Data Processing Agreement

Provider: Apefo Ltd trading as Yhost ("Provider", "we", "us")
Company number: 16610465  |  Address: 24-26 Regent Place, City Centre, Birmingham, United Kingdom, B1 3NJ
Support: [email protected]  |  Privacy requests: [email protected]
Effective date: 17.03.2026  |  Version: 2.0

Important: This Data Processing Agreement (the "DPA") forms part of the agreement between Apefo Ltd trading as Yhost and the customer identified in the applicable Order, Account, Order Confirmation, Statement of Work, or other binding service arrangement ("Customer", "you"). This DPA applies where, in connection with the Services, we process Personal Data on your behalf as a processor or service provider.

This DPA is intended to satisfy the controller‑processor contractual requirements under Article 28 of the EU GDPR, the UK GDPR, the requirements for "service provider" agreements under the CCPA/CPRA and other U.S. State Privacy Laws, and similar applicable data protection laws. It should be read together with our Terms of Service and Privacy Policy.

By accepting the Terms of Service, placing an Order, using the Services, or electronically accepting this DPA through the client portal, Customer agrees to be bound by this DPA. If the individual accepting this DPA does so on behalf of an entity, that individual represents and warrants that they have authority to bind that entity.

1. Definitions and Interpretation

In this DPA, unless the context requires otherwise, the following terms have the meanings set out below.

  • "Agreement" means the main services agreement between Customer and Provider, including the Terms of Service, the applicable Order, Order Confirmation, Statement of Work, service‑specific schedule, and this DPA.
  • "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under the Agreement, including, where applicable, the EU GDPR, the UK GDPR, the UK Data Protection Act 2018, the CCPA/CPRA, other U.S. State Privacy Laws, and any legislation implementing or supplementing the foregoing.
  • "CCPA/CPRA" means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and its implementing regulations.
  • "Customer Content" means any data, text, code, files, databases, emails, images, software, and other materials uploaded, stored, transmitted, processed, or otherwise made available by Customer or its users through the Services.
  • "Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Personal Data Breach", and "Supervisory Authority" have the meanings given to them under Applicable Data Protection Law.
  • "Restricted Transfer" means a transfer of Personal Data to a country or recipient for which Applicable Data Protection Law requires appropriate safeguards.
  • "Services" means the hosting, infrastructure, platform, migration, backup, restoration, support, monitoring, security, and related services supplied by Provider to Customer under the Agreement.
  • "Subprocessor" means any third party appointed by or on behalf of Provider to process Personal Data on behalf of Customer in connection with the Services.
  • "SCCs" means the European Commission's standard contractual clauses for the transfer of personal data to third countries pursuant to Commission Implementing Decision (EU) 2021/914, as updated, replaced, or superseded from time to time.
  • "UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Version B1.0) issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018, or any successor or replacement instrument recognised under Applicable Data Protection Law.
  • "U.S. State Privacy Laws" means the CCPA/CPRA, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and other comparable U.S. state privacy and data protection statutes, as applicable.

References to "including" mean "including without limitation". Headings are for convenience only and do not affect interpretation. Where Customer acts as a processor on behalf of a third‑party controller, Customer warrants that it is duly authorised to appoint Provider as a subprocessor and to give the instructions set out in this DPA.

2. Scope, Relationship with the Agreement, and Order of Precedence

This DPA applies only to the extent that Provider processes Personal Data on behalf of Customer in connection with the Services.

This DPA does not apply to processing for which Provider acts as an independent controller, including processing relating to account administration, billing, fraud prevention, verification, abuse handling, support communications, legal compliance, and Provider's own operational records. Provider's processing as controller is described in the Privacy Policy.

Except as expressly stated in this DPA, the Agreement remains in full force and effect. In the event of a conflict between this DPA and another part of the Agreement, this DPA shall prevail in relation to the subject matter of data processing and data protection. For all other matters, the Agreement shall continue to apply.

3. Subject Matter, Duration, Nature, and Purpose of Processing

The subject matter, duration, nature, purpose, and categories of processing covered by this DPA are described in Schedule 1.

Provider shall process Personal Data only for the duration of the Services and for any reasonable operational period required to return, delete, archive, secure, or otherwise manage Personal Data in accordance with the Agreement, this DPA, and Applicable Law.

4. Roles of the Parties

As between the parties, Customer is the Controller (or "business" under CCPA/CPRA) of Personal Data contained in Customer Content, unless Customer is itself acting as a processor on behalf of another controller, in which case Provider shall act as Customer's subprocessor.

Provider shall act as Processor (or "service provider" under CCPA/CPRA) only in relation to such Personal Data and only for the limited purposes described in the Agreement and this DPA.

Customer remains solely responsible for determining whether the Services are appropriate for its intended processing activities, for establishing a lawful basis for processing, for complying with transparency obligations, and for responding to Data Subjects, except to the extent Provider is required to assist under this DPA.

5. Customer Instructions and Responsibilities

Customer instructs Provider to process Personal Data only:

  • to provide, maintain, secure, and support the Services;
  • to perform migrations, troubleshooting, restoration, backup, monitoring, and related support activities requested or authorised by Customer;
  • to take steps necessary to prevent fraud, abuse, or material security risks affecting the Services;
  • to disclose data where required by Applicable Law, a court of competent jurisdiction, or a legally binding order of a competent authority; and
  • as otherwise documented in the Agreement, the client portal, or Customer's written instructions accepted by Provider.

Customer is responsible for:

  • the lawfulness of the Personal Data and the means by which it was collected;
  • the accuracy, quality, and legality of Customer Content and all processing instructions given to Provider;
  • providing all notices and obtaining all consents, permissions, and authorisations required under Applicable Data Protection Law;
  • ensuring that its use of the Services, including any security settings selected or omitted by Customer, complies with Applicable Law;
  • implementing appropriate safeguards at the application, database, credential, and account‑access levels; and
  • ensuring that no instruction given to Provider causes Provider to breach Applicable Law.

Customer shall not instruct Provider to process Personal Data in a manner that is unlawful, disproportionate, or outside the scope of the Services.

6. Provider Obligations

6.1 Processing on documented instructions

Provider shall process Personal Data only on Customer's documented instructions, unless Provider is required to do otherwise by Applicable Law. Where Provider is required by Applicable Law to process Personal Data other than on Customer's instructions, Provider shall, unless prohibited by law, inform Customer of that legal requirement before carrying out the relevant processing.

6.2 Confidentiality

Provider shall ensure that persons authorised to process Personal Data are subject to appropriate duties of confidentiality, whether by contract, law, or internal policy, and that access to Personal Data is limited to those who need such access for the performance of the Services.

6.3 Security of processing

Taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risks to the rights and freedoms of natural persons, Provider shall implement and maintain appropriate technical and organisational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or unauthorised access. A summary of such measures is set out in Schedule 2.

6.4 No unauthorised independent use

Provider shall not: (a) sell Customer Personal Data; (b) share Customer Personal Data for cross‑context behavioural advertising; (c) retain, use, or disclose such Personal Data for any purpose other than the purposes permitted by the Agreement, this DPA, or Applicable Law; or (d) retain, use, or disclose such Personal Data outside the direct business relationship between Provider and Customer, except as permitted by Applicable Law.

6.5 Compliance information

Provider shall make available to Customer such information as is reasonably necessary to demonstrate Provider's compliance with this DPA, subject always to confidentiality, security, privilege, and the protection of other customers' information and systems.

6.6 Notification of inability to comply

Provider shall promptly notify Customer if Provider determines that it can no longer meet its obligations under Applicable Data Protection Law (including U.S. State Privacy Laws) and shall take reasonable steps to stop and remediate any unauthorised processing of Personal Data.

7. Subprocessors

7.1 General authorisation

Customer grants Provider a general written authorisation to appoint Subprocessors in connection with the provision of the Services.

7.2 Subprocessor obligations

Provider shall:

  • exercise reasonable care in selecting and appointing Subprocessors;
  • impose data protection obligations on each Subprocessor by way of a written contract that are materially no less protective than those set out in this DPA, to the extent applicable to the services performed by that Subprocessor; and
  • remain responsible for the performance of its Subprocessors' data protection obligations to the extent required by Applicable Data Protection Law.

7.3 Current Subprocessor list

The current list of Subprocessors (including entity name, purpose, and processing location) is set out in Schedule 3 and published at my.yhost.io/legal/dpa. Customer may also request the current list at any time by contacting [email protected].

7.4 Notification of changes

Provider shall notify Customer at least 30 days before engaging a new Subprocessor or materially changing the processing activities of an existing Subprocessor. Notification may be given via email to the address on the Account, the client portal, or by publishing the updated Subprocessor list.

7.5 Objection right

Customer may object to a new or changed Subprocessor on reasonable and documented data protection grounds within 15 days of receiving notification by contacting [email protected]. The parties shall discuss the objection in good faith. If Provider cannot reasonably accommodate the objection (for example, by using an alternative Subprocessor or implementing additional safeguards), Customer may terminate the affected Service without penalty by giving written notice within 30 days of Provider's final response. Provider will refund any prepaid Fees for the unused portion of the terminated Service.

8. International Transfers

8.1 Transfer locations

Customer acknowledges that Provider may process Personal Data in the United Kingdom, the European Economic Area, and other jurisdictions in which Provider, its affiliates, infrastructure partners, or Subprocessors operate. The current processing locations for each Subprocessor are set out in Schedule 3.

8.2 Transfer safeguards

Where a Restricted Transfer occurs, Provider shall ensure that such transfer is made subject to an appropriate transfer mechanism recognised under Applicable Data Protection Law, which may include:

  • an adequacy decision by the European Commission or UK Secretary of State;
  • the SCCs (Module 2: Controller to Processor, or Module 3: Processor to Processor where Customer acts as a processor on behalf of a third‑party controller) for transfers from the EU/EEA, completed as described in Schedule 4;
  • the UK Addendum for transfers from the UK, completed as described in Schedule 4;
  • binding corporate rules; or
  • another lawful mechanism recognised under Applicable Data Protection Law.

8.3 Incorporation of SCCs and UK Addendum

To the extent required, the SCCs (Module 2 or, where applicable, Module 3) and, where applicable, the UK Addendum are deemed incorporated into this DPA by reference and completed as set out in Schedule 4. In the event of a conflict between this DPA and the SCCs or UK Addendum, the SCCs or UK Addendum shall prevail to the extent of the conflict.

8.4 Supplementary measures

Where required by the circumstances of the transfer (for example, following a transfer impact assessment), Provider shall implement supplementary measures such as encryption in transit and at rest, pseudonymisation, access controls, and contractual provisions to ensure an essentially equivalent level of protection for Personal Data.

9. Assistance with Data Subject Rights and Compliance

Taking into account the nature of the processing and to the extent reasonably possible, Provider shall provide reasonable assistance to Customer in enabling Customer to respond to requests from Data Subjects exercising rights under Applicable Data Protection Law (including access, rectification, erasure, restriction, portability, and objection requests).

If Provider receives a request directly from a Data Subject relating to Personal Data processed on behalf of Customer, Provider shall promptly notify Customer and redirect the Data Subject to Customer. Provider shall not respond substantively except as required by Applicable Law.

Taking into account the nature of the processing and the information available to Provider, Provider shall provide reasonable assistance to Customer with:

  • security of processing obligations (Article 32 EU GDPR / UK GDPR);
  • notification and investigation of Personal Data Breaches (Articles 33–34 EU GDPR / UK GDPR);
  • data protection impact assessments (Article 35 EU GDPR / UK GDPR); and
  • prior consultations with Supervisory Authorities (Article 36 EU GDPR / UK GDPR),

in each case only to the extent required under Applicable Data Protection Law and only where Customer cannot reasonably fulfil such obligations without Provider's assistance.

Unless the assistance is required because Provider has breached this DPA or Applicable Data Protection Law, Provider may charge reasonable fees for substantial or repeated assistance requests requiring legal, engineering, or specialist compliance resources. Provider will notify Customer of such fees before commencing the work.

10. Personal Data Breaches

10.1 Notification

Provider shall notify Customer without undue delay, and in any event within 72 hours of becoming aware, of a Personal Data Breach affecting Personal Data processed by Provider on behalf of Customer.

10.2 Content of notification

Such notification shall, to the extent known at the time, include:

  • a description of the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects and Personal Data records concerned;
  • the name and contact details of Provider's point of contact for further information;
  • the likely consequences of the Personal Data Breach, where reasonably assessable;
  • the measures taken or proposed to address the Personal Data Breach and to mitigate its possible adverse effects.

10.3 Phased information

Provider may provide information in phases as it becomes available. Where it is not possible to provide all information within 72 hours, Provider shall provide the information without undue delay in subsequent communications.

10.4 Cooperation

Provider shall cooperate with Customer and take commercially reasonable steps to assist in investigating, mitigating, and remediating the breach. Provider shall preserve evidence and maintain records related to the breach as may be necessary for Customer's compliance obligations.

10.5 No admission

Notification under this Section does not constitute an admission of fault or liability.

11. Return, Deletion, and Retention

11.1 Customer responsibility

Customer is responsible for exporting Customer Content before termination of the Services. Provider will make reasonable export mechanisms available through the Services (for example, file manager, database export, backup download where available).

11.2 Post‑termination actions

Upon termination or expiry of the affected Services, Provider shall, at Customer's choice communicated before termination or within any period reasonably specified by Provider:

  • make Customer Content available for export or return by reasonable means supported by the Services; and/or
  • delete or render inaccessible Personal Data within 30 days of the effective date of termination.

11.3 Certification of deletion

Upon Customer's written request following deletion, Provider shall confirm in writing that it has deleted Personal Data in accordance with this Section, except for data retained under Section 11.4.

11.4 Permitted retention

Provider may retain Personal Data to the extent required by Applicable Law, for fraud prevention, billing compliance, the establishment, exercise or defence of legal claims, or where retention is technically necessary in secure archives, logs, or backups for a limited period, provided that:

  • such retained data remains protected in accordance with this DPA;
  • Provider does not actively process the retained data except for the permitted retention purpose; and
  • Provider deletes or anonymises the retained data when the retention purpose no longer applies.

12. Audit and Information Rights

12.1 Information requests

Customer may, no more than once in any twelve‑month period, request information reasonably necessary to demonstrate Provider's compliance with this DPA. Provider shall respond within a reasonable timeframe.

12.2 Audit right

Where such information is not reasonably sufficient and Customer has a reasonable basis to believe that Provider is in material breach of this DPA, Customer may request an audit, subject to the following conditions:

  • the audit shall, where possible, be carried out first by documentary review, certifications (such as SOC 2 or ISO 27001 reports), questionnaires, or remote review;
  • any on‑site audit shall require at least 30 days' prior written notice and shall be conducted during normal business hours;
  • the audit shall not unreasonably interfere with Provider's operations or compromise the confidentiality, security, or integrity of Provider's systems or those of other customers;
  • Customer and its auditors shall be bound by confidentiality obligations acceptable to Provider; and
  • Customer shall bear its own costs and reimburse Provider's reasonable internal costs unless the audit reveals a material breach of this DPA by Provider.

12.3 Supervisory Authority audits

Where an audit is required by a Supervisory Authority or competent data protection authority, Provider shall cooperate to the extent required by Applicable Law, irrespective of the frequency limitation above.

12.4 Limitations

Nothing in this Section requires Provider to disclose information subject to legal privilege, trade secrecy, infrastructure security restrictions, or confidentiality obligations owed to third parties or other customers.

13. Confidentiality

Each party shall keep confidential all non‑public information received from the other in connection with this DPA that is marked or reasonably understood to be confidential, and shall use such information only to perform, exercise, or enforce rights under the Agreement and this DPA.

This clause does not apply to information that:

  • is or becomes public through no breach of confidentiality;
  • was lawfully known to the receiving party without restriction before disclosure;
  • is independently developed without use of the disclosing party's confidential information; or
  • must be disclosed by law, court order, or competent authority, provided that, where legally permitted, the receiving party gives prior notice of such requirement.

14. U.S. State Privacy Laws

14.1 Applicability

This Section applies to the extent that U.S. State Privacy Laws apply to Provider's processing of Personal Data (or "personal information") on Customer's behalf. The terms "business", "service provider", "consumer", "personal information", "sell", "share", and "business purpose" in this Section have the meanings given under the applicable U.S. State Privacy Law.

14.2 Service provider / processor role

With respect to personal information contained in Customer Content, Provider acts as a "service provider" (CCPA/CPRA) or "processor" (other U.S. State Privacy Laws) on Customer's behalf. Provider processes such personal information solely for the business purposes described in the Agreement and this DPA.

14.3 Restrictions

Provider shall not:

  • sell personal information received from or on behalf of Customer;
  • share personal information for cross‑context behavioural advertising;
  • retain, use, or disclose personal information for any commercial purpose other than providing the Services as specified in the Agreement;
  • retain, use, or disclose personal information outside the direct business relationship between Provider and Customer, except as permitted by Applicable Law;
  • combine personal information received from Customer with personal information received from or on behalf of another person or collected from Provider's own interactions with the consumer, except as permitted by Applicable Law for the purposes of detecting data security incidents or protecting against fraudulent activity.

14.4 Compliance certification

Provider certifies that it understands and will comply with the restrictions and obligations set forth in this Section and will treat personal information in accordance with the requirements of U.S. State Privacy Laws as applicable.

14.5 Consumer rights assistance

Provider shall reasonably assist Customer in responding to verifiable consumer requests exercising rights under U.S. State Privacy Laws (such as requests to know, access, delete, correct, or opt out), including by providing mechanisms to facilitate data retrieval and deletion as described in the Agreement.

14.6 Notification of inability to comply

Provider shall promptly notify Customer if Provider determines that it can no longer meet its obligations under U.S. State Privacy Laws. In such event, Customer may take reasonable steps to stop and remediate any unauthorised processing, including terminating the affected Service.

14.7 Right to monitor

Customer has the right to take reasonable and appropriate steps to ensure that Provider uses personal information in a manner consistent with Customer's obligations under U.S. State Privacy Laws, including the audit and information rights set out in Section 12.

15. Liability

The liability of each party arising out of or in connection with this DPA shall be subject to the exclusions, limitations, disclaimers, remedies, and liability caps set out in the Agreement, to the maximum extent permitted by Applicable Law.

Nothing in this DPA excludes or limits liability where such exclusion or limitation is prohibited by Applicable Law, including any non‑waivable rights or remedies under Applicable Data Protection Law.

Where Applicable Data Protection Law gives a Data Subject a direct right of action against either party, each party shall remain responsible for the portion of damage for which it is legally responsible, and nothing in this DPA shall be interpreted to remove rights of recourse available under Applicable Data Protection Law.

16. Term and Termination

This DPA shall commence on the date Customer first accepts it or first uses the Services involving processing by Provider on Customer's behalf, whichever occurs earlier, and shall remain in force for so long as Provider processes Personal Data on behalf of Customer under the Agreement.

Termination or expiry of the Agreement shall automatically terminate this DPA, except that clauses intended to survive termination (including Sections 10, 11, 12, 13, 14, 15, and 18) shall continue for so long as Provider retains Personal Data processed on Customer's behalf.

17. Changes to this DPA

Provider may update this DPA where reasonably necessary to reflect changes in Applicable Law, regulatory guidance, Subprocessors, transfer mechanisms, security practices, or the Services. Provider shall publish the updated version on its website or client portal and update the effective date and version.

No update shall materially reduce the level of protection afforded to Personal Data processed under this DPA except to the extent required by Applicable Law or a binding regulatory or judicial decision. Where changes are material, Provider shall provide notice at least 30 days before the effective date through the client portal, website notice, or email.

18. Governing Law and Jurisdiction

This DPA shall be governed by the same governing law and dispute framework as the Agreement. For customers outside the United States, and subject to mandatory rights under Applicable Law, this DPA shall be governed by the laws of England and Wales and the courts of England and Wales shall have exclusive jurisdiction.

Where the SCCs apply, the governing law of the SCCs shall be the law of an EU Member State that allows for third‑party beneficiary rights (Clause 17 of the SCCs). The parties agree that this shall be the law of Ireland. The competent courts for the purposes of Clause 18 of the SCCs shall be the courts of Ireland.

19. Execution

This DPA may be executed electronically, including by click acceptance in the client portal, digital signature, or other electronic method permitted by Applicable Law. Such execution shall be legally binding to the same extent as a signed paper copy. Customers who require a signed PDF copy may request one through the client portal or at [email protected].


Schedule 1 — Description of Processing

1. Subject Matter

The provision of hosting, infrastructure, platform, migration, backup, restoration, support, monitoring, security, and related services under the Agreement.

2. Duration

For the term of the relevant Services and any reasonable operational period (not exceeding 30 days unless Applicable Law requires otherwise) required to export, return, delete, secure, archive, or otherwise manage Personal Data in accordance with the Agreement, this DPA, and Applicable Law.

3. Nature of the Processing

Collection, recording, organisation, structuring, storage, hosting, adaptation, retrieval, consultation, transmission, disclosure by transmission where initiated by Customer, restriction, alignment, backup, restoration, deletion, and other processing strictly necessary to provide and secure the Services.

4. Purpose of the Processing

To provide the Services to Customer; to host and make available Customer Content; to maintain service continuity, resilience, and security; to provide support requested by Customer; to perform migration and restoration activities where requested; and to comply with Applicable Law.

5. Categories of Data Subjects

  • Customer's end users and website or application users;
  • Customer's employees, contractors, agents, and representatives;
  • Customer's clients, prospects, subscribers, members, patients, students, donors, or other users, depending on Customer's business activities;
  • visitors to websites, applications, stores, portals, or services operated by Customer through the Services.

6. Categories of Personal Data

  • identity and contact data such as names, usernames, postal addresses, phone numbers, and email addresses;
  • account, profile, and authentication data;
  • transactional, order, billing, or subscription information stored by Customer in its own applications;
  • website, application, email, database, or CMS content uploaded by or on behalf of Customer;
  • device, connection, usage, and log data processed within Customer's own environment;
  • support or migration data provided by Customer to Provider in connection with service requests;
  • any other Personal Data included in Customer Content at Customer's discretion and under Customer's responsibility.

7. Special Categories and Sensitive Data

Provider does not require Customer to upload special category data (as defined in Article 9 EU GDPR / UK GDPR) or other highly sensitive data to use the Services. If Customer chooses to process such data through the Services, Customer remains solely responsible for ensuring that the Services, security configuration, encryption, and lawful basis are appropriate for such use. Customer acknowledges that the standard Services are not specifically designed or certified for the processing of special category data.


Schedule 2 — Technical and Organisational Measures Summary

The following measures describe Provider's general security approach. Specific controls may vary by service tier, purchased features, infrastructure design, and the role of authorised infrastructure partners and Subprocessors.

  • Access control and least privilege — access to systems and support functions is restricted based on role and operational need.
  • Authentication and account security — administrative access is protected through credential controls, multi‑factor authentication where supported, and related account protection measures.
  • Network and platform security — infrastructure safeguards may include firewalling, segmentation, filtering, and platform hardening appropriate to the service model.
  • Transmission security — encrypted connections in transit (TLS 1.2 or higher) are used for portals, APIs, and administrative interfaces.
  • Storage security — sensitive data (such as KYC documents) is encrypted at rest where supported. Customer Content storage encryption varies by service tier.
  • Monitoring and logging — operational logging, security event monitoring, audit logging, abuse detection, and incident investigation procedures are maintained to protect service integrity.
  • Malware and abuse protection — anti‑malware, anti‑abuse, quarantining, or related protective controls may be applied where enabled, available, or appropriate to the affected service.
  • Vulnerability and patch management — Provider maintains processes intended to address relevant vulnerabilities in Provider‑managed systems, taking into account the service scope and any self‑managed boundaries.
  • Resilience and continuity — measures support availability, service recovery, and operational resilience, including backups or snapshots where included in the purchased service or separately ordered.
  • Personnel confidentiality and training — authorised personnel are subject to confidentiality obligations and internal practices intended to promote secure handling of information.
  • Subprocessor governance — relevant Subprocessors and infrastructure partners are managed through contractual and operational controls appropriate to their role, including data processing agreements with obligations no less protective than this DPA.
  • Secure deletion and retention controls — processes are maintained to delete, restrict, or render inaccessible Customer data within 30 days after service termination, subject to technical limitations, backups, legal obligations, and reasonable operational retention windows.
  • Incident response — Provider maintains documented procedures for identifying, escalating, containing, investigating, and notifying Customer of relevant incidents affecting Personal Data, with initial notification to Customer within 72 hours.

Schedule 3 — Subprocessor List

This Schedule lists the Subprocessors currently authorised by Provider to process Personal Data on behalf of Customer. Provider will update this list and notify Customer in accordance with Section 7.4 before engaging new Subprocessors.

Each entry gives the Subprocessor, the purpose of processing, and the processing location.

  • Mollie B.V. (Netherlands (EU)): payment processing, fraud prevention.
  • Hetzner Online GmbH (Germany (EU)) and UpCloud Oy (Finland (EU)): compute, storage, networking (primary hosting infrastructure).
  • APEFO LTD (United Kingdom): support ticket management, customer communications.
  • APEFO LTD (United Kingdom): uptime monitoring, security event detection.
  • APEFO LTD (United Kingdom) and Mailgun Technologies Inc. (various): transactional email delivery (invoices, notifications).
  • ResellerClub / Dynadot / applicable registries (various, per TLD registry): domain registration, renewal, transfer.

Schedule 4 — Standard Contractual Clauses Reference

1. EU Standard Contractual Clauses (SCCs)

Where a Restricted Transfer of Personal Data is made from the EU/EEA to a country not subject to an adequacy decision, the parties agree that the SCCs (Commission Implementing Decision (EU) 2021/914) are incorporated by reference and completed as follows:

  • Module: Module 2 (Controller to Processor). Where Customer acts as a processor on behalf of a third‑party controller, Module 3 (Processor to Processor) shall apply instead.
  • Clause 7 (Docking clause): included — third parties may accede to the SCCs as a data exporter or data importer.
  • Clause 9(a) (Subprocessor authorisation): Option 2 (general written authorisation) applies, with notification period of 30 days as described in Section 7.4.
  • Clause 11(a) (Redress): optional redress clause is not included.
  • Clause 13(a) (Supervision): where the data exporter is established in an EU Member State, the supervisory authority of that Member State shall act as competent supervisory authority. Where the data exporter is not established in an EU Member State but falls within the territorial scope of the GDPR, the supervisory authority of Ireland shall act as competent supervisory authority.
  • Clause 17 (Governing law): the laws of Ireland.
  • Clause 18 (Choice of forum and jurisdiction): the courts of Ireland.
  • Annex I.A (List of parties): Data exporter is Customer (as identified in the Agreement). Data importer is Provider (as identified in this DPA).
  • Annex I.B (Description of transfer): as set out in Schedule 1 of this DPA.
  • Annex I.C (Competent supervisory authority): as set out in Clause 13(a) above.
  • Annex II (Technical and organisational measures): as set out in Schedule 2 of this DPA.
  • Annex III (List of subprocessors): as set out in Schedule 3 of this DPA.

2. UK International Data Transfer Addendum

Where a Restricted Transfer of Personal Data is made from the UK, the UK Addendum (Version B1.0, in force 21 March 2022, or its successor) is incorporated by reference, with the following completion:

  • Part 1, Table 1: parties as identified in Annex I.A of the SCCs above.
  • Part 1, Table 2: the Approved EU SCCs referenced are those described in Section 1 of this Schedule 4, including Module 2 (or Module 3 where applicable).
  • Part 1, Table 3: as set out in Schedules 1, 2, and 3 of this DPA.
  • Part 1, Table 4: either party may end the UK Addendum in accordance with Section 19 of the UK Addendum.
  • Part 2: Mandatory Clauses of the Approved Addendum (as set out in the template UK Addendum) are incorporated.

Contact

If you require a signed PDF copy of this DPA, additional compliance information, or an up‑to‑date subprocessor list, please contact us via the client portal or at [email protected].
