Customer Data Processing Addendum

RubyLaw, LLC

This Data Processing Addendum, including the Standard Contractual Clauses referenced herein and the Annex appended hereto (collectively, the “Addendum” or “DPA”), is incorporated into the Terms of Service (the “Principal Agreement”) either previously or concurrently made between you, an individual participant accessing the (the “Customer”) and RubyLaw, LLC (“Vendor”) and sets forth additional terms that apply to the extent any information you provide to Vendor pursuant to the Agreement includes Personal Information (as defined below). This DPA is effective as set forth in the Principal Agreement.

The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the applicable Principal Agreement. Except as modified below, the terms of the Principal Agreement shall remain in full force and effect.

In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Principal Agreement. Except where the context requires otherwise, references in this Addendum to the Principal Agreement are to the Principal Agreement as amended by, and including, this Addendum.

  1. Definitions
    • In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
      • "Customer Affiliate" means an entity that owns or controls, is owned or controlled by or is under common control or ownership with Customer, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
      • "Customer Personal Information" means any Personal Information Processed by Vendor on behalf of a Customer pursuant to or in connection with the Principal Agreement and according to Customer instructions.
      • "Data Protection Laws" means all applicable federal, state, and foreign laws and regulations relating to the processing, protection, or privacy of the Personal Information, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction. This includes, but is not limited to, the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA).
      • "EEA" means the European Economic Area.
      • "EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.
      • "GDPR" means EU General Data Protection Regulation 2016/679.
      • "Personal Information" means any information defined as “personal information” or “personal data” under Data Protection Laws including data (i) relating to an identified or identifiable natural person; or (ii) that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, regardless of the media in which it is maintained, that may be:
        • processed at any time by Vendor in anticipation of, in connection with or incidental to the performance of the Services under the Principal Agreement and this DPA; or
        • derived by Vendor from such information.
      • "Restricted Transfer" means:
        • a transfer of Customer Personal Information from Customer to Vendor; or
        • an onward transfer of Customer Personal Information from Vendor to a Subprocessor, or between two establishments of Vendor and Subprocessor,
          in each case, where such transfer would be prohibited by Data Protection Laws defined above (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of the Standard Contractual Clauses to be established under Schedule 1 below or, on a case by case basis, such other lawful transfer mechanism referred to in Article 46 of the GDPR or derogation referred to in Article 49 of the GDPR as may apply.
      • "Services" means the services and other activities to be supplied to or carried out by or on behalf of Vendor for Customer pursuant to the Principal Agreement.
      • "Standard Contractual Clauses" means the model clauses for the transfer of Personal Information to processors established in third countries approved by the European Commission, the approved version of which is set out in the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 and at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=e, which clauses are incorporated herein by this reference.
      • "Subprocessor" means any person (including any third party, but excluding an employee of Vendor) appointed by or on behalf of Vendor to Process Personal Information on behalf of Customer in connection with the Principal Agreement.
      • "UK Data Protection Laws" means (a) the UK Data Protection Act 2018 incorporating the GDPR (as may be amended by The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019); (b) the GDPR, read in conjunction with and subject to any Member State law that provides for specifications or restrictions of its rules; and (c) any other applicable UK or EU data protection or privacy law to the extent that such law applies to a Customer, Vendor Affiliate or Vendor, in each case as amended, replaced or superseded from time to time.
    • The terms, "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
    • The word "include" shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
  2. Processing of Customer Personal Information
    • Vendor shall:
      • comply with all applicable Data Protection Laws in the Processing of Customer Personal Information;
      • not Process Customer Personal Information other than on Customer’s documented instructions unless Processing is required by Data Protection Laws to which the Vendor is subject, in which case Vendor shall to the extent permitted by Data Protection Laws inform the Customer of that legal requirement before the relevant Processing of that Personal Information.
      • maintain the confidentiality of all Personal Information, will not sell it to anyone, and will not disclose it to third parties unless the Customer or this DPA specifically authorizes the disclosure, or as required by law. If a law requires the Vendor to process or disclose Personal Information, the Vendor must first inform the Customer of the legal requirement and give the Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice.
      • reasonably assist the Customer with meeting the Customer's compliance obligations under the Data Protection Laws, taking into account the nature of the Vendor's processing and the information available to the Vendor.
      • promptly notify the Customer of any changes to Data Protection Laws that may adversely affect the Vendor's performance of the Principal Agreement.
      • if additional Processing requirements are necessary for any specific jurisdiction in order for the Processing by Vendor or its authorized Subprocessors to be compliant with Data Protection Laws, Vendor and Customer shall negotiate in good faith to amend this Addendum to include such requirements and implement these provisions accordingly.
    • Customer:
      • instructs Vendor (and authorizes Vendor to instruct each Subprocessor) to:
        • Process Customer Personal Information; and
        • in particular, transfer Customer Personal Information to any country or territory, provided it is to a country that provides an adequate level of protection as determined by the standard defined by applicable Data Protection Laws or safeguards are in place to provide an adequate level of protection such as standard contractual clauses approved by the relevant government or commissioned bodies or the transfer is otherwise permitted under Data Protection Law,
          to the extent and in such a manner as is reasonably necessary for the provision of the Services and consistent with the Principal Agreement; and
      • warrants and represents that it is and, unless it provides written notice to the Vendor to the contrary, will remain duly and effectively authorized to give the instruction set out in section 2.2.1 on behalf of each relevant Customer Affiliate.
      • retains control of the Customer Personal Information and remains responsible for its compliance obligations under the applicable Data Protection Laws, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to the Vendor.
  3. Vendor Personnel
    • Vendor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of Vendor who may have access to the Customer Personal Information, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Customer Personal Information, as strictly necessary for the purposes of the Principal Agreement, and to comply with Data Protection Laws in the context of that individual's duties to the Vendor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
  4. Security
    • Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Vendor shall in relation to the Customer Personal Information implement appropriate physical, technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
    • In assessing the appropriate level of security, Vendor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Information Breach.
  5. Subprocessing
    • Customer authorizes Vendor to appoint (and permit each Subprocessor appointed in accordance with this section 5 to appoint) Subprocessors in accordance with this section 5 and any restrictions in the Principal Agreement.
    • Vendor may continue to use those Subprocessors already engaged by Vendor as at the date of this Addendum and add new Subprocessors, subject to in each case as soon as practicable meeting the obligations set out in section 5.3 and 5.4.
    • Vendor shall ensure that each Subprocessor performs the obligations under the applicable sections of this DPA, as they apply to Processing of Customer Personal Information carried out by that Subprocessor, as if it were party to this Addendum in place of Vendor.
    • Vendor will provide Customer with written notice of the addition of any new Subprocessor or replacement of an existing Subprocessor (a “New Subprocessor Notice”). Such notice will be delivered by email to an address designated by Customer or by posting an updated version of this DPA, which includes the new or replacement Subprocessor, on Vendor's publicly accessible website. If Customer has a reasonable basis to object to Vendor’s use of a new or replacement Subprocessor, Customer must notify Vendor in writing within thirty (30) days of receipt of the New Subprocessor Notice, specifying the grounds for objection in reasonable detail. In the event of such reasonable objection, the parties will discuss in good faith to find a commercially reasonable solution. If no resolution is reached within a reasonable time, either party may terminate the portion of any agreement relating to the Services that cannot be reasonably provided without the objected-to Subprocessor (which may, at Vendor’s discretion, involve termination of the entire agreement) with immediate effect by providing written notice to the other party. Such termination shall not entitle Customer to any refund for fees prepaid for the period following termination.
  6. Data Subject Rights
    • Taking into account the nature of the Processing, Vendor shall assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customers' obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
    • Vendor shall:
      • promptly notify Customer if Vendor receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Information; and
      • ensure that Vendor does not respond to that request except on the documented instructions of Customer or the relevant Customer Affiliate or as required by applicable Data Protection Laws to which Vendor is subject, in which case Vendor shall to the extent permitted by applicable Data Protection Laws inform Customer of that legal requirement before the Vendor responds to the request.
    • Customer shall:
      • Promptly notify Vendor if Customer receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Information;
      • Assist Vendor as necessary to fulfill Data Subject requests.
  7. Personal Information Breach
    • Vendor shall notify Customer without undue delay upon Vendor or any Subprocessor becoming aware of a Personal Information Breach affecting Customer Personal Information, providing Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects of the Personal Information Breach under the Data Protection Laws.
    • Vendor shall cooperate with Customer and take such reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Information Breach.
    • Customer shall cooperate with Vendor and take such reasonable commercial steps as are directed by Vendor to assist in the investigation, mitigation, and remediation of each such Personal Information Breach as necessary.
  8. Data Protection Impact Assessment and Prior Consultation
    • Upon request, Vendor shall provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Customer reasonably considers to be required of any Customer by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer Personal Information by, and taking into account the nature of the Processing and information available to, Vendor.
  9. Deletion or return of Customer Personal Information
    • Subject to sections 9.2 and 9.3, Vendor shall promptly after the date of cessation of any Services involving the Processing of Customer Personal Information (the "Cessation Date"), delete and procure the deletion of all copies of that Customer Personal Information unless otherwise required by applicable Data Protection Laws or other regulations.
    • Subject to section 9.3, Customer may in its absolute discretion by written notice to Vendor within 30 days of the Cessation Date require Vendor to (a) return a complete copy of all Customer Personal Information to Customer by secure file transfer in such format as is reasonably notified by Customer to Vendor; and (b) delete and procure the deletion of all other copies of Customer Personal Information Processed by Vendor. Vendor shall comply with any such written request within 30 days of the Cessation Date unless otherwise required by applicable Data Protection Laws or other regulations.
    • Vendor may retain Customer Personal Information to the extent required by applicable Data Protection Laws and only to the extent and for such period as required by applicable Data Protection Laws and always provided that Vendor shall ensure the confidentiality of all such Customer Personal Information and shall ensure that such Customer Personal Information is only Processed as necessary for the purpose(s) specified in the applicable Data Protection Laws requiring its storage and for no other purpose.
    • Vendor shall, if requested in writing by Customer, provide written certification to Customer that it has fully complied with this section 9 within 30 days of the Cessation Date.
  10. Audit rights
    • Within thirty (30) days of Customer’s written request, and no more than once annually (except in the event of a Personal Information Breach), Vendor shall make available to Customer (or a mutually agreed upon independent auditor, at Customer’s cost) information reasonably necessary to demonstrate compliance with this DPA. Any such audit shall be conducted during Vendor’s normal business hours, in a manner that minimizes disruption to Vendor’s operations, and subject to reasonable confidentiality and security measures. The scope of the audit shall be limited to information relevant to the Processing of Customer Personal Information under this DPA.
  11. Restricted Transfers
    • Subject to section 11.3, Customer (as "data exporter") and Vendor, as appropriate, (as "data importer") hereby enter into the Standard Contractual Clauses in respect of any Restricted Transfer from that Customer to Vendor.
    • The Standard Contractual Clauses shall come into effect under section 11.1 on the later of:
      • the data exporter becoming a party to them;
      • the data importer becoming a party to them; and
      • commencement of the relevant Restricted Transfer.
    • Section 11.1 shall not apply to a Restricted Transfer unless its effect, together with other reasonably practicable compliance steps (which, for the avoidance of doubt, do not include obtaining consents from Data Subjects), is to allow the relevant Restricted Transfer to take place without breach of applicable Data Protection Laws.
  12. General Terms

    Governing law and jurisdiction

    • Without prejudice to Clause 17 of the Standard Contractual Clauses:
      • the parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
      • this Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Principal Agreement.
    Order of precedence

    • Nothing in this Addendum reduces Vendor's obligations under the Principal Agreement in relation to the protection of Personal Information or permits Vendor to Process (or permit the Processing of) Personal Information in a manner which is prohibited by the Principal Agreement. In the event of any conflict or inconsistency between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
    • Subject to section 12.2, with regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Principal Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail.
    Changes in Data Protection Laws, etc.

    • Customer may:
      • by at least 60 (sixty) calendar days' written notice to Vendor from time to time make any variations to the Standard Contractual Clauses (including any Standard Contractual Clauses entered into under section 11.1), as they apply to Restricted Transfers which are subject to a particular Data Protection Law, which are required, as a result of any change in, or decision of a competent authority under, that Data Protection Law, to allow those Restricted Transfers to be made (or continue to be made) without breach of that Data Protection Law; and
      • propose any other variations to this Addendum which Customer reasonably considers to be necessary to address the requirements of any Data Protection Law.
    • If Customer gives notice under section 12.4.1:
      • Vendor shall promptly co-operate (and ensure that any affected Subprocessors promptly co-operate) to ensure that equivalent variations are made to any agreement put in place under section 5.3; and
      • Customer shall not unreasonably withhold or delay agreement to any consequential variations to this Addendum proposed by Vendor to protect the Vendor against additional risks associated with the variations made under section 12.4.1 or 12.5.1.
    • If Customer gives notice under this section, the parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Customer's notice as soon as is reasonably practicable.
    • Neither Customer nor Vendor shall require the consent or approval of any Customer Affiliate to amend this Addendum pursuant to this section or otherwise.
    Severance

    • Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
  13. Term and Termination
    • This DPA will remain in full force and effect so long as:
      • the Principal Agreement remains in effect; or
      • Vendor retains any Personal Information related to the Principal Agreement in its possession or control (the "Term").
    • Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Principal Agreement in order to protect Personal Information will remain in full force and effect.
    • If a change in any Data Protection Laws prevents either party from fulfilling all or part of its Principal Agreement obligations, the parties will suspend the processing of Personal Information until that processing complies with the new requirements. If the parties are unable to bring the Personal Information processing into compliance with the Data Protection Laws, they may terminate the Principal Agreement upon written notice to the other party.
  14. Limitation of Liability
    • Each party’s liability and the liability of its affiliates, employees, agents, and subcontractors (including Subprocessors) under this DPA shall be subject to the limitations and exclusions of liability set forth in the Principal Agreement.
  15. Changes to this DPA
    • The Vendor reserves the right, at its sole discretion, to modify or replace this DPA at any time.
    • If a revision is material, which is to be determined by the Vendor at its sole discretion, the Vendor will provide at least thirty (30) days’ notice on the website prior to any new terms taking effect. The Customer’s continued access to or use of the Services after any revisions become effective, will mean that you accept and agree to be bound by the revised terms. If the Customer does not agree to the new terms, the Customer is no longer authorized to use the Website and Services and should refrain from doing so.

SCHEDULE I – Standard Contractual Clauses

  1. To the extent legally required, the signatories to the Agreement are deemed to have signed the clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=e (the “2021 Standard Contractual Clauses”), which form part of this DPA and will be deemed completed as follows:
    • Module 2 of the 2021 Standard Contractual Clauses applies to transfers of Personal Data from Customer to Vendor and Module 4 of the 2021 Standard Contractual Clauses applies to transfers of Personal Data from Vendor to Customer;
    • Clause 7 of Modules 2 and 4 (the optional docking clause) is not included;
    • Under Clause 9 of Module 2 (Use of sub-processors), the parties select Option 2 (general authorization). The contents of Annex III (the list of sub-processors already authorized by Customer) are attached hereto as Schedule 3 to this DPA;
    • Under Clause 11 of Modules 2 and 4 (Redress), the optional language requiring that data subjects be permitted to lodge a complaint with an independent dispute resolution body shall not be deemed to be included;
    • Under Clause 17 of Modules 2 and 4 (Governing law), the parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The parties select the laws of Ireland;
    • Under Clause 18 of Modules 2 and 4 (Choice of forum and jurisdiction), the parties select the courts of Ireland.

This Annex forms part of the Standard Contractual Clauses

Annex I

Data exporter
Data exporter is Customer.
Address: the Customer’s address set out in the Principal Agreement.
Contact person’s name, position, and contact details: the Customer’s contact details as set out in the Principal Agreement or order form.

Activities relevant to the data transferred under these Clauses: activities necessary to provide the Services described in the Principal Agreement.

Data importer
The data importer is RubyLaw, LLC

Email: srubenstein@rubylaw.com

Activities relevant to the data transferred under these Clauses: activities necessary to provide the Services described in the Principal Agreement.

Categories of data subjects whose personal data is transferred

End users / customers of the Company

Categories of personal data transferred

  1. Identifiers
    • Full Name (including prefix, suffix, nickname, pronouns)
    • Email Addresses
    • Phone Numbers
    • IP Address
    • Cookie Identifiers
    • External System Unique Identifier
  2. Professional and Employment-Related Information
    • Job Title / Position
    • Professional Biography
    • Professional Affiliations
    • Representative Matters (if linked to specific individuals)
  3. Online Identifiers / Social Media
    • LinkedIn, Twitter, Facebook URLs
    • Website Search Name / Keywords (if tied to identifiable individuals)
  4. Photographs and Audio
    • Profile Image (if depicting the individual)
    • Pronunciation Audio (if tied to identity)
  5. Geolocation
    • Office Location (if associated with an individual)
  6. Education and Credentials
    • Education History (School, Degree, Year)
    • Bar and Court Admissions
    • Clerkships
  7. Authentication and Account Access
    • Username
    • Password
    • API Secret
    • SAML SSO Configuration Data
  8. Interaction / Usage Data
    • RubyLaw Usage Logs (to the extent tied to individuals)
    • Website API Logs (if identifiable)
    • Routing and clickstream data (when tied to a specific user)
    • Email interaction history
    • Chat function entries (Name, Email, Company)

Sensitive data transferred (if applicable)

N/A

The Frequency of the Transfer

Continuous

Nature of the processing

The processing is carried out by the Vendor for the purposes of fulfilling its obligations under the Master Agreement and as further instructed in writing by the Customer.

Purpose(s) of the data transfer and further processing

The processing is carried out by the Vendor for the purposes of fulfilling its obligations under the Master Agreement and as further instructed in writing by the Customer.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.

Personal data is retained for so long as is reasonably necessary to fulfill the purposes for which the data was collected, to perform Vendor’s contractual and legal obligations, and for any applicable statute of limitations periods for the purposes of bringing and defending claims, or as long as legally required by a relevant authority or law.

Competent Supervisory Authority

Identify the competent supervisory authority/ies in accordance with Clause 13

Irish Data Protection Commission

Annex II: Technical And Organizational Measures Including Technical And Organizational Measures To Ensure The Security Of The Data

The description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) are as follows:

  1. Information Security Program
    • Processor maintains a documented information security program that includes administrative, technical, and physical safeguards to protect personal data against unauthorized access, disclosure, alteration, and destruction.
  2. Access Control
    • Logical access to systems is restricted based on role and necessity (“least privilege”).
    • User authentication requires strong passwords and multi-factor authentication (MFA) where supported.
    • Access rights are reviewed periodically and promptly revoked upon termination or role change.
  3. Physical Security
    • Production systems are hosted in secure data centers or cloud environments with industry-standard physical safeguards.
    • Remote work access is secured through VPN or similar secure channels.
  4. Data Encryption
    • Personal data is encrypted in transit using TLS and at rest using industry-standard encryption algorithms.
    • Encryption keys are managed securely and access is limited to authorized personnel.
  5. Vulnerability and Patch Management
    • Systems are regularly monitored for vulnerabilities.
    • Security patches and updates are applied within a reasonable timeframe, based on severity.
  6. Backup and Business Continuity
    • Regular backups of critical systems and data are performed.
    • Backups are encrypted and stored in a secure, geographically separate location.
    • Disaster recovery and business continuity procedures are documented and tested periodically.
  7. Incident Response
    • A documented incident response plan is maintained.
    • Security incidents involving personal data are investigated promptly and reported to the controller without undue delay if required by law or contract.
  8. Personnel Security
    • Employees receive training on data protection and security policies during onboarding and periodically thereafter.
    • All employees are subject to confidentiality obligations.
  9. Subprocessor Management
    • Subprocessors are subject to written agreements imposing data protection and security obligations no less protective than those in this DPA.
    • The processor conducts due diligence before onboarding subprocessors.
  10. Audit and Review
    • The effectiveness of these measures is reviewed at least annually and updated as necessary to address changing risks or legal requirements.

Annex III: Processor’s Sub-Processors

The Customer has authorized the use of the listed Sub-processors effective as of the date of this DPA. They are as follows:

Google (US) – Gemini AI Features
Amazon AWS (US) – Hosting Services

Schedule II: UK Addendum to the EU Standard Contractual Clauses

Entering into this Addendum

  1. Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.
  2. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.

    Table 1 (Parties): As set out in Schedule I to this DPA.

    Table 2 (Selected SCCs): Module 2 and Module 4 of the 2021 EU Standard Contractual Clauses, as set out in Schedule I.

    Table 3 (Appendix Information)

    The Appendix Information is as set out in:

    • Annex I (Sections A and B) of the Standard Contractual Clauses in Schedule I to this DPA (as applicable to the UK Addendum)
    • Annex II (Technical and Organisational Measures) of the Standard Contractual Clauses in Schedule I to this DPA
    • Annex III (List of Sub-processors) of the Standard Contractual Clauses in Schedule I to this DPA

    Table 4 (Ending the Addendum): Neither Party may end this Addendum pursuant to Section 19.

    Interpretation of this Addendum

  3. Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
    Addendum: This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs.
    Addendum EU SCCs: The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information.
    Appendix Information: As set out in Table 3.
    Appropriate Safeguards: The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR.
    Approved Addendum: The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 28 January 2022, as it is revised under Section 18.
    Approved EU SCCs: The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
    ICO: The Information Commissioner.
    Restricted Transfer: A transfer which is covered by Chapter V of the UK GDPR.
    UK: The United Kingdom of Great Britain and Northern Ireland.
    UK Data Protection Laws: All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
    UK GDPR: As defined in section 3 of the Data Protection Act 2018.
  4. This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
  5. If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.
  6. If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.
  7. If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
  8. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
  9. Hierarchy

  10. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.
  11. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.
  12. Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.
  13. Incorporation of and changes to the EU SCCs

  14. This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
    1. together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
    2. Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
    3. this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
  15. Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.
  16. No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.
  17. The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:
    1. References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;
    2. In Clause 2, delete the words:
      “and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
    3. Clause 6 (Description of the transfer(s)) is replaced with:
      “The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
    4. Clause 8.7(i) of Module 1 is replaced with:
      “it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
    5. Clause 8.8(i) of Modules 2 and 3 is replaced with:
      “the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
    6. References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
    7. References to Regulation (EU) 2018/1725 are removed;
    8. References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
    9. The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;
    10. Clause 13(a) and Part C of Annex I are not used;
    11. The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
    12. In Clause 16(e), subsection (i) is replaced with:
      “the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
    13. Clause 17 is replaced with:
      “These Clauses are governed by the laws of England and Wales.”;
    14. Clause 18 is replaced with:
      “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
    15. The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.
  18. Amendments to this Addendum

  19. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
  20. If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
  21. From time to time, the ICO may issue a revised Approved Addendum which:
    1. makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or
    2. reflects changes to UK Data Protection Laws;

      The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
  22. If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:
    1. its direct costs of performing its obligations under the Addendum; and/or
    2. its risk under the Addendum,

      and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
  23. The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.