DATA PROTECTION ADDENDUM

THIS DATA PROTECTION ADDENDUM (the “Addendum”) is entered into as of the Addendum Effective Date by and between: (1) Century Games Pte. Ltd.(“Company” or “Customer”); and (2) [PARTNER], (the “Business Partner”), hereinafter referred to as also individually “Party” or jointly “Parties“.

1. Preamble

1.1 Company and Partner have entered into [name of Agreement], involving the Processing of certain Personal Data (the “Agreement”).
1.2 This Date Protection Addendum (“Addendum”) between the Parties is incorporated into and forms part of the Agreement and consists of (a) the main body of the Addendum; (b) Attachment 1 (Subject Matter and Details of the Data Processing); (c) Attachment 2 (EU and UK Restricted Transfers); and (d) Attachment 3 (California Annex).
The parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement.

1. Definitions

1.1 In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
1.1.1 “Authorised Subprocessors” means (a) those Subprocessors set out in Annex 5 (Authorised Subprocessors); and (b) any additional Subprocessors consented to in writing by the Customer in accordance with section 6.1;
1.1.2 “Process/Processing”, “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach” and “Special Categories of Personal Data” shall have the same meaning as in the Data Protection Laws;
1.1.3 “CCPA” means the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and any binding regulations promulgated thereunder;
1.1.4 “Data Protection Laws” means all applicable and binding privacy and data protection laws and regulations as well as government-issued rules, guidelines, directives and requirements pertaining to the Processing of Personal Data under the Agreement currently in effect and as they become effective that may exist in any relevant jurisdiction, including, without limitation, security breach notification laws, Personal Data security laws and Personal Data disposal laws. For the avoidance of doubt, Applicable Data Protection Laws include, but are not limited to, the GDPR and the CCPA;
1.1.5 “EEA” means the European Economic Area;
1.1.6 “EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016;
1.1.7 “GDPR” means the UK GDPR and/or EU GDPR (as applicable), together with any applicable implementing or supplementary legislation in any member state of the EEA or the UK (including the UK Data Protection Act 2018). References to “Articles” and “Chapters” of, and other relevant defined terms in, the GDPR shall be construed accordingly;
1.1.8 “Customer Personal Data” means the data described in Annex 1 and any other Personal Data Processed by Business Partner or any Business Partner Affiliate on behalf of the Customer or any Affiliate pursuant to or in connection with the Agreement;
1.1.9 “Relevant Body”:
(a) in the context of the UK and the UK GDPR, means the UK Information Commissioner’s Office and/or UK Government (as and where applicable); and/or
(b) in the context of the EEA and EU GDPR, means the European Commission;
1.1.10 “Restricted Country”:
(a) in the context of the UK, means a country or territory outside the UK; and
(b) in the context of the EEA, means a country or territory outside the EEA,
that the Relevant Body has not deemed to provide an ‘adequate’ level of protection for Personal Data pursuant to a decision made in accordance Article 45(1) of the GDPR;
1.1.11 “Restricted Transfer” means the disclosure, grant of access or other transfer of Customer Personal Data to any person located in: (i) in the context of the EEA, any country or territory outside the EEA which does not benefit from an adequacy decision from the European Commission (an “EU Restricted Transfer”); and (ii) in the context of the UK, any country or territory outside the UK, which does not benefit from an adequacy decision from the UK Government (a “UK Restricted Transfer”), which would be prohibited without a legal basis under Chapter V of the GDPR;
1.1.12 “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses approved by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, the current form of which is attached as Annex 3;
1.1.13 “Subprocessor” means any Data Processor (including any third party and any Business Partner Affiliate) appointed by Business Partner to Process Customer Personal Data on behalf of the Customer or any Affiliate;
1.1.14 “Supervisory Authority” means an independent public authority responsible for the enforcement of applicable Data Protection Laws which is established pursuant to applicable Data Protection Laws;
1.1.15 “Transfer Solution(s)” means the SCCs as set out in Annex 3, and/or the UK Transfer Addendum as set out in Annex 4, as applicable to the relevant Restricted Transfer;
1.1.16 “UK GDPR” means the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended (including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019);
1.1.17 “UK Transfer Addendum” means the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of the Mandatory Clauses included in Part 2 thereof, the current form of which is attached as Annex 4;

2. Data Processing Terms

2.1 In the course of providing the Services to the Customer pursuant to the Agreement, Business Partner may Process Customer Personal Data on behalf of the Customer or any Affiliate as per the terms of this Addendum. Business Partner agrees to comply with the following provisions with respect to any Customer Personal Data submitted by or for the Customer or any Affiliate to the Services or otherwise collected and Processed by or for the Customer or any Affiliate by Business Partner or any Business Partner Affiliate.
2.2 To the extent that Business Partner Processes Customer Personal Data protected by the CCPA, then the terms specified in Annex 8 (California Annex) to this Addendum shall apply in addition to the terms of this Addendum.

3. Processing of the Customer Personal Data

3.1 Business Partner shall only Process the types of Customer Personal Data relating to the categories of Data Subjects for the purposes of the Agreement and for the specific purposes in each case as set out in Annex 1 to this Addendum and shall not Process, transfer, modify, amend or alter the Customer Personal Data or disclose or permit the disclosure of the Customer Personal Data to any third party other than in accordance with the Customer’s documented instructions (whether in the Agreement or otherwise) unless Processing is required by EU or Member State law to which Business Partner is subject, in which case Business Partner shall to the extent permitted by such law inform the Customer of that legal requirement before Processing that Personal Data.
3.2 For the purposes set out in section 3.1. above, the Customer hereby instructs Business Partner to transfer Customer Personal Data to the recipients in the Third Countries listed in Annex 6 (Authorised Transfers of Customer Personal Data) always provided that Business Partner shall comply with section 6 (Subprocessing) and 12 (International Transfers of Customer Personal Data).

4. Business Partner Personnel

4.1 Business Partner shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to access the relevant Customer Personal Data, as strictly necessary for the purposes set out in section 3.1 above in the context of that individual’s duties to Business Partner, ensuring that all such individuals:
4.1.1 are informed of the confidential nature of the Customer Personal Data and are aware of Business Partner’s obligations under this Addendum and the Agreement in relation to the Customer Personal Data;
4.1.2 have undertaken appropriate training in relation to the Data Protection Laws;
4.1.3 are subject to confidentiality undertakings or professional or statutory obligations of confidentiality; and
4.1.4 are subject to user authentication and log on processes when accessing the Customer Personal Data.

5. Security

5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Business Partner shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
5.1.1 the pseudonyimisation and encryption of the Customer Personal Data;
5.1.2 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
5.1.3 the ability to restore the availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident; and
5.1.4 a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
5.2 Without limitation to section 5.1, Business Partner shall implement and maintain each of the technical and organisational measures listed in Annex 2 (Technical and Organisational Measures).
5.3 In assessing the appropriate level of security, Business Partner shall take account in particular of the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.
5.4 Customer may also provide written notice to Business Partner if in the reasonable opinion of Customer the technical and organisational measures set out in Annex 2 need to be changed to take account of a change of Data Protection Law and Business Partner shall implement such changes at no additional cost to Customer. Such written notice shall include a description of the change of law and details of the required change to Annex 2.
5.5 Business Partner shall make changes to the technical and organisational measures set out in Annex 2, as necessary to ensure ongoing compliance with clause 5.1, including without limitation following receipt of a written notice from Customer pursuant to clause 5.4 above, by providing at least 10 days written notice to Customer

6. Subprocessing

6.1 Subject to section 6.3, Business Partner shall not engage any Subprocessors to Process Customer Personal Data other than with the prior written consent of the Customer, which the Customer may refuse in its absolute discretion.
6.2 With respect to each Subprocessor, Business Partner shall:
6.2.1 provide the Customer with full details of the Processing to be undertaken by the each Subprocessor;
6.2.2 carry out adequate due diligence on each Subprocessor to ensure that it is capable of providing the level of protection for the Customer Personal Data as is required by this Addendum including without limitation sufficient guarantees to implement appropriate technical and organisational measures in such a manner that Processing will meet the requirements of GDPR and this Addendum;
6.2.3 include terms in the contract between Business Partner and each Subprocessor which are the same as those set out in this Addendum. Upon request, Business Partner shall provide a copy of its agreements with Subprocessors to the Customer for its review;
6.2.4 insofar as that contract involves the transfer of Customer Personal Data outside of the EEA and/or the UK (as applicable), incorporate the Transfer Solution(s) or such other mechanism as directed by the Customer into the contract between Business Partner and each Subprocessor to ensure the adequate protection of the transferred Customer Personal Data; and
6.2.5 remain fully liable to the Customer for any failure by each Subprocessor to fulfil its obligations in relation to the Processing of any Customer Personal Data.
6.3 As at the Addendum Effective Date, the Customer hereby authorises Business Partner to engage those Subprocessors set out in Annex 5 (Authorised Subprocessors).

7. Data Subject Rights

7.1 Business Partner shall promptly notify the Customer if it receives a request from a Data Subject under any Data Protection Laws in respect of Customer Personal Data.
7.2 Business Partner shall co operate as requested by the Customer to enable the Customer to comply with any exercise of rights by a Data Subject under any Data Protection Laws in respect of Customer Personal Data and comply with any assessment, enquiry, notice or investigation under any Data Protection Laws in respect of Customer Personal Data or this Addendum, which shall include:
7.2.1 the provision of all data requested by the Customer within any reasonable timescale specified by the Customer in each case, including full details and copies of the complaint, communication or request and any Customer Personal Data it holds in relation to a Data Subject;
7.2.2 where applicable, providing such assistance as is reasonably requested by the Customer to enable the Customer to comply with the relevant request within the timescales prescribed by the Data Protection Laws; and
7.2.3 implementing any additional technical and organisational measures as may be reasonably required by the Customer to allow the Customer to respond effectively to relevant complaints, communications or requests.

8. Personal Data Breach

8.1 Business Partner shall notify the Customer upon becoming aware of or reasonably suspecting a Personal Data Breach providing the Customer with sufficient information which allows the Customer to meet any obligations to report a Personal Data Breach under the Data Protection Laws. Such notification shall as a minimum:
8.1.1 describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned;
8.1.2 communicate the name and contact details of Business Partner’s data protection officer or other relevant contact from whom more information may be obtained;
8.1.3 describe the likely consequences of the Personal Data Breach; and
8.1.4 describe the measures taken or proposed to be taken to address the Personal Data Breach.
8.2 Business Partner shall co-operate with the Customer and take such reasonable commercial steps as are directed by the Customer to assist in the investigation, mitigation and remediation of each Personal Data Breach.
8.3 In the event of a Personal Data Breach, Business Partner shall not inform any third party without first obtaining the Customer’s prior written consent, unless notification is required by applicable laws to which Business Partner is subject, in which case Business Partner shall to the extent permitted by such law inform the Customer of that legal requirement, provide a copy of the proposed notification and consider any comments made by the Customer before notifying the Personal Data Breach.

9. Data Protection Impact Assessment and Prior Consultation

9.1 Business Partner shall provide reasonable assistance to the Customer with any data protection impact assessments which are required under Article 35 GDPR and with any prior consultations to any supervisory authority of the Customer or any Affiliate which are required under Article 36 GDPR, in each case solely in relation to Processing of Customer Personal Data by Business Partner on behalf of the Customer and taking into account the nature of the Processing and information available to Business Partner.

10. Deletion or return of Customer Personal Data

10.1 Subject to section 10.2, Business Partner shall promptly and in any event within 90 (ninety) calendar days of the earlier of: (i) cessation of Processing of Customer Personal Data by Business Partner; or (ii) termination of the Agreement, at the choice of the Customer (such choice to be notified to Business Partner in writing) either:
10.1.1 return a complete copy of all Customer Personal Data to the Customer by secure file transfer in such format as notified by the Customer to the Business Partner and securely wipe all other copies of Customer Personal Data Processed by Business Partner or any Authorised Subprocessor; or
10.1.2 Securely Wipe all copies of Customer Personal Data Processed by Business Partner or any Authorised Subprocessor,
and in each case provide written certification to the Customer that it has complied fully with this section 10.
10.2 Business Partner may retain Customer Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that Business Partner shall ensure the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the Union or Member State law requiring its storage and for no other purpose.

11. Audit rights

11.1 Business Partner shall make available to the Customer on request all information necessary to demonstrate compliance with this Addendum and allow for and contribute to audits, including inspections by the Customer or another auditor mandated by the Customer of any premises where the Processing of Customer Personal Data takes place. Business Partner shall permit the Customer or another auditor mandated by the Customer to inspect, audit and copy any relevant records, processes and systems in order that the Customer may satisfy itself that the provisions of this Addendum are being complied with. Business Partner shall provide full co operation to the Customer in respect of any such audit and shall at the request of the Customer, provide the Customer with evidence of compliance with its obligations under this Addendum. Business Partner shall immediately inform the Customer if, in its opinion, an instruction pursuant to this section 11 (Audit Rights) infringes the GDPR or other Data Protection Laws.

12. International Transfers of Customer Personal Data

12.1 Business Partner shall not Process the Customer Personal Data nor permit any Authorised Subprocessor to Process the Customer Personal Data in a Restricted Country, other than in respect of those recipients in Restricted Countries (if any) listed in Annex 6 (Authorised Transfers of Customer Personal Data), unless authorised in writing by the Customer in advance via an amendment to this Addendum.
EU Restricted Transfers
12.2 To the extent that any Processing of Personal Data under this Addendum involves an EU Restricted Transfer from Customer to Business Partner, the Parties shall comply with their respective obligations set out in the SCCs as set out in Annex 3, which are hereby deemed to be entered into by the Parties and incorporated into this Addendum. The Parties agree that the body of this Addendum supplements the provisions of Annex 3 and that the provisions of Annex 3 shall prevail in case of contradiction.
12.3 The Parties acknowledge and agree that Customer is acting as the data exporter and Business Partner is acting as the data importer under this Addendum and for the purposes of Annex 3.
UK Restricted Transfers
12.4 To the extent that any Processing of Personal Data under this Addendum involves a UK Restricted Transfer from Customer to Business Partner, the Parties shall comply with their respective obligations set out in the UK Transfer Addendum as set out in Annex 4, which is hereby deemed to be: (i) entered into by the Parties and incorporated into this Addendum; and (ii) the Parties agree that the manner of the presentation of the information included in the UK Transfer Addendum shall not operate or be construed so as to reduce the Appropriate Safeguards (as defined in Section 3 of Part 2 of the UK Addendum).
General Restricted Transfer Provisions
12.5 Customer may on notice vary this Addendum and replace the relevant Transfer Solution(s) with:
12.5.1 any new form of the relevant Transfer Solution(s) or any replacement therefor prepared and populated accordingly; or
12.5.2 another transfer mechanism, other than the SCCs and/or UK Transfer Addendum,
that enables the lawful transfer of Personal Data under this Addendum in compliance with Chapter V of the GDPR.

13. Codes of Conduct and Certification

13.1 Business Partner shall at the request of the Customer comply with any Code of Conduct approved pursuant to Article 40 GDPR and obtain any certification approved by Article 42 GDPR from time to time, to the extent that they relate to the Processing of Customer Personal Data.

14. Indemnity

14.1 Business Partner shall indemnify and hold harmless the Customer against all losses, fines and sanctions arising from any claim by a third party or Supervisory Authority arising from any breach of this Addendum.

15. General Terms

15.1 Subject to section 15.2, the parties agree that this Addendum and the Standard Contractual Clauses shall terminate automatically upon termination of the Agreement or expiry or termination of all service contracts entered into by Business Partner with the Customer pursuant to the Agreement, whichever is later.
15.2 Any obligation imposed on Business Partner under this Addendum in relation to the Processing of Personal Data shall survive any termination or expiration of this Addendum.
15.3 Any breach of this Addendum shall constitute a material breach of the Agreement.
15.4 With regard to the subject matter of this Addendum, in the event of inconsistencies between
15.4.1 the provisions of this Addendum and any other agreements between the parties, including but not limited to the Agreement, the provisions of this Addendum shall prevail, or
15.4.2 any Transfer Solution(s) entered and this Addendum and/or the Agreement, the Transfer Solution(s) (as applicable) shall prevail in respect of the Restricted Transfer to which they apply.
15.5 Compliance by Business Partner with the provisions of this Addendum will be at no additional cost to the Customer.
15.6 An Affiliate may enforce any term of this Addendum which is expressly or implicitly intended to benefit it.
15.7 The rights of the Parties to rescind or vary this Addendum are not subject to the consent of any other person.
15.8 Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

IN WITNESS WHEREOF, this Addendum is entered into and becomes a binding part of the Agreement with effect from the Addendum Effective Date first set out above.

ANNEX 1: DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA

Attachment 1

Subject Matter and Details of the Data Processing

This Attachment 1 includes certain details of the Processing of Personal Data under the Agreement; and is used to populate Annex I to the SCCs and the UK Transfer Addendum.

Company details

Name: Century Games Pte. Ltd.
Address: As set out in the pre-amble to the Addendum
Contact Details: Email: [NTD – to be inserted]
Company Activities: Game developer and publisher
Role: Controller (data exporter)

Partner Details

Name: [Partner – to be inserted]
Address: As set out in the pre-amble to the Addendum
Contact Details: [NTD – to be inserted]
Company Activities: [NTD – to be inserted]
Role: Processor (data importer)

DETAILS OF PROCESSING

Categories of Data Subjects: End-users
Categories of Personal Data: Relevant Personal Data includes:
• [Personal details – for example any information that identifies the Data Subject and their personal characteristics, name, age, date of birth, sex, and physical description.]
• [Contact details – for example home and/or business address, email address, telephone details and other contact information such as social media identifiers/handles.]
• [Authentication details – for example username, password or PIN code, security questions and other access protocols.]
• [Technological details – for example internet protocol (IP) addresses, unique identifiers and numbers (including unique identifier in tracking cookies or similar technology), pseudonymous identifiers, precise and imprecise location data, internet / application / program activity data, and device IDs and addresses.]
Sensitive Categories of Data, and associated additional restrictions/safeguards: Categories of sensitive data:
None
Additional safeguards for sensitive data:
N/A
Frequency of transfer: Ongoing – as initiated by Company in and through its use, or use on its behalf, of the Services.
Nature of the Processing: Processing operations required in order to provide the Services in accordance with the Agreement.
Purpose of the Processing: Personal Data will be processed: (i) as necessary to provide the Services as initiated by Company in its use thereof, and (ii) to comply with any other reasonable instructions provided by Company in accordance with the terms of this Addendum.
Duration of Processing / Retention Period: For the period determined in accordance with the Agreement and Addendum.

Attachment 2

EU and UK Restricted Transfers

Notes:

  • In the context of any Restricted Transfer, the SCCs and/or UK Transfer Addendum (as applicable) populated in accordance with this Attachment 2 are incorporated by reference into and form an effective part of the Addendum.

Part 1: EU Restricted Transfers

  1. SIGNATURE OF THE SCCs:

    Where the SCCs apply in accordance with Paragraph 6 to the Addendum each of the Parties is hereby deemed to have signed the SCCs at the relevant signature block in Annex I to the Appendix to the SCCs.

  2. MODULE TWO

    Module Two of the SCCs applies to any Restricted Transfer involving Processing of Personal Data in respect of which Company is a Controller and data exporter, and Partner is a Processor and data importer.

  3. POPULATION OF THE BODY OF THE SCCs

    1. 3.1 The following applies as and where applicable to Module One and the Clauses thereof:

      1. 3.1.1 The optional ‘Docking Clause’ in Clause 7 is used and the language of the body of that Clause 7 is retained.

      2. 3.1.2 The language in Clause 9 is not used and the body of that Clause 9 is left intentionally blank.

      3. 3.1.3 In Clause 11, the optional language is not used and is deleted.

      4. 3.1.4 In Clause 13, the following wording is retained “The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.” and all other square brackets and all text therein is removed.

      5. 3.1.5 In Clause 17: OPTION 1 applies, and the Parties agree that the SCCs shall be governed by the law of Ireland in relation to any Restricted Transfer; and OPTION 2 is not used and that optional language is deleted.

      6. 3.1.6 For the purposes of Clause 18, the Parties agree that any dispute arising from the SCCs in relation to any Restricted Transfer shall be resolved by the courts of Ireland, and Clause 18(b) is populated accordingly.

    2. 3.2 In this Paragraph 3, references to “Clauses” are references to the Clauses of the SCCs.

  4. POPULATION OF ANNEXES TO THE APPENDIX TO THE SCCs

    1. 4.1 Annex I to the Appendix to the SCCs is populated with the corresponding information detailed in Attachment 1 to the Addendum, with: Company being ‘data exporter’; and Partner being ‘data importer’.

    2. 4.2 Annex II to the Appendix to the SCCs is populated as below:

      Partner will implement and maintain the Security Measures as set out below.

      • Policy. Implement and maintain an information security policy, which accords with the requirements of GDPR and good industry practice.

      • Personnel. Organizational management and dedicated staff responsible for the development, implementation and maintenance of Partner’s information security program.

      • Audits. Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Partner’s organization, monitoring and maintaining compliance with Partner’s policies and procedures, in each case conducted by a suitably-qualified and reputable third-party provider, and associated reporting of the condition of its information security and compliance to internal senior management.

      • Separation, access control and permissions. Data security controls which include at a minimum logical segregation of data, restricted (e.g., role based) access and monitoring. Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions.

      • Encryption. At a minimum, Personal Data shall encrypted on all occasions where it is:

        • ptransmitted over public networks (i.e. the Internet), using modern Transport Layer Security protocols; and

        • at rest, using Advanced Encryption Standard (AES) 256 bit encryption.

        Policies shall be maintained and enforced that prohibit storage or transmission unless required encryption has been applied

      • Password management. Password controls designed to manage and control password strength, expiration and usage – including, at a minimum, requiring passwords controlling access to Personal Data to have minimum complexity requirements, be at least 8 characters in length, and be changed frequently (and at least every 90 days); maintaining a secure method for selecting and assigning passwords and requiring use of multi-factor authentication and other reasonable authentication technologies; and assignment of unique user identifications and passwords, which are not vendor-supplied default passwords.

      • Logging. System audit or event logging and related monitoring procedures to proactively record user access and system activity (including systems storing or that may be used to access Personal Data).

      • Physical Security. Physical and environmental security of data centers, server room facilities and other areas containing Personal Data designed to protect information assets from unauthorized physical access or damage.

      • Technology configuration and data destruction. Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Partner’s possession.

      • Change management. Change management procedures and tracking mechanisms designed to test, approve and monitor all material changes to Partner’s technology and information assets.

      • Personal Data Breach Management. Personal Data Breach management procedures that allow Partner to investigate, respond to, mitigate and notify events related to Personal Data and associated technology and information assets, which, at a minimum, are sufficient to enable Partner to comply with its relevant obligations under GDPR.

      • Firewalls. Network security controls that provide for the use of enterprise firewalls and intrusion detection systems designed to protect systems from intrusion and limit the scope of any successful attack.

      • Testing. Vulnerability assessment and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.

      • BC; DR. Business resiliency/continuity and disaster recovery procedures to ensure the availability of Personal Data and associated technology and information assets, and to maintain service and/or recovery from emergency situations or disasters.

      Partner may update or modify these Security Measures, on written notice to Company, from time to time; provided that such updates and modifications do not decrease the overall security of the Personal Data and associated technology and information systems or assets, nor prejudice the warranty and representation set out in this Addendum.

Part 2: UK Restricted Transfers

  1. Where relevant in accordance with Paragraph 6 to the Addendum, the SCCs also apply in the context of UK Restricted Transfers as varied by the UK Transfer Addendum in the manner described below –
    1. 1.1 Part 1 to the UK Transfer Addendum. The Parties agree:

      1. 1.1.1 Tables 1, 2 and 3 to the UK Transfer Addendum are deemed populated with the corresponding details set out in Attachment 1 to the Addendum and the foregoing provisions of this Attachment 2 (subject to the variations effected by the UK Mandatory Clauses described in (b) below); and

      2. 1.1.2 Table 4 to the UK Transfer Addendum is completed by the box labelled ‘Data Exporter’ being deemed to have been ticked.

    2. 1.2 Part 2 to the UK Transfer Addendum. The Parties agree to be bound by the UK Mandatory Clauses of the UK Transfer Addendum.

  2. As permitted by Section 17 of the UK Mandatory Clauses, the Parties agree to the presentation of the information required by ‘Part 1: Tables’ of the UK Transfer Addendum in the manner set out in Paragraph 1 of this Part 2; provided that the Parties further agree that nothing in the manner of that presentation shall operate or be construed so as to reduce the Appropriate Safeguards (as defined in Section 3 of the UK Mandatory Clauses).

  3. In relation to any UK Restricted Transfer to which they apply, where the context permits and requires, any reference in the Addendum to the SCCs, shall be read as a reference to those SCCs as varied in the manner set out in Paragraph 1 of this Part 2.

Attachment 3

California Annex

  1. Order of Precedence. To the extent that the terms in this California Annex conflict with the terms in the rest of the Agreement, the terms in this California Annex prevail. Furthermore, the Parties hereby agree that the terms of this California Annex supersede and replace any respective obligations of the Parties that relate to the Processing of Personal Data to the extent that such processing is subject to the CCPA.

  2. Definitions. CCPA and other capitalized terms not defined in this California Annex are defined in the Addendum.

    1. 2.1. “Business,” “sell,” “share,” and “third party” shall have the meanings given in the CCPA.

    2. 2.2. The definition of “Personal Data” includes “personal information” as defined in the CCPA.

  3. Obligations.

    1. 3.1. Company is providing Personal Data to Partner under the Agreement for the limited and specified purposes described in Attachment 1

      (Subject Matter and Details of the Data Processing).

    2. 3.2. Where the provision of Personal Data by Company to Partner pursuant to the Agreement constitutes a sell and/or sharing of Personal Data under the CCPA, Partner:

      1. a. shall comply with its applicable obligations under the CCPA and provide the same level of privacy protection to Personal Data as is required by the CCPA;

      2. b. acknowledges that Company has the right to take reasonable and appropriate steps to ensure that Partner’s use of Personal Data is consistent with Company’s obligations under the CCPA;

      3. c. shall notify Company in writing, no later than five (5) business days, after it makes a determination that it can no longer meet its obligations under the CCPA; and

      4. d. acknowledges that the Company has the right, upon notice, including pursuant to the preceding clause, to take reasonable and appropriate steps to stop and remediate Partner’s unauthorized use of Personal Data.