Enterprise Terms (OEM)
This agreement (this “Agreement”) is a binding contract between the entity on whose behalf the individual accepting this Agreement accepts this Agreement (“Customer”) and Deduce, Inc. (“Deduce”), effective as of the date on which you click a button or check a box (or something similar) acknowledging your acceptance of this Agreement (the “Effective Date”). You represent and warrant that you are authorized to bind such entity to the terms of this Agreement. This Agreement includes and incorporates any order form executed previously, presently or subsequently by and between Customer and Authorized Reseller (as defined below) (“Order Form”).
- Order Forms; Access to the Service. Upon mutual execution, each Order Form shall be incorporated into and form a part of the Agreement. For each Order Form, subject to Customer’s compliance with the terms and conditions of this Agreement (including any limitations and restrictions set forth on the applicable Order Form) Deduce grants Customer a worldwide, non-exclusive, royalty-free, fully paid-up, nonsublicensable, nontransferable (except to the extent this Agreement is transferred in accordance with Section 18) license to internally access and use the Deduce product(s) and/or service(s) specified in such Order Form (collectively, the “Service,” or “Services”) during the applicable Order Form Term (as defined below) for the internal business purposes of Customer, only as provided herein and only in accordance with Deduce’s applicable official user documentation for such Service.
- Reserved.
- Service Updates. From time to time, Deduce may provide upgrades, patches, enhancements, or fixes for the Services to its customers generally without additional charge (“Updates”), and such Updates will become part of the Services and subject to this Agreement; provided that Deduce shall have no obligation under this Agreement or otherwise to provide any such Updates. Customer understands that Deduce may make improvements and modifications to the Services at any time in its sole discretion; provided that Deduce shall use commercially reasonable efforts to give Customer reasonable prior notice of any major changes.
- Ownership; Feedback. As between the parties, Deduce retains all right, title, and interest in and to the Services, and all software, products, works, and other intellectual property and moral rights related thereto or created, used, or provided by Deduce for the purposes of this Agreement, including any copies and derivative works of the foregoing. All Product Data, together with any software which is distributed or otherwise provided to Customer hereunder (including without limitation any software identified on an Order Form) shall be deemed a part of the “Services” and subject to all of the terms and conditions of this Agreement. No rights or licenses are granted except as expressly and unambiguously set forth in this Agreement. Customer may (but is not obligated to) provide suggestions, comments or other feedback to Deduce with respect to the Service (“Feedback”). Deduce acknowledges and agrees that all Feedback is provided “AS IS” and without warranty of any kind. Notwithstanding anything else, Customer shall, and hereby does, grant to Deduce a nonexclusive, worldwide, perpetual, irrevocable, transferable, sublicensable, royalty-free, fully paid up license to use and exploit the Feedback for any purpose. Nothing in this Agreement will impair Deduce’s right to develop, acquire, license, market, promote or distribute products, software or technologies that perform the same or similar functions as, or otherwise compete with any products, software or technologies that Customer may develop, produce, market, or distribute.
- Mutual Representations and Warranties. Each party represents and warrants to the other that: (a) it is a corporation duly organized and validly existing under the laws of the jurisdiction in which it is incorporated; (b) it has full corporate power and authority, and has obtained all approvals, permissions and consents necessary, to enter into this Agreement and to perform its obligations hereunder; (c) this Agreement is legally binding upon it and enforceable in accordance with its terms; (d) the execution, delivery and performance of this Agreement does not and will not conflict with any agreement, instrument, judgment or understanding, oral or written, to which it is a party or by which it may be bound; and (e) it will comply with all applicable laws and regulations with respect to its performance under this Agreement.
- Reserved.
- Restrictions. Except as expressly set forth in this Agreement, Customer shall not (and shall not permit any third party to), directly or indirectly: (i) reverse engineer, decompile, disassemble, or otherwise attempt to discover the source code, object code, or underlying structure, ideas, or algorithms of the Service (except to the extent applicable laws specifically prohibit such restriction); (ii) modify, translate, or create derivative works based on the Service; (iii) copy, rent, lease, distribute, pledge, assign, or otherwise transfer or encumber rights to the Service; (iv) use the Service for the benefit of a third party; (v) remove or otherwise alter any proprietary notices or labels from the Service or any portion thereof; (vi) use the Service to build an application or product that is competitive with any Deduce product or service; (vii) interfere or attempt to interfere with the proper working of the Service or any activities conducted on the Service; (viii) bypass any measures Deduce may use to prevent or restrict access to the Service (or other accounts, computer systems or networks connected to the Service). Customer is responsible for all of Customer’s activity in connection with the Service, including but not limited to uploading Customer Data (as defined below) onto the Service. Customer (a) shall use the Service in compliance with all applicable local, state, national and foreign laws, treaties and regulations in connection with Customer’s use of the Service (including those related to data privacy, international communications, export laws and the transmission of technical or personal data laws), and (b) shall not use the Service in a manner that violates any third party intellectual property, contractual or other proprietary rights.
- Customer Data. For purposes of this Agreement, “Customer Data” shall mean any data, information or other material provided, uploaded, or submitted by Customer to the Service in the course of using the Service. Customer shall retain all right, title and interest in and to the Customer Data, including all intellectual property rights therein. Customer, not Deduce, shall have sole responsibility for the accuracy, quality, integrity, legality, reliability, appropriateness, and intellectual property ownership or right to use all Customer Data. Customer represents and warrants that it has all rights necessary to provide the Customer Data to Deduce as contemplated hereunder, in each case without any infringement, violation or misappropriation of any third party rights (including, without limitation, intellectual property rights and rights of privacy). Deduce shall use commercially reasonable efforts to maintain the security and integrity of the Service and the Customer Data. Deduce is not responsible to Customer for unauthorized access to Customer Data or the unauthorized use of the Service unless such access is due to Deduce’s gross negligence or willful misconduct. Customer is responsible for the use of the Service by any person to whom Customer has given access to the Service, even if Customer did not authorize such use. To the extent applicable, the Parties agree to comply with the Data Related Terms attached in Exhibit B hereto. Customer agrees and acknowledges that Customer Data may be irretrievably deleted if Customer’s account is ninety (90) days or more delinquent. Notwithstanding anything to the contrary, Customer acknowledges and agrees that Deduce may internally use Customer Data to provide Services on an optimized basis to Customer (including improvement of such services).
- Third Party Integrations. Customer acknowledges and agrees that (i) the Service may operate on, with or using application programming interfaces (APIs) and/or other services operated or provided by third parties (e.g., other vendors of Customer) (“Third Party Integrations”), (ii) the availability and operation of the Service or certain portions thereof may be dependent on Deduce’s ability to access such Third Party Integrations, and (iii) Customer’s failure to provide adequate access or any retraction of permissions relating to such Third Party Integrations may result in a suspension or interruption of the Service. Customer hereby represents and warrants that it has all rights, licenses, permissions and consents necessary to connect, use and access any Third Party Integrations that it integrates with the Service, and Customer shall indemnify, defend and hold harmless Deduce for all claims, damages and liabilities arising out of Customer’s use of any Third Party Integrations in connection with or through the Service. Deduce cannot and does not guarantee that the Service shall incorporate (or continue to incorporate) any particular Third Party Integrations and does not make any representations or warranties with respect to Third Party Integrations. Customer is solely responsible for procuring any and all rights necessary for it to access Third Party Integrations (including any Customer Data or other information relating thereto) and for complying with any applicable terms or conditions thereof. Any exchange of data or other interaction between Customer and a third party provider is solely between Customer and such third party provider and is governed by such third party’s terms and conditions.
- Fair Credit Reporting Act. Customer acknowledges and agrees that the purpose of the Services and any data obtained therefrom (“Product Data”) is for (a) fraud detection and prevention and (b) verifying or authenticating an individual’s identity (collectively, the “Permitted Use”) and Customer represents, warrants and covenants that they will only use the Services for its Permitted Use. Deduce is not a “credit reporting agency” and neither the Service nor Product Data nor any analysis of Product Data constitutes “consumer reports” as those terms are defined in the Fair Credit Reporting Act, 15 U.S.C. § 1681, et seq., or any similar state statute (“FCRA”). Without limiting the foregoing, Customer shall not use the Service or Product Data, in whole or in part, in any manner that violates applicable law, including without limitation for the purpose of serving as a factor in establishing a person’s eligibility for credit, insurance, employment, or another purpose in connection with which a consumer report may be used under the FCRA. Specifically, Customer hereby certifies that it will not use the Service or Product Data to determine, in whole or in part, an individual’s eligibility for any of the following products, services or transactions: (a) credit or insurance to be used primarily for personal, family or household purposes; (b) employment purposes; (c) benefits, tenancy (including, without limitation, deciding whether to lease a commercial or residential property) or educational admission considerations; (d) in connection with a business transaction initiated by an individual consumer for personal, family or household purposes, including whether an individual meets the terms of a customer account; or (e) any other product, service or transaction in connection with which a consumer report may be used under the FCRA, including, without limitation, check-cashing or the opening of a deposit or transaction account. 
Deduce makes no representation or warranty as to the credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living of any person. Customer shall not use the Services in order to take any “adverse action” as that term is defined in the FCRA.
- Term; Termination. This Agreement shall commence upon the date of the first Order Form, and, unless earlier terminated in accordance herewith, shall last until the expiration of all Order Form Terms. For each Order Form, unless otherwise specified therein, the “Order Form Term” shall begin as of the Effective Date set forth on such Order Form, and unless earlier terminated as set forth herein, (x) shall continue for the initial term specified on such Order Form (the “Order Form Initial Term”), and (y) following the Order Form Initial Term, shall automatically renew for additional successive periods of equal duration to the Order Form Initial Term (each, an “Order Form Renewal Term”) unless either party notifies the other party of such party’s intention not to renew no later than thirty (30) days prior to the expiration of the Order Form Initial Term or then-current Order Form Renewal Term, as applicable. In the event of a material breach of this Agreement by either party, the non-breaching party may terminate this Agreement by providing written notice to the breaching party, provided that the breaching party does not materially cure such breach within thirty (30) days of receipt of such notice.
Without limiting the foregoing, Deduce may suspend or limit Customer’s access to or use of the Service if (i) reserved, or (ii) Customer’s use of the Service results in (or is reasonably likely to result in) damage to or material degradation of the Service which interferes with Deduce’s ability to provide access to the Service to other customers; provided that in the case of subsection (ii): (a) Deduce shall use reasonable good faith efforts to work with Customer to resolve or mitigate the damage or degradation in order to resolve the issue without resorting to suspension or limitation; (b) prior to any such suspension or limitation, Deduce shall use commercially reasonable efforts to provide notice to Customer describing the nature of the damage or degradation; and (c) Deduce shall reinstate Customer’s use of or access to the Service, as applicable, if Customer remediates the issue within thirty (30) days of receipt of such notice. All provisions of this Agreement which by their nature should survive termination shall survive termination, including, without limitation, accrued payment obligations, ownership provisions, warranty disclaimers, indemnity and limitations of liability.
- Indemnification. Each party (“Indemnitor”) shall defend, indemnify, and hold harmless the other party, its affiliates and each of its and its affiliates’ employees, contractors, directors, suppliers and representatives (collectively, the “Indemnitee”) from all liabilities, claims, and expenses paid or payable to an unaffiliated third party (including reasonable attorneys’ fees) (“Losses”), that arise from or relate to any claim (i) in the case of Deduce as Indemnitor, that the Service infringes, violates, or misappropriates any third party intellectual property or proprietary right (“Third Party Right”), or (ii) in the case of Customer as Indemnitor (A) that the Customer Data or Customer’s use of the Service infringes, violates, or misappropriates any Third Party Right, or (B) relating to Customer’s actual or alleged breach of Section 10 (Fair Credit Reporting Act). Each Indemnitor’s indemnification obligations hereunder shall be conditioned upon the Indemnitee providing the Indemnitor with: (x) prompt written notice of any claim (provided that a failure to provide such notice shall only relieve the Indemnitor of its indemnity obligations if the Indemnitor is materially prejudiced by such failure); (y) the option to assume sole control over the defense and settlement of any claim (provided that the Indemnitee may participate in such defense and settlement at its own expense); and (z) reasonable information and assistance in connection with such defense and settlement (at the Indemnitor’s expense). 
The foregoing obligations of Deduce do not apply with respect to the Service or any information, technology, materials or data (or any portions or components of the foregoing) to the extent (i) not created or provided by Deduce (including without limitation any Customer Data), (ii) made in whole or in part in accordance to Customer specifications, (iii) modified after delivery by Deduce, (iv) combined with other products, processes or materials not provided by Deduce (where the alleged Losses arise from or relate to such combination), (v) where Customer continues allegedly infringing activity after being notified thereof or after being informed of modifications that would have avoided the alleged infringement, or (vi) Customer’s use of the Service is not strictly in accordance herewith.
- Disclaimer. EXCEPT AS EXPRESSLY SET FORTH HEREIN, THE SERVICE IS PROVIDED “AS IS” AND “AS AVAILABLE” AND IS WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AND ANY WARRANTIES IMPLIED BY ANY COURSE OF PERFORMANCE, USAGE OF TRADE, OR COURSE OF DEALING, ALL OF WHICH ARE EXPRESSLY DISCLAIMED.
- Limitation of Liability. EXCEPT FOR THE PARTIES’ INDEMNIFICATION OBLIGATIONS AND FOR CUSTOMER’S BREACH OF SECTION 7, IN NO EVENT SHALL EITHER PARTY, NOR ITS DIRECTORS, EMPLOYEES, AGENTS, PARTNERS, SUPPLIERS OR CONTENT PROVIDERS, BE LIABLE UNDER CONTRACT, TORT, STRICT LIABILITY, NEGLIGENCE OR ANY OTHER LEGAL OR EQUITABLE THEORY WITH RESPECT TO THE SUBJECT MATTER OF THIS AGREEMENT (I) FOR ANY LOST PROFITS, DATA LOSS, COST OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR SPECIAL, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES OF ANY KIND WHATSOEVER, SUBSTITUTE GOODS OR SERVICES (HOWEVER ARISING), (II) FOR ANY BUGS, VIRUSES, TROJAN HORSES, OR THE LIKE (REGARDLESS OF THE SOURCE OF ORIGINATION), OR (III) FOR ANY DIRECT DAMAGES IN EXCESS OF (IN THE AGGREGATE) THE FEES PAID (OR PAYABLE) BY CUSTOMER TO DEDUCE HEREUNDER IN THE TWELVE (12) MONTHS PRIOR TO THE EVENT GIVING RISE TO A CLAIM HEREUNDER.
- Reserved.
- Insurance. Each party will maintain insurance (that is reasonable in scope of coverage and policy limits) with reputable carriers that is commensurate with such party’s size and obligations hereunder.
- Authorized Reseller. You may purchase or access the Services from an authorized Deduce reseller or channel partner (“Authorized Reseller”). In accordance with and as further described in the relevant agreement between you and such Authorized Reseller, (i) such Authorized Reseller will provide any support or training for the Services that you may need and (ii) you will pay such Authorized Reseller any fees owed for the Services.
- Miscellaneous. This Agreement (including all Order Forms) represents the entire agreement between Customer and Deduce with respect to the subject matter hereof, and supersedes all prior or contemporaneous communications and proposals (whether oral, written or electronic) between Customer and Deduce with respect thereto. In the event of any conflict between these terms and an Order Form, the Order Form shall control. The Agreement shall be governed by and construed in accordance with the laws of the State of New York, excluding its conflicts of law rules, and the parties consent to exclusive jurisdiction and venue in the state and federal courts located in New York, New York. All notices under this Agreement shall be in writing and shall be deemed to have been duly given when received, if personally delivered or sent by certified or registered mail, return receipt requested; when receipt is electronically confirmed, if transmitted by facsimile or e-mail; or the day after it is sent, if sent for next day delivery by recognized overnight delivery service. Notices must be sent to the contacts for each party set forth on the Order Form. Either party may update its address set forth above by giving notice in accordance with this section. Except as otherwise provided herein, any provision of this Agreement may be amended or waived only by a writing executed by both parties. 
Except for payment obligations, neither party shall be liable for any failure to perform its obligations hereunder where such failure results from any cause beyond such party’s reasonable control, including, without limitation, the elements; fire; flood; severe weather; earthquake; vandalism; accidents; sabotage; power failure; denial of service attacks or similar attacks; Internet failure; acts of God and the public enemy; acts of war; acts of terrorism; riots; civil or public disturbances; strikes, lock-outs or labor disruptions; any laws, orders, rules, regulations, acts or restraints of any government or governmental body or authority, civil or military, including the orders and judgments of courts. Neither party may assign any of its rights or obligations hereunder without the other party’s consent; provided that (i) either party may assign all of its rights and obligations hereunder without such consent to a successor-in-interest in connection with a sale of substantially all of such party’s business relating to this Agreement, and (ii) Deduce may utilize subcontractors in the performance of its obligations hereunder. No agency, partnership, joint venture, or employment relationship is created as a result of this Agreement and neither party has any authority of any kind to bind the other in any respect. In any action or proceeding to enforce rights under this Agreement, the prevailing party shall be entitled to recover costs and attorneys’ fees. If any provision of this Agreement is held to be unenforceable for any reason, such provision shall be reformed only to the extent necessary to make it enforceable. The failure of either party to act with respect to a breach of this Agreement by the other party shall not constitute a waiver and shall not limit such party’s rights with respect to such breach or any subsequent breaches.
Exhibit A
Reserved
Exhibit B
Data Related Terms
This Exhibit is entered into by and between Deduce and Customer (each, a “Party”, and together, the “Parties”) and may be updated from time to time in Deduce’s sole discretion. In consideration of the mutual covenants and agreements set forth herein and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties, intending to be legally bound, hereby covenant and agree to the following, as applicable:
- Definitions
- “Data Protection Law(s)” means any applicable laws, rules, and regulations in any relevant jurisdiction applicable to the use or processing of Personal Data, including: (i) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”) and the EU GDPR as it forms part of the law of England and Wales by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”) (together, collectively, the “GDPR”), (ii) the Swiss Federal Act on Data Protection, (iii) the UK Data Protection Act 2018; and (iv) the Privacy and Electronic Communications (EC Directive) Regulations 2003, (v) the California Consumer Privacy Act as amended by the California Privacy Rights Act of 2020 (“CCPA”), and (vi) the Virginia Consumer Data Protection Act (“VCDPA”); in each case, as updated, amended or replaced from time to time, including any superseding regulation, and any implementing legislation of each nation in the European Economic Area to the extent applicable to the processing by a Party. The terms “Data Subject”, “Personal Data”, “Personal Data Breach”, “processing”, “processor,” “controller,” and “Supervisory Authority” shall have the meanings set forth in the GDPR.
- “EU SCCs” means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of Personal data to countries not otherwise recognized as offering an adequate level of protection for Personal data by the European Commission (as amended and updated from time to time), as modified by this Exhibit B.
- “ex-EEA Transfer” means the transfer of Personal Data, which is processed in accordance with the GDPR, from the Customer (as Data Exporter) to Deduce (as Data Importer) (or its premises) outside the European Economic Area (the “EEA”), and such transfer is not governed by an adequacy decision made by the European Commission in accordance with the relevant provisions of the GDPR.
- “ex-UK Transfer” means the transfer of Personal Data, which is processed in accordance with the UK GDPR and the Data Protection Act 2018, from the Customer (as Data Exporter) to Deduce (as Data Importer) (or its premises) outside the United Kingdom (the “UK”), and such transfer is not governed by an adequacy decision made by the Secretary of State in accordance with the relevant provisions of the UK GDPR and the Data Protection Act 2018.
- “Standard Contractual Clauses” means the EU SCCs and the UK SCCs.
- “UK Addendum” has the meaning set forth in Exhibit C and Exhibit D of this Agreement.
- “UK SCCs” means the EU SCCs, as amended by the UK Addendum.
- Processing of Personal Data
- Independent Controllers. Each Party may receive Personal Data in connection with this Agreement, which may be subject to Data Protection Law. The Parties acknowledge and agree that, unless expressly agreed otherwise in writing with respect to a Personal Data set, each Party is a separate and independent controller subject to all obligations imposed by Data Protection Laws on controllers with respect to such Personal Data and shall independently determine the purposes and means of its processing of such Personal Data. Customer agrees to provide Data Subjects whose Personal Data is provided to Deduce with a privacy notice that complies with Data Protection Law and that identifies Deduce as a recipient of Personal Data. Each Party shall be independently liable for its own processing of Personal Data to the extent such processing does not comply with Data Protection Laws.
- Deduce as a Processor. The Parties acknowledge and agree that with respect to certain specifically agreed Personal Data sets, Deduce may act as a processor pursuant to the GDPR and VCDPA (and, as applicable, a service provider pursuant to the CCPA), subject to Deduce’s express prior written agreement for each such Personal Data set. In the event Deduce acts as a processor and service provider in connection with this Agreement, Sections 4 and 7.2 shall apply.
- Transfers of Personal Data
- Ex-EEA Transfers. The parties agree that, except when Deduce processes Personal Data as a processor pursuant to Section 2.2, ex-EEA Transfers are made pursuant to Module One (Controller-to-Controller) of the EU SCCs, which are deemed entered into (and incorporated into this Addendum by this reference) and completed as follows:
- The optional docking clause in Clause 7 does not apply.
- In Clause 11, the optional language does not apply;
- All square brackets in Clause 13 are hereby removed;
- In Clause 17 (Option 1), the EU SCCs will be governed by the laws of Ireland;
- In Clause 18(b), disputes will be resolved before the courts of Ireland;
- Annex I to Exhibit B to this Agreement contains the information required in Annex I of the EU SCCs;
- Annex II to Exhibit B to this Agreement contains the information required in Annex II of the EU SCCs; and
- By entering into this Addendum, the parties are deemed to have signed the EU SCCs incorporated herein, including their Annexes.
- Ex-UK Transfers. The parties agree that ex-UK Transfers are made pursuant to the UK SCCs, which are deemed entered into and incorporated into this Addendum by reference, and amended and completed in accordance with the UK Addendum, which is incorporated herein as Exhibit C of this Agreement.
- Transfers from Switzerland. The Parties agree that transfers from Switzerland are made pursuant to the EU SCCs with the following modifications:
- The terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as utilized in the EU SCCs shall be interpreted to include the Federal Act on Data Protection of 19 June 1992 (the “FADP,” and as revised as of 25 September 2020, the “Revised FADP”) with respect to data transfers subject to the FADP.
- The terms of the EU SCCs shall be interpreted to protect the data of legal entities until the effective date of the Revised FADP.
- Clause 13 of the EU SCCs is modified to provide that the Federal Data Protection and Information Commissioner (“FDPIC”) of Switzerland shall have authority over data transfers governed by the FADP and the appropriate EU Supervisory Authority shall have authority over data transfers governed by the GDPR. Subject to the foregoing, all other requirements of Clause 13 shall be observed.
- The term “EU Member State” as utilized in the EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the EU SCCs.
- Deduce as a Processor
- Processing of Personal Data. This Section 4 applies if and to the extent Deduce has expressly agreed in writing to process a Personal Data set as a processor pursuant to the GDPR.
- Customer shall, in its use of the Services, at all times process Personal Data, and provide instructions for the processing of Personal Data, in compliance with Data Protection Laws. Customer shall ensure that the processing of Personal Data in accordance with Customer’s instructions will not cause Deduce to be in breach of Data Protection Laws. Customer is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to Deduce by or on behalf of Customer, (ii) the means by which Customer acquired any such Personal Data, and (iii) the instructions it provides to Deduce regarding the processing of such Personal Data. Customer shall not provide or make available to Deduce any Personal Data in violation of the Agreement or otherwise inappropriate for the nature of the Services, and shall indemnify Deduce from all claims and losses in connection therewith.
- Deduce shall process the Personal Data in a manner that is consistent with the documented instructions provided by Customer. Customer hereby instructs Deduce to process Personal Data to provide the Services to Customer. Deduce shall not process Personal Data in a manner inconsistent with the documented instructions provided by Customer, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by an applicable law to which Deduce is subject; in such a case, Deduce shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
- Deduce shall ensure that any person it authorizes to process Personal Data has agreed to protect Personal Data in accordance with Deduce’s confidentiality obligations in the Agreement. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Deduce shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing Personal Data. Annexes IV and VI set forth additional information about Deduce’s technical and organizational security measures.
- Deduce shall, to the extent permitted by law, notify Customer upon receipt of a request by a Data Subject to exercise the Data Subject’s right of: access, rectification, erasure, data portability, restriction or cessation of processing, withdrawal of consent to processing, and/or objection to being subject to processing that constitutes automated decision-making (such requests individually and collectively “Data Subject Request(s)”). If Deduce receives a Data Subject Request in relation to Customer’s data, Deduce will advise the Data Subject to submit their request to Customer and Customer will be responsible for responding to such request, including, where necessary, by using the functionality of the Services. Customer is solely responsible for ensuring that Data Subject Requests for erasure, restriction or cessation of processing, or withdrawal of consent to processing of any Personal Data are communicated to Deduce, and, if applicable, for ensuring that a record of consent to processing is maintained with respect to each Data Subject.
- Deduce shall, at the request of the Customer, and taking into account the nature of the processing applicable to any Data Subject Request, apply appropriate technical and organizational measures to assist Customer in complying with Customer’s obligation to respond to such Data Subject Request and/or in demonstrating such compliance, where possible, provided that (i) Customer is itself unable to respond without Deduce’s assistance and (ii) Deduce is able to do so in accordance with all applicable laws, rules, and regulations. Customer shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Deduce.
- Deduce shall, taking into account the nature of the processing and the information available to it, provide Customer with reasonable cooperation and assistance where necessary for Customer to comply with its obligations under the GDPR to conduct a data protection impact assessment and/or to demonstrate such compliance, provided that Customer does not otherwise have access to the relevant information. Customer shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Deduce.
- Deduce shall, taking into account the nature of the processing and the information available to Deduce, provide Customer with reasonable cooperation and assistance with respect to Customer’s cooperation and/or prior consultation with any Supervisory Authority, where necessary and where required by the GDPR. Customer shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Deduce.
- Deduce shall maintain records sufficient to demonstrate its compliance with its obligations under this Exhibit, and retain such records for a period of three (3) years after the termination of the Agreement. Customer shall, with reasonable notice to Deduce, have the right to review, audit and copy such records at Deduce’s offices during regular business hours.
- Upon Customer’s written request at reasonable intervals, and subject to reasonable confidentiality controls, Deduce shall, either (i) make available for Customer’s review copies of certifications or reports demonstrating Deduce’s compliance with prevailing data security standards applicable to the processing of Customer’s Personal Data, or (ii) if the provision of reports or certifications pursuant to (i) is not reasonably sufficient under Data Protection Laws, allow Customer’s independent third party representative to conduct an audit or inspection of Deduce’s data security infrastructure and procedures that is sufficient to demonstrate Deduce’s compliance with its obligations under Data Protection Laws, provided that (a) Customer provides reasonable prior written notice of any such request for an audit and such inspection shall not be unreasonably disruptive to Deduce’s business; (b) such audit shall only be performed during business hours and occur no more than once per calendar year; and (c) such audit shall be restricted to data relevant to Customer. Customer shall be responsible for the costs of any such audits or inspections, including without limitation a reimbursement to Deduce for any time expended for on-site audits. If Customer and Deduce have entered into Standard Contractual Clauses, the parties agree that the audits described in Clause 8.9 of the EU SCCs shall be carried out in accordance with this Section.
- Deduce shall immediately notify Customer if an instruction, in Deduce’s opinion, infringes the Data Protection Laws or Supervisory Authority.
- In the event of a Personal Data Breach, Deduce shall, without undue delay, inform Customer of the Personal Data Breach and take such steps as Deduce in its sole discretion deems necessary and reasonable to remediate such violation (to the extent that remediation is within Deduce’s reasonable control).
- In the event of a Personal Data Breach, Deduce shall, taking into account the nature of the processing and the information available to Deduce, provide Customer with reasonable cooperation and assistance necessary for Customer to comply with its obligations under the GDPR with respect to notifying (i) the relevant Supervisory Authority and (ii) Data Subjects affected by such Personal Data Breach without undue delay.
- Following completion of the Services, at Customer’s choice, Deduce shall return or delete Customer’s Personal Data, unless further storage of such Personal Data is required or authorized by applicable law. If return or destruction is impracticable or prohibited by law, rule or regulation, Deduce shall take measures to block such Personal Data from any further processing (except to the extent necessary for its continued hosting or processing required by law, rule or regulation) and shall continue to appropriately protect the Personal Data remaining in its possession, custody, or control. If Customer and Deduce have entered into Standard Contractual Clauses, the parties agree that the certification of deletion of Personal Data that is described in Clause 8.1(d) and Clause 8.5 of the EU SCCs (as applicable) shall be provided by Deduce to Customer only upon Customer’s request.
- Authorized Sub-Processors. Customer acknowledges and agrees that Deduce may (1) engage its affiliates and the authorized sub-processors listed in Annex III or V to this Exhibit to access and process Personal Data in connection with the Services and (2) from time to time engage additional third parties for the purpose of providing the Services, including without limitation the processing of Personal Data. By way of this Exhibit, Customer provides general written authorization to Deduce to engage sub-processors as necessary to perform the Services.
- A list of Deduce’s current authorized sub-processors (the “List”) will be made available to Customer, at a link provided to Customer, via email or through another means made available to Customer. Such List may be updated by Deduce from time to time. Deduce may provide a mechanism to subscribe to notifications of new authorized sub-processors and Customer agrees to subscribe to such notifications where available. At least ten (10) days before enabling any third party other than existing authorized sub-processors to access or participate in the processing of Personal Data, Deduce will add such third party to the List and notify Customer via email. Customer may object to such an engagement by informing Deduce within ten (10) days of receipt of the aforementioned notice by Customer, provided such objection is in writing and based on reasonable grounds relating to data protection. Customer acknowledges that certain sub-processors are essential to providing the Services and that objecting to the use of a sub-processor may prevent Deduce from offering the Services to Customer.
- If Customer reasonably objects to an engagement in accordance with Section 4.1.10, and Deduce cannot provide a commercially reasonable alternative within a reasonable period of time, Customer may discontinue the use of the affected Service by providing written notice to Deduce. Discontinuation shall not relieve Customer of any fees owed under the Agreement.
- If Customer does not object to the engagement of a third party in accordance with Section 4.1.10 within ten (10) days of notice by Deduce, that third party will be deemed an authorized sub-processor for the purposes of this Exhibit.
- Deduce will enter into a written agreement with the authorized sub-processor imposing data protection obligations comparable to those imposed on Deduce under this Exhibit with respect to the protection of Personal Data. In case an authorized sub-processor fails to fulfill its data protection obligations under such written agreement with Deduce, Deduce will remain liable to Customer for the performance of the authorized sub-processor’s obligations under such agreement.
- If Customer and Deduce have entered into Standard Contractual Clauses, (i) the above authorizations will constitute Customer’s prior written consent to the subcontracting by Deduce of the processing of Personal Data if such consent is required under the Standard Contractual Clauses, and (ii) the parties agree that the copies of the agreements with authorized sub-processors that must be provided by Deduce to Customer pursuant to Clause 9(c) of the EU SCCs may have commercial information, or information unrelated to the Standard Contractual Clauses or their equivalent, removed by Deduce beforehand, and that such copies will be provided by Deduce only upon request by Customer.
- Processing of Personal Data. This Section 4 applies if and to the extent Deduce has expressly agreed in writing to process a Personal Data set as a processor pursuant to the GDPR.
- Transfers of Personal Data.
- Ex-EEA Transfers. If and to the extent Deduce has agreed in writing to process a Personal Data set as a processor, the parties agree that ex-EEA Transfers are made pursuant to Module Two (Controller-to-Processor) or Module Three (Processor-to-Processor) of the EU SCCs, which are deemed entered into (and incorporated into this Addendum by this reference) and completed as follows:
- The optional docking clause in Clause 7 does not apply.
- In Clause 11, the optional language does not apply;
- All square brackets in Clause 13 are hereby removed;
- In Clause 17 (Option 1), the EU SCCs will be governed by the laws of Ireland;
- In Clause 18(b), disputes will be resolved before the courts of Ireland;
- Annex III to Exhibit B to this Agreement contains the information required in Annex I of the EU SCCs for Module Two;
- Annex IV to Exhibit B to this Agreement contains the information required in Annex II of the EU SCCs for Module Two;
- Annex V to Exhibit B to this Agreement contains the information required in Annex I of the EU SCCs for Module Three;
- Annex VI to Exhibit B to this Agreement contains the information required in Annex II of the EU SCCs for Module Three; and
- By entering into this Addendum, the parties are deemed to have signed the EU SCCs incorporated herein, including their Annexes.
- Ex-UK Transfers. The parties agree that ex-UK Transfers are made pursuant to the UK SCCs, which are deemed entered into and incorporated into this Addendum by reference, and amended and completed in accordance with the UK Addendum, which is incorporated herein as Exhibit D of this Agreement.
- Transfers from Switzerland. The Parties agree that transfers from Switzerland are made pursuant to the EU SCCs with the following modifications:
- The terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as utilized in the EU SCCs shall be interpreted to include the Federal Act on Data Protection of 19 June 1992 (the “FADP,” and as revised as of 25 September 2020, the “Revised FADP”) with respect to data transfers subject to the FADP.
- The terms of the EU SCCs shall be interpreted to protect the data of legal entities until the effective date of the Revised FADP.
- Clause 13 of the EU SCCs is modified to provide that the Federal Data Protection and Information Commissioner (“FDPIC”) of Switzerland shall have authority over data transfers governed by the FADP and the appropriate EU Supervisory Authority shall have authority over data transfers governed by the GDPR. Subject to the foregoing, all other requirements of Clause 13 shall be observed.
- The term “EU Member State” as utilized in the EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the EU SCCs.
- Supplementary Measures. In respect of any ex-EEA Transfer or ex-UK Transfer made pursuant to the Standard Contractual Clauses, the following supplementary measures shall apply:
- Deduce (as the data importer) has not received any formal legal requests from any government intelligence or security service/agencies in the country to which the Personal Data is being exported, for access to (or for copies of) Customer’s Personal Data (“Government Agency Requests”);
- If Deduce receives any Government Agency Requests, Deduce shall attempt to redirect the law enforcement or government agency to request that data directly from Customer. As part of this effort, Deduce may provide Customer’s basic contact information to the government agency. If compelled to disclose Customer’s Personal Data to a law enforcement or government agency, Deduce shall give Customer reasonable notice of the demand and cooperate to allow Customer to seek a protective order or other appropriate remedy unless Deduce is legally prohibited from doing so. Deduce shall not voluntarily disclose Personal Data to any law enforcement or government agency. Customer and Deduce shall (as soon as reasonably practicable) discuss and determine whether all or any transfers of Personal Data pursuant to this Exhibit should be suspended in light of such Government Agency Requests; and
- Customer and Deduce will meet regularly to consider whether:
- the protection afforded by the laws of the country of Deduce to Data Subjects whose Personal Data is being transferred is sufficient to provide broadly equivalent protection to that afforded in the EEA or the UK, whichever the case may be;
- additional measures are reasonably necessary to enable the transfer to be compliant with the Data Protection Laws; and
- it is still appropriate for Personal Data to be transferred to Deduce, taking into account all relevant information available to the parties, together with guidance provided by the supervisory authorities.
- If Data Protection Laws require Customer to execute the Standard Contractual Clauses applicable to a particular transfer of Personal Data to Deduce as a separate agreement, Deduce shall, on request of the Customer, promptly execute such Standard Contractual Clauses incorporating such amendments as may reasonably be required by the Customer to reflect the applicable appendices and annexes, the details of the transfer and the requirements of the relevant Data Protection Laws.
- If either (i) any of the means of legitimizing transfers of Personal Data outside of the EEA or UK set forth in this Exhibit cease to be valid or (ii) any Supervisory Authority requires transfers of Personal Data pursuant to those means to be suspended, then Deduce may by notice to the Customer, with effect from the date set out in such notice, amend or put in place alternative arrangements in respect of such transfers, as required by Data Protection Laws.
- U.S. State Privacy Laws
- Unless otherwise expressly agreed in writing, Deduce shall process Personal Information as a third party under the CCPA and as a controller under the VCDPA. For the purposes of this Section 7, “Personal Information,” “commercial purpose,” “third party,” “service provider,” “sell,” “share,” “consumer,” “verifiable consumer request,” “controller” and “processor” shall have the meanings set forth in the CCPA and VCDPA, as applicable.
- CCPA. Deduce, as a third party for the purposes of the CCPA, shall (i) process Personal Information provided by Customer for the purposes set forth in Section 8 (“Customer Data”), (ii) comply with all applicable sections of the CCPA and its regulations, including by providing the level of privacy protection required of businesses by the CCPA and its regulations, (iii) provide Customer with information required for Customer to take reasonable and appropriate steps to ensure that Deduce uses Personal Information in a manner consistent with its obligation under the CCPA and its regulations, (iv) grant Customer the right, upon reasonable notice to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information made available to Deduce, and (v) notify Customer after it makes a determination that it can no longer meet its obligations under the CCPA and its regulations.
- VCDPA. Deduce, as a controller, shall (i) process Personal Information provided by Customer for the purposes set forth in Section 8 (“Customer Data”), (ii) comply with all applicable sections of the VCDPA and its regulations, (iii) provide Customer with information required for Customer to take reasonable and appropriate steps to ensure that Deduce uses Personal Information in a manner consistent with its obligation under the VCDPA and its regulations, and (iv) grant Customer the right, upon reasonable notice to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information made available to Deduce, and (v) notify Customer after it makes a determination that it can no longer meet its obligations under the VCDPA and its regulations.
- If Deduce has expressly agreed in writing to process a Personal Information set as a service provider under the CCPA and a processor under the VCDPA, then the following terms apply solely with respect to that Personal Information set:
- CCPA. Deduce, as a service provider, shall (i) process Personal Information provided by Customer for the purposes set forth in Section 8 (“Customer Data”), (ii) comply with all applicable sections of the CCPA and its regulations, including by providing the level of privacy protection required by the CCPA and its regulations, (iii) provide Customer with information required for Customer to take reasonable and appropriate steps to ensure that Deduce uses Personal Information in a manner consistent with its obligation under the CCPA and its regulations, (iv) grant Customer the right, upon reasonable notice to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information made available to Deduce, and (v) notify Customer after it makes a determination that it can no longer meet its obligations under the CCPA and its regulations. Deduce shall not retain, use, or disclose Personal Information provided by Customer pursuant to the Agreement for any purpose, including a commercial purpose, other than as necessary for the specific purpose of performing the Services for Customer pursuant to the Agreement, or as otherwise set forth in the Agreement or as permitted by the CCPA. Deduce shall not retain, use, or disclose Personal Information provided by Customer pursuant to the Agreement outside of the direct business relationship between Deduce and Customer, except where and to the extent permitted by the CCPA. Deduce shall not sell or share Personal Information provided to Deduce by Customer pursuant to this Section. Deduce shall assist Customer in responding to verifiable consumer requests to exercise the consumer’s rights under the CCPA. To the extent required by the CCPA, Deduce shall allow Customer to conduct inspections or audits in accordance with this Exhibit. 
Deduce shall only engage a new sub-processor to assist Deduce in providing the Services to Customer under the Agreement in accordance with Section 4.1.10 of this Exhibit, including, without limitation, by: (i) notifying Customer of such engagement via the relevant notification mechanism at least ten (10) days before enabling a new sub-processor; and (ii) entering into a written contract with the sub-processor requiring sub-processor to observe all of the applicable requirements set forth in the CCPA.
- VCDPA. Deduce, as a processor, shall (i) adhere to Customer’s instructions with respect to the processing of Customer Personal data, (ii) comply with all applicable sections of the VCDPA and its regulations, (iii) provide Customer with information required for Customer to take reasonable and appropriate steps to ensure that Deduce uses Personal Information in a manner consistent with its obligation under the VCDPA and its regulations, (iv) grant Customer the right, upon reasonable notice to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information made available to Deduce, and (v) notify Customer after it makes a determination that it can no longer meet its obligations under the VCDPA and its regulations. Deduce shall maintain the confidentiality of Personal Information provided by Customer and require that each person processing such Personal Information be subject to a duty of confidentiality with respect to such processing. Upon Customer’s written request, Deduce shall delete or return all Personal Information provided by Customer pursuant to this Section 7, unless retention of such Personal Information is required or authorized by law or the Exhibit and/or Agreement. In the event that Deduce engages any other person or a sub-processor to assist Deduce in providing the Services to Customer under the Agreement, Deduce shall enter into a written contract with the sub-processor requiring sub-processor to observe all of the applicable requirements of a processor set forth in the VCDPA. Upon Customer’s written request at reasonable intervals, Deduce shall, as set forth in this Exhibit, (i) make available to Customer all information in its possession that is reasonably necessary to demonstrate Deduce’s compliance with its obligations under the VCDPA; and (ii) allow and cooperate with reasonable inspections or audits as required under the VCDPA.
ANNEX I
A. LIST OF PARTIES
Data exporter(s):
Name: Customer, as set forth in Order Form
Address: As set forth in Order Form
Contact person’s name, position and contact details: As set forth in Order Form
Activities relevant to the data transferred under these Clauses: As set forth in Order Form
Role (controller/processor): Controller
Data importer(s):
Name: Deduce
Address: As set forth in Order Form
Contact person’s name, position and contact details: As set forth in Order Form
Activities relevant to the data transferred under these Clauses: As set forth in Order Form
Role (controller/processor): Controller
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: Customer’s end users.
Categories of personal data transferred: Full name, personal address, business address, shipping address, billing address, phone number, email address, IP address, useragent, referrer, application ID
Sensitive data transferred (if applicable): None.
The frequency of the transfer: Continuous
Nature of the processing: As set forth in Order Form
Purpose(s) of the data transfer and further processing: As set forth in Order Form
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: As needed to provide the Services to Deduce customers or to improve the Services, subject to any retention periods prescribed by Data Protection Law.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: N/A
C. COMPETENT SUPERVISORY AUTHORITY
The Supervisory Authority shall be the Supervisory Authority of the Data Exporter, as determined in accordance with Clause 13 of the EU SCCs. The Supervisory Authority for the purposes of the UK Addendum shall be the UK Information Commissioner’s Office.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
- Internal risk assessments
- Deduce Privacy Policy
- NIST guidance; and
- SOC2 Type II (or successor standard) audits annually performed by accredited third-party auditors (“Audit Report”)
ANNEX III
A. LIST OF PARTIES
Data exporter(s):
Name: Customer, as set forth in Order Form
Address: As set forth in Order Form
Contact person’s name, position and contact details: As set forth in Order Form
Activities relevant to the data transferred under these Clauses: As set forth in Order Form
Role (controller/processor): Controller
Data importer(s):
Name: Deduce
Address: As set forth in Order Form
Contact person’s name, position and contact details: As set forth in Order Form
Activities relevant to the data transferred under these Clauses: As set forth in Order Form
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: Customer’s end users.
Categories of personal data transferred: Full name, personal address, business address, shipping address, billing address, phone number, email address, IP address, useragent, referrer, application ID
Sensitive data transferred (if applicable): None.
The frequency of the transfer: Continuous
Nature of the processing: As set forth in Order Form
Purpose(s) of the data transfer and further processing: As set forth in Order Form
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: As needed to provide the Services to Deduce customers or to improve the Services, subject to any retention periods prescribed by Data Protection Law.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: [__]
C. COMPETENT SUPERVISORY AUTHORITY
The Supervisory Authority shall be the Supervisory Authority of the Data Exporter, as determined in accordance with Clause 13 of the EU SCCs. The Supervisory Authority for the purposes of the UK Addendum shall be the UK Information Commissioner’s Office.
D. LIST OF AUTHORIZED SUBCONTRACTORS
| Name of Authorized Subcontractor | Address | Contact Person Name, position, contact information | Description of processing | Country in which subprocessing will take place |
ANNEX IV
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
- Internal risk assessments
- Deduce Privacy Policy
- NIST guidance; and
- SOC2 Type II (or successor standard) audits annually performed by accredited third-party auditors (“Audit Report”)
ANNEX V
A. LIST OF PARTIES
Data exporter(s):
Name: Customer, as set forth in Order Form
Address: As set forth in Order Form
Contact person’s name, position and contact details: As set forth in Order Form
Activities relevant to the data transferred under these Clauses: As set forth in Order Form
Role (controller/processor): Processor
Data importer(s):
Name: Deduce
Address: As set forth in Order Form
Contact person’s name, position and contact details: As set forth in Order Form
Activities relevant to the data transferred under these Clauses: As set forth in Order Form
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: Customer’s end users.
Categories of personal data transferred: Full name, personal address, business address, shipping address, billing address, phone number, email address, IP address, useragent, referrer, application ID
Sensitive data transferred (if applicable): None.
The frequency of the transfer: Continuous
Nature of the processing: As set forth in Order Form
Purpose(s) of the data transfer and further processing: As set forth in Order Form
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: As needed to provide the Services to Deduce customers or to improve the Services, subject to any retention periods prescribed by Data Protection Law.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: [__]
C. COMPETENT SUPERVISORY AUTHORITY
The Supervisory Authority shall be the Supervisory Authority of the Data Exporter, as determined in accordance with Clause 13 of the EU SCCs. The Supervisory Authority for the purposes of the UK Addendum shall be the UK Information Commissioner’s Office.
D. LIST OF AUTHORIZED SUBCONTRACTORS
| Name of Authorized Subcontractor | Address | Contact Person Name, position, contact information | Description of processing | Country in which subprocessing will take place |
ANNEX VI
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
- Internal risk assessments
- Deduce Privacy Policy
- NIST guidance; and
- SOC2 Type II (or successor standard) audits annually performed by accredited third-party auditors (“Audit Report”)
Exhibit C
UK Addendum
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
Part 1: Tables
Table 1: Parties
| Start Date | This UK Addendum shall have the same effective date as the Agreement |
| The Parties | Exporter | Importer |
| Parties’ Details | Customer | Deduce |
| Key Contact | See Order Form | See Order Form |
Table 2: Selected SCCs, Modules and Selected Clauses
| EU SCCs | The Version of the Approved EU SCCs which this UK Addendum is appended to as defined in Exhibit B and completed by Section 3.1 of Exhibit B. |
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this UK Addendum is set out in:
| Annex 1A: List of Parties | As per Table 1 above |
| Annex 2B: Description of Transfer | See Annex I of Exhibit B of this Agreement |
| Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: | See Annex II of Exhibit B of this Agreement |
| Annex III: List of Sub processors (Modules 2 and 3 only): | N/A |
Table 4: Ending this UK Addendum when the Approved UK Addendum Changes
| Ending this UK Addendum when the Approved UK Addendum changes | ☒ Importer ☐ Exporter ☐ Neither Party |
Part 2: Mandatory Clauses
- Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.
Exhibit D
UK Addendum
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
Part 1: Tables
Table 1: Parties
| Start Date | This UK Addendum shall have the same effective date as the Agreement |
| The Parties | Exporter | Importer |
| Parties’ Details | Customer | Deduce |
| Key Contact | See Order Form | See Order Form |
Table 2: Selected SCCs, Modules and Selected Clauses
| EU SCCs | The Version of the Approved EU SCCs which this UK Addendum is appended to as defined in Exhibit B and completed by Section 4.2.1 of Exhibit B. |
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this UK Addendum is set out in:
| Annex 1A: List of Parties | As per Table 1 above |
| Annex 2B: Description of Transfer | See Annex I of Exhibit B of this Agreement |
| Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: | See Annex II of Exhibit B of this Agreement |
| Annex III: List of Sub processors (Modules 2 and 3 only): | [___] |
Table 4: Ending this UK Addendum when the Approved UK Addendum Changes
| Ending this UK Addendum when the Approved UK Addendum changes | ☒ Importer ☐ Exporter ☐ Neither Party |
Part 2: Mandatory Clauses
- Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.