DATA PROCESSING ADDENDUM

Last Updated: February 28, 2026


This Data Processing Addendum, including its Exhibits (“DPA”), forms part of the Main Services Agreement or other such entitled written agreement between Customer and Seismic addressing use of Seismic products and services (identified either as “Services” or otherwise in the applicable agreement) (the “Agreement”) and is intended to reflect the Parties’ agreement with regard to the Processing of Personal Data.


Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations (defined below), in the name and on behalf of its Affiliates also using or benefitting from the Services, if any. This DPA incorporates the terms of the Agreement, and any terms not defined in this DPA shall have the meaning set forth in the Agreement or under applicable Data Protection Laws and Regulations. In providing the Services to Customer pursuant to the Agreement, Seismic may Process Personal Data on behalf of Customer, and the parties agree to comply with the following provisions with respect to any Personal Data processed by Seismic in accordance with Customer’s documented instructions, the Agreement, and this DPA.


How this DPA applies

This DPA is an addendum to and forms part of the Agreement. Accordingly, the Seismic entity that is party to the Agreement is party to this DPA.


If the Customer entity has executed an Order Form with Seismic or its Affiliate pursuant to the Agreement, but is not itself a party to the Agreement, this DPA is an addendum to that Order Form and applicable renewal Order Form(s), and the Seismic entity that is party to such Order Form is party to this DPA.


If the Customer entity is neither a party to an Order Form nor the Agreement, this DPA is not valid and is not legally binding. Such entity should request that the Customer entity who is a party to the Agreement executes an Order Form or an Agreement. For clarity, Seismic shall have no obligations under this DPA toward any entity that is not a valid contracting party.

  1. Definitions

    Capitalized terms used in this DPA but not otherwise defined herein shall have the respective meanings ascribed to them in the Agreement, unless this DPA expressly provides otherwise.

    1. “Authorized Affiliate” means any of Customer’s Affiliate(s) which (a) is established in or otherwise subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Services pursuant to the Agreement between Customer and Seismic, but has not signed its own Order Form with Seismic.
    2. “Authorized Employee” means an employee of Seismic who has a need to know or otherwise access Personal Data to enable Seismic to perform its obligations under this DPA or the Agreement.
    3. “Authorized Sub-Processor” means a Sub-Processor engaged by Seismic in accordance with Section 6 of this DPA to Process Customer Personal Data on behalf of Customer.
    4. “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act, and its implementing regulations as amended or replaced from time to time.
    5. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
    6. “Customer” means the entity that executed the Agreement. Affiliates shall be included only to the extent they have executed an Order Form or qualify as Authorized Affiliates under this DPA. For the purposes of this DPA only, and except where indicated otherwise, the term “Customer” shall include Customer and its Authorized Affiliates.
    7. “Customer Personal Data” means any Personal Data that is included within “Customer Content” (as defined in the Agreement) and that is submitted by or for Customer to the Services. For clarity, Customer Personal Data consists only of Personal Data relating to Customer or Customer’s personnel, representatives, end users, or other individuals whose Personal Data is provided by or on behalf of Customer. This DPA does not apply to Third-Party Content or Non-Seismic Materials as defined in the Agreement or, if not defined in the Agreement, as defined in the Main Services Agreement at www.seismic.com/terms.
    8. “Customer Usage Data” means Service usage data collected and processed by Seismic in connection with the provision of the Services, including without limitation data used to identify the source and destination of a communication, activity logs, and data used to optimize and maintain performance of the Services, and to investigate and prevent system abuse. Customer Usage Data is processed by Seismic solely as an independent Controller, and not on behalf of Customer. For the avoidance of doubt, Customer Usage Data does not constitute Customer Personal Data, is not processed pursuant to Customer instructions, and is outside the scope of this DPA.
    9. “Data Protection Laws and Regulations” mean all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom, and the United States and its states and any binding guidance or codes of practice issued by a competent Supervisory Authority applicable to the Processing of Personal Data under the Agreement and this DPA.
    10. “Data Subject” means the identified or identifiable person to whom Personal Data relates.
    11. “Deidentified Data” means data that cannot, taking into account all means reasonably likely to be used by Seismic or any other person to identify the Data Subject directly or indirectly, be linked to a Data Subject and where such data is Processed only in accordance with applicable Data Protection Laws and Regulations.
    12. “Europe” means the European Union, the European Economic Area, Switzerland and the United Kingdom.
    13. “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), and, where applicable, as incorporated into United Kingdom law as the UK GDPR.
    14. “Processing” (including its root word, “Process”) means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
    15. “Processor” means the entity which Processes Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined in the CCPA.
    16. “Public Authority” means a government agency or law enforcement authority, including judicial authorities.
    17. “Information Security Documentation” means the Trust & Compliance Documentation applicable to the specific Services purchased by Customer, as updated from time to time in accordance with Section 15 of this DPA, and accessible via Seismic’s Legal Terms Hub or as otherwise made reasonably available by Seismic.
    18. “Seismic” means the Seismic entity which is a party to this DPA, as specified in the section “How this DPA applies” above, being Seismic Software, Inc., a company incorporated in Delaware or an Affiliate of Seismic, as applicable. For the avoidance of doubt, references to Seismic include its Affiliates to the extent they act as Data Importer or Sub-Processor under this DPA.
    19. “Seismic Group” means Seismic and its Affiliates engaged in the Processing of Personal Data.
    20. “Standard Contractual Clauses” or “EU SCCs” means the standard contractual clauses approved by the European Commission pursuant to Article 46(2)(c) GDPR, including Modules One (Controller to Controller), Two (Controller to Processor), Three (Processor to Processor), and Four (Processor to Controller), as applicable.
    21. “Sub-Processor” means any Processor engaged by Seismic or a member of the Seismic Group.
    22. “Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR.
  2. Processing of Personal Data
    1. Customer’s Processing of Personal Data. To the extent that Seismic delivers services to the Customer and the Customer is a Controller of the Personal Data, then the Customer, as Controller, appoints Seismic as a Processor to Process that Personal Data. Customer, in its capacity as Controller or Processor, shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations, including any applicable requirement to provide notice to Data Subjects of the use of Seismic as Processor (including where the Customer is a Processor, by ensuring that the ultimate Controller does so). Customer represents and warrants that all instructions provided to Seismic are documented, lawful, and consistent with the purposes described in Exhibit A, comply with Data Protection Laws and Regulations, and do not place Seismic in breach thereof. Customer, as Controller, shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Customer specifically acknowledges and agrees that its use of the Services will not violate the rights of any Data Subject, including those that have opted out from sales or other disclosures of Personal Data, to the extent applicable under Data Protection Laws and Regulations. For clarity, this Section 2.1 applies solely to Customer Personal Data processed by Seismic as a Processor and does not apply to Customer Usage Data processed by Seismic as a Controller. Customer shall ensure that it has a valid lawful basis under applicable Data Protection Laws and Regulations for all Processing of Personal Data provided to Seismic. Nothing in this DPA shall be construed as creating a relationship of joint controllership between the parties.
    2. Seismic’s Processing of Personal Data. Seismic shall Process Personal Data on behalf of and only in accordance with Customer’s documented, lawful, and reasonable instructions for the following purposes: (i) Processing in accordance with the Agreement and applicable Order Form(s); (ii) Processing initiated by Users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email or other written or electronic means capable of being retained and evidenced) only to the extent such instructions are consistent with the Agreement, this DPA, and Seismic’s standard technical functionality. Seismic shall have no obligation to comply with instructions that require material changes to the Services, are inconsistent with Seismic’s standard technical functionality, impose obligations beyond those required by applicable Data Protection Laws and Regulations, or materially increase Seismic’s risk, cost, or regulatory exposure.
    3. Details of the Processing. The subject matter of Processing of Personal Data by Seismic is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Exhibit A (Description of Processing/Transfer) to this DPA.
  3. Customer Instructions. Seismic shall inform Customer without undue delay (i) if, in its opinion, an instruction from Customer constitutes a breach of applicable Data Protection Laws and Regulations and/or (ii) if Seismic is unable to follow Customer’s instructions for the Processing of Personal Data. Seismic’s obligation is limited to providing such notice; Seismic shall not be required to provide legal advice or assess Customer’s compliance obligations. Seismic shall have no liability arising from any failure to follow Customer instructions where such instructions are unlawful or inconsistent with this DPA or the Agreement. Where required by applicable law, Seismic shall suspend the relevant Processing until the issue is resolved.
  4. Rights of Data Subjects
    1. Data Subject Request. Seismic shall, to the extent legally permitted, promptly and in any event within the timeframe required by applicable Data Protection Laws and Regulations notify Customer of any complaint, dispute or request it has received from a Data Subject such as a Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making, each such request being a “Data Subject Request”. Seismic shall not respond to a Data Subject Request itself, except to the extent required by applicable Data Protection Laws and Regulations, unless Customer authorizes Seismic to redirect the Data Subject Request as necessary to allow Customer to respond directly. Customer acknowledges that Seismic’s notification obligation does not reset, toll, or otherwise extend any statutory deadline applicable to Customer.
    2. Required Assistance. Taking into account the nature of the Processing, Seismic shall assist Customer by appropriate technical and organizational measures, insofar as this is technically feasible within the Services as provided and without requiring material modification, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations.
    3. Additional Assistance. Where required under applicable Data Protection Laws and Regulations and to the extent legally permitted, Seismic shall, upon Customer’s written instructions, use commercially reasonable efforts to assist Customer in responding to Data Subject Requests relating to the Processing of Personal Data under the Services. Such assistance shall be limited to what is reasonably necessary and shall not require Seismic to develop new functionality, re-engineer the Services, or take actions disproportionate to the nature of the Processing. To the extent legally permitted, Customer shall be responsible for paying for any costs arising from Seismic’s provision of such assistance, which shall be at Seismic’s then current professional services rates unless otherwise agreed in writing.
  5. Seismic Personnel and Data Protection Officer
    1. Confidentiality, Reliability, Limitation of Access. Seismic shall ensure that any person it authorizes to Process Personal Data has agreed to protect Personal Data in accordance with Seismic’s confidentiality obligations in the Agreement. Customer agrees that Seismic may disclose Personal Data to its advisers, auditors or other third-parties as reasonably required in connection with the performance of its obligations under this DPA, the Agreement, or the provision of Services to Customer. Seismic shall take commercially reasonable steps to ensure the reliability and appropriate training of any Authorized Employee. Seismic shall take commercially reasonable steps to limit access to Personal Data to only Authorized Employees or Sub-Processors.
    2. Data Protection Officer. Seismic’s Data Protection Officer may be reached at Privacy@seismic.com.
  6. Sub-Processors
    1. Seismic's Sub-Processors. Customer has instructed or authorized the use of Sub-Processors to assist Seismic with respect to the performance of Seismic's obligations under the Agreement pursuant to a written contract that binds each Sub-Processor to comply with applicable Data Protection Laws and Regulations and with terms no less protective of privacy than the terms in this DPA. Seismic shall be liable for the acts and omissions of its Sub-Processors only to the extent required under Article 28(4) GDPR and other applicable Data Protection Laws and Regulations, and subject always to the limitations and exclusions of liability set forth in the Agreement. Seismic is not responsible for the acts or omissions of Sub-Processors caused by Customer’s instructions or configurations.
    2. List of Seismic’s Sub-Processors and Notification of New Sub-Processors. A list of Seismic’s current Sub-Processors, including a description of their Processing activities and locations, is made available upon Customer’s request. Customer acknowledges and agrees that (a) Seismic’s Affiliates may be retained as Sub-Processors; and (b) Seismic and Seismic’s Affiliates respectively may engage third-party Sub-Processors in connection with the provision of the Service.
    3. Right to object to a new Sub-Processor. In order to exercise its right to object to Seismic’s use of a new Sub-Processor, Customer shall notify Seismic promptly in writing within ten (10) business days after receipt of Seismic’s notice. In the event Customer objects to a new Sub-Processor within such time period, and that objection is reasonable, Seismic will use reasonable efforts to make available to Customer a change in the Service or recommend a commercially-reasonable change to Customer’s configuration or use of the Service to avoid Processing of Personal Data by the objected-to new Sub-Processor without unreasonably burdening the Customer. If Seismic is unable to make available such change within a reasonable time period, which shall not exceed thirty (30) days, Customer may terminate the applicable Order Form(s) with respect only to those aspects of the Service which cannot be provided by Seismic without the use of the objected-to new Sub-Processor by providing written notice to Seismic. Seismic will refund Customer any prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination with respect to such terminated Service. Customer’s termination right as set forth in this Section 6.3 is Customer’s sole and exclusive remedy with respect to any objection to a new Sub-Processor, and Seismic shall not be liable for any claims arising from Seismic’s use of a Sub-Processor to which Customer did not timely object or for which Customer’s objection was not based on reasonable grounds relating to Data Protection Laws and Regulations. In the event of no objection from Customer within such ten (10) day time period, the Sub-Processor will be deemed accepted and authorized.
    4. Sub-Processors and the Standard Contractual Clauses. Customer acknowledges and agrees that Seismic may engage Sub-Processors as described in this section for the fulfilment of Seismic’s obligations under Clause 9 of the Standard Contractual Clauses, as applicable. The parties agree that the copies of the Sub-Processor agreements that must be provided by Seismic to Customer pursuant to Clause 9(c) of the Standard Contractual Clauses may have all commercial information, or clauses unrelated to the Standard Contractual Clauses or their equivalent, removed by Seismic beforehand to protect business secrets or other confidential information; and, that such copies will be provided by Seismic, in a manner to be determined in its discretion, only upon written request by Customer and solely to the extent required under the Standard Contractual Clauses or applicable Data Protection Laws and Regulations.
  7. Security, Certifications and Audit
    1. Controls for the Protection of Customer Personal Data to the extent it contains Personal Data. Seismic shall maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Personal Data), confidentiality and integrity of Customer Personal Data, as set forth in Information Security Documentation. Seismic periodically monitors compliance with these measures. Seismic will not materially decrease the overall security of the Services during an Order Form term.
    2. Third-Party Certifications and Audits. Seismic has obtained the third-party certifications and audits set forth in the Information Security Documentation for each applicable Service. Where Seismic has obtained ISO 27001 certifications and SSAE 18 Service Organization Control (SOC) 2 reports for a particular Service as described in the Information Security Documentation, Seismic agrees to maintain these certifications or standards, or appropriate and comparable successors thereof, for the duration of the Agreement.
    3. Audit Program. Seismic shall maintain an audit program to help ensure compliance with the obligations set out in this DPA and shall make available to Customer information to demonstrate compliance with the obligations set out in this DPA, including those obligations required by applicable Data Protection Laws and Regulations, as set forth in this section 7.
      1. Access to Third-Party Certifications and Audits Information. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Seismic shall: (i) make available to Customer (or Customer’s Third-Party Auditor - as defined below in section 7.3.4) information regarding Seismic’s compliance with the obligations set forth in this DPA in the form of a copy of Seismic’s then most recent third-party audits or certifications set forth in the Information Security Documentation. Such third-party audits or certifications may also be shared with Customer’s competent supervisory authority on its request; (ii) provide Customer with a report and/or confirmation of Seismic's audits of third-party Sub-Processors’ compliance with the data protection controls set forth in this DPA and/or a report of third-party auditors’ audits of third-party Sub-Processors that have been provided by those third-party Sub-Processors to Seismic, to the extent such reports or evidence may be shared with Customer (“Third-party Sub-Processor Audit Reports”). Customer acknowledges that (i) Third-party Sub-Processor Audit Reports shall be considered Confidential Information as well as confidential information of the third-party Sub-Processor and (ii) certain third-party Sub-Processors to Seismic may require Customer to execute a non-disclosure agreement with them in order to view a Third-party Sub-Processor Audit Report.
      2. On-Site Audit. Customer can request an on-site audit of Seismic’s Processing activities covered by this DPA (“On-Site Audit”) only where strictly required by Data Protection Laws and Regulations and where no less intrusive means are reasonably available. An On-Site Audit may be conducted by Customer either itself or through a Third-Party Auditor selected by Customer when: (i) Customer has identified in writing specific, documented deficiencies in the third-party certifications or audits provided pursuant to Section 7.2 (Third-Party Certifications and Audits) that indicate potential non-compliance with specific obligations set out in this DPA and its Exhibits; (ii) Customer has received a notice from Seismic of a Customer Personal Data Incident (as defined below in section 8); or (iii) such an audit is required by Data Protection Laws and Regulations or by Customer’s competent supervisory authority. Any On-Site Audits will be limited to Customer Personal Data Processing and storage facilities operated by Seismic or any of Seismic’s Affiliates strictly to verify Seismic’s compliance with the specific obligations set forth in this DPA and shall not be used to assess Seismic’s general security posture or practices beyond those obligations or include access to Seismic’s internal corporate systems, non-relevant environments, or other customers’ data. Nothing in this section shall restrict the powers of a competent Supervisory Authority. Under no circumstances shall Customer or its auditor be permitted to conduct penetration testing, vulnerability scanning, or access source code.
      3. Reasonable Exercise of Rights. An On-Site Audit shall be conducted by Customer or its Third-Party Auditor: (i) acting reasonably, in good faith, and in a proportional manner, taking into account the nature and complexity of the Services used by Customer; (ii) up to one time per year with at least three weeks’ advance written notice per Customer group, regardless of the number of Authorized Affiliates. If an emergency justifies a shorter notice period, Seismic will use good faith efforts to accommodate the On-Site Audit request; and (iii) during Seismic's normal business hours, under reasonable duration and shall not unreasonably interfere with Seismic’s day-to-day operations. Customer acknowledges that Seismic operates in a multi-tenant cloud environment. Before any On-Site Audit commences, Customer and Seismic shall mutually agree upon the scope, timing, and duration of the audit and the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by or on behalf of Seismic including Seismic personnel time, administrative costs, and reasonable overhead incurred in connection with the audit. Seismic shall have the right to reasonably adapt the scope of any On-Site Audit to avoid or mitigate risks with respect to, and including, service levels, availability, and confidentiality of other Seismic customers’ information.
      4. Third-Party Auditor. A Third-Party Auditor means a third-party independent contractor that is not a competitor of Seismic. An On-Site Audit can be conducted through a Third-Party Auditor if: (i) prior to the On-Site Audit, the Third-Party Auditor enters into a non-disclosure agreement containing confidentiality provisions no less protective than those set forth in the Agreement to protect Seismic’s proprietary and confidential information; and (ii) the costs of the Third-Party Auditor are at Customer’s sole expense. Seismic may reasonably reject auditors whose access would pose a security or confidentiality risk.
      5. Findings. Customer must promptly provide Seismic with all information discovered during the course of an On-Site Audit.
    4. Data Protection Impact Assessment. Upon Customer’s written request, Seismic shall provide Customer with reasonable cooperation limited to information already available to Seismic and documented in the Information Security Documentation or this DPA needed to fulfil Customer’s obligation under Data Protection Laws and Regulations to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Seismic. Seismic does not provide Customer with legal advice or determine whether a DPIA is required.
  8. Customer Personal Data Incident Management and Notification. Seismic maintains security incident management policies and procedures specified in the Information Security Documentation and shall notify Customer without undue delay and in accordance with the timelines set out in the Information Security Documentation after becoming aware of any confirmed accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data, including Personal Data, transmitted, stored or otherwise Processed by Seismic or its Sub-Processors of which Seismic becomes aware while acting as Processor. Seismic’s notification obligations are informational only and do not constitute an acknowledgment of fault, liability, or violation of Data Protection Laws and Regulations.
  9. Government Requests

    1. Seismic requirements. As a Processor, Seismic shall maintain appropriate measures to protect Personal Data in accordance with the requirements of Data Protection Laws and Regulations, including by implementing appropriate technical and organizational safeguards to protect Personal Data against any interference that goes beyond what is necessary in a democratic society to safeguard national security, defence and public security. If Seismic receives a legally binding request to access Personal Data from a Public Authority, Seismic shall, unless otherwise legally prohibited, use commercially reasonable efforts to notify Customer including a summary of the nature of the request. To the extent Seismic is prohibited by law from providing such notification, Seismic shall use commercially reasonable efforts to obtain a waiver of the prohibition to enable Seismic to communicate as much information as possible, without undue delay. Further, Seismic shall challenge the request if, after careful assessment, acting reasonably and in good faith, it concludes that there are reasonable grounds to consider that the request is unlawful. Seismic shall pursue appeals where available where commercially reasonable and proportionate. When challenging a request, Seismic shall seek interim measures to suspend the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the Personal Data requested until required to do so under the applicable procedural rules. Seismic agrees it will provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request. Seismic shall promptly notify Customer if Seismic becomes aware of any direct access by a Public Authority to Personal Data and provide information available to Seismic in this respect, to the extent permitted by law. 
    Seismic represents, based on reasonable internal inquiry as of the Effective Date, that (1) it has not created back doors or similar programming for the purpose of allowing access to the Services and/or Personal Data by any Public Authority; (2) it has not created or changed its business processes in a manner that facilitates access to the Services and/or Personal Data by any Public Authority; and (3) at the Effective Date, it is not currently aware of any national law or government policy requiring Seismic to create or maintain back doors, or to facilitate access to the Services and/or Personal Data, to keep in its possession any encryption keys or to hand over the encryption key to any third-party. If Seismic receives an order from a government to suspend or cease cloud operations in Europe, Seismic will use commercially reasonable efforts to promptly contest such a measure using all legal avenues available, including by pursuing litigation in court where such action is viable and does not impose disproportionate burden.
    2. Sub-Processors requirements. Seismic shall ensure that Sub-Processors involved in the Processing of Personal Data are subject to the relevant commitments regarding Government Access Requests in the Standard Contractual Clauses.
  10. Return and Deletion of Customer Personal Data. Seismic shall, to the extent allowed by applicable law, return Customer Personal Data to Customer or delete or anonymise Customer Personal Data in a manner that irreversibly prevents identification of Data Subjects in accordance with applicable Data Protection Laws and Regulations and in accordance with the procedures and timeframes specified in the Information Security Documentation. Notwithstanding the foregoing, Seismic may retain Customer Personal Data to the extent required under applicable law or permitted for legitimate compliance, security, audit, or dispute resolution purposes. Until Customer Personal Data is deleted or returned, Seismic shall continue to comply with this DPA and its Exhibits.
  11. Authorized Affiliates
    1. Contractual Relationship. The parties acknowledge and agree that Customer enters into this DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between Seismic and each such Authorized Affiliate subject to the provisions of the Agreement and this section 11. Each Authorized Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the avoidance of doubt, an Authorized Affiliate is not and does not become a party to the Agreement and is a party only to this DPA. All access to and use of the Services and Content by Authorized Affiliates must comply with the terms and conditions of the Agreement and any violation of the terms and conditions of the Agreement by an Authorized Affiliate shall be deemed a violation by Customer. For clarity, no Authorized Affiliate shall obtain rights exceeding those granted to Customer under the Agreement, and Seismic’s obligations shall not expand due to the addition of Authorized Affiliates. Customer is responsible for ensuring that all Authorized Affiliates comply with Customer’s obligations under this DPA and the Agreement.
    2. Communication. The Customer that is the contracting party to the Agreement shall remain responsible for coordinating all communication with Seismic under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.
    3. Rights of Authorized Affiliates. Where an Authorized Affiliate becomes a party to this DPA with Seismic, it shall, to the extent required under applicable Data Protection Laws and Regulations, be entitled to exercise the rights and seek remedies under this DPA, subject to the following:
      1. Except where applicable Data Protection Laws and Regulations require the Authorized Affiliate to exercise a right or seek any remedy under this DPA against Seismic directly by itself, the parties agree that (i) solely the Customer that is the contracting party to the Agreement shall exercise any such right or seek any such remedy on behalf of the Authorized Affiliate, and (ii) the Customer that is the contracting party to the Agreement shall exercise any such rights under this DPA, not separately for each Authorized Affiliate individually, but in a combined manner for itself and all of its Authorized Affiliates together (as set forth, for example, in section 11.3.2, below).
      2. The parties agree that the Customer that is the contracting party to the Agreement shall, when carrying out an On-Site Audit of the procedures relevant to the protection of Personal Data, take all reasonable measures to limit any impact on Seismic and its Sub-Processors by combining, to the extent reasonably possible, several audit requests carried out on behalf of itself and all of its Authorized Affiliates in one single audit.
  12. Limitation of Liability

    Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and Seismic, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together. For the avoidance of doubt, Seismic’s and its Affiliates’ total liability for all claims from Customer and all of its Authorized Affiliates arising out of or related to the Agreement and all DPAs shall apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, including by Customer and all Authorized Affiliates, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Authorized Affiliate that is a contractual party to any such DPA. Nothing in this section shall limit liability to the extent such limitation is prohibited by applicable Data Protection Laws and Regulations. For the avoidance of doubt, nothing in this DPA creates statutory liability where none would otherwise exist under applicable Data Protection Laws and Regulations.

  13. Europe Specific Provisions
    1. Definitions. For the purposes of this section 13 and Exhibit A these terms shall be defined as follows:
      1. “European Personal Data” means the Personal Data subject to European Data Protection Laws and Regulations. “European Data Protection Laws and Regulations” means the Data Protection Laws and Regulations applying in Europe.
      2. "SCC Module 2" means Module Two (Controller-to-Processor) of the EU SCCs, including the applicable Clauses and Annexes.
      3. "SCC Module 3" means Module Three (Processor-to-Processor) of the EU SCCs, including the applicable Clauses and Annexes.
    2. GDPR. Seismic will Process Personal Data in accordance with the GDPR requirements directly applicable to Seismic’s provision of its Services.
    3. Transfers of Personal Data
      1. The parties agree that Seismic may transfer Personal Data processed under this DPA outside Europe as necessary to provide the Services. Customer acknowledges that Seismic’s primary Processing operations take place in the United States, and that the transfer of Customer’s Personal Data to the United States is necessary for the provision of the Services to Customer. If Seismic transfers Personal Data protected under this DPA to a jurisdiction for which the European Commission has not issued an adequacy decision, Seismic will ensure that appropriate safeguards have been implemented for the transfer of Personal Data in accordance with Data Protection Laws and Regulations. Customer acknowledges that transfer mechanisms may be updated or replaced by Seismic as permitted under Data Protection Laws and Regulations.
      2.  Ex-EEA Transfers. The parties agree that ex-EEA Transfers are made pursuant to the EU SCCs, which are deemed entered into (and incorporated into this DPA by this reference) and completed as follows:
        1. Module One (Controller to Controller) of the EU SCCs apply when Seismic is Processing Personal Data as a controller pursuant to Section 9 of this DPA only where Seismic independently determines the purposes and means of Processing. Module One (Controller to Controller) applies where Seismic processes Customer Usage Data as an independent controller.
        2. Module Two (Controller to Processor) of the EU SCCs apply when Customer is a controller and Seismic is Processing Personal Data for Customer as a processor pursuant to Section 2 of this DPA.
        3. Module Three (Processor to Processor) of the EU SCCs apply when Customer is a processor and Seismic is Processing Personal Data on behalf of Customer as a Sub-Processor.
      3.  For each module, where applicable the following applies:
        1. The optional docking clause in Clause 7 does not apply;
        2. In Clause 9, Option 2 (general written authorization) applies, and the minimum time period for prior notice of Sub-Processor changes shall be as set forth in Section 6.2 of this DPA;
        3. In Clause 11, the optional language does not apply;
        4. All optional bracketed selections are deemed completed as specified in this Section 13.3;
        5. In Clause 17 (Option 1), the EU SCCs will be governed by laws of the Republic of Ireland;
        6. In Clause 18(b), disputes will be resolved before the courts with jurisdiction located at Dublin, Ireland;
        7. Exhibit B to this DPA contains the information required in Annex I of the EU SCCs;
        8. Exhibit C to this DPA contains the information required in Annex II of the EU SCCs; and
        9. By entering into this DPA, the parties are deemed to have signed the EU SCCs incorporated herein, including their Annexes.
      4.  Ex-UK Transfers. The parties agree that ex-UK Transfers are made pursuant to the UK SCCs, which are deemed entered into and incorporated into this DPA by reference, and amended and completed in accordance with the UK Addendum, which is incorporated herein as Exhibit D of this DPA. In the event of any conflict or inconsistency between the EU SCCs and the UK Addendum in relation to such transfers, the UK Addendum shall prevail.
      5.  Transfers from Switzerland. The parties agree that transfers from Switzerland are made pursuant to the EU SCCs with the following modifications:
        1. The terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as utilized in the EU SCCs shall be interpreted to include the Federal Act on Data Protection of 19 June 1992 (the “FADP,” and as revised as of 25 September 2020, the “Revised FADP”) with respect to data transfers subject to the FADP.
        2. The terms of the EU SCCs shall be interpreted to protect the data of legal entities until the effective date of the Revised FADP.
        3. Clause 13 of the EU SCCs is modified to provide that the Federal Data Protection and Information Commissioner (“FDPIC”) of Switzerland shall have authority over data transfers governed by the FADP and the appropriate EU supervisory authority shall have authority over data transfers governed by the GDPR. Subject to the foregoing, all other requirements of Section 13 shall be observed.
        4. The term “EU Member State” as utilized in the EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the EU SCCs.
      6.  Supplementary Measures. In respect of any ex-EEA Transfer or ex-UK Transfer, the following supplementary measures shall apply:
        1. As of the date of this DPA, the Data Importer has not received any known formal legal requests that would, in Seismic’s reasonable assessment, prevent compliance with the Standard Contractual Clauses or from any government intelligence or security service/agencies in the country to which the Personal Data is being exported, for access to (or for copies of) Customer’s Personal Data (“Government Agency Requests”);
        2. If, after the date of this DPA, the Data Importer receives any Government Agency Requests, Seismic shall attempt to redirect the law enforcement or government agency to request that data directly from Customer. Any redirection efforts shall be limited to what is lawful and commercially reasonable. As part of this effort, Seismic may provide Customer’s basic contact information to the government agency. If compelled to disclose Customer’s Personal Data to a law enforcement or government agency, Seismic shall give Customer reasonable notice of the demand and cooperate to allow Customer to seek a protective order or other appropriate remedy unless Seismic is legally prohibited from doing so. Seismic shall not voluntarily disclose Personal Data to any law enforcement or government agency. Data Exporter and Data Importer shall (as soon as reasonably practicable) discuss and determine whether all or any transfers of Personal Data pursuant to this DPA should be suspended in the light of such Government Agency Requests; and
        3. The Data Exporter and Data Importer will meet regularly to consider whether:

          A. the protection afforded by the laws of the country of the Data Importer to data subjects whose Personal Data is being transferred is sufficient to provide broadly equivalent protection to that afforded in the EEA or the UK, whichever the case may be;
          B. additional measures are reasonably necessary to enable the transfer to be compliant with the Data Protection Laws and Regulations; and
          C. it is still appropriate for Personal Data to be transferred to the relevant Data Importer, taking into account all relevant information available to the parties, together with guidance provided by the supervisory authorities.

        4. If Data Protection Laws and Regulations require the Data Exporter to execute the Standard Contractual Clauses applicable to a particular transfer of Personal Data to a Data Importer as a separate agreement, the Data Importer shall, on request of the Data Exporter, promptly execute such Standard Contractual Clauses incorporating such amendments as may reasonably be required by the Data Exporter to reflect the applicable appendices and annexes, the details of the transfer and the requirements of the relevant Data Protection Laws and Regulations.
      7. If either (i) any of the means of legitimizing transfers of Personal Data outside of Europe set forth in this DPA cease to be valid or (ii) any supervisory authority requires transfers of Personal Data pursuant to those means to be suspended, then Data Importer may by notice to the Data Exporter, with effect from the date set out in such notice, amend or put in place alternative arrangements in respect of such transfers, as required by Data Protection Laws and Regulations.

  14. Conflict. In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) the applicable terms in the Standard Contractual Clauses; (2) the terms of this DPA; (3) the Agreement; and (4) Seismic’s privacy policy set forth at https://seismic.com/legal/policies/privacy-policy/. Any claims brought in connection with this DPA will be subject to the terms and conditions, including, but not limited to, the exclusions and limitations set forth in the Agreement and no provision of this DPA shall be interpreted to expand Seismic’s liability or obligations beyond what is expressly provided in the Agreement.

  15. Amendments. Seismic may update this DPA from time to time to reflect changes in applicable Data Protection Laws and Regulations, industry standards, or Seismic’s data processing practices, provided that such updates do not materially reduce the level of protection afforded to Customer under this DPA during the applicable subscription term. If the update is material, Seismic will provide notice to Customer by reasonable means. If Customer objects to a material update, Customer must notify Seismic in writing within ten (10) business days of such notice. The parties will discuss the objection in good faith. If the parties are unable to resolve the objection within a reasonable period, Customer may terminate the affected Services upon written notice, and Seismic will refund any prepaid fees covering the remainder of the applicable subscription term for the terminated Services. Updates required to comply with applicable Data Protection Laws and Regulations shall not be subject to objection.

List of Exhibits
Exhibit A: Description of Processing/Transfer
Exhibit B: Transfer Mechanisms for European Data Transfers
Exhibit C: Description of the Technical and Organizational Security Measures implemented by the Data Importer
Exhibit D: International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (UK Addendum)


Exhibit A – Description of Processing/Transfer

Details of Processing are disclosed for all platforms but are only applicable to platforms Customer has licensed.

  1. Nature and Purpose of Processing: Seismic will Process Customer’s Personal Data as necessary to provide the Services under the Agreement, for the purposes specified in the Agreement and this DPA, and in accordance with Customer’s instructions as set forth in this DPA.
  2. Duration of Processing: Seismic will Process Customer’s Personal Data as long as required (i) to provide the Services to Customer under the Agreement; (ii) for Seismic’s legitimate business needs where such Processing is conducted as an independent Controller and outside the scope of this DPA, including internal analytics, security, compliance, and service improvement purposes, where such Processing is permitted by law and, where required, performed on de-identified or aggregated data; or (iii) by applicable law or regulation. Customer Account Data and Customer Usage Data will be processed and stored as set forth in Seismic’s privacy policy which may be updated from time to time.
  3. Categories of Data Subjects: The Personal Data transferred may concern:
    a. Authorized End Users of data exporter and its Affiliates (employees, agents and third-party representatives)
    b. Customer and clients, as well as potential customers and clients of data exporter and its Affiliates
  4. Categories of Personal Data: Seismic processes any Personal Data provided by Customer (including any Personal Data Customer collects from its end users and processes through its use of the Services) or collected by Seismic in order to provide the Services or as otherwise set forth in the Agreement or this DPA. Categories of Personal Data include:
    a. Authorized User first and last name
    b. Authorized User email address
    c. Authorized User phone number
    d. Authorized User job title
    e. Authorized User employer name
    f. Authorized User username
    g. Authorized User password
    h. Authorized User video recordings
    i. Names of Customer’s existing and potential customers
    j. Email addresses of Customer’s existing and potential customers
    k. Phone numbers of Customer’s existing and potential customers
    l. Job title of Customer’s existing and potential customers
    m. Employer name of Customer’s existing and potential customers
    n. Metrics regarding customer access
    o. OAuth2 Tokens
    p. Social Handles
    q. IP Addresses
  5. Sensitive Data or Special Categories of Data: None unless uploaded by Customer in violation of the Agreement, in which case Seismic shall have no obligation to Process such data and may delete it without notice.

Exhibit B – Transfer Mechanisms for European Data Transfers

The following includes the information required by Annex I and, where applicable, Annex III of the EU SCCs, and Table 1, Annex 1A, and Annex 1B of the UK Addendum.

  1. The Parties

    Data exporter(s): The Customer
    Contact details: As designated by Customer in notice section of the Agreement.
    Signature and date: By entering into the Agreement, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, as of the Effective Date of the Agreement.
    Role (controller/processor): The Data Exporter’s role is set forth in Section 2 of this DPA.

    Data importer(s): Seismic Software, Inc. and its Affiliates
    Address: 11455 El Camino Real STE 350, San Diego, CA 92130
    Tel.: 855-466-8748; fax: n/a; e-mail: privacy@seismic.com
    Signature and date: By entering into the Agreement, Data Importer is deemed to have signed these Standard Contractual Clauses incorporated herein, as of the Effective Date of the Agreement.
    Role (controller/processor): The Data Importer’s role is set forth in Section 2 of this DPA.
  2. Description of the Transfer
    Data Subjects: As described in Exhibit A to the DPA.
    Categories of Personal Data: As described in Exhibit A to the DPA.
    Special Category Personal Data (if applicable): N/A.
    Nature of the Processing: As described in the Agreement and this DPA.
    Purposes of Processing: To provide the Services and to perform all other obligations under the Agreement and DPA.
    Duration of Processing and Retention (or the criteria to determine such period): As described in Exhibit A to the DPA.
    Frequency of the transfer: As necessary to provide the Services and to perform all other obligations under the Agreement and DPA.
    Recipients of Personal Data Transferred to the Data Importer: As listed in Seismic’s Sub-Processor list made available in accordance with Section 6.2 of this DPA.

  3. Competent Supervisory Authority

    The supervisory authority shall be the supervisory authority of the Data Exporter, as determined in accordance with Clause 13 of the EU SCCs. The supervisory authority for the purposes of the UK Addendum shall be the UK Information Commissioner’s Office.

Exhibit C
Description of the Technical and Organizational Security Measures implemented by the Data Importer

The following includes the information required by Annex II of the EU SCCs and Annex II of the UK Addendum.


Seismic maintains security incident management policies and procedures specified in the Information Security Documentation.


Seismic shall maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Personal Data), confidentiality and integrity of Customer Personal Data, as set forth in the Information Security Documentation.


Seismic periodically monitors compliance with these measures and will not materially decrease the overall security of the Services during a subscription term. Seismic has obtained the third-party certifications and audits set forth in the Information Security Documentation for each applicable Service. Where Seismic has obtained ISO 27001 certifications and SSAE 18 Service Organization Control (SOC) 2 reports for a particular Service as described in the Information Security Documentation, Seismic agrees to maintain these certifications or standards, or appropriate and comparable successors thereof, for the duration of the Agreement.


Further technical and organizational measures include, without limitation, access controls, encryption at rest and in transit, logging, and incident response governance, as further detailed in the Information Security Documentation. Further details of Seismic’s technical and organizational security measures are set out in the Information Security Documentation applicable to the specific Services purchased by Customer, as updated from time to time and made available via Seismic’s Trust and Compliance webpage or as otherwise made reasonably available by Seismic.

Exhibit D
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (UK Addendum)

The following UK Addendum is incorporated into this DPA in accordance with Section 13.3.4.

Part 1: Tables
Table 1: Parties

 

Start Date: This UK Addendum shall have the same effective date as the DPA.

| The Parties | Exporter | Importer |
| --- | --- | --- |
| Parties’ Details | Customer | Seismic |
| Key Contact | See Exhibit B of this DPA | See Exhibit B of this DPA |

Table 2: Selected SCCs, Modules and Selected Clauses

EU SCCs: The Version of the Approved EU SCCs which this UK Addendum is appended to as defined in the DPA and completed by 13.3 of the DPA.

Table 3: Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this UK Addendum is set out in:

Annex 1A: List of Parties: As per Table 1 above
Annex 1B: Description of Transfer: See Exhibit B of this DPA
Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data: See Exhibit C of this DPA
Annex III: List of Sub-Processors (Modules 2 and 3 only): See Exhibit B of this DPA

Table 4: Ending this UK Addendum when the Approved UK Addendum Changes

Ending this UK Addendum when the Approved UK Addendum changes  Importer
 Exporter
 Neither Party

Entering into this UK Addendum:

  1. Each party agrees to be bound by the terms and conditions set out in this UK Addendum, in exchange for the other party also agreeing to be bound by this UK Addendum.
  2. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making ex-UK Transfers, the Parties may enter into this UK Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this UK Addendum. Entering into this UK Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.
Interpretation of this UK Addendum

  3. Where this UK Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
    UK Addendum means this International Data Transfer Addendum incorporating the EU SCCs, attached to the DPA as Exhibit D.
    EU SCCs means the version(s) of the Approved EU SCCs which this UK Addendum is appended to, as set out in Table 2, including the Appendix Information.
    Appendix Information shall be as set out in Table 3.
    Appropriate Safeguards means the standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws and Regulations when you are making an ex-UK Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR.
    Approved UK Addendum means the template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as may be revised under Section 18 of the UK Addendum.
    Approved EU SCCs means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of personal data to countries not otherwise recognized as offering an adequate level of protection for personal data by the European Commission (as amended and updated from time to time).
    ICO means the Information Commissioner of the United Kingdom.
    ex-UK Transfer shall have the same definition as set forth in the DPA.
    UK means the United Kingdom of Great Britain and Northern Ireland.
    UK Data Protection Laws and Regulations means all laws and regulations relating to data protection, the Processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
    UK GDPR shall have the definition set forth in the DPA.

  4. The UK Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and Regulations so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
  5. If the provisions included in the UK Addendum amend the Approved EU SCCs in any way which is not permitted under the Approved EU SCCs or the Approved UK Addendum, such amendment(s) will not be incorporated in the UK Addendum and the equivalent provision of the Approved EU SCCs will take their place.
  6. If there is any inconsistency or conflict between UK Data Protection Laws and Regulations and the UK Addendum, UK Data Protection Laws and Regulations applies.
  7. If the meaning of the UK Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws and Regulations applies.
  8. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after the UK Addendum has been entered into.

Hierarchy

  9. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for ex-UK Transfers, the hierarchy in Section 10 below will prevail.
  10. Where there is any inconsistency or conflict between the Approved UK Addendum and the EU SCCs (as applicable), the Approved UK Addendum overrides the EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved UK Addendum.
  11. Where this UK Addendum incorporates EU SCCs which have been entered into to protect ex-EU Transfers subject to the GDPR, then the parties acknowledge that nothing in the UK Addendum impacts those EU SCCs.

Incorporation and Changes to the EU SCCs:

  12. This UK Addendum incorporates the EU SCCs which are amended to the extent necessary so that:
    a) together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws and Regulations apply to the data exporter’s Processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
    b) Sections 9 to 11 above override Clause 5 (Hierarchy) of the EU SCCs; and
    c) the UK Addendum (including the EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales.
  13. Unless the parties have agreed alternative amendments which meet the requirements of Section 12 of this UK Addendum, the provisions of Section 15 of this UK Addendum will apply.
  14. No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 of this UK Addendum may be made.
  15. The following amendments to the EU SCCs (for the purpose of Section 12 of this UK Addendum) are made:
    a) References to the “Clauses” means this UK Addendum, incorporating the EU SCCs;
    b) In Clause 2, delete the words: “and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
    c) Clause 6 (Description of the transfer(s)) is replaced with: “The details of the transfer(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws and Regulations apply to the data exporter’s Processing when making that transfer”;
    d) Clause 8.7(i) of Module 1 is replaced with: “it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
    e) Clause 8.8(i) of Modules 2 and 3 is replaced with: “the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
    f) References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws and Regulations”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws and Regulations;
    g) References to Regulation (EU) 2018/1725 are removed;
    h) References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
    i) The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;
    j) Clause 13(a) and Part C of Annex I are not used;
    k) The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
    l) In Clause 16(e), subsection (i) is replaced with: “the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
    m) Clause 17 is replaced with: “These Clauses are governed by the laws of England and Wales;”
    n) Clause 18 is replaced with: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The parties agree to submit themselves to the jurisdiction of such courts.”; and
    o) The footnotes to the Approved EU SCCs do not form part of the UK Addendum, except for footnotes 8, 9, 10 and 11.

Amendments to the UK Addendum

  16. The parties may agree to change Clauses 17 and/or 18 of the EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
  17. If the parties wish to change the format of the information included in Part 1: Tables of the Approved UK Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
  18. From time to time, the ICO may issue a revised Approved UK Addendum which:
    a) makes reasonable and proportionate changes to the Approved UK Addendum, including correcting errors in the Approved UK Addendum; and/or
    b) reflects changes to UK Data Protection Laws and Regulations;

    The revised Approved UK Addendum will specify the start date from which the changes to the Approved UK Addendum are effective and whether the parties need to review this UK Addendum including the Appendix Information. This UK Addendum is automatically amended as set out in the revised Approved UK Addendum from the start date specified.

  19. If the ICO issues a revised Approved UK Addendum under Section 18 of this UK Addendum, if a party will as a direct result of the changes in the Approved UK Addendum have a substantial, disproportionate and demonstrable increase in:
    a) its direct costs of performing its obligations under the UK Addendum; and/or
    b) its risk under the UK Addendum,

    and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that party may end this UK Addendum at the end of a reasonable notice period, by providing written notice for that period to the other party before the start date of the revised Approved UK Addendum.

  20. The parties do not need the consent of any third-party to make changes to this UK Addendum, but any changes must be made in accordance with its terms.