(including EU SCCs, UK IDTA, and California Privacy Laws requirements)
This Data Processing Addendum (the “DPA”) forms part of the Appfire Partner Agreement (the “Agreement”), concluded by and between Appfire and the Partner, under which the Partner agrees to provide Appfire with certain services (the "Services"). All capitalized terms that are not expressly defined in this DPA will have the meanings given to them in the Agreement. The term of this DPA corresponds to the duration of the cooperation of the Parties under the Agreement. In case of a conflict between the terms of the DPA and the Agreement, the terms of the DPA shall prevail with regards to processing and protection of personal data. This DPA supersedes and replaces all prior agreements between the Partner and Appfire regarding the subject matter of this DPA. This DPA does not apply to the processing of personal data as described in section 14 of the Agreement, whereas it governs the processing of personal data as referred to in section 14A of the Agreement.
1. DEFINITIONS
In this DPA, the terms below shall have the following meanings:
“Appfire”, “our”, “us,” or “we” means Appfire Technologies, LLC., a Delaware limited liability company, with a principal place of business at 1500 District Avenue, Burlington, MA 01803;
“Partner”, “your”, or “you” means the Partner as defined in the Agreement;
“Data Protection Legislation” means (i) the Privacy and Electronic Communications Directive, 2002/58/EC; (ii) the General Data Protection Regulation (“EU GDPR”), (EU) 2016/679; (iii) the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance (“Swiss DPA”); (iv) the UK Data Protection Act of 2018 and any applicable national legislation that replaces or converts to domestic law of the UK, the GDPR, or any other law related to data privacy as a consequence of the UK leaving the EU (“UK GDPR”); (v) any legislation and/or regulation implementing or made pursuant to the foregoing; (vi) the US State Privacy Laws, including but not limited to the California Privacy Laws; and (vii) any other laws and regulations in the EU, Switzerland, the UK or US, which relate to data privacy, the processing or protection of personal data or data security and which are applicable to Licensee, in each case as may be amended, suspended or replaced from time to time;
“US State Privacy Laws” means the applicable privacy laws enacted by a state of the United States of America, including, but not limited to applicable laws of California, Colorado, Connecticut, Utah and Virginia, including but not limited to the Colorado Privacy Act, Connecticut Data Privacy Act, the Utah Consumer Privacy Act, the Virginia Consumer Data Protection Act and California Privacy Laws;
“California Privacy Laws” means the applicable privacy laws of the State of California, including:
- the California Privacy Act of 2018 (California Civil Code §§1798.100 to 1798.199), and its implementing regulations, as amended or supplemented from time to time (the “CCPA”), and
- the California Privacy Rights Act of 2020 (2020 Cal. Legis. Serv. Proposition 24 codified at California Civil Code §§ 1798.100 et seq.), and its implementing regulations, as amended or supplemented from time to time (the “CPRA”);
“EEA” means the European Economic Area;
“EU” means the European Union;
“GDPR” means, collectively, the EU GDPR and the UK GDPR;
“Personal Data” shall have the meaning given under the GDPR, US State Privacy Laws, or other applicable Data Protection Legislation, including “personal information” and “personally identifiable information”, or an analogous term as may be defined by applicable Data Protection Legislation.
“Processing”, “Data Subject”, “Special Categories of Personal Data”, “Controller (or “data controller”)”, “Special Categories”, “Sub-Processor” and “Appropriate Technical and Organizational Measures” - shall have the meanings given to them under the GDPR and US State Privacy Laws, or other applicable Data Protection Legislation that is applicable, and “process”, “processes” and “processed”, with respect to any Personal Data, shall be interpreted accordingly; “Processor” or “data processor” shall have the meaning given under the GDPR, US State Privacy Laws, or analogous in other applicable Data Protection Legislation, including “service provider” as that term is defined by the CCPA;
“Standard Contractual Clauses” or “SCCs” means:
- where the EU GDPR or Swiss DPA apply, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Module 2 (Controller to Processor) or Module 3 (Processor to Sub-Processor), as applicable) (“2021 SCCs”) which can be found at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en; and
- where the UK GDPR applies, and: (a) Personal Data relevant to Data Subjects located in the UK only is the subject of the transfer, the International Data Transfer Agreement issued by the UK Information Commissioner’s Office (the “UK IDTA”) which can be found at https://ico.org.uk/media/for-organisations/documents/4019538/international-data-transfer-agreement.pdf; or (b) Personal Data relevant to Data Subjects located in the UK and the EEA is the subject of the transfer, the contractual clauses issued by the UK Information Commissioner’s Office to be appended to those contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries (the “UK Addendum”) which can be found at https://ico.org.uk/media/for-organisations/documents/4019483/international-data-transfer-addendum.pdf in addition to the applicable modules of the 2021 SCCs; and
“UK” means the United Kingdom.
2. DATA PROCESSING
2.1. Scope and Roles. The provisions of this DPA shall apply where the Data Protection Legislation applies to your Processing of personal data of our customers that we provide to you for purposes of the performance of the Agreement (from this point also referred to as Personal Data or Appfire’s Sale Contacts) and where you process that Personal Data in the course of providing us the Services under the Agreement. We are a Controller and you are a Processor in relation to Appfire’s Sale Contacts.
2.2. Details of the Processing. The subject-matter of the Processing is to perform the Agreement, in particular the services set out in clause 3 of the Agreement, with regards to Appfire’s Sale Contacts (i.e. Appfire’s existing and/or prospective customers, whose personal data Appfire shall share with you for purposes of rendering of the services to us under the Agreement). Appendix 1 of this DPA sets out the nature and purpose of the processing, and additional details regarding the Processing of Personal Data.
3. OBLIGATIONS OF THE PARTNER
3.1. The Partner agrees and warrants:
3.1.1. to process Appfire’s Sale Contacts only on behalf of Appfire and in accordance with its documented instructions, unless otherwise required by the applicable Data Protection Legislation;
3.1.2. to process Appfire’s Sale Contacts only for the purpose of carrying out the Services or as otherwise instructed by Appfire, and not for Partner’s own purposes;
3.1.3. to process Appfire’s Sale Contacts in compliance with this DPA;
as well as the Partner agrees and warrants:
3.1.4. that if it is legally required to process Personal Data otherwise than as instructed by Appfire, it shall notify Appfire before such processing occurs, unless the law requiring such processing prohibits Partner from providing such notification to Appfire on an important ground of public interest, in which case it shall notify Appfire as soon as that law permits it to do so;
3.1.5. that it has implemented and will maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access and, in particular, where the processing involves the transmission of data over a network, against all other unlawful forms of processing. Having regard to the state of the art and cost of their implementation, Partner agrees that such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of Personal Data to be protected.
3.1.6. that it will treat all Personal Data as confidential information and ensure that its personnel who have access to the Personal Data:
(i) are both informed of the confidential nature of the Personal Data and obliged to keep such Personal Data confidential; and
(ii) are aware of and comply with Partner’s duties and their personal duties and obligations under this DPA;
3.1.7. that it will notify Appfire, without undue delay, of:
(i) any instruction which, in its opinion, infringes applicable law;
(ii) any actual or suspected security breach, unauthorized access, misappropriation, loss, damage or other compromise of the security, confidentiality, or integrity of Personal Data processed by Partner or Partner’s Sub-processor ("Security Breach"); and
(iii) any complaint, communication or request received directly by Partner or its Sub-processor from a data subject, and pertaining to their personal data, without responding to that request unless it has been otherwise authorized to do so by Appfire;
3.1.8. that upon discovery of any Security Breach, it shall:
(i) immediately take action to prevent any further Security Breach; and
(ii) provide Appfire with comprehensive information, full and prompt cooperation and assistance in relation to any notifications that Appfire is required to make as a result of the Security Breach.
3.1.9. to provide Appfire with full and prompt cooperation and assistance in relation to any complaint, communication or request received from a data subject, including by:
- providing Appfire with full details of the complaint, communication or request;
- providing Appfire with any personal data it holds in relation to a data subject, if required in a commonly-used, structured, electronic and machine-readable format;
- providing Appfire with any information requested by Appfire, relating to the processing of the Personal Data under this DPA;
- correcting, deleting or blocking any Personal Data processed under this DPA; and
- implementing appropriate technical and organizational measures that enable it to comply with this clause 3.1.
3.1.10. to provide Appfire with full and prompt cooperation and assistance in relation to any data protection impact assessment or regulatory consultation that Appfire is legally required to make in respect of the Personal Data;
3.1.11. to make available to Appfire, upon request, all information and evidence necessary to demonstrate that Partner is complying with its obligations under this DPA;
3.1.12. at the request of Appfire, to submit its data processing facilities for audits and inspections of the processing activities covered by this DPA, which shall be carried out by Appfire or any independent or impartial inspection agents or auditors selected by Appfire and not reasonably objected to by the Partner;
3.1.13. that it shall not subcontract any of its processing operations under this DPA unless:
(i) it has obtained the prior written consent of Appfire to do so; and
(ii) the sub-processor is subject to a written agreement which imposes the same obligations on that sub-processor as are imposed on the Partner hereunder.
4. LIABILITY
The Partner shall remain fully liable to Appfire for any sub-processor that processes Appfire’s Sale Contacts.
5. DATA TRANSFERS
5.1. To the extent that the provision of the Services involves the transfer of the Personal Data from the European Economic Area (“EEA”), UK or Switzerland to outside the EEA, UK or Switzerland (either directly or via onward transfer) to any country or recipient which has not been recognised by the European Commission as offering an adequate level of protection for Personal Data transferred to it from the EEA, Partner agrees to comply with the transfer mechanisms listed below, which are hereby incorporated herein by reference to such transfers and can be directly enforced by the Parties to the extent such transfers are subject to the applicable Data Protection Legislation:
a) The Controller to Processor Transfer Clauses. Where Partner processes Personal Data that originates from the EEA or Switzerland and Appfire is a Controller and a data exporter of such Personal Data, and Partner is a Processor and data importer in respect of that Personal Data, then the parties shall comply with the applicable modules of the 2021 SCCs, subject to the additional terms in section 1 of Appendix 2 of this DPA.
b) The Processor to Processor Transfer Clauses. Where Partner processes Personal Data that originates from the EEA or Switzerland and Appfire is a Processor acting on behalf of a separate Controller (e.g., another Appfire entity) and a data exporter of such Personal Data, and Partner is a Processor and data importer in respect of that Personal Data, the parties shall comply with the terms of the applicable modules of the 2021 SCCs, subject to the additional terms in sections 1 and 2 of Appendix 2 of this DPA.
c) Personal Data from the UK: Where Partner processes Personal Data that originates from the UK, such Personal Data shall be subjected to the UK Addendum and/or the UK IDTA (as applicable) subject to the additional terms in sections 1 and 3 and/or 4 (as applicable) of Appendix 2 of this DPA.
d) Personal Data from Switzerland: Where Partner processes Personal Data that originates from Switzerland, such Personal Data shall be subjected to the applicable 2021 SCCs, subject to the additional terms in sections 1 and 5 of Appendix 2 of this DPA.
e) Follow-up SCCs. If Partner transfers Personal Data to a Sub-Processor located outside the EEA, Switzerland or the UK or otherwise makes a transfer (including onward transfer) of Personal Data, that, in the absence of either party and/or Sub-Processor (as applicable) being bound by the applicable SCC’s or any successor clauses issued by a competent body from time to time, would cause either party and/or a Sub-Processor to breach any Data Protection Legislation, then Partner shall ensure it has in place SCCs with the relevant Sub-Processors, and the parties shall reasonably amend any data processing agreement between the parties (so that they apply at least for the term of the Agreement, including this DPA).
In the event of any conflict or inconsistency between the provisions of the Agreement (including this DPA) and the applicable SCCs, the provision of the applicable SCCs shall prevail to the extent of such conflict.
5.2. To the extent that any Sub-processor engaged by Partner is located in a country outside the EEA which has not been recognised by the European Commission as offering an adequate level of protection for Personal Data transferred to it from the EEA, Partner will assist Appfire to adduce an adequate level of protection for the Personal Data as required by Data Protection Legislation by entering into the appropriate transfer clauses with the Sub-processor on Appfire’s behalf whereby the sub-processor will be regarded as the data importer and Partner will act as agent for Appfire as the data exporter. For the purposes of this Clause 5.2 Appfire hereby appoints Partner as its agent to enter into the relevant transfer clauses with the sub-processor on Appfire's behalf.
5.3. Appfire shall be entitled, at no cost to itself, to suspend, or require Partner to suspend any transfers of the Personal Data which do not comply or which cease to comply with the provisions of this Clause 5.
6. INDEMNITY
Partner agrees to indemnify and keep indemnified and defend at its own expense Appfire against all costs, claims, damages or expenses incurred by Appfire or for which Appfire may become liable due to any failure by Partner or its employees or agents to comply with any of its obligations under this DPA.
7. FINAL PROVISIONS
7.1. This DPA is concluded for the term of the Agreement. This DPA automatically terminates on the date of termination of the Agreement without the need for an additional termination notice. After the termination of the Agreement, the Partner will return to Appfire all Personal Data processed under this DPA, and will delete all its existing copies, unless otherwise instructed by Appfire.
7.2. Notwithstanding termination of the Agreement, the provisions of Clauses 3 and 5 of this DPA shall survive the termination and shall continue in full force and effect until all the Personal Data is returned and deleted in accordance with Clause 7.1. above.
7.3. In the event of inconsistencies between the provisions of this DPA and other agreements between the Parties, the provisions of this DPA shall prevail with regard to the Parties' data protection obligations relating to Personal Data. In cases of doubt, this DPA shall prevail, in particular, where it cannot be clearly established whether a clause relates to a Party's data protection obligations.
8. CCPA/CPRA PROVISIONS
8.1. The provisions of this Section 8 shall apply additionally to the extent where you process Personal Data governed by the CCPA/CPRA on our behalf.
8.2. In case of discrepancies between this Section 8 and any other provision of this DPA, its Appendixes, or the Agreement, this Section 8 shall prevail in relation to the Processing subjected to the CCPA/CPRA.
8.3. Definitions. For the purposes of this Section 8 of the DPA, the following terms shall have the following meanings:
“Business Purpose” has the meaning provided in § 1798.140(d) of the California Civil Code, as amended or supplemented from time to time.
“Consumer Rights Request” means a verified communication from a consumer requesting to access their rights under the CCPA.
“Personal Information” has the meaning provided in § 1798.140(o)(1) of the California Civil Code, as amended or supplemented from time to time.
8.4. Relationship of the Parties. Appfire shall be the “business”, and the Partner shall be the “service provider” with respect to Personal Information, as such terms are defined in the CCPA/CPRA.
8.5. Business Purpose and Data Processing. Appfire may disclose Personal Information to the Partner when necessary to perform a Business Purpose. Appfire represents and warrants to Partner that such disclosures of Personal Information shall be consistent with the requirements set forth in the CCPA/CPRA. The Partner shall Process Personal Information on behalf of Appfire in accordance with and for the Business Purpose only.
8.6. Do Not Sell. The Partner shall not sell Personal Information, nor shall it retain, use, or disclose Personal Information, except as necessary to perform the Business Purpose, or as otherwise authorized by the CCPA/CPRA.
8.7. Consumer Rights Requests. The Partner shall notify Appfire with undue delay if it receives a Consumer Rights Request concerning the Processing of Personal Information and, in any event, in a reasonable time for Appfire to meet its obligations to respond to such Consumer Rights Request under the CCPA. The Partner shall not respond to any Consumer Rights Request concerning Personal Information unless it is otherwise required by law. To the extent Appfire, in its use of the services of the Partner, does not have the ability to address a Consumer Rights Request, the Partner shall upon Appfire’s request assist Appfire in responding to such Consumer Rights Request, to the extent the Partner is legally permitted to do so and the response to such Consumer Rights Request is required under the CCPA. Appfire shall not be responsible for any costs arising from Partner’s provision of such assistance.
Scope, nature, and purpose of the Processing
The Processing shall be carried out for purposes related to the proper performance of the Agreement, as well as for purposes related to the proper performance of Partner’s commitments deriving from the DPA, relating to securing Personal Data, especially by ensuring their integrity and accessibility.
Period of the Processing
The period during which the Personal Data shall be processed is the same as the period of the performance of Services rendered on basis of the Agreement, subject to the provision that respective provisions of the DPA shall remain in full force until all data are deleted in line with the provisions thereof.
Categories of Data Subjects
The Processing shall be related to the following categories of data subjects: Appfire’s existing and/or prospective customers.
Special Categories of Personal Data
The Processing involves also processing of Special Categories of Personal Data, i.e.:
Not applicable (no Special Category Data is processed)
For the purposes of the Controller to Processor Modules, Controller to Processor Modules of the applicable SCCs, the UK IDTA or the UK Addendum (as applicable) Customer is the data exporter and Vendor is the data importer and the parties agree to the following. Where this Appendix 2 does not explicitly mention Controller to Processor Modules or Controller to Processor Modules of the applicable SCCs, the UK IDTA or UK Addendum it applies to each of them.
1. GENERAL TERMS
1.1. Reference to the SCCs. The relevant provisions contained in the applicable SCCs are incorporated by reference and are an integral part of this DPA. The information required for the purposes of this Appendix to the applicable SCCs is set out in Appendix 3 of the DPA.
1.2. Docking clause. The option under clause 7 of the applicable SCCs shall not apply.
1.3. Instructions. This DPA and the Agreement are Appfire’s complete and final documented instructions to Partner for the Processing of Personal Data at the time of conclusion of the Agreement. Any additional or alternate instructions must be consistent with the terms of this DPA and the Agreement.
For the purposes of clause 8.1(a) of the applicable SCCs, the instructions by Appfire to Process Personal Data are set out in Clause 2 and 3 of the DPA.
1.4. Certification of Deletion. The parties agree that the certification of deletion of Personal Data that is described in clause 8.5 and 16(d) of the applicable SCCs shall be provided by Partner to Appfire immediately upon deletion, without any additional request from Appfire.
1.5. Security of Processing. For the purposes of clause 8.6(a) of the applicable SCCs, Partner is solely responsible for making an independent determination as to whether the Appropriate Technical and Organizational Measures applied by the Partner to process Personal Data meet the requirements for the Processing of Personal Data and agrees that (taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the Processing of Personal Data as well as the risks to individuals) the security measures and policies implemented and maintained by Partner provide a level of security appropriate to the risk with respect to the Personal Data. For the purposes of clause 8.6(c) of the applicable SCCs, personal data breaches will be handled in accordance with Section 3.1.7 and 3.1.8. of the DPA.
1.6. Audits of the SCCs. The parties agree that the audits described in clause 8.9 of the applicable SCCs shall be carried out in accordance with Clause 3.1.11 and 3.1.12. of the DPA.
1.7. General authorization for use of Sub-Processors. Option 2 under clause 9 of the applicable SCCs shall apply. For the purposes of clause 9(a) of the applicable SCCs, Partner can engage Sub-Processors in accordance with Clause 3.1.13 of the DPA. Where Partner enters into the EU Processor to Processor Modules of the applicable SCCs with a Sub-Processor in connection with providing the Services, Appfire hereby grants Partner the authority to provide a general authorisation on Controller's behalf for the engagement of further Sub-Processors by those Sub-Processors engaged in providing the Services, as well as decision making and approval authority for the addition or replacement of any such Sub-Processors.
1.8. Notification of New Sub-Processors and Objection Right for new Sub-Processors. Pursuant to clause 9(a), of the applicable SCCs, Appfire acknowledges and expressly agrees that Partner may engage new Sub-Processors as described in the DPA. Partner shall inform Appfire of any changes to Sub-Processors immediately and at least 21 days since their engagement is in force.
1.9. Liability. Partner’s liability under clause 12(b) of the applicable SCCs shall be subject to the provisions of the DPA.
1.10. Supervision. Clause 13 of the applicable SCCs shall apply as follows:
1.10.1. Where Appfire is established in an EU Member State, the supervisory authority with responsibility for ensuring compliance by Customer with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.
1.10.2. Where Appfire is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679, the supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as competent supervisory authority.
1.10.3. Where Appfire is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679, The Office of the Polish Data Protection Commissioner, Warsaw, Poland shall act as competent supervisory authority.
1.10.4. Where Appfire is established in the UK or falls within the territorial scope of application of UK Data Protection Laws and Regulations, the Information Commissioner's Office shall act as competent supervisory authority.
1.10.5. Where Appfire is established in Switzerland and Vendor processes Personal Data that originates only from Switzerland or falls within the territorial scope of application of Swiss DPA, the Swiss Federal Data Protection and Information Commissioner shall act as competent supervisory authority insofar as the relevant data transfer is governed by the Swiss DPA.
1.11. Notification of Government Access Requests. For the purposes of clause 15(1)(a) of the applicable SCCs, Partner shall notify Appfire (only) and not the Data Subject(s) in case of government access requests. Appfire shall be solely responsible for promptly notifying the Data Subject as necessary.
1.12. Governing Law. The governing law for the purposes of clause 17 of the applicable SCCs shall be the laws of Poland.
1.13. Choice of forum and jurisdiction. The courts under clause 18 of the applicable SCCs shall be the courts of Warsaw, Poland as having exclusive jurisdiction to resolve any dispute arising from SCCs. For Data Subjects habitually resident in Switzerland, the courts of Switzerland are an alternative place of jurisdiction in respect of disputes.
1.14. Appendix. The Appendix of the SCCs shall be completed as follows:
- The contents of section A of Appendix 3 to this DPA shall form Annex I.A to the applicable SCCs
- The contents of section B of Appendix 3 to this DPA shall form Annex I.B to the applicable SCCs
- The contents of section C of Appendix 3 to this DPA shall form Annex I.C to the applicable SCCs
- The contents of Appendix 2 to this DPA shall form Annex II to the applicable SCCs.
2. ADDITIONAL TERMS FOR THE EU PROCESSOR TO PROCESSOR TRANSFER CLAUSES
For the purposes of the EU Processor to Processor Modules of the applicable SCCs (only), the parties agree the following.
2.1. Instructions and notifications. For the purposes of clause 8.1(a) of the applicable SCCs, Appfire hereby informs Partner that it acts as Processor under the instructions of the relevant Controller in respect of Personal Data. Appfire warrants that its Processing instructions as set out in the Agreement and the DPA, including its authorizations to Partner for the appointment of Sub-processors in accordance with the DPA, have been authorized by the relevant Controller. Appfire shall be solely responsible for forwarding any notifications received from Partner to the relevant Controller where appropriate.
2.2. Security of Processing. For the purposes of clause 8.6(c) and (d) of the applicable SCCs, Partner shall provide notification of a personal data breach concerning Personal Data Processed by Partner to Appfire.
2.3. Documentation and Compliance. For the purposes of clause 8.9 of the applicable SCCs, all enquiries from the relevant Controller shall be provided to Partner by Appfire. If Partner receives an enquiry directly from a Controller, it shall forward the enquiry to Appfire and Appfire shall be solely responsible for responding to any such enquiry from the relevant Controller where appropriate.
2.4. Data Subject Rights. For the purposes of clause 10 of the applicable SCCs and subject to the respective provisions of the DPA, Partner shall notify Appfire about any request it has received directly from a Data Subject without obligation to handle it (unless otherwise agreed in writing), but shall not notify the relevant Controller. Appfire shall be solely responsible for cooperating with the relevant Controller in fulfilling the relevant obligations to respond to any such request.
3. ADDITIONAL TERMS FOR THE UK ADDENDUM
3.1 Reference to the UK Addendum. The relevant provisions contained in the UK Addendum are incorporated by reference and are an integral part of this DPA. The information required for the purposes of the UK Addendum is set out below.
3.2 Tables. The tables contained within the UK Addendum shall be completed as follows:
- The contents of section A of Appendix 3 to the DPA shall be used to complete Table 1 of the UK Addendum.
- The contents of sections 1 and 2 of the Appendix 2 to this DPA shall be used to complete Table 2 of the UK Addendum.
- The contents of section 1.15 of the Appendix 2 of this DPA shall be used to complete Table 3 of the UK Addendum.
- For the purposes of Table 4 of the UK Addendum neither party may terminate the UK Addendum upon the UK Information Commissioner’s Office receipt of a revised UK Addendum.
4. ADDITIONAL TERMS FOR THE UK IDTA
4.1 Reference to the UK IDTA. The relevant provisions contained in the UK IDTA are incorporated by reference and are an integral part of the DPA. The information required for the purposes of the UK IDTA is set out below.
4.2 Tables. The tables contained within the UK IDTA shall be completed as follows:
The contents of section A of Appendix 4 of this DPA shall be used to complete Table 1 of the UK IDTA.
Table 2 of the UK IDTA shall be completed as follows:
- UK country’s law that governs the UK IDTA: England and Wales
- Primary place for legal claims to be made by the parties: England and Wales
- Status of exporter: controller or processor
- Status of importer: processor or sub-processor
- Whether UK GDPR applies to Importer: Yes
- Linked Agreement: this DPA and Agreement (service agreement)
- Term: duration of the Agreement, subject to provisions of the DPA
- Ending the UK IDTA before the end of the Term: N/A
- Onward transfers: Permitted
- Restrictions on onward transfers: as per the DPA.
- Review dates: Beginning on the date of the Agreement
The contents of section B of Appendix 3 of the DPA shall be used to complete Table 3 of the UK IDTA and such categories of Personal Data shall, for the purposes of the UK IDTA, be automatically to reflect any changes made to section B of Appendix 3 of this DPA.
The contents of Appendix 2 of this DPA shall be used to complete Table 4 of the UK IDTA
5. ADDITIONAL TERMS FOR THE TRANSFER OF SWISS PERSONAL DATA
To the extent Personal Data solely subject to the Swiss DPA is to be transferred from Appfire to Vendor, such transfer shall be subject to the relevant modules of the 2021 SCCs (as amended and incorporated by relevant Appendix of this DPA) subject to the following amendments: all references to the GDPR within the applicable 2021 SCCs shall be understood to be references to the Swiss DPA.
A. Parties
Data Exporter. The Data Exporter is Appfire or a Controller (if applicable).
Data Importer. The Data Importer is the Partner who provides the Services.
B. Description of the Transfer
Data Subjects. The Personal Data transferred concerning the following categories of Data Subjects include the data exporter’s: Appfire’s existing and/or prospective customers (Appfire’s Sale Contacts).
Data Subjects to Whom Personal Data Relates. The Data Subjects whose Personal Data is processed by the Partner concerns: Customer’s contact persons and/or representatives, their contact information such as: name, surname, email address, telephone number, job position and other data if required for the proper performance of the processing.
Subject matter and duration of the processing of Personal Data. The subject matter and duration of the Processing of the Personal Data are set out in the DPA.
Categories of data. The Personal Data transferred concerning the following categories of data: contact information, such as: telephone number, email address, name, surname, job position/ job title, and other data if required for the proper performance of the processing.
Special Categories of Data (if appropriate). The Personal Data transferred concerning the following Special Categories of Data (please specify):
Not applicable.
The frequency of the transfer. The personal data will be transferred on a continuous basis, as long as the transfer is required for the proper performance of the Agreement.
Retention of personal data. Data will be stored for no longer than is necessary for the proper performance of the Services rendered under the Agreement.
Transfers of personal data to processors. The personal data transferred may be disclosed only to the following recipients or categories of recipients:
- further service providers (e.g. data hosting providers).
Processing operations. The Personal Data transferred will be subject to the following basic processing activities:
The Personal Data is processed for the purpose of providing Services under the Agreement.
C. Competent Supervisory Authority
The competent supervisory authority is set out in section 1.10 of Appendix 2 of this DPA, as required by clause 13.