This Data Processing Addendum (“DPA“) forms part of, and is subject to, the terms and conditions of the Master Subscription Agreement/Terms of Subscription between the FourKites Group entity specified in the Order Form (“FourKites”), and the company identified in the Order Form (“Company“) for subscriptions for the use of FourKites’ Platform and related services (collectively, the “Agreement“) to reflect the parties’ agreement with regard to the processing of Personal Data.  All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.

The DPA is effective as of the effective date of the Agreement.

Company enters into this DPA on behalf of itself and, to the extent required under applicable Privacy Laws, in the name and on behalf of its Affiliates permitted to use the Platform and the related services pursuant to the Agreement between Company and FourKites and provided that such Affiliates have not signed their own separate agreement with FourKites. For the purposes of this DPA only, and except where indicated otherwise, the term “Company” shall include Company and such Affiliates.

FourKites may amend this DPA as may be necessary, for example, to comply with changes in applicable laws and/or to reflect changes to the Platform. FourKites shall notify Company electronically of any updates to this DPA. Company’s continued access or use of the Platform thereafter shall constitute acceptance of, and consideration for, such amendments.

In the course of providing the Services to Company pursuant to the Agreement, FourKites may process Company Personal Data and thus the parties agree to comply with the following provisions with respect to any Company Personal Data.

1. Definitions.

a. “Affiliate” means any entity under the control of a party where “control” means ownership of or right to control greater than 50% of the voting securities of such entity.

b. “Aggregate Data” means information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device.

c. “Europe” means for the purposes of this DPA, the European Economic Area (which comprises the member states of the European Union, Norway, Iceland and Liechtenstein) (“EEA”), Switzerland and the United Kingdom.

d. “Company Personal Data” means any Personal Data contained in Company Data that is processed by FourKites on behalf of Company in connection with the provision of the Services to Company, as more particularly described in Schedule A to this DPA. For clarity with respect to Company Personal Data from Europe, Latin America, and any other jurisdictions whose Privacy Laws recognise the concept of a data processor, that means any Personal Data that is processed by FourKites, as a processor, on behalf of Company.

e. “controller” has the meaning given to it in the applicable Privacy Law or if such term is not defined in the relevant Privacy Laws, it means the entity which determines the purposes and means of the processing of Personal Data.

f. “data subject” has the meaning given to it in the relevant Privacy Laws or, where there is no meaning, means in any case the individual natural person to whom the Personal Data relates in that case.

g. “Group” means any and all Affiliates that are part of an entity’s corporate group.

h. “Latin America” means for the purposes of this DPA, countries from Central and South America with privacy laws that recognize the concept of a data processor, including without limitation Argentina, Brazil, Chile, Colombia, Mexico, Panama, Peru and Uruguay.

i. “Personal Data” means any “personal information” or “personal data” as that term is defined in applicable Privacy Laws which is processed in connection with the provision of the Services.

j. “Privacy Laws” means all laws relating to privacy and applicable to the processing of Company Personal Data that may exist in any relevant jurisdiction, including the following, without limitation and as amended or replaced from time to time: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); (iv) the UK General Data Protection Regulation (“UK GDPR”) and Data Protection Act 2018, and (v) the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act (“CCPA”).

k. “Data Privacy Framework” means the EU-U.S. Data Privacy Framework, and UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework self-certification program operated by the U.S. Department of Commerce; as may be amended, superseded or replaced from time to time.

l. “Data Privacy Framework Principles” or “DPF Principles” means Data Privacy Framework Principles, including the Supplemental Principles and Annex I of the Principles (i.e., an annex providing the terms under which Data Privacy Framework organizations are obligated to arbitrate certain residual claims as to personal data covered by the principles), as may be amended, superseded or replaced.

m. “processing” or “process” has the meaning given to it in the relevant Privacy Laws or if such term is not defined in the relevant Privacy Laws it shall mean  any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, accessing, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

n. “processor” has the meaning given to it in the applicable Privacy Law or such equivalent term under applicable Privacy Law such as “data intermediary” and “service provider” or if such term is not defined in the relevant Privacy Laws, it means the entity which processes Personal Data on behalf of the controller.

o. “Restricted Transfer” means: (i) where the GDPR applies, a transfer of personal data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not subject based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (iii) where the Swiss FADP applies, a transfer of personal data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.

p. “Security Incident” means:

i. a confirmed accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Company Personal Data transmitted, stored or otherwise processed by FourKites in connection with the provision of the Services. This does not include unsuccessful attempts or activities that do not compromise the security of Company Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of Services attacks, and other network attacks on firewalls or networked systems or an incident that is caused by Company or Company’s Authorized Users; and

ii. with respect to Company Personal Data from Australia or New Zealand, any breach which is an eligible data breach for the purposes of the Privacy Laws in Australia or New Zealand.

q. “Services” means, for purposes of this DPA, the Platform features and related services provided by FourKites to Company pursuant to and as more particularly described in the Agreement.

r. “Standard Contractual Clauses” or “EU SCCs” means where the GDPR applies, the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

s. “Sub-processor” means any third party engaged by FourKites or its Affiliates that processes Company Personal Data to assist in fulfilling FourKites’ obligations with respect to providing the Services pursuant to the Agreement or this DPA. Sub-processors may include third parties or members of the FourKites Group but shall exclude any FourKites employee or consultant.

2. Scope. This DPA applies where and only to the extent that FourKites processes Company Personal Data on behalf of the Company in the course of providing the Services to Company (and for clarity for Personal Data from Europe, Latin America, and any other jurisdictions whose Privacy Laws recognise the concept of a processor, where FourKites is a processor) and such Company Personal Data is subject to Privacy Laws.

3. Role of the Parties. Company and FourKites agree that FourKites is a Processor, or Sub-processor where applicable, and Company is the Controller. Any processing of Company Personal Data under the Agreement shall be performed in accordance with applicable Privacy Laws. However, FourKites is not responsible for compliance with any Privacy Laws applicable to Company or Company’s industry that is not generally applicable to FourKites in its provision of the Services.

4. Company Obligations. Company shall comply with its obligations under Privacy Laws with respect to the Company Personal Data, including,

a. Company’s instructions for the processing of Company Personal Data shall comply with Privacy Laws.

b. Company shall have sole responsibility for determining the types of Personal Data and categories of data subjects it provides to FourKites under the Agreement, ensuring the accuracy, quality, and legality of Company Personal Data.

c. Company shall ensure all Company Personal Data it provides to FourKites for use in connection with the Services shall be collected and transferred to FourKites in accordance with Privacy Laws. For the avoidance of doubt, it shall be Company’s responsibility to (i) ensure it provides a privacy notice to the data subjects, which shall comply with Privacy Laws including in particular any processing information requirements relating to the processing of the Company Personal Data by FourKites, (ii) ensure it obtains, where required, all necessary and appropriate consents from the data subjects for the processing of the Company Personal Data, and (iii) to ensure it has a legal basis for the processing of the Company Personal Data by FourKites.

5. FourKites Processing of Company Personal Data.

a. FourKites shall process Company Personal Data  only for the following purposes: (i) processing to provide the Services in accordance with the Agreement; (ii) processing to perform any steps necessary for the performance of the Agreement; (iii) processing initiated by end users in their use of the Platform or the Services; (iv) processing to comply with other reasonable instructions provided by Company (e.g. via email or support tickets) that are consistent with the terms of this DPA and the Agreement and only in accordance with Company’s documented lawful instructions; and (v) anonymizing data, resulting in Aggregate Data, in accordance with the instruction included in the Agreement (individually and collectively, the “Purpose”). The parties agree that the Agreement (including this DPA and each Subscription Order Form and Statement of Work) set out the Company’s complete and final instructions to FourKites in relation to the processing of Company Personal Data and processing outside the scope of these instructions (if any) shall require prior written agreement between Company and FourKites. FourKites will notify Company immediately if, in FourKites’ opinion, an instruction for the processing of Company Personal Data given by Company infringes applicable Privacy Laws.

b. FourKites will not sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate Company Personal Data to any third party for monetary or other valuable consideration.

6. Details of Data Processing. The subject matter of the processing of Company Personal Data by FourKites is the Purpose. Unless otherwise agreed in writing between the parties, with respect to the Company Personal Data, the duration of processing, the nature and purpose of the processing, the types of Personal Data and the categories of data subjects processed under the Agreement are further specified in Schedule A to this DPA.

7. Sub-processing.

a. Authorized Sub-processors. Company agrees that FourKites may engage Sub-processors to process Company Personal Data on Company’s behalf for purposes of providing the Services. The Sub-processors currently engaged by FourKites and authorized by the Company are set forth in FourKites’ Sub-Processor List available in the Platform in the User Account. FourKites shall notify Company via the Platform or Sub-processor Portal if it adds or replaces Sub-processors at least 10 days prior to authorizing any new Subprocessor to process Company Personal Data.

b. Objection to Sub-processors. If granted by applicable Privacy Laws, Company reserves the right to object in writing to FourKites’ appointment of a new Sub-processor on reasonable grounds relating to data protection by notifying FourKites promptly in writing within five (5) calendar days of receipt of FourKites notice in accordance with (a) above. Such notice shall explain the reasonable grounds for the objection.  In such event, the parties shall discuss such concerns in good faith with a view to achieving commercially reasonable resolution.  If no such resolution can be reached, FourKites will, at its sole discretion, either not appoint Sub-processor, or permit Company to suspend or terminate the affected Services in accordance with the termination provisions in the Agreement without liability to either party (but without prejudice to any fees incurred by Company prior to suspension or termination). If no objection has been raised by within the applicable notice period, FourKites will deem Company to have authorized the new Sub-processor or updated Sub-processor, as applicable.

c. Sub-processor obligations. FourKites shall: (i) enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Company Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by such Sub-processor; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause FourKites to breach any of its obligations under this DPA.

8. Security. 

a. Security Measures. FourKites will implement and maintain appropriate and reasonable technical and organisational measures to protect Company Personal Data against Security Incidents and to preserve the security and confidentiality of Company Personal Data in accordance with the FourKites security standards described in https://www.fourkites.com/legal/fourkites-technical-and-organizational-security-measures/ (“Security Measures“).  

b. Updates to Security Measures. Company acknowledges that the Security Measures are subject to technical progress and development and that FourKites may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service provided to Company.

c. Confidentiality of Processing. FourKites shall ensure that any person that it authorises to process Company Personal Data (including FourKites’ staff, agency and Sub-processors) shall be subject to a duty of confidentiality (whether a contractual duty or a statutory duty) and shall not permit any person to process Company Personal Data who is not under such a duty of confidentiality.

d. Company Responsibilities. Notwithstanding the above, Company agrees that except as provided by this DPA, Company is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Company Personal Data when in transit to and from the Services (as applicable) and taking any appropriate steps to securely encrypt or backup any Company Personal Data processed in connection with the Services.

9. Rights of Data Subjects and Cooperation.

a. Data Subject Requests and DPIAs.

i. FourKites shall (at Company’s expense), taking into account the nature of the processing and to the extent required by Privacy Laws, take all reasonable steps to assist Company in meeting Company’s obligations under applicable Privacy Laws, including Company’s obligations to:

i. respond to requests by data subjects to exercise their rights with respect to Company Personal Data;

ii. investigate and remediate Security Incidents involving Company Personal Data;

iii. notify affected individuals in relation to Security Incidents where required by Privacy Laws;

iv. conduct data protection impact assessments where required by Privacy Laws; and

v. consult with supervisory authorities to the extent that such obligations relate to the processing of Company Personal Data under the Agreement.

ii. FourKites will promptly inform Company in writing if it receives: (i) a request from a data subject concerning the processing of Company Personal Data; or (ii) a complaint, communication, or request relating to Company’s obligations under Privacy Laws. FourKites shall not respond to such request, complaint or communication directly (except to direct the data subject to contact the Company) without Company’s prior authorization, unless legally compelled to do so.

b. Return and Deletion of Personal Data. FourKites shall not retain or process Company Personal Data for longer than necessary to carry out the Purpose unless otherwise instructed by Customer. Upon termination of the Services, FourKites will securely destroy all Company Personal Data (including copies) in its possession or control within 90 days of termination. This requirement shall not apply to the extent FourKites is required or permitted by applicable law to retain some or all of the Company Personal Data or to Company Personal Data it has archived on back-up systems, which Company Personal Data FourKites shall securely isolate and protect from any further processing and eventually delete or anonymize in accordance with FourKites’ deletion policies, except to the extent required or permitted by applicable law.

10. Data Transfers. 

a. Location of Processing. Company Personal Data that FourKites processes under the Agreement may be processed in any country in which FourKites, its Affiliates and authorized Sub-processors maintain facilities to perform the Services.  With respect to Company Personal Data collected within Europe or Latin America, FourKites shall not transfer (directly or via onward transfer) or otherwise process Company Personal Data outside of the country where it was collected unless it first takes such measures as are necessary to ensure the transfer is in compliance with applicable Privacy Laws, and the DPF Principles where applicable.

b. Europe. This Section 10(b) shall only apply if FourKites, Inc. is the contracting party in the Agreement with the Company; otherwise, this is not applicable. The parties agree that when the transfer of Company Personal Data from Company (as “data exporter”) directly to FourKites, Inc. (as “data importer”) is a Restricted Transfer and Privacy Laws require that appropriate safeguards are put in place, such transfer shall be subject to E.U.-U.S. Data Privacy Framework. In case the DPF is invalidated or not applicable, the Standard Contractual Clauses shall be deemed incorporated by reference and form an integral part of this DPA as set out in Schedule B to this DPA.

c. Data Privacy Framework. FourKites, Inc is self-certified to the E.U.–U.S. Data Privacy Framework. FourKites shall process Company Personal Data in compliance with the DPF Principles and notify Company if it makes a determination that it can no longer meet its obligations to provide the level of protection as is required by the DPF Principles

d. Latin America. To the extent Company shall transfer to FourKites Company Personal Data protected by Privacy Laws applicable to countries in Latin America, Company represents that it has given all necessary notices, and obtained all necessary consents, including as set forth in section 4.c. above, and undertaken such other compliance steps, each in accordance with applicable Privacy Laws to transfer the Company Personal Data to FourKites, and to enable the collection, use, disclosure, overseas transfer and other processing of the Company Personal Data by FourKites and its permitted Sub-processors and other transferees, as described or anticipated in this DPA.  For international transfers of Company Personal Data, FourKites shall also follow the standard provisions of the applicable law, and any instructions to be specified, updated, amended, replaced or superseded from time to time by the applicable regulatory authority, including, if applicable, any standard contractual models approved by the regulatory authority, which for Argentina and Brazil include the Standard Contractual Clauses as set forth in Section 10(b).  FourKites agrees to abide by and process Company Personal Data from these countries in accordance with such Standard Contractual Clauses.

e. Canada, Hong Kong, Japan, Malaysia, Singapore, Taiwan, Thailand, The Philippines, and Turkey. To the extent Company shall transfer to FourKites Company Personal Data protected by Privacy Laws applicable to Canada, Hong Kong, Japan, Malaysia, Singapore, Taiwan, Thailand, the Philippines or Turkey, Company confirms that it has given all necessary notices, and obtained all necessary consents, and undertaken such other compliance steps, each in accordance with applicable Privacy Laws to transfer the Company Personal Data to FourKites, and to enable the collection, use, disclosure, overseas transfer and other processing of the Company Personal Data by FourKites and its permitted Sub-processors and other transferees, as described or anticipated in this DPA.

f. Alternative transfer arrangements. If FourKites adopts an alternative data export mechanism (including any new version of or successor to the Standard Contractual Clauses or Privacy Framework adopted pursuant to applicable Privacy Laws) for the transfer of Company Personal Data not described in this DPA (“Alternative Transfer Mechanism”), the Alternative Transfer Mechanism shall apply instead of any applicable transfer mechanism described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with applicable Privacy Laws and extends to the territories to which Company Personal Data is transferred) and Company agrees to execute such other and further documents and take such other and further actions as may be reasonably necessary to give legal effect to such Alternative Transfer Mechanism.

g. Disclosures. Each party acknowledges that the other party may disclose this DPA (including where applicable, the Standard Contractual Clauses) and any relevant privacy provisions in the Agreement to the US Department of Commerce, the Federal Trade Commissions, a Canadian or European data protection authority, or any other US, Canadian, or European judicial regulatory body upon their request.

11. Security Audits.

a. Audit Rights.  FourKites shall make available to Company all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections by Company in order to assess compliance with this DPA. Company acknowledges and agrees that it shall exercise its audit rights under this DPA (including this Section 11 and where applicable, the Standard Contractual Clauses) by instructing FourKites to comply with the audit measures described in Sections 11(b) below.

b. Security Reports.  Company acknowledges that FourKites is regularly audited against SSAE 18 SOC II standards by independent third-party auditors and/or internal auditors respectively. Upon written request, FourKites shall supply (on a confidential basis) a summary copy of its most current audit report(s) (“Report”) to Company, so that Company can verify FourKites’ compliance with the audit standards against which it has been assessed and Part A of this DPA. If the Report does not, in Company’s reasonable judgement, provide sufficient information to confirm FourKites’ compliance with this DPA, then FourKites shall also provide written responses (on a confidential basis) to all reasonable requests for information made by Company, including responses to information security and audit questionnaires that are necessary to confirm FourKites’ compliance with this DPA, provided that Company shall not exercise this right more than once per calendar year.

12. Security Incident Response. In the event of a Security Incident, FourKites shall: (i) notify Company without undue delay; (ii) provide Company with timely information relating to the Security Incident as it becomes known or as is reasonably requested by Company; and (iii) promptly take all reasonable steps to contain, investigate, and mitigate the Security Incident. FourKites’ notification of or response to a Security Incident under this paragraph (Security Incident Response) will not be construed as an acknowledgment by FourKites of any fault or liability with respect to the Security Incident.  FourKites shall not make any data breach notification under this paragraph directly to the competent supervisory authority or data subject (except to direct the data subject to contact the Company) without Company’s prior authorization, unless legally compelled to do so.

13. Limitation of Liability.

a. Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA (including the Standard Contractual Clauses if applicable) whether in contract, tort (including negligence) or under any other theory of liability, shall be subject to the limitations and exclusions of liability in the Agreement, and any reference in provisions to the liability of a party means the aggregate liability of that party and all of its Affiliates under and in connection with the Agreement and this DPA together.

b. Except where applicable Privacy Laws require a Company Affiliate to exercise a right or seek any remedy under this DPA against FourKites directly by itself, the parties agree that (i) solely the Company that is the contracting party to the Agreement shall exercise any right or seek any remedy any Company Affiliate may have under this DPA on behalf of its Affiliates, and (ii) the Company that is the contracting party to the Agreement shall exercise any such rights under this DPA not separately for each Affiliate individually but in a combined manner for all of its Affiliates together.

14. Miscellaneous.

a. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect.  If there is any conflict or inconsistency between this DPA and the Agreement, the provisions of the following documents (in order of precedence) shall prevail: (a) for Company Personal Data from Europe, the Standard Contractual Clauses (where applicable); then (b) this DPA; and then (c) the main body of the Agreement.

b. This DPA shall be deemed a part of and incorporated into the Agreement so that references in the Agreement to “Agreement” shall be interpreted to include this DPA.

c. This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Privacy Laws.

Schedule A

Description of the Processing Activities / Description of the Transfer

Annex I of Standard Contractual Clauses

This schedule describes the processing of Personal Data by the parties in connection with the Services.  To the extent the Standard Contractual Clauses apply as described in section 10 of this DPA, the information in this schedule shall also be used to populate Annex I of the Standard Contractual Clauses.

Annex 1(A) List of Parties:

Data Exporter	Data Importer
Name: Company as defined in the Order Form	Name: FourKites entity as defined in the Order Form
Address: As identified in the Order Form	Address: As identified in the Order Form
Contact Person’s Name, position and contact details: As identified in Company’s Order Form	Contact Person’s Name, position and contact details:  Lisa Van Den Hoven, Privacy and Compliance Counsel [email protected]
Activities relevant to the transfer:  See Annex 1(B) below	Activities relevant to the transfer: See Annex 1(B) below
Role: Controller	Role: Processor

Annex 1(B) Description of Processing / Transfer:

Categories of Data Subjects	Company may submit Personal Data to FourKites, the extent of which is determined and controlled by the Company in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects: Company personnel including employees; Personnel of Company’s customers, prospective customers, and business partners; Personnel of Company’s vendors and contractors, including drivers transporting Company’s loads; and Any individual users authorized by Company to use the Services.
Categories of Personal Data	Company may submit Personal Data to FourKites, the extent of which is determined and controlled by Company in its sole discretion, and which may include, but is not limited to, Identification Data: name, email address, telephone number, mobile telephone number, or any other identifier by which a user may be contacted online or offline; Location Data: GPS; and Profession and Job: work title, department information, role, and other information related to a user’s work or employer. In addition, Company may submit the following categories of Personal Data to Dynamic Yard: Driver information: driver’s license and truck license plate.
Sensitive data (if appropriate)	FourKites does not intentionally collect or process special category data.
Frequency of the transfer (one-off or continuous):	Continuous
Nature and subject matter of the processing:	Performance of the Services pursuant to the Agreement, and as further instructed by Company in its use of the Services.
Purposes of the transfer and further processing	The transfer is made for the Purpose (as defined in the DPA).
Duration of processing:	The duration of the processing is the term of the Agreement plus the period from expiration of the Agreement until the return or deletion of the personal data by FourKites in accordance with the DPA.
Retention period (or, if not possible to determine, the criteria used to determine that period):	The duration of the Agreement plus the period from the expiry of the Agreement until deletion of the Company Personal Data in accordance with Section 9(b) of the DPA.

 

Annex 1(C): Competent supervisory authority:

The competent supervisory authority, in accordance with Clause 13 of the EU SCCs, must be (i) the supervisory authority applicable to the data exporter in its EEA country of establishment or, (ii) where the data exporter is not established in the EEA, the supervisory authority applicable in the EEA country where the data exporter’s EU representative has been appointed pursuant to Article 27(1) of the GDPR, or (iii) where the data exporter is not obliged to appoint a representative, the supervisory authority applicable to the EEA country where the data subjects relevant to the transfer are located.

Schedule B

Standard Contractual Clauses

In relation to the Standard Contractual Clauses, the parties agree as follows:

(a) In relation to transfers of Company Personal Data protected by the EU GDPR the EU SCCs shall apply, completed as follows: (i) Module Two (controller to processor) terms will apply; (ii) in Clause 7,  the optional docking clause will apply; (iii) in Clause 9, Option 2 will apply and the time period for prior notice of Sub-processor changes will be as set out in Section 7(a) of this DPA; (iv) in Clause 11, the optional language will not apply; (v) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Dutch law; (vi) in Clause 18(b), disputes shall be resolved before the courts of the Netherlands; (vii) Annex I of the EU SCCs shall be deemed completed with the information set out in Schedule A to this DPA; and (viii) subject to Section 8 of this DPA, Annex II of the EU SCCs shall be deemed completed with the information set out in the Security Measures.

(b) In relation to transfers of Company Personal Data protected by the UK GDPR, the EU SCCs shall apply as amended by Part 2 of the UK Addendum and Part 1 of the UK Addendum applies as follows: (i) in Table 1, the details of the parties are set out in Schedule A to this DPA; (ii) in Table 2, the selected modules and clauses are set out in paragraph (a) above; (iii) in Table 3, the appendix information is set out in Schedule A to this DPA, and (iv) in Table 4, “Importer” and “Exporter” are selected.  The term “UK Addendum” means the UK Addendum to the EU Commission Standard Contractual Clauses issued by the Information Commissioner under section 119A(1) of the Data Protection Act 2018.

(c) In relation to transfers of Company Personal Data protected by the Swiss FADP, the EU SCCs shall also apply in accordance with paragraph (a) above, with the following modifications: (i) any references in the EU SCCs to “Directive 95/46/EC” or “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss FADP; (ii) references to “EU”, “Union”, “Member State” and “Member State law” shall be interpreted as references to Switzerland and Swiss law, as the case may be; (iii) references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the Swiss Federal Data Protection and Information Commissioner and competent courts in Switzerland; (iv) Clause 13(a) and Part C of Annex I are not used and the “competent supervisory authority” is the Swiss Federal Data Protection Commissioner; (v) in Clause 17, the Standard Contractual Clauses shall be governed by the laws of Switzerland; and (vi) Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland).

(d) It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provisions of the Agreement (including this DPA) the Standard Contractual Clauses shall prevail to the extent of such conflict.