Huble Data Processing Agreement

Version 5.2, Last Modified: 05 November 2024

1. Introduction and Application

1.1. This Data Processing Addendum and its Exhibits (the “DPA”) govern the use and protection of Customer Personal Data by Huble while providing Services to a Customer in terms of a Principal Agreement. 

1.2. The DPA is integral to the Services and forms part of any Principal Agreement concluded between Huble and the Customer. 

2. Definitions and Interpretation

2.1. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. For purposes of this definition.

2.2. “Control” means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

2.3. “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Customer Personal Data.

2.4. “Customer” means the entity procuring the Services from Huble in terms of the Principal Agreement.

2.5. “Customer Personal Data” means any Personal Data pertaining to the Customer’s Data Subjects, which is Processed by Huble in terms of the Principal Agreement. 

2.6. “Data Protection Law” means all laws and regulations applicable to the Processing of Customer Personal Data under the Principal Agreement, including but not limited to the GDPR, the PDPA, the POPIA, and the laws and regulations defined in the Jurisdiction-Specific Terms in Exhibit 3 to this DPA.

2.7. “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as may be amended from time to time.

2.8. “Huble” means the Huble entity providing the Services to the Customer in terms of the Principal Agreement.

2.9. “Instruction” means the written, documented instruction, issued by the Customer as Controller or Processor to Huble as the Processor or Sub-processor, directing Huble to perform a specific Processing action with regard to Customer Personal Data.

2.10. “Parties” means Huble and the Customer, and “Party” shall be a reference to either Huble or the Customer, as the context may require.

2.11. “Principal Agreement” means the written or electronic agreement between Huble and the Customer for the provision of the Services.

2.12. “Processor” means the natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of a Controller.

2.13. “Services” means the services specified in the Principal Agreement, which may include HubSpot marketing, business, sales and services consulting, sales and services onboarding, web development and technical integration, SEO and paid media services.

2.14. “Sensitive Information” means credit or debit card numbers and biometric information.

2.15. “Special Category Data” means Personal Data that will be within the definition of “special categories of data” under the UK GDPR, excluding Sensitive Information as defined in this DPA.

2.16. The terms “Data Subject”, “Personal Data Breach”, “Processing” (or any cognate terms), and “Supervisory Authority” shall all have the same meaning as in the GDPR or the corresponding terms as provided for other Data Protection Law.

2.17. Capitalised terms which are not defined herein have the meaning ascribed to them in the Principal Agreement. 

2.18. In case of any conflict or inconsistency with the terms of the Principal Agreement, this DPA will take precedence. 

3. Processing of Customer Personal Data

3.1. In the course of providing Services under the Principal Agreement, Huble may Process certain Customer Personal Data on behalf of the Customer. Huble and the Customer agree to comply with this DPA in connection with the Processing of such Customer Personal Data. 

3.2. The subject matter and duration of the Processing, nature and purpose of the Processing and types of Customer Personal Data are set out in the Principal Agreement and/or in Exhibit 1 to this DPA.

4. Controllership Roles

4.1. In the context of this DPA, when Customer acts as a Controller, Huble acts as a Processor, and when Customer acts as a Processor, Huble acts as a sub-Processor. For the avoidance of doubt, both situations fall within the scope of this DPA.

5. Customer Responsibility and Undertakings

5.1. When acting as Controller within the scope of the Principal Agreement:

5.1.1. the Customer assumes absolute responsibility for the Instructions given to Huble where applicable and warrants to Huble that it will always comply with its statutory obligations in terms of Data Protection Law, including, without limitation, law regarding the disclosure and transfer of Customer Personal Data to Huble and the Processing of Customer Personal Data;

5.1.2. the Customer will ensure that any Customer Personal Data provided to Huble by, or on behalf of the Customer has been collected lawfully, fairly and in a transparent manner to enable such Customer Personal Data to be processed by Huble for all of the Purposes;

5.1.3. the Customer unconditionally acknowledges and accepts the legal duties imposed on it as a Controller in terms of Data Protection Law and indemnifies Huble for any loss or harm (whether direct or consequential) which may arise as a result of its failure to comply with its obligations as Controller; and

5.1.4. the Customer will ensure that the persons giving instructions to Huble and making decisions in relation with this DPA are authorized by the Customer and that such instructions are binding upon the Customer. Huble shall be entitled to rely on such instructions and decisions.

5.2. If the Customer is a Processor with respect to the Customer Personal Data, the Customer warrants that its Instructions and actions with respect to Processing of the Customer Personal Data, including its appointment of Huble as a sub-Processor have been authorized by the relevant Controller.

5.3. Customer’s Instructions for the Processing of Customer Personal Data shall comply with Data Protection Law and the Customer indemnifies Huble to the greatest extent permissible in law for any direct loss occasioned by Huble acting as Processor on behalf of and/or on the Instructions of the Controller with respect to the Processing of Customer Personal Data pursuant to the Principal Agreement. 

5.4. As between the Parties, the Customer will have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which the Customer acquired such Customer Personal Data.   

5.5. The Customer shall at its sole expense, indemnify and hold Huble harmless against all liability, including legal costs, claims, civil actions, damages, indirect or consequential damages, or expenses incurred by Huble or for which Huble may become liable due to any failure by the Customer or its employees or agents whether authorised or not, to comply with the obligations under the Principal Agreement or Data Protection Law.

5.6. The Customer warrants that the Principal Agreement and this DPA set out the Customer’s complete and final Instruction to Huble in relation to the Processing of Customer Personal Data and any additional Instructions outside the scope of the Principal Agreement will require prior written agreement between the Parties.

5.7. The Customer shall inform Huble without undue delay and comprehensively about any errors or irregularities related to Data Protection Law.

5.8. The Customer shall inform Huble, without delay, if the Processing includes special categories of Customer Personal Data as contemplated by Data Protection Law, including without limitation: financial, medical and health-related information, information regarding children, or any type of Processing of Personal Data that is afforded a higher level of protection under Data Protection Law. In such an event, the Customer shall ensure that any required explicit consent from the data subjects is obtained in writing and securely stored, which shall be specific, informed and unambiguous, as per GDPR Article 9 requirements.

6. Huble's Obligations

6.1. Compliance with Instructions

6.1.1. In relation to the Customer Personal Data, Huble will comply (and will ensure that any of its personnel comply and use commercially reasonable efforts to ensure that its Contracted Sub-Processors comply), with Data Protection Law. 

6.1.2. Huble will collect, Process, and use Customer Personal Data only within the scope of the Customer’s written instructions and in accordance with Data Protection Law. If Huble believes that any Instruction infringes Data Protection Law, it will inform the Customer without undue delay. 

6.1.3. If Huble is unable to Process Customer Personal Data as per Customer’s Instructions due to a legal requirement, Huble will:

6.1.3.1. promptly notify the Customer of that legal requirement before continuing with the Processing; and

6.1.3.2. cease all Processing (other than merely storing and maintaining the security of the affected Customer Personal Data) until such time as the Customer issues new instructions with which we are able to comply. 

6.1.4. If section 6.1.3 of this DPA is invoked, Huble will not be liable to the Customer under the Principal Agreement for any failure to perform until such time as the Customer issues new, lawful Instructions. 

6.1.5. Huble will facilitate the Customer’s compliance obligations to implement security measures with respect to Customer Personal Data (including if applicable, the Customer’s obligations pursuant to Articles 32 to 36 (inclusive) of the GDPR) by: (i) implementing and maintaining the security measures described in terms of our Information Security Policies; (ii) complying with the terms of section 6.3 (Personal Data Breaches) of this DPA; (iii) assisting Customer in meeting its obligations in relation to a data protection impact assessment or prior consultation with a supervisory authority; and (iv) providing the Customer with information in relation to the Processing in accordance with section 7 (Audits) of this DPA.

6.2. Confidentiality

6.2.1. Huble will ensure that any personnel, whether they are employed or contracted as such, who are under Huble’s authority and who are authorised to Process Customer Personal Data are subject to confidentiality obligations with respect to Customer Personal Data.

6.2.2. The undertaking of confidentiality in section 6.2.1 shall continue after the termination of the Processing activities to which the duty of confidentiality relates. 

6.2.3. Such Confidentiality clause does not apply when information is disclosed by the Processor in compliance with a legal requirement of a government agency or otherwise where disclosure is required by force of governing law as specified under the Principal Agreement, provided always that the Processor should, to the extent reasonably possible whilst complying with the governing law as specified under the Principal Agreement, notify the Controller of such requirements prior to any such disclosure and provide the Controller with a reasonable opportunity to contest the requirement to disclose the information or to limit the extent of the disclosure.

6.3. Personal Data Breaches

6.3.1. Huble will notify the Customer as soon as possible after becoming aware of any Personal Data Breach affecting Customer Personal Data.

6.3.2. At the Customer’s request, Huble will promptly provide the Customer with all reasonable assistance to enable the Customer to notify the competent Supervisory Authority/ies and/or affected Data Subjects about any relevant Personal Data Breaches if Customer is required to do so under Data Protection Law.

6.4. Data Subject Requests

6.4.1. Huble will provide reasonable assistance including the implementation of reasonable and appropriate technical and organisational measures, to enable Customer to respond to any Data Subjects seeking to exercise their rights under Data Protection Law (including their right to access, rectification, restriction, deletion, or portability of Customer Personal Data), to the extent permitted by the law. If such a request is made directly to Huble, Huble will promptly inform the Customer and will advise Data Subjects to submit their request to the Customer. The Customer shall be solely responsible for responding to any Data Subjects’ requests. The Customer shall reimburse Huble for any costs arising from this assistance.

6.4.2. Without prejudice to clause 6.2.3, Huble agrees to obtain the written consent from the Customer prior to any request for disclosure of Customer Personal Data by a Data Subject, and where this request is not of a legal nature to which Huble must adhere.

6.5. Data Security  

6.5.1. Taking into account the state of the art, nature, and level of sensitivity of the Customer Personal Data, Huble shall implement appropriate measures toward achieving the required technical and organisational measures to adequately protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data. These measures are outlined in Exhibit 1.

6.6. Contracted Sub-Processors

6.6.1. The Customer authorises Huble to engage Sub-Processors to fulfil its obligations defined in the Principal Agreement (each an “Infrastructure Sub-Processor” or an “Affiliate Sub-Processor”) in accordance with this Section 6.6. For these purposes, Huble may use Huble Affiliates and the third parties listed in Exhibit 2 of this DPA as Contracted Sub-Processors.

6.6.2. If Huble intends to instruct a Contracted Sub-Processor other than the Contracted Sub-Processors listed in Exhibit 2 of this DPA, Huble will notify the Customer in writing (including by way of email to the Customer email address(es) on record) and will give the Customer the opportunity to object to the proposed engagement of the new Contracted Sub-Processor within 14 (fourteen) days of being notified, failing which Huble will be entitled to appoint the Contracted Sub-Processor. Should Customer object to the engagement of a Contracted Sub-Processor, such objection must be based on reasonable grounds (e.g., if the Customer proves that significant risks to the protection of its Customer Personal Data exist at the Contracted Sub-Processor). If Huble and Customer are unable to resolve such objections, either Party may terminate the Principal Agreement in accordance with its provisions relating to termination.  

6.6.3. Where Huble engages a Contracted Sub-Processor, Huble will enter into a contract with the Contracted Sub-Processor that imposes on the Contracted Sub-Processor the same obligations that apply to Huble and the Customer under this DPA. 

6.6.4. Where a Contracted Sub-Processor is engaged, the Customer is granted the right to monitor and inspect the Contracted Sub-Processor’s activities in accordance with this DPA and Data Protection Law, including to obtain information from Huble, upon written request, on the substance of the contract and the implementation of the data protection obligations under the contract with the Contracted Sub-Processor, where necessary, by inspecting the relevant contract documents, provided that Huble’s engagement with the Contracted Sub-Processor does not prohibit such disclosure. Huble reserves the right to redact sections in such contract documents that are of a commercially sensitive nature.

6.6.5. The provisions of this section shall mutually apply if Huble engages a Contracted Sub-Processor in a country which does not provide an adequate level of protection for Customer Personal Data as provided for in Data Protection Law. In this event, Huble will implement measures to ensure an “adequate level of protection”, including, but not limited to, the execution of standard contractual clauses issued pursuant to Data Protection Law by and between Huble and the Contracted Sub-Processor.

6.7. Deletion or Retrieval of Customer Personal Data

6.7.1. Other than to the extent required to comply with Data Protection Law, following termination or expiry of the Principal Agreement, Huble will, at the choice of the Customer, delete or return all Customer Personal Data (including copies thereof) processed pursuant to the Principal Agreement. 

6.7.2. The Customer shall, upon termination or expiration of the Principal Agreement and by way of issuing an instruction, stipulate, within a period of time set by Huble, whether Customer Personal Data should be returned or deleted. Any additional cost arising in connection with the return or deletion of Customer Personal Data shall be borne by the Customer. 

7. Audits

7.1. The Customer may, subject to the confidentiality terms in the Principal Agreement, prior to the commencement of Processing, at annual intervals hereafter, or where a Personal Data Breach is reasonably suspected to have occurred, audit the technical and organisational measures taken by Huble in terms of the Data Protection Laws. For such purpose, the Customer may:

7.1.1. obtain information from Huble, demonstrating Huble’s compliance with the terms of this DPA;   

7.1.2. request an attestation or certificate by an independent professional expert with respect to Huble’s security measures, or 

7.1.3. upon reasonable and timely advance agreement, during regular business hours and without interrupting business operations, conduct an on-site inspection of the business operations or, subject to appropriate confidentiality undertakings, have the same conducted by a qualified third party which shall not be a competitor of Huble. The Controller will impose sufficient confidentiality obligations on its auditors and will be liable for this aspect. 
  
7.2. Huble shall, upon written request, and within a reasonable period of time provide the Customer with all information necessary for purposes of this section 7 of the DPA, to the extent that such information is within Huble’s control and Huble is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party.

7.3. The Customer must, or will request that its external auditors, send a draft version of the audit report to Huble. Huble has the right to submit its comments within a reasonable timeframe. The auditor shall take the comments of Huble into account and include these comments in its final report submitted to the Customer.

7.4. The Customer shall bear the expenses unless any serious non-compliance or breach of data protection obligations is found, in which case the party responsible for the violation shall bear the audit costs. The allocation of costs shall be determined based on the proportionate responsibility for the non-compliance or breach. Both Parties shall cooperate in good faith to minimize audit expenses while ensuring a thorough assessment of data protection practices.

8. Liability

8.1. The Customer shall be liable for, and shall indemnify (and keep indemnified) Huble in respect of any and all action, fines, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and payments on a solicitor and client basis), or demand suffered or incurred by, awarded against, or agreed to be paid by, Huble, including any Contracted Sub-Processor, arising directly or in connection with:

8.1.1. any non-compliance by the Customer with Data Protection Law;

8.1.2. notwithstanding section 6.1.1, any Customer Personal Data Processing carried out by Huble or its Contracted Sub-Processor in accordance with Instructions given by the Customer that infringe Data Protection Law; or

8.1.3. any breach by the Customer of its obligations under this DPA,

except to the extent that Huble or any Contracted Sub-Processor is liable under section 8.2 below. 

8.2. Huble shall be liable for, and shall indemnify (and keep indemnified) the Customer in respect of any and all action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and payments on a solicitor and client basis), or demand suffered or incurred by, awarded against, or agreed to be paid by, the Customer, arising directly with Huble’s Customer Personal Data Processing activities that are subject to this DPA:

8.2.1. only to the extent that the same results from Huble’s breach of this DPA;

8.2.2. subject to Section 8.4 below, only to the extent that the same results from a Personal Data Breach by a Contracted Sub-Processor or a Contracted Sub-Processor’s non-compliance with Data Protection Law; and

8.2.3. not to the extent that the same is or are contributed to by any breach of this DPA by the Customer.

8.3. The Customer shall not be entitled to claim back from Huble or its Contracted Sub-Processors any sums paid in compensation by the Customer in respect of any damage to the extent that the Customer is liable to indemnify Huble under section 8.1 above.

8.4. Notwithstanding anything to the contrary in this DPA, the maximum aggregate liability of Huble, howsoever arising due to a Personal Data Breach at a Contracted Sub-Processor or a Contracted Sub-Processor’s non-compliance with Data Protection Law, shall be limited to 2 (two) times the amount paid to Huble for the Services during the 12 (twelve) month period preceding the date on which the claim arose. 

9. General Provisions

9.1. Where individual provisions of this DPA are invalid or unenforceable, the validity and enforceability of the other provisions of this DPA shall not be affected.

9.2. This DPA is applicable for the duration of the Principal Agreement with surviving provisions applying as the applicable law and context dictates.

9.3. This DPA shall be governed in accordance with the governing law set out in the Principal Agreement.

Exhibit 1: Details of Customer Personal Data and Processing Activities

1. Subject matter of Processing:

The subject matter of the Processing of Customer Personal Data pertains to the provision of Services in terms of the Principal Agreement. 

2. Nature and purpose of Processing:  

The nature and purpose of Processing pertain to the provision of the Service to Customer, pursuant to the Principal Agreement, this DPA and the Customer’s Instructions.

3. Duration of the Processing:  

Until the earliest of (i) expiry/termination of the Principal Agreement, or (ii) the date upon which Processing is no longer necessary for the purposes of either Party performing its obligations under the Principal Agreement (to the extent applicable).

4. Categories of Data Subjects: 

Customer contacts and other end users, including the Customer’s employees, contractors, collaborators, customers, prospects, suppliers, and subcontractors.   

Data Subjects also include individuals attempting to communicate with or transfer Customer Personal Data to the Customer’s end users.  

5. Categories of Customer Personal Data:  

-Contact Information, the extent of which is determined and controlled by the Customer in its sole discretion.

-Biographical data, demographic data, personal statements, personal interests, purchase history.
-Employment details & history, employee performance data.
-Details of goods or services provided to or for the benefit of individuals.
-Navigational data, browsing history and cookies (including website usage information).
-Email data, system usage data, application integration data, and other electronic data submitted, stored, sent, or received by end-users via the HubSpot subscription service.

6. Special categories of Customer Personal Data:

Special categories of Customer Personal Data will be Processed under this DPA. The Customer is obligated to inform Huble if any special categories of Customer Personal Data will be Processed in terms of Section 5.8 of the DPA. 

7. Description of the technical and organizational measures implemented by Huble:

Huble will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia:

-the pseudonymisation and encryption of personal data where possible;
-the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
-the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
-a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.

In addition, the following information security policies will apply to the Processing of Customer Personal Data:

- Huble Digital Group’s Acceptable Use Policy (“AUP”): The purpose of the AUP is to outline the acceptable use of computer systems at the Huble Digital Group. These rules are in place to protect the Huble Digital Group’s information against loss or theft, unauthorised access, disclosure, copying, use, modification or destruction.
-Information Classification and Handling Policy (“ICHP”): Huble Digital Group has a responsibility to protect the information it holds and processes using controls appropriate to the sensitivity of the information involved. Only by classifying information according to a documented scheme can the correct level of protection be applied. The ICHP sets out the details of the scheme to be adopted and the criteria applied in deciding which level of protection to apply to any given information asset. Employees will be responsible for Huble Digital Group’s data and information and for mitigating the risks of an information security breach. Classification of information and documents according to this ICHP will determine the way in which the document is handled, published, moved, and stored – and thereby ensuring that appropriate protections are in place.
-Information Security Policy (“ISP”): The ISP sets out the information security landscape including supporting policies, procedures, frameworks and controls both technical and administrative at Huble Digital Group such that they enable the organisation to operate smoothly and in line with the ISO/IEC:27001 standards.
-Document Management Policy: Documented information within the scope of Huble Digital Group’s established Information Security Management System (“ISMS”) must be controlled in such a way that meets both business requirements and recognised international standards which are established and maintained within this policy.
-Two Factor Authentication Policy (“TFAP”): The TFAP establishes the requirements for individuals within the scope of the ISMS to make use of two factor authentication methods on all core systems as defined within the policy and all other systems used within the course of the employment or service provision to Huble Digital Group where available.

For transfers to Contracted Sub-Processors, the specific technical and organizational measures to be taken by the Contracted Sub-Processors to be able to provide assistance to the Controller and, for transfers from a Processor to Contracted Sub-Processors, to the data exporter:

When Huble engages a Contracted Sub-Processor under this DPA, Huble and the Contracted Sub-Processor must enter into an agreement with data protection terms substantially similar to those contained in this DPA. 

Huble must ensure that the agreement with each Contracted Sub-Processor allows Huble to meet its respective obligations with respect to the Customer. In addition to implementing technical and organizational measures to protect Customer Personal Data, a Contracted Sub-Processor must:

-notify Huble in the event of a Personal Data Breach;

-delete Customer Personal Data when instructed by Huble in accordance with the Customer’s Instructions to Huble;

-establish clear procedures to promptly respond to data subject’s request regarding their Special Category Data;

-not engage additional Contracted Sub-Processors without Huble’s authorization; and

-not process Customer Personal Data in a manner which conflicts with the Customer’s instructions to Huble.

8. Data Breach Notification Procedures:

In the event of a personal data breach involving Special Category Data, Huble shall follow robust procedures to promptly detect, report, and investigate the breach in compliance with GDPR Article 33 and 34.

9. Frequency of transfers:

Personal Data is transferred in accordance with the Customer’s Instructions to Huble to Process Customer Personal Data for the provision of the Services under the Principal Agreement.

10. Audits and Reviews:

Huble shall, upon written request, be allowed to conduct Data Protection Impact Assessments (DPIAs) for processing activities involving Special Category Data to identify and mitigate risks to data subjects’ rights and freedoms.

11. Further Processing:

Huble will not carry out further Processing on Customer Personal Data. Processing is limited to what is strictly necessary for the provision of the Services.

10. Controllership Roles:

Data Exporter: Customer, acting as a Controller or Processor in terms of Section 4.1 of this DPA. 

Data Importer: Huble, acting as a Processor or sub-Processor in terms of Section 4.1 of this DPA.

Exhibit 2: List of Contracted Processors


Exhibit 3: Jurisdiction-Specific Terms

1. European Economic Area

1.1. For purposes of this DPA:

1.1.1. “EU 2021 SCCs” means contractual clauses adopted by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

1.1.2. “Restricted Transfer of EEA Personal Data” means any transfer of Customer Personal Data subject to the GDPR which is undergoing Processing or is intended for Processing after transfer to an EEA Third Country or an international organization in an EEA Third Country, including data storage on foreign servers.

1.1.3. “EEA” means the European Economic Area, consisting of the European Union Member States, and Iceland, Liechtenstein, and Norway.

1.1.4. “EEA Third Country” means a country outside of the EEA.

1.2. With regard to any Restricted Transfer of EEA Personal Data from Customer to Huble within the scope of this DPA and the Principal Agreement, the following mechanisms, in the order of precedence, shall apply:

1.2.1. an adequacy decision adopted by the European Commission in terms of Article 45 of the GDPR that provides that the EEA Third Country, a territory, or one or more specified sectors within that EEA Third Country, or the international organization in question to which Customer Personal Data is to be transferred ensures an adequate level of data protection;

1.2.2. the EU 2021 SCCs, in so far as their use constitutes an “appropriate safeguard” under Article 46 of the GDPR and Data Protection Law; or

1.2.3. any other lawful data transfer mechanism, as provided for in the GDPR.

1.3. EU 2021 SCCs:

1.3.1. This DPA incorporates by reference the EU 2021 SCCs. The Parties are deemed to have accepted, executed, and signed the EU 2021 SCCs in their entirety, including the annexes thereto. 

1.3.2. The contents of Annex I and Annex II of the EU 2021 SCCs are set out in Exhibit 1 to this DPA. The content of Annex III of the EU 2021 SCCs is set out in Exhibit 3 to this DPA. Annex 1 to this Exhibit supplements the EU 2021 SCCs as indicated therein.

1.3.3. The following modules of the EU 2021 SCCs shall apply as specified below:

1.3.3.1. Module 2 of the EU 2021 SCCs (Controller to Processor) to the extent that the Customer, acting as “data exporter”, is the Controller, and Huble, acting as “data importer”, is the Processor, in accordance with section 4.1 of this DPA. 

1.3.3.2. Module 3 of the EU 2021 SCCs (Processor to sub-Processor) to the extent that the Customer, acting as “data exporter”, is the Processor, and Huble, acting as “data importer”, is the sub-Processor, in accordance with section 4.1 of this DPA.

1.3.4. The Parties agree to make the following choices pursuant to the EU 2021 SCCs:

1.3.4.1. The Parties do not elect to include Clause 7 (Docking Clause) of the EU 2021 SCCs.

1.3.4.2. The Parties select “Option 2: General Authorization” and the time period set forth in section 6.6.2 of this DPA for purposes of Clause 9 of the EU 2021 SCCs.
 
1.3.4.3. In respect of Clause 11 of the EU 2021 SCCs, the Parties agree not to provide the right to lodge a dispute with an independent dispute resolution body. 

1.3.4.4. In respect of Clause 13 of the EU 2021 SCCs:

1.3.4.4.1. where the Customer is established in the EEA, the competent supervisory authority shall be the authority for the EEA country in which the Customer is established;

1.3.4.4.2. where the Customer is not established in the EEA, but has appointed a representative in the EEA pursuant to Article 27(1) of the GDPR, the competent supervisory authority shall be the authority for the EEA country in which such representative has been appointed; or

1.3.4.4.3. where the Customer is not established in the EEA and has not appointed a representative in an EEA country pursuant to Article 27(1) of the GDPR, the supervisory authority in one of the EEA countries in which the Data Subject whose Customer Personal Data is transferred under the EU 2021 SCCs, in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, shall act as competent supervisory authority. 

1.3.4.5. In respect of Clause 17 of the EU 2021 SCCs, the Parties select “Option 2”. Accordingly, the EU 2021 SCCs shall be governed by the law of the EU Member State in which the Customer is established. Where such law does not provide for third-party beneficiary rights, the EU 2021 SCCs shall be governed by the law of the Republic of Ireland.

1.3.4.6. In respect of Clause 18 of the EU 2021 SCCs, the Parties agree that any dispute arising from the EU 2021 SCCs shall be resolved by the courts of the Republic of Ireland.

2. Germany

2.1. For purposes of this DPA:

2.1.1. “Data Protection Law” as defined in Section 2 of this DPA includes the Federal Data Protection Act (BDSG) of 30 June 2017 Law on the Protection of Individuals with Regard to the Processing of Personal Data as amended from time to time as the case may be.

3. Belgium

3.1. For purposes of this DPA:

3.1.1. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. For purposes of this definition, “Control” means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity or the power to exert decisive influence over the management of such entity.

3.1.2. “Data Protection Law” as defined in Section 2 of this DPA includes the Belgian Act of 30 July 2018 Law on the Protection of Individuals with Regard to the Processing of Personal Data as amended from time to time as the case may be.

4. United Kingdom

For purposes of this DPA:

4.1. “Data Protection Law” as defined in Section 2 of this DPA includes UK Data Protection Law.

4.1.1. “UK Addendum” means the International Data Transfer Addendum to the EU 2021 Standard Contractual Clauses, issued by the UK Information Commissioner, Version B1.0, in force as of 21 March 2022, as amended from time to time.

4.1.2. “UK Third Country” means a country outside of the United Kingdom. 

4.1.3. “Restricted Transfer of UK Personal Data” means any transfer of Customer Personal Data subject to the UK GDPR which is undergoing Processing or is intended for Processing after transfer to a UK Third Country or an international organization in a UK Third Country, including data storage on foreign servers.

4.1.4. “UK Data Protection Law” means the GDPR, as it forms part of domestic law in England and Wales, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or a part of the United Kingdom from time to time) (the “UK GDPR”) and the Data Protection Act 2018, as may be amended from time to time.

4.1.5. With regards to any Restricted Transfer of UK Personal Data from Customer to Huble within the scope of this DPA and the Principal Agreement, the following mechanisms, in the order of precedence, shall apply:

4.2.1. an adequacy decision adopted in accordance with Article 45 of the UK GDPR that provides that the UK Third Country, a territory, or one or more specified sectors within that UK Third Country, or the international organization in question to which Customer Personal Data is to be transferred ensures an adequate level of data protection;

4.2.2. the EU 2021 SCCs, using the UK Addendum, in so far as their use constitutes an “appropriate safeguard” under Article 46 of the UK GDPR and UK Data Protection Law; or

4.2.3. any other lawful data transfer mechanism, as provided for in the UK Data Protection Law.

4.3. EU 2021 SCCs:

4.3.1. This DPA incorporates by reference the EU 2021 SCCs. The Parties are deemed to have accepted, executed, and signed the EU 2021 SCCs in their entirety, including the annexes thereto. 

4.3.2. The contents of Annex I and Annex II of the EU 2021 SCCs and tables of the UK Addendum are set out in Exhibit 1 to this DPA. The content of Annex III of the EU 2021 SCCs is set out in Exhibit 3 to this DPA.  supplements the EU 2021 SCCs as indicated therein.

4.3.3. The following modules of the EU 2021 SCCs shall apply as specified below:

4.3.3.1. Module 2 of the EU 2021 SCCs (Controller to Processor) to the extent that the Customer, acting as “data exporter”, is the Controller, and Huble, acting as “data importer”, is the Processor, in accordance with section 4.1 of this DPA. 

4.3.3.2. Module 3 of the EU 2021 SCCs (Processor to sub-Processor) to the extent that the Customer, acting as “data exporter”, is the Processor, and Huble, acting as “data importer”, is the sub-Processor, in accordance with section 4.1 of this DPA.

4.4. The Parties agree to make the following choices pursuant to the EU 2021 SCCs and the UK Addendum:

4.4.1. The Parties do not elect to include Clause 7 (Docking Clause) of the EU 2021 SCCs.

4.4.2. The Parties select “Option 2: General Authorization” and the time period set forth in section 6.6.2 of this DPA for purposes of Clause 9 of the EU 2021 SCCs.

4.4.3. In respect of Clause 11 of the EU 2021 SCCs, the Parties agree not to provide the right to lodge a dispute with an independent dispute resolution body. 

5. California

5.1. For purposes of this DPA:

5.1.1. “California Data Protection Law” includes the California Consumer Privacy Act of 2018, Assembly Bill 375 of the California House of Representatives, an act to add Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, including the California Consumer Privacy Act Regulations (collectively, the “CCPA”), and the California Privacy Rights Act of 2020 (the “CPRA”).

5.1.2. “Controller” (as defined in this DPA) includes “Business” as defined in the California Data Protection Law.

5.1.3. “Data Protection Law” (as defined in this DPA) includes California Data Protection Law.

5.1.4. “Data Subject” (as defined in this DPA) includes “Consumer” as defined in the California Data Protection Law.

5.1.5. “Personal Data” (as defined in this DPA) includes “Personal Information” as defined in California Data Protection Law.

5.1.6. The terms “Business Purpose”, “Commercial Purpose”, “Sell”, and “Share” shall have the meanings ascribed to them in California Data Protection Law.

5.2. Customer discloses Customer Personal Data to Huble only for a valid Business Purpose, and to enable Huble to perform the Services under the Principal Agreement. 

5.3. To the extent Huble Processes Customer Personal Data subject to the CCPA, Huble will comply with the obligations of the CCPA in its performance of the Principal Agreement. In this regard, Huble agrees that it will not Sell or Share Customer Personal Data, retain, use, or disclose Customer Personal Data other than providing the Services or as permitted by the CCPA, nor retain, use, or disclose Customer Personal Data except where permitted under the Principal Agreement.

5.4. Huble certifies that it will comply with the restrictions outlined in this section 3 of this Exhibit.

6. South Africa

For purposes of this DPA:

6.1.1. “Binding Corporate Rules” (for the purpose of this Section 4) shall have the meaning ascribed to it in Section 72(2)(a) of the POPIA.

6.1.2. “Controller” (as defined in this DPA) includes a “Responsible Party” as defined in the POPIA. 

6.1.3. “Data Protection Law” (as defined in this DPA) includes the South African Protection of Personal Information Act 4 of 2012 (“POPIA”).

6.1.4. “Personal Data” (as defined in this DPA) includes “Personal Information” as defined in the POPIA.

6.1.5. “Processor” (as defined in this DPA) includes an “Operator” as defined in the POPIA.

6.1.6. “Restricted Transfer of SA Personal Data” means any transfer of Customer Personal Data subject to the POPIA which is undergoing Processing or is intended for Processing after transfer to a SA Third Country or an international organization in a SA Third Country, including data storage on foreign servers.

6.1.7. “SA Third Country” means a country outside of the Republic of South Africa.

6.2. With regards to any Restricted Transfer of SA Personal Data from Customer to Huble within the scope of this DPA and the Principal Agreement, the following mechanisms, in the order of precedence, shall apply:

6.2.1. Data Protection Law to which Huble is subject, that effectively upholds the principles for reasonable processing of Personal Data that are substantially similar to the conditions for the lawful processing of Personal Data relating to a Data Subject, and which includes provisions substantially similar to Section 72 of the POPIA, relating to any further onward transfer of Personal Data (for the purposes of this Section 4.2.1 of this Exhibit, the Parties agree that transfers to Huble entities within the EEA, which are subject to the GDPR and Huble entities within the UK, which are subject to UK Data Protection Law, comply with this mechanism);

6.2.2. if implemented by Huble, Binding Corporate Rules in line with the provisions of Section 72(1)(a) of the POPIA; 

6.2.3. the terms of this DPA, as a binding agreement between the Parties to effectively uphold the principles for reasonable processing of Personal Data that are substantially similar to the conditions for the lawful processing of Personal Data relating to a Data Subject, and which includes provisions substantially similar to Section 72 of the POPIA, relating to any further onward transfer of Personal Data; or

6.2.4. any other lawful data transfer mechanism, as provided for in the POPIA.

7. Singapore 

7.1. For purposes of this DPA:

7.1.1. “ASEAN MCCs” means the ASEAN Model Contractual Clauses, as approved on 22 January 2021 by the Association of Southeast Asian Nations.

7.1.2. “Binding Corporate Rules” (for the purpose of this Section 5) shall have the meaning ascribed to it in Section 11(3) of the SDPR.

7.1.3. “Data Protection Law” (as defined in this DPA) includes the Singapore Data Protection Act 2012 and the Singapore Data Protection Regulations 2021 (the “SDPR”, and collectively, the “SDPA”).

7.1.4. “Processor” (as defined in this DPA) includes a “Data Intermediary” as defined in the SDPA.

7.1.5. “Restricted Transfer of Singapore Personal Data” means any transfer of Customer Personal Data subject to the SDPA which is undergoing Processing or is intended for Processing after transfer to a Singapore Third Country or an international organization in a Singapore Third Country, including data storage on foreign servers.

7.1.6. “Singapore Third Country” means a country outside of the Republic of Singapore.

7.2. With regards to any Restricted Transfer of Singapore Personal Data from Customer to Huble within the scope of this DPA and the Principal Agreement, the following mechanisms, in the order of precedence, shall apply:

7.2.1. Data Protection Law to which Huble is subject, allows for legally enforceable obligations to provide the transferred Personal Data a standard that is at least comparable to the protection under the SDPA (for the purposes of this Section 5.2.1 of this Exhibit, the Parties agree that transfers to Huble entities within the EEA, which are subject to the GDPR and Huble entities within the UK, which are subject to UK Data Protection Law, comply with this mechanism);

7.2.2. if implemented by Huble, Binding Corporate Rules in line with the provisions of Section 11(3) of the SDPA;

7.2.3. the ASEAN MCCs, incorporated by reference into this DPA, as contained in Annex 2 to this Exhibit; or

7.2.4. any other lawful data transfer mechanism, as provided for in the SDPA.

8. Canada

For purposes of this DPA:

8.1. “Data Protection Law” (as defined in this DPA) includes the Canadian Federal Personal Information Protection and Electronic Documents Act (“PIPEDA”).

8.2. “Contracted Sub-Processor” (as defined in this DPA) includes a “Third Party Organization” as defined under the PIPEDA.

8.3. “Personal Data” (as defined in this DPA) includes “Personal Information” as defined under the PIPEDA.

8.4. “Personal Data Breach” (as defined in this DPA) includes a “Breach of Security Safeguards” as defined under the PIPEDA.

9. General

In cases where the EU 2021 SCCs or ASEAN MCCs apply, and there is a conflict between the terms of this DPA and the terms of the EU 2021 SCCs or ASEAN MCCs, the terms of the EU 2021 SCCs or ASEAN MCCs shall prevail. 

Annex 1 to Exhibit 3: Supplementary Measures

This Annex 1 to Exhibit 3 (the “Annex”) provides additional safeguards and redress to the Data Subjects whose Customer Personal Data is transferred to Huble pursuant to the EU 2021 SCCs. This Annex supplements and is made part of, but is not in variation or modification of the EU 2021 SCCs.

1. Applicability of this Annex

1.1 This Annex only applies with respect to Restricted International Transfers when the EU 2021 SCCs apply to such Restricted International Transfers pursuant to this Addendum and its exhibits.

2. Definitions

2.1. For the purpose of interpreting this Annex, the following terms shall have the meanings set out below:

2.2. “Data Importer” and “Data Exporter” shall have the same meaning assigned to them in Exhibit 1, read with Exhibit 3.

2.3. “Disclosure Request” means any request from a law enforcement authority or other governmental authority with competent authority and jurisdiction over the Data Importer for disclosure of Customer Personal Data processed under this DPA.

2.4. “EO 12333” means the U.S. Executive Order 12333.

2.5. “FISA” means the U.S. Foreign Intelligence Surveillance Act.

2.6. “Restricted International Transfers” means a Restricted Transfer of EEA Personal Data or a Restricted Transfer of UK Personal Data, as defined in Exhibit 3.

2.7. “Schrems II Judgment” means the judgment of the European Court of Justice in Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximilian Schrems.

3. Applicability of Surveillance Laws to Data Importer and its Contracted Sub-Processors

3.1. U.S. Surveillance Laws

3.1.1. Data Importer represents and warrants that, as of the effective date of this DPA, it has not received any national security orders of the type described in Paragraphs 150-202 of the Schrems II judgment.

3.1.2. Data Importer represents that it reasonably believes that it is not eligible to be required to provide information, facilities, or assistance of any type under FISA Section 702 because:

3.1.2.1. No court has found Data Importer to be an entity eligible to receive legal process issued under FISA Section 702: (i) an “electronic communication service provider” within the meaning of 50 U.S.C. § 1881(b)(4); or (ii) an entity belonging to any of the categories of entities described within that definition.

3.1.2.2. If Data Importer were to be found eligible for process under FISA Section 702, which it believes it is not, it is nevertheless also not the type of provider that is eligible to be subject to UPSTREAM collection pursuant to FISA Section 702, as described in paragraphs 62 and 179 of the Schrems II judgment.

3.1.2.3. EO 12333 does not provide the U.S. government the ability to order or demand that Data Importer provide assistance for the bulk collection of information and Data Importer shall take no action pursuant to U.S. Executive Order 12333.

3.2. General provisions about surveillance laws applicable to Data Importer

3.2.1. The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination of Customer Personal Data applicable to the Processing of Customer Personal Data by Data Importer, including any requirements to disclose Customer Personal Data or measures authorizing access by public authorities, prevent Data Importer from fulfilling its obligations under the EU 2021 SCCs (where applicable). 

3.2.2. Data Importer shall monitor any legal or policy developments that might lead to its inability to comply with its obligations under the EU 2021 SCCs and this Annex, and promptly inform Data Exporter of any such changes and developments. When possible, Data Exporter shall inform Data Exporter of any such changes and developments ahead of their implementation.

4. Obligation on Data Importer Related to Disclosure Requests

4.1. In the event Data Importer receives a Disclosure Request, Data Importer shall:

4.1.1. Promptly (and, when possible, before disclosing the transferred Customer Personal Data to the public authority) notify Data Exporter of the Disclosure Request, and, where possible, the Data Subject, unless prohibited by law, or, if so prohibited from notifying Data Exporter, use all lawful efforts to obtain the right to waive the prohibition to communicate information relating to the Disclosure Request to Data Exporter as soon as possible. This includes, but is not limited to, informing the requesting public authority of the incompatibility of the Disclosure Request with the safeguards contained in the EU 2021 SCCs and the resulting conflict of obligations for Data Importer and documenting this communication.

4.1.2. Ask the public authority that issued the Disclosure Request to redirect its request to the Data Exporter to control conduct of the disclosure.

4.1.3. Use all lawful efforts to challenge the Disclosure Request on the basis of any legal deficiencies under the laws of the requesting party or any relevant conflicts with the law of the European Union or applicable EEA Member State law or any other Data Protection Laws and demand that the public authority aims to obtain such information via co-operation with government bodies in each jurisdiction (such as using an alternative established treaty or mechanism to allow government-government sharing of information).

4.1.4. Seek interim measures with a view to suspend the effects of the Disclosure Request until a competent court has decided on the merits.

4.1.5. Not disclose the requested Customer Personal Data until required to do so under the applicable procedural rules.

4.1.6. Provide the minimum amount of information permissible when responding to the request, based on a reasonable interpretation of the request.

4.1.7. Document all the steps taken by Data Importer related to the Disclosure Request.

4.2. For the purposes of this Section, lawful efforts do not include actions that would result in civil or criminal penalty such as contempt of court under the laws of the relevant jurisdiction.

5. Information on Requests for Personal Data by Public Authorities

5.1. Data Importer commits to provide Data Exporter with sufficiently detailed information on all requests for Personal Data by public authorities which Data Importer has received over a specified period of time (if any), in particular in the areas of intelligence, law enforcement, administrative, and regulatory supervision applicable to the transferred data and comprising information about the requests received, the data requested, the requesting body, and the legal basis for disclosure and to what extent Data Importer has disclosed the requested Personal Data. Data Importer may choose the means to provide this information.

6. Backdoors

6.1. Data Importer certifies that:

6.1.1. It has not purposefully created backdoors or similar programming for governmental agencies that could be used to access Data Importer’s systems or Customer Personal Data subject to the EU 2021 SCCs.

6.1.2. It has not purposefully created or changed its business processes in a manner that facilitates governmental access to Customer Personal Data or systems.

6.1.3. National law or government policy does not require Data Importer to create or maintain back doors or to facilitate access to Customer Personal Data or systems.

6.2. Data Exporter will be entitled to terminate the contract upon 30 days’ prior written notice to the Data Importer in cases in which Data Importer does not reveal the existence of a back door or similar programming or manipulated business processes or any requirement to implement any of these or fails to promptly inform Data Exporter once their existence comes to its knowledge.

7. Information About Legal Prohibitions

7.1. Data Importer will provide Data Exporter information about the legal prohibitions on Data Importer to provide information under this Annex. Data Importer may choose the means to provide this information.

8. Additional Measures to Prevent Authorities from Accessing Customer Personal Data

8.1. Notwithstanding the application of the security measures set forth in this DPA, Data Importer will implement the following technical, organizational, administrative, and physical measures designed to protect the transferred Customer Personal Data:

8.1.1. Encryption of the transferred Customer Personal Data in transit using the Transport Layer Security (TLS) protocol version 1.2 or higher with a minimum of 128-bit encryption;

8.1.2. Encryption at rest within software applications used by Data Importer using a minimum of AES-256;

8.1.3. Active monitoring and logging of network and database activity for potential security events, including intrusion;

8.1.4. Regular scanning and monitoring of any unauthorized software applications and IT systems for vulnerabilities of Data Importer;

8.1.5. Restriction of physical and logical access to IT systems that Process transferred Customer Personal Data to those officially authorized persons with an identified need for such access;

8.1.6. Firewall protection of external points of connectivity in Data Importer’s network architecture;

8.1.7. Expedited patching of known exploitable vulnerabilities in the software applications and IT systems used by Data Importer; and

8.1.8. Internal policies establishing that:

8.1.8.1. Where Data Importer is prohibited by law from notifying Data Exporter or the Data Subject of a request or order from a public authority for transferred Customer Personal Data, Data Importer shall take into account the laws of other jurisdictions and use best efforts to request that any confidentiality requirements be waived to enable it to notify the competent supervisory authorities;

8.1.8.2. Data Importer must require an official, signed document issued pursuant to the applicable laws of the requesting third party before it will consider a request for access to transferred Customer Personal Data; 

8.1.8.3. Data Importer shall scrutinize every request for legal validity and, as part of that procedure, will reject any request Data Importer considers to be invalid; 

8.1.8.4. If Data Importer is legally required to comply with an order, it will respond as narrowly as possible to the specific request; and

8.1.8.5. If Data Importer receives a request from public authorities to cooperate on a voluntary basis, Customer Personal Data transmitted in plain text may only be provided to public authorities with the express agreement of Data Exporter.

9. Inability to Comply with this Annex and the EU 2021 SCCs

9.1. If Data Importer determines that it is no longer able to comply with its contractual commitments under this Annex, Data Exporter can swiftly suspend the transfer of Customer Personal Data and/or terminate the Principal Agreement upon 30 days’ prior written notice.

9.2. If Data Importer determines that it is no longer able to comply with the EU 2021 SCCs or this Annex, Data Importer shall return or delete the Customer Personal Data received in reliance on the EU 2021 SCCs. If returning or deleting the Customer Personal Data received is not possible, Data Importer must securely encrypt the data without necessarily waiting for Data Exporter’s instructions.

9.3. Data Importer shall provide the Data Exporter with sufficient indications to exercise its duty to suspend or end the transfer of Customer Personal Data and/or terminate the contract upon 30 days’ prior written notice.

10. Termination

This Annex shall automatically terminate with respect to the Processing of Customer Personal Data transferred in reliance on the EU 2021 SCCs if the European Commission or a competent regulator approves a different transfer mechanism that would be applicable to the Restricted International Transfers covered by the EU 2021 SCCs (and if such mechanism applies only to some of the data transfers, this Annex will terminate only with respect to those transfers) and that does not require the additional safeguards set forth in this Annex.

Annex 2 to Exhibit 3: ASEAN MCCs

Module 1: Contractual Provisions for Controller-to-Processor Transfers

1. Definitions 

1.1. “AMS Law”: Any and all written laws of an ASEAN Member State relating to data protection (or are, minimally, relevant to the transfer of Personal Data) which the Data Exporter or the Data Importer (or both) are subject to. 

1.2. “Data Breach”: Any loss or unauthorised use, copying, modification, disclosure, or destruction of, or access to, Personal Data transferred under this contract. 

1.3. “Data Exporter”: The Party which transfers Personal Data to the Data Importer under this contract. 

1.4. “Data Importer”: The Party which receives Personal Data from the Data Importer for Processing under this contract. 

1.5. “Data Sub-Processor”: Any person or legal entity which may be engaged by the Data Importer to assist in the Data Exporter’s Processing of Personal Data on behalf of the Data Exporter. 

1.6. “Enforcement Authority”: Any public authority empowered by applicable AMS Law to implement and enforce the applicable AMS Law. 

1.7. “Personal Data”: Any information relating to an identified or identifiable natural person (“Data Subject”) transferred under this contract. 

1.8. “Processing”: Any operation or set of operations that are performed on Personal Data or on sets of Personal Data, whether or not by automated means, including, for example, collection, use and disclosure of Personal Data. 

2. Obligations of Data Exporter 

The Data Exporter warrants, represents and undertakes that: 

2.1. The Personal Data has been collected, used, disclosed and transferred to the Data Importer under this contract in accordance with applicable AMS Law. In the absence of such law, where reasonable and practicable, the Data Subject has been notified of and given consent to the purpose(s) of the collection, use, disclosure and/or transfer of his/her Personal Data. 

2.2. Any Personal Data that have been transferred under this contract is accurate and complete to the extent necessary for the purposes identified by the Data Exporter in order to comply with Clause 2.1. 

2.3. The Data Exporter shall implement adequate technical and operational measures to ensure the security of the Personal Data during transmission to the Data Importer. 

2.4. The Data Exporter shall respond to enquiries from Data Subjects or Enforcement Authorities regarding the Processing of Personal Data by the Data Importer as required by applicable AMS Law, including requests to access or correct Personal Data, unless the Parties have agreed in writing that the Data Importer shall so respond, and such delegation is permitted by applicable AMS Law. Responses to such enquiries and requests shall be made within a reasonable time frame or within the time frame and in the manner, if any, required under the applicable AMS Law. 

3. Obligations of Data Importer 

The Data Importer warrants, represents and undertakes that: 

3.1. The Data Importer shall process the Personal Data only in compliance with the Data Exporter’s instructions and for the purposes described in Exhibit 1 of the DPA. 

3.2. The Data Importer shall not further disclose or transfer the Personal Data it receives from the Data Exporter to another person, Enforcement Authority or legal entity, including to Data Sub-Processors, unless it has notified the Data Exporter of such further disclosure or transfer in writing, and provided reasonable opportunity for the Data Exporter to object. 

3.3. The Data Importer agrees that prior to any disclosure or transfer of Personal Data to third parties, including to Data Sub-Processors, the Data Importer shall ensure that the third party shall be subject to and bound by the obligations of the Data Importer to the Data Exporter. 

3.4. The Data Importer shall promptly communicate and refer to the Data Exporter any enquiries and requests from Data Subjects relating to the Personal Data transferred by the Data Exporter, including requests to access or correct the Personal Data. 

3.5. Upon the termination of this contract or completion of Processing required under this contract, the Data Importer shall, at the election of the Data Exporter, either return to the Data Exporter the Personal Data held in its possession pursuant to this contract, or cease to retain such Personal Data in a manner approved of by the Data Exporter. The Data Importer agrees to confirm this with the Data Exporter in writing once action has been taken to cease to retain such Personal Data.

3.6. The Data Importer shall have in place reasonable and appropriate technical, administrative, operational and physical measures, consistent with applicable AMS Laws to protect the confidentiality, integrity and availability of Personal Data, in particular against risks of Data Breaches. 

3.7. If the Data Importer becomes aware that a Data Breach has occurred affecting Personal Data in its possession or under its control, or in the possession or under the control of an importer of an onward disclosure or transfer of the Personal Data, it shall notify the Data Exporter without undue delay.

3.8. The Data Importer shall promptly notify and consult with the Data Exporter regarding any investigation regarding the collection, use, transfer, disclosure, security, or disposal of the Personal Data transferred under this contract, unless otherwise prohibited under law. 

3.9. The Data Importer shall provide prompt assistance to the Data Exporter upon request for the purposes of clause 2.4; and where the Data Importer has agreed in writing, to respond to enquiries and requests from Data Subjects or Enforcement Authorities regarding its Processing of Personal Data when notified by the Data Exporter. 

Commercial Components

4. Choice of Law; Disputes: 

4.1. This contract shall be interpreted according to the laws of the Republic of Singapore. 

4.2. If there is any conflict or inconsistency between clauses in this contract and AMS Law, then the applicable AMS law shall prevail. 

Termination of Contract 

6.1. In the event that: 

6.1.1. the transfer of Personal Data to the Data Importer has been temporarily suspended by the Data Exporter for longer than 60 days pursuant to Clause 5.1; 

6.1.2. compliance by the Data Importer with this contract would put it in breach of its obligations under the law in the country in which it is Processing the Personal Data; 

6.1.3. the Data Importer is in material breach of any obligations under this contract; 

6.1.4. the Data Importer ceases its operations voluntarily or involuntarily, announces its intent to cease operations, or transfers all or substantially all of its assets to a non-affiliated entity, then the Data Exporter, without prejudice to any other rights which it may have against the Data Importer, shall be entitled to terminate this contract. In cases covered by (6.1.1) or (6.1.2) above, the Data Importer may also terminate this contract.

6.2. In the event that: 

6.2.1. compliance by the Data Exporter with this contract would put it in breach of its obligations under the law; 

6.2.2. the Data Exporter is in material breach of any obligations under this contract; 

6.2.3. the Data Exporter ceases its operations voluntarily or involuntarily, announces its intent to cease operations, or transfers all or substantially all of its assets to a non-affiliated entity, then the Data Importer, without prejudice to any other rights which it may have against the Data Exporter, shall be entitled to terminate this contract. In cases covered by (6.2.1) above, the Data Exporter may also terminate this contract. 

6.3. The Parties agree that the termination of this contract at any time, in any circumstances and for whatever reason does not exempt them from the obligations of this contract regarding the return or deletion of the Personal Data transferred. 

7. Variation 

7.1. The Parties may, by written agreement, adopt or modify this contract where consistent with the principles set forth in the ASEAN Framework on Personal Data Protection, or as required by applicable AMS Law. This does not preclude the Parties from adding or amending clauses, by written agreement, as appropriate for their commercial or business arrangements.

8. Description of the Transfer 

8.1. The details of the transfer and the Personal Data involved are specified in Exhibit 1 of the DPA. 

Additional Terms for Individual Remedies 

This section contains the additional provisions and should be read as forming part of the attached contract between the Parties. Words and phrases given a defined meaning in these additional terms have the same meaning in the contract. If there is any inconsistency between these additional terms and the contract, these additional terms shall prevail. 

Individual Remedies: 

1.1. The Parties acknowledge that the law of the Republic of Singapore confers a right on Data Subjects to enforce the data protection warranties and undertakings of this contract as third-party beneficiaries. The Parties agree that this contract shall uphold such rights of Data Subjects under the law of the Republic of Singapore.

1.2. Data Subjects can enforce against the Data Exporter (Clauses 2.1 and 2.4) as third-party beneficiaries.

1.3. Data Subjects can enforce against the Data Importer (Clause 3.4). 

1.4. Data Subjects can enforce against Sub-Processors (Clauses 2.1, 2.4 and 3.4) when both the Data Exporter and Data Importer have ceased operations, ceased to exist in law, or transferred all or substantially all of their assets to a non-associated entity such that the non-associated entity has assumed the legal obligations of the Data Exporter by contract or operation of law. 

1.5. To the extent authorized by applicable AMS Law, Data Subjects may obtain compensation for breaches of this contract by either the Data Importer and/or Data Exporter (as prescribed by applicable AMS Law or, if such law is silent on the allocation of compensation, then from both the Data Importer and Data Exporter in equal shares). 

1.6. The Parties do not object to a Data Subject being represented by another body if the Data Subject expressly wishes so and such representation is permitted by applicable law.