Data Protection Addendum

SCOPE

  1. The individual or entity using the Services under the Terms of Services available at [https://www.getport.io/legal/terms-of-service] ("Customer") and Port IO Ltd and Getport Inc (the "Service Provider") are parties to the Agreement, as defined below, to which this Data Protection Addendum applies.
  2. If Service Provider processes personal data, or if Service Provider has access to personal data in the course of its performance under the Agreement, Service Provider shall comply with the terms and conditions of this Data Protection Addendum ("Data Protection Addendum"). 
  3. By using the Services, Service Provider shall qualify as the Data Processor, as this term is defined under Data Protection Laws. Customer acknowledges and agrees that as the Controller, it is responsible for the legal basis of Processing hereunder, including obtaining any necessary consents in accordance with the requirements of Data Protection Laws. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.

DEFINITIONS

All capitalized terms not defined in this Data Protection Addendum have the meanings set forth in the Agreement.

  1. "Agreement" means the agreement between Customer and the Service Provider which involves Service Provider having access to or otherwise processing personal data;
  2. "Approved Jurisdiction" means a member state of the European Economic Area ("EEA"), or other jurisdiction as may be approved as having adequate legal protections for data by the European Commission, currently found here: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
  3. "Breach Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
  4. "Data Protection Laws" means any and/or all applicable domestic and foreign laws, rules, directives and regulations, on any local, provincial, state, federal or national level, pertaining to data privacy, data security and/or the protection of personal data, including the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("GDPR"), and the Privacy and Electronic Communications Directive 2002/58/EC (and local implementing laws) concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), including any amendments or replacements to them.
  5. "Standard Contractual Clauses" means the standard contractual clauses for the transfer of personal data to third countries adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, pursuant to GDPR art. 46.
  6. The terms "personal data", "process", "processing" and "Special Categories of Data" herein shall have the meaning ascribed to them in the GDPR.

DATA PROTECTION AND PRIVACY

If Service Provider has access to or otherwise processes personal data, then Service Provider shall:

  1. only process the personal data in accordance with Customer's documented instructions and on its behalf, and in accordance with the Agreement and this Data Protection Addendum;
  2. take reasonable steps to ensure the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to and process, personal data; ensure persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and ensure that such personnel are aware of their responsibilities under this Data Protection Addendum and any Data Protection Laws (or Service Provider’s own written binding policies are at least as restrictive as this Data Protection Addendum);
  3. assist Customer as needed to cooperate with and respond to requests from supervisory authorities, data subjects, customers, or others to provide information (including details of the services provided by Service Provider) related to Service Provider's processing of personal data;
  4. notify the Customer without undue delay, and no later than forty eight (48) hours, after becoming aware of a Breach Incident;
  5. provide full, reasonable cooperation and assistance to Customer in: allowing data subjects to exercise their rights under the Data Protection Laws, including (without limitation) the right of access, right to rectification, restriction of processing, erasure ("right to be forgotten"), data portability, the right to object to the processing, or the right not to be subject to automated individual decision making; ensuring compliance with any notification obligations of personal data breach to the supervisory authority and communication obligations to data subjects, as required under Data Protection Laws; and ensuring compliance with its obligation to carry out data protection impact assessments with respect to the processing of personal data, and with its prior consultation with the supervisory authority obligation (as applicable);
  6. only process or use personal data on its systems or facilities to the extent necessary to perform its obligations under the Agreement;
  7. as required under Data Protection Laws, maintain accurate written records of any and all the Processing activities of any personal data carried out under the Agreement (including the categories of Processing carried out and, where applicable, the transfers of personal data), and shall make such records available to the applicable supervisory authority on request;
  8. make all reasonable efforts to ensure that personal data are accurate and up to date at all times while in its custody or under its control, to the extent Service Provider has the ability to do so;
  9. not lease, sell or otherwise distribute personal data;
  10. promptly notify Customer of any investigation, litigation, arbitrated matter or other dispute relating to Service Provider’s information security or privacy practices as it relates to the processing of personal data;
  11. promptly notify Customer in writing and provide Customer an opportunity to intervene in any judicial or administrative process if Service Provider is required by law, court order, warrant, subpoena, or other legal or judicial process to disclose any personal data to any person other than Customer;
  12. upon termination of the Agreement, or upon Customer's written request at any time during the term of the Agreement, Service Provider shall cease to process any personal data received from Customer, and within a reasonable period will at the request of Customer: (1) return the personal data; or (2) securely and completely destroy or erase all personal data in its possession or control (including any copies thereof), unless and solely to the extent the foregoing conflicts with any applicable laws. At Customer’s request, Service Provider shall certify to Customer that it has fully complied with this clause.

SUBCONTRACTING

  1. Service Provider may subcontract its obligations under this Data Protection Addendum to another person or entity ("Contractor(s)"), as stated in Annex A attached hereto, provided that Service Provider shall inform the Customer of any intended changes concerning the addition/replacement of other processors at least 30 days prior to such change, and the Customer may notify Service Provider that it objects to such change and terminate the Agreement by written notice to the Customer. 
  2. Service Provider will execute a written agreement with such approved Contractor containing equivalent terms to this Data Protection Addendum.
  3. Service Provider shall have a written security policy that provides guidance to its Contractors to ensure the security, confidentiality and integrity of personal data and systems maintained or processed by Service Provider.
  4. Customer may require Service Provider to provide Customer with full details of the proposed Contractor’s involvement including but not limited to the identity of the Contractor, its data security record, the location of its processing facilities and a description of the access to personal data proposed.
  5. Service Provider shall be responsible for the acts or omissions of Contractors to the same extent it is responsible for its own actions or omissions under this Data Protection Addendum.

THE TRANSFER OF PERSONAL DATA

  1. Personal data may be transferred from the EEA, Switzerland and the United Kingdom ("UK") to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the European Union, the Member States or the European Commission, Switzerland, and/or the UK as relevant ("Adequacy Decisions"), as applicable, without any further safeguard being necessary.
  2. If the Processing of Personal Data by Processor includes a transfer (either directly or via onward transfer):
  • from the EEA or Switzerland to other countries which have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative recognized compliance mechanism as may be adopted by Processor for the lawful transfer of personal data (as defined in the GDPR) outside the EEA or Switzerland ("EEA Transfer"), the terms set forth in Part 1 of Annex C (EEA Cross Border Transfers) shall apply.
  • from the UK to other countries which have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative recognized compliance mechanism as may be adopted by Processor for the lawful transfer of personal data (as defined in the UK GDPR) outside the EEA or UK ("UK Transfer"), the terms set forth in Part 2 of Annex C (UK Cross Border Transfers) shall apply.
  • the terms set forth in Part 3 of Annex C (Additional Safeguards) shall apply to an EEA Transfer and a UK Transfer.

SECURITY STANDARDS

  1. Service Provider shall implement and maintain commercially reasonable and appropriate physical, technical and organizational security measures to protect personal data against accidental or unlawful destruction; accidental loss, alteration, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed; and all other unlawful forms of processing; including (as appropriate): (i) the pseudonymisation and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (iv) a process for regularly assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
  2. To the extent that Service Provider processes Special Categories of Data, the security measures referred to in this Data Protection Addendum shall also include, at a minimum (i) routine risk assessments of Service Provider's information security program, (ii) regular monitoring to measure and confirm the effectiveness of the information security program's key controls, systems, and procedures, and (iii) encryption of Special Categories of Data while "at rest" and during transmission (whether sent by e-mail, fax, or otherwise), and storage (including when stored on mobile devices, such as a portable computer, flash drive, PDA, or cellular telephone).

GENERAL

  1. If any of the Data Protection Laws are superseded by new or modified Data Protection Laws (including any decisions or interpretations by a relevant court or governmental authority relating thereto), the new or modified Data Protection Laws shall be deemed to be incorporated into this Data Protection Addendum, and Service Provider will promptly begin complying with such Data Protection Laws.
  2. Any ambiguity in this Data Protection Addendum shall be resolved to permit Customer to comply with all Data Protection Laws. In the event and to the extent that the Data Protection Laws impose stricter obligations on the Service Provider than under this Data Protection Addendum, the Data Protection Laws shall prevail.
  3. If this Data Protection Addendum does not specifically address a particular data security or privacy standard or obligation, Service Provider will use appropriate, generally accepted practices to protect the confidentiality, security, privacy, integrity, availability, and accuracy of personal data.
  4. Service Provider agrees that, in the event of a breach of this Data Protection Addendum, neither Customer nor any relevant Customer's customer will have an adequate remedy in damages and therefore either Customer or an affected customer shall be entitled to seek injunctive or equitable relief to immediately cease or prevent the use or disclosure of personal data not contemplated by the Agreement and to enforce the terms of this Data Protection Addendum or ensure compliance with all Data Protection Laws.
  5. If Service Provider is unable to provide the level of protection as required herein, Service Provider shall immediately notify Customer and cease processing. Any non-compliance with the requirements herein shall be deemed a material breach of the Agreement and Customer shall have the right to terminate the Agreement immediately without penalty.
  6. Customer shall have the right to: (a) require from Service Provider all information necessary to, and (b) conduct its own audit and/or inspections of Service Provider in order to, demonstrate compliance with the Data Protection Addendum. Such audit and/or inspection shall be conducted with reasonable advance notice to Service Provider, at Customer's expense, no more than once a year, and during normal business hours to reasonably limit any disruption to Service Provider's business.
  7. Notwithstanding anything to the contrary, with effect from 25 May 2018, Service Provider will process personal data in accordance with the GDPR requirements directly applicable to its activities.

ANNEX A

DETAILS OF PROCESSING ACTIVITIES/DESCRIPTION OF THE TRANSFER

This Annex A includes certain details of the Processing of Personal Data as required by Article 28(3) GDPR/UK GDPR and information required by the EU Standard Contractual Clauses and UK Standard Contractual Clauses.

A.  LIST OF PARTIES

Data exporter(s): 

Name: Customer, as defined in the Agreement

Trading name if different: 

Address: Customer's address, as set out in the Agreement

Contact details: Customer's contact details, as set out in the Agreement

Activities relevant to the data transferred under these Clauses: As described in the Agreement.

Role (controller/processor): Controller

Data importer(s): 

Name: Service Provider, as defined in the DPA

Trading name if different: N/A

Address: Service Provider's address, as set out in the Agreement

Official registration number (if any) (company number or similar identifier): Service Provider's official registration number (if any) as set out in the Agreement.

Contact person’s name, position and contact details: Service Provider's contact details, as set out in the Agreement

Activities relevant to the data transferred under these Clauses: Processing of personal data in connection with the Services under the Agreement.

Role (controller/processor): Processor

B. DESCRIPTION OF TRANSFER

Subject Matter

The subject matter is as set forth in the Agreement. 

Categories of Data Subjects whose Personal Data is transferred

Employees; contractors

Categories of data and Types of Personal Data

Names and email addresses

Special categories of data/Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

Sub Processors

Name of sub-processor    Location    Processing activities
Amazon Web Services      Ireland     Hosting
Auth0                    US          Authentication of Authorized Users
Intercom                 US          Support ticketing

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous, as set out in the Agreement

Nature of the processing

Service Provider is engaged to provide services to Customer which involve the processing of Personal Data. The scope of the services is set out in the Agreement. Personal Data will be processed by Service Provider to deliver those Services and to comply with the terms of the Agreement and this DPA. The Services will consist of the processing operations set out in the Agreement.

Purpose of the data transfer and further processing

The purpose of the processing of the Personal Data is set out in the Agreement and this DPA.

Duration

The term of this DPA shall commence and terminate along with the term of the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

The Personal Data will be retained for the term of the Agreement.

ANNEX B

TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES 

Description of the technical and organizational security measures implemented by the Service Provider, including (as applicable) in accordance with Clauses 4(c), 4(d) and 5(c) of the Standard Contractual Clauses.

Security Management

Service Provider maintains a written information security management system (ISMS), in accordance with this Appendix, that includes policies, processes, enforcement and controls governing all storage/processing/transmitting of Personal Data, designed to (a) secure Personal Data against accidental or unlawful loss, access or disclosure; (b) identify reasonably foreseeable and internal risks to security and authorized access to the Service Provider Network, and (c) minimize security risks, including through risk assessment and regular testing. The information security program will include the following measures:

Service Provider actively follows information security trends and developments as well as legal developments with regards to the services provided and especially with regards to Personal Data and uses such insights to maintain its ISMS, as appropriate.

Maintain an Information Security Policy

Service Provider's ISMS is based on its security policies, aligned with industry standards, that are regularly reviewed (at least yearly), maintained and disseminated to all relevant parties, including all personnel. Security policies and derived procedures clearly define information security responsibilities, including responsibilities for:

  • Maintaining security policies and procedures,
  • Secure development, operation and maintenance of software and systems,
  • Security alert handling,
  • Security incident response and escalation procedures,
  • User account administration,
  • Monitoring and control of all systems as well as access to Personal Data.

Personnel are screened prior to hire and trained (and tested) through a formal security awareness program upon hire and annually.

Secure Networks and Systems

Service Provider has installed and maintains a firewall configuration to protect Personal Data that controls all traffic allowed between Service Provider's (internal) network and untrusted (external) networks, as well as traffic into and out of more sensitive areas within its internal network. This includes current documentation, change control and regular reviews.

Service Provider does not use vendor-supplied defaults for system passwords and other security parameters on any systems and has developed configuration standards for all system components consistent with industry-accepted system hardening standards.

Protection of Personal Data

Service Provider keeps Personal Data storage to a minimum and implements data retention and disposal policies to limit data storage to that which is necessary, in accordance with the needs of its customers.

Service Provider uses strong encryption and hashing for Personal Data anywhere it is stored. Service Provider has documented and implemented all necessary procedures to protect (cryptographic) keys used to secure stored Personal Data against disclosure and misuse. All transmission of Personal Data across open, public networks is encrypted using strong cryptography and security protocols.

Vulnerability Management Program

Service Provider protects all systems against malware and regularly updates anti-virus software or programs to protect against malware – including viruses, worms, and Trojans. Anti-virus software is used on all systems commonly affected by malware to protect such systems from current and evolving malicious software threats.

Service Provider develops and maintains secure systems and applications by:

  • Establishing and maintaining a process to identify and fix (e.g. through patching) security vulnerabilities, which ensures that all system components and software are protected from known vulnerabilities,
  • Developing internal and external software applications, including web applications, securely using a secure software development process based on best practices, such as code reviews and OWASP secure coding practices, that incorporates information security throughout the software development lifecycle,
  • Implementing a stringent change management process and procedures for all changes to system components that include strict separation of development and test environments from production environments and prevent the use of production data for testing or development.

Implementation of Strong Access Control Measures

"Service Provider Network" means the Service Provider's data center facilities, servers, networking equipment, and host software systems (e.g. virtual firewalls) as employed by the Service Provider to process or store Personal Data.

The Service Provider Network will be accessible to employees, contractors and any other person as necessary to provide the services to the Company. Service Provider will maintain access controls and policies to manage what access is allowed to the Service Provider Network from each network connection and user, including the use of firewalls or functionally equivalent technology and authentication controls. Service Provider will maintain corrective action and incident response plans to respond to potential security threats.

Service Provider strictly restricts access to Personal Data by business need to know to ensure that critical data can only be accessed by authorized personnel. This is achieved by:

  • Limiting access to system components and Personal Data to only those individuals whose job requires such access and
  • Establishing and maintaining an access control system for system components that restricts access based on a user's need to know, with a default "deny-all" setting.

Service Provider identifies and authenticates access to all system components by assigning a unique identification to each person with access. This ensures that each individual is uniquely accountable for their actions and that any actions taken on critical data and systems can be traced to known and authorized users and processes. Necessary processes to ensure proper user identification management, including control of addition/deletion/modification/revocation/disabling of IDs and/or credentials as well as lock-out of users after repeated failed access attempts and timely termination of idle sessions, have been implemented.

User authentication utilizes at least passwords that have to meet complexity rules, which need to be changed on a regular basis and which are cryptographically secured during transmission and storage on all system components. All individual non-console and administrative access and all remote access use multi-factor authentication.

Authentication policies and procedures are communicated to all users, and group, shared or generic IDs/passwords are strictly prohibited.

Restriction of Physical Access to Personal Data

Any physical access to data or systems that house Personal Data is appropriately restricted using entry controls and procedures to distinguish between onsite personnel and visitors. Access to sensitive areas is controlled and includes processes for authorization based on job function and access revocation for personnel and visitors.

Media and backups are secured and (internal and external) distribution is strictly controlled. Media containing Personal Data no longer needed for business or legal reasons is rendered unrecoverable or physically destroyed.

Regular Monitoring and Testing of Networks

All access to network resources and Personal Data is tracked and monitored using centralized logging mechanisms that allow thorough tracking, alerting, and analysis on a regular basis (at least daily) as well as when something does go wrong. All systems are provided with correct and consistent time, and audit trails are secured and protected, including file-integrity monitoring to prevent changes to existing log data and/or to generate alerts if such changes occur. Audit trails for critical systems are kept for a year.

Security of systems and processes is regularly tested, at least yearly. This is to ensure that security controls for system components, processes and custom software continue to reflect a changing environment. Security testing includes:

  • Processes to test for rogue wireless access points,
  • Internal and external network vulnerability tests that are carried out at least quarterly. An external, qualified party carries out the external network vulnerability tests.
  • External and internal penetration tests using Service Provider's penetration test methodology, which is based on industry-accepted penetration testing approaches, covers all relevant systems and includes application-layer as well as network-layer tests.

All test results are kept on record and any findings are remediated in a timely manner.

Service Provider does not allow penetration tests carried out by or on behalf of its customers.

In daily operations, an IDS (intrusion detection system) is used to detect and alert on intrusions into the network, and file-integrity monitoring has been deployed to alert personnel to unauthorized modification of critical systems.

Incident Management

Service Provider has implemented and maintains an incident response plan and is prepared to respond immediately to a system breach. Incident management includes:

  • Definition of roles, responsibilities, and communication and contact strategies in the event of a compromise, including notification of customers,
  • Specific incident response procedures,
  • Analysis of legal requirements for reporting compromises,
  • Coverage of all critical system components,
  • Regular review and testing of the plan,
  • Incident management personnel that are available 24/7,
  • Training of staff,
  • Inclusion of alerts from all security monitoring systems,
  • Modification and evolution of the plan according to lessons learned and to incorporate industry developments.

Service Provider has also implemented a business continuity process (BCP) and a disaster recovery process (DRP) that are maintained and regularly tested. Data backup processes have been implemented and are tested regularly.

Physical Security.

Physical Access Controls. Physical components of the Service Provider Network are housed in nondescript facilities ("Facilities"). Physical barrier controls are used to prevent unauthorized entrance to Facilities both at the perimeter and at building access points. Passage through the physical barriers at the Facilities requires either electronic access control validation (e.g., card access systems, etc.) or validation by human security personnel (e.g., contract or in-house security guard service, receptionist, etc.). Employees and contractors are assigned photo-ID badges that must be worn while the employees and contractors are at any of the Facilities. Visitors are required to sign in with designated personnel, must show appropriate identification, are assigned a visitor ID badge that must be worn while the visitor is at any of the Facilities, and are continually escorted by authorized employees or contractors while visiting the Facilities.

Limited Employee and Contractor Access. Service Provider provides access to the Facilities to those employees and contractors who have a legitimate business need for such access privileges. When an employee or contractor no longer has a business need for the access privileges assigned to him/her, the access privileges are promptly revoked, even if the employee or contractor continues to be an employee of Service Provider or its affiliates.

Physical Security Protections. All access points (other than main entry doors) are maintained in a secured (locked) state. Access points to the Facilities are monitored by video surveillance cameras designed to record all individuals accessing the Facilities. Service Provider also maintains electronic intrusion detection systems designed to detect unauthorized access to the Facilities, including monitoring points of vulnerability (e.g., primary entry doors, emergency egress doors, etc.) with door contacts, or other devices designed to detect individuals attempting to gain access to the Facilities. All physical access to the Facilities by employees and contractors is logged and routinely audited.

Continued Evaluation. Service Provider will conduct periodic reviews of the security of its Service Provider Network and the adequacy of its information security program as measured against industry security standards and its policies and procedures. Service Provider will continually evaluate the security of its Service Provider Network to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.

Annex C – CROSS BORDER TRANSFERS

PART 1 – EEA Transfers

  1. The parties agree that the terms of the Standard Contractual Clauses are hereby incorporated by reference and shall apply to an EEA Transfer.
  2. Module Two (Controller to Processor) of the Standard Contractual Clauses shall apply where the EEA Transfer is effectuated by Customer as the data controller of the Personal Data and Service Provider is the data processor of the Personal Data.
  3. Module Three (Processor to Processor) of the Standard Contractual Clauses shall apply where the EEA Transfer is effectuated by Customer as the data processor of the Personal Data and Service Provider is a Sub-processor of the Personal Data.
  4. Clause 7 of the Standard Contractual Clauses (Docking Clause) shall not apply.
  5. Option 2: GENERAL WRITTEN AUTHORISATION in Clause 9 of the Standard Contractual Clauses shall apply, and the method for appointing and time period for prior notice of Sub-processor changes shall be as set forth in Section 10.2 of the DPA.
  6. In Clause 11 of the Standard Contractual Clauses, the optional language will not apply.
  7. In Clause 17 of the Standard Contractual Clauses, Option 1 shall apply, and the Parties agree that the Standard Contractual Clauses shall be governed by the laws of the Republic of Ireland.
  8. In Clause 18(b) of the Standard Contractual Clauses, disputes will be resolved before the courts of the Republic of Ireland.
  9. Annex I.A of the Standard Contractual Clauses shall be completed as follows: Data Exporter: Customer. Contact details: As detailed in the Terms. Data Exporter Role: Module Two: The Data Exporter is a data controller. Module Three: The Data Exporter is a data processor. Signature and Date: By entering into the Terms and DPA, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Terms. Data Importer: Service Provider. Contact details: As detailed in the Terms. Data Importer Role: Module Two: The Data Importer is a data processor. Module Three: The Data Importer is a sub-processor. Signature and Date: By entering into the Terms and DPA, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
  10. Annex I.B of the Standard Contractual Clauses shall be completed as follows: The categories of data subjects are described in Annex A (Details of Processing) of this DPA. The categories of personal data are described in Annex A (Details of Processing) of this DPA. The Parties do not intend for Sensitive Data to be transferred. The frequency of the transfer is a continuous basis for the duration of the Terms. The nature of the processing is described in Annex A (Details of Processing) of this DPA. The purpose of the processing is described in Annex A (Details of Processing) of this DPA. The period for which the personal data will be retained is for the duration of the Terms, unless agreed otherwise in the Terms and/or the DPA.
  11. Annex I.C of the Standard Contractual Clauses shall be completed as follows: The competent supervisory authority in accordance with Clause 13 is the supervisory authority in the Member State stipulated in Section 7 above.
  12. The Security Measures in Appendix A serve as Annex II of the Standard Contractual Clauses.
  13. To the extent there is any conflict between the Standard Contractual Clauses and any other terms in this DPA or the Terms, the provisions of the Standard Contractual Clauses will prevail.

PART 2 – UK Transfers

1. This Part 2 is effective from the same date as the Standard Contractual Clauses.

Background:

2. This Part 2 is intended to provide appropriate safeguards for the purposes of transfers of Personal Data to a third country or an international organisation in reliance on Article 46 of the UK GDPR, with respect to data transfers from controllers to processors and/or from processors to processors.

Interpretation:

3. Where this Part 2 uses terms that are defined in the Standard Contractual Clauses, those terms shall have the same meaning as in the Standard Contractual Clauses. In addition, the following terms have the following meanings:

  "UK Data Protection Laws" means all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
  "UK GDPR" means the United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
  "UK" means the United Kingdom of Great Britain and Northern Ireland.

4. This Part 2 shall be read and interpreted in the light of the provisions of UK Data Protection Laws, and so that it fulfils the intention for it to provide the appropriate safeguards as required by Article 46 of the UK GDPR.

5. This Part 2 shall not be interpreted in a way that conflicts with rights and obligations provided for in UK Data Protection Laws. 

6. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, reenacted and/or replaced after this DPA has been entered into.

7. In the event of a conflict or inconsistency between this Part 2 and the provisions of the Standard Contractual Clauses or other related agreements between the Parties, existing at the time the DPA is agreed or entered into thereafter, the provisions which provide the most protection to data subjects shall prevail.

8. This Part 2 incorporates the Standard Contractual Clauses, which are deemed to be amended to the extent necessary so that they operate:

  • for transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that transfer; and
  • to provide appropriate safeguards for the transfers in accordance with Article 46 of the UK GDPR.

9. The amendments required by Section 8 above include (without limitation):

  • references to the "Clauses" mean this Part 2 as it incorporates the Standard Contractual Clauses;
  • Clause 6 (Description of the transfer(s)) is replaced with: "The details of the transfer(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred are those specified in Appendix B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.";
  • references to "Regulation (EU) 2016/679" or "that Regulation" are replaced by "UK Data Protection Laws", and references to specific Article(s) of "Regulation (EU) 2016/679" are replaced with the equivalent Article or Section of UK Data Protection Laws;
  • references to Regulation (EU) 2018/1725 are removed;
  • references to the "Union", "EU" and "EU Member State" are all replaced with the "UK";
  • Clause 13(a) and Part C of Annex I are not used; the "competent supervisory authority" is the Information Commissioner;
  • Clause 17 is replaced to state: "These Clauses are governed by the laws of England and Wales.";
  • Clause 18 is replaced to state: "Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts."; and
  • the footnotes to the Clauses do not form part of this Part 2.

10. The Parties may agree to change Clause 17 and/or Clause 18 to refer to the laws and/or courts of Scotland or Northern Ireland.

11. The Parties may amend this Part 2 provided it maintains the appropriate safeguards required by Article 46 of the UK GDPR for the relevant transfer, by incorporating the Standard Contractual Clauses and making changes to them in accordance with Section 8 above.

12. The Parties may give force to this Part 2 (incorporating the Standard Contractual Clauses) in any way that makes it legally binding on the Parties and allows data subjects to enforce their rights as set out in the Standard Contractual Clauses.

PART 3 – Additional Safeguards 

In the event of an EEA Transfer or a UK Transfer, the Parties agree to supplement the Standard Contractual Clauses with the following safeguards and representations, where appropriate:

  1. The Processor shall have in place and maintain in accordance with good industry practice measures to protect the Personal Data from interception (including in transit from the Controller to the Processor and between different systems and services). This includes having in place and maintaining network protection intended to deny attackers the ability to intercept data and encryption of Personal Data whilst in transit and at rest intended to deny attackers the ability to read data.
  2. The Processor will make commercially reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to the Personal Data protected under the GDPR or the UK GDPR, including under section 702 of the United States Foreign Intelligence Surveillance Act ("FISA");
  3. If the Processor becomes aware that any government authority (including law enforcement) wishes to obtain access to or a copy of some or all of the Personal Data, whether on a voluntary or a mandatory basis, then, unless legally prohibited or under a mandatory legal compulsion that requires otherwise:
  • the Processor shall inform the relevant government authority that the Processor is a processor of the Personal Data, that the Controller has not authorized the Processor to disclose the Personal Data to the government authority, and that any and all requests or demands for access to the Personal Data should therefore be notified to or served upon the Controller in writing;
  • the Processor will use commercially reasonable legal mechanisms to challenge any such demand for access to Personal Data which is under the Processor’s control. Notwithstanding the above, (a) the Controller acknowledges that such a challenge may not always be reasonable or possible in light of the nature, scope, context and purposes of the intended government authority access, and (b) if, taking into account the nature, scope, context and purposes of the intended government authority access to Personal Data, the Processor has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, the obligation in this paragraph to challenge the demand shall not apply. In such event, the Processor shall notify the Controller as soon as possible following the access by the government authority, and provide the Controller with relevant details of the same, unless and to the extent legally prohibited from doing so.

  4. Once in every 12-month period, at the Controller’s written request, the Processor will inform the Controller of the types of binding legal demands for Personal Data it has received (solely to the extent any such demands have been received), including national security orders and directives, which shall encompass any process issued under section 702 of FISA.