Data Processing Addendum

Updated – Jan 2, 2024

This Data Processing Addendum (“DPA”) is incorporated by reference as part of the Juphy Terms of Service available at www.juphy.com/legal as updated from time to time (the “Terms”) between Juphy, Inc. (“Juphy”) and the entity entering the Terms as a client of Juphy Platform (the “Client”).

This DPA sets out the roles and obligations that apply when Juphy processes Personal Data falling within the scope of EU/UK Data Protection Law or Personal Information falling within the scope of the CCPA on behalf of Client in the course of providing the Juphy services (“Juphy Services” or “Services”).

This DPA consists of two sections:

  1. Data Processing Terms
  2. Standard Contractual Clauses

SECTION I

 

DATA PROCESSING TERMS

  • Parties
    1. This DPA is concluded between the Client and Juphy. The Client and Juphy are hereinafter collectively referred to as the “Parties”, and individually as the “Party”.

 

  • Background
  • The Client and Juphy have entered into an agreement for the provision of Juphy Services under the online Terms.
  • In the course of providing Services under the Terms, Juphy may, on behalf of the Client process Personal Data/Personal Information, in connection with the Services.
  • Accordingly, the Parties are entering into this DPA in order to comply with applicable data protection laws and other legal commitments.


  • Definitions
  • Within the context of herein DPA, the following expressions shall bear the meanings ascribed to them below. All capitalized terms not defined in this DPA shall have the meanings set forth in the Terms.
Terms of Service/Terms means the terms and conditions or other written or electronic agreement between Juphy and Client setting out the provision and use of the Juphy Services
US Data Protection Law, CCPA means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq.
EEA means the European Economic Area
Client Data means Personal Information or Personal Data which is processed by Juphy solely on behalf of Client, as detailed in Annex 1
EU/UK Data Protection Law means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “EU GDPR”); and (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”); in each case as may be amended or superseded from time to time
Restricted Transfer means (i) where the EU GDPR applies, a transfer of personal data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018
Standard Contractual Clauses means (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR (“UK SCCs”)

Standard Contractual Clauses are incorporated herein as SECTION 2 to this DPA.

DPA means this Data Processing Addendum, including all schedules, notifications and all notices to this DPA
Processing/Process means any operation or set of operations whether by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction
Processor means the entity which Processes Personal Data on behalf of the Controller; where the entity Processes the Personal Data pursuant to the Controller’s instructions and solely to provide the Services
Services shall mean Juphy Services provided as SaaS, and any required, usual, appropriate or acceptable activities relating to the Services, including without limitation to (i) carry out the Services or the business of which the Services are a part, (ii) carry out any benefits, rights and obligations relating to the Services, (iii) maintain records relating to the Services, or (iv) comply with any legal or self-regulatory obligations relating to the Services
Data Protection Laws means any and all applicable privacy and data protection laws and regulations, including, where applicable, EU/UK Data Protection Law and the CCPA, and all as may be amended or superseded from time to time
Sub-processor means the entity engaged by the Processor of any further sub-contractor to Process Personal Data on behalf of and under the instructions of the Controller
Controller means the entity which determines the purposes and means of the Processing of Personal Data
Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in Juphy’s possession, custody or control, to the extent the breach materially compromises the confidentiality, security or integrity of the Personal Data
Data Subject means a natural person who can be identified or rendered identifiable through the Personal Data related to
Personal Information/Personal Data

For the purposes of GDPR, Personal Data means any information relating to a Data Subject such as a name, identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity

For the purposes of the CCPA, Personal Information means any information that identifies, relates to, describes or is capable of being associated with, or could reasonably be linked, directly or indirectly, with a Data Subject

For the avoidance of doubt;

  • The terms “Controller”, “Processor”, “Personal Data”, “processing”, “special categories of data” and “data subject” have the meanings given to them in the EU GDPR and UK GDPR.
  • The terms “Business”, “Service Provider”, “Third Party”, “Personal Information”, “Consumer”, “sell”, and “Business Purposes” have the meanings given to them in the CCPA.
  • “Data Subject” shall also mean and refer to “Consumer” as such term is defined in the CCPA.
  • “Personal Data” shall also mean “Personal Information” for the purpose of this DPA.

 

  • Applicability of this DPA
  • To the extent that Juphy processes Personal Data falling within the scope of EU/UK Data Protection Law on behalf of Client in the course of providing the Juphy Services, the relevant provisions of this DPA apply.
  • To the extent that Juphy processes Personal Information falling within the scope of the CCPA on behalf of Client in the course of providing the Juphy Services, the relevant provisions of this DPA apply.
  • For the avoidance of doubt, where it is not clear whether EU/UK Data Protection Law, the CCPA, or both apply, all provisions of this DPA shall apply.


  • Relationship of the Parties
  • As between Juphy and Client, Client is the Controller for purposes of EU/UK Data Protection Law of the Personal Data, and the Business for purposes of the CCPA with respect to the Personal Information, that is provided to Juphy for processing under the Terms and as described in Annex 1 to this DPA and Juphy shall process the Personal Data and/or Personal Information as a Processor and/or Service Provider on behalf of Client.


  • Details of the Processing
  • The purpose, subject matter, and duration of the Processing carried out by Juphy on behalf of the Client, the nature and purpose of the Processing, the type of Personal Data, and categories of Data Subjects are described in Annex 1, which forms an integral part of the DPA.


  • Client’s Processing of Personal Data
  • The Client shall be responsible for:
  • Complying with all applicable laws relating to privacy and data protection in respect of its use of the Juphy Services, its processing of the Personal Data, and any processing instructions it issues to Juphy;
  • Ensuring it has the right to transfer, or provide access to, the Personal Data to Juphy for processing pursuant to the Terms and this DPA; and
  • Ensuring that it shall not disclose (nor permit any data subject to disclose) any special categories of data to Juphy for processing.
  • The Client represents and warrants that the Processing of Client Data is in compliance with Data Protection Laws, including by establishing a lawful basis if and as required, and that the instructions provided to Juphy shall comply with applicable Data Protection Law.
  • In the event EU Data Protection or CCPA do not apply to the Client, then Client must abide by whatever other Data Protection Laws and data security laws and regulations applicable to it, and at a minimum: (i) obtain and maintain any and all authorizations, permissions and informed consents, as may be necessary under applicable laws and regulations, in order to allow Juphy to lawfully process and use the Client Data within the scope of the Services;  and (ii) have, properly publish and abide by an appropriate privacy policy that complies with all applicable Data Protection Laws.


  • Juphy’s Processing of Personal Data
  • Juphy shall process the Personal Data and/or Personal Information only for the purposes described in the Terms and in accordance with the lawful, documented instructions of Client (including the instructions of any Authorized Users accessing the Services on Client’s behalf) as set out in the Terms and this DPA.
  • Juphy shall not;
  • sell the Personal Information;
  • retain, use, or disclose Personal Information for any purpose other than for the specific purpose of performing the Services;
  • retain, use, or disclose the Personal Information for a commercial purpose other than providing the Services; or
  • retain, use, or disclose the information outside of the direct business relationship between Juphy and the Client.
  • Juphy shall only Process Personal Data on behalf of and in accordance with Client’s documented instructions for purposes of (i) Processing for business purposes, in accordance with the Terms; (ii) Processing initiated by Authorized Users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Client (e.g., emails) as further set out in Juphy Privacy Policy. Juphy shall not be obliged to act in accordance with any instructions outside the scope of the Terms except with the prior written agreement of both Parties.
      1. Juphy represents and warrants that (i) it shall process the Personal Data on behalf of Client, solely for the purpose of providing the Services and for the pursuit of a Business Purpose as set forth under the CCPA, all in accordance with Client’s written instructions including as set forth in the Terms and this DPA; and (ii) in the event the Juphy is required under applicable laws to Process Client Data other than as instructed by Client, Juphy shall make its best efforts to inform Client of such requirement prior to Processing such Client Data unless prohibited under applicable law.
  • Juphy will promptly inform Client if, in its opinion, Client’s instructions infringe EU/UK Data Protection Law, or if Juphy is unable to comply with Clients’ instructions. Juphy shall inform Client of any applicable legal requirement under applicable laws that prevents Juphy from complying with Client’s instructions, unless that law prohibits such information on important grounds of public interest.
  • Juphy shall take reasonable steps to instruct and train any of its and/or its Sub-processors’ employees who have access to Personal Data to maintain the confidentiality and security of the Personal Data and shall limit access to Personal Data on a need-to-know basis. Within this context, Juphy shall take reasonable steps to ensure (i) the reliability of its staff and any other person acting under its supervision who may come into contact with or otherwise have access to and Process the Client Data; (ii) that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and (iii) ensure that such personnel is aware of their responsibilities under this DPA and any applicable Data Protection Laws.

 

 

  • Data Subjects’ Rights Requests
  • Juphy shall, to the extent legally permitted, promptly notify Client if Juphy receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making (“DSR Request”).
  • Taking into account the nature of the Processing, Juphy shall assist Client by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Client’s obligation to respond to a DSR Request under the applicable laws.
  • To the extent Client, in its use of the Services, does not have the ability to address a DSR Request, Juphy shall, upon Client’s request, provide commercially reasonable efforts to assist Client in responding to such a DSR Request, to the extent Juphy is legally permitted to do so and the response to such DSR Request is required under applicable data protection legislation. To the extent legally permitted, Client shall be responsible for any costs arising from Juphy’s provision of such assistance.
    1. When Juphy receives a request from an authority, with respect to Client Data, Juphy will, unless otherwise required under applicable laws, direct the authority to the Client in order to enable the Client to respond directly.
    2. Both Parties shall provide each other with commercially reasonable cooperation and assistance in relation to the handling of DSR Requests or authority requests.

 

  • “Do Not Sell” Personal Information
    1. It is hereby agreed that any Processing of Personal Data between the Parties is done solely in order to fulfill a Business Purpose and shall not be considered a “sale” under the CCPA.

 

  • Sub-processor
      1. A list of Service Provider’s current Sub-Processors is available at Annex 3. Juphy may continue to use those Sub-Processors already engaged by Juphy, as listed in Annex 3, and Juphy may engage an additional or replace an existing Sub-Processor to process Personal Data subject to providing a 30-day prior notice to the Client. In case the Client has not objected to the adding or replacement of a Sub-Processor, such Sub-Processor shall be considered as approved by the Client. Client’s objection should be sent to privacy@juphy.com and explain the reasonable grounds for the objection.
  • In such event, the Parties shall cooperate in good faith to reach a resolution and if such resolution cannot be reached, then Juphy, at its discretion, will either not appoint or replace the Sub-processor or, will permit Client to suspend or terminate the affected Service or -if applicable- the Terms (without prejudice to any fees incurred by Client prior to suspension or termination).
  • Juphy shall, where it engages any Sub-Processor, impose, through a legally binding contract between Juphy and the Sub-Processor, data protection obligations no less onerous than those set out in this DPA on the Sub-Processor. Juphy shall ensure that such contract will require the Sub-Processor to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the Data Protection Law.
  • Juphy shall remain fully responsible for the performance of the Sub-Processors obligations and shall notify the Client of any failure by the Sub-Processor to fulfill its contractual obligations.


  • Technical and Organizational Measures
  • Taking into account state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, without prejudice to any other security standards agreed upon by the Parties, Juphy shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and in accordance with best industry practices to protect data from a Personal Data Breach.
  • Parties acknowledge that security requirements are constantly evolving, and that effective security requires frequent evaluation and regular improvements of outdated security measures.
  • Technical and organizational measures implemented by Juphy to ensure an appropriate level of security are further detailed in Annex 2.


  • Personal Data Breach
  • Juphy will notify Client upon becoming aware of any confirmed Personal Data Breach involving Client Data, as determined by Juphy in its sole discretion. Juphy will, in connection with any Personal Data Breach affecting Client Data;
  • take needed steps to contain, remediate, minimize any effects of and investigate any Personal Data Breach and to identify its cause;
  • cooperate with the Client and provide Client with needed assistance and information as it may reasonably require in connection with the Personal Data Breach;
  • notify Client in writing of any request, inspection, audit or investigation by a supervisory authority or other authority;
  • keep the Client informed of all material developments in connection with the Personal Data Breach and execute a response plan to address the Personal Data Breach; and
  • cooperate with the Client and assist Client, at the Client’s expense, with the Client’s obligation to notify affected individuals if required.
  • Juphy’s notification regarding or response to a Personal Data Breach under this Section 13 shall not be construed as an acknowledgment by Juphy of any fault or liability with respect to the Personal Data Breach.


  • Audit Rights
  • Juphy shall respond to inquiries from the Client regarding the Processing of Personal Data in accordance with this DPA, further, shall make available to the Client all information necessary to demonstrate compliance with the obligations under the EU Data Protection Laws.
  • Juphy shall make available, solely upon prior written notice and no more than once per year, unless in the event of a Personal Data Breach, to a reputable auditor nominated by Client, information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Client Data (“Audit”) in accordance with the terms and conditions hereunder.
  • The Audit shall be subject to the terms of this DPA and standard confidentiality obligations (including towards third parties). Juphy may object to an auditor appointed by Client in the event Juphy reasonably believes the auditor is not suitably qualified or independent, is a competitor of Juphy, or otherwise unsuitable (“Objection Notice”).
  • The Client will appoint a different auditor or conduct the Audit itself upon its receipt of an Objection Notice from Juphy. The Client shall bear all expenses related to the Audit and shall (and ensure that each of its auditors shall), over the course of such Audit, avoid causing any damage, injury, or disruption to Juphy’s premises, equipment, personnel, and business. Any and all conclusions of such an Audit shall be confidential and reported back to Juphy immediately.
  • Any information obtained under this Section 14 shall be deemed Confidential Information and are subject to the confidentiality obligations set forth in the Terms.


  • International Transfers
      1. The Client acknowledges and agrees that Client Data will be processed by Juphy in the European Economic Area (EEA).
      2. The Parties agree that when the Processing includes transferring of Personal Data from the EEA to other countries and such transfers are not performed through an alternative recognized compliance mechanism as may be adopted by Juphy for the lawful transfer of processing Personal Data outside the EEA as applicable or is not exempt under Article 49 of the GDPR (collectively “Restricted Transfer”), it shall be subject to the appropriate Standard Contractual Clauses as follows:
        1. In order to maintain the integrity, security and confidentiality of the Personal Data, a Restricted Transfer shall be subject, in addition to the terms of this DPA, to the terms and obligations of the Module IV (processor-to-controller) of the Standard Contractual Clauses in which Juphy shall be deemed as the Data Exporter and the Client shall be deemed as the Data Importer.
        2. In relation to Personal Data that is protected by the EU GDPR, the EU SCC will apply completed as follows:
          1. Module IV (processor-to-controller) (EU SCC, as stipulated under SECTION II) will apply;
        3. In relation to Personal Data that is protected by the UK GDPR, the UK SCCs (as stipulated under (Supplementary Terms for UK GDPR Transfers Only) will apply completed as follows:
  • In the event that any provision of this Data Processing Terms contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
  • If compliance with EU Data Protection Law and the US Data Privacy Laws applicable to international data transfers is affected by circumstances outside of the Parties’ control, including if an instrument for international data transfers is invalidated, amended, or replaced, then Client and Juphy will work together in good faith to reasonably resolve such non-compliance. In the event that additional, replacement or alternative EEA or UK SCC are approved by the relevant EEA or UK authorities, the Parties reserve the right to amend the Terms of Service and this DPA by adding to, changing or replacing, the EEA or UK SCC that form part of it at the date of signature in order to ensure continued compliance with EU/UK Data Protection Law.
  • The Client further agrees that where Juphy engages Sub-processors, and those processing activities include a Restricted Transfer, Juphy and the Sub-Processor shall be bound by the Standard Contractual Clauses in which Juphy shall be deemed as the Data Exporter and the Sub-Processor shall be deemed as the Data Importer. For the purposes of such engagement, Juphy and the Sub-Processor will enter into Module III of the Standard Contractual Clauses available at here.


  • Conflict with the Terms
  • In the event of a conflict between the provisions of this DPA and those of the Terms in respect of the Processing and protection of Personal Data, the provisions of this DPA will prevail. Except as expressly modified herein, all terms and conditions of the Terms shall remain in full force and effect.


  • Term and Termination
  • The data entrusted to the Processor will be processed by them only for the period necessary in this regard. The Parties also agree that this DPA shall be effective from the date of its conclusion to the moment of termination of the Terms. For the avoidance of any doubt Parties agree that this DPA shall be terminated upon the termination of the Terms.
  • The Client shall be entitled to suspend the Processing of Client Data in the event Juphy is in breach of Data Protection Laws, this DPA or a binding decision of a competent court or the competent supervisory authority.
  • Juphy shall be entitled to terminate this DPA or terminate the Processing of Client Data in the event the Processing of Personal Data under the Client’s instructions or this DPA infringe applicable legal requirements. Such termination shall be subject to informing the Client and the Client insists on compliance with the instructions.
  • Upon termination or expiration of the Terms, the parties acknowledge and agree that the return or destruction of the Personal Data processed by Juphy shall be achieved via the Client initiating the export or deletion (as the case may be) of such Personal Data via the user interface made available by Juphy. Once initiated by the Client, a requested deletion shall be finalised on completion of the next routine clean-up cycle. The parties agree that, upon the request of the Client, Juphy shall provide confirmation of the completion of the relevant clean-up cycle as certification of destruction of the Personal Data.
  • At the written request of the Client, following termination of this DPA and unless applicable law or regulatory requires the storage of the Client’s Personal Data, Juphy shall delete all Client’s Personal Data processed on behalf of the Client and certify to the Client that it has done so, or return all the Client’s Personal Data to the Client and delete existing copies. Until the data is deleted or returned, Juphy shall continue to ensure compliance with this DPA.


  • Miscellaneous Provisions
  • Except as amended by this DPA, the Terms will remain in full force and effect.
  • Any claims brought under this DPA shall be subject to the Terms, including but not limited to the exclusions and limitations of liability set forth in the Terms.
  • This DPA is incorporated into and forms part of the Terms. For matters not addressed under this DPA, the terms of the Terms of Service apply.
  • In the event of a conflict between the terms of the DPA and the Standard Contractual Clauses, the Standard Contractual Clauses (UK SCC and EU SCC) will prevail.
  • This DPA shall be governed by, and construed in accordance with, the laws of the State of Delaware and the courts of Delaware shall have exclusive jurisdiction to hear any dispute or other issue arising out of, or in connection with, this DPA, except where otherwise required by applicable data protection law or by the jurisdictional provisions set forth in the applicable Standard Contractual Clauses.
  • The Client agrees that Juphy may modify this DPA at any time provided Juphy may only modify the Standard Contractual Clauses in SECTION II (i) to incorporate any new version of the Standard Contractual Clauses (or similar model clauses) that may be adopted under EU/UK Data Protection Law or (ii) to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency.
  • If Juphy makes any material modifications to this DPA, Juphy shall provide Client with at least thirty (30) days’ notice (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect by either: (i) sending an email to the email address of the designated account owner in Client’s Juphy Platform account; or (ii) alerting Client via the user interface. If Client reasonably objects to any such change, Client may terminate the Terms and accordingly this DPA, by giving written notice to Juphy within thirty (30) days of notice from Juphy of the change.
  • If any provision of the DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, the invalidity or unenforceability of such provision shall not affect any other provision of the DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.

IN WITNESS WHEREOF, the Parties acknowledge their agreement to the foregoing by due execution of the DPA by their respective authorized representatives.

SECTION II
STANDARD CONTRACTUAL CLAUSES

(Module 4: Processor to Controller)

Capitalized terms used but not defined in these Clauses (including the Appendix) have the meanings given to them in the DPA into which these Clauses are incorporated (the “DPA”).

EU SCC

 

SECTION I

Clause 1

Purpose and scope

  1. The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.
  2. The Parties:
  1. the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex 1.A.2 (hereinafter each ‘data exporter’), and
  2. the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex 1.A.1 (hereinafter each ‘data importer’)

have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).

  1. These Clauses apply with respect to the transfer of personal data as specified in Annex 1.B.1.
  2. The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

  • These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
  • These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

  • Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
  1. Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
  2. Clause 8 – Clause 8.1(b) and Clause 8.3(b);
  3. Clause 9 – Not applicable;
  4. Clause 12 – Not applicable;
  5. Clause 13 – Not applicable;
  6. Clause 15.1(c), (d) and (e);
  7. Clause 16(e);
  8. Clause 18.
  1. Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

  1. Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
  2. These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
  3. These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex 1.B.

Clause 7 – Not used

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organizational measures, to satisfy its obligations under these Clauses.

8.1 Instructions

  1. The data exporter shall process the personal data only on documented instructions from the data importer acting as its controller.
  2. The data exporter shall immediately inform the data importer if it is unable to follow those instructions, including if such instructions infringe Regulation (EU) 2016/679 or other Union or Member State data protection law.
  3. The data importer shall refrain from any action that would prevent the data exporter from fulfilling its obligations under Regulation (EU) 2016/679, including in the context of sub-processing or as regards cooperation with competent supervisory authorities.
  4. After the end of the provision of the processing services, the data exporter shall, at the choice of the data importer, delete all personal data processed on behalf of the data importer and certify to the data importer that it has done so, or return to the data importer all personal data processed on its behalf and delete existing copies.

8.2 Security of processing

  1. The Parties shall implement appropriate technical and organisational measures to ensure the security of the data, including during transmission, and protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (hereinafter “personal data breach”). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature of the personal data, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects, and in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner.
  2. The data exporter shall assist the data importer in ensuring appropriate security of the data in accordance with paragraph (a). In case of a personal data breach concerning the personal data processed by the data exporter under these Clauses, the data exporter shall notify the data importer without undue delay after becoming aware of it and assist the data importer in addressing the breach.
  3. The data exporter shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

8.3 Documentation and compliance

  1. The Parties shall be able to demonstrate compliance with these Clauses.
  2. The data exporter shall make available to the data importer all information necessary to demonstrate compliance with its obligations under these Clauses and allow for and contribute to audits.

Clause 9 – Not applicable

Clause 10

Data subject rights

The Parties shall assist each other in responding to enquiries and requests made by data subjects under the local law applicable to the data importer or, for data processing by the data exporter in the EU, under Regulation (EU) 2016/679.

Clause 11

Redress

  1. The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorized to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

Clause 12

Liability

  1. Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
  2. Each Party shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages that the Party causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter under Regulation (EU) 2016/679.
  3. Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
  4. The Parties agree that if one Party is held liable under paragraph (c), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.
  5. The data importer may not invoke the conduct of a processor or sub-processor to avoid its own liability.

Clause 13 – Not Applicable

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

  1. The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
  2. The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
      1. the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
      2. the laws and practices of the third country of destination – including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
      3. any relevant contractual, technical or organizational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
  3. The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
  4. The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
  5. The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).
  6. Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15

Obligations of the data importer in case of access by public authorities

Transfer processor to controller (where the EU processor combines the personal data received from the third country-controller with personal data collected by the processor in the EU)

15.1 Notification

  1. The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary, with the help of the data exporter) if it:
      • receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
      • becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
  2. If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
  3. Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).
  4. The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
  5. Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(5) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

15.2 Review of legality and data minimization

  1. The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
  2. The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.
  3. The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

SECTION IV – FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

  1. The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
  2. In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
  3. The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
      • the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
      • the data importer is in substantial or persistent breach of these Clauses; or
      • the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

  4. Personal data collected by the data exporter in the EU that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall immediately be deleted in its entirety, including any copy thereof. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
  5. Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17

Governing law

These Clauses shall be governed by the law of a country allowing for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.

Clause 18

Choice of forum and jurisdiction

Any dispute arising from these Clauses shall be resolved by the courts of Ireland.

SUPPLEMENTARY TERMS FOR SWISS FDPA TRANSFERS ONLY

The following terms supplement the Clauses only if and to the extent the Clauses apply with respect to data transfers subject to the Federal Data Protection Act of 19 June 1992 (Switzerland):

  1. The term ‘Member State’ will be interpreted in such a way as to allow data subjects in Switzerland to exercise their rights under the Clauses in their place of habitual residence (Switzerland) in accordance with Clause 18(3) of the Clauses.
  2. If the relevant data transfers are exclusively subject to the Federal Data Protection Act of 19 June 1992 (Switzerland), the competent supervisory authority/ies for purposes of Annex 1.C (Competent Supervisory Authority) of the Clauses will be the Federal Data Protection and Information Commissioner in Switzerland (or its replacement or successor).

SUPPLEMENTARY TERMS FOR UK GDPR TRANSFERS ONLY

The following UK International Data Transfer Addendum to the European Commission Standard Contractual Clauses supplements the Clauses only if and to the extent the Clauses apply with respect to transfers of personal data subject to the UK GDPR.

International Data Transfer Addendum to the EU Commission Standard Contractual Clauses

VERSION B1.0, in force 21 March 2022

This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

Part I: Tables

Table 1: Parties

Start Date | (a) 21 September 2022, where the Terms Effective Date is before 21 September 2022; or (b) otherwise, on the Terms Effective Date.
The Parties | Importer | Exporter
Parties’ details | Full legal name: Client; Registered Address: as specified in the Terms | Full legal name: Juphy, Inc.; Registered Address: as specified in the Terms
Key Contact | Contact details for the data exporter are specified in the Terms. | Contact details for the data importer are specified in the Terms
Signature | The Parties agree that execution of the Terms by the data importer and the data exporter shall constitute execution of the DPA including this Addendum by both Parties. | The Parties agree that execution of the Terms by the data importer and the data exporter shall constitute execution of the DPA including this Addendum by both Parties.

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs: The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:
  Date: 4 June 2021
  Reference (if any): Module 4: Processor to Controller
  Other identifier (if any): N/A

Table 3: Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1:
List of Parties: Annex 1(A)

Description of Transfer: Annex 1(B)

Annex 2: Technical and organisational measures including technical and organisational measures to ensure the security of the data

Annex 3: List of Sub-processors

Table 4: Ending this Addendum when the Approved Addendum Changes

Either Party may end this Addendum when the approved Addendum changes.

Part 2: Mandatory Clauses

Mandatory Clauses: Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.

APPENDIX

EXPLANATORY NOTE: It must be possible to clearly distinguish the information applicable to each transfer or category of transfers and, in this regard, to determine the respective role(s) of the Parties as data exporter(s) and/or data importer(s). This does not necessarily require completing and signing separate appendices for each transfer/category of transfers and/or contractual relationship, where this transparency can be achieved through one appendix. However, where necessary to ensure sufficient clarity, separate appendices should be used.

Annex 1
Description and Details of Data Processing

This Annex 1 forms an integral part of the DPA and describes the Processing that Juphy will perform on behalf of the Client. In addition, this Annex 1 includes certain details of the Processing of Client Data as required by Article 28(3) GDPR and details of transferring Personal Data subject to the EU SCC and the UK SCC.

  • List of Parties
  • Controller/Data Importer
Name: Client, as described in Terms of Service
Address: [_____]
Contact person’s name, position and contact details: Data protection enquiries can be addressed to [___]
Activities relevant to the data transferred under the SCC: Receipt of the Services
Signature and date: This Annex 1 shall be deemed executed upon execution of the DPA
Role (controller/processor): Controller

 

  • Processor/Data Exporter
Name: Juphy, Inc.
Address: 651 N Broad St. Suite 201 Middleton, Delaware
Contact person’s name, position and contact details: Data protection enquiries can be addressed to privacy@juphy.com
Activities relevant to the data transferred under the SCC: Provision of the Services
Signature and date: This Annex 1 shall be deemed executed upon execution of the DPA
Role (controller/processor): Processor

 

  • Description of Transfer

Juphy will Process Personal Data to provide its Services as described in the Terms and only for the purpose of providing such Services, in particular publishing your content on social platforms, allowing you to track metrics for analytical purposes, and engaging with your Customers through public replies and private conversations (e.g., DMs) (“Purposes”).

Categories of Data Subjects whose Personal Data is transferred

Data subjects are the individuals whose personal data is processed by the data exporter under the data importer’s instructions as specified in the Terms.

The personal data and personal information processed concern:

  • Authorized Users of the Services (typically, employees or contractors of Client) and
  • Individual social media users who interact with Client’s connected social media accounts (as described in the Terms, the Social Networks)

Categories of Personal Data Transferred

  • Account user data (first name and last name, business email address, IP address, position in Client’s entity and language preference),
  • Any data inputted by Authorized Users
  • Social media profile data (the specific types of personal data collected are dependent on each social network, but typically include username, profile picture, and first/last name if provided),
  • geographic location
  • usage data
  • social media content and engagement (data processed during interactions with end-users (Clients’ Customers) (via the social media accounts and similar communication channels connected to Juphy Platform)) and
  • analytics metrics

Sensitive data transferred (Client does not intentionally and knowingly collect or transfer any sensitive personal data in relation to these Data Subjects however Client Data may include special categories of personal data, as defined in the GDPR)
The restrictions and safeguards specified in Annex 2 apply to these categories of Client Data (if any).

The frequency of the transfer: Personal Data may be transferred on a continuous basis until it is deleted in accordance with the terms of the DPA and the Terms

Nature of processing: Provision of the Services

Purposes of the data transfer and further processing
  • Personal Data and Personal Information will be transferred from the Client to Juphy to provide social media-related engagement, publishing, analytics and monitoring software services to the Client.
  • These services will consist of providing platform and performance analytics to the Client in relation to connected social media profiles.
  • This service will consist of providing a communication platform for the Controller to use in order to onboard and retain Authorized Users as well as analyze performance.
  • Full details about Juphy’s social media management and customer experience tool can be found at www.juphy.com

The period for which the Personal Data will be retained, or, if that is not possible the criteria used to determine the period: Juphy will retain the Personal Data for the duration of the Services according to the Terms and the period from the end of the Terms until deletion of all Client Data

For transfers to (sub-) processors, also specify subject matter, nature and duration of processing: Please review Section 11 of the DPA

 

  • Competent Supervisory Authority
Identify the competent supervisory authority/ies (e.g. in accordance with Clause 13 EU SCCs)

Where the EU GDPR applies, the competent supervisory authority shall be the Irish Data Protection Commissioner.

Where the UK GDPR applies, the competent supervisory authority shall be the UK Information Commissioner’s Office.

Annex 2
Technical & Organizational Measures Including Technical and Organizational Measures to Ensure The Security of the Data

These standards form part of the DPA, including the Standard Contractual Clauses between Client and Juphy. They describe the technical and organizational measures implemented by Juphy to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

In addition, this Annex 2 sets out the measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services, the measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident, the measures taken for user identification and authorization as well as the measures taken for the protection of data during storage and during transmission.

The following policies are maintained by the Company in order to ensure the measures set forth above. The policies are updated on an ongoing basis and reviewed periodically for gaps:

 

  • System Access Policy

Juphy grants access to data under the principle of least privilege. Juphy’s database is accessible only by authorized Juphy personnel. The personal data processed and stored by Juphy is based on cloud services and access is granted through personal user authentication. Access to systems is restricted and is based on procedures to ensure appropriate approvals are provided solely to the extent required. In addition, remote access and wireless computing capabilities are restricted and require both user and system safeguards. The systems are also protected, and solely authorized employees may access the systems by using a designated password.

  • Physical Access Policy

The measures for ensuring physical security of locations at which Personal Data are processed include security measures implemented in Juphy’s office (alarm system, security cards, CCTV, etc.) and the physical security measures taken by Juphy hosting providers. Juphy secures access to its offices and ensures that solely authorized persons, such as employees, have access. All visitors who visit the Juphy facilities are accompanied by Juphy personnel at all times.

Juphy products are hosted by Digital Ocean. Digital Ocean provides highly secure facilities that are highly available and redundant, with compliance to Cloud Security Alliance STAR Level 1, ISO/IEC 27001, PCI DSS Level 1, and SOC 2 and 3. Digital Ocean undergoes various third-party independent audits regularly and can provide verification of compliance controls for its data centers, infrastructure, and operations.

  • Data Access Policy

All access to a database, system or storage is subject to an authorization hierarchy and password protection. Further, access to the Personal Data is restricted solely to employees on a “need to know” basis and is protected by passwords and user names. Access to the Personal Data is secured and is highly managed by access control policies. Juphy uses high level security measures to ensure that the Personal Data will not be accessed, modified, copied, used, transferred or deleted without specific authorization. Moreover, Juphy audits any and all access to the database and any authorized access is immediately reported and handled. Each employee is able to perform actions solely according to the permissions determined by Juphy. Each access is logged and monitored, and any unauthorized access is automatically reported. Further, Juphy conducts an ongoing review of which employees have authorizations, to assess whether access is still required. Juphy implements various access levels (view – moderate etc.) at different levels of authorizations. Juphy revokes access immediately upon termination of employment. Authorized individuals can solely access Personal Data that is established in their individual authorization.

Juphy contracts with penetration testing vendors to perform external penetration testing of the Juphy Platform. A public bug bounty program is maintained, and submissions are reviewed by the Juphy IT team, escalated to the appropriate engineering team, and tracked to resolution.

  • Organizational and Operational Policy

Juphy employs appropriate technical and organizational measures to ensure personnel, subcontractors, vendors, and agents who have access to Personal Data conduct themselves in accordance with established company guidelines and policies. As part of the employment process, employees undergo a screening and are provided with access to the database solely upon training, to ensure they are well educated and responsible to handle the Personal Data. Employees, Clients, vendors and applicable processors have all signed binding agreements, all of which include applicable data provisions and data security obligations. To ensure the employees stay educated and up to date with applicable policies and legislation, the Company holds annual compliance training which includes data security education. A disciplinary process is applied if personnel fail to adhere to relevant policies and procedures. Further measures for internal IT and IT security governance and management have been taken, and the Juphy IT team ensures security of all hardware and software by installing all updates needed, installing anti-malware software on computers to protect against malicious use and malicious software, as well as virus detection on endpoints, email attachment scanning, system compliance scans, information handling options for the data exporter based on data type, network security, system and application vulnerability scanning, use of secured email transfer, etc.

Juphy has ensured all documents, including without limitation, agreements, privacy policies, online terms, etc. are compliant with the EU/UK Data Protection Law and US Data Protection Law, including by implementing the Data Processing Addendum and, where needed, Standard Contractual Clauses (either pursuant to the EU GDPR or UK GDPR).

  • Availability Policy

Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident were implemented by Juphy and include an automated backup procedure. Juphy has a backup concept which includes automated daily backups. Periodical checks are performed to determine that the backups have occurred. Juphy has also implemented Business Continuity plans and Disaster Recovery policies so that in the event of a disaster Juphy will be able to continue to provide the services. These step-by-step procedures help ensure the security and legal teams, in conjunction with Juphy management or other stakeholders, handle such incidents with consistency and in accordance with our commitment to data privacy and data protection.

  • Data Retention Policy

Personal Data and raw data are all deleted as soon as possible or legally applicable. Usually, the data is provided by the Client for the purpose of providing the services by Juphy and is deleted upon termination of the contractual obligations. However, certain data, such as financial data, is required to be retained for a longer period of time due to our legal obligations.

  • Data Subject Request Policy

Juphy has implemented an online mechanism to enable individuals to submit a data subject request directly through the Juphy Platform. Further, Juphy has implemented internal policies to handle the DSR subject to applicable data protection laws and contractual obligations.

  • Sub-processor Policy

Before engagement, new Sub-processors go through an internal vendor review and approval process which includes the security, legal, and finance teams. Once assessed, the Sub-processors are required to enter into appropriate contractual agreements outlining their commitment to confidentiality, integrity, and availability. The security and legal teams perform due diligence of our Sub-processors and critical third-party vendors on an annual basis to ensure compliance with service-level agreements, contractual obligations, and information security controls.

Annex 3
List of Sub-Processors

The controller has authorized the use of the following Sub-processors:

| Sub-Processor | Description of Processing | Contact Person | Position | Contact Details | Address |
|---|---|---|---|---|---|
| MongoDB (https://www.mongodb.com) | Hosting Services | Lena Smart | Chief Information Security Officer | privacy@mongodb.com; 1-866-692-1371 | MongoDB, Inc., 1633 Broadway, 38th Floor New York, NY 10019. USA |
| Digital Ocean (https://www.digitalocean.com) | Hosting Services | Alan Shapiro | General Counsel | privacy@digitalocean.com | 101 6th Ave, New York, NY 10013, USA |
| Rollbar (https://docs.rollbar.com) | Error Tracking & Monitoring | Unidentified Data Protection Officer | Data Protection Officer | privacy@rollbar.com | 548 Market St Suite 60587, San Francisco, USA |
| Ngrok (https://ngrok.com) | Network Edge | Unidentified Data Protection Officer | Data Protection Officer | support@ngrok.com | 237 A St 26741, San Diego, CA, 92101, USA |
| UserGuiding (https://userguiding.com) | User Onboarding | Unidentified Data Protection Officer | Data Protection Officer | info@userguiding.com | Merkez Mahallesi Hasat Sokak Kamara Apartmanı No:52/5, Şişli, Istanbul, Türkiye |
| Autopilot (https://journeys.autopilotapp.com) | E-mail Automation | Unidentified Data Protection Officer | Data Protection Officer | privacy@autopilothq.com | 149 New Montgomery St, 4th Floor, Suite 631 San Francisco, CA, 94105, USA |
| Mixpanel (https://mixpanel.com) | Customer and Product Management | James Allee | VP of Legal | compliance@mixpanel.com | 1 Front St, Floor 28, San Francisco, CA 94111, USA |
| Segment (Twilio) (https://segment.com) | Platform Notification | Cormac Stewart | Senior Privacy Counsel | support@twilio.com | 101 Spear Street, Ste 500 San Francisco, CA 94105, USA (HQ); 3 Dublin Landings, North Wall Quay, Dublin 1, Ireland (Europe); 100 New Bridge Street, London, United Kingdom, EC4V 6JA (UK) |
| Hubspot (https://www.hubspot.com) | CRM, Marketing Automation | Nicholas Knoop | Privacy and Data Protection Officer | privacy@hustle.co; https://preferences.hubspot.com/privacy | 25 First Street, 2nd Floor, Cambridge, MA 02141 USA |
| Intercom (https://www.intercom.com) | Customer communications management, sales, livechat | Cheree McAlpine | SVP and General Counsel | legal@intercom.io | 2nd Floor, Stephen Court, 18-21 Saint Stephen’s Green, Dublin; 55 2nd Street, 4th Fl., San Francisco, CA 94105, USA |
| Hotjar (https://www.hotjar.com) | Heatmapping | Louanne Grech | Data Protection Officer | dpo@hotjar.com | Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville, St Julian’s, Malta STJ 3141, MT |
| Cloudflare (https://www.cloudflare.com) | Network Management | Emily Hancock | Data Protection Officer | +442035146970; legal@cloudflare.com | 01 Townsend St., San Francisco, CA 94107, USA |
| Partner Stack (https://partnerstack.com) | Sales partner management platform | Unidentified Data Protection Officer | Data Protection Officer | privacy@partnerstack.com; legal@e-founders.com | 7 place Flagey 1050, Brussels, Belgium (EU) |
| Calendly (https://calendly.com) | Digital Calendar Services | Lauren Page | Global Privacy Counsel | support@calendly.com; Legal@calendly.com | 88 N Avondale Road #603, Avondale Estates, GA 30002, USA |
| Google Analytics (https://analytics.google.com/analytics/web/) | SEOR Services | N/A | N/A | https://myaccount.google.com/inactive?utm_source=pp&hl=en_US&pli=1 | 1600 Amphitheatre Parkway Mountain View, CA 94043, USA |
| Stripe (https://stripe.com) | Payment Processing | N/A | N/A | N/A | N/A |
| Canny (https://canny.io) | Customer Feedback Management | N/A | N/A | support@canny.io | N/A |