Textricks Data Processing Addendum (DPA)

This Data Processing Addendum (“DPA”) is incorporated into the Textricks Terms and Conditions of Service (the “Agreement”) between Textricks and the undersigned customer (“Customer”) with respect to the “Services” as defined in the Agreement.

1. Definitions

All capitalized terms used but not otherwise defined in this DPA shall have the meaning ascribed to such terms in the Agreement. The following definitions and rules of interpretation below apply to this DPA:

Adequate” in relation to the level of protection given to Personal Data in countries outside the European Economic Area (“EEA”) or United Kingdom means a decision made by the European Commission under Article 25(6) of Directive 95/46/EC (as amended or replaced from time to time) or Information Commissioner’s Office finding that the relevant third country provides an adequate level of protection by reason of its domestic law or of the international commitments it has entered into.

Applicable Data Protection Law(s)” refers to all laws and regulations applicable in relation to the processing of Personal Data under the Agreement.

Controller”, “Processor”, “Data Subject”, and “Processing” (and “Process”) have the meanings given in accordance with Applicable Data Protection Law.

Customer Account Data” means (a) Personal Data that relates to Customer’s relationship with Textricks including the names, phone numbers, and/or contact information of individuals authorized by Customer to access Customer’s Textricks account and/or use the Services and billing information; and (b) Personal Data processed by Textricks for the purposes of storing, transmitting, or exchanging Customer Content, sending goods, and to provide the Services that may include shipping address data used to trace and identify the source and destination of a communication, such as individual data subjects’ telephone numbers, data on the location of the device generated in the context of providing the Services, and the date, time, duration, and type of communication and/or data provided by the channels used by the Customer to communicate with their customers.

Customer Content” means Personal Data exchanged by use of the Services such as text, call recording, message bodies, conversation transcriptions, voicemail recordings, voicemail transcription, video recording, video files, images, and sound.

Employees” with respect to any entity refers to such entity’s employees and contractors.

Personal Data” or “personal data” means any information relating to an identified or identifiable natural person where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Security Incident” means a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Personal Data transmitted, stored, or otherwise processed.

Sensitive Personal Data” means Personal Data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, data concerning a natural person's sex life or sexual orientation, or any other data that falls within the definition of “special categories of data” under Applicable Data Protection Law.

Standard Contractual Clauses” or “SCC” means (a) for the transfer of data from the EEA outside the EEA to a non-adequate country, the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission in the decision (EU) 2021/914 of 4 June 2021 (“EEA SCCs”); (b) for the transfer of data from the United Kingdom to a non-adequate country, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner Version B1.0 in force 21 March 2022 ("UK International Data Transfer Addendum").

Sub-processor” means any processor engaged by Textricks for the purposes of the provision of the Services under the Agreement.

2. Relationship of the Parties

2.1 Customer Content

The parties acknowledge and agree that with regard to the processing of Customer Content, Customer may act either as a controller or processor, and Textricks acts as a processor (where Customer is a controller) or sub-processor (where Customer is a processor); and an independent data controller (and the Customer is a controller) for the purpose of improving and enhancing the Services.

2.2 Customer Account Data

The parties acknowledge that with regard to the processing of Customer Account Data, Customer is a controller, and Textricks is an independent controller, not a joint controller with Customer.

3. Processing of Personal Data

3.1 Purpose Limitation

Textricks shall process Customer Content as a data processor (a) for the performance of the Services in accordance with Customer’s instructions as set forth in the Agreement and this DPA and in accordance with Applicable Data Protection Law, (b) as otherwise necessary to provide the Services (which may include responding to support requests and prevention and resolution of security, fraud, and technical issues, the latter may include engaging and providing access to Customer Content to telecommunication carriers to diagnose and solve the issue), (c) as initiated through the use of the Service, and (d) as further instructed by the Customer in writing. Textricks shall process Customer Content as a data controller to improve and enhance the Services. Textricks will process Customer Account Data as a data controller in accordance with Applicable Data Protection Law, the Privacy Policy, and the Agreement for the purposes detailed in Schedule 1 of this DPA.

3.2 Customer Instructions

Customer will ensure that its instructions comply with Applicable Data Protection Laws and that Textricks’s processing of the Customer Content in accordance with Customer’s instructions will not cause Textricks to violate Applicable Data Protection Laws. Textricks will notify Customer to the extent permitted by law if it becomes aware or reasonably believes that Customer’s data processing instructions would violate Applicable Data Protection Law.

3.3 Customer Compliance

Customer shall ensure that (a) it has and will continue to comply with Applicable Data Protection Law in its use of the Services; (b) its customers and end users are provided adequate notice of Textricks’s processing activities for which Textricks acts as a controller to fulfill the requirements of Applicable Data Protection Laws; (c) it has and will continue to have the right to transfer or provide access to its customers’ and end users’ Personal Data (including as applicable Sensitive Personal Data) to Textricks for processing in accordance with the terms of the Agreement and this DPA; and (d) appropriate technical and organizational measures and suitable safeguards are in place before transmitting or processing Sensitive Personal Data and/or before permitting Customer’s end users to transmit or process any Sensitive Personal Data via the Services.

3.4 Processing Information

Schedule 1 of this DPA details the duration of processing, the nature and purpose of processing, the type of Personal Data, and the categories of data subjects processed by Textricks.

4. Sub-processors

4.1 Sub-processors List and Engagement

Customer acknowledges that Textricks engages Sub-processors in connection with the provision of the Services and Customer provides general consent for Textricks to appoint Sub-processors subject to this clause 4. The engagement by Textricks of any such Sub-processor shall be on written terms which impose upon the Sub-processor data protection obligations to the standard required by Applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, including providing sufficient guarantees to implement appropriate technical and organizational measures. Textricks’s up-to-date sub-processors list is set forth at www.Textricks.com/legal/subprocessors (the “Sub-processors List”).

4.2 General Consent for Textricks Sub-processors

Customer grants a general authorization to Textricks to appoint other entities of Textricks as Sub-processors, conditional on the requirements detailed in Section 4.1.

4.3 Notification Mechanism

When a Sub-processor is replaced or a new one appointed, the Sub-Processors List may be modified pursuant to a notification mechanism (“Notification Mechanism”). In the event Customer subscribes, Textricks will provide notification of any new or replacement Sub-processor.

4.4 Objection to New Sub-processors

If Customer objects to Textricks’s appointment or replacement of a Sub-processor based on reasonable grounds relating to data protection, it shall notify Textricks in writing within 10 days of receipt of notice. In such event, Textricks will use reasonable efforts to provide the Services to Customer in accordance with the Agreement without using the Sub-processor.

4.5 Sub-Processor Liability

Textricks shall be liable for its Sub-processors’ processing of Customer Content to the same extent that Textricks would be liable if performing the processing activities of each Sub-processor directly under the terms of this DPA.

4.6 Communications Sent Through the Services and Payment Gateways

Customer acknowledges that Textricks may use telecommunication providers in the provision of the Services. Customer further acknowledges that in order to send communications for the provision of the Services, Textricks may need to transmit Customer’s communications through existing telecommunications networks and suppliers via companies bound to comply with applicable telecommunications and privacy laws but who may not all have direct contracts with Textricks and/or Customer. Customer further acknowledges that Textricks may use payment gateways in the provision of Services via companies bound to comply with data protection laws but who may not have direct contracts with Textricks. Customer hereby instructs Textricks to transmit the communications through existing telecommunications networks and to use payment gateways as necessary to provide the Services, and acknowledges and agrees that telecommunications networks and payment gateway suppliers are not considered Sub-processors under either the DPA or the Agreement.

4.7 Call Quality

When Customer reports potential issues with the quality of the Services, the Customer instructs Textricks to engage its relevant telecommunication suppliers for assistance, including by providing them with access to communications data (for example, CDRs or call recordings), which may contain personal data for the purpose of diagnosing and resolving the reported issues.

5. Data Transfers

5.1 Textricks Data Transfer

To the extent that any Personal Data is transferred from the European Economic Area, the United Kingdom, and/or Switzerland (either directly or via onward transfer) to any country that, according to the European Commission or the competent authority for the UK and Switzerland, does not provide an adequate level of protection for personal data, the parties agree that the Standard Contractual Clauses incorporated by reference to this DPA will apply in respect of the processing of such Personal Data. The Standard Contractual Clauses and this Clause 5 will not apply to Personal Data that is not transferred either directly or via onward transfer outside the EEA, the United Kingdom, and/or Switzerland. In relation to the Standard Contractual Clauses, Textricks will comply with the obligations of the 'data importer' in the Standard Contractual Clauses, and the Customer will comply with the obligations of the 'data exporter.' Appendices of the EEA SCCs shall be deemed completed as set forth in Schedule 2 of this DPA in relation to the transfer of personal data outside the EEA. The UK International Data Transfer Addendum applicable to the transfer of personal data outside the United Kingdom shall be deemed completed as set forth in Schedule 3.

5.2 In the event of any conflict or inconsistency between the EU Standard Contractual Clauses (Schedule 2) or UK International Data Transfer Addendum (Schedule 3) and the terms of this DPA, the EU Standard Contractual Clauses or UK International Data Transfer Addendum (Schedule 3) as applicable shall prevail.

5.3 Request for Personal Data

5.3.1 If Textricks receives a civil or criminal subpoena, search warrant, or other official and written request that is legally binding (“Request”) by a public authority that is not from an EEA country, the UK, or a country considered Adequate (“Requesting Party”) for disclosure of Customer’s personal data, Textricks may respond to such Requesting Party with respect to any Request that Textricks reasonably deems to be valid and appropriate in scope. Otherwise, Textricks may, insofar as legally permissible, redirect the Requesting Party to request that Personal Data directly from Customer instead.

5.3.2 In the event that the information is provided, Textricks will (a) ensure that the disclosed Personal Data is the minimum required to satisfy the Request, and (b) take all commercially reasonable steps to ensure that such Customer information is afforded confidential treatment by the authorities.

5.4 Sub-processors Data Transfer

If in the performance of the Services, Textricks permits processing of any Personal Data by a Sub-processor outside the EEA, except if in an Adequate country, without prejudice to Section 4, Textricks shall in advance of any such transfer ensure that a legal mechanism to achieve adequacy in respect of that processing is in place such as:

5.4.1 Standard Contractual Clauses;

5.4.2 affirmative representation or covenant regarding compliance with applicable law; or

5.4.3 the existence of any other specifically approved safeguard for data transfers as recognized under Applicable Data Protection Law and/or a European Commission or Information Commissioner’s Office finding of adequacy.

5.5 Processing in the United States

Customer acknowledges that as of the date hereof, Textricks’s primary processing facilities are in the United States of America.

6. Security of Personal Data

6.1 Security Measures

Textricks has implemented and will maintain appropriate administrative, technical, and organizational measures to protect Personal Data from a Security Incident, having regard to the state of technological development and the cost of implementing such measures as well as the nature, scope, context, and purposes of processing and the likelihood and severity of harm to the interests of data subjects that may be expected to result from any such Security Incident.

6.2 Employee Access

Textricks shall ensure that only such of its employees who may be required by it to provide the Services to Customer or assist Textricks in meeting its obligations under this DPA shall have access to Personal Data. Textricks will ensure that the employees accessing Customer Content are under confidentiality obligations to protect such personal information.

7. Security Incidents

7.1 Security Incident Involving Personal Data

Upon confirming a Security Incident involving personal data for which Textricks acts as a data processor, Textricks will:

7.1.1 To the extent permitted by applicable law, notify Customer without undue delay. Such notice shall be delivered in accordance with Section 13 of this DPA;

7.1.2 To the extent such Security Incident is caused by Textricks’s violation of its obligations under this DPA, take such reasonable remedial steps to address such Security Incident and prevent any further incidents; and

7.1.3 Promptly provide the Customer with all relevant information in its possession as reasonably required by Applicable Data Protection Law to comply with any reporting obligations of a relevant regulatory authority concerning such Security Incident.

7.2 Notification to the Supervisory Authority

If Customer determines that a Security Incident must be notified to any supervisory authority and/or data subjects and/or the public or portions of the public pursuant to the Applicable Data Protection Law, Customer will, to the extent commercially feasible, notify Textricks before the communication is made (and where not commercially feasible, as soon as is commercially feasible after such communication) and supply Textricks with copies of any written documentation to be filed with the supervisory authority and of any notification Customer proposes to make (whether to any supervisory authority, data subjects, the public, or portions of the public) which directly or indirectly references Textricks, its security measures, and/or role in the Security Incident, whether or not by name. Subject to Customer’s compliance with any mandatory notification deadlines under Applicable Data Protection Law, Customer will consult with Textricks in good faith and take account of any clarifications or corrections Textricks reasonably requests to such notifications and which are consistent with Applicable Data Protection Law. In the event that impacted data subjects are required to be notified of the Security Incident, Customer will provide reasonable assistance to Textricks to effectuate appropriate notice to such impacted data subjects.

8. Audits

8.1 Demonstrated Compliance

Upon Customer’s written request no more than once annually and subject to adequate confidentiality provisions, Textricks shall, in accordance with Applicable Data Protection Laws, make available to Customer such reasonable information in Textricks’s possession or control to demonstrate Textricks’s compliance with its obligations as a data processor of Customer Content to satisfy Customer’s audit rights granted by Applicable Data Protection Law (including where applicable the Standard Contractual Clauses).

9. Personal Data on Expiry or Termination

9.1 Deletion of Personal Data

In respect of the Customer Content that Textricks processes as a data processor pursuant to the Agreement, Textricks shall cease to process such personal data and will promptly arrange for its deletion on expiry or termination of the Agreement unless otherwise agreed by the parties in writing, in which case Textricks shall hold Customer Content in accordance with the data retention term agreed by the parties. Notwithstanding anything to the contrary in this Section 9, Textricks may retain Customer Content or any portion of it if required by applicable law, in which case Textricks shall comply with Applicable Data Protection Law regarding the deletion and retention of Personal Data.

10. Data Protection Impact Assessment

10.1 Textricks shall provide reasonable assistance to Customer (taking into account the nature of processing and the information available to Textricks and at Customer's expense) with respect to data protection impact assessments or consultations with supervisory authorities that may be required in accordance with Applicable Data Protection Law.

11. Data Subject Requests

11.1 Self-service Features

As part of certain Services, Textricks may, but is not obligated to, provide Customer with self-service features to delete, retrieve, or restrict use of Customer Content, which the Customer may use to assist in its compliance with its obligations under Applicable Data Protection Law with respect to responding to requests from data subjects.

11.2 Additional Assistance

In addition, upon written request, Textricks will provide reasonable additional and timely assistance in relation to Customer Content at Customer’s expense to assist Customer in complying with its data protection obligations to respond to requests for exercising the rights of data subject under Applicable Data Protection Law.

12. Liability

12.1 Liability

This DPA is without prejudice to the rights and obligations of the parties under the Agreement, which shall continue to have full force and effect, including any limitations on liability contained therein, which shall apply to this DPA as if fully set forth herein. In the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall prevail so far as the subject matter concerns the processing of Personal Data.

12.2 Penalties

Notwithstanding anything to the contrary in this DPA or in the Agreement, neither party will be responsible for any fines issued or levied under Article 83 of the GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the GDPR.

13. Notification

13.1 All notices given by Textricks to Customer under or in connection with this DPA shall be validly served by email. Where Customer has subscribed to the Notification Mechanism, Customer shall receive notifications pursuant to Clause 4.3 of this DPA. All other notices given by Textricks to Customer under or in connection with this DPA shall be sent to Customer’s email address associated to their Textricks account; and any notice given by Customer to Textricks shall be sent to enquiry@textricks.com.

14. Indemnification

14.1 Customer further agrees to indemnify and hold harmless Textricks for any data minimization or other record retention rules violations related to Customer's retention of data under the General Data Protection Regulation ("GDPR") or any other comparable legislation.

15. Miscellaneous

15.1 Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the law and the jurisdiction of the country or territory which governs the Agreement except as otherwise specified in this DPA, including its Schedules, or required by Applicable Data Protection Law.

15.2 Jurisdiction Specific Terms

To the extent Textricks processes Personal Data protected by Applicable Data Protection Laws in a jurisdiction listed in Schedule 4, then the terms specified in Schedule 4 (“Jurisdiction Specific Terms”) apply, and in case of any conflict between the Jurisdiction Specific Terms and any term of this DPA, the applicable Jurisdiction Specific Terms will take precedence.

15.3 Updates

Textricks may update the terms of this DPA from time to time where the changes (a) are required to comply with Applicable Data Protection Law, applicable regulation, a court order, or guidance issued by a regulator or agency; (b) do not have a material adverse impact on Customer’s rights under the DPA; or (c) are required as a result of new products or services or material changes to any of the existing Services.

Schedule 1

Details of Processing

1. Nature and Purpose of Processing

1.1 Customer Content

Textricks will process Customer Content in accordance with Section 3.1 of this DPA.

1.2 Customer Account Data

Textricks will process Customer Account Data as a controller to perform the functions as a communications service provider, which may include but are not limited to:

(a) managing the relationship with the Customer;

(b) carrying out Textricks’s business operations such as accounting, tax, billing, audit, and compliance;

(c) investigating security issues, fraud, unauthorized or unlawful use of the service, and other misuses;

(d) improving the Services; and

(e) as required by applicable law, rule, or regulation, including but not limited to Applicable Data Protection Law.

2. Duration of Processing

2.1 Textricks Acting as Processor for Customer Content

Textricks will process Customer Content for the duration outlined in Section 9 of this DPA.

2.2 Textricks Acting as Controller

Textricks will process personal data as a controller for as long as needed to provide the Services. Upon termination of the Agreement, Textricks may retain personal data

(a) for the purposes outlined in Section 1.2 of this Schedule 1; or

(b) as required by law. Textricks will promptly delete or anonymize such personal data when Textricks no longer requires it for the herein mentioned purposes.

3. Types of Personal Data

Textricks processes personal data contained in Customer Content and Customer Account Data as defined in Section 1 of this DPA.

4. Categories of Data Subjects

4.1 Customer Content

Customer Content may concern the following categories of data subjects:

  • Customer’s authorized users, who are those individuals that are authorized by the Customer to use the Services on behalf of the Customer.
  • Customer’s customers and end users.

4.2 Customer Account Data

Customer Account Data may concern the following categories of data subjects:

  • Customer’s employees and agents.
  • Customer’s authorized users.
  • Customer’s customers and end users.

Schedule 2

Standard Contractual Clauses Decision (EU) 2021/914

Terms applicable to the EEA SCCs:

(i) Clause 7 - the optional docking clause will not apply.

(ii) Clause 9 - Option 2 will apply and the time period for prior notice of sub-processor changes will be as set forth in Section 4 (Sub-processors) of this DPA.

(iii) Clause 11 (a) - the optional language will not apply.

(iv) Clause 17 - Option 1 will apply and the Clauses will be governed by the law of Ireland.

(v) Clause 18 - disputes will be resolved before the courts of Ireland.

(vi) Module One (Controller to Controller) of the EEA SCCs applies where Customer is a controller and Textricks is an independent controller.

(vii) Module Two (Controller to Processor) of the EEA SCCs applies where Customer is a controller and Textricks is a processor.

(viii) Module Three (Processor to Processor) of the EEA SCCs applies where Customer is a processor and Textricks is a processor.

Annex I

A. List of Parties

Data exporter(s):

Name: The company defined as Customer who is a party to the Agreement.

Address: The address of the Customer as provided in the Agreement.

Contact details: Customer’s email address associated with their Textricks account.

Activities relevant to the data transferred under these Clauses: purchase of Textricks Services.

Signature and date: By entering into the Agreement, Data Exporter is deemed to have signed these Standard Contractual Clauses, including their Annexes, as of the date the parties entered into the Agreement or this DPA, whichever is later.

Role: The Data Exporter’s role is as set forth in Section 2 (Relationship of the Parties) of this DPA.

Data importer(s):

Name: Textricks

Address: Textricks’s address specified in the Agreement.

Contact details: enquiry@textricks.com

Activities relevant to the data transferred under these Clauses: Provision of the Services, which includes but is not limited to communications services that enable communications features and capabilities to be embedded into web, desktop, and mobile software applications.

Signature and date: By entering into the Agreement, Data Importer is deemed to have signed the Standard Contractual Clauses, including their Annexes, as of the date the parties entered into the Agreement or this DPA, whichever is later.

Role: The Data Importer’s role is as set forth in Section 2 (Relationship of the Parties) of this DPA.

B. Description of Transfer

Categories of data subjects whose personal data is transferred: As described in Section 4 of Schedule 1 (Details of Processing) of this DPA.

Categories of personal data transferred: Textricks processes personal data contained in Customer Content and Customer Account Data as defined in Section 1 (Definitions) of this DPA.

Sensitive data: N/A

The frequency of the transfer: The data is transferred on a continuous basis.

Nature of the processing: As per Section 1 of Schedule 1 (Details of Processing) of this DPA.

Purpose(s) of the data transfer and further processing: Textricks processes personal data for the purposes described in Section 1 of Schedule 1 (Details of Processing) of this DPA.

The period for which the personal data will be retained: Textricks retains data for the duration described in Section 2 of Schedule 1 (Details of Processing) of this DPA.

For transfers to (sub-) processors, the subject matter, nature, and duration of the processing is set forth in the Sub-processors List (refer to Section 4.1 of this DPA).

C. Competent Supervisory Authority

Identify the competent supervisory authority/ies: The Irish supervisory authority is the competent supervisory authority.

Annex II

Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data

Description of the technical and organizational security measures implemented by the data importer are as set forth in Section 6.1 of this DPA. The data importer may update its security document from time to time, provided that there is no material degradation to the security and/or privacy of the services.

Annex III – List of Sub-Processors

Module Two: Transfer Controller to Processor

As per the Sub-Processors List (in Section 4.1 of this DPA).

Schedule 3

UK International Data Transfer Addendum

Standard Data Protection International Data Transfer Addendum to the EU Commission

Standard Contractual Clauses issued by the Commissioner under S119A(1) Data Protection Act 2018

VERSION B1.0 in force 21 March 2022

PART 1: Tables

Table 1: Parties

Start date: As set forth in the order or Agreement that incorporates these Standard Contractual Clauses by reference or as set forth in the DPA, whichever is later

The Parties Exporter (who sends the Restricted Transfer) Importer (who receives the Restricted Transfer)

Parties' details

Full legal name: The company defined as Customer who is party to the Agreement.

Trading name (if different): Main address (if a company registered address): The address of the Customer as provided in the Agreement.

Official registration number (if any) (company number or similar identifier): As provided in the Agreement.

Full legal name: Textricks

Trading name (if different): Main address (if a company registered address): The Textricks address specified in the Agreement.

Official registration number (if any) (company number or similar identifier):

Key Contact

Full Name (optional): Job Title: Contact details including email: Customer’s email address associated to their Textricks account

Full Name (optional): Job Title: Contact details including email: enquiry@textricks.com

Signature (if required for the purpose of Section 2)

By entering into the Agreement, the parties are deemed to have signed this UK International Data Transfer Addendum

By entering into the Agreement, the parties are deemed to have signed this UK International Data Transfer Addendum

Table 2: Selected SCCs Modules and Selected Clauses

Addendum EU SCCs: The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:

Date: As provided in Table 1 above

Module Module in operation Clause 7 (Docking Clause) Clause 11 (Option) Clause 9a (Prior Authorization or General Authorization) Clause 9a (Time period)
1 Yes Does Not Apply Optional language does not apply
2 Yes Does Not Apply Optional language does not apply Option 2 applies - general authorization As set forth in Section 4 of the DPA
3 Yes Does Not Apply Optional language does not apply Option 2 applies - general authorization As set forth in Section 4 of the DPA

Table 3: Appendix Information

Appendix Information means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties (as set forth in Annex I.A of Schedule 2 of this DPA).

Annex 1B: Description of Transfer (as set forth in Annex I.B of Schedule 2 of this DPA).

Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data (as set forth in Annex II of Schedule 2 of this DPA).

Annex III: List of Sub-processors (Modules 2 and 3 only, as set forth in Annex II of Schedule 2 of this DPA).

Table 4: Ending this Addendum when the Approved Addendum Changes

Which Parties may end this Addendum as set out in Section 19: Importer & Exporter

PART 2: Mandatory Clauses

Mandatory Clauses:

Part 2: Mandatory Clauses of the Approved Addendum being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 as it is revised under Section 18 of those Mandatory Clauses.

Schedule 4

Jurisdiction Specific Terms

Australia

  • The definition of “Applicable Data Protection Law” includes the Australian Privacy Principles (APPs) and the Australian Privacy Act (1988).
  • The definition of “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Law.
  • The definition of “Sensitive Data” includes “Sensitive Information” as defined under Applicable Data Protection Law.

Brazil

  • The definition of “Applicable Data Protection Law” includes the Lei Geral de Proteção de Dados (LGPD).
  • The definition of “Processor” includes “Operator” as defined under Applicable Data Protection Law.
  • The definition of “Security Incident” includes a security incident that may result in any relevant risk or damage to the data subjects.

California

  • The definition of “Applicable Data Protection Law” includes the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) (collectively the “CCPA”).
  • The definition of “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Law.
  • The definition of “Data Subject” includes “Consumer” as defined under Applicable Data Protection Law.
  • The definition of “Controller” includes “Business” as defined under Applicable Data Protection Law.
  • The definition of “Processor” includes “Service Provider” as defined under Applicable Data Protection Law.
  • Data Subject Rights include Consumer rights as provided in the CCPA. Textricks will provide reasonable additional and timely assistance to assist Customer in complying with its obligations with respect to consumer requests as provided in Section 11 of the DPA.
  • Textricks will process, retain, use, and disclose Personal Data only as necessary to provide the Services under the Agreement, which constitutes a business purpose. Textricks agrees not to sell or share Customer’s Personal Data or Customer end users’ Personal Data; retain, use, or disclose Customer’s Personal Data for any commercial purpose other than providing the Services; or retain, use, or disclose Customer’s Personal Data outside of the scope of the Agreement.
  • Textricks understands its obligations under the Applicable Data Protection Law and will comply with them.
  • Textricks certifies that its Sub-processors, as described in Section 4 of the DPA, are Service Providers under Applicable Data Protection Law with whom Textricks has entered into a written contract that includes terms substantially similar to this DPA. Textricks conducts appropriate due diligence on its Sub-processors.
  • Textricks will implement and maintain the reasonable security procedures and practices appropriate to the nature of the Personal Data it processes as set forth in Section 6 of the DPA.
  • Textricks shall notify the Customer if it makes a determination that it can no longer meet its obligations as Service Provider under the CCPA.
  • Upon notice, including if Textricks notifies the customer that it can no longer meet its obligations, Customer will have the right to take reasonable and appropriate steps in accordance with the Agreement to stop and remediate unauthorized use of personal information.
  • Textricks shall not combine Customer Content that it receives from Customer or on behalf of Customer with personal information that it receives from or on behalf of another person or persons, or collects from its own interaction with the consumer, provided that Textricks may combine personal information to perform any business purpose as defined in the regulations adopted pursuant to paragraph (10) of subdivision (a) of Section 1798.185 of the CPRA, except as provided for in paragraph (6) of subdivision (e) of the CPRA and in regulations adopted by the California Privacy Protection Agency.
  • The engagement of Textricks of a sub-processor/service provider to process personal data will be on written terms which impose upon the service provider data protection obligations to the standard required by Applicable Data Protection Law as provided in Section 4.1 of this DPA.

Canada

  • The definition of “Applicable Data Protection Law” includes the Federal Personal Information Protection and Electronic Documents Act (PIPEDA).
  • Textricks’s Sub-processors, as described in Section 4 of the DPA, are third parties under Applicable Data Protection Law with whom Textricks has entered into a written contract that includes terms substantially similar to this DPA. Textricks has conducted appropriate due diligence on its Sub-processors.
  • Textricks will implement technical and organizational measures as set forth in Section 6 of the DPA.

European Union

  • The definition of “Applicable Data Protection Law” includes the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”).

Israel

  • The definition of “Applicable Data Protection Law” includes the Protection of Privacy Law (PPL).
  • The definition of “Controller” includes “Database Owner” as defined under Applicable Data Protection Law.
  • The definition of “Processor” includes “Holder” as defined under Applicable Data Protection Law.
  • Textricks will require that any personnel authorized to process Customer Content comply with the principle of data secrecy and have been duly instructed about Applicable Data Protection Law. Such personnel sign confidentiality agreements with Textricks in accordance with Section 6 of the DPA.
  • Textricks must take sufficient steps to ensure the privacy of data subjects by implementing and maintaining the security measures as specified in Section 6 of the DPA and complying with the terms of the Agreement.
  • Textricks must ensure that the Personal Data will not be transferred to a Sub-processor unless such Sub-processor has executed an agreement with Textricks pursuant to Section 4.1 of this DPA.

Japan

  • The definition of “Applicable Data Protection Law” includes the Act on the Protection of Personal Information (APPI).
  • The definition of “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Law.
  • The definition of “Controller” includes “Business Operator” as defined under Applicable Data Protection Law. As a Business Operator, Textricks is responsible for the handling of Personal Data in its possession.

Nevada

  • The definition of “Applicable Data Protection Law” includes the Nevada Revised Statutes Chapter 603A.
  • The definition of “Personal Data” includes “Personal Information” as defined under the Nevada Revised Statutes Chapter 603A.

Singapore

  • The definition of “Applicable Data Protection Law” includes the Personal Data Protection Act 2012 (PDPA).
  • Textricks will process Personal Data to a standard of protection in accordance with the PDPA by implementing adequate technical and organizational measures as set forth in Section 6 of the DPA and complying with the terms of the Agreement.

United Kingdom

  • The definition of “Applicable Data Protection Law” includes the Data Protection Act 2018.
  • References in this Addendum to GDPR will be deemed to be references to the corresponding laws of the United Kingdom, this is UK GDPR and Data Protection Act 2018

Virginia

  • The definition of “Applicable Data Protection Law” includes the Virginia Consumer Data Protection Act 2023 (“VCDPA”)
  • The definition of “Data Subject” includes “Consumer” as defined under the VCDPA
.