DiligenceVault Data Processing Agreement

  • Home
  • DiligenceVault Data Processing Agreement

DiligenceVault Data Processing Agreement

Current as of December 17, 2023 (Version 2023.v2)

This Data Protection Agreement (“DPA”) forms a part of the Terms and Conditions entered between Customer (as defined below) and DiligenceVault Corp. (“DiligenceVault”) (the “Agreement”), unless the parties have entered into a superseding DPA agreement.

 In the course of providing the Services, DiligenceVault may process certain Personal Data (defined below), and where DiligenceVault processes such Personal Data, the parties agree to comply with the terms and conditions in this DPA in connection with such Personal Data.

 DEFINITIONS

“Authorized Users” means an employee, client, or contractor whom Customer has authorized to use the Services.

“CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et. Seq

“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

“Customer” means an entity or natural person that signed an Agreement with DiligenceVault.

“Customer Data” means all information, data, content and other materials, in any form or medium, that is submitted, posted, collected, transmitted or otherwise provided by or on behalf of Customer through the Services or to DiligenceVault in connection with the use of the Services.

“Data Exporter” means a Controller which is transferring Customer Data directly or via onward transfer to a country that triggers additional requirements for the protection of Personal Data being transferred in accordance with Data Protection Laws.

“Data Importer” means a Processor which receives Personal Data directly from a Data Exporter, or via onward transfer, and that is located in a country that triggers additional requirements for the protection of Customer Data being transferred in accordance with Data Protection Laws.

“Data Protection Laws” means all laws and regulations applicable to DiligenceVault’s processing of Personal Data while providing Services.

“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

“EEA” means the European Economic Area.

“EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, completed as set forth in Annex 1 to this DPA.

“European Data Protection Legislation” means, as applicable: (a) the GDPR; and/or (b) the Federal Data Protection Act of 19 June 1992 (Switzerland).

“Non-European Data Protection Legislation” means data protection or privacy legislation in force outside the European Economic Area and Switzerland.

“Personal Data” means any information that relates to an identified or identifiable natural person, to the extent that such information is protected as personal data under applicable Data Protection Laws.

“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processor” means the entity which processes Personal Data on behalf of the Controller.

“Services” means the use of any of DiligenceVault’s software modules, related sites, apps, communications or any other services provided by DiligenceVault.

“Sub-processor” means third-party service providers Processors used by DiligenceVault to process Personal Data on behalf of Controller.

“Terms and Conditions” means the terms and conditions agreed to in order to use the Services.

“UK SCC Addendum” means the United Kingdom International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses for international data transfers version B1.0 issued by the UK Information Commissioner under Section 119A of the UK Data Protection Act of 2018 and entered into force on 21 March 2022, as updated, amended, or replaced from time to time.

“User(s)”  means any user of our Services, either (i) employees, contractors, agents, affiliates or any authorized users of Customer’s, (ii) a Person on a Services trial, or (iii) a Person who received an invitation to use DiligenceVault’s Services free of cost.

 

  1. PROCESSING OF PERSONAL DATA

1.1 Roles of the Parties

DiligenceVault acts as a Processor to the Customer, who can act either as Controller or Processor of Personal Data. For the purposes of the CCPA (and to the extent applicable), Customer is the “Business” and DiligenceVault is the “Service Provider” (as such terms are defined in the CCPA).

1.2 Processor’s Processing of Personal Data

DiligenceVault may process the following categories of Personal Data: (a)Information provided by User directly to DiligenceVault, including personal identification data or characteristics, such as your name, email address and IP address; (b) Information collected or generated by DiligenceVault, including information obtained through emails, call recordings, and website usage data (and other related data); (c) User’s data as collected or processed in conjugation with the provision of the Services.

User’s Personal Data may be stored and processed by DiligenceVault for the purposes of providing the Services.

1.3 Sub-processors

Customer acknowledges and agrees that (a) DiligenceVault’s affiliates may be retained as Sub- processors through written agreement with DiligenceVault and (b) DiligenceVault and DiligenceVault’s affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services.

Customer provides general authorization to DiligenceVault’s use of Sub-Processors. The list of Sub-processors that are currently engaged by DiligenceVault is available via this link: https://diligencevault.com/sub-processors

Before DiligenceVault engages a new Sub-processor, DiligenceVault will update the Sub-processor list and notify Customer. To object to a Sub-processor, Customer should follow the process stated in the next section “1.4 Objection Right for New Sub-processors”.

 1.4 Objection Right for New Sub-processors

Customer may reasonably object to DiligenceVault’s use of a new Sub-processor, for reasons relating to the protection of Personal Data intended to be processed by such Sub-processor, by notifying DiligenceVault (privacy@diligencevault.com) promptly in writing within five (5) business days after receipt of DiligenceVault’s notice. Such written objection shall include the reasons for objecting the use of such new Sub-processor. Failure to object to such new Sub-processor in writing within five (5) business days following DiligenceVault’s notice shall be deemed as acceptance of the new Sub-Processor.

In the event Customer reasonably objects to a new Sub-processor, as permitted in the preceding sentences, DiligenceVault will discuss concerns with Customer in good faith with a view to achieving commercially reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Customer. If no resolution can be reached within sixty (60) days of Customer’s objection written notice, DiligenceVault may, at its sole discretion, either not appoint the new Sub-Processor or will permit the Customer, as a sole remedy, to terminate the applicable Agreement pursuant to its terms with respect only to those Services which cannot be provided without the use of the objected-to new Sub-processor.

 

  1. INTERNATIONAL DATA TRANSFERS

The EU SCCs shall be deemed entered into by the parties as at the date of this DPA and shall take precedence over the terms of this DPA and shall be supplemented as follows:

  • EEA Transfers. In relation to European Data that is subject to the GDPR (i) Customer is the “data exporter” and DiligenceVault is the “data importer”; (ii) the Module Two terms apply to the extent the Customer is a Controller of European Data and DiligenceVault is a Processor; (iii) in Clause 7, the optional docking clause applies; (iv) in Clause 9, Option 2 applies and changes to Sub-Processors will be notified in accordance with the ‘Sub-processors’ section of this DPA; (v) in Clause 11, the optional language is deleted; (vi) in Clauses 17 and 18, the parties agree that the governing law and forum for disputes for the Standard Contractual Clauses will be determined in accordance with the EEA country in which the data exporter is established section of the Jurisdiction Specific Terms, if such section does not specify an EU Member State or as otherwise agreed between the parties,, the governing law and the competent courts are those described in the order form related to the Agreement (for EEA transfers), Switzerland (for Swiss transfers), or England and Wales (for UK transfers); (vii) the Annexes of the Standard Contractual Clauses will be deemed completed with the information set out in the Annexes of this DPA; and (viii) if and to the extent the Standard Contractual Clauses conflict with any provision of this DPA the Standard Contractual Clauses will prevail to the extent of such conflict.
  • UK Transfers. In relation to European Data that is subject to the UK GDPR, the EU SCC will apply in accordance with sub-section (a) and the following modifications (i) the Standard Contractual Clauses will be modified and interpreted in accordance with the UK-SCC Addendum as set out in Annex 4 of this DPA, and (ii) any conflict between the terms of the EU SCC and the UK SCC Addendum will be resolved in accordance with Section 10 and Section 11 of the UK SCC Addendum.
  • Swiss Transfers. In relation to European Data that is subject to the Swiss DPA, the Standard Contractual Clauses will apply in accordance with sub-section (a) and the following modifications (i) references to “Regulation (EU) 2016/679” will be interpreted as references to the Swiss DPA; (ii) references to “EU”, “Union” and “Member State law” will be interpreted as references to Swiss law; and (iii) references to the “competent supervisory authority” and “competent courts” will be replaced with the “the Swiss Federal Data Protection and Information Commissioner ” and the “relevant courts in Switzerland”.

 

  1. DATA DELETION

On expiry of the applicable term or in case of termination of the Agreement, Customer may instruct DiligenceVault to delete all Customer’s Personal Data (data singularly owned by the Customer) from DiligenceVault’s systems in accordance with applicable law. DiligenceVault will comply with this instruction as soon as reasonably practicable and within a maximum period of 180 days, unless obligation under applicable law requires storage. Customer acknowledges and agrees that Customer will be responsible for exporting, before the applicable term expires, any Customer’s Personal Data it wishes to retain afterwards.

 

  1. SECURITY RESPONSIBILITIES AND ASSESSMENT

4.1 Customer is solely responsible for its use of the Services, including:

  • making appropriate use of the Services and the additional security controls to ensure a level of security appropriate to the risk in respect of the Personal Data;
  • securing the account authentication credentials, systems and devices Customer uses to access the Services; and
  • retaining copies of its Personal Data as appropriate

4.2 DiligenceVault has no obligation to protect copies of Personal Data that Customer elects to store or transfer outside of DiligenceVault’s and its Sub-processors’ systems (for example, offline or on-premise storage), or to protect Personal Data by implementing or maintaining additional security controls except to the extent Customer has opted to use them and notified DiligenceVault in writing.

4.3 Customer is responsible for reviewing the security documentation and evaluating for itself whether the Services, the measures, the additional security controls will meet Customer’s needs, including with respect to any security obligations of Customer under the European Data Protection Legislation and/or Non-European Data Protection Legislation, as applicable.

 

  1. PERSONAL DATA INCIDENT MANAGEMENT AND NOTIFICATION

DiligenceVault maintains security incident management policies and procedures. DiligenceVault shall notify Customer without undue delay of any breach relating to Personal Data (within the meaning of applicable Data Protection Law) of which DiligenceVault becomes aware. DiligenceVault shall provide commercially reasonable cooperation and assistance in identifying the cause of such Personal Data Incident and take commercially reasonable steps to remediate the cause to the extent the remediation is within DiligenceVault’s control. Except as required by applicable data protection law, the obligations herein shall not apply to incidents that are caused by Customer, its Authorized Users and/or any non-DiligenceVault products.

 

  1. DEMONSTRATION OF COMPLIANCE

DiligenceVault will make all information reasonably necessary to demonstrate compliance with this DPA available to Customer and allow for and contribute to audits, including inspections conducted by or your auditor in order to assess compliance with this DPA. Customer acknowledges and agrees to exercise audit rights under this DPA and Clause 8.9 of the Standard Contractual Clauses by instructing DiligenceVault to comply with the audit measures described in this ‘Demonstration of Compliance’ section. Customer acknowledges that the Service is hosted by our hosting Sub-Processors who maintain independently validated security programs (including SOC 2 and ISO 27001) and that our systems are audited annually as part of SOC 2 compliance and regularly tested by independent third party penetration testing firms. Upon request, DiligenceVault will supply (on a confidential basis) our SOC 2 report and summary copies of our penetration testing report(s) to Customer  to verify our compliance with this DPA.

 

  1. LIMITATION OF LIABILITY

Each party’s and all of its affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Customer  and affiliates and DiligenceVault, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement or the electronically accepted Terms and Conditions, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its affiliates under the Agreement and all DPAs together.

DiligenceVault’s and its affiliates’ total liability for all claims from the Customer and all of its affiliates arising out of or related to the Services and each DPA shall apply in the aggregate for all claims under both the Agreement and all DPAs established under the agreement, including by Customer and all affiliates, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any affiliate that is a contractual party to any such DPA.

 

  1. TERM

This DPA will commence on the same date of the Agreement between Customer and DiligenceVault, or as otherwise provided explicitly under a mutually agreed document signed between the parties, and will continue until the agreement expires or is terminated, pursuant to the terms therein.

 

Annex 1:

A. List of Parties, Description of Transfer and Competent Supervisory Authority

Data exporter:

Name: The Customer’s entity name

Address: The Customer address

Contact person’s name, position and contact details: The Customer’s contact details, as provided to DiligenceVault.

Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with Customer’s use of the DiligenceVault Services.

Role (controller/processor): Controller

Data importer:

Name: Diligence Vault Corp.

Address: 1230 6th Avenue, 16th Fl, New York, NY 10020

Contact person’s name, position and contact details: Chief Executive Officer or Data Protection Officer, legal@diligencevault.com

Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with Customer’s use of the DiligenceVault Services.

Role (controller/processor): Processor

  1. Description of Transfer

Categories of Data Subjects whose Personal Data is Transferred

As set out in Clause 1.2 of the DPA.

Categories of Personal Data Transferred

Personal Data as described in Clause 1.2 of the DPA.

Sensitive Data transferred and applied restrictions or safeguards

To the parties’ knowledge, no sensitive data is transferred.

Frequency of the transfer

Continuous. Personal data is transferred in accordance with the standard functionality of the Services, or as otherwise agreed upon by the parties.

Nature of the Processing

Personal Data will be Processed in accordance with the Agreement between the parties and/or the Terms and Conditions (including this DPA) and may be subject to the following Processing activities:

  1. Storage and other Processing necessary to provide, maintain and improve the Services provided to User; and/or
  2. Disclosure in accordance with the Agreement (including this DPA),Terms and Conditions and/or as compelled by applicable laws.

Purpose of the transfer and further processing

DiligenceVault will Process Personal Data as necessary to provide the Services pursuant to the Agreement between the parties and/or the Terms and Conditions, or as further specified in the Order Form, and as further instructed by Customer in their use of the Services.

Period for which Personal Data will be retained

Subject to the ‘Data Deletion’ section of this DPA, DiligenceVault will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.

  1. Competent Supervisory Authority

For the purposes of the Standard Contractual Clauses, the supervisory authority that will act as competent supervisory authority will be determined in accordance with GDPR.

Annex 2: Security Measures

Please refer to DiligenceVault’s Data Security Overview

Existing Customers and Prospective Customers with an NDA can request DiligenceVault’s ISO 27001, SOC 2 Type II and Independent Penetration Tests by contacting us at legal@diligencevault.com

Annex 3: Sub-processor List

Please refer to DiligenceVault’s Sub-processors list here: www.diligencevault.com/sub-processors

Annex 4: UK SCC Addendum

Standard Data Protection Clauses to be issued by the Commissioner under S119A(1) Data Protection Act 2018

International Data Transfer Addendum to the EU Commission Standard Contractual Clauses

VERSION B1.0, in force 21 March 2022

This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

Part 1: Tables

Table 1: Parties

Same information as provided in Annex 1, Section A.

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs ☐ The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:

Date: The effective date of the Agreement between DiligenceVault and Customer.

Reference (if any): N/A

Other identifier (if any): N/A

Or

the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:
Module Module in operation Clause 7 (Docking Clause) Clause 11
(Option)		 Clause 9a (Prior Authorisation or General Authorisation) Clause 9a (Time period) Is personal data received from the Importer combined with personal data collected by the Exporter?
1 Module 2 Applies deleted General Authorization according to DPA No
2
3
4

Table 3: Appendix Information

Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties: As set forth in Annex IA of the Approved EU SCCs which this Addendum is appended to
Annex 1B: Description of Transfer: As set forth in Annex IB of the Approved EU SCCs which this Addendum is appended to.
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: As set forth in Annex II of the Approved EU SCCs which this Addendum is appended to.
Annex III: List of Sub processors (Modules 2 and 3 only): As set forth in Annex III of the Approved EU SCCs which this Addendum is appended to

Table 4: Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum changes Which Parties may end this Addendum as set out in Section ‎19:

☐ Importer

☐ Exporter

neither Party

Part 2: Mandatory Clauses

Entering into this Addendum

  1. Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.
  2. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.

Interpretation of this Addendum

  1. Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
Addendum This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs.
Addendum EU SCCs The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information.
Appendix Information As set out in Table ‎3.
Appropriate Safeguards The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR.
Approved Addendum The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section ‎18.
Approved EU SCCs The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
ICO The Information Commissioner.
Restricted Transfer A transfer which is covered by Chapter V of the UK GDPR.
UK The United Kingdom of Great Britain and Northern Ireland.
UK Data Protection Laws All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
UK GDPR As defined in section 3 of the Data Protection Act 2018.

 

  1. This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
  2. If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.
  3. If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.
  4. If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
  5. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.

Hierarchy

  1. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section ‎10 will prevail.
  2. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.
  3. Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.

Incorporation of and changes to the EU SCCs

  1. This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
    a. together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
    b. Sections ‎9 to ‎11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
    c. this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
  2. Unless the Parties have agreed alternative amendments which meet the requirements of Section ‎12, the provisions of Section ‎15 will apply.
  3. No amendments to the Approved EU SCCs other than to meet the requirements of Section ‎12 may be made.
  4. The following amendments to the Addendum EU SCCs (for the purpose of Section ‎12) are made:
    a. References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;
    b. In Clause 2, delete the words:

“and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;

c. Clause 6 (Description of the transfer(s)) is replaced with:

“The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;

d. Clause 8.7(i) of Module 1 is replaced with:

“it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;

e. Clause 8.8(i) of Modules 2 and 3 is replaced with:

“the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”

f. References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;

g. References to Regulation (EU) 2018/1725 are removed;

h. References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;

i. The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;

j. Clause 13(a) and Part C of Annex I are not used;

k. The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;

l. In Clause 16(e), subsection (i) is replaced with:

“the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;

m. Clause 17 is replaced with:

“These Clauses are governed by the laws of England and Wales.”;

n. Clause 18 is replaced with:

“Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and

o. The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.

Amendments to this Addendum

  1. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
  2. If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
  3. From time to time, the ICO may issue a revised Approved Addendum which:
    a. makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or
    b. reflects changes to UK Data Protection Laws;

The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.

  1. If the ICO issues a revised Approved Addendum under Section ‎18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:
    a. its direct costs of performing its obligations under the Addendum; and/or
    b. its risk under the Addendum,

and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.

  1. The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.

Alternative Part 2 Mandatory Clauses:

Mandatory Clauses Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section ‎‎18 of those Mandatory Clauses.