The Data Processing Agreement of Ltd
for the Online Solution

This Data Processing Agreement (“DPA”/ “Agreement”) of Ltd, is prepared pursuant to Article 28 of the EU General Data Protection Regulation (“GDPR”) and it is a legally binding agreement between Ltd and You (the User of the Software Solution). It is recommended that You read this document carefully, together with:

  • our online Terms and Conditions;
  • our Privacy Policy and GDPR Compliance Statement;
  • our Security Package (where made available);
  • any other legally binding document or agreement as a whole or part therein, which is relevant to this subject matter for any services and/or products You use as offered and delivered by Ltd.

Where you use the enterprise solutions of any of our products and/or services, unless a separate data processing agreement has been signed as part of the legal agreement for that product or service, the provisions herein shall apply appropriately.

For the purposes of ensuring compliance with the GDPR and/or identity changes to our business operations, we may make any reasonable changes to the provisions below. You will be notified where key changes come into effect.

Version: 3.0

Last updated: 07/03/2024

Effective date: 07/03/2024


1. 具體定義

1.1. In addition to the terms defined elsewhere in this Agreement and the Main Agreement, for all the purposes of the subject matter hereof, the terms included in Annex 1 (the “Definitions”) herein shall have the meanings set forth therein.

1.2. The Parties mutually agree and understand that for the purposes of this Agreement, all the definitions of the European Data Protection Laws are adopted.

2. Responsibilities of You

2.1. In line with the provisions of this DPA and Main Agreement, You are responsible to comply as Data Controller with all requirements applicable to your operations under applicable Data Protection Laws, for the Processing of Personal Data.

2.2. You agree and acknowledge that, without prejudice to the generality of the below; that you are responsible for: (i) the accuracy, quality and legality of the Personal Data provided by You to the Company for the purposes of the Services as well as the means and methods of acquiring that; (ii) compliance with with all necessary transparency and lawfulness requirements under applicable Data Protection Laws, including European Data Protection Laws; (iii) for the collection and use of the Personal Data, including obtaining any necessary consents and authorizations, particularly for use by the User for marketing purposes; (iv) ensuring that You have the right to transfer or provide access to, the Personal Data to us for Processing in accordance with the terms of this DPA and Main Agreement; (v) ensuring that You comply with any laws applicable to You, including but not limited to Data Protection Laws, for any emails or other content created, sent or otherwise managed through our Services.

2.3. You hereby confirm and agree to inform the Company promptly and without any undue delay, if You are not able to comply with your obligations herein, and specifically under the applicable Data Protection Laws.

2.4. You hereby acknowledge and understand that the provisions herein and any relevant provisions of the Main Agreement and any additional written request under Your capacity as a Data Subject; shall constitute the complete and final Instructions of You as Data Controller for the purposes of this DPA for and in relation to the Processing of Your Personal Data.

2.5.You hereby acknowledge, understand and agree that, any additional Instructions outside the scope herein, shall require Your prior written request.

3. Responsibilities of the Company

3.1. The Company shall only Process Personal Data for the purpose of described in this DPA and in line with Annex 2 herein (the “Details of Processing”) or as otherwise agreed within the scope of your lawful Instructions, except where and to the extent otherwise required by the Data Protection Laws, including but not limited to European Data Protection Laws and other applicable laws and regulations relevant to the Parties.

3.2. The Company shall not be held responsible and liable for compliance with applicable Data Protection Laws which apply solely to You and/or Your industry and are not legally applicable to Ltd’s operations.

3.3. The Company shall notify You immediately and without any undue delay, to the extent permitted by law; where it is deemed the latter is unable to Process Personal Data in accordance with the provisions of this DPA and due to legal requirements of applicable laws and/or regulations.

3.4. The Company shall ensure that Processing of Personal Data as part of the Group is in compliance with the provisions of our internal Global Data Sharing Framework and solely for improving the coordination and resource allocation by sharing data internally between the several brands and subsidiaries, specifically for marketing statistics, internal administration, and reporting purposes, but only in an amount necessary for the intended use and with proper Security Measures in place to prevent unauthorised access or disclosure.


3.5. By considering the state of art, the costs of implementing and the nature, scope, context and purposes of Processing of Personal Data pursuant to the provisions of this DPA, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons; the Company shall implement and maintain appropriate technical and organisational measures to ensure the appropriate level of security to that risk, as per provisions of Annex 3 herein (collectively the “Security Measures”).

3.6. The Company shall ensure that the Security Measures form part of its implemented Information Security Management System (the “ISMS”), in line with the ISO/IEC 27001 standard and issued certificate by an accredited certifying body.

3.7. Notwithstanding any provision to the contrary, the Company may modify or update the Security Measures at our discretion provided that such modification or update does not result in a material degradation in the protection offered by the Security Measures and/or comply with relevant laws and legal obligations.


3.8. The Company hereby ensures that any worker or appointed person authorised to Process Personal Data for and on our behalf is subject to appropriate confidentiality obligations, contractual and statutory obligations with respect to that Personal Data.

Personal data breaches

3.9. The Company hereby agrees to notify prompt and without undue delay once becoming aware of any Personal Data Breach, following the provisions of applicable Data Protection Laws and where necessary provide You with information as it becomes known or reasonably requested by You.

3.10. The Company hereby agrees to promptly provide You with such reasonable assistance as necessary to enable notifying relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, pursuant to the applicable Data Protection Laws and subject to your written request.

Delection or return of personal data

3.11. The Company hereby agrees to delete or return to You all Personal Data relating to the Main Agreement and this DPA, including but not limited to copies of Personal Data which was Processed for the purpose of this DPA, on termination or expiration of Services, in line with the relevant provisions of the Main Agreement.

3.12. The requirement herein shall be exercised pursuant to any applicable law which may require to retain some or all Personal Data, subject to additional security measures such as isolation and protection from further Processing.

4. Data Subject Requests

4.1. You hereby acknowledge, agree and accept that the Company shall provide You with controls in the Software via which You can retrieve, correct, delete or restrict Personal Data in order to assist You in connection with the requirements of Data Protection Laws.

4.2. The Company may, subject to a written request by You, provide reasonable assistance for responding to any Data Subject Requests or requests from Data Protection Authorities relating to the Processing of Personal Data under this DPA, subject to any reimbursement deemed necessary.

4.3. You undertake the whole, exclusive and sole responsibility to respond to Data Subject Request(s) or other communication regarding the Processing of Personal Data from individual(s) who is/are identified as Your client and may be addressed to the Company, subject to prompt notification of such a request from us to You.

5. Sub-Processors

5.1. You hereby acknowledge, agree, accept and authorise the appointment of the Sub-Processors for the Process of Personal Data pursuant to this DPA and Main Agreement included in Annex 4 herein, the Sub-Processors’ List, based on which some Sub-Processors will apply as default, and some Sub-Processors will apply only if you integrate them to Your Account, as per section of the official website:

5.2. The Company hereby ensures that where a Sub-Processor is appointed, the relevant legal agreement to be concluded between those shall include appropriate data protection terms subject to appropriate Data Protection Laws and impose at least the same level of protection for Personal Data, as the provisions of this DPA and where deemed necessary, include the last version of Standard Contractual Clauses, as issued by the European Commission.

5.3. The Company shall not engage other Sub-Processo(s) and/or remove already appointed Sub-Processo(s) which relate to their business operations and not as part of an integration offered; where You are notified for the change in our List of Sub-Processors and You can submit an objection within 15 (fifteen) days by sending an email to or which is accepted by the Company.

5.4. The Company shall remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and and for any acts or omissions of such Sub-Processor that cause us to breach any of its obligations under this DPA.

6. Data Transfers

6.1. You hereby acknowledge, consent and authorise the Company, subject to provisions herein; to perform necessary Data Transfers for internal and external business operations to third parties identified as Sub-Processors herein which may be located outside the EU and/or the EEA.

6.2. Pursuant to clause 6.1. above, both Parties hereby confirm and agree that any Data Transfers will be performed solely for the purpose of the Main Agreement, this DPA and any additional written Instructions communicated from You to the Company, only for the subject matter.

6.3. The Partie hereby mutually agrees that pursuant to clause 6 herein, the Company shall perform any and all Data Transfers subject to the provisions of Chapter 5 (Article 44-50) of the GDPR and always in compliance with the requirements of applicable Data Protection Laws for the duration of this DPA and the Main Agreement.

6.4. Pursuant to clause 6.3 above, the Company shall not not perform any Data Transfer of European Data to any country or recipient not recognised as providing an adequate level of protection for Personal Data, in accordance with the provisions of the European Data Protection Laws; unless such measures are first taken to ensure the transfer is in compliance with applicable European Data Protection Laws.

Adequate level of protection

6.5. Pursuant to clause 6.4 above, the Company shall not authorise any Data Transfer to a country which is not recognized as providing an adequate level of protection via:

6.5.1. 根據 GDPR 第 45 條,由歐盟委員會發佈的有效充分決定,將可能在歐盟委員會官網上進行說明(充分決定); 和/或

6.5.2. approved and authorised Binding Corporate Rules, subject to Article 47 of the GDPR; and/or

6.5.3. 根據相關的歐盟數據保護法規及歐盟委員會的 標準合約條款(SCC) 的官網內容所示,結論及信賴已批准 標準合約條款(SCC)

6.6. The Parties hereby acknowledge and agree that shall not rely on the EU-US Privacy Shield and related principles for the purposes of transferring Personal Data and ensure appropriate measures are taken to comply with applicable Data Protection Laws as may be amended from time to time, relying on the Data Privacy Framework, to the extent applicable and valid.

Standard Contractual Clauses for the Parties

6.7. Where required, the parties hereby conclude Standard Contractual Clauses which shall be incorporated by reference and form part of this Agreement, as per applicable relevant provisions of Annex 5 below and subject matter herein.

7. Additional Provisions

European data

7.1. This part of the DPA applies to European Data for the purposes of the Main Agreement.

7.2. The Parties hereby agree that when Processing European Data in accordance with the Instructions, You are the Controller of European Data and Ltd is the Processor.

7.3. reserves the right to inform You where Instructions infringes European Data Protection Laws, as and when applicable, without undue delay.

7.4. The Company will make any necessary changes to Annex 4 regarding the appointed Sub-Processors and give you the opportunity to be notified via your Account, in which case You have the opportunity to object to the engagement on reasonable grounds relating to this DPA and within 15 (fifteen) days after such notification.

7.5. The Company shall, to the extent that the required information is reasonably available and you do not otherwise have access to the required information; provide reasonable assistance to You with any Data Protection Impact Assessments (“DPIA”), and prior consultations with Supervisory Authorities or other competent Data Privacy Authorities to the extent required by European Data Protection Laws.

7.6. shall make all information reasonably necessary to demonstrate compliance with provisions herein, available to You and may allow for audits including but not limited to inspections.

7.7. The Data Processor has appointed a Data Protection Officer (“DPO”) in line with the European Data Protection Laws and can be contacted for the purposes of this DPA and Main Agreement via email:

Other data

7.8. This part of the DPA applies to Personal Data other than European Data, under the provisions of applicable Data Protection Laws.

7.9. The Parties agree that Ltd shall Process such Personal Data strictly in accordance with applicable Data Protection Laws and solely for the purposes of providing the Services under the provisions of the Main Agreement.

7.10. The Parties shall enter into any additional agreements required by law for the purpose complying with the applicable Data Protection Laws.

8. Parties to the DPA

8.1. When You sign-up and accept the Terms & Conditions, and/or legal provisions for the Software Solution, You as a User of the System enter into this DPA on behalf of Yourself and where applicable and to the extent permitted by law and applicable Data Protection Laws, in the name and on behalf of Your Permitted Affiliates, establishing a separate DPA between us and each such Permitted Affiliate subject to the Agreement and provisions herein.

8.2. You hereby agree and acknowledge that each Permitted Affiliate agrees to be bound by the obligations of this DPA and as applicable to the Main Agreement.

8.3. You hereby agree and acknowledge that to the extent permitted by law, for the purposes of this DPA and except as otherwise provided herein, “User”, “You” and “Your” will include You and such Permitted Affiliates.

8.4. The legal entity agreeing to this DPA as User represents that it is authorised to agree to and enter into this DPA for and on behalf of itself and, as applicable, each of its Permitted Affiliates.

9. General Provisions

9.1. This DPA will remain in force from the Effective Date and until the Data Controller or Data Processor terminates the Main Agreement, in line with applicable provisions.

9.2. This DPA may be terminated by either party with a 30 (thirty) days written notice, pursuant to the provisions of the Main Agreement and by cancelling the system in system settings.

9.3. Notwithstanding anything else to the contrary in this DPA and Main Agreement, reserves the right to make any updates and amendments to this DPA subject to any additional terms herein.

9.4. If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.

9.5. Neither party may, without the prior written consent of the other party assign, transfer, charge, licence or otherwise deal in or dispose of any contractual rights or obligations under this Agreement.

9.6. The Parties and Permitted Affiliates' liability arising out of or related to this DPA in whole whether in contract, tort or under any other theory of liability, will be subject to the limitations and exclusions of liability set out in the Main Agreement.

9.7. The Parties hereby agree and accept the choice of the jurisdiction indicated in the Main Agreement in respect of this DPA.


Annex 1: Definitions

This Annex 1: Definitions forms part of the DPA.

Data Controller”: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

Data Processor”: means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Data Controller.

Data Protection Laws”: means all applicable worldwide legislation relating to data protection and privacy which applies to the respective Party in the role of Processing Personal Data in question under the Agreement, including without limitation: (1) the European Data Protection Laws; (2) the California Consumer Privacy Act of 2018 (“CCPA”); (3) the data protection and privacy laws of Australia and Singapore; (4) and other; in each case as amended, repealed, consolidated or replaced from time to time.

Data Subject”: means the individual to whom Personal Data relates.

EU-US Privacy Shield”: the self-certification program operated by the U.S. Department of Commerce and approved by the European Commission, as may be amended, superseded or replaced.

"Europe": means the European Union, the European Economic Area and/or their member states.

"European Data Protection Laws": means data protection laws applicable in Europe, including: (1) Regulation 2016/679 - the EU General Data Protection Regulation ("GDPR"); (2) Directive 2002/58/EC - the Directive on privacy and electronic communications; (3) applicable national implementations of 1 and 2 points above; (4) any applicable national legislation that replaces or converts in domestic law the GDPR; (5) the Data Protection Act 2018 of the United Kingdom (the “UK GDPR”); in each case, as may be amended, superseded or replaced.

European Data”: means Personal Data that is subject to the protection of European Data Protection Laws, defined below.

Instructions”: any written, documented instructions issued by the Data Controller to the Data Processor, and directing the same to perform a specific or general action with regard to Personal Data, including, but not limited to, depersonalising, blocking, deletion, making available.

"Permitted Affiliates": shall include any of Your Affiliates that is permitted to obtain the Services on your behalf, pursuant to the Main Agreement, but have not signed their own separate agreement with us and are not users and qualify as a Controller of Personal Data Processed by us, and can be subject to European Data Protection Laws.

Personal Data Breach”: shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by us and/or our Sub-Processors in connection with the provision of the Services but does not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

Personal Data”: means any information relating to an identified or identifiable individual where such information is contained within the Account (as defined in the Main Agreement) and is protected as other personal information or personally identifiable information under applicable Data Protection Laws.

Processing”: shall mean any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data and the terms “Process”, “Processes” and “Processed” will be construed accordingly.

Services”: shall have the same meaning as in the Main Agreement.

Standard Contractual Clauses”: means the standard contractual clauses for Data Processors approved pursuant to the European Commission’s relevant decision and as included in Annex 5 herein which forms part of the Agreement and as may be amended, superseded or replaced.

Sub-Processor”: means any Data Processor engaged by us to assist fulfilling our obligations with respect to the provision of the Services under the Main Agreement and may include third parties, excluding any employee or consultant of Ltd.

UK IDTA” shall mean the template addendum issued by the UK Information Commissioner's Office (“ICO”) and here: International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, and as made available in the official website of ICO International data transfer agreement and guidance | ICO, and as may be amended, suspended or replaced.

Annex 2: Details of processing

This Annex 2: Details of Processing forms part of the DPA.

Nature and Purposes of the Process: the Company will Process Personal Data as required for the purposes of providing the Services, pursuant to the Main Agreement and as may further be specified in additional documentation which forms part of the Main Agreement and DPA.

Duration of the Processing: subject to any provisions contained herein specifying otherwise, Processing of Personal Data shall occur for the duration of the Main Agreement, unless otherwise agreed in writing.

Categories of Data Subjects: pursuant to the provisions of the Main Agreement, Data Subjects shall include any type of User’s clients and therefore may vary by the system usage from the Data Controller.

Categories of Personal Data: pursuant to the provisions of the Main Agreement, categories of Personal Data may vary in accordance with the usage of the System and bookings made by the User’s clients and may include name, surname, email address and phone number.
To the extent applicable and as may be requested by the User when using the System, various information such as when completing additional fields, adding comment(s) which are/is linked to booking(s) for a relevant individual, details on the status of bookings, whether they attended, or paid for booking may fall under the definition of Personal Data for which You are acting as the Data Controller pursuant to the provisions of this Agreement. The above list is not exhaustive and does necessarily apply to every User.
Special Categories of Personal Data may include information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Such information may be submitted by Your clients via the System, at Your sole discretion and request, as notes/additional fields information and/or comments. Note that where You have our SOAP custom feature, data at rest will be encrypted.

Processing Operations: include the standardised internal processes in which system users’ data are continuously or systematically collected, stored and used for the provision of the Services, in line with the Main Agreement. The Data Processor will Process Personal Data on behalf of the Data Controller for the purpose of using the Appointment Scheduling System and accept appointments, send reminders, process payments, sell products, make promotions and other related activities allowed by our custom features.

Annex 3: Security Measures

1. This Annex 3 Security Measures forms part of the DPA and all capitalised terms, not otherwise defined herein, shall have the same meaning set forth in the Main Agreement.

2. The measures herein form part of the ISMS which shall be maintained in accordance with best practices and standards and this section shall be read in conjunction with the official Security page of the Company (see Security - and/or documents of our Security Package, where that was made available.

A. Access control and management

In line with internal Access Control Policy which are part of our ISMS, access rights and permissions internally are role-based and commensurate with their functional responsibilities, in line with the “need-to-know” and “need-to-use” principles. In order to minimise information being disclosed or accessed prematurely, accidentally or unlawfully, the authorisation infrastructure described below has been implemented as part of our system too and:

access to internal information from unauthorised users is prohibited by default and privileged access/activities, (un)authorised access attempts are logged and managed;

where available, 2FA authentication must be enabled by all personnel when accessing system for Processing of Personal Data and otherwise.

For users of our system, 2FA secure login is available with “Google Authenticator” and “HIPAA” custom features for the User; and Password Management is available with the “Strict Password” custom feature for the User.

B. Encryption

The Company use appropriate encryption technologies to protect Personal Data and where applicable and:

for data in transit, all external communications are supported via via encrypted channels secured with standard protocols (up to TLS 1.3 with AES-128 / AES-256 encryption), depending on the software(s) involved and allowed compatibility circumstances; and

for data at rest (available for SOAP data and medical history with “SOAP with Data Encryption” custom feature).

C. Information classification and handling

The Company shall have in place an appropriate Record of Processing Operations, an Asset Handling Procedure and an Acceptable Use Policy all of which ensure that all information, including Personal Data are classified in accordance with its criticality and sensitivity to unauthorised access, disclosure or modification.

D. Human resources security

TThe Company has taken reasonable measures to ensure that its employees and contractors, which have access to Personal Data are aware of and adhere to the security and privacy policies and procedures.

The measures include: (a) background verification checks, such as criminal records checking for all employees and contractors with access to Personal Data; (b) conclusion of Non-Disclosure and Confidentiality Agreement and Data Processing Agreement for all employees and contractors; (c) participation in training and awareness programs by employees and contractors, focused on the protection of personal data, privacy and security.

E. Operational security

The Company is committed to ensure that correct and secure facilities for the Processing of Personal Data by:

controlling the changes to the processing systems and facilities by implementing and maintaining procedures in line with the internal Change Management Policy;

performing regular back-ups and test of back-ups, by implementing and maintaining procedures in line with the internal Back-Up Policy;

maintaining event logging with records of user activities, exceptions, errors and information security events;

ensure clock synchronisation for all relevant Information Processing Systems.

F. Network security

The Company has implemented a Firewall Protection, an Intrusion Detection System and is regularly monitoring the Network Activity.

G. Secure development

The Company performs software development and relevant support processes according to adopted secure system engineering principles such as:

Security by design;

Security testing shall be performed for any changes or new developments;

Development/testing/production environments shall be separated.

H. Supplier security and privacy assessments

The Company performs security and privacy assessments of when engaging new suppliers and and then every year forward, in relation to the services they provide and acknowledges the responsibility to inform the Data Controller for any changes to the provision of Services pursuant to the Main Agreement.

I. Business continuity and incident management

The Company ensures a consistent approach to the management of privacy and security incidents, including communication on security breaches and weaknesses. Specifically, a Business Continuity and Incident Management Procedures is in place and is tested regularly. Additionally, we have in place a Personal Data Breach Notification Procedure which is reviewed annually.

J. Internal security audits

The Company performs periodic assessments of risks to Personal Data and reviews the effectiveness of the implemented security policies and procedures.

ANNEX 4: List of Sub-Processors

1. Read this Annex 4 in conjunction with Clause 5 and other applicable provisions of the DPA.

2. Where applicable, respective Sub-Processors will apply when you enable and/or integrate their systems to Your Account as made available to the system and the official website of Ltd here:

Entity Purpose of Processing/Service Location & Measure
Live Agent Services & Support: live chat services via our website Slovakia (EU)
Slack Services & Support: internal communication messaging system 美國
Linode Services & Support: emails provider outbound UK
PandaDoc Services & Support: electronic signatures - where you sign our DPA or other agreements electronically 美國
Accountable HQ Services & Support: electronic signatures functionality for BAA 美國
Twilio Inc. Services & Support: SMS provider 美國
Brevo (Sendinblue) Services & Support: emails provider France
Nexmo (Vonage Holdings Corp.) Services & Support: SMS provider UK
Hubspot Services & Support: CRM for enterprise users Germany Services & Support: feedback management Canade
Google Inc. Hosting & Infrastructure: servers - either location applicable USA, Canada, Belgium & Australia
OVH Hosting & Infrastructure: servers - either location applicable UK, Canada, France & Singapore, Australia
MaxMind, Inc. Services & Support & Statistics & Analytics: IP address intelligence services 美國
Matomo Statistics & Analytics: self hosted serves with Google Cloud UK
Leadinfo Statistics & Analytics: website optimisation for enterprise users Netherlands

Payment Service Providers (PSP):

Nuvei (previously Safecharge) Key PSP: payments processing Canada
PayPal Key PSP: payments processing 美國
JCC Key PSP: payments processing for Cyprus based users Cyprus

Key integrations/features:

Meta (Facebook) Hosting & Infrastructure: add widget options with Facebook & Instagram Booking feature 美國
Instagram Hosting & Infrastructure: add widget options with Facebook & Instagram Booking feature 美國
Outlook 郵件管理 (Microsoft) Hosting & Infrastructure: use of Outlook Calendar 2-way sync feature 美國

Other entities as per specific feature is enabled to Your Account may apply as per available integrations.

Annex 5: Standard contractual clauses & UK IDTA

1. Under and for the purposes of GDPR, the latest version of the Standard Contractual Clauses available on the official website of the European Commission (found here), is implemented by reference herein, followed for the subject matter and forms part of this DPA, and as may be amended, suspended or replaced and the Parties hereby mutually understand and agree that:

(a) the Company undertakes the rights and obligations of the Data Importer and You the rights and obligations of the Data Exporter, as defined in the Standard Contractual Clauses and those shall come into effect on the later of either Party becoming a party to them and the commencement of the relevant data transfer;

(b) Module Two: Transfer between Controller to Processor is adopted;

(c) in Clause 7, the optional docking clause applies;

(d) in Clause 9, Option 2 applies and changes to Sub-Processors will be notified in accordance with the ‘Sub-Processors’ section of this DPA and Annex 4 above;

(e) in Clause 11, the optional language is deleted;

(f) in Clauses 17 and 18, the parties agree that the governing law and forum for disputes for the Standard Contractual Clauses will be determined in accordance with the 'Contracting Entity; Applicable Law; Notice’ section of the Jurisdiction Specific Terms or, if such section does not specify an EU Member State, the Republic of Ireland (without reference to conflicts of law principles);

(g) the Annexes of the Standard Contractual Clauses will be deemed completed with the information for the User as relevant and set out in the Annexes of this DPA;

(h) the supervisory authority that will act as competent supervisory authority will be determined in accordance with GDPR;

(i) if and to the extent the Standard Contractual Clauses conflict with any provision of this DPA the Standard Contractual Clauses will prevail to the extent of such conflict.

2. Under the Swiss Federal Data Protection Act and its Ordinance ("Swiss DPA"), in line with point 1 above, and below points, the Standard Contractual Clauses will apply and references to "Regulation (EU) 2016/679" will be interpreted as references to the Swiss DPA, to "EU", "Union" and "Member State law" will be interpreted as references to Swiss law, to the "competent supervisory authority" and "competent courts" will be replaced with the "the Swiss Federal Data Protection and Information Commissioner " and the "relevant courts in Switzerland".

3. Under and for the purposes of UK GDPR, in line with point 1 above, and below sub-points 2.1. to 2.3., the latest version of the UK IDTA, as may be amended, suspended or replaced and currently made available on the official website of the UK Information Commissioner's Office (“ICO”) (found here), shall be implemented by reference herein, followed for the subject matter and forming part of this DPA.

2.1. The Standard Contractual Clauses are hereby modified and interpreted to align with the UK IDTA, incorporated by reference and form an integral part.

2.2. Information of Annexes to this DPA complete the information required at Tables 1, 2 and 3 of the UK IDTA and Table 4 will be deemed completed by selecting “neither party”.

4. Any conflict between the terms of the Standard Contractual Clauses and the UK IDTA will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.

Get the full signed version of our DPA - this will contain the full version of the latest SCC- here.