Legal Center

Data Processing Addendum

Last Updated February 23, 2024

This Agreement also includes the:

This Data Processing Addendum (“DPA”) supplements and forms part of the Subscription and Services Agreement or other written or electronic agreement between “TrustArc” and the “Customer” purchasing online services from TrustArc (the “Solutions”) (the “Agreement”). This DPA reflects the Parties’ agreement with respect to the Processing of Customer Data by TrustArc, including any Personal Information contained therein, on behalf of Customer while Customer utilizes TrustArc Solutions. Customer enters this DPA on behalf of itself, and to the extent required under Data Protection Laws and Regulations, on behalf of its Authorized Affiliates, to the extent such entities qualify as a Controller. As used herein, any references to the: (a) “Customer” shall hereafter include Customer and its Authorized Affiliates; and (b) “Agreement” will be construed to include this DPA. All capitalized terms not defined herein shall have the meaning given to them in the Agreement. This DPA consists of distinct parts: the main body of the DPA, and, as applicable, Schedules 1 (Description of the Transfer) and 2 (Provisions Related to the Standard Contractual Clauses).

By executing this DPA, TrustArc and Customer agree to comply with the following provisions with respect to any Personal Information, each acting reasonably and in good faith.

HOW THIS DPA APPLIES

This DPA is executed by and between the Parties. Customer’s Authorized Affiliates will also be covered by this DPA, provided that Customer shall remain responsible for their acts and omissions. For the avoidance of doubt, the Customer entity that is the contracting party to the Agreement shall, on behalf of itself and its Authorized Affiliates: (a) remain responsible for coordinating, making, and receiving all communication with TrustArc under this DPA; (b) exercise any of its own or its Authorized Affiliates’ rights herein in a combined manner; and (c) be responsible for Authorized Affiliates’ compliance with this DPA and all acts and/or omissions by an Authorized Affiliate with respect to Customer’s obligations in this DPA shall be considered acts and/or omissions of Customer.

DATA PROCESSING TERMS

1. DEFINITIONS

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

“Authorized Affiliate” means any Affiliate of Customer’s which is: (i) subject to Data Protection Laws and Regulations; and (ii) authorized by Customer to use the Solutions pursuant to the Agreement between Customer and TrustArc but has not signed its own Order with TrustArc and is not otherwise a “Customer” under the Agreement.

“CCPA” means the California Consumer Privacy Act, as amended by the California Privacy Rights Act of 2020 or “CPRA”, and its implementing regulations, in each case, upon becoming final and going into full force and effect; Cal. Civ. Code § 1798.100- 1798.199.100 et seq.

“Controller” means the entity that determines the purposes and means of the Processing of Personal Information.

“Customer Data” means any files, documents, content, data, Personal Information, evidence, responses, assessments, intake form information, consent preferences, and similar data that TrustArc maintains on Customer’s and/or its end-users’ behalf, as well as any other information Customer or its Users or end-users may upload or submit to Customer’s Solution account in connection with the Solutions.

“Data Protection Laws and Regulations” means all applicable data protection and privacy laws and regulations, including the laws and regulations of Brazil, the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom, and the United States and its states (including but not limited to California), in each case, to the extent applicable to the Processing of Personal Information under the Agreement.

“Data Subject” means, as applicable: (i) the identified or identifiable person to whom Personal Information relates as defined by Data Protection Laws and Regulations; and/or (ii) a “Consumer” as the term is defined in the CCPA.

“Data Subject Request” means a request from a Data Subject to exercise their right: (i) of access; (ii) of rectification; (iii) of restriction of processing; (iv) of erasure (e.g., a “right to be forgotten”); (v) of data portability; (vi) to know any first- or third-party sharing activities; (vii) to know TrustArc’s relevant processing activities; (viii) to review the consequences of any objections or consent withdrawals; (ix) to not be subject to automated individual decision making; and/or (x) to object to Processing.

“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal information and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

“LGPD” means Brazil Law No. 13.709, the General Law on Protection of Personal Information, as amended.

“Party” or “Parties” means either Customer or TrustArc individually, or both entities together, respectively, and as applicable.

“Personal Information” means any information relating to: (i) an identified or identifiable natural person (e.g., a Data Subject or Consumer); (ii) a household under CCPA; and/or (iii) any elements that constitute personal information or a similar construct under applicable law, in each case, where such information is maintained on behalf of the Controller by the Processor within its Solutions environment and is protected similarly as personal data, personally identifiable information, or the equivalent construct under Data Protection Laws and Regulations.

“Processing” means any operation or set of operations which is performed upon Personal Information, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

“Processor” means the entity that Processes Personal Information on behalf of the Controller, including, as applicable, a “Service Provider” as the term is defined by the CCPA.

“Security Incident” means any breach of TrustArc’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including any Personal Information therein, transmitted, stored, or otherwise Processed by TrustArc or its Sub-processors of which TrustArc becomes aware.

“Standard Contractual Clauses” means the standard contractual clauses, also known as “SCCs,” attached to the European Commission’s Implementing Decision (EU) 2021/914 found here.

“Sub-processor” means any Processor engaged by TrustArc to assist in fulfilling its obligations with respect to providing the Solutions pursuant to the Agreement or this DPA or TrustArc.

“Supervisory Authority” means an independent public authority established under applicable law to oversee compliance with Data Protection Laws and Regulations.

“Swiss FADP” means the Swiss Federal Act on Data Protection of 19 June 1992 and its corresponding ordinances, in each case, as may be amended, superseded, or replaced.

“Technical and Organizational Measures” or “TOMs” means the technical and organizational measures documentation located in our Technical and Organizational Measures found here.

“UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the Information Commissioner under S119A Data Protection Act 2018, which can be found here.

2. PROCESSING OF PERSONAL INFORMATION

2.1. Roles of the Parties. The Parties agree that with regard to the Processing of Personal Information by TrustArc on behalf of Customer, Customer is the Controller, TrustArc is the Processor, and TrustArc will engage Sub-processors as further detailed in Section 5 (Sub-Processors) of this DPA.

2.2. Customer’s Responsibilities. When using the Solutions, Customer shall Process Personal Information in accordance with Data Protection Laws and Regulations, including maintaining lawful basis (e.g., consent) and rights to use and provide Personal Information, as part of Customer Data. Customer’s instructions for the Processing of Personal Information shall be lawful and will not violate applicable Data Protection Laws and Regulations.

2.3. TrustArc’s Responsibilities. TrustArc shall treat Customer’s Personal Information in a confidential manner, consistent with Section 6 (Security) of this DPA, and shall only Process Customer’s Personal Information on its behalf and in accordance with Customer’s documented instructions, which are deemed given, for the following purposes: (i) Processing in accordance with the Agreement and applicable Order(s); (ii) Processing initiated by users in their use of the Solutions; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement. As required under Article 28 of the GDPR, to the extent such Processing of Personal Information includes transfers of Personal Information to a third country or an international organization as legally required by European Union or Member State law to which TrustArc is subject, TrustArc shall inform the Customer of that legal requirement before initiating Processing, unless the applicable European Union or Member State law prohibits such information on important grounds of public interest. TrustArc shall immediately inform Customer if, in its opinion, it believes that any instructions of Customer conflict with or violate the requirements of Applicable Data Protection Laws and Regulations.

2.4. Processing Details. The categories of Data Subjects, categories of Personal Information transferred, sensitive data transferred (if applicable), frequency of the transfer, nature and purpose of Personal Information transfer and Processing, retention of Personal Information, and subject matter of the Processing are specified in Schedule 1 (Description of the Transfer) of this DPA.

3. RIGHTS OF DATA SUBJECTS

Unless legally prohibited from doing so, TrustArc shall promptly notify Customer and/or direct the applicable Data Subject to Customer in the event that it receives a Data Subject Request. Taking into account the nature of the Processing, TrustArc shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests related to a Data Subject’s rights under Data Protection Laws and Regulations.

4. TRUSTARC PERSONNEL

TrustArc shall ensure that its personnel engaged in the Processing of Personal Information: (a) are informed of the confidential nature of the Personal Information and shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty); (b) have received appropriate training on their responsibilities, specifically pertaining to security and privacy measures; and (c) only have access to Personal Information to the extent reasonably determined to be necessary in order to perform any obligations, responsibilities, or duties as further specified in this DPA and the Agreement. Further, to the extent permitted by applicable law, TrustArc shall ensure that the confidentiality obligations specified in this Section 4 shall survive the termination of the personnel engagement.

5. SUB-PROCESSORS

5.1. Appointment of Sub-processors. Customer acknowledges and agrees that TrustArc may engage third-party Sub-processors in connection with the provision and operation of the Solutions. Prior to engaging any Sub-processors, TrustArc shall carry out appropriate due diligence on the Sub-processor and enter into a written agreement with each Sub-processor which provides for sufficient guarantees from the Sub-processor to implement appropriate technical and organizational measures containing the same level of data protection obligations with respect to the protection of Customer Data such that the processing will meet the requirements of applicable Data Protection Laws and Regulations and the terms of this DPA.

5.2. Current Sub-processors and Notice of New Sub-processors. Customer hereby approves the Sub-processors currently listed here (“Sub-processor Disclosure”). TrustArc may remove, replace or appoint suitable and reliable (further) Sub-processors at its own discretion in accordance with Sections 5.2 and 5.3 herein. TrustArc’s most up-to-date list of Sub-processors utilized for the Solutions and their geographic location may be found here. TrustArc shall inform Customer of any new Sub-processors by updating its Sub-Processor disclosure and providing e-mail notification no less than thirty (30) days before authorizing such Sub-processor(s) to Process Personal Information in connection with the provision of the applicable Solutions. To enable receipt of such e-mail notifications, Customer may subscribe here.

5.3. Objection Rights. Customer may, in good faith, reasonably object to TrustArc’s use of a new Sub-processor by notifying TrustArc promptly, in writing (e-mail acceptable), within thirty (30) days of TrustArc’s notice in accordance with the mechanism set out in Section 5.2. Customer’s notice of objection shall explain their good faith, reasonable grounds for the objection. If Customer objects to a new Sub-processor, TrustArc will use commercially reasonable efforts to make available to Customer a change in the Solutions or recommend a commercially reasonable change to Customer’s configuration or use of the Solutions to avoid Processing of Personal Information by the objected-to new Sub-processor without unreasonably burdening the Customer. If it can be reasonably demonstrated to TrustArc that the new Sub-processor is unable to Process Customer Personal Data in compliance with the terms of this DPA and TrustArc cannot provide an alternative Sub-processor, or the Parties are not otherwise able to achieve resolution, Customer, as its sole and exclusive remedy, may, by providing written notice to TrustArc, terminate the applicable Order(s) with respect to those Solutions which cannot be provided by TrustArc without the use of the objected-to new Sub-processor. Customer’s exclusive remedy for termination pursuant to this Section 5.3 shall be a refund for any prepaid, unused, fees covering the remainder of the term of such Order(s) following the effective date of termination solely with respect to such terminated Solutions.

5.4. Liability. TrustArc shall be liable for the acts and omissions of its Sub-processors to the same extent TrustArc would be liable if performing the applicable Sub-processor services directly under the terms of this DPA.

6. SECURITY

6.1. Protection of Customer Content. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity to the rights and freedoms of natural persons, TrustArc shall implement and maintain appropriate technical and organizational measures for the security (including protection against a Security Incident), confidentiality, and integrity of Customer Data, as set forth in the applicable Technical and Organizational Measures found here. TrustArc regularly monitors compliance with these measures and may review and update its Technical and Organizational Measures from time to time, provided that any such updates shall not materially diminish the overall security of the Solutions or Customer Data.

6.2. Third-Party Certifications and Audits. TrustArc shall make available to Customer information necessary to demonstrate compliance with its obligations under applicable Data Protection Laws and Regulations by making available, upon Customer’s request and no more than once annually: (a) any written technical documentation that TrustArc makes available or generally provides to its customer base; and (b) information regarding TrustArc’s compliance with the obligations in this DPA, in the form of applicable third-party certifications and/or audits, including those specified in the applicable Technical and Organizational Measures. Where required under Data Protection Laws and Regulations, the preceding may also include relevant information and documentation about TrustArc’s Sub-processors, to the extent such information is available and may be distributed by TrustArc. Should additional audit activities be deemed reasonably necessary, for example if there is: (i) a requirement under Data Protection Laws and Regulations; (ii) a Security Incident; (iii) a material adverse change or reduction to the relevant data protection practices for TrustArc’s Solutions; and/or (iv) a breach of the material terms of this DPA, Customer may contact TrustArc to request an audit by Customer directly or by an auditor appointed by Customer of the procedures relevant to the protection of Personal Information under this DPA. Before the commencement of any such audit, Customer and TrustArc shall mutually agree upon the reasonable start date, scope, timing, duration, and/or reimbursable expenses (if any and solely to the extent permitted by Data Protection Laws and Regulations) of the audit. Customer shall: (a) promptly provide TrustArc with information regarding any non-compliance discovered during the course of an audit; and (b) use best efforts to minimize interference with TrustArc’s business operations when conducting any such audit. Any reports or information arising from such an audit shall be considered TrustArc’s confidential information and may only be shared with a third-party with TrustArc’s prior written agreement. Where the auditor is a third-party, the auditor may be required to execute a separate confidentiality agreement with TrustArc prior to any review of third-party certifications and/or audits, and TrustArc may object in writing to such auditor, if in TrustArc’s reasonable opinion, the auditor is not suitably qualified or is a direct competitor of TrustArc. Any such objection by TrustArc may require Customer to either appoint another auditor or conduct the audit itself.

6.3. Data Protection Impact Assessment. If, pursuant to Data Protection Laws and Regulations, Customer is required to perform a data protection impact assessment, prior consultation with a Supervisory Authority having appropriate jurisdiction, privacy impact assessment, or the equivalent construct, in connection with their use of the Solutions provided by TrustArc under this DPA, TrustArc shall provide reasonable cooperation and assistance to Customer in helping to fulfill these obligations, so long as Customer does not otherwise have access to the relevant information, and to the extent such information is available to TrustArc.

7. NOTIFICATIONS REGARDING CUSTOMER DATA

TrustArc maintains security incident management policies and procedures and shall notify Customer, without undue delay, of a Security Incident. Notification provided under this Section 7 shall not be interpreted or construed as an admission of fault or liability by TrustArc. TrustArc shall make reasonable efforts to identify the cause of such Security Incident and take those steps as TrustArc deems necessary and reasonable to remediate the cause of such a Security Incident to the extent the remediation is within TrustArc’s commercially reasonable control. Additionally, TrustArc shall provide Customer with relevant information about the Security Incident, as reasonably required to assist Customer in ensuring Customer’s compliance with its own obligations under Data Protection Laws and Regulations, such as to notify any Supervisory Authority or Data Subject in the event of a Security Incident.

8. DELETION AND RETURN OF CUSTOMER DATA

Upon Customer’s written request, TrustArc shall delete and make irretrievable Customer Data, including any Personal Information therein, to the extent allowed by applicable law. TrustArc shall certify the deletion of Customer Data and, upon request, shall provide proof of such certification and/or deletion. Additionally, upon Customer’s written request, where permissible by applicable law, TrustArc shall either: (i) return to Customer or Customer’s representative any Customer Data, including any Personal Information therein, retained by TrustArc; or (ii) direct Customer on how to conduct a self-service data export (where available). If no such request is made, TrustArc shall delete Customer Data following the termination or expiration of Customer’s Agreement or Customer’s discontinuation of the use of their TrustArc Solutions.

9. LIMITATION OF LIABILITY

Each Party’s liability, including the liability of all of such Party’s applicable Affiliates, if any, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and TrustArc, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference to the liability of a Party means the total liability of that Party and all of its Affiliates under the Agreement and all DPAs together.

10. EUROPEAN-SPECIFIC PROVISIONS

The following provisions shall apply to the extent that: (i) Customer is located in the European Union/European Economic Area; or (ii) is located outside of the European Union/European Economic Area but remains subject to the GDPR:

10.1. GDPR. To the extent TrustArc engages in Processing of Personal Information on behalf of Customer, it shall do so in accordance with the requirements of the GDPR directly applicable to TrustArc in the provision of its Solutions.

10.2. Standard Contractual Clauses. The Standard Contractual Clauses shall apply in addition to the DPA for any transfers of Personal Information under this DPA from the European Union, the European Economic Area, and/or Switzerland to countries which do not ensure an adequate level of data protection within the meaning of Data Protection Laws and Regulations of the foregoing territories. The Standard Contractual Clauses, pursuant to this Section 10.2, shall be structured as follows: (i) Module Two (Controller to Processor) terms shall apply and Modules One, Three, and Four shall be deleted in their entirety; (ii) Clause 7 shall be deleted in its entirety and the Parties acknowledge that they may add additional entities to this DPA by contacting TrustArc; (iii) in Clause 9, Option 2 shall apply (as detailed in Section 5 of this DPA); (iv) in Clause 11, the provision pertaining to an optional independent dispute resolution body shall be deleted in its entirety; (v) in Clause 17, Option 1 shall apply and the Standard Contractual Clauses shall be governed by Irish law; (vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland; and (vii) the Annexes of the EU Standard Contractual Clauses shall be populated with the information set out in the Schedules to this DPA.

10.3. Alternative Data Transfer Mechanism. For the avoidance of doubt, should the transfer mechanism identified in Section 10.2 above be deemed invalid by a Supervisory Authority or court with applicable authority, the Parties shall endeavor in good faith to negotiate an alternative mechanism (if available and required) to permit the continued transfer of Personal Information.

11. CALIFORNIA CONSUMER PRIVACY ACT (CCPA)

Within this Section 11, any capitalized term not defined in the DPA shall have the meaning given in the CCPA. The following provisions shall apply to the extent that Customer: (i) resides in California; or (ii) is located outside of California but remains subject to the CCPA:

11.1. California Privacy Rights. To the extent TrustArc Processes Personal Information on behalf of Customer, it shall do so in accordance with the requirements of the CCPA directly applicable to TrustArc in the provision of its Solutions.

11.2. Affirmations. TrustArc shall: (a) provide an appropriate level of privacy protection as required by the CCPA; (b) notify Customer if it can no longer meet its obligations under the CCPA; (c) grant Customer the right, subject to Section 6.2 of the DPA (Third-Party Certifications and Audits), to take reasonable and appropriate steps to ensure that TrustArc’s use of Personal Information is consistent with TrustArc’s privacy and security obligations under the Agreement and CCPA; and (d) upon Customer’s request, which shall be provided to TrustArc with reasonable advanced notice, cooperate with Customer to determine reasonable and appropriate steps to stop and remediate unauthorized use (i.e., use that is inconsistent with the terms of the Agreement and/or Data Protection Laws and Regulations) of Customer Personal Information.

11.3. Restrictions. TrustArc shall not sell Customer Personal Information or otherwise share, use, combine (with another source), or disclose Customer Personal Information except where permitted under the Agreement or Data Protection Laws and Regulations, pursuant to a direct business relationship with Customer, and/or as a Service Provider pursuant to a Business Purpose [i.e., to provide, operate, support, develop, and secure the Solutions (each a “Business Purpose”)].

12. BRAZILIAN GENERAL DATA PROTECTION LAW (LGPD)

For Customers and/or Data Subjects who are residents of the Federal Republic of Brazil, TrustArc shall, where applicable: (a) provide its Solutions under the express obligations imposed by the LGPD on a Data Processor for the benefit of a Data Controller; and (b) as required under Articles 33 through 36 of the LGPD, transfer Personal Information on the basis of the Standard Contractual Clauses, as modified in accordance with the LGPD.

13. INTERNATIONAL TRANSFERS

For applicable jurisdictions outside of the European Economic Area, the Standard Contractual Clauses and/or standard contractual clauses that may be approved by a European Commission decision shall be utilized where required and/or permitted for the lawful transfer of Personal Information, provided that such terms shall be amended to align with Data Protection Laws and Regulations, as well as to reflect TrustArc’s choice of law and location of disputes.

14. TRANSFERS FROM THE UNITED KINGDOM

For Customers and/or Data Subjects who are residents of the United Kingdom, TrustArc shall, where applicable: (a) provide its Solutions in accordance with its obligations under the UK Addendum, which is incorporated into this DPA by reference; and (b) as required by applicable law, transfer and process Personal Information on the basis of the Standard Contractual Clauses, as modified in accordance with the UK Addendum. The UK Addendum shall be structured as follows: (i) Table 1 shall be populated by the information in Schedule 2 of the DPA; (ii) Table 2 shall be populated by the information in Section 10.2 of the DPA; (iii) Table 3 shall be populated by Schedules 1-2 of the DPA together with TrustArc’s Sub-processor Disclosure and Technical and Organizational Measures; and (iv) in Table 4, either the Importer or the Exporter may terminate the UK Addendum.

15. TRANSFERS FROM SWITZERLAND

For Customers and/or Data Subjects who are residents of Switzerland, TrustArc shall, as required by applicable law, protect, transfer, and process Personal Information on the basis of the Standard Contractual Clauses, which are incorporated into this DPA by reference. Where this section applies, the Standard Contractual Clauses shall be modified as follows: (i) references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss FADP; (ii) references to “EU,” “Union,” and “Member State” shall be amended to include Switzerland; (iii) references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the “Swiss Federal Data Protection and Information Commissioner” and the “competent Swiss courts”; (iv) the term “member state” as used in Standard Contractual Clauses shall not be interpreted to exclude Data Subjects in Switzerland from exercising applicable rights (e.g., in their habitual place of residence); and (v) the Standard Contractual Clauses shall be governed by the laws of Switzerland and disputes shall be resolved before the Swiss courts having appropriate jurisdiction.

16. LEGAL EFFECT AND CONFLICT

This DPA shall become legally binding between Customer and TrustArc upon execution of the Agreement. Once effective, this DPA shall be incorporated into and form part of the Agreement or applicable Order. For matters not addressed under this DPA, the terms of the Agreement apply. With respect to the rights and obligations of the Parties vis-à-vis each other, in the event of a conflict between the terms of the Agreement and this DPA, the terms of this DPA will control. In the event of a conflict between the terms of the DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will control.

List of Schedules:

Schedule 1: Description of the Transfer

Schedule 2: Provisions Related to the Standard Contractual Clauses

[Signatures Reflected in the Solutions Order]

SCHEDULE 1 – DESCRIPTION OF THE TRANSFER

Categories of Data Subjects

Customer may submit Personal Information to the Solutions, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Information relating to the following categories of Data Subjects:

Employees, contractors, consultants, advisors, authorized users, and third-party contacts of data exporter and/or its affiliates
Website visitors of data exporter and/or its affiliates websites (for Cookie Consent Manager)
Customers and other contacts of data exporter and/or its affiliates (for Individual Rights Manager and Dispute Resolution services)

Categories of Personal Data Transferred

Business contact information (e.g., name, business address and email address)
Consent information (e.g., consent unique identifier, record of consent)
Digital identifiers (e.g., IP address, pseudonymous ID, account credentials, and browser and OS type for Cookie Consent Manager)
Other information as provided by Data Subjects on request or unsolicited (e.g., relationship with data exporter for a rights request)

Sensitive Data Transferred (If Applicable)

The Parties do not anticipate that any sensitive data will be transferred. However, it is possible for the Customer to choose to submit sensitive data to the Solutions, the extent of which is determined and controlled by the Customer in its sole discretion, and for which relevant safeguards are specified in the Technical and Organizational Measures.

Frequency of the Transfer

The frequency, type, nature, and purpose of the data transfer will be dependent upon the Customer’s individual use case and discretion using the Solutions, during the term of the Agreement (i.e., transfer frequency may be continuous and/or may be limited in time to a specific session or event).

Nature and Purpose of Personal Data Transfer and Processing

TrustArc will Process and transfer Personal Information, in its capacity as a Processor, and engage Sub-processors, as necessary to perform and operate the Solutions pursuant to the Agreement, as further specified in the applicable list of Approved Sub-processors and Technical and Organizational Measures, and to the extent further instructed by Customer through its use of the Solutions.

Retention of Personal Data

TrustArc will Process and retain Personal Information, in its capacity as a Processor, for the duration of the Agreement, unless otherwise agreed upon in writing or required by applicable law.

Subject-Matter of the Processing

TrustArc provides, directly and through its Sub-processors, a portfolio of privacy-focused software-as-a-service solutions, consulting and managed services. The objective and subject of the Processing of Personal Information by TrustArc as a Processor, is servicing Customer and providing and operating the Solutions. The activities relevant to and/or the objective and subject of the Processing of Personal Information by TrustArc as a Processor, is servicing Customer and providing, supporting, and operating the provision of the Solutions.

SCHEDULE 2 – PROVISIONS RELATED TO THE STANDARD CONTRACTUAL CLAUSES

Identified Parties and Competent Supervisory Authority

Data Exporter

Name: Customer and its Authorized Affiliates established within the European Economic Area and/or Switzerland.

Address: The Customer address identified on the relevant order documentation or Order, as applicable.

Contact Person’s Name, Position, and Contact Details: Customer’s primary contact, position, and details as identified on the relevant order documentation or Order, as applicable.

Activities Relevant to the Data Transferred Under the Standard Contractual Clauses: Customer (data exporter) procures TrustArc’s (data importer) Solutions in the fields of privacy-focused software-as-a-service solutions, consulting, and managed services.

Role: Data Controller

Competent Supervisory Authority: The supervisory authority of the EEA Member State in which Customer is established or, if Customer is not established in the EEA, the EEA Member State in which Customer’s representative is established or in which Customer’s end-users or customers are predominantly located.

Data Importer

Name: TrustArc, Inc

Address: 2121 N. California Blvd. Suite 290, Walnut Creek, CA 94596 USA

Contact Person’s Name, Position, and Contact Details: TrustArc Privacy Team, tel.:+1-415-520-3490 e-mail: [email protected]

Activities Relevant to the Data Transferred Under the Standard Contractual Clauses: TrustArc provides privacy-focused software-as-a-service solutions, consulting, and managed services. The objective and subject of the Processing of Personal Information by TrustArc, as a Processor, is servicing Customer and providing and operating the Solutions. The activities relevant to and/or the objective and subject of the Processing of Personal Information by TrustArc, as a Processor, is servicing Customer and providing, supporting, and operating the provision of the Solutions.

Role: Data Processor