Online Data Processing Addendum
This Agreement was last updated on October 20, 2025, and supersedes any previous versions.
This Data Processing Addendum (“Addendum”) is entered into by and between Purpose Brands Intermediate LLC or the Purpose Brands Affiliate that is a party to the Agreement (“Company”) and the named organization that is a party to the Agreement (“Vendor”) and is effective as of the execution date of the Agreement (“Effective Date”).
This Addendum forms a part of any agreement between Company and Vendor which incorporates this Addendum (the “Agreement”) related to Vendor's provision of certain products or services (the “Services”). Except as modified herein, the terms of the Agreement shall remain in full force and effect.
The parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement.
- 1. Definitions. For purposes of this Addendum, the following terms will have the meanings set forth below. Capitalized terms used but not otherwise defined in this Addendum will have the meaning given to them in the Agreement.
- 1.1. “Affiliate” means an entity that (i) owns or controls, is owned or controlled by, or is under common control or ownership with, either Company or Vendor respectively; or (ii) an entity that operates under trademarks directly or indirectly controlled by the Company and that shares data with the Company or another Company Affiliate including, but not limited to, Company franchisees, master franchisees and sub-franchisees. “Control,” for purposes of this definition, means the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
- 1.2. “Company Personal Data” means any Personal Data received by Vendor or a Subprocessor on behalf of Company in connection with the Agreement, or any Personal Data created or otherwise Processed by Vendor or Subprocessor pursuant to the Agreement.
- 1.3. “California Data Protection Laws” means the California Consumer Privacy Act of 2018 (“CCPA”), Cal. Civ. Code Section 1798.100, et seq., as amended from time to time (including but not limited to those amendments enacted by the California Privacy Rights Act of 2020 (“CPRA”)).
- 1.4. “Data Protection Laws” means any and all laws, rules and regulations related to privacy, security, data protection, and/or the Processing of Personal Data, in any relevant jurisdiction, each as amended, replaced or superseded from time to time.
- 1.5. “Data Subject” means the identified or identifiable person to whom Personal Data relates.
- 1.6. “Deidentified Information” means information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular Data Subject.
- 1.7. “European Data Protection Laws” means all data protection laws and regulations applicable to the European Economic Area and Europe, including (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“General Data Protection Regulation” or “GDPR”), as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time; (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (“ePrivacy Directive”), as amended, replaced or superseded from time to time; and (iii) the United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland (“UK GDPR”).
- 1.8. “Personal Data” means (a) information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular person or household; and (b) any information defined as “personal data”, “personal information,” or other similar terms under applicable Data Protection Laws.
- 1.9. “Personal Data Breach” means (a) the accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure of, or access to, Company Personal Data transmitted, stored or otherwise Processed by Vendor or any Subprocessor; and (b) any other broader circumstance defined by applicable Data Protection Laws as a “breach,” “data breach,” “personal data breach” or other similar term.
- 1.10. “Processing” means any operation or set of operations that is performed upon Personal Data, whether or not by automatic means, such as access, collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, return or destruction. The terms “Process”, “Processes” and “Processed” will be construed accordingly.
- 1.11. “Processor” means any person or entity which Processes Company Personal Data, including as applicable any “service provider” or “contractor” as those terms are defined by applicable Data Protection Laws.
- 1.12. “Regulator” means any independent public authority, government agency, and any similar regulatory authority responsible for the enforcement of Data Protection Laws.
- 1.13. “Sensitive Personal Data” means any Personal Data which is defined as Sensitive Data, Sensitive Information, or any other similar term by Applicable Data Protection Laws.
- 1.14. “Subprocessor” means any Processor (including any third party and any Vendor Affiliate) appointed by or on behalf of Vendor who may Process Company Personal Data.
- 2. Processing of Personal Data
- 2.1. General Applicability Terms. This Section 2.1 applies to all Processing of Company Personal Data.
- 2.1.1. The subject-matter and details of Vendor's Processing (including the duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects) are set forth in Exhibit 1 attached to this Addendum.
- 2.1.2. Vendor acknowledges and agrees that, with regard to the Processing of Company Personal Data, Vendor is acting as a Processor. Vendor further certifies that Vendor (a) understands the obligations and restrictions imposed on it by applicable Data Protection Laws in its role as a Processor; and (b) will comply with all such obligations, including providing the same level of privacy protection as required by applicable Data Protection Laws.
- 2.1.3. Vendor will only Process Company Personal Data on behalf of Company (a) to the extent, and in such a manner, as is necessary for the purposes of fulfilling its obligations under the Agreement; and (b) in accordance with the terms of the Agreement and this Addendum, which together constitute Company's instructions. The restrictions set forth in this section shall not restrict Vendor's ability to Process Company Personal Data where required to do so by applicable laws to which Vendor is subject; provided, however, Vendor shall promptly notify Company of such legal requirement before Processing, unless such law prohibits such notification.
- 2.1.4. If Vendor receives Deidentified Information from Company, or creates Deidentified Information at Customer's instruction, Vendor will (a) take reasonable measures to ensure the Deidentified Information cannot be associated with a Data Subject or household, (b) publicly commit to maintain and use the Deidentified Information in deidentified form, and (c) not attempt to reidentify the Deidentified Information except for the sole purpose of determining whether the Vendor's deidentification processes satisfy the requirements of applicable Data Protection Laws.
- 2.2. California Specific Terms. This Section 2.2 applies to the extent the Processing involves Personal Data subject to the California Data Protection Laws.
- 2.2.1. Subject to Vendor's compliance with this Addendum, Company agrees to make Company Personal Data available to Vendor for the limited and specified purpose of providing the Services as contemplated by the Agreement.
- 2.2.2. Without limiting Vendor's obligations under Section 2.1, Vendor will not:
- 2.2.2.1. retain, use, or disclose Company Personal Data for any purpose other than to perform its obligations under the Agreement, which for the avoidance of doubt prohibits Vendor from retaining, using, or disclosing Company Personal Data outside of the direct business relationship with Company or for any other purpose;
- 2.2.2.2. “sell” or “share” (as those terms are defined by applicable Data Protection Laws) Company Personal Data; or
- 2.2.2.3. combine Company Personal Data with Personal Data Vendor receives from or on behalf of another person or entity or collects from its own interactions with a Data Subject except to perform a business purpose as defined in regulations adopted pursuant to Cal. Civ. Code 1798.185(a)(10).
- 2.2.3. Company reserves the right to take reasonable and appropriate steps to help ensure that Vendor Processes Company Personal Data in a manner consistent with Company's obligations under Data Protection Laws, including without limitation, the right upon notice to stop and remediate any unauthorized Processing of Company Personal Data.
- 2.2.4. Vendor will notify Company immediately if Vendor determines it can no longer meet its obligations under applicable Data Protection Laws or this Addendum.
- 2.3. Europe Specific Terms. To the extent the Processing involves Personal Data subject to the European Data Protection Laws, Vendor will immediately inform Company if, in Vendor's opinion, a Processing instruction violates applicable Data Protection Laws.
- 3. Vendor Personnel. Vendor will take reasonable steps to ensure that access to Company Personal Data is limited to those of its Affiliates, employees, agents, and subcontractors who (a) have a need to know or otherwise access Company Personal Data to enable Vendor to perform its obligations under the Agreement and this Addendum, and (b) who are bound in writing by confidentiality obligations sufficient to protect the confidentiality of Company Personal Data in accordance with the terms of this Addendum.
- 4. Security.
- 4.1. Vendor will implement and maintain appropriate technical and organizational safeguards to protect Company Personal Data that are no less rigorous than accepted industry standards for information security and will ensure that all such safeguards comply with applicable Data Protection Laws. Such safeguards are further specified in Exhibit 2 attached to this Addendum. In assessing the appropriate level of security, Vendor will take into account the risks that are presented by Processing, in particular from accidental, unauthorized, or unlawful destruction, loss, alteration, damage, disclosure of, or access to Company Personal Data transmitted, stored, or otherwise Processed.
- 4.2. Vendor will document its security measures and evaluations of such security measures in written form and make those documents available to Company for review upon Company's request.
- 4.3. Vendor will ensure that there is no material decrease in the level of security afforded to Company Personal Data while this Addendum is in effect. Any material decrease in the security safeguards shall be reported to Company without delay.
- 4.4. Vendor bears full and complete responsibility for the security of all processing of Company Personal Data by Vendor and its Subprocessors.
- 5. Personal Data Breach. In the event of a Personal Data Breach impacting Company Personal Data, Vendor will (a) notify Company without undue delay, but no later than twenty-four (24) hours after Vendor or any Subprocessor becomes aware of such Personal Data Breach; (b) provide Company with sufficient details of the Personal Data Breach to allow Company to meet any obligations under Data Protection Laws to report or inform Data Subjects or relevant Regulators of the Personal Data Breach; and (c) cooperate, and require any Subprocessor to cooperate, with Company in the investigation, mitigation, and remediation of any such Personal Data Breach.
- 6. Subprocessors
- 6.1. Vendor and Vendor Affiliates will not engage any Subprocessor without notifying Company. Such notification shall include full details of the Processing to be undertaken by the Subprocessor. Neither Vendor nor Vendor Affiliates shall appoint (nor disclose any Company Personal Data to) the proposed Subprocessor except with the prior written consent of Company.
- 6.2. With respect to any authorized Subprocessor, Vendor and Vendor Affiliates will:
- 6.2.1. carry out adequate due diligence to ensure that each Subprocessor is capable of meeting the requirements set forth in this Addendum;
- 6.2.2. enter into a written agreement with each Subprocessor containing the same obligations imposed on Vendor under this Addendum and applicable Data Protection Laws with respect to Company Personal Data; and
- 6.2.3. remain fully liable to Company for the acts or omissions of its Subprocessors.
- 7. Data Subject Rights
- 7.1. Vendor will promptly notify Company within five business days if it receives a request from a Data Subject regarding Company Personal Data, including a request by a Data Subject to exercise a right under Data Protection Laws. Vendor will await instructions from Company concerning whether, and how, to respond to such a request.
- 7.2. Vendor will promptly assist Company in fulfilling Company's obligations to respond to such requests, including at minimum, maintaining the ability to access, modify, remove from Processing, or irrevocably delete or destroy the Personal Data of an individual Data Subject when requested by Company.
- 7.3. Should the Vendor or any Subprocessor directly perform any data collection from Data Subjects in connection with the Company's instructions, the Vendor will ensure that Data Subjects receive the Company's Privacy Policy at or before the point at which any information is collected about the Data Subject.
- 7.4. If Vendor Processes Sensitive Personal Data from Company, Vendor will comply with all additional instructions relating to such Sensitive Personal Data that may be provided by Company to Vendor. Upon notice to Vendor from Company, Vendor will promptly carry out any requests to limit use and disclosure of Sensitive Personal Data that may be made to Company by consumers.
- 8. Deletion or Return of Company Personal Data
- 8.1. At any time during the term of the Agreement at Company's request, or upon the termination or expiration of the Agreement for any reason, Vendor will, and will instruct all Subprocessors to, promptly or in any event within thirty (30) calendar days of the effective date of termination (a) return to Company all copies of Company Personal Data in its possession, or the possession of such Subprocessor, or (b) delete and procure the deletion of all other copies of Company Personal Data Processed by Vendor or any Subprocessor. Vendor will comply with all reasonable directions provided by Company with respect to the return or deletion of Company Personal Data.
- 8.2. Vendor shall provide written certification to Company that it and each Subprocessor has fully complied with Section 8.1 within seven (7) days of Company's request for return or deletion of Company Personal Data or termination of the Agreement.
- 8.3. Notwithstanding Section 8.1 above, Vendor may retain Company Personal Data if required by applicable Data Protection Laws, but only to the extent and for such period as required by such legal requirement. Vendor will notify Company in writing if it believes that such a legal requirement exists. If required by law to retain Company Personal Data, Vendor will continue to ensure the security and confidentiality of such Company Personal Data and only Process such Company Personal Data as necessary for the purpose specified in the applicable Data Protection Laws requiring such storage.
- 9. Compliance and Audits
- 9.1. Upon Company's request, Vendor will provide such assistance as Company reasonably requires in ensuring compliance with Company's obligations under applicable Data Protection Laws, including but not limited to any data protection impact assessments and any prior consultations with any Regulator where required.
- 9.2. In addition to any audit rights Company may have under the Agreement, Vendor will make available to Company all information necessary to demonstrate Vendor's compliance with this Addendum, as well as any applicable Data Protection Laws, and will allow for and contribute to audits, including inspections, by Company, or a third-party auditor mandated by Company, in order to assess Vendor's compliance. Vendor will fully cooperate with such audits or assessments by providing reasonable access to knowledgeable personnel; physical premises; and any relevant records, documentation, processes, and systems in order that Company may satisfy itself of Vendor's compliance with this Addendum.
- 9.3. Company undertaking an audit shall give Vendor reasonable notice of any audit or inspection to be conducted under section 9.2 and shall make (and ensure that each of its mandated auditors makes) reasonable endeavors to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to the Vendor's premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection.
- 10. International Data Transfers
- 10.1. If the Processing (including storage) of Company Personal Data involves the transfer of Company Personal Data from the European Economic Area (“EEA”) to a jurisdiction outside of the EEA where the transfer would be prohibited by Data Protection Laws in the absence of standard contractual clauses or another adequate transfer mechanism as approved by the European Commission, the parties agree that such transfer(s) will be carried out in accordance with and subject to the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council annexed to the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (“EU SCCs”) as set out in Exhibit 3 attached to this Addendum. To the extent there is any conflict between this Addendum and the EU SCCs, the terms of the EU SCCs will prevail.
- 10.2. If the Processing (including storage) of Company Personal Data involves the transfer of Company Personal Data from the United Kingdom (“UK”) to a jurisdiction outside of the UK where the transfer would be prohibited by Data Protection Laws in the absence of standard contractual clauses or another adequate transfer mechanism as approved by the UK Information Commissioner's Office (“ICO”), the Parties agree that such transfer(s) will be carried out in accordance with and subject to the International Data Transfer Agreement A1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 (“UK IDTA”) as set out in Exhibit 4 attached to this Addendum. To the extent there is any conflict between this Addendum and the UK IDTA, the terms of the UK IDTA will prevail.
- 10.3. If the Processing (including storage) of Company Personal Data involves the transfer of Company Personal Data from Switzerland to a jurisdiction outside of Switzerland where the transfer would be prohibited by Data Protection Laws in the absence of standard contractual clauses or another adequate transfer mechanism as approved by the Swiss Federal Data Protection and Information Commissioner (“FDPIC”), the parties agree that such transfer(s) will be carried out in accordance with and subject to the EU SCCs as amended by the Addendum to the EU SCCs attached hereto as Exhibit 5.
- 10.4. Insofar as the Agreement involves the transfer of Company Personal Data from any other jurisdiction where applicable Data Protection Laws require that additional steps, or safeguards, be imposed before the data can be transferred to a second jurisdiction, Vendor agrees to cooperate with Company to take appropriate steps to comply with applicable Data Protection Laws.
- 11. Indemnity. Vendor will defend, indemnify, and hold harmless Company and Company Affiliates from and against any third-party claim arising out of or relating to Vendor's failure to comply with any of its obligations under this Addendum.
- 12. Termination. Vendor's failure to comply with any of the provisions of this Addendum will be considered a material breach of the Agreement. In such event, Company may terminate the Agreement as permitted under the Agreement. Upon expiration or termination of the Agreement for any reason, Vendor's obligations under this Addendum in relation to the Processing of Personal Data will continue for as long as Vendor has access to Company Personal Data.
- 13. Changes in Data Protection Laws. If any variation is required to this Addendum as a result of a change in or subsequently applicable Data Protection Laws, the parties agree to discuss and negotiate in good faith any variations to this Addendum necessary to address such changes, with a view to agreeing and implementing those or alternative variations as soon as practicable.
- 14. General Terms. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum will remain valid and in force. The invalid or unenforceable provision will be either: (a) amended as necessary to ensure its validity and enforceability, while preserving the intent of the provision as closely as possible or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein. This Addendum and the other portions of the Agreement will be read together and construed, to the extent possible, to be in concert with each other. In the event of any conflict between the Agreement and this Addendum, this Addendum will govern with respect to the subject matter of this Addendum.
List of Exhibits:
- Exhibit 1: Details of Processing
- Exhibit 2: Description of Technical and Organizational Security Measures
- Exhibit 3: EU SCCs
- Exhibit 4: UK IDTA
- Exhibit 5: Addendum to the EU SCCs for Transfers out of Switzerland
Exhibit 1
Details of Processing
- 1. Subject Matter of Processing
The subject-matter of Processing of Company Personal Data by Vendor is the performance of the Services pursuant to the Agreement.
- 2. Nature and Purpose of Processing
Company Personal Data will be Processed as necessary to perform the Services pursuant to the Agreement and will be subject to the processing activities described in the Agreement or any applicable Statement of Work or Order Form that makes reference to, is incorporated under, or is subject to the Agreement.
- 3. Duration of Processing
Subject to section 8 of the Addendum, Vendor will Process Company Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
- 4. Categories of Data Subjects
The types of Data Subject shall be as is contemplated or related to the Processing described in the Agreement or any Statement of Work or Order Form that makes reference to, is incorporated under, or is subject to the Agreement.
- 5. Types of Personal Data
The types of Company Personal Data shall be as is contemplated or related to the Processing described in the Agreement or any Statement of Work or Order Form that makes reference to, is incorporated under, or is subject to the Agreement.
Exhibit 2
Description of Technical and Organizational Security Measures
Vendor will implement and maintain appropriate technical and organizational measures to meet its obligations under applicable Data Protection Laws. For example, Vendor will:
- inform all employees that Company Personal Data is confidential and subject to contractual and legal protections;
- instruct employees to access or display Company Personal Data only in secure locations;
- require that all devices used to store or transfer Company Personal Data are encrypted and subject to a strong password policy that requires a password at initial startup and upon waking from sleep;
- require multi-factor authorization and other account protection as available;
- prohibit employees from using portable drives to hold Company Personal Data;
- protect servers behind a firewall and perform periodic vulnerability tests, remediating every 30 days;
- use reasonable technical and organizational measures to ensure that Company Personal Data is (i) encrypted when in transit and at rest in a manner designed to prevent access by third parties without appropriate credentials (including government agencies); and (ii) anonymized or pseudonymized where appropriate in light of the purposes of the relevant Processing activities;
- only transfer Company Personal Data using unique and randomly generated links for sharing files, which automatically expire at a maximum of 10 days.
Exhibit 3
Standard Contractual Clauses - Controller to Processor
The parties hereby agree that they will comply with the EU Standard Contractual Clauses: Module 2, which are incorporated herein by reference, a copy of which can be found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en. The Parties agree that the following terms apply:
- 1. Clause 7: The Parties have chosen to include Clause 7.
- 2. Clause 9(a): The data importer has the data exporter's general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 15 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
- 3. Clause 11(a): The Parties do not incorporate the optional language allowing a data subject to lodge a complaint with an independent dispute resolution body at no cost to the data subject.
- 4. Clause 13(a): The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
- 5. Clause 17: These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.
- 6. Clause 18(b): The Parties agree that those shall be the courts of the EU Member State in which the data exporter is established.
ANNEX I TO THE STANDARD CONTRACTUAL CLAUSES
A. LIST OF PARTIES
Data exporter(s):
| Name: | Company |
| Address: | Refer to Signatories of the Agreement |
| Contact person's name, position and contact details: | Refer to Signatories of the Agreement |
| Activities relevant to the data transferred under these Clauses: | For the provision of the Services to Company as contemplated under the Agreement. |
| Signature and date: | Refer to Signatories of the Agreement |
| Role (controller/processor): | Controller |
Data importer(s):
| Name: | Vendor |
| Address: | Refer to Signatories of the Agreement |
| Contact person's name, position and contact details: | Refer to Signatories of the Agreement |
| Activities relevant to the data transferred under these Clauses: | For the provision of the Services to Company as contemplated under the Agreement. |
| Signature and date: | Refer to Signatories of the Agreement |
| Role (controller/processor): | Processor |
B. DESCRIPTION OF TRANSFER
Refer to Exhibit 1 of this Addendum.
C. COMPETENT SUPERVISORY AUTHORITY
The EU Member State in which the data exporter is established.
ANNEX II TO THE STANDARD CONTRACTUAL CLAUSES – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
A description of the technical and organisational measures implemented by the data importer(s) is set forth in Exhibit 2 of the Addendum.
Exhibit 4
UK International Data Transfer Agreement
Part 1: Tables
Table 1: Parties and signatures
| Start date | The Effective Date of the Addendum | |
| The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
| Parties' details | Company | Vendor |
| Key Contact | Refer to Signatories of the Agreement | Refer to Signatories of the Agreement |
| Importer Data Subject Contact | Refer to Signatories of the Agreement | Refer to Signatories of the Agreement |
| Signatures confirming each Party agrees to be bound by this IDTA | Refer to Signatories of the Agreement | Refer to Signatories of the Agreement |
Table 2: Transfer Details
| UK country's law that governs the IDTA: |
☑ England and Wales ☐ Northern Ireland ☐ Scotland |
| Primary place for legal claims to be made by the Parties |
☑ England and Wales ☐ Northern Ireland ☐ Scotland |
| The status of the Exporter | In relation to the Processing of the Transferred Data: ☑ Exporter is a Controller ☐ Exporter is a Processor or Sub-Processor |
| The status of the Importer | In relation to the Processing of the Transferred Data: ☐ Importer is a Controller ☑ Importer is the Exporter's Processor or Sub-Processor ☐ Importer is not the Exporter's Processor or Sub-Processor (and the Importer has been instructed by a Third Party Controller) |
| Whether UK GDPR applies to the Importer | ☑UK GDPR applies to the Importer's
Processing of the Transferred Data ☐UK GDPR does not apply to the Importer's Processing of the Transferred Data |
| Linked Agreement | The agreement(s) between the Parties which sets out the Purpose for Processing
the Transferred Data: Name of agreement: Master Services Agreement (the “Agreement”) Date of agreement: The Effective Date. Parties to the agreement: Refer to Signatories of the Agreement Reference (if any): |
| Term | The Importer may Process the Transferred Data for the following time
period: ☑the period for which the Linked Agreement is in force ☐time period: ☐(only if the Importer is a Controller or not the Exporter's Processor or Sub-Processor) no longer than is necessary for the Purpose. |
| Ending the IDTA before the end of the |
☑the Parties cannot end the IDTA before
the end of the Term unless there is a breach of the IDTA or the Parties agree in
writing. ☐the Parties can end the IDTA before the end of the Term by serving: ____ months' written notice, as set out in Section 29 (How to end this IDTA without there being a breach). |
| Ending the IDTA when the Approved IDTA changes | Which Parties may end the IDTA as set out in Section 29.2:
☐Importer ☐Exporter ☑neither Party |
| Can the Importer make further transfers of the Transferred Data? |
☑The Importer MAY transfer on the
Transferred Data to another organisation or person (who is a different legal
entity) in accordance with Section 16.1 (Transferring on the Transferred Data).
☐The Importer MAY NOT transfer on the Transferred Data to another organisation or person (who is a different legal entity) in accordance with Section 16.1 (Transferring on the Transferred Data). |
| Specific restrictions when the Importer may transfer on the Transferred Data |
The Importer MAY ONLY forward the Transferred Data in accordance with Section 16.1:
☑if the Exporter tells it in writing that it may do so. ☐to: ______ ☐to the authorised receivers (or the categories of authorised receivers) set out in: ☐there are no specific restrictions. |
| Review Dates | First review date: Effective Date of the Addendum. The Parties must review the Security Requirements at least once: ☐ each ____ month(s) ☐ each quarter ☐ each 6 months ☐ each year ☐ each ____ year(s) ☑ each time there is a change to the Transferred Data, Purposes, Importer Information, TRA or risk assessment, to the extent that Importer is made aware of such changes; Importer will conduct a review at the time of contract renewal |
Table 3: Transferred Data
| Transferred Data | The personal data to be sent to the Importer under this IDTA consists of that data outlined in Exhibit 1 of the Addendum. The categories of Transferred Data will update automatically if the information is updated in the Linked Agreement referred to. |
| Special Categories of Personal Data and Criminal Convictions and Offences | The Transferred Data includes data relating to that data outlined in Exhibit 1 of the Addendum. The categories of special category and criminal records data will update automatically if the information is updated in the Linked Agreement referred to. |
| Relevant Data Subjects | The Data Subjects of the Transferred Data are those data subjects outlined in Exhibit 1 of the Addendum. The categories of Data Subjects will update automatically if the information is updated in the Linked Agreement referred to. |
| Purpose | The Importer may Process the Transferred Data for the purposes set out in the Addendum. The purposes will update automatically if the information is updated in the Linked Agreement referred to. |
Table 4: Security Requirements
| Security of Transmission | As set out in Exhibit 2 of the Addendum. |
| Security of Storage | As set out in Exhibit 2 of the Addendum. |
| Security of Processing | As set out in Exhibit 2 of the Addendum. |
| Organisational security measures | As set out in Exhibit 2 of the Addendum. |
| Technical security minimum requirements | As set out in Exhibit 2 of the Addendum. |
| Updates to the Security Requirements | The Security Requirements will update automatically if the information is updated in the Linked Agreement referred to. |
Part 2: Extra Protection Clauses
| Extra Protection Clauses: | N/A |
Part 3: Commercial Clauses
| Commercial Clauses: | Commercial Clauses are not used |
Part 4: Mandatory Clauses
| Mandatory Clauses: | Part 4: Mandatory Clauses of the Approved IDTA, being the template IDTA A.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 5.4 of those Mandatory Clauses. |
Exhibit 5
Addendum to the EU SCCs
In accordance with guidance issued by the Swiss Federal Data Protection and Information Commissioner (FDPIC) titled “The transfer of personal data to a country with an inadequate level of data protection based on recognised standard contractual clauses and model contracts,” dated 27 August 2021, the parties hereby agree to adopt the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council annexed to the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (the “EU SCCs”) as adapted by this Addendum in order to comply with Swiss legislation and thus be suitable for ensuring an adequate level of protection for data transfers from Switzerland to a third country in accordance with Article 6 paragraph 2 letter a of the Federal Act on Data Protection (“FADP”).
- 1. Selected SCCs, Modules and Selected Clauses
The version of the EU SCCs which this Addendum is appended to, detailed below:
Reference (if any): Module 2 of the EU SCCs as set forth in Exhibit 3 of the Data Processing Addendum.
- 2. Amendments to the EU SCCs
The following amendments are hereby made to the EU SCCs in order for the EU SCCs to comply with Swiss legislation and thus be suitable for ensuring an adequate level of protection for data transfers from Switzerland to a third country in accordance with Article 6 paragraph 2 letter a FADP.
- 2.1 Competent supervisory authority in Annex I.C under Clause 13: The competent supervisory authority shall be the FDPIC, insofar as the data transfer is governed by the FADP; and shall be the EU authority referenced in Annex I.C insofar as the data transfer is governed by the GDPR.
- 2.2 Applicable law for contractual claims under Clause 17: Applicable law for contractual claims under Clause 17 shall be Swiss law or the law of a country that allows and grants rights as a third party beneficiary for contractual claims regarding data transfers pursuant to the FADP; law of an EU member state for those according to the GDPR.
- 2.3 Place of jurisdiction for actions between the parties pursuant to Clause 18 b: Free choice for actions concerning data transfers pursuant to the FADP; court of an EU member state for actions concerning data transfers pursuant to the GDPR.
- 2.4 Adjustments or additions concerning the place of jurisdiction for actions brought by data subjects: The term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c).
- 2.5 Adjustments or additions regarding references to the GDPR: References to the GDPR should be understood as references to the FADP insofar as the data transfers are subject to the FADP.
- 2.6 Supplement until the entry into force of the FADP: The EU SCCs shall also protect the data of legal entities until the entry into force of the revised FADP.