Skip to content

ON THE FUZE

Data Processing Addendum

Version 1.0 | Addendum to the Principal Agreement

www.onthefuze.com

This Data Processing Addendum ("DPA") governs the use and protection of Personal Information by OTF while providing Services to the Client under a Principal Agreement.

This DPA is integral to the Services and forms part of any Principal Agreement concluded between OTF and the Client. The Client’s acceptance of OTF’s commercial terms constitutes acceptance of this DPA. In the event of any conflict between this DPA and the Principal Agreement, this DPA shall prevail with respect to the Processing of Personal Information.

1. Definitions

In this DPA, the following terms have the meanings set out below. Capitalised terms not defined here have the meanings given in the Terms or the applicable Data Protection Law.

"Data Protection Law" means all applicable laws and regulations relating to the processing of Personal Information, including (as applicable): the EU General Data Protection Regulation (GDPR, Regulation 2016/679); the UK GDPR; the California Consumer Privacy Act as amended by the CPRA (Cal. Civ. Code §1798.100 et seq.); Mexico’s Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP); applicable US federal and state privacy law; and any other applicable data protection or privacy statute in the jurisdictions where the Client operates or where Data Subjects are located.

"Personal Information" means any information relating to an identified or identifiable individual, including "personal data" as defined under the GDPR, "Personal Information" as defined under the CCPA/CPRA, and equivalent terms under other applicable Data Protection Law.

"Processing" (and "Process") means any operation or set of operations performed on Personal Information, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.

"Special Category Data" means Personal Information that receives heightened protection under applicable Data Protection Law, including (without limitation): racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify an individual, health or medical information, sexual orientation, and financial account details. Special Category Data does not include general business contact information.

"Sub-processor" means any third party engaged by OTF to Process Personal Information on behalf of the Client.

"Services" means the HubSpot administration, configuration, data hygiene, and related services provided by OTF to the Client as specified in the applicable Principal Agreement.

"Instruction" means the written, documented instruction issued by the Client as Controller or Processor to OTF as Processor or Sub-processor, directing OTF to perform a specific Processing action with regard to Personal Information.

"Data Breach" means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information transmitted, stored, or otherwise Processed by OTF or its Sub-processors.

"Data Subject" means the identified or identifiable individual to whom Personal Information relates.

"Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Information.

"Processor" means the natural or legal person, public authority, agency, or other body which Processes Personal Information on behalf of a Controller.

"Principal Agreement" means the written or electronic agreement between OTF and the Client for the provision of the Services, including (without limitation) any quote, order form, statement of work, or master services agreement, together with any applicable terms of service incorporated therein.

2. Scope and Roles

2.1 In the context of this DPA, OTF and the Client may operate in the following roles:

  • Controller to Processor: Where the Client acts as a Controller and OTF acts as a Processor. In this scenario, the Client determines the purposes and means of Processing Personal Information, and OTF Processes Personal Information solely on behalf of and under the documented instructions of the Client.

  • Processor to Sub-processor: Where the Client itself acts as a Processor on behalf of a third-party Controller (for example, the Client's own clients), and OTF acts as a Sub-processor of the Client. In this scenario, the Client warrants that its instructions to OTF, and its appointment of OTF as a Sub-processor, have been authorized by the relevant Controller.

2.2 Both scenarios fall within the scope of this DPA. References to OTF as 'Processor' shall be read as 'Sub-processor' where applicable, and references to 'Client as Controller' shall be read as 'Client as Processor' where applicable, and the obligations set out in this DPA shall apply accordingly.

2.3 The categories of Personal Information, categories of Data Subjects, and the nature and purpose of Processing are described in Annex 1 to this DPA.

2.4 OTF shall not Process Personal Information for any purpose other than as necessary to perform the OTF Services, unless required to do so by applicable law. If OTF becomes aware that an instruction from the Client infringes Data Protection Law, OTF shall promptly notify the Client.

3. Client Obligations

The Client, in its capacity as Controller (or as Processor, where applicable under Section 2.1), undertakes the following:

3.1 The Client assumes responsibility for the instructions given to OTF and warrants that it will always comply with its obligations under applicable Data Protection Law, including law regarding the disclosure and transfer of Personal Information to OTF and the Processing of Personal Information.

3.2 The Client warrants that all Personal Information provided to OTF has been collected lawfully, fairly, and in a transparent manner sufficient to enable OTF to Process it for the purposes set out in the Agreement and this DPA.

3.3 The Client shall have sole responsibility for the accuracy, quality, and legality of Personal Information and the means by which the Client acquired such Personal Information.

3.4 The Client shall inform OTF without undue delay if it becomes aware of any errors, irregularities, or potential infringements related to the Processing of Personal Information under this DPA.

3.5 Authorized Persons. The Client shall ensure that any persons giving Instructions to OTF and making decisions in relation to this DPA are duly authorized to do so by the Client, and that such Instructions are binding upon the Client. OTF shall be entitled to rely on any Instruction received from a person whom OTF reasonably believes to be authorized by the Client. The Client shall promptly notify OTF in writing if any person previously authorized to give Instructions is no longer authorized to do so.

3.6 Special Category Data Notification. The Client shall notify OTF in writing without delay if any Special Category Data is or will be stored in the Client’s HubSpot portal or otherwise shared with OTF in connection with the OTF Services. Upon such notification, the parties shall agree in writing on additional safeguards appropriate to the nature and sensitivity of that data before OTF commences or continues Processing. OTF shall not be liable for the consequences of Processing Special Category Data that the Client has stored without prior notification. Where applicable law (including GDPR Article 9) requires explicit consent from Data Subjects for the Processing of Special Category Data, the Client shall be solely responsible for obtaining, recording, and maintaining such consent.

3.7 The Client warrants that the Agreement and this DPA set out the Client's complete and final instructions to OTF in relation to the Processing of Personal Information. Any additional instructions outside the scope of the Agreement will require prior written agreement between the parties.

3.8 Client Indemnity. The Client shall indemnify and hold harmless OTF and its personnel (including the OTF delivery team) against any and all claims, liabilities, penalties, fines, costs, damages, and reasonable legal expenses arising directly or indirectly from: (a) the Client's failure to comply with applicable Data Protection Law in its role as Controller or Processor; (b) any Processing carried out by OTF in accordance with the Client's documented instructions that is subsequently found to infringe Data Protection Law; (c) the Client's failure to notify OTF of Special Category Data in accordance with Section 3.6; or (d) any breach by the Client of its obligations under this DPA. This indemnity is subject to OTF: (i) notifying the Client promptly of any relevant claim; (ii) giving the Client reasonable opportunity to defend or settle the claim; and (iii) not making any admission of liability without the Client's prior written consent.

4. OTF's Obligations as Processor

4.1 Documented Instructions OTF shall Process Personal Information only in accordance with the Client's documented instructions as set out in the Agreement, this DPA, or as otherwise agreed in writing. Where the CCPA applies, OTF shall not "sell" or "share" Personal Information (as those terms are defined under the CCPA/CPRA) and shall not Process Personal Information for purposes of cross-context behavioral advertising.

4.2 Confidentiality OTF shall ensure that all personnel authorized to Process Personal Information are bound by appropriate confidentiality obligations (whether contractual or statutory). This obligation supplements and does not replace the confidentiality provisions in Section 5 of the Terms. Confidentiality obligations survive the termination of any individual's engagement with OTF.

4.3 Special Category Data Handling OTF does not process Special Category Data as part of its standard services. This is OTF’s default position. OTF reserves the absolute right to refuse to Process any Special Category Data, at its sole discretion and without liability, regardless of whether the Client has provided prior notification under Section 3.6.

In the exceptional circumstance where OTF agrees in writing to Process Special Category Data for a specific, defined purpose, such agreement must be authorized in writing by a director, owner, or C-level officer of OTF and shall not be binding if made by a HubSpot Consultant or other non-leadership personnel. OTF shall: (a) Process such data only to the minimum extent strictly necessary for that agreed purpose; (b) apply enhanced access controls limiting exposure to authorized personnel with a documented need; (c) not store Special Category Data on local devices or unencrypted systems; and (d) require the Client to confirm in writing that all required consents or lawful bases under applicable Data Protection Law (including GDPR Article 9) are in place before Processing commences.

If OTF identifies or reasonably suspects that Special Category Data has been transmitted to OTF or is present in a Client’s HubSpot portal, OTF shall notify the Client and may immediately suspend Processing of that data without penalty, pending written agreement on whether and how to proceed. OTF shall not be liable for any consequences arising from such suspension.

4.4 Security Measures OTF shall implement and maintain appropriate technical and organizational measures to protect Personal Information against Data Breaches, taking into account the state of the art, costs of implementation, the nature, scope, context and purposes of Processing, and the risk to the rights and freedoms of Data Subjects. These measures are described in Annex 2 to this DPA.

4.5 Sub-processors

(a) The Client provides general written authorization for OTF to engage Sub-processors to assist in the provision of the OTF Services. The current list of Sub-processors is set out in Annex 3 to this DPA.

(b) OTF shall notify the Client in writing at least thirty (30) days before engaging any new Sub-processor or replacing an existing Sub-processor. If the Client objects to a new Sub-processor on reasonable grounds related to data protection, the Client shall notify OTF in writing within fifteen (15) days of receiving the notice. The parties shall discuss the objection in good faith. If no resolution is reached within thirty (30) days, the Client may terminate the affected OTF Services without penalty.

(c) OTF shall impose on each Sub-processor data protection obligations no less protective than those set out in this DPA. OTF remains liable for the acts and omissions of its Sub-processors.

4.6 Data Subject Requests OTF shall, taking into account the nature of the Processing, assist the Client by appropriate technical and organizational measures to fulfil the Client's obligation to respond to requests from individuals exercising their rights under applicable Data Protection Law. OTF shall promptly notify the Client if it receives a request directly from a Data Subject and shall not respond to such request except on the Client's documented instructions. The Client shall be solely responsible for responding to Data Subjects. The Client shall reimburse OTF for any reasonable costs arising from this assistance.

4.7 Assistance with Compliance OTF shall provide reasonable assistance to the Client in ensuring compliance with the Client's obligations under Data Protection Law regarding: (a) security of Processing; (b) notification of Data Breaches to regulators and Data Subjects; (c) privacy impact assessments; and (d) consultations with supervisory authorities — taking into account the nature of Processing and the information available to OTF.

 

5. Data Breach Notification

5.1 OTF shall notify the Client of any confirmed Data Breach without undue delay, and in any event within 72 hours of becoming aware of the breach, consistent with the GDPR's notification requirement and to allow the Client sufficient time to fulfil its own regulatory obligations.

5.2 The notification shall include, to the extent reasonably available: (a) a description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and Personal Information records concerned; (b) the likely consequences of the breach; (c) the measures taken or proposed to address the breach and mitigate its effects; and (d) the identity and contact details of OTF's designated contact for further information.

5.3 OTF shall cooperate with the Client and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each Data Breach.

5.4 OTF's notification of or response to a Data Breach shall not be construed as an acknowledgment of any fault or liability by OTF.

6. Cross-Border Disclosure of Personal Information

6.1 The Client acknowledges that OTF's delivery team includes personnel located in Colombia. Personal Information may be transferred to and Processed in OTF's country of domicile and Colombia in connection with the OTF Services.

6.2 OTF shall take reasonable steps to ensure that any overseas recipient of Personal Information is bound by data protection obligations no less protective than those set out in this DPA.

6.3 Where Personal Information originating from the European Economic Area (EEA), the United Kingdom, or Switzerland is transferred to a country that does not benefit from an adequacy decision, OTF shall ensure that an appropriate transfer mechanism is in place, such as the Standard Contractual Clauses (SCCs) adopted by the European Commission (Commission Implementing Decision (EU) 2021/914), which are incorporated by reference into this DPA as applicable. Details are set out in Annex 4.

6.4 For transfers of Personal Information from Mexico, OTF shall comply with the cross-border transfer requirements of the LFPDPPP, including ensuring that the recipient provides comparable levels of data protection.

6.5 OTF shall promptly inform the Client if, in OTF's opinion, a transfer instruction from the Client infringes applicable Data Protection Law regarding cross-border disclosure.

7. Audit Rights

7.1 OTF shall make available to the Client all information reasonably necessary to demonstrate compliance with this DPA and applicable Data Protection Law.

7.2 The Client (or its appointed third-party auditor, subject to reasonable confidentiality obligations) may conduct an audit of OTF's data processing activities no more than once per calendar year, with at least thirty (30) days' prior written notice. Audits shall be conducted during normal business hours and shall not unreasonably interfere with OTF's operations.

7.3 Where a Client-appointed auditor prepares an audit report, a draft shall be provided to OTF within a reasonable period before finalisation. OTF shall have the right to submit comments within a reasonable timeframe, which the auditor shall take into account. The final report shall be treated as Confidential Information under the Terms.

7.4 If an audit reveals a material deficiency in OTF's compliance with this DPA, OTF shall remediate the deficiency at its own cost within a reasonable timeframe agreed by the parties.

7.5 The Client shall bear the costs of any audit unless the audit reveals a material breach of this DPA by OTF, in which case OTF shall bear reasonable audit costs. Where responsibility for any deficiency is shared between the parties, costs shall be allocated proportionately.

8. Data Return and Deletion

8.1 Upon termination or expiration of the Agreement, or upon the Client's written request, OTF shall, at the Client's election: (a) return all Personal Information to the Client in a commonly used, machine-readable format; or (b) securely delete or destroy all Personal Information in its possession and in the possession of its Sub-processors.

8.2 OTF shall complete the return or deletion within thirty (30) days of the request or termination, and shall provide written certification of deletion upon the Client's request.

8.3 OTF may retain Personal Information to the extent required by applicable law, provided that OTF shall ensure the confidentiality of such information and shall Process it only for the purpose of complying with its legal obligations.

9. Liability

9.1 Client Liability. The Client shall be liable to OTF for, and shall indemnify OTF against, any and all action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees), or demand suffered or incurred by OTF arising directly or in connection with: (a) any non-compliance by the Client with applicable Data Protection Law; (b) any Processing carried out by OTF in accordance with the Client's documented instructions that infringes Data Protection Law; (c) the Client's failure to fulfil its obligations under this DPA (including its obligations regarding Special Category Data under Section 3.6); except to the extent that OTF is liable under Section 9.2 below.

9.2 OTF Liability. OTF shall be liable to the Client for any and all action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees), or demand suffered or incurred by the Client arising directly from OTF's Processing of Personal Information under this DPA: (a) only to the extent such liability results from OTF's breach of this DPA; and (b) not to the extent such liability is contributed to by any breach of this DPA by the Client.

9.3 Liability Cap. OTF's aggregate liability to the Client for all claims arising out of or related to this DPA, whether in contract, tort (including negligence), or otherwise, shall not exceed the total fees actually paid by the Client to OTF during the twelve (12) months immediately preceding the event giving rise to the claim. Where a claim arises from the acts or omissions of a Sub-processor, OTF's liability shall not exceed two (2) times the total fees paid by the Client in the preceding twelve (12) months.

9.4 Exclusions. Neither party shall be liable to the other for any indirect, incidental, special, exemplary, punitive, or consequential damages arising out of or related to this DPA, including loss of revenue, loss of data, or loss of goodwill, even if that party has been advised of the possibility of such damages. These exclusions shall not apply to the extent prohibited by applicable Data Protection Law (including GDPR Article 82) or in cases of fraud or wilful misconduct.

9.5 No Admission. OTF's notification of or response to a Data Breach shall not be construed as an acknowledgment of any fault or liability by OTF with respect to such breach.

10. CCPA / CPRA Supplemental Terms

This Section 10 applies only to the extent that the California Consumer Privacy Act (as amended by the CPRA) applies to OTF's Processing of Personal Information under the Agreement.

10.1 OTF is a "Service Provider" (as defined in Cal. Civ. Code §1798.140(ag)) with respect to Personal Information received from the Client.

10.2 OTF shall not sell or share Personal Information, retain, use, or disclose Personal Information for any purpose other than performing the OTF Services specified in the Agreement, or combine Personal Information received from the Client with Personal Information collected from other sources, except as expressly permitted by the CCPA.

10.3 OTF certifies that it understands and will comply with the restrictions in this Section 10 and the CCPA.

10.4 OTF shall cooperate with the Client in responding to verifiable consumer requests under the CCPA, including requests to know, delete, or correct Personal Information.

11. Term, Termination, and Survival

11.1 This DPA is effective from the date the Client accepts OTF’s commercial terms and shall remain in effect for as long as OTF Processes Personal Information on behalf of the Client under the Agreement.

11.2 Either party may terminate this DPA if the other party materially breaches its obligations under this DPA and fails to cure such breach within thirty (30) days of receiving written notice.

11.3 Sections 5 (Data Breach Notification), 7 (Audit Rights), 8 (Data Return and Deletion), 9 (Liability), and any provisions that by their nature should survive, shall survive termination of this DPA.

12. Assignment and Entity Transition

12.1 OTF may assign this DPA to a successor entity (including in connection with a change of domicile, restructure, merger, or acquisition) without the Client's prior consent, provided that the assignee assumes all obligations under this DPA and the Client is notified in writing within thirty (30) days of the assignment.

12.2 The Client may not assign this DPA without OTF's prior written consent, which shall not be unreasonably withheld.

13. General Provisions

13.1 Governing Law

This DPA shall be governed by and construed in accordance with the governing law specified in the Principal Agreement (as updated from time to time). Where Data Protection Law requires the application of the law of another jurisdiction (for example, the GDPR requiring EEA member state law for the Standard Contractual Clauses), that Data Protection Law applies to the extent of any conflict. The parties agree that this DPA shall be interpreted to reflect OTF’s current domicile as notified to the Client, without requiring a separate amendment to this DPA.

13.2 Order of Precedence

In the event of a conflict between this DPA and the Terms, this DPA shall prevail with respect to the Processing of Personal Information. In the event of a conflict between this DPA and mandatory provisions of Data Protection Law, the Data Protection Law shall prevail.

13.3 Amendments

OTF may update this DPA from time to time to reflect changes in Data Protection Law or OTF's processing practices. OTF shall provide the Client with at least thirty (30) days' written notice of any material changes. The Client's continued use of OTF Services after the notice period constitutes acceptance of the updated DPA. OTF may update the Annexes (including the Sub-processor list) in accordance with the procedures set out in this DPA.

13.4 Severability

If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

13.5 Entire DPA

This DPA, together with its Annexes, constitutes the entire agreement between the parties with respect to data processing and supersedes all prior representations and understandings relating thereto.

This DPA does not require a separate signature. The Client’s acceptance of OTF’s commercial terms constitutes acceptance of this DPA.

 

Annex 1 — Details of Processing

A. Categories of Data Subjects

  • Client's customers, prospects, and leads stored in HubSpot CRM

  • Client's employees and contractors whose information appears in HubSpot

  • Website visitors tracked by HubSpot tracking code

  • Email recipients in Client's HubSpot marketing and sales tools

B. Categories of Personal Information

  • Contact identifiers: names, email addresses, phone numbers, mailing addresses

  • Company and professional information: job titles, company names, industry

  • CRM data: deal information, lifecycle stages, lead scores, notes, activity logs

  • Behavioral data: website page views, email opens/clicks, form submissions

  • Communication data: email content, chat transcripts, call recordings (if enabled)

  • Any other Personal Information stored by the Client in their HubSpot portal

C. Special Category Data

OTF does not intentionally Process Special Category Data (as defined in Section 1 of this DPA). The Client shall not store Special Category Data in HubSpot or share it with OTF without first providing written notification to OTF and receiving written confirmation of additional safeguards, in accordance with Section 3.6 of this DPA. If OTF identifies or reasonably suspects that Special Category Data is present in a Client's HubSpot portal without prior notification, OTF will notify the Client and may suspend Processing of that data pending agreement on appropriate safeguards.

D. Nature and Purpose of Processing

OTF Processes Personal Information for the purpose of providing OTF Services as described in the applicable Principal Agreement, including:

  • CRM configuration, customisation, and optimisation

  • Data hygiene: deduplication, standardisation, validation, and cleanup of contact and company records

  • Workflow and automation setup, testing, and maintenance

  • Report building and dashboard configuration

  • Email template design and marketing automation configuration

  • Integration setup with third-party tools connected to HubSpot

  • Data migration and import/export operations as directed by the Client

E. Duration of Processing

Processing continues for the duration of the Agreement and for the data return/deletion period specified in Section 8 of this DPA.

Annex 2 — Technical and Organizational Security Measures

OTF maintains the following security measures. These may be updated from time to time to reflect industry best practices. Material reductions in security will be notified to the Client.

Access Controls — OTF Internal Systems

  • Individual credentials: each OTF team member uses unique login credentials to access OTF's internal systems, tools, and platforms

  • Shared account credentials are managed through a centralised password management system with access restricted to authorized personnel

  • Access to OTF internal systems is revoked promptly upon personnel offboarding

Access Controls — Client HubSpot Portals

OTF accesses Client HubSpot portals via HubSpot's Partner Access program. The Client grants OTF partner-level access through a designated shared OTF account:

  • The Client controls the level of access granted to OTF via HubSpot's Partner Access permissions and may modify or revoke access at any time

  • OTF recommends that Clients enable MFA for all partner access to their HubSpot portal

  • OTF uses its internal project management system (ClickUp) to assign, track, and document which team member performed specific tasks within each Client's portal

  • OTF shall, upon the Client's request, provide a list of personnel who have accessed the Client's portal in connection with assigned tasks

Data Handling

  • Personal Information is Processed within the HubSpot platform and authorized connected tools; bulk exports are performed only when necessary and with the Client's knowledge

  • Personal Information is not stored on local devices or personal storage beyond what is temporarily necessary for a specific task, and is deleted after task completion

  • All data transfers occur over encrypted connections (TLS 1.2+)

Personnel and Training

  • All OTF personnel with access to Personal Information are bound by written confidentiality obligations

  • OTF provides data protection awareness training to relevant personnel

Incident Response

  • OTF maintains an incident response process to detect, investigate, and respond to potential Data Breaches

  • All incidents are documented with root cause analysis and corrective actions

Platform Reliance

Personal Information may be transmitted or temporarily stored via the following platforms:

  • HubSpot: OTF's primary processing environment. Encryption at rest and in transit, SOC 2 Type II certified.

  • Google Workspace: Clients may send Personal Information via email or shared files. OTF shall delete Client Personal Information from Google Workspace once imported into HubSpot or no longer required.

  • ClickUp: Task descriptions may reference Client data. OTF shall not use ClickUp as a long-term repository for Personal Information.

Destruction and De-identification

Where OTF no longer needs Personal Information for any purpose permitted under this DPA and is not required by law to retain it, OTF shall take reasonable steps to destroy the information or ensure that it is de-identified.

Annex 3 — Authorized Sub-processors

The following Sub-processors are authorized as of the date of this DPA. OTF will update this list in accordance with Section 4.5.

Sub-processor Location Purpose Data Accessed
OTF Colombia Delivery Team Colombia HubSpot administration, configuration, data hygiene, and related technical delivery All categories described in Annex 1 as necessary for service delivery
ClickUp (Mango Technologies, Inc.) United States Project management and task tracking for service delivery Task descriptions may reference Client data issues; no bulk Personal Information stored

Note: HubSpot, Inc. is the Client's own data processor and is not a Sub-processor of OTF. The Client maintains its own agreement with HubSpot governing HubSpot's processing of data within the Client's portal.

Annex 4 — Standard Contractual Clauses (Reference)

This Annex applies only where the transfer of Personal Information from the EEA, UK, or Switzerland to OTF (or its Sub-processors) requires a transfer mechanism under applicable Data Protection Law.

The parties agree that the Standard Contractual Clauses adopted by the European Commission (Commission Implementing Decision (EU) 2021/914) shall apply, as follows:

  • Module Two (Controller to Processor) applies where the Client is established in the EEA and OTF acts as a Processor.

  • Module Three (Processor to Sub-processor) applies where the Client is itself a Processor (as described in Section 2.1 of this DPA) and OTF acts as a Sub-processor.

  • Clause 9(a) (Sub-processors): Option 2 (General written authorization) is selected, consistent with Section 4.5 of this DPA.

  • Clause 11 (Redress): The optional clause is not included.

  • Clause 17 (Governing law): The SCCs shall be governed by the law of the EU Member State in which the Client is established, defaulting to the Republic of Ireland if no specific member state applies.

  • Clause 18(b) (Forum): Disputes shall be resolved before the courts of the EU Member State in which the Client is established, defaulting to the Republic of Ireland.

For transfers from the United Kingdom, the International Data Transfer Addendum (UK Addendum B1.0) issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018 shall apply.

For transfers from Switzerland, the SCCs apply with modifications required by the Swiss Federal Data Protection Act (nDSG).

The full text of the SCCs is publicly available from the European Commission and is incorporated herein by reference. A completed copy specifying Client-specific details will be executed as a separate exhibit if required.