location, employment title and IP addresses used to log in to the ThinkLP software of Customer’s employees or personnel authorized to use the software. Customers that integrate OSHA will have the option to provide additional information as determined by the Customer.

                          Given the nature of the Services, Customer acknowledges that ThinkLP is not able to review data provided by Customer to determine if it contains any Customer Personal Data outside the lists set out in the Categories of Data Subjects above or as may be provided by Customer.

                          Therefore, Customer is responsible to provide ThinkLP with, and keep updated, lists of Types of Customer Personal Data and Special Categories of Personal Data that ThinkLP can have access to during the Service. Customer will notify ThinkLP about any required changes of the lists above by contacting ThinkLP’s Data Protection Officer at [email protected]

                          In the absence of other instructions from Customer, it will be assumed that during the Services ThinkLP can have access, even incidentally, to all types of data provided by Customer. The technical and organizational measures below will be used by ThinkLP to safeguard all types of Customer Personal Data. If changes to the above lists require changes of the agreed Processing, Customer shall provide Additional Instructions to ThinkLP as set out in the DPA.

                          Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
                          The Parties agree that the Services are not intended for the processing of Sensitive Data, and that if Customer wishes to use the Services to process Sensitive Data, it will remain responsible for such Sensitive Data.

                          The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
                          Continuous basis

                          Nature of the processing

                          Collection
                          – Data collection on behalf of Customer directly from individuals by manual or automated means
                          – Data collection from Customer
                          – Data collection (acquired or received) on behalf of Customer from third parties (other than the individual or Customer)

                          Transformation
                          – Manipulation (cleansing, parsing, formatting, aggregating or transformation) of data
                          – Adding, updating, for example, to keep data current

                          Use
                          – Reading data only
                          – Presenting, accessing, using, or copying data

                          Storage of data including backups.
                          Transfer. 
                          Copying.  
                          Deletion.
                          Monitoring – Applications, networks, systems, or infrastructure logging, auditing or monitoring.
                          Operations – Provision, maintenance, or management (including security management) of applications, networks, systems, or infrastructure.
                          Hosting – Storage or other computing resources. 
                          Caching – Online processing or manipulation of data without persistent storage.
                          Development – Design, development, build, test or deploy.
                          Consulting – Advisory, analytics, or other consulting. 
                          Services – Business or data processing on behalf of Customer. 

                          Purpose(s) of the data transfer and further processing
                          Personal data will be transferred from and uploaded by Customer to ThinkLP for ThinkLP to provide the Services.

                          The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
                          For 90 days from termination or expiration of the Agreement.

                          C. COMPETENT SUPERVISORY AUTHORITY

                          Identify the competent supervisory authority/ies in accordance with Clause 13
                          The Irish Data Protection Commission will be the competent supervisory authority.

                          ANNEX II


                          TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

                          Measures taken by the Data Importer:

                          ThinkLP is System and Organization Controls (SOC) 2 Type II certified. A copy of ThinkLP’s SOC 2 Type II report is available upon request.

                          ANNEX III

                          LIST OF SUB-PROCESSORS
                          The Customer has authorized the use of the sub-processors listed on

                          1. Name: Salesforce.com, Inc.
                            Incorporation Location: Delaware, USA
                            Location of Processing: United States of America
                            Description of Processing: Cloud Application Platform-as-a-Service (aPaaS) Provider
                          2. Name: Action Verb LLC (d/b/a Files.com)
                            Incorporation Location: California, USA
                            Location of Processing: United States of America
                            Description of Processing: S-FTP File Transfer Hosting (if utilized by Data Exporter)
                          3. Name: Amazon Web Services (AWS)
                            Incorporation Location: USA
                            Location: United States of America
                            Description of Processing: Secure data transfer, processing and storage for large data sets
                          4. Name: Microsoft Azure
                            Incorporation Location: USA
                            Location: United States of America
                            Description of Processing: Secure data transfer, processing and storage for large data sets

                          Addendum for Transfers from Switzerland

                          For the purposes of localizing the SCCs to Swiss law, the parties agree to the following:

                          1. The parties adopt the GDPR standard for all data transfers, or the standard under Swiss law where higher. 
                          2. The parties agree that the references to provisions of the GDPR in the SCCs are to be understood as references to the corresponding provisions of the Swiss Federal Data Protection Act in the version applicable at the moment of initiation of any dispute.
                          3. The term Member State where used in the SCCs also applies to Switzerland. In particular, this shall ensure that data subjects are not excluded from the possibility to sue for their rights in their place of habitual residence.
                          4. Clause 13 and Annex I(C): The competent authorities under Clause 13, and in Annex I(C), are the Federal Data Protection and Information Commissioner and, concurrently, the EEA member state authority identified above.
                          5. Clause 17: The Parties agree that the governing jurisdiction is the Member State in which the data exporter is established for claims under the GDPR and the substantive laws of Switzerland for claims under the Swiss Federal Data Protection Act.
                          6. Clause 18:
                          • Any dispute arising from these Clauses shall be resolved by the courts of Zurich, Switzerland.
                          • A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
                          • The Parties agree to submit themselves to the jurisdiction of such courts.

                          7. The parties agree to interpret the SCCs so that “data subjects” includes legal entities until the revised Swiss Federal Act on Data Protection enters into force.

                          Addendum For Transfers from The United Kingdom

                          For the purposes of localizing the SCCs to United Kingdom law, the parties agree to the following:

                          The parties agree that the SCCs are deemed amended to the extent necessary that they operate for transfers from the United Kingdom to a third country and provide appropriate safeguards for transfers according to Article 46 of the UK GDPR. Such amendments include changing references to the GDPR to the UK GDPR and changing references to EU Member States to the United Kingdom.

                          Part 1: Tables

                          Table 1: Parties

                          Start date: The date the DPA is signed.

                          The Parties: Exporter and Importer as per the Intercompany Agreement to which the Approved EU SCCs and this Addendum are appended.

                          Table 2: Selected SCCs, Modules and Selected Clauses

                          Addendum EU SCCs: The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information Date: SCC version released on June 4th 2021, as in force on July 1st 2022.

                          Table 3: Appendix Information

                          “Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in the following Annexes to the Approved EU SCCs to which this Addendum is appended:

                          Annex 1A: List of Parties

                          Annex 1B: Description of Transfer

                          Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data

                          Annex III: List of Sub processors (Modules 2 and 3 only)

                          Table 4: Ending this Addendum when the Approved Addendum Changes

                          Ending this Addendum when the Approved Addendum changes: Which Parties may end this Addendum as set out in Section 19: Importer Exporter

                          Part 2: Mandatory Clauses

                          Entering into this Addendum

                          1. Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.
                          2. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.

                          Interpretation of this Addendum

                          Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:

                          • Addendum: This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs.
                          • Addendum EU SCCs: The version(s) of the Approved EU SCCs to which this Addendum is appended, as set out in Table 2, including the Appendix Information.
                          • Appendix Information: As set out in Table 3.
                          • Appropriate Safeguards: The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR.
                          • Approved Addendum: The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18.
                          • Approved EU SCCs: The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
                          • ICO: The UK Information Commissioner.
                          • Restricted Transfer: A transfer which is covered by Chapter V of the UK GDPR.
                          • UK: The United Kingdom of Great Britain and Northern Ireland.
                          • UK Data Protection Laws: All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the UK Data Protection Act 2018.
                          • UK GDPR: As defined in section 3 of the UK Data Protection Act 2018.
                          1. This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
                          2. If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.
                          3. If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.
                          4. If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
                          5. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.

                          Hierarchy 

                          1. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.
                          2. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.
                          3. Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.

                          Incorporation of and changes to the EU SCCs

                          1. This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:

                          a. Together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers.

                          b. Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs.

                          c. This Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.

                          2. Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.

                          3. No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.

                          4. The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:

                          a. References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs.

                          b. In Clause 2, delete the words: “and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”.

                          c. Clause 6 (Description of the transfer(s)) is replaced with: “The details of the transfer(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”

                          d. Clause 8.7(i) of Module 1 is replaced with: “it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”.

                          e. Clause 8.8(i) of Modules 2 and 3 is replaced with: “the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer.”

                          f. References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws.

                          g. References to Regulation (EU) 2018/1725 are removed.

                          h. References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”.

                          i. The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”.

                          j. Clause 13(a) and Part C of Annex I are not used.

                          k. The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”.

                          l. In Clause 16(e), subsection (i) is replaced with: “the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply.”

                          m. Clause 17 is replaced with: “These Clauses are governed by the laws of England and Wales.”

                          n. Clause 18 is replaced with: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”

                          o. The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10, and 11.

                          Amendments to this Addendum 

                          1. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
                          2. If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
                          3. From time to time, the ICO may issue a revised Approved Addendum which:
                            a. Makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or
                            b. Reflects changes to UK Data Protection Laws.

                          The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.

                          If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:

                          a. its direct costs of performing its obligations under the Addendum; and/or 

                          b. its risk under the Addendum, and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.

                            The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.

                            US States Data Laws Addendum

                            This US States Data Laws Addendum is entered into as of the date below, and is incorporated into and forms a part of the DPA.


                            This US States Data Laws Addendum sets forth the terms and conditions relating to compliance with the following US States Privacy Laws and any regulations, amendments and/or updates thereto:  

                            a. The California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act

                            b. The Virginia Consumer Data Privacy Act

                            c. The Colorado Data Privacy Act

                            d. The Connecticut Data Privacy Act

                            e. Utah Consumer Privacy Act

                            f. Oregon Consumer Privacy Act

                            g. Texas Data Privacy and Security Act

                            h. Delaware Personal Data Privacy Act

                            In the event of a conflict between this US States Data Laws Addendum and the DPA, this US States Data Laws Addendum will prevail. Customer shall be responsible for complying with its own obligations as a business to the extent applicable under the US States Privacy Laws.

                            California

                            A. To the extent that ThinkLP is Processing on behalf of Customer any personal information in scope of the CCPA:  

                              1. ThinkLP is prohibited from selling or sharing personal information it collects (as those terms are defined in the CCPA) pursuant to the Agreement;
                              2. The specific business purpose (as that term is defined in the CCPA) for which ThinkLP is processing personal information pursuant to the Agreement is to provide, manage, operate and secure the Services, and Customer is disclosing the personal information to ThinkLP only for the limited and specified business purpose set forth in the Agreement;
                              3. ThinkLP is prohibited from retaining, using, or disclosing the personal information that it collected pursuant to the Agreement for any purpose other than for the business purpose specified in the Agreement or as otherwise permitted by the CCPA;
                              4. ThinkLP is prohibited from retaining, using, or disclosing the personal information that it collected pursuant to the Agreement for any commercial purpose (as that term is defined in the CCPA) other than the business purposes specified in the Agreement, unless expressly permitted by the CCPA;
                              5. ThinkLP is prohibited from retaining, using, or disclosing the personal information that it collected pursuant to the Agreement outside the direct business relationship between ThinkLP and Customer, unless expressly permitted by the CCPA;
                              6. ThinkLP is required to comply with all applicable sections of the CCPA, including – with respect to the personal information that ThinkLP collected pursuant to the Agreement – providing the same level of privacy protection as required of businesses by the CCPA;
                              7. ThinkLP grants Customer the right to take reasonable and appropriate steps to ensure that ThinkLP uses the personal information that it collected pursuant to the Agreement in a manner consistent with Customer’s obligations under the CCPA;
                              8. ThinkLP is required to notify Customer after it makes a determination that it can no longer meet its obligations under the CCPA;
                              9. ThinkLP grants Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate ThinkLP’s unauthorized use of personal information; and
                              10. ThinkLP is required to enable Customer to comply with consumer requests made pursuant to the CCPA or Customer is required to inform ThinkLP of any consumer request made pursuant to the CCPA that they must comply with and provide the necessary information to ThinkLP to comply with the request.

                              B. To the extent that either party sells to or shares with the other any personal information in scope of the CCPA:

                              1. The purposes for which the personal information is made available to and by ThinkLP is to provide, manage, operate and secure the Services under the Agreement subject to the applicable party’s applicable privacy policy;
                              2. The personal information is made available to the receiving party only for the limited and specified purposes set forth in the Agreement and is required to be used only for those limited and specified purposes;
                              3. The receiving party is required to comply with applicable sections of the CCPA, including – with respect to the personal information that is made available to the receiving party – providing the same level of privacy protection as required of businesses by the CCPA;
                              4. The disclosing party is granted the right – with respect to the personal information that is made available to ThinkLP – to take reasonable and appropriate steps to ensure that the receiving party uses the personal information in a manner consistent with the disclosing party’s obligations under the CCPA;
                              5. The disclosing party is granted the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information made available to the receiving party; and
                              6. The receiving party is required to notify the other party after it makes a determination that it can no longer meet its obligations under the CCPA.

                              Other US States

                              To the extent that ThinkLP is processing on behalf of Customer any personal data in scope of Virginia Consumer Data Privacy Act, Colorado Data Privacy Act, the Connecticut Data Privacy Act, Utah Consumer Privacy Act, Oregon Consumer Privacy Act, Texas Data Privacy and Security Act or Delaware Personal Data Privacy Act, the following provisions shall apply:

                              a. Instruction. Customer hereby instructs Service Provider to process Personal Information solely for purposes of performing the Processing Services during the term of the Agreement and any applicable survival period for which Service Provider has obligations under such Agreement.

                              b. Confidentiality Agreements. All employees and personnel of Service Provider must be subject to a written duty of confidentiality with respect to the Processing Services, including but not limited to the Personal Information and its processing.

                              c. Service Provider Obligations. Upon Customer’s reasonable request, Service Provider shall cooperate with Customer and provide information in a timely manner to:
                              i. Enable Customer to conduct and document data protection assessments and cooperate with reasonable audits by Customer or a qualified independent auditor;
                              ii. Demonstrate Service Provider’s compliance with its obligations under the applicable US State Act;
                              iii. Take appropriate technical and organizational measures to fulfill consumer rights requests made to Customer; and
                              iv. Help meet Customer’s obligations regarding any data security and/or data breach notification.

                              d. De-Identified Information. If Customer provides any de-identified information to Service Provider, then Service Provider shall take reasonable measures to ensure that such information cannot be associated with an individual and shall publicly commit to maintain and use such information in de-identified form only and not attempt to re-identify the information.

                              e. Sub-Processors. If Service Provider engages any sub-processors of Personal Information, then Service Provider shall notify Customer of such engagement in writing and ensure (and confirm to Customer) that there is a written contract between Service Provider and the sub-processor that binds the sub-processor to all of the contractual requirements and obligations imposed on the Service Provider under the Agreement and/or this Addendum. Service Provider shall be responsible for any breach of this Addendum by its sub-processors as if such breach were a breach by Service Provider.

                              f. Return and Delete. Upon Customer’s request, Service Provider shall delete or return all Personal Information to Customer as requested at the end of the performance of Processing Services, unless retention of the Personal Information is required by Laws and then only to the extent required.