Background

1. This Data Processing Addendum (“DPA*) sets out the terms, requirements, and conditions on which ReliaQuest, LLC, and its applicable Affiliates (“ReliaQuest”, “We”, “Us”, or “Our”) will Process Personal Data when providing Services to the customer identified in the applicable Order (“You” or “Customer”) under the terms of the GreyMatter End User License Agreement or the Platform and Support Agreement, as applicable (“Agreement”).
2. Any use of the Services constitutes Your acceptance of this DPA. If You do not agree to the terms of this DPA, do not proceed further nor continue use of any Service. We reserve the right to change the terms of this DPA at any time upon ten (10) days’ electronic notice. If You objects to any changes, then You should cease using the Services. If You continue to use the Services at the end of such ten (10) day period, You will be deemed to have accepted the revised DPA.
3. This DPA contains the Standard Contractual Clauses for international transfers of Personal Data from the European Economic Area or the United Kingdom to a Third Country.

1. Definitions and Interpretation
The following definitions and rules of interpretation apply in this DPA. Capitalized terms not otherwise defined herein have the meanings assigned to such terms in the Agreement.
1.1 Definitions:
“Controller, Data Subject, Processor, Processing/Process/Processed and Supervisory Authority” are each as defined in the GDPR.

“Customer Personal Data” means Personal Data to the extent such data or information is contained in Your Customer Operational Data and Processed by Us using ReliaQuest Systems, but excluding, as applicable, data or information not within the scope of the Data Protection Legislation.

“Data Protection Legislation” means the applicable data protection and privacy legislation in force from time to time in the United States of America (“USA”), European Union (“EU”) and the United Kingdom (“UK”), including Regulation (EU) 2016/679 (“GDPR”); the GDPR as defined in section 3(10) (as supplemented by section 205(4)) of the DPA 2018 (“UK GDPR”); the Data Protection Act 2018 (“DPA 2018”); the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC); the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426); the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq. (“CCPA”); each as amended, and any other legislation and regulatory requirements in force from time to time, solely to the extent such legislation applies to ReliaQuest’s Processing of Your Personal Data using ReliaQuest Systems.

“Personal Data” has the meaning given to “personal data,” “personal information” or equivalent defined terms in the Data Protection Legislation.
“Personal Data Breach” means an instance in which ReliaQuest’s intentional or gross negligent acts and omissions result in (i) any loss or unauthorized access, acquisition, theft, destruction, disclosure or use of Customer Personal Data from ReliaQuest Systems; (ii) the security of ReliaQuest Systems being materially compromised resulting in exposure of Customer Personal Data; or (iii) ReliaQuest otherwise directly compromising the security, confidentiality or integrity of Customer Personal Data on ReliaQuest Systems. If required by the GDPR or UK GDPR, “Personal Data Breach” will also have the meaning given to such term in the GDPR or UK GDPR, as applicable.
“ReliaQuest Systems” means the networks, systems, software, equipment and premises controlled by ReliaQuest to provide the Services.
“Services” means the provision of the ReliaQuest Platform by Us to You under the Agreement.
“Standard Contractual Clauses” means, together, the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR, adopted by the European Commission under Commission Decision (EU) 2021/914 2021 (“EU SCCs”) and the UK International Transfer Addendum to the EU SCCs published by the Information Commissioner’s Office on 2 February 2022 (“UK Addendum”).

“Sub-Processor” means another Processor engaged directly by ReliaQuest who will Process Personal Data as part of the performance of the Services, including a third party or Affiliate of ReliaQuest, but excluding an employee of ReliaQuest or an issuer or reseller of Third-Party Software Products.

“Sub-Processor Page” means the webpage available on ReliaQuest’s website at: https://www.reliaquest.com/platform-sub-processors.

“Third Country” means a state for which the UK or the EU, as applicable, has not made an appropriate adequacy decision under the Data Protection Legislation (other than the UK or the EU).

1.2 A reference to writing or written includes email but not fax. Electronic notice includes notice through the Services (including GreyMatter or the RQ Portal) or by updating Our website.
1.3 In the case of conflict between:
1.3.1 any provisions contained in the body of this DPA and any provisions contained in the Schedules, the provisions in the body of this DPA will prevail; and
1.3.2 any of the provisions of this DPA and any provisions in the Agreement, the provisions of this DPA will prevail.

2. Personal Data Types and Processing Purposes
2.1 The parties acknowledge that for the purpose of the Data Protection Legislation, You are the Controller and We are the Processor. Where You are acting as a Processor to your customer or Affiliates, as applicable, we will be your sub-Processor.
2.2 You retain control of the Personal Data and remain responsible for Your compliance obligations under the applicable Data Protection Legislation, including providing any required or reasonably expected notices and obtaining any required or reasonably expected consents, and for the Processing instructions You give to Us.
2.3 You warrant that Our expected use of the Personal Data for the provision of the Services, and as specifically instructed by You, will comply with the Data Protection Legislation.
2.4 The Schedules describe the subject matter, duration, nature and purpose of Processing and the Personal Data categories and Data Subject types in respect of which We may Process to fulfil the Services.

3. YOUR OBLIGATIONS
You shall:
3.1 have at all times during the term of the Agreement appropriate technical and organisational measures to ensure a level of security appropriate to the risk to protect any Personal Data, and no less than Our measures set out at paragraph 3.12 of Schedule 1;
3.2 provide clear and comprehensible written instructions to Us for the Processing of Personal Data to be carried out under the Agreement;
3.3 ensure that You have all the necessary or reasonably expected licences, permissions and consents from Data Subjects with respect to all Personal Data; and
3.4 ensure that You have an applicable legal basis for the transfer of Personal Data to Us and the Processing of that Personal Data by Us.

4. Our Obligations
4.1 We will only Process the Customer Personal Data to the extent, and in such a manner, as is necessary for the Services in accordance with Your written instructions. We will not Process the Customer Personal Data for any other purpose or in a way that does not comply with this DPA or the Data Protection Legislation. We will immediately notify You if, in Our opinion, Your instruction would not comply with the Data Protection Legislation.
4.2 We will promptly comply with any written request or instruction from You requiring Us to amend, transfer, delete or otherwise Process the Customer Personal Data, or to stop, mitigate or remedy any unauthorised Processing.
4.3 We will maintain the confidentiality of all Customer Personal Data in accordance with our obligations under the Agreement and will not disclose Customer Personal Data to third parties unless You or this DPA specifically authorises the disclosure, or as required by law. If a law, court, regulator or Supervisory Authority requires Us to Process or disclose Customer Personal Data, We will first use reasonable endeavours to inform You of the legal or regulatory requirement and give You an opportunity to object or challenge the requirement, unless the law prohibits such notice.
4.4 We will reasonably assist You with meeting Your compliance obligations under the Data Protection Legislation, taking into account the nature of Our Processing and the information available to Us, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with Supervisory Authorities under the Data Protection Legislation.
4.5 We will promptly notify You of any material changes to Data Protection Legislation that may adversely affect Our performance of the Services.
4.6 You acknowledge that We:
4.6.1 will add certain data discovered in the course of providing the Services (other than the Customer Personal Data We Process on Your instructions) into Our Services for Your benefit and for the benefit of Our other customers, and to the extent such data includes Personal Data, We are a Controller and this DPA does not apply to such Personal Data; and
4.6.2 are free to use meta-data, statistics and such other information derived from the Customer Personal Data We receive from You which cannot be identified as originating or deriving directly from such Customer Personal Data, and cannot be reverse-engineered by a third party such that it can be so identified, for any purpose whatsoever.
4.7 If We receive a request or communication from a Data Subject whose data is being Processed by Us pursuant to this DPA, We will notify You and direct the applicable Data Subject to submit its request directly to You, providing to the applicable Data Subject any contact details for receiving such requests as may be listed from time to time on Your privacy policy.

5. Our Employees
5.1 We will ensure that any and all of Our employees and Sub-Processors performing the Services:
5.1.1 are informed of the confidential nature of the Customer Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Customer Personal Data;
5.1.2 have undertaken or are required to perform training on appropriate information security practices and how such practices apply to their particular duties with respect to the data handled by such persons; and
5.1.3 are aware both of Our duties and their personal duties and obligations under the Data Protection Legislation and this DPA.

6. Security
6.1 We will at all times implement appropriate technical and organisational measures intended to protect against unauthorised or unlawful Processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Customer Personal Data and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Customer Personal Data including, but not limited to:
6.1.1 the measures set forth at paragraph 3.12 of Schedule 1;
6.1.2 the pseudonymisation and encryption of Customer Personal Data as appropriate;
6.1.3 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of ReliaQuest Systems;
6.1.4 the ability to restore the availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident; and
6.1.5 a process for regularly testing, assessing and evaluating the effectiveness of security measures.
6.2 We may update the security measures from time to time, provided they do not result in a material reduction in the security over the Customer Personal Data to which they apply. We will maintain an up-to-date written record of Our then-current security measures, which We shall provide to You on written request, and review at least on an annual basis to ensure they remain current and complete.
6.3 We will implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate the measures set out at paragraph 3.12 of Schedule 1.

7. Personal Data Breach
7.1 We will promptly and without undue delay notify You if We confirm that any Customer Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable.
7.2 We will without undue delay notify You if We confirm:
7.2.1 any accidental, unauthorised or unlawful Processing of Customer Personal Data; or
7.2.2 any Personal Data Breach relating to Customer Personal Data.
7.3 Where We confirm an event within the scope of clause 7.2, We shall, without undue delay, also provide You with the following information, to the extent available to Us:
7.3.1 a description of the nature of such event, including the categories and approximate number of both Data Subjects and Customer Personal Data records concerned;
7.3.2 the likely consequences of the event; and
7.3.3 a description of the measures taken or proposed to be taken to address such event, including measures to mitigate its possible adverse effects.
7.4 Immediately following Our confirmation of any unauthorised or unlawful Customer Personal Data Processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. We will reasonably co-operate with You in Your handling of the matter, including:
7.4.1 assisting with any investigation;
7.4.2 making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by You; and
7.4.3 taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or unlawful Customer Personal Data Processing.
7.5 We will not inform any third party of any Personal Data Breach without first obtaining Your prior written consent, except when required to do so by law, to maintain any policy of insurance, to notify other affected customers or third parties, or to maintain regulatory or equivalent certifications.
7.6 Subject to clause 7.5 You have the sole right to determine:
7.6.1 whether to provide notice of the Personal Data Breach to any Data Subjects, Supervisory Authorities, regulators, law enforcement agencies or others, as required by law or regulation or in Your discretion, including the contents and delivery method of the notice; and
7.6.2 whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.

8. Cross-Border Transfers of Personal Data
8.1 If an adequate protection measure for the international transfer of Customer Personal Data to a Third Country is required under Data Protection Legislation (and has not otherwise been arranged by the parties), the Standard Contractual Clauses shall be incorporated into this Agreement in Schedules 1 and 2 as if they had been set out in full. Notwithstanding the foregoing, the application of the Standard Contractual Clauses will be without prejudice to any other permissible transfer mechanisms or derogations that facilitate the Processing of Customer Personal Data outside the GDPR Territories (as defined below), including any adequacy decisions that may come into force after the date of this DPA.
8.2 The parties shall ensure that whenever Customer Personal Data is transferred outside the European Economic Area or the UK (“GDPR Territories”) they:
8.2.1 are Processing Customer Personal Data in a territory which is subject to a current finding by the European Commission under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals;
8.2.2 participate in a valid cross-border transfer mechanism under the Data Protection Legislation, so that the parties can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the GDPR; or
8.2.3 otherwise ensure that the transfer complies with the Data Protection Legislation.
8.3 In the case of any Processing of Customer Personal Data in a Third Country as at the date of this DPA, We have identified in Schedules 1 and 2 the relevant transfer mechanism. We will promptly inform You by electronic notice of any change to such mechanisms.
8.4 You authorise Us to enter into the Standard Contractual Clauses with the sub-Processor on Your behalf, if required to ensure the relevant Processing of Customer Personal Data complies with Data Protection Legislation. We will make the relevant sections of the Standard Contractual Clauses available to You on written request.

9. California Consumers
9.1 The following terms apply to the extent We Process Personal Data about California consumers. These terms are in addition to all other requirements set forth in the DPA; provided, however, in the event of any conflict between these CCPA provisions and the remainder of this DPA, these CCPA provisions shall control with respect to personal information about California consumers.
9.2 The terms “consumer”, “business”, “service provider”, “business purpose”, “commercial purpose”, “sell” and “share” as used in this clause 9 shall have the meanings defined under CCPA.
9.3 The parties acknowledge and agree that You are a business and We are a service provider.
9.4 We will process Customer Personal Data on Your behalf.
9.5 We will not, in relation to any Customer Personal Data for which We are a service provider:
9.5.1 sell or share Customer Personal Data;
9.5.2 retain, use, or disclose Customer Personal Data for any purpose other than for the Services, including retaining, using, or disclosing Customer Personal Data for a commercial purpose other than the Services, or as otherwise permitted under the CCPA, this DPA or the Agreement;
9.5.3 retain, use, or disclose Customer Personal Data outside of the direct business relationship between the parties; or
9.5.4 combine the Customer Personal Data We receive from, or on behalf of, You with Personal Data that We receive from, or on behalf of, another person or persons, or collects from Our own interaction with the consumer, provided that We may combine Personal Data to perform any business purpose as permitted by the CCPA, this DPA or the Agreement.
9.6 If We engage a sub-Processor to assist in processing Customer Personal Data for the Services on Your behalf We will provide electronic notice to You of that engagement as set out at clause 10.

10. Sub-Processors
10.1 We may only authorise a Sub-Processor(s) to Process the Personal Data if:
10.1.1 You are provided with an opportunity to object to (but not prevent) the appointment of each Sub-Processor within 10 days of Us providing You with electronic notice of the forthcoming changes to Our Sub-Processors, with such details to be provided by Us updating the Sub-Processor Page;
10.1.2 We enter into a written contract with the Sub-Processor(s) that contains terms materially similar to those set out in this DPA, in particular, in relation to requiring appropriate technical and organisational data security measures, and, upon Your written request and at Your expense, provide You with copies of such contracts (subject to redaction of any confidential information); and
10.1.3 We maintain control over all Customer Personal Data We entrust to the Sub-Processor(s).
10.2 You authorise Us to use the Sub-Processors set out on the Sub-Processor Page, as updated from time to time. These Sub-Processors include but are not limited to the general categories of infrastructure and data storage, hosting (including data centres and providers of virtual software environments), security, enterprise and other support services. For clarity, we may add or remove Sub-Processor(s) from the Sub-Processor Page by providing you with electronic notice.
10.3 Where the Sub-Processor fails to fulfil its obligations under the written agreement referenced in clause 10.2, We remain fully liable to You for the Sub-Processor’s performance of its agreement obligations.

11. Complaints, Data Subject Requests and Third-Party Rights
11.1 We will take such technical and organisational measures as may be appropriate, and promptly provide such available information to You as You may reasonably require, to enable You to comply with:
11.1.1 the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify and erase Customer Personal Data, object to the Processing and automated Processing of Customer Personal Data, and restrict the Processing of Customer Personal Data; and
11.1.2 information or assessment notices served on You by any Supervisory Authority under the Data Protection Legislation.
11.2 We will notify You immediately if We receive any complaint, notice or communication that relates directly or indirectly to the Processing of the Customer Personal Data or to either party’s compliance with the Data Protection Legislation.
11.3 We will notify You without undue delay if We receive a request from a Data Subject for access to their Customer Personal Data or to exercise any of their related rights under the Data Protection Legislation.
11.4 We will give You Our reasonable co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.
11.5 We will not disclose the Customer Personal Data to any Data Subject or to a third party other than at Your request or instruction, as provided for in this DPA or as required by law.

12. Liability
12.1 Our entire aggregate liability under this DPA for any claims, damages, liabilities, costs or Our breach of this DPA shall be governed by and subject to the disclaimers, exclusions and limitations on liability in the Agreement.

13. Term and Termination
13.1 This DPA will remain in full force and effect for so long as We retain any Customer Personal Data related to the Services in Our possession or control.
13.2 Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Services in order to protect Customer Personal Data will remain in full force and effect.
13.3 If a change in any Data Protection Legislation prevents either party from fulfilling all or part of the Services, the parties will discuss in good faith with a view to implementing any changes necessary to ensure the Processing of Customer Personal Data complies with the new requirements.

14. Data Return and Destruction
14.1 At Your written request, and to the extent readily available to Us, We will give You a copy of or access to all or part of Customer Personal Data in Our possession or control in a commonly accessible and electronic format determined by Us.
14.2 On termination of the Services for any reason or expiry of its term, We will securely delete or, if directed in writing by You, return all or any Customer Personal Data We are Processing under this DPA in line with our standard policies available on request. This requirement shall not apply to Customer Personal Data which We have archived on Our backup systems which are not reasonably accessible, provided that such Customer Personal Data is deleted promptly in the event such backups become reasonably accessible (such as by Us using those backups to restore Our systems).
14.3 Clause 14.2 shall not apply to the extent any law, regulation, or government or regulatory body requires Us to retain any documents or materials that We would otherwise be required to return or destroy.

15. Records
15.1 We will keep detailed, accurate and up-to-date written records regarding any Processing of Customer Personal Data We carry out for You (“Records”) and provide You with copies of the Records upon written request.

16. Audit
16.1 No more than once during any consecutive 12-month period, on Your request We will provide You with the relevant information from Our audits, such as SOC 2 Type 2 or IEC/ISO 27001:2013 (or successor standard) performed by an independent third party to evidence Our compliance with this DPA and provide the summary results to You. You shall be entitled to ask questions of Us related to compliance with Data Protection Legislation in advance of the audit, and We shall use Our reasonable endeavours to respond adequately when providing the audit results.
16.2 On Your written request, We will exercise relevant audit rights or rights to request information We may have in connection with Our Sub-Processors’ compliance with their obligations regarding Customer Personal Data and provide You with a summary of the audit results if permitted under Our agreement with the applicable Sub-Processor.
16.3 The audit rights set out at clauses 16.1 – 16.2 are Your only contractual rights (and Our only contractual obligations) in connection with the auditing of Our Processing of Personal Data. Save that nothing in this DPA shall prevent or is intended to undermine the rights and powers granted to Data Subjects or Supervisory Authorities, and accordingly We shall submit to any audits required by a Supervisory Authority under the Data Protection Legislation.

Schedule 1
EU SCCs

1. Incorporation of the EU SCCS
1.1 To the extent clause 8.1 of the DPA applies and the transfer is made pursuant to the GDPR, this Schedule 1 and the following terms shall apply:
1.1.1 Module 2 of the EU SCCs, and no other optional clauses unless explicitly specified, are incorporated into this Schedule 1 as if they had been set out in full in the case where the exporter is a Controller, the importer is a Processor and the transfer requires such additional protection; and
1.1.2 Module 3 of the EU SCCs, and no other optional clauses unless explicitly specified, are incorporated into this Schedule 1 as if they had been set out in full in the case where the exporter is a Processor, the importer is a sub-Processor and the transfer requires such additional protection.

2. Clarifications to the EU SCCS
2.1 Deletion of data. For the purposes of clause 8.5 of the EU SCCs (Duration of processing and erasure or return of data), the parties agree that the data deletion/return process as set out in clause 14 of the main body of this DPA applies. The importer shall certify to the exporter that it has deleted the data (if applicable), if requested to provide such certification by the exporter in writing.
2.2 Auditing. The parties acknowledge that the importer complies with its obligations under clause 8.9 of the EU SCCs (Documentation and compliance) by exercising its contractual audit rights or rights to request information it has agreed with its sub-Processors.
2.3 Sub-Processors. For the purposes of clause 9 of the EU SCCs (Use of sub-processors), the parties agree that the process for appointing sub-Processors set out in clause 10 of the main body of this DPA applies.
2.4 International Transfer Assessments. For the purposes of clause 14(c) of the EU SCCs (Local laws and practices affecting compliance with the Clauses) the exporter has been provided with a transfer impact assessment by the importer which the exporter accepts as sufficient to fulfil the importer’s obligations pursuant to clauses 14(c) and 14(a). The exporter acknowledges that it has been provided with the security measures applied to the Personal Data and approves such measures as being in compliance with the EU SCCs.
2.5 Best Efforts Obligations. For the purposes of clauses 14(c), 15.1(b) and 15.2 of the EU SCCs (Local laws and practices affecting compliance with the clauses) the parties agree that “best efforts” and the obligations of the importer under clause 15.2 of the EU SCCs shall mean exercising the degree of skill and care, diligence, prudence and foresight which would reasonably and ordinarily be expected from a leading practice engaged in a similar type of undertaking under the same or similar circumstances and shall not include actions that would result in civil or criminal penalty such as contempt of court under the laws of the relevant jurisdiction.
2.6 Competent Supervisory Authority. For the purposes of clause 13 of the EU SCCs, the competent Supervisory Authority shall be:
2.6.1 if the exporter is established in an EU Member State: The Irish Data Protection Commissioner;
2.6.2 where the exporter is not established in an EU Member State and has appointed a representative pursuant to Article 27(1) GDPR, it shall notify the importer of this and the EU Member State in which the exporter’s representative is appointed shall be the competent Supervisory Authority; and
2.6.3 where the exporter is not established in an EU Member State, but falls within the territorial scope of Article 3(2) GDPR but has not appointed a representative pursuant to Article 27(1) GDPR: the exporter shall notify the importer of its chosen competent supervisory authority, which must be the Supervisory Authority of an EU Member State in which the Data Subjects whose Personal Data is transferred under the EU SCCs in relation to the offering of goods or services to them, or whose behaviour is monitored, are located.
2.7 Governing Law & Jurisdiction. For the purposes of clauses 17 and 18 of the EU SCCs, the parties agree that the governing law shall be where the exporter is established. If those laws do not allow for third party rights, the law of Ireland shall apply.
2.8 To the extent Module 3 of the EU SCCs applies: (i) paragraphs 3.1 and 3.2 of this Schedule 1 shall be modified to reflect that the exporter is a Processor and the importer is a sub-Processor; (ii) the exporter warrants that it has the rights necessary to transfer the Personal Data to the importer; (ii) any request received from a Data Subject in connection with the Personal Data being Processed by the importer shall be forwarded to the exporter to facilitate with the Controller of such Personal Data; and (iii) for the purposes of clause 8.6(c) and (d) of the EU SCCs, the importer shall notify the exporter of any Personal Data Breach.

3. Processing Particulars for the EU SCCS

The Parties

3.1 Exporter (Controller): You, the Customer
3.2 Importer (Processor): ReliaQuest, LLC
Description Of Data Processing
3.3 Categories of data subjects: ReliaQuest may, through indirect and unintentional disclosure, access communications meta-data including domain names, IP addresses, and e-mail addresses; that may be inadvertently indexed and searchable in the course of investigating cybersecurity events.
3.4 Categories of personal data transferred: Communications data: domain names; IP addresses; log data, e.g., time stamps, duration, subject or recipient.
3.5 Sensitive data transferred: None.
3.6 Frequency of the transfer: Continuous.
3.7 Nature of the processing: As necessary for ReliaQuest to perform the Services described in the Agreement.
3.8 Purpose of the processing: For the purpose of ReliaQuest performing the Services described in the Agreement.
3.9 Duration of the processing: For the duration of the Agreement.
3.10 Sub-Processor Transfers: As set out at clause 10 of the DPA.
3.11 Competent Supervisory Authority: As set out at paragraph 2.6 of this Schedule 1.
3.12 Technical and Organisational Measures: As described in Exhibit A (Data Security Schedule) attached to the Agreement.

Schedule 2
UK Addendum

1. Parties
As set out in Schedule 1.

2. Selected SCCs, Modules and Clauses
Module 2 and Module 3 of the EU SCCs and no other optional clauses unless explicitly specified, and as amended by the clarifications in Schedule 1, paragraph 2, but subject to any further amendments detailed in this Schedule 2.

3. Appendix Information
The Processing details required by the UK Addendum are as set out in Schedule 1, paragraph 3.

4. Termination of the UK Addendum
In the event the template UK Addendum issued by the Information Commissioner’s Office and laid before Parliament in accordance with s119A of the DPA 2018 on 2 February 2022, as it is revised under Section ‎18 is amended, either party may terminate this Schedule 2 on written notice to the other in accordance with Table 4 and paragraph 19 of the UK Addendum and replace it with a mutually acceptable alternative.