Terms of Service

September 2024


Appendices:

  1. Appendix A: Privacy Notice
  2. Appendix B: Data Processing Agreement
  3. Appendix C: Data Processing Agreement Schedule 1


1. PROVISION OF SERVICES 

1.1 Terms governing our services 

The basis on which the Vendor shall provide You with services is set out in the following documents as updated from time to time:-

  • Your Order Form
  • These terms
  • Appendices A to E of these terms (Privacy Notice and Data Processing) which are available on the Vendor’s website.

At all times the most up to date terms and appendices will be available on the Vendor’s website (binderr.com/terms-of-service) and You agree that You will be bound by the terms which are available on the Vendor’s website.

In the event of a conflict between these terms (including appendices) and Your Order Form as updated from time to time, these terms shall prevail.

1.2 Effective date 

These terms are effective as of the date You first click “I agree” (or similar button or checkbox) or use or access our services.  These terms do not have to be signed in order to be binding.  You indicate Your agreement to these terms by clicking “I agree” (or similar button or checkbox) at the time You complete Your Order Form.

2. FINANCIAL 

2.1 Fees 

You will compensate the Vendor for the services provided at rates detailed in the Order Form.

Fees are variable and the Vendor will inform You of any changes from the initial fees documented on Your Order Form.

2.2 Subscription term and renewals 

The Vendor provides services on a subscription basis for a term or duration which is recorded on the Order Form. 

Except as otherwise specified in the Order Form, unless either party cancels in accordance with these terms prior to expiration of the subscription term, Your term will automatically renew for another period equal to Your initial recorded term.  As noted above, fees may increase and You will be informed of the new fees applicable.

2.3 Invoices

Invoices for our services are payable in the currency indicated in the Order Form within 30 days of the invoice date.  We reserve the right to charge interest at the highest amount permitted by law (currently 8%) on amounts which have been outstanding for more than 30 days.

We can stop providing services to You where an invoice is not paid within 30 days of the invoice date, without prejudice to our right to recover due amounts, however we will seek to discuss this with You before stopping provision of our services.

Payment must only be made to the bank account printed on our invoice.  Any communication received by You and seeking to redirect such a payment is likely to be fraudulent.  Please contact us immediately if You receive any such communication, and only using the telephone number on which You usually contact us (not on any telephone number contained in the suspect communication).

3. CONFIDENTIALITY

3.1 Your data 

Your signed Order Form and these terms constitute Your instruction to the Vendor to process Your customer data with regards to the services we are providing You.  Data processing shall be regulated in accordance with the terms of the Data Processing Agreement which is in the Appendix.

In addition to You requesting that the Vendor processes Your customer data, You acknowledge and agree that we will also collect certain data and information about You and Your End Users in connection with You and Your End Users’ use of our services and otherwise in connection with these terms.

Your data is also used to continually develop and improve our services.  We use analytics techniques to better understand how our services are being used.

You retain all right, title and interest in and to Your data in the form submitted to our services.  Subject to these terms, and solely to the extent necessary to provide the services to You, You grant us a worldwide, limited term license to access, use, process, copy, distribute, perform, export, and display Your data.  Solely to the extent that reformatting Your data for display in our services constitutes a modification or derivative work, the foregoing license also includes the right to make modifications and derivative works.  We may also access Your accounts, End User accounts, and Your services with End User permission in order to respond to Your support requests.

3.2 Your data obligations 

You and Your use of the Vendor’s services (including use by Your End Users) must comply at all times with these terms and all Laws.  You represent and warrant that: 

          1. You have obtained all necessary rights, releases and permissions to submit all Your data to the Vendor and to grant the rights granted to us in these terms and 
          2. Your data and its submission and use as You authorise in these terms will not violate (1) any Laws, (2) any third-party intellectual property, privacy, publicity or other rights, or (3) any of Your or third-party policies or terms governing Your data.

Other than our express obligations under Section 3 (our security and data privacy policies), we assume no responsibility or liability for Your data, and You are solely responsible for Your data and the consequences of submitting and using it with the Vendor’s services.

You will defend, indemnify and hold harmless us (and our affiliates, officers, directors, agents and employees) from and against any and all claims, costs, damages, losses, liabilities and expenses (including reasonable legal fees and costs) resulting from any claim arising from or related to

  1. Your breach of the agreed terms regarding End User consent or any claims or disputes brought by Your End Users arising out of their use of our services; and 
  2. Your breach (or alleged breach) of Your data obligations.

3.3 Your personal information 

We are committed to protecting and respecting Your privacy and we will only use Your information in accordance with:- 

          1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, (General Data Protection Regulation);
          2. Chapter 586 of the Laws of Malta (‘Data Protection Act’);
          3. UK law version of the General Data Protection Regulation ((EU) 2016/679), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003; and
          4. all other applicable laws, enactments, regulations, orders, standards and other similar instruments relating to data protection and privacy as may apply in the EU from time to time, each as may be amended or superseded.

Our Privacy Notice explains the basis on which any personal data we collect from You, or that You provide to us, will be processed by us.  Please read it carefully to understand our view and practices regarding Your personal data and how we will treat it.  You can find a copy in the Appendix.  You will be notified of any significant updates to our Privacy Notice.

3.4 Confidentiality

Confidentiality of Your services will be maintained except: 

          1. where we are compelled by law or regulation to disclose information;
          2. where we are subject to a duty to the public to disclose;
          3. where our interests require disclosure and it is reasonable for us to do so;
          4. where we use third party IT providers to deliver our services.  In each such case we will ensure an appropriate confidentiality agreement is in place and / or where reasonably practicable any such data will be anonymised;
          5. where disclosure is made with Your consent, or at Your request.  This includes people who provide a service to You or are acting as Your agents such as third-party providers, on the understanding that they will keep the information confidential; and / or
          6. within the Vendor Group.

In all such cases we shall reveal only such information as is considered necessary by us in the circumstances and You consent to the disclosure.

3.5 Data loss 

Where You may ask us to use particular communication apps or social media, hosting, data processing and document storage / sharing technology of Your, rather than our, choice, You will be liable for any consequences of such use, including fines, financial loss, data loss or breach of any confidentiality undertakings You may have given another party.

3.6 Security and certifications 

We implement and maintain physical, technical and administrative security measures designed to protect Your data from unauthorised access, destruction, use, modification, or disclosure.  These measures include, but are not limited to, encryption of data at rest and in transit, regular security audits, access controls, and employee training on data protection.  We also maintain a compliance program that includes independent third-party audits and certifications.

4. OUR SERVICES – ADMINISTRATION

4.1 Administrators 

You may be able to specify certain End Users as Administrators, who will have important rights and controls over Your use of our services and Your End User Accounts.  This may include taking actions which may incur additional fees for You; creating, de-provisioning, monitoring or modifying End User Accounts, and setting End User usage permissions; and managing access to Your data by End Users or others.  You are responsible for whom You allow to become Administrators and any actions they take, including as described above.  You agree that our responsibilities do not extend to the internal management or administration of Your access to our services.

4.2 End User consent 

You are responsible for providing all required disclosures to and will obtain and maintain all required consents from End Users to allow:-

  1. Administrators to have the access described in these terms; and
  2. the Vendor’s provision of its services to Your chosen Administrators and End Users.  You will provide evidence of such consents upon our reasonable request.

4.3 End User responsibility 

Our services have various user onboarding flows.  Some require users to be designated by Administrators; some allow users to sign up for individual accounts which can become associated with teams or organizations at a later time; and some may allow users to invite other users.  You are responsible for understanding the settings and controls for each service You use and for controlling whom You allow to become an End User.

If payment is required for End Users to use or access our services, then we are only required to provide the services to those End Users for whom You have paid the applicable fees, and only such End Users are permitted to access and use our services.

Some services may allow You to designate different types of End Users (for example End Users with different levels of access / authorization), in which case pricing and functionality may vary according to the type of End User.  You are responsible for compliance with these terms by all End Users, including for any payment obligations.

Please note that You are responsible for the activities of all Your End Users, including all additional fees and how End Users use Your data, even if those End Users are not from Your organization or domain.

4.4 End User security 

You must require that all End Users keep their user IDs and passwords for access to our services strictly confidential and do not share such information with any unauthorised person.  User IDs are granted to individual, named persons and may not be shared.  You are responsible for any and all actions taken using End User accounts and passwords, and You agree to immediately notify us of any unauthorised use of which You become aware. 

5. OUR SERVICES - GENERAL 

5.1 Access 

Subject to these terms and during the applicable term specified in Your Order Form as updated from time to time, You may access and use our services for Your own business purposes in accordance with these terms, the applicable Order Form and, where applicable, additional Vendor documentation.

5.2 Support 

During the service term specified in Your Order Form, we will provide support for our services.

5.3 Restrictions

Except as otherwise expressly permitted in these terms, You will not: 

          1. reproduce, modify, adapt or create derivative works of our services;
          2. rent, lease, distribute, sell, sublicense, transfer or provide access to our services to a third party or anyone not specified in the Order Form;
          3. use our services for the benefit of any third party;
          4. incorporate any of our services into a product or service You provide to a third party;
          5. interfere with or otherwise circumvent mechanisms in our services intended to limit Your use;
          6. reverse engineer, disassemble, decompile, translate or otherwise seek to obtain or derive the source code, underlying ideas, algorithms, file formats or non-public APIs to any of our services, except to the extent expressly permitted by applicable law (and then only upon advance notice to us);
          7. remove or obscure any proprietary or other notices contained in any of our services;
          8. use our services for competitive analysis or to build competitive products; or
          9. encourage or assist any third party to do any of the foregoing.

5.4 Warranty Disclaimer

You agree and accept that the Services, software and tools are being provided “as is” and that the Vendor provides no warranties as to the function or use of these, whether express, implied or statutory, including without limitation, any implied warranties of merchantability or fitness for particular purpose.  The Vendor does not warrant that the functions of its Services and tools will meet Your requirements or that the Services will be error free or uninterrupted.

5.5 Reliance

The Vendor makes no warranties for services or information accessed by You through use of our Services.  Binderr provides a tool for You to access information provided by third parties which may assist you in fulfilling Your compliance obligations; however, the Vendor is not responsible for the reliability of any information provided by third parties and You are solely responsible for the conclusions you reach through the use of our Services.  Information you access through the Vendor services is not updated in real time and as such accuracy of such information may be affected.  This is outside the control and responsibility of the Vendor.

6. ADDITIONAL SERVICES 

Subject to these terms, You may purchase additional services that we will provide to You pursuant to the applicable Order.  Additional Services may be subject to additional policies and terms (including fees) as specified by us. 

7. RAISING QUERIES OR CONCERNS WITH US 

Please discuss any concerns about any aspect of our services with Your Relationship Manager.  We shall try to resolve any problem quickly through our internal complaints procedure, a copy of which is available on request.

8. ELECTRONIC COMMUNICATION 

Unless You instruct us otherwise, You hereby expressly consent to our communicating with You by email.

8.1 General risks 

There are inherent risks associated with communication by internet-based systems (eg email, SMS and mobile telephone applications amongst others).

We deploy various means to prevent such cyber threats and regularly keep them under review; however, we assume no responsibility or liability whatsoever in relation to any damages or costs incurred by You due to such occurrences.  Please make sure that You also have a proper means of checking for viruses and other malware in any emails and attachments, especially those received by You from third parties.  We will be entitled to regard any email with which You provide us to communicate with You as secure and to assume that You have consented to the risks associated with the use of that email.

8.2 Our emails to You 

We cannot accept responsibility for the accuracy or completeness of the content of emails or any attachments once they have left our server (including any corruption or alteration which may have occurred after sending).

Most businesses have experienced a situation where a client or third-party email account has been hacked, the details of the matter obtained and a scam email, adopting apparently legitimate signatures and the logo of the business is sent to the client or third party seeking to redirect a payment to a new account.

Payment must only be made to the bank account printed on our invoice.  Any communication received by You and seeking to redirect such a payment is likely to be fraudulent.  Please contact us immediately if You receive any such communication, and only using the telephone number on which You usually contact us (not on any telephone number contained in the suspect communication).

8.3 Unintended consequences 

We may use software intended to filter out unsolicited and / or undesirable emails and this may inadvertently reject legitimate emails from You.  We cannot accept liability for the consequences where emails do not reach their intended recipient because of such software. 

9. LIABILITY

You agree to bring any claim (including one in negligence) in connection with the services provided by the Vendor only against the company and not against any individuals or other Vendor Group entities.  In the event that You do pursue any officer or employee of the Vendor or of any Vendor Group entity, they will be entitled to rely on these terms.  You agree that any dispute, controversy or claim arising out of or relating to this contract, or the breach, termination or invalidity thereof, shall be settled by arbitration, in accordance with Part IV (Domestic Arbitration) or Part V (International Arbitration) of the Malta Arbitration Act and the Arbitration Rules of the Malta Arbitration Centre as in force at the time of the claim.  In other jurisdictions this will be under similar jurisdictional laws as applicable.

Our liability to You in relation to our services is subject to a limit of three (3) months’ fees applicable pursuant to your Order Form.  That limit applies to any liabilities, losses, damages or costs.

Unless otherwise agreed in writing, we shall only ever be liable to You in relation to our services and not to any third party and no such third party will be entitled to enforce the terms of this agreement.  We assume no liability for any act or omission attributable to another party.

We shall not be liable to You if we are unable to perform our services due to a cause beyond our reasonable control.  In the event of any such occurrence affecting us we shall notify You as soon as reasonably practicable.

10. VARIATION AND TERMINATION 

No amendment, variation, rescission or termination of this agreement will require the consent of any person who is not a party to it.

You agree to enter into this Agreement for the Minimum Service Term which is always 12 months, and hence to pay the applicable minimum fees for that period, irrespective of whether you want to terminate early.  Without prejudice and subject to the payment of the minimum fees, both You and the Vendor may terminate the provision of services at any time by sending a written communication giving 30 days’ notice of the termination.

In some circumstances we may cease to provide You with services, for example if You are in breach of our terms, there is a breakdown in our relationship, if to continue acting for You would cause us an issue in relation to any other services we may provide or have provided for You or if You do not pay any invoice in accordance with these terms.

If for whatever reason our relationship is terminated, You will pay our fees incurred up to the date of service termination.  

If You fail to pay our fees we will be entitled to charge interest on such costs at the rate applicable to judgment debts.  Further, where we are obliged to obtain a Court order to compel payment of our fees together with interest thereon, we will also be entitled to recover the costs of obtaining any such order and the costs of its enforcement.

In the event of termination of our agreement for whatever reason, the terms of our agreement will remain in force as regards payments, confidentiality, data protection, liability and files / documents.

11. GENERAL 

11.1 Applicable law and jurisdiction 

These terms (including this paragraph) and our Order Form and any dispute or claim concerning them shall be governed by Maltese law excluding conflict of laws principles.  By Your agreement to these terms by clicking “I agree” (or similar button or checkbox) at the time You complete Your Order Form both we and You submit to the non-exclusive jurisdiction of the Maltese Courts.

11.2 Elective arbitration 

Notwithstanding the provisions of this clause 11, we may, at our sole option, elect in writing to have any dispute determined by arbitration.  Any arbitration commenced in accordance with this clause will be subject to Part IV (Domestic Arbitration) of the Malta Arbitration Act, 1996 and the Arbitration Rules of the Malta Arbitration Centre as at present in force.  The number of arbitrators shall be one.

11.3 Entire agreement 

These terms and our Order Form constitute the entire agreement between the parties in relation to the services we provide.  It replaces any earlier terms, representations or discussions.

11.4 Vendor Group 

The following companies are wholly owned subsidiaries of Binderr Limited – Binderr Operations Limited and Binderr Mena Software Trading LLC.

12. INTERPRETATION 

If any provision of the agreement between us is held to be void, then that provision will be deemed not to form part of our agreement and the remaining provisions will continue in force.

In these terms, the following words and expressions have the meanings given to them below:-

Administrator – the personnel of the specific entity specified in the Order Form designated by You who administer the Vendor’s services access to End Users on Your behalf

End User – an individual employed by the specific entity specified in the Order Form who You permit or invite to use the Vendor’s services.  You will control End User access by Your appointed Administrator(s)

Minimum Service Term – the initial period of 12 months for which you are agreeing to pay for the Vendor’s services

Order Form – the Vendor form as updated from time to time signed by You recording the services You wish the Vendor to supply to You

Vendor, we, us or our – the relevant Binderr entity as applicable by reference to the Order Form:- 

  • Binderr Limited - a company, incorporated in Malta (number C-96125), whose registered office is at C1, Midland Micro Enterprise Park, Triq Burmarrad, Naxxar, NXR 6345, Malta 
  • Binderr Operations Limited – a company incorporated in Malta (number C-107515), whose registered office is at C1, Midland Micro Enterprise Park, Triq Burmarrad, Naxxar, NXR 6345, Malta
  • Binderr Mena Trading Software LLC – a company incorporated in UAE (number 2351664), whose registered office is at The H Dubai Office Tower Level 17. Sheikh Zayed Road Dubai, United Arab Emirates.

Vendor Group – Binderr Limited and any of its affiliated entities or subsidiary undertakings from time to time

You, Your – the party or parties to these terms and the Order Form (excluding us)

Terms of Service – Appendix A
Privacy Notice

September 2024

1  The type of personal information we collect

We currently collect and process the following information:-

          1. Name, address and date of birth
          2. Passport and other identification documentation
          3. Contact numbers and email addresses
          4. Financial account details and asset ownership
          5. Education and employment details
          6. Family details including the names and ages of children
          7. Communications eg letters, emails and app exchanges
          8. Open data and public records

2  How we get the personal information and why we have it

Most of the personal information we process is provided to us by You in response to You asking us to provide You with services as per these terms.

We also receive personal information indirectly, from companies and individuals that You introduce us to, or where You have made a request that they use the Vendor’s services.

We use the information that you have given us in order to provide our services to You.  This includes, although is not limited to, assisting you to fulfil Your own policy requirements when onboarding clients.

3  Who we may share this information with

          1. All locations of the Vendor Group companies where appropriate
          2. Authorities ie official bodies that include; central and local government, tax authorities, regulators (including HM Revenue and Customs)
          3. Outside companies we work with to provide services to you (including those that store data required for AML / KYC identity verification purposes)
          4. Outside companies we work with to run our business - agents, suppliers, sub-contractors, advisers, credit reference agencies, fraud prevention agencies etc 

4  The lawful bases we rely on for processing this information

          1. Your consent.  You are able to remove Your consent at any time.  You can do this by contacting Your Relationship Manager.
          2. We have a contractual obligation.
          3. We have a legal obligation. 
          4. We need it to perform a public task.
          5. We have a legitimate interest.

Where applicable, if we transfer your personal data to a third country, we will only do so in line with our obligations under Chapter V of the General Data Protection Regulation (GDPR) or Chapter V of the retained EU law version of the GDPR (UK GDPR).  Where the transfer is to a recipient in a country which does not have an adequacy decision under Article 45 of the UK GDPR or Article 45 of the GDPR (as appropriate), we will rely on standard contractual clauses (with supplementary measures where appropriate) under Article 46(2)(c) of the UK GDPR or Article 46(2)(c) of the GDPR (as appropriate), or an appropriate derogation under Article 49 of the UK GDPR or Article 49 of the GDPR (as appropriate). 

5  How we store your personal information 

Your information is securely stored.  We will keep Your personal information for as long as you are a client of the Vendor.  After you stop being a client, we may keep Your data for a period afterwards: 

          1. to maintain records to comply with our legal and regulatory obligations 
          2. to respond to any questions or complaints.

We regularly review our retention periods to ensure that we do not keep your personal information for longer than necessary.

6  Your data protection rights 

Under data protection law, you have rights including: 

          1. Your right of access - You have the right to ask us for copies of Your personal information.  
          2. Your right to rectification - You have the right to ask us to rectify personal information You think is inaccurate.  You also have the right to ask us to complete information You think is incomplete.  
          3. Your right to erasure - You have the right to ask us to erase Your personal information in certain circumstances. 
          4. Your right to restriction of processing - You have the right to ask us to restrict the processing of Your personal information in certain circumstances.
          5. Your right to object to processing - You have the right to object to the processing of Your personal information in certain circumstances. 
          6. Your right to data portability - You have the right to ask that we transfer the personal information You gave us to another organisation, or to You, in certain circumstances. 

Please be aware that there are exemptions and restrictions that may apply to some or all of these rights.

You are not required to pay any charge for exercising your rights.  If you make a request, we have one month to respond to You. 

Please contact Your Relationship Manager if you wish to make a request.

7  How to complain 

If you have any concerns about our use of your personal information, you can make a complaint to us by email at privacy@binderr.com

You can also raise any concerns with the Office of the Information and Data Protection Commissioner through https://idpc.org.mt/contact/

Terms of Service – Appendix B
Data Processing Agreement

September 2024

INTRODUCTION 

Your signed Order Form and the Terms of Service constitute Your instruction to the Vendor to process Your customer data with regards to the services we are providing You.  Agreement shall be regulated in accordance with the terms of this Data Processing Agreement (“DPA”).

You and the Vendor agree that this DPA sets forth their obligations with respect to the Processing of Personal Data.

1. DEFINITIONS 

Controller - the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data; where the purposes and means of such Processing are determined by Law, the Controller or the specific criteria for its nomination may be provided for by such Law.

Data Importer and Data Exporter have the meanings set forth in the Standard Contractual Clauses, in each case irrespective of whether such Standard Contractual Clauses, European Data Protection Legislation or Non-European Data Protection Legislation applies.

Data Protection Legislation means, as applicable:-

          1. European Data Protection Legislation, and 
          2. Non-European Data Protection Legislation 

which applies to the Processing of Personal Data.

Data Subject - an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

European Data Protection Legislation - as applicable, data protection and privacy legislation in force inside the European Economic Area, including the General Data Protection Regulation and any national Laws implementing such legislation.

General Data Protection Regulation or GDPR - Regulation (EU) 2016/679 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data.

Non-European Data Protection Legislation means data protection or privacy legislation in force outside the European Economic Area, including without limitation such legislation as is in force in the UK (including the UK GDPR and the Data Protection Act 2018 and national implementing legislation).

Personal Data - any information Processed by the Vendor that relates to a Data Subject.

Processing - any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

“Process” and “Processed” have correlative meanings.

Processor - a natural or legal person, public authority, agency, or other body that Processes Personal Data on behalf of a Controller.

Pseudonymisation - the Processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the Personal Data are not attributed to an identified or identifiable natural person.

Standard Contractual Clauses - as applicable: 

          1. the standard contractual clauses available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN pursuant to the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR (“EU SCCs”); and 
          2. the International Data Transfer Addendum to the EU SCCs issued by the Information Commissioner’s Office under S119A(1) of the Data Protection Act available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (“UK Addendum”).

Sub-Processor - Processors used by the Vendor to Process Personal Data.

Supervisory Authority - an independent public authority that has been established by a governmental body and is responsible for monitoring the application of applicable Data Protection Legislation, to protect the fundamental rights and freedoms of natural persons in relation to Processing and to facilitate the free flow of Personal Data.

UK GDPR - the GDPR as it forms part of the law of the United Kingdom.

2. ROLES & SCOPE 

This DPA only applies to the Processing of Your Personal Data by the Vendor pursuant to the above terms, together with Your Order Form as updated from time to time.

You and the Vendor agree that with respect to Personal Data, You are the Controller of such Personal Data and the Vendor is the Processor of such Personal Data, except when You act as a Processor or Sub-Processor of such Personal Data, in which case the Vendor is a Sub-Processor of such Personal Data.  Nothing in the preceding sentence alters the obligations of either the Vendor or You under this DPA, as the Vendor acts as a Processor with respect to You in all events.  In any instance where You are a Processor or Sub-Processor, You warrant to the Vendor that Your instructions, including the appointment of the Vendor as a Processor or Sub-Processor, have been authorised by the relevant Controller.

This DPA does not limit or reduce any data protection commitments the Vendor makes to You in the Terms of Service.

You acknowledge and agree that (taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the Processing of its Personal Data as well as the risks to individuals) the security practices and policies implemented and maintained by the Vendor provide a level of security appropriate to the risk with respect to its Personal Data. 

3. DETAILS OF PROCESSING 

3.1 Data Subjects 

The categories of Data Subjects whose Personal Data may be Processed in connection with the services are determined and controlled by You at Your sole discretion and may include but are not limited to: Your representatives and end users, such as employees, contractors, collaborators, clients, prospects, and customers; and employees or contractors of Your clients, prospects, and customers.

3.2 Categories of Personal Data 

The categories of Personal Data to be Processed in connection with the services are determined by You at Your sole discretion and may include but are not limited to: first and last name, employer, role, professional title, and contact information (eg, email, telephone numbers, and physical address).

3.3 Special categories of Personal Data 

Special categories of Personal Data (eg information revealing racial or ethnic origin; political, religious, or philosophical beliefs; trade union membership; or health data) will not be Processed by the Vendor.  You agree to never share any special categories of Personal Data with the Vendor.

3.4 Processing operations 

The Vendor shall Process Personal Data only as described and subject to the limitations herein: 

          1. to provide You the services in accordance with the Documented Instructions (as defined below); and 
          2. for business operations incidental to providing the services to You, which may include: 
  • delivering functional capabilities as licensed, configured, and used by You and Your Authorised Users, and 
  • preventing, detecting, and repairing problems, including Security Incidents (as defined below), and providing technical support, professional planning, advice and guidance.

4. OBLIGATIONS OF BINDERR 

4.1 Processing Personal Data 

The Vendor shall: 

          1. Process Personal Data only on Documented Instructions (as defined below) from You, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by applicable Data Protection Legislation; in such a case, the Vendor shall notify You of said legal requirement before Processing, unless said Data Protection Legislation prohibits such notification on important grounds of public interest;
          2. inform You if, in its opinion, an instruction given by You with regard to Processing of Personal Data infringes any applicable Data Protection Legislation; in such a case, the Vendor may suspend the relevant Processing without penalty or liability until You give the Vendor relevant written instructions that in the Vendor’s opinion do not infringe Data Protection Legislation; 
          3. ensure that persons authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; 
          4. provide periodic and mandatory data privacy and security training and awareness to the Vendor Personnel with access to Personal Data in accordance with applicable Data Protection Legislation;
          5. taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk, including, any detailed in the terms related to Personal Data and, inter alia, as appropriate: 
  • the Pseudonymisation and encryption of Personal Data; 
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing.

4.2 Systems and services 

The Vendor shall ensure: 

          1. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; 
          2. a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing;
          3. in assessing the appropriate level of security for purposes of clause 2 above, take account in particular of the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise Processed; 
          4. take steps to ensure that any natural person acting under the authority of the Vendor who has access to Personal Data does not Process such Personal Data except on instructions from You, unless he or she is required to do so by applicable Data Protection Legislation; and 
          5. adhere to the conditions set forth in clauses 6 and 7 below for engaging or changing a Sub-Processor.

You and the Vendor agree that this DPA and the above terms, together with Your Order Form as updated from time to time (including the provision of instructions made available by the Vendor for the provision of its services) constitute Your documented instructions regarding the Vendor’s Processing of Personal Data (“Documented Instructions”).  The Vendor shall Process Personal Data only in accordance with Documented Instructions, and for business operations incidental to providing the services.  You hereby grant all such rights and permissions in or relating to Personal Data to the Vendor and its Sub-Processors, as are necessary to perform the service.  The Vendor shall not retain, use, disclose or otherwise Process Personal Data other than for the purposes set out in this DPA and the above terms, together with Your Order Form as updated from time to time.  The Vendor shall not derive information from Personal Data for any advertising or similar commercial purposes.  In no event shall the Vendor sell Personal Data.

Additional instructions outside the scope of the Documented Instructions (if any) require a prior written agreement between the Vendor and You, including any additional fees payable by You to the Vendor for carrying out such instructions.

5. SECURITY INCIDENT MANAGEMENT

5.1 Notice 

The Vendor shall notify You of any breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data while Processed by the Vendor (a “Security Incident”) without undue delay after becoming aware of the Security Incident and, in any event, within 48 hours of becoming aware of such Security Incident.  Notification of a Security Incident shall be delivered to one or more of Your administrators by any means the Vendor selects, including via email.  It is Your sole responsibility to ensure Your administrators maintain accurate contact information.  You are solely responsible for complying with Your obligations under incident notification Laws applicable to You and fulfilling any third-party notification obligations related to any Security Incident.  The Vendor’s obligation to report or respond to a Security Incident is not an acknowledgement by the Vendor of any fault or liability with respect to the Security Incident.  Similarly, Your failure to comply with notification provisions hereunder or otherwise and any liabilities arising therefrom shall not be attributed to the Vendor.

In the event of a Security Incident, the Vendor shall: 

          1. investigate the Security Incident; 
          2. provide You with information about the Security Incident (including, where possible, the nature of the Security Incident, the contact from whom more information can be obtained, and the likely consequences of the Security Incident), which information may be provided in phases as it becomes available; and 
          3. take reasonable steps to mitigate the effects of, and to help minimise any damage resulting from, the Security Incident.

In the event that a Security Incident was not due to the fault of the Vendor, the Vendor shall cooperate with You with reasonable costs and expenses to be covered by You. 

The Vendor shall make reasonable efforts to assist You in fulfilling Your obligation under GDPR Article 33 or other applicable Data Protection Legislation to notify the relevant Supervisory Authority and Data Subjects about such Security Incident.

You shall notify the Vendor promptly about any possible misuse of its accounts or authentication credentials or any potential security incident related to the Vendor’s services. 

6. SUB-PROCESSORS 

The Vendor may engage subcontractors and Sub-Processors to provide services on its behalf. 

Binderr shall: 

          1. Provide prior notice of any changes concerning the addition or replacement of Sub-Processors, giving You the opportunity to object to such changes.
          2. Ensure that Sub-Processors are bound by data protection obligations no less protective than those in this DPA.
          3. Remain fully liable to You for the performance of the Sub-Processor’s obligations.

You consent to the Vendor engaging the Sub-Processors listed below: 

| Vendor name | Service provided | Data processing location |
| --- | --- | --- |
| Amazon Web Services | Data storage, database hosting, container hosting, logging services, load balancers | Germany |
| DocuSign | Receiving and storage of data required for e-Signature verification and certification | France / Germany / Netherlands |
| Sum and Substance Ltd | Receiving and storage of data required for AML / KYC identity verification purposes | Germany |
| Comply Advantage | Receiving and storage of data required for AML screening and watchlist. | Germany |

for the Processing of Personal Data in accordance with this DPA.  The preceding authorisations shall constitute Your prior written consent to the subcontracting by the Vendor of the Processing of Personal Data if such consent is required.

Where the Vendor engages a Sub-Processor for carrying out specific Processing activities on behalf of You, the same data protection obligations as set out in this DPA shall be imposed on such Sub-Processor by way of contract or other legal act to the extent required by applicable Data Protection Legislation, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the Processing shall meet the requirements of applicable Data Protection Legislation.

Where a Sub-Processor fails to fulfil such data protection obligations, the Vendor shall remain fully responsible and liable for the performance of such Sub-Processor’s obligations.

7. CHANGES TO SUB-PROCESSORS 

Unless otherwise agreed by You and the Vendor, at least sixty (60) days before authorising any new Sub-Processor to access Personal Data, the Vendor shall provide notice of such change by posting to www.binderr.com.  Within thirty (30) days of such notice being posted, You may object to the appointment of an additional Sub-Processor on reasonable grounds, provided in writing to the Vendor, in which case the Vendor shall have the right to cure the objection through one of the following options (to be selected at the Vendor’s sole discretion): 

          1. the Vendor shall cancel its planned use of Sub-Processor or shall offer an alternative plan to provide the Services without using such Sub-Processor; 
          2. the Vendor shall take the corrective steps, if any, identified by You in Your objection as sufficient to remove Your objection, and proceed to use the Sub-Processor; or 
          3. the Vendor may cease to provide, or You may agree not to use (temporarily or permanently), the particular aspect of the services that would involve the use of such Sub-Processor, subject to a mutual agreement of the Vendor and You to adjust the remuneration for the services considering the reduced scope of the services. 

If none of the above options are reasonably available or the objection otherwise has not been resolved to the mutual satisfaction of the Vendor and You within thirty (30) days after the Vendor’s receipt of Your objection pursuant to this DPA, either Party may terminate the provision of services. 

7.1 Emergency Replacement of a Sub-Processor 

The Vendor may replace a Sub-Processor at any time if the need for the change is urgent and necessary, and the reason for the change is beyond the Vendor’s reasonable control.  In such instance, the Vendor shall notify You of the replacement Sub-Processor as soon as reasonably practicable, and You shall retain the right to object to the replacement Sub-Processor pursuant to the clause above.  You shall not be entitled to any remuneration or accrue any rights of termination due to the emergency replacement.

8. COOPERATION WITH REQUESTS FROM DATA SUBJECTS 

The Vendor shall assist You, to the extent reasonably practicable and consistent with the functionality of the services, in respect of any Data Subject requests to exercise one or more of their rights under applicable Data Protection Legislation.  To the extent legally permitted, You shall be responsible for any costs arising from the Vendor’s provision of such assistance beyond the existing functionality or performance of the services. 

If the Vendor receives a request from one of Your Data Subjects to exercise one or more of their rights under applicable Data Protection Legislation, the Vendor shall instruct the Data Subject to make its request directly to You.  You shall be responsible for responding to any such request.

The Vendor, unless prevented by law, shall notify You without undue delay if a Supervisory Authority makes any inquiry or request for disclosure regarding Personal Data provided by You to the Vendor.

9. OTHER COOPERATION 

Taking into account the nature of Processing and the information available to the Vendor, the Vendor shall provide reasonable assistance to You in ensuring compliance with obligations: 

          1. to ensure an appropriate level of security; 
          2. in cases of a Security Incident, to provide appropriate notifications to Supervisory Authorities and Data Subjects, in accordance with applicable Data Protection Legislation; 
          3. where required under applicable Data Protection Legislation, to carry out assessments of the impact of envisaged Processing operations on the protection of Personal Data;
          4. where required under applicable Data Protection Legislation, to consult with Supervisory Authorities with regard to matters related to such Processing;  and 
          5. to demonstrate compliance with the obligations concerning Processing of Personal Data carried out on behalf of a Controller and allow for and contribute to audits, including inspections, conducted by You or another auditor mandated by You pursuant to clause 11 below. 

10. RETENTION AND DELETION OF PERSONAL DATA 

10.1 Personal Data

Subject to clause 10.2 below, the Vendor shall delete or return Personal Data in accordance with the mutual agreement between the Vendor and You save to the extent that the Vendor is required by any applicable Law to retain some or all of the Personal Data.  In such event, the Vendor shall extend the protections of the Terms of Service and this DPA to such retained Personal Data and limit any further Processing of such Personal Data only to those limited purposes for which, and only for so long as, such retention is required by applicable Law. 

10.2 The Vendor services 

At all times during the applicable term, You shall have the ability to access, extract, and delete Personal Data held in our systems.  The Vendor shall retain Personal Data it stores for ninety (90) days after expiration or termination of Your use of the Vendor’s services so that You may extract Personal Data.  After said 90-day period ends, the Vendor shall disable Your account and delete all Personal Data within thirty (30) days and, where required by Law, shall certify to You that it has done so, save to the extent that the Vendor is required by any applicable Law to retain some or all of such Personal Data.  In such event, the Vendor shall extend the protections of its Terms of Service and this DPA to such retained Personal Data and limit any further Processing of such Personal Data only to those limited purposes for which, and only for so long as, such retention is required by applicable Law.

Nothing contained herein shall require the Vendor to alter, modify, delete, or destroy backups or other media created in the ordinary course of business for purposes of disaster recovery and business continuity, so long as such backups or other media are kept solely for such purposes and are overwritten, recycled, or otherwise remediated in the ordinary course of business and, in any event, not longer than ninety (90) days after creation.

The Vendor has no liability for the deletion of any data, including Personal Data as described in this clause 10.2. 

11. SECURITY REPORTS, AUDITS AND RECORDS 

To the extent Your audit requirements under the Standard Contractual Clauses or Data Protection Legislation cannot reasonably be satisfied through (i) audit reports provided by the Vendor, (ii) documentation, or (iii) other compliance information that the Vendor makes generally available to You, the Vendor shall, not more than one time per calendar year, promptly respond to Your audit requests.  Before the commencement of an audit, You and the Vendor shall mutually agree upon the scope, timing, duration, control and evidence requirements, and fees for the audit, provided that this requirement to agree shall not permit the Vendor to unreasonably delay performance of the audit.  To the extent needed to perform the audit, the Vendor shall make the processing systems, facilities and supporting documentation relevant to the Processing of Personal Data by the Vendor, its Affiliates, and its Sub-Processors (where possible) available.  Such an audit shall be conducted by an independent, accredited third-party audit firm, during regular business hours, with reasonable advance notice to the Vendor (not less than twenty days), and subject to reasonable confidentiality and security procedures.  Neither You nor the auditor shall have access to any data from the Vendor’s other customers or to the Vendor systems or facilities not involved in the services the Vendor provides to You.  You are responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time the Vendor expends for any such audit, in addition to the rates for services performed by the Vendor.  If the audit report generated as a result of Your audit includes any finding of material non-compliance, You shall share such audit report with the Vendor and the Vendor shall promptly cure any material non-compliance.

Where Standard Contractual Clauses apply, nothing in this clause varies or modifies the Standard Contractual Clauses or affects any Supervisory Authority’s or Data Subject’s rights under the Standard Contractual Clauses or Data Protection Legislation.

The Vendor shall maintain, to the extent and in the manner required by applicable Data Protection Legislation, a record of all categories of Processing activities carried out on behalf of You and, to the extent applicable to the Processing of Personal Data on behalf of You, make such record available to You upon request.

12. YOUR OBLIGATIONS  

12.1 Your acknowledgment 

You acknowledge that: 

          1. You shall comply with all applicable Data Protection Legislation (including Your obligations thereunder); 
          2. You are responsible for determining whether the Vendor’s services are appropriate for storage and Processing of Personal Data; 
          3. You have the right to transfer, or provide access to, Personal Data to the Vendor and its Sub-Processors for Processing in accordance with the Terms of Service and this DPA; 
          4. You are solely responsible for fulfilling any third-party notification obligations related to a Security Incident; and 
          5. You specifically acknowledge that Your use of the Vendor services shall not violate the rights of any Data Subject, including, without limitation, those that have opted-out from sales or other disclosures of Personal Data, to the extent applicable under Data Protection Legislation.

12.2 Personal Data sharing 

The use of the Vendor’s services may enable Authorised Users to share Personal Data or invite third party users to use and access the Vendor’s services.  Such third-party users may access, view, download, and share Personal Data.  You understand and agree that: 

          1. it is solely Yours and Your Authorised Users’ choice to share Personal Data; 
          2. the Vendor cannot control third parties with whom You or Authorised Users have shared Personal Data; and
          3. You and / or Your Authorised Users are solely responsible for their sharing of any Personal Data through the Vendor’s services. 

13. MODIFICATION, SUPPLEMENTATION AND TERM 

The Vendor may modify or supplement this DPA, with notice to You: 

          1. if required to do so by a Supervisory Authority or other government or regulatory entity; 
          2. if necessary to comply with applicable Data Protection Legislation; 
          3. to implement Standard Contractual Clauses, or
          4. to adhere to an approved code of conduct or certification mechanism approved or certified pursuant to Articles 40, 42 and 43 of the GDPR or analogous provisions of other applicable Data Protection Legislation.

In the event that such required modification or supplement results in You becoming non-compliant with Law that is applicable to You, You may terminate the Terms of Service, and You shall be entitled to a pro-rata refund for prepaid Fees for Services not performed as of the date of termination. 

This DPA is effective upon Your use of the Vendor’s services for which the Vendor is a Processor or Sub-Processor. 

This DPA shall remain in force as long as the Vendor Processes Personal Data on behalf of You. 

14. TRANSFER OF PERSONAL DATA AND LOCATION 

You acknowledge that the Vendor and its Sub-Processors may without limitation Process Personal Data in countries that are outside of the European Economic Area (“EEA”) and the United Kingdom.  This shall apply even where You have agreed with the Vendor to host Personal Data in the EEA or the United Kingdom, if such Processing is necessary to provide services requested by You. 

The Vendor shall abide by the requirements of the Data Protection Legislation regarding the collection, use, transfer, retention, and other Processing of Personal Data from the EEA and the United Kingdom.  All transfers of Personal Data to a third country or an international organisation (including any relevant Sub-Processor) that does not ensure an adequate level of protection shall be subject to appropriate safeguards as described in Article 46 of the GDPR and UK GDPR.  Such transfers and safeguards shall be documented according to Article 30(2) of the GDPR or UK GDPR (as applicable). 

All transfers of Personal Data out of the EEA and the United Kingdom shall be governed by the Standard Contractual Clauses, except for transfers (a) to and from any country which has a valid adequacy decision from the European Commission or the UK Government (as applicable), or (b) to and from any organisation which ensures an adequate level of protection in accordance with the applicable Data Protection Legislation. Subject to the foregoing and where indicated as applicable in Schedule 1 of this DPA, or this DPA, by You include execution of the Standard Contractual Clauses.  In the event any Standard Contractual Clauses include a transition period for implementation, the Vendor shall ensure the updated Standard Contractual Clauses shall be implemented prior to the expiration of such transition period (including in respect of transfers to any Sub-Processors which rely on the Standard Contractual Clauses).

14.1 Location of Personal Data 

All Personal Data processed by the Vendor shall be stored in the EEA.  You acknowledge that the Vendor may employ Sub-Processors based in other regions without limitation and, thus, Personnel of Sub-Processors in such locations may have access to Personal Data.  Notwithstanding the foregoing, the Vendor does not control or limit the region or regions from, in, or to which You or Authorised Users may access, move, store or otherwise Process Personal Data. 

14.2 Miscellaneous 

The Vendor has appointed a data protection officer, EU representative, and UK representative.  These are documented in the Privacy Policy at www.binderr.com.

If there is a conflict or inconsistency between the Terms of Service and this DPA, the terms of this DPA shall prevail.  If there is a conflict or inconsistency between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail. 

To the fullest extent permitted by Law, any claims brought under this DPA and / or the Standard Contractual Clauses shall be subject to the Terms of Service, including but not limited to, any applicable exclusions and limitations set forth therein.  For the sake of clarity, the Vendor’s aggregate liability arising out of this DPA and / or the Standard Contractual Clauses shall in no event exceed the limitations set forth in the Terms of Service.


Terms of Service – Appendix C
Data Processing Agreement Schedule 1

September 2024

1. STANDARD CONTRACTUAL CLAUSES 

You and the Vendor agree that the applicable Standard Contractual Clauses, as issued by the European Commission, are incorporated into the DPA by reference, as if they had been set out in full, and are populated as follows.  Unless expressly stated below, any optional clauses contained within the Standard Contractual Clauses shall not apply. 

The following Standard Contractual Clauses shall apply where Personal Data is transferred to a third country (unless the transfer is permitted on the basis of an adequacy decision):-

          1. CONTROLLER → PROCESSOR (Module Two) (“Controller to Processor Standard Contractual Clauses”) if You, acting as a Controller, are making a restricted transfer of Personal Data subject to the GDPR and / or the UK GDPR (as applicable) to the Vendor, acting as a Processor;
          2. PROCESSOR → PROCESSOR (Module Three) (“Processor to Processor Standard Contractual Clauses”) if You, acting as a Processor, make a restricted transfer of Personal Data subject to the GDPR and / or the UK GDPR (as applicable) to the Vendor acting as a Processor; and / or 
          3. PROCESSOR → CONTROLLER (Module Four) (“Processor to Controller Standard Contractual Clauses”) if the Vendor, acting as a Processor, makes a restricted transfer of Personal Data subject to the GDPR and / or the UK GDPR (as applicable) to You, acting as a Controller.

2. UK ADDENDUM 

You and the Vendor agree that the UK Addendum, as issued by the Information Commissioner’s Office (ICO), is incorporated into the DPA by reference, as if it had been set out in full, and is populated and shall be read against the EU SCCs as follows. Unless expressly stated below, any optional clauses contained within the UK Addendum shall not apply.

Start Date 

The UK Addendum is effective as of the date You first click “I agree” (or similar button or checkbox) or use or access our services.

1. Table 1: Parties 

Exporter and key contact: As set out in Annex 1 of the Standard Contractual Clauses below. 

Importer and key contact: As set out in Annex 1 of the Standard Contractual Clauses below.

2. Table 2: Selected SCCs, Modules and Clauses 

As applicable, Module 2, Module 3 or Module 4 of the EU SCCs as incorporated by reference into Schedule 1 of this DPA including any supplementary clauses set out within Schedule 1 of this DPA.

3. Table 3: Appendix Information 

As set out in Annex 1 and Annex 2 of the Standard Contractual Clauses below.

4. Table 4: Ending this Addendum when the Approved Addendum Changes 

In the event the Commissioner issues a revised Approved Addendum, in accordance with Section 18 of the UK Addendum which as a direct result of such changes has a substantial, disproportionate and demonstrable increase in: (a) the data importer’s direct costs of performing its obligations under the Addendum; and / or (b) the data importer’s risk under the Addendum, the data importer may terminate this UK Addendum on reasonable written notice to the data exporter in accordance with Table 4 and paragraph 19 of the UK Addendum.

3. SUPPLEMENTARY CLAUSES FOR MODULE TWO AND MODULE THREE: 

3.1 Erasure and deletion 

For the purposes of Clause 8.5, Section II of and Module Three of the Standard Contractual Clauses the data importer shall delete the Personal Data in accordance with clause 10.1 of the DPA.

3.2 Audit 

You and the Vendor acknowledge that the data importer complies with its obligations under Clause 8.9, Section II of Module Two and Module Three of the Standard Contractual Clauses by (i) acting in accordance with clause 9 part v of the DPA and (ii) exercising its contractual audit rights it has agreed with its Sub-Processors.  For the purposes of Clause 8.9(e), Section II of Module Three of the Standard Contractual Clauses, the data exporter shall ensure the results are provided to the relevant controller(s) on a confidential basis and that the controller(s) have committed themselves to confidentiality in respect of the same.

3.3 Notifications 

For the purposes of Clause 8, Section II of Module Three of the Standard Contractual Clauses, the data exporter shall use all reasonable endeavours to ensure any instructions provided by the relevant controller(s) are directed via the data exporter.  The data exporter shall be responsible for ensuring any notifications provided by the data importer are promptly notified to the relevant controller(s) to fulfil the data importer’s notification obligations pursuant to Clause 8.

3.4 Sub-processors 

For the purposes of Clause 9, Section II of Module Two and Module Three of the Standard Contractual Clauses, You and the Vendor agree that option 2: general written authorisation shall apply, and the data importer shall notify the data exporter of any changes in accordance with clause 7 of the DPA.  For the purposes of Clause 9, Section II of Module Three of the Standard Contractual Clauses, the data importer shall notify the data exporter of any changes to a Sub-Processor and the data exporter shall be responsible for ensuring such notifications are provided to the relevant controller(s) and shall inform the data importer of any objections within the time frames specified.  Copies of any Sub-Processor agreements (redacted as appropriate) requested from the data importer shall be provided to the data exporter for onward provision to the relevant controller, as applicable. 

3.5 Data Subject rights 

For the purposes of Clause 10(a) to (c) Section II of Module Three of the Standard Contractual Clauses, You and the Vendor acknowledge that given the nature of the Processing by the data importer it would not be appropriate for the data importer to notify or assist the controller directly in respect of any requests received from a Data Subject.

3.6 Transfer impact assessment 

For the purposes of Clause 14(c), Section III of Module Two and Module Three of the Standard Contractual Clauses, the data exporter acknowledges that the Vendor may transfer Personal Data to the following countries: 

  • Cyprus
  • Germany
  • United Kingdom
  • United States of America

The data exporter acknowledges a transfer impact assessment has been made available by the data importer on or prior to the date of the Engagement Letter which the data exporter accepts as sufficient to fulfil the data importer’s obligations pursuant to Clause 14(c) and 14(a) of the Standard Contractual Clauses. 

For the purposes of Clause 14(c), 15.1(b) and 15.2, Section III of Module Two and Module Three of the Standard Contractual Clauses, the Parties agree that “best efforts” and the obligations of the data importer under clause 15.2 shall mean exercising the degree of skill and care, diligence, prudence and foresight which would reasonably and ordinarily be expected from a leading practice engaged in a similar type of undertaking under the same or similar circumstances and shall not include actions that would result in civil or criminal penalty such as contempt of court under the laws of the relevant jurisdiction.

3.7 Governing law and jurisdiction 

For the purposes of Clause 17 and 18, Section IV of Module Two and Module Three of the EU SCCs, the Parties agree that the laws and courts of Malta shall apply.  For the purpose of the UK Addendum, the Parties acknowledge and accept that the laws and courts of England and Wales shall apply. 

3.8 Supplementary clauses for Module Four:-

Erasure and Deletion: 

For the purposes of Clause 8.1(d), Section II of Module Four of the Standard Contractual Clauses, the data exporter shall delete the Personal Data in accordance with clause 10.1 of the DPA.

Governing law and Jurisdiction: 

For the purposes of Clauses 17 and 18, Section IV of Module Four of the EU SCCs and the UK Addendum, the Parties agree that the laws and courts of England and Wales shall apply.