Data Processing Agreement

For any questions or to request your data to be deleted, email [email protected].

This DPA is entered into between Identity Square Limited T/A CookieChimp (“Processor”) and the Customer (“Controller”) and is incorporated into and governed by the terms of the Agreement.

1. Definitions

Any capitalized term not defined in this DPA shall have the meaning assigned to it in the Agreement.

  • “Affiliate”: Refers to any entity that directly or indirectly controls, is controlled by, or is under common control with a party. For this definition, "control" means direct or indirect ownership or control of more than 50% of the voting interests of a party.
  • “Agreement”: The agreement between the Controller and the Processor for the provision of the Services.
  • “CCPA”: The California Consumer Privacy Act of 2018, along with its regulations and any amendments made to it over time.
  • “Data Protection Law”: Encompasses all laws and regulations related to the processing of Personal Data, including those of the European Union, the EEA, their member states, the United Kingdom, and any subsequent amendments or replacements. This includes the EU GDPR, UK GDPR, UK Data Protection Act 2018, FDPA, CCPA, and other applicable national laws, along with the Privacy and Electronic Communications Directive (2002/58/EC) and the Privacy and Electronic Communications (EC Directive) Regulations 2003.
  • “Data Subject”: As defined under Data Protection Law, or a "Consumer" as defined by the CCPA.
  • “DPA”: This Data Processing Agreement, including Exhibits A, B, and C.
  • “EEA”: The European Economic Area.
  • “EU GDPR”: Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and the free movement of such data.
  • “FDPA”: The Swiss Federal Act on Data Protection of 19 June 1992 (SR 235.1), as amended over time.
  • “Personal Data”: As defined under Data Protection Law.
  • “Processor”: The Company, including any “Service Provider” as defined by the CCPA.
  • “Restricted Transfer”:
    (i) Where the EU GDPR applies, a transfer of Personal Data via the Services from the EEA, either directly or through onward transfer, to any country or recipient outside the EEA not subject to an adequacy determination by the European Commission.
    (ii) Where the UK GDPR applies, a transfer of Personal Data via the Services from the UK, either directly or through onward transfer, to any country or recipient outside the UK not based on adequacy regulations under Section 17A of the UK Data Protection Act 2018.
    (iii) A transfer of Personal Data via the Services from Switzerland, either directly or through onward transfer, to any country or recipient outside the EEA and/or Switzerland not subject to an adequacy determination by the European Commission.
  • “Services”: All services, software applications, and solutions provided by the Processor to the Controller as described in the Agreement.
  • “Security Policy”: The Processor’s security document, updated periodically, as outlined in Exhibit B of this DPA.
  • “SCCs”:
    (i) Where the EU GDPR applies, the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914, accessible at EU SCCs.
    (ii) Where the UK GDPR applies, standard data protection clauses adopted under Article 46(2)(c), as detailed in Exhibit C of this DPA (“UK SCCs”).
    (iii) Where Personal Data is transferred from Switzerland outside of Switzerland or the EEA, the EU SCCs as amended in accordance with Swiss Data Protection Authority guidance (“Swiss SCCs”).
  • “Sub-Processor”: Any third party, including the Processor’s Affiliates, engaged directly or indirectly by the Processor to process Personal Data under this DPA in providing Services to the Controller.
  • “Supervisory Authority”: A governmental or regulatory body with binding legal authority over a party.
  • “UK GDPR”: The EU GDPR as incorporated into UK law by Section 3 of the European Union (Withdrawal) Act 2018.

2. Purpose

The Processor agrees to deliver the Services to the Controller as outlined in the terms of the Agreement. In the course of providing these Services, the Processor will process Customer Data on behalf of the Controller. Customer Data may include Personal Data. The Processor commits to processing and protecting such Personal Data in compliance with the terms specified in this DPA.

3. Scope

In delivering the Services to the Controller under the terms of the Agreement, the Processor shall process Personal Data only as necessary to provide the Services in compliance with the Agreement, this DPA, and the Controller’s documented instructions as outlined and updated from time to time.

Both the Controller and the Processor shall ensure that any individual acting under their authority who has access to Personal Data only processes it in accordance with the Controller’s instructions unless required to do so by applicable Data Protection Law.

4. Processor Obligations

  1. Scope of Processing:
    The Processor shall collect, process, and use Personal Data strictly within the boundaries of this DPA and in accordance with the documented instructions of the Controller.

  2. Compliance with Data Protection Law:
    The Processor shall promptly notify the Controller if it believes any instructions provided by the Controller for processing Personal Data violate Data Protection Law.

  3. Confidentiality Obligations:
    The Processor shall ensure that all personnel involved in handling Personal Data:

    • (i) Are aware of the confidential nature of Personal Data and are contractually obligated to maintain its confidentiality.
    • (ii) Have received appropriate training on their data protection responsibilities.
    • (iii) Are bound by the terms of this DPA.

  4. Technical and Organisational Measures:
    The Processor shall implement appropriate technical and organisational measures to protect Personal Data, taking into account:

    • The state of the art.
    • Costs of implementation.
    • Nature, scope, context, and purposes of processing.
    • Risk severity and likelihood to the rights and freedoms of natural persons.

  5. Security Measures:
    The Processor shall adopt security measures appropriate to the risks, including:

    • (i) Pseudonymisation and encryption of Personal Data.
    • (ii) Ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems.
    • (iii) Ability to restore timely access to Personal Data in case of incidents.
    • (iv) Regular testing and assessment of technical and organisational measures to ensure effective security.

  6. Exhibit B Adherence:
    The technical and organisational measures detailed in Exhibit B shall serve as the minimum security standard. The Processor may update these measures, provided the updates maintain at least an equivalent level of security and comply with the obligations in clauses 4.5 and 4.6.

  7. Access for Service Purposes:
    The Controller acknowledges that the Processor may need to access Personal Data to address technical issues or Controller queries and to ensure the Services function properly. Such access will be limited to these purposes.

  8. Support for Data Subject Rights:
    The Processor shall assist the Controller by implementing appropriate technical and organisational measures to support:

    • The Controller’s obligation to respond to Data Subject requests.
    • The Controller’s compliance with data protection obligations.

  9. Restrictions on Use of Personal Data:
    The Processor shall not:

    • (i) Sell Personal Data.
    • (ii) Retain, use, or disclose Personal Data for commercial purposes other than providing the Services as outlined in the Agreement.
    • (iii) Retain, use, or disclose Personal Data outside the scope of the Agreement.

5. Controller Obligations

The Controller represents and warrants that:

  1. Compliance:

    • (i) It shall comply with this DPA and its obligations under Data Protection Law.
    • (ii) It has obtained all necessary permissions and authorizations to allow the Processor, its Affiliates, and Sub-Processors to perform their rights and obligations under this DPA.
    • (iii) All Affiliates of the Controller using the Services shall adhere to the obligations of the Controller outlined in this DPA.

  2. Technical and Organisational Measures:
    The Controller shall implement appropriate technical and organisational measures to protect Personal Data, considering:

    • The state of the art.
    • Costs of implementation.
    • Nature, scope, context, and purposes of processing.
    • Risks to the rights and freedoms of natural persons, accounting for likelihood and severity.
    • Measures shall include, as appropriate:
      • (i) Pseudonymisation and encryption of Personal Data.
      • (ii) Ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
      • (iii) Restoring timely availability and access to Personal Data in case of physical or technical incidents.
      • (iv) Regular testing, assessing, and evaluating the effectiveness of technical and organisational measures to secure processing.

  3. Risk Assessment:
    The Controller shall evaluate risks associated with processing, particularly risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Personal Data transmitted, stored, or otherwise processed.

  4. Additional Costs:
    The Controller acknowledges that specific instructions, such as the destruction or return of data, conducting audits or inspections, performing DPIAs, or providing other assistance under this DPA, may incur additional fees. The Processor is entitled to charge the Controller reasonable costs and expenses for such assistance.

6. Sub-Processors

  1. Acknowledgment and Authorization:
    The Controller acknowledges and agrees that:

    • (i) Affiliates of the Processor may act as Sub-Processors.
    • (ii) The Processor and its Affiliates may engage Sub-Processors in connection with the provision of the Services.

  2. Sub-Processor Compliance:
    All Sub-Processors processing Personal Data for the provision of Services to the Controller must adhere to the obligations of the Processor as outlined in this DPA.

  3. List of Sub-Processors:
    The Controller authorizes the Processor to utilize the Sub-Processors listed in the provided List of Sub-Processors for processing Personal Data. The Processor shall notify the Controller via email at least 30 days in advance of any additions or changes to the List of Sub-Processors before authorizing new or replacement Sub-Processors.

  4. Objection to Sub-Processors:
    The Controller may object to the use of a new or replacement Sub-Processor by providing written notice to the Processor within ten (10) Business Days of receiving the Processor’s notice. If the Controller objects, they may terminate the Agreement for the affected Services that cannot be provided without the use of the new or replacement Sub-Processor. The Processor shall refund any prepaid fees for the remaining term of the Agreement related to the terminated Services.

  5. Contractual Requirements for Sub-Processors:
    Before a Sub-Processor processes Personal Data, the Processor shall:

    • (i) Enter into a written agreement with the Sub-Processor that includes obligations materially similar to those in this DPA, enforceable by the Processor.
    • (ii) Ensure the Sub-Processor complies with those obligations.

  6. Restricted Transfers:
    The Controller agrees that the Processor and its Sub-Processors may make Restricted Transfers of Personal Data to provide the Services in accordance with the Agreement. The Processor confirms that such Sub-Processors:

    • (i) Are located in a country or territory recognized by the EU Commission or a Supervisory Authority as providing an adequate level of protection.
    • (ii) Have entered into the applicable SCCs with the Processor.
    • (iii) Have other legally recognized appropriate safeguards in place.

7. Restricted Transfers

  1. Applicability of SCCs:
    The parties agree that any Restricted Transfer of Personal Data from the Controller to the Processor or from the Processor to a Sub-Processor shall be subject to the applicable SCCs.

  2. EU SCCs:

    • The EU SCCs shall apply to Restricted Transfers from the EEA.
    • The EU SCCs are deemed entered into and incorporated into this DPA with the following terms:
      • (i) Module Two (Controller to Processor) applies when the Controller transfers Customer Data to the Processor.
      • (ii) Module Three (Processor to Processor) applies when the Processor transfers Customer Data to a Sub-Processor.
      • (iii) Clause 7 (optional docking clause) does not apply.
      • (iv) Clause 9 (Option 2) applies, with the notice period for Sub-Processor changes as set out in Clause 6.3 of this DPA.
      • (v) Clause 11 (optional language) does not apply.
      • (vi) Clause 17 (Option 1) applies, with the EU SCCs governed by Irish law.
      • (vii) Clause 18(b) applies, with disputes resolved by the courts of Ireland.
      • (viii) Annex I of the EU SCCs is completed using the information in Exhibit A of this DPA.
      • (ix) Annex II of the EU SCCs is completed using the information in Exhibit B of this DPA.

  3. Adjustments for FDPA:
    Where the FDPA applies to a Restricted Transfer, the EU SCCs are adjusted as follows:

    • (i) The Swiss Federal Data Protection and Information Commissioner (FDPIC) is the sole Supervisory Authority for Restricted Transfers exclusively subject to the FDPA.
    • (ii) Restricted Transfers subject to both the FDPA and EU GDPR are handled by the EU Supervisory Authority named in Exhibit A of this DPA.
    • (iii) The term "member state" shall not exclude Swiss Data Subjects from enforcing their rights in Switzerland under Clause 18(c) of the EU SCCs.
    • (iv) References to the GDPR in the EU SCCs are interpreted as references to the FDPA for transfers exclusively subject to the FDPA.
    • (v) References to the GDPR in the EU SCCs are interpreted as references to the FDPA for transfers subject to both the FDPA and the EU GDPR, insofar as the transfers are subject to the FDPA.
    • (vi) The Swiss SCCs protect the Personal Data of legal entities until the revised FDPA comes into effect.

  4. UK SCCs:
    The UK SCCs shall apply to Restricted Transfers from the UK and are deemed entered into and incorporated into this DPA as set out in Exhibit C of this DPA.

  5. Prevailing Terms:
    In the event of any contradiction between the terms of this DPA and the provisions of the applicable SCCs, the provisions of the SCCs shall prevail.

8. Data Subject Access Requests

  1. Controller's Requests:
    The Controller may request correction, deletion, blocking, or access to Personal Data during or after the termination of the Agreement. The Processor agrees to process such requests to the extent lawful and will reasonably fulfill them following its standard operational procedures, as far as possible.

  2. Requests from Data Subjects:

    • If the Processor receives a request directly from a Data Subject regarding their Personal Data, the Processor shall refer the Data Subject to the Controller unless prohibited by law.
    • The Controller shall reimburse the Processor for any costs incurred in providing reasonable assistance in responding to a Data Subject's request.

  3. Legal Obligations:
    If the Processor is legally required to respond directly to a Data Subject, the Controller shall fully cooperate with the Processor to ensure compliance with applicable laws.

9. Audit

  1. Audit Rights:
    The Processor shall provide the Controller with all information reasonably necessary to demonstrate compliance with its processing obligations and will allow and contribute to audits and inspections.

  2. Scope of Audit:

    • Audits shall primarily involve the examination of the most recent reports, certificates, and/or extracts prepared by an independent auditor bound by confidentiality provisions similar to those in the Agreement.
    • If the Controller reasonably deems these documents insufficient, a more extensive audit may be conducted, subject to the following conditions:
      • (i) The audit will be at the Controller’s expense.
      • (ii) The audit will be limited in scope to matters relevant to the Controller and agreed upon in advance.
      • (iii) The audit will be conducted during the Processor’s usual business hours and with at least 4 weeks’ prior notice, unless an identifiable material issue has arisen.
      • (iv) The audit must be conducted in a manner that does not disrupt the Processor’s day-to-day operations.

  3. Purpose of Clause:
    This clause does not modify or limit the Controller’s rights to audit but is intended to clarify the procedures for audits conducted under this DPA.

10. Personal Data Breach

  1. Notification:
    The Processor shall notify the Controller without undue delay, and no later than 72 hours after discovering any accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Personal Data (a "Personal Data Breach").

  2. Mitigation and Assistance:
    The Processor shall take all commercially reasonable measures to:

    • Secure the affected Personal Data.
    • Limit the impact of the Personal Data Breach.
    • Assist the Controller in fulfilling its obligations under applicable law.

11. Compliance, Cooperation, and Response

  1. Notifications:

    • The Processor shall promptly notify the Controller of any request or complaint related to the processing of Personal Data that adversely impacts the Controller unless prohibited by applicable law or a court order.
    • The Processor may retain and/or copy Personal Data to comply with legal or regulatory requirements, including retention obligations.

  2. Assistance with DPIAs:
    The Processor shall reasonably assist the Controller in conducting Data Protection Impact Assessments (DPIAs), considering the nature of the processing and the information available to the Processor.

  3. Changes in Data Protection Laws:

    • The Controller shall inform the Processor within a reasonable timeframe of any changes to applicable data protection laws, codes, or regulations that may affect the Processor’s contractual obligations.
    • The Processor shall respond within a reasonable timeframe to implement any necessary changes to the terms of this DPA or to its technical and organisational measures to maintain compliance.
    • If the Processor cannot accommodate required changes, the Controller may terminate the affected parts of the Services causing non-compliance. Services unaffected by such changes will continue to be provided.

  4. Cooperation with Authorities:
    The Controller, the Processor, and their respective representatives, where applicable, shall cooperate with supervisory data protection authorities as required to fulfill their obligations under this DPA and applicable Data Protection Law.

12. Liability

  1. Applicability of Limitations:
    The limitations on liability outlined in the Agreement shall apply to all claims arising from any breach of the terms of this DPA.

  2. Processor Liability:
    The Processor shall be liable for breaches of this DPA caused by the acts, omissions, or negligence of its Sub-Processors to the same extent as if the Processor had performed those services directly, subject to the liability limitations set forth in the Agreement.

  3. Controller Liability:
    The Controller shall be liable for breaches of this DPA caused by the acts, omissions, or negligence of its Affiliates as though such actions were performed by the Controller itself.

  4. No Double Recovery:
    The Controller may not recover more than once for the same loss.

13. Term and Termination

  1. Processing Duration:
    The Processor shall process Personal Data only for the duration of this DPA.

  2. Term of the DPA:
    The term of this DPA begins with the commencement of the Agreement and shall terminate automatically upon the termination or expiry of the Agreement.

14. Deletion and Return of Personal Data

  1. Controller's Choice:
    Upon written request from the Controller, received within 30 days of the end of the provision of the Services, the Processor shall either delete or return the Personal Data to the Controller.

  2. Automatic Deletion:
    The Processor shall delete all copies of Personal Data in its systems within 60 days of the effective termination date of the Agreement, except in the following cases:

    • (i) Applicable laws or regulations require the retention of Personal Data beyond termination.
    • (ii) Partial Personal Data is stored in backups, in which case such data will be deleted from backups within 1 year of the effective termination date of the Agreement.

15. General

  1. Entire Agreement:
    This DPA represents the entire understanding between the parties regarding its subject matter.

  2. Severability:
    If any provision of this DPA is or becomes invalid, the remaining provisions shall remain unaffected. A valid provision that closely reflects the parties' original commercial intent shall replace the invalid provision. The same applies to any omissions.

  3. Governing Law and Jurisdiction:
    Subject to any conflicting provisions in the SCCs:

    • This DPA shall be governed by the laws of England and Wales.
    • The courts of England shall have exclusive jurisdiction for resolving disputes arising under this DPA.

  4. Incorporation into the Agreement:
    The parties agree that this DPA is incorporated into and governed by the terms of the Agreement.

Exhibit A

List of Parties, Description of Processing and Transfer of Personal Data, Competent Supervisory Authority

MODULE TWO: CONTROLLER TO PROCESSOR

A. LIST OF PARTIES

The Controller:

  • Definition: The Customer.
  • Address: As specified for the Customer in the Agreement.
  • Contact Details: Provided by the Customer in their account for notification and invoicing purposes.
  • Activities Relevant to Data Transfer: Use of the Services.
  • Signature and Date: By entering into the Agreement, the Controller is deemed to have signed the SCCs incorporated into this DPA, including their Annexes, as of the Effective Date of the Agreement.
  • Role: Data Exporter.
  • Representative Name (if applicable): Any UK or EU representative named in the Controller’s privacy policy.

The Processor:

  • Definition: Identity Square Limited.
  • Address: Lytchett House, 13 Freeland Park, Wareham Road, Poole, Dorset, BH16 6FA, United Kingdom.
  • Contact Details: Daniel P, Director, [email protected].
  • Activities Relevant to Data Transfer: Provision of cloud computing solutions, where the Processor processes Personal Data based on the Controller's instructions under the terms of the Agreement.
  • Signature and Date: By entering into the Agreement, the Processor is deemed to have signed the SCCs incorporated into this DPA, including their Annexes, as of the Effective Date of the Agreement.
  • Role: Data Importer.

B. DESCRIPTION OF PROCESSING AND TRANSFERS

  • Categories of Data Subjects:

    • Employees, agents, advisors, consultants, freelancers of the Controller (natural persons).
    • Affiliates and Authorized Users of the Controller using the Services under the Agreement.

  • Categories of Personal Data:
    The Controller may submit Personal Data to the Services, the extent of which is determined and controlled by the Controller. The Personal Data includes but is not limited to:

    • Personal details: email addresses of Authorized Users.
    • Unique identifiers: Username, account number or other unique identifiers.
    • Metadata: Sent, to, from, date, time, subject (may include Personal Data).
    • IP address of website visitors.
    • Geolocation based on IP address.
    • Data provided by Authorized Users for Data Subject requests.
    • Additional data as added by the Controller over time.

  • Sensitive Data:

    • No sensitive or special category data will be processed or transferred and should not be included in email content or attachments.

  • Frequency of Processing and Transfer:

    • Continuous for the duration of the Agreement.

  • Nature of the Processing:

    • Includes, but is not limited to, providing the Services to the Customer.

  • Purpose of Data Transfer and Further Processing:

    • Personal Data is transferred to subcontractors who must process some Personal Data to deliver services to the Processor as part of the Processor’s Services to the Controller.

  • Retention Period:

    • Unless otherwise agreed in writing, Personal Data will be retained for the duration of the Agreement, subject to clause 14 of the DPA.

  • Sub-Processor Details:

    • Refer to the List of Sub-Processors for specifics on the Personal Data processed and services provided by each Sub-Processor.

C. COMPETENT SUPERVISORY AUTHORITY

  • EU GDPR: Irish Data Protection Authority – Data Protection Commission (DPC).
  • UK GDPR: UK Information Commissioner’s Office (ICO).
  • FDPA: Swiss Federal Data Protection and Information Commissioner (FDPIC).

MODULE THREE: PROCESSOR TO PROCESSOR

A. LIST OF PARTIES

The Data Exporter:

  • The Company.

The Data Importers:

  • The Sub-Processors listed in the Sub-Processor list, including the name, address, contact details, and activities relevant to the data transferred to each Data Importer.

B. DESCRIPTION OF PROCESSING AND TRANSFERS

The List of Sub-Processors includes the following details for each Data Importer:

  • Categories of Data Subjects.
  • Categories of Personal Data.
  • Nature of the Processing.
  • Purposes of the Processing.

Details of Processing:

  • Personal Data is processed by each Data Importer:
    • On a continuous basis.
    • To the extent necessary to provide the Services in compliance with the Agreement and the Data Exporter’s instructions.
    • For the duration of the Agreement, subject to clause 14 of the DPA.

C. COMPETENT SUPERVISORY AUTHORITY

The competent Supervisory Authority of the Data Exporter shall be:

  • EU GDPR: Irish Data Protection Authority – Data Protection Commission (DPC).
  • UK GDPR: UK Information Commissioner’s Office (ICO).
  • FDPA: Swiss Federal Data Protection and Information Commissioner (FDPIC).

Exhibit B

Technical and Organisational Security Measures
(including Technical and Organisational Measures to Ensure the Security of Data)

This Exhibit outlines the technical and organisational measures implemented by the Processor to ensure an appropriate level of security, considering the nature, scope, context, and purpose of the processing, and the associated risks for the rights and freedoms of individuals.

Where applicable, this Exhibit B serves as Annex II to the SCCs.

  • Measures of Pseudonymisation and Encryption:
    The Controller's data is encrypted at rest using 256-bit AES encryption. Data in transit is secured with Transport Layer Security (TLS).

  • Measures for Ensuring Confidentiality, Integrity, Availability, and Resilience:
    Role-based access control is implemented, adhering to "least privilege" and "need-to-know" principles. State-of-the-art encryption protects sensitive data as needed.

  • Measures for Restoring Availability and Access:
    IT infrastructure redundancy minimizes downtime, and backups are performed hourly and daily according to established procedures.

  • Processes for Regular Testing and Evaluation:
    Automated vulnerability scans and assessments are conducted at varying frequencies (e.g., daily, weekly, or upon code changes). Annual third-party penetration tests and industry-standard security audits are also performed.

  • Measures for User Identification and Authorization:
    Logical access controls manage electronic access based on roles and job functions, including unique IDs and passwords. Access is promptly revoked upon employment termination.

  • Measures for Data Protection During Transmission:
    Data in transit is protected using TLS.

  • Measures for Data Protection During Storage:
    Personal Data is stored internally and on third-party servers (e.g., AWS) that maintain certifications such as ISO 27001. Archived data is encrypted at rest using 256-bit AES encryption.

  • Measures for Ensuring Physical Security:
    Third-party data centers used by the Processor maintain ISO 27001 or equivalent certifications. The Processor's office is secured with keypad entry requiring a secure PIN.

  • Measures for Event Logging:
    System inputs are recorded in log files, enabling retrospective reviews of data entry, modification, or deletion activities.

  • Measures for System Configuration:
    Configuration management tools ensure system configurations meet specifications and remain consistent.

  • Measures for Internal IT Governance:
    Employees are trained to process data within the scope of their duties. Logical separation of customer data and separation between testing and production systems are maintained.

  • Measures for Certification/Assurance:
    The Processor's third-party data centers maintain ISO 27001 or SSAE 16 SOC certifications. Certification or attestation reports are available upon written request once per year.

  • Measures for Data Minimisation:
    Unnecessary Personal Data is deleted promptly. Data is initially locked before permanent deletion to prevent accidental or malicious actions.

  • Measures for Data Quality:
    The Controller is responsible for providing accurate data. The Processor offers reporting tools to help validate stored data.

  • Measures for Limited Data Retention:
    A data classification scheme governs retention policies. Deleted records are removed from active databases and backups as per the retention policy.

  • Measures for Accountability:
    Employees handling sensitive data are trained annually on security policies and are subject to disciplinary action for non-compliance.

  • Measures for Data Portability and Erasure:
    Built-in tools enable the Controller to export and permanently erase data as needed.

  • Sub-Processor Assistance Measures:
    Personal Data is transferred to third parties only under contracts and for specific purposes. Transfers outside the EEA comply with EU data protection standards (e.g., through SCCs).

Exhibit C

International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (SCCs)

This Addendum, issued by the Information Commissioner, provides Appropriate Safeguards for Restricted Transfers when entered into as a legally binding contract.

Part 1: Tables

Table 1: Parties

  • Exporter (who sends the Restricted Transfer):
    • Full Legal Name: The Customer named in the Agreement.
    • Main Address: As set out in Annex I of the Approved EU SCCs.
    • Official Registration Number (if applicable): Where specified in the Agreement.
  • Importer (who receives the Restricted Transfer):
    • Full Legal Name: Identity Square Limited.
    • Main Address: Lytchett House, 13 Freeland Park, Wareham Road, Poole, Dorset, BH16 6FA, United Kingdom.
    • Official Registration Number: 13813151.
  • Key Contact Information:
    • Exporter: Details as set out in Annex I of the Approved EU SCCs.
    • Importer: Director, [email protected].
  • Signature: No signature required.

Table 2: Selected SCCs, Modules, and Selected Clauses

  • Addendum EU SCCs: The Approved EU SCCs, including Appendix Information and with the following provisions activated:
    • Module 2 (Controller to Processor): Clause 11 (not used), Clause 9a (General Authorisation – Yes), Clause 9a (Time Period – 30 days).
    • Module 3 (Processor to Processor): Clause 11 (not used), Clause 9a (General Authorisation – Yes), Clause 9a (Time Period – 30 days).
    • Modules 1 and 4: Not in operation.

Table 3: Appendix Information

  • Appendix Information includes details required for the selected modules in the Appendix of the Approved EU SCCs, as follows:
    • Annex 1A: List of Parties for Module 2 and Module 3.
    • Annex 1B: Description of Transfer for Module 2 and Module 3.
    • Annex II: Technical and Organisational Measures for Module 2.

Table 4: Ending this Addendum when the Approved Addendum Changes

  • Which Parties May End This Addendum: The Exporter, as per Section 19.

Part 2: Mandatory Clauses

Entering into this Addendum

1. Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.

2. Although Annex 1A and Clause 7 of the Approved EU SCCs require signatures, the Parties may enter into this Addendum in any legally binding manner that ensures data subjects can enforce their rights. Entering into this Addendum has the same effect as signing the Approved EU SCCs or any part thereof.

Interpretation of this Addendum

3. Terms used in this Addendum have the same meanings as defined in the Approved EU SCCs, with additional definitions as follows:

  • Addendum: This International Data Transfer Addendum, incorporating the Addendum EU SCCs.
  • Addendum EU SCCs: The Approved EU SCCs as appended to this Addendum, as specified in Table 2.
  • Appendix Information: Details specified in Table 3.
  • Appropriate Safeguards: Protection standards required by UK Data Protection Laws for Restricted Transfers under Article 46(2)(d) of the UK GDPR.
  • Approved Addendum: The template issued by the ICO under the Data Protection Act 2018.
  • Approved EU SCCs: Standard Contractual Clauses from the EU Commission Implementing Decision (EU) 2021/914.
  • ICO: The Information Commissioner.
  • Restricted Transfer: A transfer subject to Chapter V of the UK GDPR.
  • UK: United Kingdom of Great Britain and Northern Ireland.
  • UK Data Protection Laws: All applicable UK data protection laws, including the UK GDPR and the Data Protection Act 2018.
  • UK GDPR: Defined in Section 3 of the Data Protection Act 2018.

4. This Addendum must align with UK Data Protection Laws and provide the Appropriate Safeguards.

5. If the provisions included in the Addendum EU SCCs amend the Approved EU SCCs in any way that is not permitted under the Approved EU SCCs or the Approved Addendum, those amendments are not incorporated into this Addendum and the equivalent provisions of the Approved EU SCCs take their place.

6. In case of inconsistency or conflict with UK Data Protection Laws, the UK Data Protection Laws will prevail.

7. If the Addendum's meaning is unclear or ambiguous, the interpretation most consistent with UK Data Protection Laws will apply.

8. References to legislation include any future amendments, re-enactments, or replacements.

Hierarchy

9. While Clause 5 of the Approved EU SCCs states that the SCCs take precedence over related agreements, the hierarchy in Section 10 of this Addendum prevails for Restricted Transfers.

10. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs, the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the conflicting terms of the Addendum EU SCCs provide greater protection for data subjects, in which case those terms prevail.

11. This Addendum does not affect Addendum EU SCCs protecting transfers under the General Data Protection Regulation (EU) 2016/679.

Incorporation of and Changes to the EU SCCs

12. This Addendum incorporates the Addendum EU SCCs, amended as necessary to comply with the requirements of UK Data Protection Laws.

13. If alternative amendments meeting the requirements of Section 12 are agreed upon, they will apply; otherwise, Section 15 applies.

14. No amendments may be made to the Approved EU SCCs except to meet the requirements of Section 12.

15. Amendments for compliance with Section 12 are incorporated automatically.

Amendments to this Addendum

16. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to reference Scottish or Northern Irish law and courts.

17. Changes to the format of Part 1: Tables may be made with mutual written agreement, provided they do not reduce the Appropriate Safeguards.

18. The ICO may issue a revised Approved Addendum, specifying an effective date and indicating whether the Parties need to review the Addendum. Changes take effect automatically as specified.

19. If a revised Approved Addendum issued under Section 18 will, as a direct result of its changes, cause a Party selected in Table 4 a substantial, disproportionate and demonstrable increase in its direct costs of performing its obligations under this Addendum and/or in its risk under this Addendum, and that Party has first taken reasonable steps to reduce those costs or risks, it may end this Addendum by giving the other Party written notice of a reasonable notice period before the effective date of the revised Approved Addendum.

20. The Parties may make changes to this Addendum without third-party consent, provided such changes comply with the Addendum's terms.