Get a Demo

Data Processing Addendum

Last updated and effective as of January 6, 2026 (the “DPA Effective Date”).

You can find archived versions of the 3Play Media Data Processing Addendum on our website.

This Data Processing Addendum (“DPA”), forms part of the 3Play Media Master Services Agreement or the applicable Master Services Agreement (as applicable, the “Agreement”) between 3Play Media, Inc., together with its Affiliates (collectively, “Company” or “3Play Media”), and the entity that has engaged Company to provide the Services (“Customer”). Capitalized terms used and not otherwise defined herein shall have the meanings ascribed to them in the Agreement. In the event of a conflict between this DPA and any other terms in the Agreement, the terms of this DPA will govern. Each of Company and Customer is referred to in this DPA individually as a “party”, collectively the “parties.” By entering into the Agreement, the parties are deemed to have signed all Attachments, Exhibits, Annexes, Schedules, and Appendices, including those incorporated by reference, to this DPA where applicable.

  1. Definitions.
    1. “Affiliates” means any corporation, partnership, or other entity now existing or hereafter organized that directly or indirectly controls, is controlled by, or under common control with a party. For purposes of this definition, “control” means the direct possession of a majority of the outstanding voting securities of an entity. As of the DPA Effective Date, 3Play Media, Inc.’s Affiliates include 3Play Media Canada, Inc. and Captionmax, LLC.
    2. “CCPA” means (to the extent applicable) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, together with any regulations promulgated thereunder.
    3. “Customer Data” means any information processed or generated by Company solely on behalf of Customer, including, without limitation, any EU Personal Data, UK Personal Data, California Personal Data, and/or State Laws Data.
    4. “European Data Protection Laws” means, collectively, the GDPR and the UK Data Protection Laws, as applicable.
    5. “GDPR” means the General Data Protection Regulation (EU) 2016/679.
    6. “Personal Data” means any information relating to, or linked to, or reasonably linkable to any identified or identifiable individual, household, or device.
    7. “Processing” (including any grammatically inflected forms thereof) means any operation or set of operations which is performed on data or on sets of data, whether or not by automated or manual means, including without limitation collection, recording, organization, structuring, storage, adaptation or alteration, access, retrieval, consultation, use, disclosure (including by transmission), analysis, deletion, modification, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, including the actions of a person directing a third party to Process data on behalf of such person.
    8. “State Data Protection Laws” means (in each case to the extent effective and applicable and together with any regulations promulgated thereunder): (i) the Colorado Privacy Act; (ii) the Connecticut Act Concerning Personal Data Privacy and Online Monitoring; (iii) the Utah Consumer Privacy Act; (iv) the Virginia Consumer Data Protection Act; (v) the Delaware Personal Data Privacy Act; (vi) the Indiana Consumer Data Protection Act; (vii) the Iowa Consumer Data Protection Act; (viii) the Montana Consumer Data Privacy Act; (ix) the Oregon Consumer Privacy Act; (x) the Tennessee Information Protection Act; (xi) the Texas Data Privacy and Security Act; (xii) New Jersey SB 332; (xiii) New Hampshire SB 255; (xiv) the Nebraska Data Privacy Act; (xv) the Kentucky Consumer Data Protection Act; (xvi) the Maryland Online Data Privacy Act; (xvii) the Minnesota Consumer Data Privacy Act; (xviii) the Rhode Island Data Transparency and Privacy Protection Act; and/or (xix) other U.S. state laws that are substantially similar in all respects to items (i) through (xviii) that may become effective from time to time.
    9. “State Laws Data” means any Personal Data regulated by any State Data Protection Laws and Processed by Company solely on behalf of Customer.
    10. “UK” means the United Kingdom.
    11. “UK Data Protection Laws” means the UK GDPR and the UK’s Data Protection Act 2018 (“UK DPA 2018”).
    12. “UK GDPR” means the UK equivalent of the GDPR, as defined in section 3(10) (and as supplemented by section 205(4)) of the UK DPA 2018.
  2. EU Personal Data Controller. To the extent Company Processes Personal Data regulated by the GDPR solely on behalf of Customer (“EU Personal Data”), and to the extent Customer is a controller (as defined in the GDPR) and the Company is a processor (as defined in the GDPR) on behalf of Customer with regard to such EU Personal Data, then to the extent required by the GDPR, Module 2 of the Standard Contractual Clauses for the Transfer of Personal Data as set out in European Commission Decision 2021/914/EC, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN (the “Controller to Processor Standard Contractual Clauses”) will apply to the transfer of such EU Personal Data by Customer to the Company and to the Company’s Processing of such EU Personal Data and the parties hereby agree to comply with such Controller to Processor Standard Contractual Clauses, which are hereby incorporated into the Agreement in their entirety, as set forth in Exhibit A. In the event of a conflict between the Agreement and the Controller to Processor Standard Contractual Clauses, the Controller to Processor Standard Contractual Clauses will control to the extent applicable to such EU Personal Data.
  3. EU Personal Data Processor. To the extent Company Processes EU Personal Data, and to the extent Customer is a processor (as defined in the GDPR) on behalf of a third party with respect to EU Personal Data and the Company is a processor on behalf of Customer with regard to such EU Personal Data, then to the extent required by the GDPR, Module 3 of the Standard Contractual Clauses for the Transfer of Personal Data as set out in European Commission Decision 2021/914/EC, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN (the “Processor to Processor Standard Contractual Clauses”) will apply to the transfer of such EU Personal Data by Customer to the Company and to the Company’s Processing of such EU Personal Data and the parties hereby agree to comply with such Processor to Processor Standard Contractual Clauses, which are hereby incorporated into the Agreement in their entirety, as set forth in Exhibit B. In the event of a conflict between the Agreement and the Processor to Processor Standard Contractual Clauses, the Processor to Processor Standard Contractual Clauses will control to the extent applicable to such EU Personal Data.
  4. UK Personal Data. To the extent Company Processes Personal Data regulated by the UK Data Protection Laws solely on behalf of Customer (“UK Personal Data”), then, to the extent required by the UK Data Protection Laws, the UK’s ‘International Data Transfer Addendum to the EU Commission Standard Contractual Clauses’, Version B1.0, in force from March 21, 2022, available at https://ico.org.uk/media2/migrated/4019539/international-data-transfer-addendum.pdf (the “UK DTA”) will apply to the transfer of such UK Personal Data by Customer to the Company and to the Company’s Processing of such UK Personal Data and the parties hereby agree to comply with such UK DTA, which is hereby incorporated into the Agreement in its entirety and as set forth in Exhibit C. In the event of a conflict between the Agreement and the UK DTA, the UK DTA will control to the extent applicable to the UK Personal Data.
  5. California Personal Data. To the extent Customer makes available to Company Personal Data regulated by the CCPA for a business purpose pursuant to the Agreement and/or to the extent Company Processes Personal Data regulated by the CCPA solely on behalf of Customer (collectively, “California Personal Data”), then, to the extent required by the CCPA, the California Data Exhibit (attached hereto as Exhibit D, the “California Data Exhibit”) will apply to the Company’s Processing of such California Personal Data and the parties hereby agree to comply with such California Data Exhibit, which is hereby incorporated into the Agreement in its entirety. In the event of a conflict between the Agreement and the California Data Exhibit, the California Data Exhibit will control to the extent applicable to the California Personal Data.
  6. Other States Data. To the extent Company Processes State Laws Data, then to the extent required by State Data Protection Laws, the Other States Data Exhibit (attached hereto as Exhibit E, the “Other States Data Exhibit”) will apply to the Company’s Processing of such State Laws Data and the parties hereby agree to comply with such Other States Data Exhibit, which is hereby incorporated into the Agreement in its entirety. In the event of a conflict between the Agreement and the Other States Data Exhibit, the Other States Data Exhibit will control to the extent applicable to the State Laws Data.
  7. Customer Data. Customer represents, warrants, and covenants that: (i) it has (and will have) Processed, collected, and disclosed all Customer Data in compliance with applicable law and provided any notice and obtained all consents and rights required by applicable law to enable Company to lawfully Process Customer Data as permitted by the Agreement and/or this DPA; (ii) it has (and will continue to have) full right and authority to make the Customer Data available to Company under the Agreement and this DPA; and (iii) Company’s Processing of the Customer Data in accordance with the Agreement, this DPA, and/or Customer’s instructions does and will not infringe upon or violate any applicable law or any rights of any third party. Customer shall indemnify, defend, and hold Company harmless against any claims, actions, proceedings, expenses, damages, and liabilities (including, without limitation, any governmental investigations, complaints, and actions) and reasonable attorneys’ fees arising out of Customer’s violation of this Section 7. Notwithstanding anything to the contrary in the Agreement, Customer’s indemnification obligations under this Section 7 shall not be subject to any limitations of liability set forth in the Agreement.
  8. Customer Data Retrieval. Retrieval of Customer Data will be subject to Company’s system access procedures and document retention policies (unless prohibited by applicable law); Customer Data will be subject to destruction in accordance with such procedures and policies; and Customer hereby directs Company to destroy such Customer Data in accordance with such procedures and policies.
  9. CCPA. Notwithstanding anything to the contrary in the Agreement (including this DPA), Customer acknowledges that Company shall have a right to use and disclose data relating to the operation, support, and/or use of the Services for its legitimate business purposes, such as product development and sales and marketing. To the extent any such data is considered personal data (as defined in, and regulated by the European Data Protection Laws), then, to the extent Company is subject to the European Data Protection Laws as a controller (as defined in the European Data Protection Laws), Company is the controller (as defined in the European Data Protection Laws) of such data and accordingly shall Process such data in accordance with the European Data Protection Laws. To the extent any such data is considered personal information (as defined in, and regulated by, the California Privacy Laws), then, to the extent Company is subject to the CCPA as a business (as defined in the CCPA), Company is the business (as defined in the CCPA) with respect to such data and accordingly shall Process such data in accordance with the CCPA.
  10. Entire Agreement. This DPA (together with the Agreement) constitutes the entire agreement between the parties and supersedes all prior undertakings and agreements between the parties, whether written or oral, with respect to the subject matter of this DPA. Company reserves the right, in its sole discretion, to change, modify, replace, add to, supplement or delete any terms and conditions of this DPA at any time by posting an updated version of this DPA on this webpage, provided, however, that Company will use reasonable efforts to provide Customer with notification of any material changes (as determined in Company’s sole discretion) by email, postal mail, website posting, pop-up screen, or in-service notice.
  11. Conflict. In this DPA, unless a clear contrary intention appears: (i) where not inconsistent with the context, words used in the present tense include the future tense and vice versa and words in the plural number include the singular number and vice versa; (ii) reference to any person includes such person’s successors and assigns but, if applicable, only if such successors and assigns are not prohibited by the Agreement; (iii) reference to any gender includes each other gender; (iv) reference to any agreement, document or instrument means such agreement, document or instrument as amended or modified and in effect from time to time in accordance with the terms thereof and includes all addenda, exhibits and schedules thereto; (v) the titles and subtitles used in this DPA are used for convenience only and are not to be considered in construing or interpreting this DPA; (vi) “hereunder,” “hereof,” “hereto,” and words of similar import shall be deemed references to this DPA as a whole and not to any particular Section or Subsection of this DPA; (vii) “including” (including grammatically inflected forms thereof) means including without limiting the generality of any description preceding such term; (viii) all references to “days” refer to calendar days; and (ix) the word “or” is not exclusive. This DPA has been executed in English, and the English language version shall control notwithstanding any translations of this DPA.

Exhibit A
Module 2 – Controller to Processor Standard Contractual Clauses

For the purposes of the Controller to Processor Standard Contractual Clauses:

  1. Clause 7. The parties agree that the optional language in Clause 7 is included.
  2. Clause 9(a). The parties agree that under Option 2, Company has Customer’s general authorization to subcontract its processing activities to the list of sub-processors set out in Section (a)(11)(i). Company will inform Customer in writing of any intended changes to the list of sub-processors set out in Section (a)(11)(i) at least 10 days prior to engaging with any other sub-processor.
  3. Clause 11. The parties agree that the optional language in Clause 11 is excluded.
  4. Clause 13. The parties agree that the brackets are removed in the provisions in Clause 13(a), such that the appropriate provision will apply as applicable.
  5. Clause 17. Option 1 shall apply, and the Controller to Processor Standard Contractual Clauses shall be governed by the laws of Ireland.
  6. Clause 18. The parties agree that any dispute arising from the Controller to Processor Standard Contractual Clauses shall be resolved by the courts of Ireland.
  7. Annex I.A.
    1. The name and address of Customer, and the name, position, and contact details of the contact person of Customer (which is the data exporter) are as follows:
      1. Name: Customer
      2. Address: The address specified in Customer’s Services account or, if no address is specified in Customer’s Services account, the address specified in the applicable order.
      3. Contact person’s name, position, and contact details: The billing contact specified in Customer’s Services account or, if there is no billing contact specified in Customer’s Services account, the contact specified in the applicable order.
    2. The name and address of Company, and the name, position, and contact details of the contact person of Company (which is the data importer) are as follows:
      1. Name: 3Play Media
      2. Address: 255 State St, Floor 6, Boston, MA 02109
      3. Contact person’s name, position, and contact details: Asya Calixto, General Counsel Asya@3PlayMedia.com
    3. The activities relevant to the data transferred are the provision and receipt of the Services as described in the Agreement.
    4. The signature and date are the signature and date set forth in the Agreement.
    5. The roles of the parties are as follows: Company is a processor and Customer is a controller.
  8. Annex I.B.
    1. The categories of data subjects are:
      1. Representatives of the data exporter; and
      2. Individuals whose data is contained in Source Materials, as further specified in the Agreement.
    2. The categories of personal data transferred are:
      1. Representatives of the data exporter:
        1. Name, postal address, email address, and, if applicable, confirmation of authentication from Facebook.
      2. Individuals whose data is contained in Source Materials:
        1. Any personal data uploaded to the 3Play Media Portal or otherwise provided to the data importer by the data exporter and its representatives, on behalf of the data exporter and/or its customers and any other third party for whom the data exporter submits materials for use in connection with the Services, including data contained in videos, content, files, data and other materials.
        2. Upon data exporter’s request, in connection with dubbing Services, voice clones generated by the data importer on behalf of the data exporter.
    3. The categories of sensitive data include: any sensitive data included in videos, content, files, data and other materials uploaded to the 3Play Media Portal or otherwise provided by the data exporter and/or its representatives, the extent of which is determined and controlled by the data exporter in its sole discretion, including, but not limited to: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, or data relating to criminal convictions or offenses.
    4. The frequency of the transfer shall be on a continuous basis.
    5. The nature of the processing is such that the personal data will be subject to basic processing, including but not limited to collection, recording, organization, structuring, storage, adaptation or alteration, access, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Services by data importer to the data exporter in accordance with the terms of the Agreement.
    6. The purpose of the data transfer and further processing is provision of the Services by data importer to data exporter.
    7. The duration of the processing under these Controller to Processor Standard Contractual Clauses shall continue as long as data importer carries out personal data processing operations on behalf of data exporter or until the termination of the Agreement (and all personal data has been returned or deleted in accordance with these Controller to Processor Standard Contractual Clauses and Section 8 of the DPA).
    8. For transfers to sub-processors, personal data will be transferred to sub-processors in order for the data importer to provide the Services to the data exporter. The nature of the processing by such sub-processors will be as follows: the personal data will be subject to basic processing, which may include without limitation collection, recording, organization, structuring, storage, adaptation or alteration, access, retrieval, consultation, use, disclosure (including by transmission), analysis, deletion, modification, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction for the purpose of providing the Services to the data exporter in accordance with the terms of the Agreement. The duration of the processing by such sub-processors shall continue as long as such sub-processors carry out personal data processing operations on behalf of the data importer.
  9. Annex I.C. The data exporter’s competent supervisory authority will be determined in accordance with the GDPR.
  10. Annex II.
    1. The data importer employs the following technical and organizational measures:
      Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the data importer has implemented appropriate technical and organizational measures intended to ensure a level of security appropriate to the risk, as follows:
      1. Pseudonymization. Pseudonymization is a technical and organizational measure that can be implemented by 3Play Media as follows:
        1. Encryption of additional information for identification; and
        2. Management and documentation of differentiated authorizations concerning additional information for identification.
      2. Measures for encryption.
        1. Encryption of laptops;
        2. Encryption of files;
        3. Encryption of systems/plants;
        4. Encrypted storage of passwords;
        5. Secured data sharing (e.g., SSL, FTPS, TLS); and
        6. Secured WLAN,
      3. Measures to ensure confidentiality.
        1. Measures that ensure that unauthorized persons do not have access:
          1. Access control system, document reader (magnetic / chip card);
          2. Door protections (electric door opener, number lock, etc.);
          3. Safety doors/windows;
          4. Key management/documentation of key assignment;
          5. Protection of facilities, guards;
          6. Alarm system;
          7. Video surveillance;
          8. Special protective measures for the server room;
          9. Special protective measures for storage of back-ups and/or other data carriers;
          10. Employee and authorization documents; and
          11. Prohibited areas.
        2. Measures that prevent unauthorized persons from using the processing systems:
          1. Personal and individual user log-in for registration in the systems or company network;
          2. Authorization process for access authorizations;
          3. Limitation of authorized users;
          4. Single sign-on;
          5. Two-factor authentication;
          6. Logging of access;
          7. Additional system log-in for certain applications; and
          8. Firewall.
        3. Measures which ensure that only authorized persons have access to the processing systems and that personal data cannot be read, copied, modified, or removed without authorization:
          1. Management and documentation of differentiated authorizations;
          2. Profiles/roles; and
          3. Segregation of functions “segregation of duties.”
        4. Measures that ensure that data collected for different purposes can be processed separately:
          1. Access authorizations by functional responsibility;
          2. Separate data processing by differentiating access rules; and
          3. Separation of development and production environments.
      4. Measures to ensure integrity.
        1. Access rights;
        2. System-side logging;
        3. Security/logging software; and
        4. Functional responsibilities, organizationally specified responsibilities.
      5. Measures to ensure and restore availability.
        1. Security concept for software and IT applications;
        2. Back-up procedures;
        3. Ensuring data storage in secured network;
        4. Need-based installation of security updates;
        5. Set-up of an uninterrupted power supply;
        6. Fire extinguisher protection for the server room;
        7. Fire extinguisher protection for the archiving facilities;
        8. Air-conditioned server room;
        9. Virus protection;
        10. Firewall;
        11. Emergency plan;
        12. Successful emergency exercises; and
        13. Redundant, locally separated data storage (off-site storage).
      6. Measures to ensure resilience.
        1. Emergency plan in case of machine breakdown/business recovery plan;
        2. Redundant power supply;
        3. Sufficient capacity of IT systems and plants;
        4. Redundant systems/plants; and
        5. Resilience and error management.
      7. Procedure for regular review, assessment, and evaluation of the effectiveness of the technical and organizational measures.
        1. Procedures for regular controls/audits;
        2. Concept for regular review, assessment, and evaluation;
        3. Reporting system;
        4. Penetration tests; and
        5. Emergency tests.
      8. “Control of instructions/assignment control.”
        1. Process of issuing and/or following instructions;
        2. Control/examination that the assignment is executed in accordance with instructions;
        3. Commitment of employees to maintain confidentiality;
        4. Data protection manager/coordinator;
        5. Keeping records of processing activities as required by art. 30, para. 2 GDPR;
        6. Documentation and escalation process for personal data breaches;
        7. Guidelines/instructions that guarantee technical-organizational measures for the security of the processing; and
        8. Process for forwarding requests of data subjects.
    2. In addition, pursuant to Clause 10(b), taking into account the nature of the processing, data importer will use commercially reasonable efforts to assist data exporter, at data exporter’s expense, by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of data exporter’s obligation to respond to requests for exercising the data subjects’ rights with respect to their personal data under the GDPR.
  11. Annex III.
    1. Customer hereby authorizes the use of the sub-processors listed at the following link: https://www.3PlayMedia.com/account-terms/DPA/Subprocessors/
    2. Data exporter may register to receive email notifications regarding sub-processor modifications here: https://Go.3PlayMedia.com/Subprocessor-Change-Notification. Provided that data exporter is registered to receive such notifications, data importer shall inform data exporter via email of any intended changes concerning the addition or replacement of sub-processors at least ten (10) days before the new subprocessor processes personal data.

Exhibit B
Module 3 – Processor to Processor Standard Contractual Clauses

For the purposes of the Processor to Processor Standard Contractual Clauses:

  1. Clause 7. The parties agree that the optional language in Clause 7 is included.
  2. Clause 9(a). The parties agree that under Option 2, Company has Customer’s general authorization to subcontract its processing activities to the list of sub-processors set out in Section (a)(11)(i). Company will inform Customer in writing of any intended changes to the list of sub-processors set out in Section (a)(11)(i) at least 10 days prior to engaging with any other sub-processor.
  3. Clause 11. The parties agree that the optional language in Clause 11 is excluded.
  4. Clause 13. The parties agree that the brackets are removed in the provisions in Clause 13(a), such that the appropriate provision will apply as applicable.
  5. Clause 17. Option 1 shall apply, and the Processor to Processor Standard Contractual Clauses shall be governed by the laws of Ireland.
  6. Clause 18. The parties agree that any dispute arising from the Processor to Processor Standard Contractual Clauses shall be resolved by the courts of Ireland.
  7. Annex I.A.
    1. The name and address of Customer, and the name, position, and contact details of the contact person of Customer (which is the data exporter) are as follows:
      1. Name: Customer
      2. Address: The address specified in Customer’s Services account or, if no address is specified in Customer’s Services account, the address specified in the applicable order.
      3. Contact person’s name, position, and contact details: The billing contact specified in Customer’s Services account or, if there is no billing contact specified in Customer’s Services account, the contact specified in the applicable order.
    2. The name and address of Company, and the name, position, and contact details of the contact person of Company (which is the data importer) are as follows:
      1. Name: 3Play Media
      2. Address: 255 State St, Floor 6, Boston, MA 02109
      3. Contact person’s name, position, and contact details: Asya Calixto, General Counsel, Asya@3PlayMedia.com
    3. The activities relevant to the data transferred are the provision and receipt of the Services as described in the Agreement.
    4. The signature and date are the signature and date set forth in the Agreement.
    5. The roles of the parties are as follows: Company is a processor and Customer is a controller.
  8. Annex I.B.
    1. The categories of data subjects are:
      1. Representatives of the data exporter; and
      2. Individuals whose data is contained in Source Materials as further specified in the Agreement.
    2. The categories of personal data transferred are:
      1. Representatives of the data exporter:
        1. Name, postal address, email address, and, if applicable, confirmation of authentication from Facebook.
      2. Individuals whose data is contained in Source Materials:
        1. Any personal data uploaded to the 3Play Media Portal or otherwise provided to the data importer by the data exporter and its representatives, on behalf of the data exporter and/or its customers and any other third party for whom the data exporter submits materials for use in connection with the Services, including data contained in videos, content, files, data and other materials; and
        2. Upon data exporter’s request, in connection with dubbing Services, voice clones generated by the data importer on behalf of the data exporter.
    3. The categories of sensitive data include: any sensitive data included in videos, content, files, data and other materials uploaded to the 3Play Media Portal or otherwise provided by the data exporter and/or its representatives, the extent of which is determined and controlled by the data exporter in its sole discretion, including, but not limited to: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, or data relating to criminal convictions or offenses.
    4. The frequency of the transfer shall be on a continuous basis.
    5. The nature of the processing is such that the personal data will be subject to basic processing, including but not limited to collection, recording, organization, structuring, storage, adaptation or alteration, access, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Services by data importer to the data exporter in accordance with the terms of the Agreement.
    6. The purpose of the data transfer and further processing is provision of the Services by data importer to data exporter.
    7. The duration of the processing under these Processor to Processor Standard Contractual Clauses shall continue as long as data importer carries out personal data processing operations on behalf of data exporter or until the termination of the Agreement (and all personal data has been returned or deleted in accordance with these Processor to Processor Standard Contractual Clauses and Section 8 of the DPA).
    8. For transfers to sub-processors, personal data will be transferred to sub-processors in order for the data importer to provide the Services to the data exporter. The nature of the processing by such sub-processors will be as follows: the personal data will be subject to basic processing, which may include without limitation collection, recording, organization, structuring, storage, adaptation or alteration, access, retrieval, consultation, use, disclosure (including by transmission), analysis, deletion, modification, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction for the purpose of providing the Services to the data exporter in accordance with the terms of the Agreement. The duration of the processing by such sub-processors shall continue as long as such sub-processors carry out personal data processing operations on behalf of the data importer.
  9. Annex I.C. The data exporter’s competent supervisory authority will be determined in accordance with the GDPR.
  10. Annex II. Section 10 of Exhibit A is incorporated herein by reference.
  11. Annex III. Section 11 of Exhibit A is incorporated herein by reference.

Exhibit C
UK DTA

For the purposes of the UK DTA:

  1. For the purposes of Table 1 of the UK DTA, the start date shall be the later of the DPA Effective Date or the date the Agreement is entered into by the parties, and the names of the parties, their roles, and their details shall be as set out in Exhibit A Section 7 and Exhibit B Section 7, respectively;
  2. For the purposes of Tables 2 and 3 of the UK DTA, the Controller to Processor Standard Contractual Clauses and the Processor to Processor Standard Contractual Clauses, including the information set out in Exhibit A Sections 8, 10, and 11 and Exhibit B Sections 8, 10, and 11, respectively, shall apply; and
  3. For the purposes of Table 4 of the UK DTA, either party may end the UK DTA.

Exhibit D
California Data Exhibit

  1. This California Data Exhibit (this “Exhibit”) forms part of the DPA. Capitalized terms used and not otherwise defined herein shall have the meanings ascribed to them in the DPA or the Agreement (as applicable). The types of California Personal Data subject to processing hereunder are: as set out in Exhibit A Section 8(a) and Exhibit B Section 8(a), as applicable.
  2. CCPA Provisions.
    1. In this Exhibit, the following terms have the meanings given in the CCPA: “business purpose,”, “personal information,” “processing,” “service provider,” “contractor,” “person,” “share,” “sharing,” “shared,” “sell,” “selling,” “sale,” and “sold.”
    2. Except as otherwise required by applicable law or as otherwise permitted by the CCPA, Company shall:
      1. Not sell or share California Personal Data;
      2. Not retain, use, or disclose California Personal Data for any purpose other than for the business purposes of provision of the Services as specified in the Agreement for the Customer, nor retain, use, or disclose California Personal Data for a commercial purpose other than the business purposes specified in the Agreement, or as otherwise permitted by the CCPA;
      3. Not retain, use, or disclose California Personal Data outside of the direct business relationship between the parties;
      4. Not combine California Personal Data, which Company receives pursuant to the Agreement or from or on behalf of Customer, with personal information which it receives from or on behalf of another person or persons, or collects from its own interaction with the individual to whom such California Personal Data relates, except as otherwise expressly permitted by the CCPA;
      5. Reasonably cooperate with Customer in responding to any requests from any individual regarding California Personal Data relating to such individual, including reasonably assisting Customer in deletion, correction, or limitation of the use of such California Personal Data where required under the CCPA, and including instructing Company’s service providers and/or contractors (if any) to so reasonably cooperate in such response;
      6. Reasonably assist Customer through appropriate technical and organizational measures in Customer’s complying with the requirements of subdivisions (d) to (f), inclusive, of Section 1798.100 of the CCPA, taking into account the nature of the California Personal Data processing by Company;
      7. Implement and maintain commercially reasonable security procedures and practices appropriate to the nature of the California Personal Data intended to protect such California Personal Data from unauthorized access, destruction, use, modification, or disclosure;
      8. Comply with all applicable obligations under the CCPA and provide the same level of privacy protection with respect to California Personal Data as required by the CCPA; and
      9. Notify Customer if Company determines it can no longer meet its obligations under the CCPA.

To the extent Company is a contractor, Company certifies that Company understands the restrictions provided in Sections 2(b)(i), 2(b)(ii), 2(b)(iii), and 2(b)(iv) and will comply with them.

  1. Company acknowledges and agrees that the California Personal Data has been disclosed to it for the limited and specified purposes set forth in the Agreement and Company further acknowledges and agrees Customer shall have the right: (i) to take reasonable and appropriate steps to ensure that Company uses California Personal Data in a manner consistent with Customer’s obligations under the CCPA; and (ii) upon notice from Customer to Company, to take reasonable and appropriate steps to stop and remediate unauthorized use of California Personal Data.
  2. To the extent required by the CCPA and to the extent Company is a contractor, Company shall permit, subject to agreement of the parties, Customer to monitor Company’s compliance with this Exhibit through measures, including, but not limited to, ongoing manual reviews and automated scans, and regular assessments, audits, or other technical and operational testing once every twelve (12) months (each, an “Audit”), upon reasonable prior notice from Customer, provided that no third-party auditor (each an “Auditor”) shall be a competitor of Company, nor shall any Auditor be compensated on a contingency basis, and provided further that in no event shall Customer or any Auditor have access to the information of any other client of Company and the disclosures made pursuant to this Section 2(d) (“Audit Information”) shall be held in confidence as Company’s confidential information and subject to any confidentiality obligations in the Agreement, and provided further that no Audit shall be undertaken unless or until Customer has requested, and Company has provided, information about Company’s data protection practices and Customer reasonably determines that an Audit remains necessary to demonstrate material compliance with the obligations laid down in this Exhibit. Without limiting the generality of any provision in the Agreement, Customer shall employ the same degree of care to safeguard Audit Information that it uses to protect its own confidential and proprietary information and in any event, not less than a reasonable degree of care under the circumstances, and Customer shall be liable for any improper disclosure or use of Audit Information by Customer or its agents.
  3. If Company engages any other person to assist Company in processing California Personal Data for a business purpose on behalf of Customer, Company shall notify Customer of such engagement, and the engagement shall be pursuant to a written contract binding the other person to observe substantially similar requirements to those set forth in this Exhibit. Company hereby notifies Customer that Company may engage the persons listed in Section 11 of Exhibit A to this DPA to assist Company in processing California Personal Data for a business purpose on behalf of Customer.

Exhibit E
Other States Data Exhibit

  1. State Data Protection Laws. This Other States Data Exhibit forms part of the DPA. Capitalized terms used and not otherwise defined herein shall have the meanings ascribed to them in the DPA or the Agreement (as applicable).
    1. Instructions. Customer hereby instructs Company to Process State Laws Data to the extent necessary to provide the Services.
    2. Nature of the Processing; Purpose of the Processing. The nature of the Processing of State Laws Data is such that the State Laws Data will be subject to basic processing, including but not limited to collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, analysis, deletion, modification, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, including the actions of a person directing a third party to Process data on behalf of such person for the purpose of providing the Services by Company to Customer in accordance with the terms of the Agreement. The purpose of the Processing of State Laws Data hereunder is the provision of the Services by Company to Customer.
    3. Types of State Laws Data. The types of State Laws Data subject to Processing hereunder are: as set out in Section 8(a) of Exhibit A to this DPA and Section 8(a) of Exhibit B to this DPA, as applicable.
    4. Duration of Processing. The duration of the State Laws Data Processing shall continue as long as Company carries out State Laws Data Processing operations on behalf of Customer or until the termination of the Agreement (and all State Laws Data has been returned or deleted in accordance with this Other States Data Exhibit and Section 8 of the DPA).
    5. Rights, Duties, and Obligations. Except as otherwise required or permitted by applicable law, Company shall:
      1. Ensure that each person Processing State Laws Data on behalf of Company is subject to a duty of confidentiality with respect to such State Laws Data;
      2. At Customer’s choice and direction, delete or return all State Laws Data to Customer as requested at the end of the provision of the Services, unless retention of such State Laws Data is required by applicable law;
      3. Make available to Customer all information necessary to demonstrate Company’s compliance with the obligations in the State Data Protection Laws with respect to State Laws Data;
      4. Taking into account the context of Processing, Company shall implement appropriate technical and organizational measures designed to ensure a level of security with respect to the State Laws Data appropriate to the risk in accordance with the Agreement and this DPA;
      5. Allow for, contribute to, and cooperate with reasonable audits, inspections, and/or assessments (each a “State Audit”) by Customer or Customer’s designated third-party representative (each, a “State Auditor”), provided that, to the extent permitted by State Data Protection Laws, as an alternative, Customer hereby consents that Company may arrange for a qualified and independent auditor or assessor to conduct (at least annually and at Customer’s expense (except to the extent State Data Protection Laws require such expense to be borne by Company)) a State Audit of Company’s policies and technical and organizational measures in support of the obligations under the State Data Protection Laws using an appropriate and accepted control standard or framework and State Audit procedure for the State Audits as applicable and Company shall provide a report of such State Audit (and the results thereof) to Customer upon request. No third-party State Auditor appointed by Customer shall be a competitor of Company, nor shall any such State Auditor be compensated on a contingency basis. In no event shall Customer or any State Auditor have access to the information of any other customer of Company and the disclosures made pursuant to this Section 1(e)(v) (“State Audit Information”) shall be held in confidence as Company’s Confidential Information and subject to the confidentiality obligations in the Agreement, and provided further that no State Audit under this Section 1(e)(v) shall be undertaken unless or until Customer has requested, and Company has provided, information about Company’s data protection practices and Customer reasonably determines that such a State Audit remains necessary to demonstrate material compliance with the obligations laid down in the State Data Protection Laws. Without limiting the generality of any provision in the Agreement, Customer shall employ the same degree of care to safeguard State Audit Information that it uses to protect its own confidential and proprietary information and in any event, not less than a reasonable degree of care under the circumstances, and Customer shall be liable for any improper disclosure or use of State Audit Information by Customer or its agents; 
      6. Engage a subcontractor to Process State Laws Data on behalf of Company only after providing Customer with an opportunity to object, and Company shall bind each such subcontractor to a written contract in accordance with State Data Protection Laws that requires such subcontractor to comply with obligations of processors (as defined in the State Data Protection Laws) under the State Data Protection Laws and to meet equivalent obligations with respect to such State Laws Data as are set forth in this Other States Data Exhibit. Customer hereby consents to Company’s engagement of the subcontractors listed in Section 11 of Exhibit A to this DPA to Process State Laws Data; and
      7. Stop Processing State Laws Data on Customer’s request made in accordance with an individual’s authenticated request.