Data Processing Agreement
Last Updated: May 28, 2026
This Data Processing Agreement (“DPA”) reflects the parties’ agreement with respect to the terms governing the Processing of Personal Data on behalf of the Customer under any applicable written agreement between Customer and the entity identified as “Company” in the Agreement governing the use of the Bindplane Offerings (paid or otherwise), and any related order forms, attachments, and statements of work (collectively, the “Agreement”). For Bindplane Offerings contracted under the current contracting model, “Company” means observIQ, Inc. dba Bindplane, unless otherwise stated in the applicable Agreement. This DPA is effective as of the effective date of the Agreement (the “Effective Date”).
This DPA is subject to the terms of, and fully incorporated and made part of, the Agreement. This DPA shall replace any existing data processing agreement unless otherwise explicitly stated herein. In the event of any conflict between this DPA and any other provision of the Agreement with respect to personal data, this DPA shall govern and apply. Capitalized terms used but not defined in this DPA have the same meanings as set out in the End User License Agreement available at https://bindplane.com/legal.
1. Definitions.
- “APPI” means the Japanese Act on the Protection of Personal Information (Act No. 57 of 2003 as amended).
- “Brazilian SCCs” means the standard contractual clauses approved by the Brazilian National Data Protection Authority (“ANPD”) by Resolution CD/ANPD no. 19, dated August 23, 2024, for transfers of personal data to countries not otherwise recognized as offering an adequate level of protection for Personal Data by the ANPD (as amended and updated from time to time), thus, applicable for transfers of personal data from the Data Exporter to the Data Importer outside Brazil to enable the provision of the Services, as attached to this DPA in Schedule C.
- “Data Protection Law” means all data protection and data privacy laws and regulations applicable to Company’s Processing of Customer Personal Data under the Agreement.
- “Company” means the entity identified as “Company” in the Agreement. For Bindplane Offerings, Company is observIQ, Inc. dba Bindplane, unless otherwise stated.
- “Company Group” means Company and its Affiliates, including Dynatrace group entities, that assist Company in providing the Bindplane Offerings and/or related support or services under the Agreement and this DPA.
- “Controller” has the same meaning given under the applicable Data Protection Law and includes “Database Owner” under the Protection of Privacy Law of Israel and “Business” under the applicable US State Privacy Law.
- “Customer Personal Data” means any Customer Data that meets the definition of Personal Data.
- “Europe” means the European Union, European Economic Area (“EEA”), and/or their member states, Switzerland, and the United Kingdom.
- “GDPR” means the Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
- “LGPD” means the Lei Geral de Proteção de Dados Pessoais (General Personal Data Protection Act in Brazil).
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, Customer Personal Data while being transmitted, stored, or otherwise Processed by Company.
- “PIPL” means the China Personal Information Protection Law.
- “Personal Data” means “Personal Data,” or “Personal Information” as defined under applicable Data Protection Laws that Company collects or receives on behalf of Customer. Personal Data does not include information that Company obtains or Processes independent of the performance of its respective obligations under the Agreement with Customer.
- “Processor” has the same meaning given under the applicable Data Protection Law and includes “Holder” as defined under the Protection of Privacy Law of Israel, and “Service Provider” under the applicable US State Privacy Law.
- “Standard Contractual Clauses” means the Standard Contractual Clauses promulgated by the EU Commission Decision 2021/914/EU incorporated herein by reference, as updated, amended, or replaced from time to time.
- “Sub-processor” means Processors engaged by Company or a member of the Company Group to process Customer Personal Data on behalf of Customer in connection with the Bindplane Offerings.
- “Supervisory Authority” means the government agency, department, or other competent organization with authority over the processing of Personal Data relevant to this DPA.
- “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner’s office under S119A (1) Data Protection Act 2018, as updated, amended, or replaced from time to time.
- “Business”, “Controller”, “Consumer,” “Data Exporter”, “Data Importer”, “Processor,” “Service Provider,” “Data Subject”, “Sell,” “Supervisory Authority”, and “Processing” (and “process”) shall have the meanings given under applicable Data Protection Law.
2. Applicability of DPA and Parties’ Roles
- This DPA applies to Processing of Customer Personal Data by Company on behalf of Customer to perform its obligations and exercise its rights under the Agreement and this DPA.
- Customer is a Controller or a Processor, as applicable, and Company is a Processor. To the extent applicable under Data Protection Law, Customer appoints Company as a Processor to process the Customer Personal Data on Customer’s behalf.
- Company may use members of the Company Group, including Dynatrace group entities, to assist in providing the Bindplane Offerings. Company remains responsible for the acts and omissions of such entities in accordance with this DPA.
3. Processing of Customer Personal Data
- The nature and extent of Processing Customer Personal Data by Company to deliver the Bindplane Offerings is determined and controlled by Customer and is supplemented by Schedule A. The nature, purpose, and duration of the Processing, as well as the types of Personal Data collected and categories of Data Subjects whose Personal Data may be Processed by Company, are described in Schedule A to this DPA. Customer acknowledges that Company does not have any knowledge of the actual data or types of Personal Data contained in the Customer Data. The parties agree that the Customer’s complete and final instructions about the nature and purposes of the Processing in connection with the Bindplane Offerings are set out in the Agreement and this DPA.
- Any changes or modifications to the instructions shall be communicated in writing and acknowledged by both parties. Company shall inform Customer if, in its reasonable opinion, Customer’s processing instructions are likely to infringe any applicable Data Protection Law; in such event, Company is entitled to refuse Processing of Customer Personal Data that it believes to be in violation of any applicable Data Protection Law until Customer’s instruction so as not to be infringing.
- To the extent Customer’s configuration of Bindplane Offerings results in Company capturing Customer Personal Data, Customer represents and warrants that it will, at all times, comply with all applicable Data Protection Law. As between Customer and Company, Customer is responsible for: (i) protecting Customer Personal Data while using Company to granularly control the scope of Customer Personal Data to be captured by the Bindplane Offerings; and (ii) the accuracy, quality and legality of Customer Personal Data, and the means by which Customer or any relevant third-party acquired Personal Data.
- If Customer is a Processor acting on behalf of a third-party Controller, Customer warrants to Company that Customer's instructions and actions with respect to that Customer Personal Data, including its appointment of Company as another Processor, have been authorized by the relevant Controller.
- Customer represents and warrants that: (i) it will inform its Data Subjects as legally required about its use of Processors to Process their Customer Personal Data, including Company, including where required providing notice to Data Subjects about the use of the Bindplane Offerings; (ii) it has obtained, and continues to have, during the term, all necessary rights, lawful basis, authorizations, and/or valid consents, including from Data Subjects, for the Processing of Customer Personal Data by Company as contemplated by the Agreement; (iii) Customer’s use of the Bindplane Offerings will not, and will not cause Company to, violate any Data Protection Laws or other applicable laws or regulations, or any agreement or obligation between Customer and any third party.
- Customer will provide Company only with the Customer Personal Data necessary for Company to perform its obligations under the Agreement with respect to the Bindplane Offerings and any related services. Customer acknowledges that the use of the Bindplane Offerings does not require and is not suitable for the Processing of any Restricted Information and will not, through its use of the Bindplane Offerings, provide any Restricted Information to be Processed by Company.
4. Requests from Third Parties.
- To the extent Customer Personal Data is available within the Bindplane Offerings, the Bindplane Offerings provide Customer with functionality to access Customer Personal Data in order to assist Customers with requests from Data Subjects exercising their rights granted to them under Data Protection Law (“Data Subject Requests”) or requests from regulatory or judicial bodies relating to the Processing of Customer Personal Data. To the extent that Customer is unable to access the relevant Customer Personal Data within Bindplane Offerings or the access to Customer Personal Data does not provide sufficient assistance to answer such requests in accordance with Data Protection Law, and where required by applicable Data Protection Law, Company agrees, at the Customer’s request, to provide reasonable assistance to Customer, to enable Customer to respond to Data Subject Requests or requests from regulatory or judicial bodies relating to the Processing of Customer Personal Data under the Agreement. If a request is made directly to Company relating to Customer Personal Data for which Company can identify Customer as the Controller, Company shall without undue delay refer such communication to Customer and shall not respond to such request without Customer’s express authorization. The foregoing shall not prohibit Company from communicating with a Data Subject or regulatory or judicial body if it is not reasonably apparent on the face of the communication that the request relates to the Customer or if Company has a legal obligation to respond itself.
- If Company is compelled to disclose Personal Data for which Customer is the Controller due to a request by a law enforcement agency or other third-party, Company will give Customer notice of such request before granting access and/or providing Personal Data, to allow Customer to seek a protective order or other appropriate remedy. If Company is legally prohibited from providing Customer notice, Company will take measures to protect Personal Data from undue disclosure, as if it were Company’s own Confidential Information being requested.
5. Assistance and Cooperation. Subject to the nature of the processing and the Personal Data available to Company and where required by applicable Data Protection Law, Company will, upon Customer’s written request, provide reasonable assistance and information to Customer, where, in Customer’s judgement, the type of Processing performed by Company requires a data protection impact assessment, and/or prior consultation with the relevant data protection authorities and provide reasonable assistance to Customer in complying with its other obligations under applicable Data Protection Law relating to data security and Personal Data Breach notifications, to the extent applicable to the Processing of Customer Personal Data. Customer shall reimburse Company for all non-negligible costs Company incurs in performing its obligations under this section.
6. Demonstrable Compliance. Company agrees to provide information necessary to demonstrate compliance with this DPA upon Customer’s reasonable request.
7. Audits and Assessments.
- Where applicable Data Protection Laws afford Customer an audit or assessment right and subject to the scope of such right, Customer may carry out, upon Customer’s written request and up to once per year, an audit or assessment of Company’s policies, procedures, and records relevant to the Processing of Customer Personal Data, in accordance with applicable Data Protection Laws.
- To request an audit, Customer must submit a detailed audit plan and should be agreed by both parties at least four (4) weeks in advance of the proposed audit date to Company, which plan describes the proposed scope, duration, and start date of the audit. Company will review the audit plan and provide Customer with any concerns or questions. Before the commencement of any audit, the parties shall agree on a detailed audit plan, including fees, timing, scope of controls, evidence to be produced, and duration. If the requested audit scope is addressed in a similar audit report within the prior twelve months and Company confirms there are no material changes in the controls audited, Customer agrees to accept those findings in lieu of requesting an audit of the controls covered by the report.
- Any audit or assessment must be: (i) conducted during Company’s normal business hours; and (ii) subject to the parties’ confidentiality obligations. If a third-party is to conduct the audit, the third-party must not be a competitor to Company, and such third-party is subject to Company’s prior consent, and must execute a written confidentiality agreement with the parties before conducting the audit. Customer shall not disclose audit information to third parties without prior consent from Company. Customer must return and/or securely destroy audit information upon Company’s request unless it is required under the applicable law to retain it for a longer period; in which case Customer shall maintain no more than one copy for the legally required duration.
- Any audits are at Customer’s expense. Any request for Company to provide assistance with an audit is considered a separate service if such audit assistance requires the use of resources different from, or in addition to, those required for the provision of the Bindplane Offerings. Company will seek Customer’s written confirmation that it will pay any applicable fees before performing such audit assistance.
8. Confidentiality. Any person that Company authorizes to process the Customer Personal Data shall be subject to a contractual, statutory duty, or other binding obligations of confidentiality.
9. Security
- Security Measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company has implemented and shall maintain appropriate technical and organizational measures designed to provide a level of security appropriate to the risk of Processing Customer Personal Data (“Security Measures”). Customer confirms that Company’s implementation of the Security Measures identified at Schedule B is sufficient for the purposes of complying with its obligations under this DPA. Notwithstanding the above, Customer acknowledges and agrees it is responsible for its own secure use of the Bindplane Offerings.
- Personal Data Breach. Company will notify Customer without undue delay and no later than required of Company by applicable Data Protection Law, after it becomes aware of a Personal Data Breach. Company will promptly initiate an investigation into the circumstances surrounding the Personal Data Breach and make its findings available to Customer. Company will endeavour to take all steps required by applicable Data Protection Law to mitigate the effects of such Personal Data Breach. At Customer’s request and taking into account the nature of the Processing and information available to Company, Company will take commercially reasonable steps to assist Customer in complying with its obligations necessary to enable Customer to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if Customer is required to do so under applicable Data Protection Law. Notification of a Personal Data Breach will be delivered to one or more of Customer’s administrators by any means Company selects including via email. It is Customer’s sole responsibility to ensure Customer’s administrators maintain accurate contact information on the online portal or as otherwise required by Company in a written notice to Customer’s administrator(s). Company’s obligation to report or respond to a Personal Data Breach under this Section is not an acknowledgement by Company of any fault or liability with respect to the Personal Data Breach.
10. Sub-processing
- Customer provides general authorization for Company to engage Sub-processors, including members of the Company Group, and authorizes Company and members of the Company Group to engage further Sub-processors. A list of current Sub-processors for the Bindplane Offerings is available at Bindplane Trust Center (the “Sub-processor List”). Company shall update the Sub-processor List to reflect any addition or change in third-party Sub-processors not less than thirty (30) days prior to the effective date of the change.
- To the extent required by applicable Data Protection Law, Customer may object to the processing of Customer Personal Data by any newly appointed Sub-processor on reasonable grounds relating to the protection of Customer Personal Data and shall inform Company in writing within fifteen (15) days after notice of the changes is posted on the Sub-processor List, setting out the specific reasons for its objection. Customer’s objection must be in writing and provide commercially reasonable justification for the objection, based on reasonable concerns concerning the proposed Sub-processor’s practices relating to data protection. Following an objection, the parties will then work together in good faith to address Customer’s reasonable objections and proceed with the change in Sub-processor. If an agreement cannot be reached within fifteen (15) days of the objection, at Company’s option: (a) Company will instruct the Sub-processor not to process Customer Personal Data, which may result in a Bindplane Offerings feature being suspended and unavailable to Customer, or (b) Customer may immediately terminate this DPA and the Agreement and Company will promptly refund a prorated portion of any prepaid fees for the period after such suspension or termination date. If no objection is received by Company within the time period specified above, Customer shall be deemed to have approved the use of the new Sub-processor.
- Company shall: (i) enter into a written agreement with each Sub-processor containing data protection obligations that provide substantially similar appropriate contractual obligations but not less restrictive than those set forth in this DPA, to the extent appropriate to the nature of the service provided by such Sub-processor; and (ii) remain responsible for such Sub-processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-processor that cause Company to breach any of its obligations under this DPA.
11. Deletion of Customer Data on Termination. Following termination or expiry of the Agreement, Customer Data, including Customer Personal Data, will be securely deleted within a commercially reasonable period following termination, or, at the choice of Customer, returned, except as required to be retained by Applicable Law or to the extent archived on back-up systems, in which case the terms of this DPA shall survive.
12. International Data Transfers
- Customer authorizes Company and its Sub-processors to transfer Customer Personal Data across international borders, including without limitation from the EEA, UK, and/or Switzerland to the United States. If Customer Personal Data originating from the EEA or Switzerland is transferred to a country that has not been found to provide an adequate level of protection under applicable Data Protection Law (“Restricted Transfer”), the parties agree that the transfer shall be governed by the Standard Contractual Clauses that are hereby incorporated by reference into this DPA as follows. The signatures on this DPA or the Agreement constitute signing the Standard Contractual Clauses and any annexes attached thereto. When the transfer of Customer Personal Data from Customer (“Data Exporter”) to Company (“Data Importer”) is a Restricted Transfer and Data Protection Laws require that a valid transfer mechanism be put in place, the transfers shall be subject to the Standard Contractual Clauses.
- The Standard Contractual Clauses shall be completed as follows:
- Module Two (Controller to Processor) will apply;
- In Clause 7 (Docking), the optional docking clause will apply;
- In Clause 8.5 and Clause 16 (d), the certification of deletion will be provided upon Data Exporter’s written request;
- In Clause 8.9, the audit right shall be conducted in accordance with Section 7 of the DPA;
- In Clause 9 (Use of Sub-processors), option 2 “General Written Authorization” for subprocessors shall apply and the time period for prior notice shall be as set out in section 10 of this DPA;
- In Clause 11 (Redress), the optional language shall not apply;
- In Clause 13 (Supervision), the competent supervisory authority shall be the Commission nationale de l’informatique et des libertés (“CNIL”);
- In Clause 14 (f) and Clause 16 (c), the termination right will be limited to the termination of the Clauses;
- In Clause 17 (Governing Law), the Standard Contractual Clauses shall be governed by French law;
- In Clause 18(b) (Choice of Forum and Jurisdiction), the parties agree that disputes shall be resolved before the courts of France;
- Annex 1 of the Standard Contractual Clauses shall be completed with the information set out in Schedule A of this DPA;
- Annex 2 of the Standard Contractual Clauses shall be completed with the information set out in Schedule B of this DPA; and
- A new Clause 1 (e) is added to the Standard Contractual Clauses which shall read: “To the extent applicable hereunder, these Clauses also apply mutatis mutandis to the parties’ Processing of Customer Personal Data that is subject to the Swiss Federal Act on Data Protection. Where applicable, reference to EU Member State law or EU supervisory authorities shall be modified to include the appropriate reference under Swiss law as it relates to the transfer of Customer Personal Data that are subject to the Swiss Federal Act on Data Protection and the Swiss Federal Data Protection and Information Commissioner as the supervisory authority under these Clauses.”.
- To the extent Company’s provision of the Bindplane Offerings involves the transfer of Customer Personal Data originated from the UK to a third country that has not been designated as providing an adequate level of protection for Customer Personal Data under the Applicable Laws in the UK, the Standard Contractual Clauses shall: (i) be used and completed as set forth in section 12; (ii) a new Clause 1(f) is added to the Standard Contractual Clauses which shall read: “To the extent applicable hereunder, these Clauses, as supplemented by Section 12, also apply mutatis mutandis to the parties’ Processing of Customer Personal Data that is subject to the UK Data Protection Laws”; and (iii) the UK Addendum shall be completed as follows:
- Table 1 of the UK Addendum shall be completed with the information in Schedule A.
- Table 2 of the UK Addendum shall be completed with the information located in this Section 12 (c) of this DPA.
- Table 3 of the UK Addendum shall be completed as follows:
- The list of parties is set forth in Schedule A;
- A description of the transfer is set forth in Schedule A;
- A description of the technical and organizational measures is set forth in Schedule B;
- The list of sub-processors is in section 10 of this DPA;
- For purposes of completing Table 4 of the UK Addendum, both the importer and the Data Exporter may end the UK Addendum as set out in Section 19 of the UK Addendum.
- To the extent Company’s provision of the Bindplane Offerings involves the transfer of Customer Personal Data originated from China to a third country that has not been designated as providing an adequate level of protection for Customer Personal Data under the Applicable Laws in China, Customer shall be responsible for fulfilling all the following obligations for exporting Customer Personal Data (where Customer is the Controller) or ensuring that all the following obligations have been fulfilled by the relevant third-party controller (where Customer is the Processor):
- informing the individuals of the name and contact information of the overseas receiving party of Customer Personal Data, the purpose and means of the Processing, the categories of Customer Personal Data, and the methods and procedures via which the individuals may raise requests to exercise the rights to Customer Personal Data with the overseas receiving party of Customer Personal Data;
- securing a lawful basis for the export of Customer Personal Data, and where consent of the individuals is the lawful basis, obtaining separate consent of the individuals;
- conducting a personal information protection impact assessment on the exporting of Customer Personal Data; and
- adopting the appropriate safeguard measure required by the PIPL and accompanying administrative regulations (i.e., passing the government security assessment, filing the executed standard contractual clauses or obtaining the certification) unless an exemption applies.
- If Customer Personal Data originating from Brazil is transferred to a country that has not been found to provide an adequate level of protection under the LGPD, the parties agree that the transfer shall be governed by the Brazilian SCCs. When the transfer of Customer Personal Data from Customer (“Data Exporter”) to Company (“Data Importer”) is a Restricted Transfer and Data Protection Laws require that a valid transfer mechanism be put in place, the transfers shall be subject to the Brazilian SCCs.
- In addition to the foregoing, if a Supervisory Authority adopts, updates or replaces any standard contractual clauses or similar data transfer mechanisms, Company reserves the right to adopt an alternative compliance standard to replace or supplement the Standard Contractual Clauses or the UK Addendum for the lawful transfer of Personal Data, or add new data transfer mechanisms for other countries, provided these are recognized under Data Protection Law. Company will provide thirty (30) days advance notice of the adoption of the alternative compliance standard to customers who subscribe to Data Protection Notices. The variation will automatically apply as set out in Company’s notification at the end of the notice period.
- In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) the Standard Contractual Clauses (provided however, Processor may appoint Sub-processors as set out, and subject to the requirements of, Section 10 of this DPA) or a similar mechanism required by applicable Data Protection Laws specifically for international data transfers; (2) this DPA; and (3) the Agreement.
- To the extent Company transfers Customer Data originating from and protected by applicable Data Protection Law in Japan, Company shall comply with the principles and rights of Data Subjects and the data protection obligations provided in the APPI.
- To the extent Company’s provision of the Bindplane Offerings involves the transfer of Customer Personal Data originated from Israel to a third country that has not been designated as providing an adequate level of protection for Customer Personal Data under the Applicable Laws in Israel, Customer shall be responsible for securing a lawful basis for the export of Customer Personal Data. For clarity, this DPA constitutes Company's written obligation for adopting the appropriate safeguard measures required by the Protection of Privacy Regulations (International Data Transfer), 2001. For the sake of clarity, the obligations in this DPA are deemed sufficient by the Customer to facilitate the transfer of information outside Israel in accordance with Regulation 3 of the Privacy Protection Regulations (Transfer of Data to Databases Outside the Borders of the Country), 2001.
13. Supplemental US State Privacy Laws Specific Terms.
- The definition of “Applicable Data Protection Law” includes US State Privacy Laws. “US State Privacy Laws” means all state laws relating to the protection and processing of personal data in effect in the United States of America, which may include, without limitation, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”) and similar consumer privacy laws in other states, in each case, as amended, supplemented or replaced from time to time.
- Where Company processes Customer Personal Data subject to US State Privacy Laws, Company is a “service provider” or “processor” (as applicable) when processing Customer Personal Data. Customer discloses, or otherwise makes available, Customer Personal Data to Company for a limited and specified purpose of providing Bindplane Offerings in accordance with the Agreement (the “Purpose”). Company shall (and will require that its Sub-processors):
- comply with obligations applicable to it as a service provider or processor under US State Privacy Laws;
- notify if it can no longer meet its obligations under US State Privacy Laws;
- not “sell” or “share” (as such terms are defined by the CCPA) Customer Content or retain, use, or disclose Customer Personal Data: (1) for any purpose other than the Purpose, including retaining, using, or disclosing Customer Personal Data for a commercial purpose other than the Purpose, or as otherwise permitted by US State Privacy Laws; or (2) outside of the direct business relationship between Customer and Company; or, unless otherwise permitted by US State Privacy Laws, not combine Customer Personal Data with Personal Data that Company receives from or on behalf of another business or person, or that it collects from its own interactions with individuals, unless such combination is required to perform any business purpose as permitted by US State Privacy Laws;
- Customer will: (1) upon notice, have the right to take reasonable and appropriate steps agreed upon by the parties to help ensure that Company Processes Customer Personal Data in a manner consistent with Customer’s obligations under US State Privacy Laws and to stop and remediate unauthorized Processing of Customer Personal Data by Company; (2) notify Customer if it makes a determination that it can no longer meet its obligations under US State Privacy Laws in relation to Customer Personal Data;
- Company acknowledges and confirms that it does not receive Customer Personal Data as consideration for any Bindplane Offerings provided to Customer. Company certifies that it understands and will comply with its obligations under US State Privacy Laws.
14. Miscellaneous
- Except as amended by this DPA, the Agreement will remain in full force and effect. Any amendments to this DPA shall be in writing and duly signed by authorized representatives of the parties.
- Notwithstanding anything to the contrary in the Agreement or this DPA, each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, any order or the Agreement, whether in contract, tort or under any other theory of liability, shall remain subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and this DPA, including all Schedules hereto. Company shall not be liable to Customer for indirect or consequential loss or damage, loss of profit, loss of sales, loss of business, loss of anticipated savings, loss of or damage to goodwill, or otherwise in each case whether direct or indirect which arise out of or in connection with this DPA. Without limiting either of the parties’ obligations under the Agreement or this DPA, Customer agrees that any liability incurred by Company in relation to the Customer Personal Data that arises as a result of, or in connection with, Customer’s failure to comply with its obligations under this DPA or applicable Data Protection Law shall count toward and reduce Company’s liability limit under the Agreement (or if applicable, under this DPA) as if it were liability to the Customer. Notwithstanding anything to the contrary in this DPA (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any GDPR fines issued or levied under Article 83 of the GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the GDPR.
- This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement provided that the Standard Contractual Clauses will be governed as set out in section 12 of this DPA. In the event of any inconsistency or conflict between the English version of this DPA and any translation, the English version shall prevail and control.
SCHEDULE A
DETAILS OF THE PROCESSING
Description of Data Exporter
The Data Exporter is the entity identified as the “Customer” or “Company”, as the case may be in case of any Sub-processing, in the Data Processing Agreement in place between Data Exporter and data importer and to which this Schedule is appended.
Description of Data Importer
The data importer is the entity identified as “observIQ, Inc. dba Bindplane” or a duly authorized Sub-processor in the Data Processing Agreement in place between Data Exporter and data importer and to which this schedule is appended.
Subject Matter and Duration of the Processing
The subject-matter and duration of the processing is as follows:
As between the parties, Customer shall be the Controller of certain Customer Personal Data provided to Company by Customer in connection to its use of Bindplane Offerings. The duration of the processing shall be the term of the Agreement.
Purposes of the Processing
The processing is necessary for the following purposes:
To enable Company to provide the Bindplane Offerings to Customer and exercise its rights and obligations under the Agreement.
Data Subjects
The data subjects may include: (i) users authorized by the Customer to use the Bindplane Offerings and (ii) users of or visitors to Customer’s monitored applications and/or websites (including but not limited to the Customer’s employees, customers or clients, agents, contractors, and advisors) as determined in the Customer’s sole discretion.
Type of Personal Data
Customer Personal Data processed under this DPA may include Personal Data contained in Customer Data processed through the Bindplane Offerings, including telemetry data such as logs, metrics, traces, events, and related metadata. Such Personal Data may include IP addresses, email addresses, usernames, device or endpoint identifiers, or other Personal Data, to the extent included in such Customer Data by or on behalf of Customer.
Special categories of data or sensitive personal data (if appropriate)
The Personal Data transferred concern the following special categories of data or sensitive personal data:
Not applicable. Customer may not use the Bindplane Offerings to process any data classified as “special category data” or “sensitive personal data”, unless explicitly agreed in writing.
Processing Operations
Company shall process the Customer Personal Data as necessary to provide the Bindplane Offerings and to perform its obligations under the Agreement and this Data Processing Agreement, including for purposes such as customer enablement, technical support, and professional services.
For clarity, this does not include processing of Personal Data by Company as an independent controller in connection with improving the Bindplane Offerings, user authentication, communications, or account administration.
SCHEDULE B
PHYSICAL, TECHNICAL, AND ORGANISATIONAL REQUIREMENTS FOR THE SECURITY OF PERSONAL DATA
- Introduction
- This document sets forth minimum physical, technical, and organizational security requirements that shall be implemented by Company as a Processor for the processing of Personal Data on behalf of the Customer.
- Additional Definitions
- Authorized Users: Personnel who are authorized to access Processor’s information systems that store, process, or transmit Customer Personal Data.
- Physical Requirements
- Personnel Security: Processor shall perform appropriate due diligence on its personnel, including background and criminal history checks.
- Asset Inventory: Processor shall maintain a register of all hardware, software, and third-party licensing requirements.
- Asset Removal: Processor shall have controls for the removal of media containing Customer Personal Data, including:
- Media may be removed from designated premises only if specifically authorized by Processor (as applicable).
- Processor shall maintain logs of all media removal.
- Processor shall take necessary measures to prevent unauthorized access to the media and the Customer Personal Data therein.
- Asset Re-Use and Disposal:
- Processor shall have policies and controls for asset re-use and disposal.
- Processor shall ensure the secure and irretrievable deletion of Customer Personal Data, with certificates of destruction.
- Processor shall ensure the secure and irretrievable destruction of paper documents.
- Technical Requirements
- Authorization: Processor shall have authorization systems where different authorization profiles are used for different purposes.
- Identification:
- Processor shall establish identification and authentication procedures for all access to information systems.
- Every Authorized User shall receive a personal and unique identification code for that purpose (“User ID”). A User ID may not be assigned to another person, even at a subsequent time.
- Authentication:
- Authorized Users shall be allowed to access Processor’s information systems (as applicable) only if they have been provided with authentication credentials.
- Processor shall ensure that authentication is based on:
- a secret password, which is associated with the User ID and is known only by the Authorized User; and
- a Multi-Factor Authentication (“MFA”) solution, as described below.
- Processor shall have procedures to assign, distribute, and store passwords in a manner that ensures password confidentiality and integrity including storing passwords in a way that makes them unintelligible while they remain valid.
- Processor shall ensure that passwords shall:
- consist of at least 10 characters—or, if this is not technically permitted by the relevant information systems, the maximum number of permitted characters;
- not contain any item that can be easily related to the Authorized User;
- be modified by the Authorized User to a secret value known only to the Authorized User when it is first used.
- In addition to a valid User ID and password combination, Processor shall secure all access to information systems by an MFA solution. The MFA solution may be software or hardware in nature.
- Processor shall promptly de-activate an Authorized User’s authentication credentials if the Authorized User is terminated, transferred, or de-authorized.
- Access:
- Processor shall enact operating systems and database access controls to ensure access only by Authorized Users.
- Processor shall have a logical access control policy that categorizes and restricts access based on job function. Processor shall review categorizations on at least a semi-annual basis.
- Processor shall maintain an up-to-date record of Authorized Users and the access available to each.
- Processor shall grant Authorized Users access to only Customer Personal Data necessary to provide products or services to Customer.
- Processor shall ensure that only authorized administrators are able to grant, alter, or cancel access by Authorized Users to Customer Personal Data.
- Processor shall periodically review all privileged access authorizations.
- Segregation Control:
- Processor shall ensure logical separation of Customer Personal Data from that of other clients.
- Processor shall provide for separate processing (e.g., storage, modification, access, deletion, and transmission) of Customer Personal Data for different purposes, as follows:
- Development, testing, and production environments shall be physically separated.
- Production data shall not be used in non-production environments unless it is necessary, and there is no reasonable alternative. If used, production data shall be anonymized, limited to the extent necessary, and protected by security measures that are proportionate to the sensitivity of the data.
- Encryption: Processor shall encrypt Customer Personal Data (including data at rest, data in transit, and backups) as follows:
- Processor shall implement current industry standards for encryption algorithms, minimum key lengths, and secure hashes.
- Minimum key lengths shall be 256 bits (symmetric encryption) and 2048 bits (asymmetric encryption), unless otherwise approved.
- Processor shall encrypt all Customer Personal Data transmitted over a public network.
- Processor shall encrypt all Customer Personal Data on portable media and storage devices (including servers, laptop computers, smartphones, tablet computers, solid state devices, and magnetic tapes).
- Processor shall store encryption keys in a non-tamperable location (hardware security module preferred).
- Processor shall ensure that access to encryption keys is strictly restricted to named administrators.
- Data Transmission: For any Customer Personal Data that is transmitted over an electronic communications network:
- Processor shall have measures to control the flow of Customer Personal Data.
- Processor shall record the timing of the transmission, the Customer Personal Data transmitted, the destination of the transmission, and the Authorized User conducting the transmission.
- Email:
- Processor shall secure email communications by using either the most current release of Transport Layer Security or one prior version.
- Processor shall implement anti-spoofing configurations, including SPF, DKIM, and DMARC.
- Processor shall prohibit auto-forwarding.
- Data Recovery:
- Processor shall make backups of Customer Personal Data at least daily, and on a more frequent basis if required by service level agreement.
- Processor shall store backups and data recovery procedures in a different location than (but the same region as) the information systems that process Customer Personal Data.
- Processor shall encrypt backups if they are transferred or stored off-site.
- Processor and its Sub-Processors shall have procedures to ensure that, in the event of data loss or destruction, Customer Personal Data is restored promptly without material data loss.
- Vulnerability Identification and Remediation:
- Processor shall periodically review the hardware, firmware, and software used in information systems to identify security vulnerabilities.
- Processor shall conduct annual penetration tests.
- Processor shall remediate identified security vulnerabilities promptly, in accordance with the severity and criticality of each vulnerability.
- Information System Security: Processor shall employ:
- Threat intelligence monitoring: continuous monitoring and analysis of emerging threats, attacks, and vulnerabilities.
- System monitoring: logging of all events that may assist in the identification or investigation of security incidents.
- Intrusion Detection Systems (“IDS”): tools to identify unauthorized access to Customer Personal Data, as well as actual and potential attacks on the network and anywhere Customer Personal Data is stored, processed, or accessed. IDS shall reflect industry’s best practice.
- Firewalls: Routing of all traffic networks owned or managed by a third party through a firewall and ensuring secure connections between internal and external systems. Firewall configuration shall include anti-spoofing, prevention of source routing, an inactivity timeout, and the disablement of packet forwarding and the ANY-ANY rule.
- Malware protection: tools and processes to detect, protect against, and remove malware.
- Security patches: Timely implementation of security patches and other vulnerability updates.
- Change control: procedures to ensure that modifications to the production environment (e.g., application, operating system, and hardware level changes) protect the confidentiality, integrity, and availability of information systems.
- Emergency change control: procedures to ensure that emergency access to the production environment and the introduction of unscheduled changes occur only with appropriate authorization.
- Organizational Requirements
- Overview: Processor shall have an organizational framework, adopted by executive leadership, and written policies and procedures that establish an appropriate and accountable information security organization and ensure the proper training and competent performance of its personnel.
- Chief Information Security Officer:
- Processor shall have a Chief Information Security Officer (“CISO”), or someone in a comparable position, who is suitably trained and experienced in managing information security and provided with appropriate resources.
- The CISO or comparable person shall be responsible for overall compliance with the requirements set forth in this document.
- The contact details of the CISO or comparable person shall be provided to Customer upon request.
- Information Security Policies and Procedures:
- Processor shall maintain information security policies and procedures that address:
- Physical security, including:
- The security of premises.
- The security of equipment and telecommunications systems.
- Environmental security.
- The physical security requirements described herein.
- Technical security, including:
- The security and maintenance of telecommunications systems, computers, software, databases, and removable media.
- Secure software development (including design, implementation, and maintenance).
- The security of connecting systems to the Internet.
- The security of encryption keys, passwords, and other signals and codes.
- Malware identification, containment, and removal.
- Vulnerability identification and remediation.
- The identification and prevention of unauthorized attempts to access systems and applications.
- Backups and data recovery.
- The technical security requirements described herein.
- Organizational security, including:
- Defined responsibilities for personnel regarding data protection and information security.
- Data retention and disposal.
- The organizational security requirements described herein.
- Processor shall maintain the policies and procedures in a manner that is accessible to appropriate personnel.
- Processor shall review the policies and procedures at least annually, and whenever material changes are made to information systems or to physical, technical, or organizational measures.
- Incident Response Plan:
- Processor shall maintain a plan for reporting, responding to, and managing security incidents. The plan shall include, at a minimum:
- A detailed specification of protected resources (including, but not limited to, “crown jewels” analysis).
- Procedures for reporting and escalating incidents to appropriate management.
- A designated team, led by the CISO or comparable person, which manages and coordinates incident response.
- Recordkeeping requirements, including the time the incident occurred, the person reporting the incident, the impact of the incident, mitigation measures, and the effects thereof, and other material facts.
- Remediation standards for different types of foreseeable security incidents (e.g., malware, DDoS, etc.).
- The requirement to notify Customer, as specified in the service level agreement, if an incident results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
- The requirement to work with Customer where appropriate until such security incident has been satisfactorily resolved.
- Procedures for recovering Customer Personal Data, including recording the personnel who undertook recovery activities, the data restored, and if data needed to be input manually during the recovery process.
- Processor shall maintain the incident response plan in a manner that is accessible to appropriate personnel, including during a security incident.
- Processor shall review the incident response plans at least annually, and whenever material changes are made to information systems or to physical, technical, or organizational measures.
- Processor shall test their incident response plans at least once a year.
- Business Continuity and Disaster Recovery: Processor shall maintain business continuity and disaster recovery plans. Each plan shall be exercised on at least an annual basis and shall contain a recovery time objective (RTO) and a recovery point objective (RPO).
- Artificial Intelligence: If Processor is authorized by Customer to provide products or services that use or rely on machine learning, deep learning, large language models, neural networks, or other similar models or artificial intelligence capabilities (collectively, “AI”), then Processor shall employ risk management programs that are designed to identify, reduce, mitigate, and remedy any risks associated with reasonably foreseeable misuse of AI.
- Training: Processor shall train personnel regularly on:
- Applicable law (e.g., cybersecurity, data privacy, and data protection).
- Relevant security policies and procedures.
- How to report and escalate security incidents.
- For personnel who have access to Customer Personal Data, the requirements in this document.
- The consequences of violating the foregoing, with disciplinary measures clearly documented and communicated.
- Contractors, Agents, and Sub-sub-processors: Processor shall perform adequate due diligence and implement appropriate controls on all entities working on its behalf (e.g., contractors, agents, and sub-sub-processors). These measures shall include, for each entity:
- A pre-onboarding review of the entity’s information security and data protection program for fitness and suitability.
- A written agreement that sets forth the requirements in this document and other appropriate obligations.
- A requirement that entities receiving Customer Personal Data shall: (a) use and grant access to such information only as necessary to provide products or services to Customer; and (b) anonymize or mask such information to the greatest extent possible.
- Reviews—on at least an annual basis—to ensure compliance with the requirements in this document.
- Processor Security Policy Review:
- Processor shall review their compliance with the requirements in this document at least annually, and whenever material changes are made to this document or to information systems or physical, technical, or organizational measures managed by Processor.
- As part of the review, Processor shall assess the extent to which its security measures and controls comply with these requirements, identify any gaps, and propose corrective or supplementary measures, as necessary.
- Audit:
- Processor shall have annual programs to audit their information security and data protection programs against suitable industry standards, such as NIST CSF, SOC1 Type II, SOC2 Type II, and similar programs.
- Processor shall provide copies of certifications to Customer upon request.
SCHEDULE C
Brazilian SCCs
STANDARD CONTRACTUAL CLAUSES – CONTROLLER/PROCESSOR
CLÁUSULAS-PADRÃO CONTRATUAIS – CONTROLADOR/OPERADOR
Section I – General Information
CLAUSE 1. Identification of the Parties
Seção I – Informações Gerais
CLÁUSULA 1. Identificação das Partes
1.1. By this agreement, the Exporter and the Importer (hereinafter, “Parties”), identified below, have agreed to these standard contractual clauses (hereinafter, “Clauses”) approved by the National Data Protection Authority (ANPD), to govern the International Data Transfer described in Clause 2, in accordance with the provisions of the National Legislation.
1.1. Pelo presente instrumento contratual, o Exportador e o Importador (doravante, Partes), abaixo identificados, resolvem adotar as cláusulas-padrão contratuais (doravante Cláusulas) aprovadas pela Autoridade Nacional de Proteção de Dados (ANPD), para reger a Transferência Internacional de Dados descrita na Cláusula 2, em conformidade com as disposições da Legislação Nacional.
Exporter’s information
Informações do Exportador
Name: See Schedule A of the DPA
Nome: Ver Anexo A do DPA
Qualification: As defined in the Agreement
Qualificação: As defined in the Agreement
Main address: As defined in the Agreement
Endereço principal: As defined in the Agreement
Email address: As defined in the Agreement
Endereço de e-mail: As defined in the Agreement
Contact for the Data Subject: As defined in the Agreement
Contato para o Titular: As defined in the Agreement
Other information: N/A
Outras informações: N/A
Exporter (Controller): [X]
Exporter (Processor): [ ]
Exportador (Controlador): [X]
Exportador (Operador): [ ]
Importer’s information
Informações do Importador
Name: See Schedule A of the DPA
Nome: Ver Anexo A do DPA
Qualification: As defined in the Agreement
Qualificação: As defined in the Agreement
Main address: As defined in the Agreement
Endereço principal: As defined in the Agreement
Email address: As defined in the Agreement
Endereço de e-mail: As defined in the Agreement
Contact for the Data Subject: As defined in the Agreement
Contato para o Titular: As defined in the Agreement
Other information: N/A
Outras informações: N/A
Importer (Controller): [ ]
Importer (Processor): [ X ]
Importador (Controlador): [ ]
Importador (Operador): [ X ]
CLAUSE 2. Object
CLÁUSULA 2. Objeto
2.1. These Clauses shall apply to International Transfers of Personal Data between Data Exporters and Data Importers, as described below.
2.1. Estas cláusulas se aplicam às Transferências Internacionais de Dados do Exportador para o Importador, conforme a descrição abaixo.
Description of the international data transfer:
Descrição da transferência internacional:
Main purposes of the transfer: As provided for in the Agreement. See Clause 3 and Schedule A of the DPA
Principais finalidades da transferência: Conforme estabelecido no Contrato. Ver Cláusula 3 e Anexo A do DPA
Categories of personal data transferred: See Schedule A of the DPA
Categorias de dados pessoais transferidos: Ver Anexo A do DPA
Period of data storage: See Schedule A of the DPA
Período de armazenamento dos dados: Ver Anexo A do DPA
Other information: N/A
Outras informações: N/A
CLAUSE 3. Onward Transfers
CLÁUSULA 3. Transferências Posteriores
OPTION B. 3.1. The Importer may carry out an Onward Transfer of Personal Data subject to the International Data Transfer governed by these Clauses, in the cases and according to the conditions described below and the provisions of Clause 18.
OPÇÃO B. 3.1. O Importador poderá realizar Transferência Posterior dos Dados Pessoais objeto da Transferência Internacional de Dados regida por estas Cláusulas nas hipóteses e conforme as condições descritas abaixo e desde que observadas as disposições da Cláusula 18.
Main purposes of the transfer: As provided for in the Agreement. See Clause 3 and Schedule A of the DPA
Principais finalidades da transferência: Conforme estabelecido no Contrato. Ver Cláusula 3 e Anexo A do DPA
Categories of personal data transferred: See Schedule A of the DPA
Categorias de dados pessoais transferidos: Ver Anexo A do DPA
Period of data storage: See Schedule A of the DPA
Período de armazenamento dos dados: Ver Anexo A do DPA
Other information: Onward Transfers must observe the provisions of Clause 10 and Schedule A of the DPA.
Outras Informações: As Transferências Posteriores devem observar as disposições da Cláusula 10 e Anexo A do DPA.
CLAUSE 4. Responsibilities of the Parties
CLÁUSULA 4. Responsabilidades das Partes
4.1 Without prejudice to the duty of mutual assistance and the general obligations of the Parties, the Designated Party below, as Controller, shall be responsible for complying with the following obligations set out in these Clauses:
4.1. Sem prejuízo do dever de assistência mútua e das obrigações gerais das Partes, caberá à Parte Designada abaixo, na condição de Controlador, a responsabilidade pelo cumprimento das seguintes obrigações previstas nestas Cláusulas:
a) Responsible for publishing the document provided in Clause 14:
Exporter [ X ]
Importer [ ]
a) Responsável por publicar o documento previsto na Cláusula 14:
Exportador [ X ]
Importador [ ]
b) Responsible for responding to requests from Data Subjects dealt with in Clause 15:
Exporter [ X ]
Importer [ ]
b) Responsável por atender às solicitações de titulares de que trata a Cláusula 15:
Exportador [ X ]
Importador [ ]
c) Responsible for notifying the security incident provided in Clause 16:
Exporter [ X ]
Importer [ ]
c) Responsável por realizar a comunicação de incidente de segurança prevista na Cláusula 16:
Exportador [ X ]
Importador [ ]
4.2. For the purposes of these Clauses, if the Designated Party pursuant to item 4.1. is the Processor, the Controller remains responsible for:
4.2. Para os fins destas Cláusulas, verificado, posteriormente, que a Parte Designada na forma do item 4.1 atua como Operador, o Controlador permanecerá responsável:
a) compliance with the obligations provided in CLAUSES 14, 15 and 16 and other provisions established in the National Legislation, especially in case of omission or non-compliance with the obligations by the Designated Party;
a) pelo cumprimento das obrigações previstas nas Cláusulas 14, 15 e 16 e demais disposições estabelecidas na Legislação Nacional, especialmente em caso de omissão ou descumprimento das obrigações pela Parte Designada;
b) compliance with ANPD’s determinations; and
b) pelo atendimento às determinações da ANPD; e
c) guaranteeing the Data Subjects' rights and repairing damages caused, subject to the provisions of Clause 17.
c) pela garantia dos direitos dos Titulares e pela reparação dos danos causados, observando o disposto na Cláusula 17.
4.3 In the event of being deemed a Controlling Party as referred to in item 4.2, the Exporter shall be responsible for complying with the obligations set out in Clauses 14, 15 and 16.
4.4 With the exception of the provisions of items 4.2 and 4.3, the provisions of Clauses 14, 15 and 16 shall not apply to the Parties as Processors.
4.5. The Parties shall, in any event, provide all the information at their disposal that proves necessary for the Third-Party Controller to comply with ANPD's determinations and to adequately fulfill the obligations provided for in the National Legislation relating to transparency, compliance with the rights of data subjects and the reporting of security incidents to ANPD.
4.6. The Parties shall promote mutual assistance in order to meet the requests of the Data Subject.
4.7 In the event of receiving a request from a Data Subject, the Party shall:
a) respond to the request when it has the necessary information;
b) inform the Data Subject of the service channel provided by the Third-Party Controller; or
c) forward the request to the Third-Party Controller as soon as possible, to enable a response within the period provided for in the National Legislation.
4.8. The Parties must keep a record of security incidents involving personal data, in accordance with National Legislation.
4.3. Caso verificada a equiparação a Controlador de que trata o item 4.2, caberá ao Exportador o cumprimento das obrigações previstas nas Cláusulas 14, 15 e 16.
4.4. Ressalvado o disposto nos itens 4.2. e 4.3, não se aplica às Partes, na condição de Operadores, o disposto nas Cláusulas 14, 15 e 16.
4.5. As Partes fornecerão, em qualquer hipótese, todas as informações de que dispuserem e que se demonstrarem necessárias para que o Terceiro Controlador possa atender a determinações da ANPD e cumprir adequadamente obrigações previstas na Legislação Nacional relacionadas à transparência, ao atendimento a direitos dos titulares e à comunicação de incidentes de segurança à ANPD.
4.6. As Partes devem promover assistência mútua com a finalidade de atender às solicitações dos Titulares.
4.7. Em caso de recebimento de solicitação de Titular, a Parte deverá:
a) atender à solicitação, quando dispuser das informações necessárias;
b) informar ao Titular o canal de atendimento disponibilizado pelo Terceiro Controlador; ou
c) encaminhar a solicitação para o Terceiro Controlador o quanto antes, a fim de viabilizar a resposta no prazo previsto na Legislação Nacional.
4.8. As Partes devem manter o registro de incidentes de segurança com dados pessoais, nos termos da Legislação Nacional.
Section II
Seção II
Mandatory Clauses
Cláusulas Mandatórias
CLAUSE 5. Purpose
CLÁUSULA 5. Finalidade
5.1. These Clauses are presented as a mechanism to enable the secure international flow of personal data, establish minimum guarantees and valid conditions for carrying out the International Data Transfer and aim to guarantee the adoption of adequate safeguards for compliance with the principles, the rights of the Data Subject and the data protection regime provided for in National Legislation.
5.1. Estas Cláusulas se apresentam como mecanismo viabilizador do fluxo internacional seguro de dados pessoais, estabelecem garantias mínimas e condições válidas para a realização de Transferência Internacional de Dados e visam garantir a adoção das salvaguardas adequadas para o cumprimento dos princípios, dos direitos do Titular e do regime de proteção de dados previstos na Legislação Nacional.
CLAUSE 6. Definitions
CLÁUSULA 6. Definições
6.1. For the purposes of these Clauses, the definitions in art. 5 of LGPD, and art. 3 of the Regulation on the International Transfer of Personal Data shall be considered, without prejudice to other normative acts issued by ANPD. The Parties also agree to consider the terms and their respective meanings as set out below:
6.1. Para os fins destas Cláusulas, serão consideradas as definições do art. 5° da Lei nº 13.709, de 14 de agosto de 2018, e do art. 3º do Regulamento de Transferência Internacional de Dados Pessoais, sem prejuízo de outros atos normativos expedidos pela ANPD. As Partes concordam, ainda, em considerar os termos e seus respectivos significados, conforme exposto a seguir:
a) Processing agents: the controller and the processor;
a) Agentes de tratamento: o controlador e o operador;
b) ANPD: National Data Protection Authority;
b) ANPD: Autoridade Nacional de Proteção de Dados;
c) Clauses: the standard contractual clauses approved by the ANPD, which are part of Sections I, II, and III;
c) Cláusulas: as cláusulas-padrão contratuais aprovadas pela ANPD, que integram as Seções I, II e III;
d) Related Contract: contractual instrument signed between the Parties or, at least, between one of them and a third-party, including a Third-Party Controller, which has a common purpose, link or dependency relationship with the contract that governs the International Data Transfer;
d) Contrato Coligado: instrumento contratual firmado entre as Partes ou, pelo menos, entre uma destas e um terceiro, incluindo um Terceiro Controlador, que possua propósito comum, vinculação ou relação de dependência com o contrato que rege a Transferência Internacional de Dados;
e) Controller: Party or third party (“Third Controller”) responsible for decisions regarding the processing of Personal Data;
e) Controlador: Parte ou terceiro (“Terceiro Controlador”) a quem compete as decisões referentes ao tratamento de Dados Pessoais;
f) Personal Data: information related to an identified or identifiable natural person;
f) Dado Pessoal: informação relacionada a pessoa natural identificada ou identificável;
g) Sensitive Personal Data: personal data on racial or ethnic origin, religious belief, political opinion, affiliation to trade unions or to a religious, philosophical or political organization, data regarding health or sexual life, genetic or biometric data, whenever related to a natural person;
g) Dado Pessoal Sensível: dado pessoal sobre origem racial ou étnica, convicção religiosa, opinião política, filiação a sindicato ou a organização de caráter religioso, filosófico ou político, dado referente à saúde ou à vida sexual, dado genético ou biométrico, quando vinculado a uma pessoa natural;
h) Erasure: exclusion of data or dataset from a database, regardless of the procedure used;
h) Eliminação: exclusão de dado ou de conjunto de dados armazenados em banco de dados, independentemente do procedimento empregado;
i) Exporter: processing agent, located in the national territory or in a foreign country, who transfers personal data to the Importer;
i) Exportador: agente de tratamento, localizado no território nacional ou em país estrangeiro, que transfere dados pessoais para Importador;
j) Importer: processing agent, located in a foreign country, who receives personal data from the Exporter;
j) Importador: agente de tratamento, localizado em país estrangeiro ou que seja organismo internacional, que recebe dados pessoais transferidos por Exportador;
k) National Legislation: set of Brazilian constitutional, legal and regulatory provisions regarding the protection of Personal Data, including the LGPD, the International Data Transfer Regulation and other normative acts issued by ANPD;
k) Legislação Nacional: conjunto de dispositivos constitucionais, legais e regulamentares brasileiros a respeito da proteção de Dados Pessoais, incluindo a Lei nº 13.709, de 14 de agosto de 2018, o Regulamento de Transferência Internacional de Dados e outros atos normativos expedidos pela ANPD;
l) Arbitration Law: Law no. 9.307, of September 23, 1996;
l) Lei de Arbitragem: Lei nº 9.307, de 23 de setembro de 1996;
m) Security Measures: technical and administrative measures able to protect Personal Data from unauthorized access and from accidental or unlawful events of destruction, loss, alteration, communication or dissemination;
m) Medidas de Segurança: medidas técnicas e administrativas aptas para proteger os dados pessoais de acessos não autorizados e de situações acidentais ou ilícitas de destruição, perda, alteração, comunicação ou difusão;
n) Research Body: body or entity of the government bodies or associated entities or a non-profit private legal entity legally established under Brazilian laws, having their headquarter and jurisdiction in the Brazilian territory, which includes basic or applied research of historical, scientific, technological or statistical nature in its institutional mission or in its corporate or statutory purposes;
n) Órgão de Pesquisa: órgão ou entidade da administração pública direta ou indireta ou pessoa jurídica de direito privado sem fins lucrativos legalmente constituída sob as leis brasileiras, com sede e foro no País, que inclua em sua missão institucional ou em seu objetivo social ou estatutário a pesquisa básica ou aplicada de caráter histórico, científico, tecnológico ou estatístico;
o) Processor: Party or third-party, including a Sub-processor, which processes Personal Data on behalf of the Controller;
o) Operador: Parte ou terceiro, incluindo um Subcontratado, que realiza o tratamento de Dados Pessoais em nome do Controlador;
p) Designated Party: Party or a Third-Party Controller, under the terms of Clause 4, designated to fulfill specific obligations regarding transparency, Data Subjects’ rights and notifying security incidents;
p) Parte Designada: Parte do contrato designada, nos termos da Cláusula 4 (“Opção A”), para cumprir, na condição de Controlador, obrigações específicas relativas à transparência, direitos dos Titulares e comunicação de incidentes de segurança;
q) Parties: Exporter and Importer;
q) Partes: Exportador e Importador;
r) Access Request: request for mandatory compliance, by force of law, regulation or determination of public authority, to grant access to the Personal Data subject to the International Data Transfer governed by these Clauses;
r) Solicitação de Acesso: solicitação de atendimento obrigatório, por força de lei, regulamento ou determinação de autoridade pública, para conceder acesso aos Dados Pessoais objeto da Transferência Internacional de Dados regida por estas Cláusulas;
s) Subcontractor: processing agent hired by the Importer, with no link with the Exporter, to process Personal Data after an International Data Transfer;
s) Subcontratado: agente de tratamento contratado pelo Importador, sem vínculo com o Exportador, para realizar tratamento de Dados Pessoais após uma Transferência Internacional de Dados;
t) Third Party Controller: Personal Data Controller who authorizes and provides written instructions for the carrying out of the International Data Transfer between Processors governed by these Clauses, on his behalf, pursuant to Clause 4 (“Option B”);
t) Terceiro Controlador: Controlador dos Dados Pessoais que fornece instruções por escrito para a realização, em seu nome, da Transferência Internacional de Dados entre Operadores regida por estas Cláusulas, na forma da Cláusula 4 (“Opção B”);
u) Data Subject: natural person to whom the Personal Data which are subject to the International Data Transfer governed by these Clauses relate;
u) Titular: pessoa natural a quem se referem os Dados Pessoais que são objeto da Transferência Internacional de Dados regida por estas Cláusulas;
v) Transfer: processing modality through which a processing agent transmits, shares or provides access to Personal Data to another processing agent;
v) Transferência: modalidade de tratamento por meio da qual um agente de tratamento transmite, compartilha ou disponibiliza acesso a Dados Pessoais a outro agente de tratamento;
w) International Data Transfer: transfer of Personal Data to a foreign country or to an international organization which Brazil is a member of; and
w) Transferência Internacional de Dados: transferência de Dados Pessoais para país estrangeiro ou organismo internacional do qual o país seja membro; e
x) Onward Transfer: transfer of Personal Data, within the same country or to another country, by an Importer to a third-party, including a Sub-processor, provided that it does not constitute an Access Request.
x) Transferência Posterior: Transferência Internacional de Dados, originada de um Importador, e destinada a um terceiro, incluindo um Subcontratado, desde que não configure Solicitação de Acesso.
CLAUSE 7. Applicable legislation and ANPD supervision
CLÁUSULA 7. Legislação aplicável e fiscalização da ANPD
7.1. The International Data Transfer subject to these Clauses shall be subject to the National Legislation and to the supervision of ANPD, including the power to apply preventive measures and administrative sanctions to both Parties, as appropriate, as well as the power to limit, suspend or prohibit the international transfers arising from this agreement or a Related Contract.
7.1. A Transferência Internacional de Dados objeto das presentes Cláusulas submete-se à Legislação Nacional e à fiscalização da ANPD, incluindo o poder de aplicar medidas preventivas e sanções administrativas a ambas as Partes, conforme o caso, bem como o de limitar, suspender ou proibir as transferências internacionais decorrentes destas Cláusulas ou de um Contrato Coligado.
CLAUSE 8. Interpretation
CLÁUSULA 8. Interpretação
8.1. Any application of these Clauses shall occur according to the following terms:
8.1. Qualquer aplicação destas Cláusulas deve ocorrer de acordo com os seguintes termos:
a) these Clauses shall always be interpreted more favorably to the Data Subject and in accordance with the provisions of the National Legislation;
a) estas Cláusulas devem sempre ser interpretadas de forma mais favorável ao Titular e de acordo com as disposições da Legislação Nacional;
b) in case of doubt about the meaning of any term in these Clauses, the meaning which is most in line with the National Legislation shall apply;
b) em caso de dúvida sobre o significado de termos destas Cláusulas, aplica-se o significado que mais se alinha com a Legislação Nacional;
c) no item in these Clauses, including a Related Agreement and the provisions set forth in Section IV, shall be interpreted as limiting or excluding the liability of any of the Parties in relation to obligations set forth in the National Legislation; and
c) nenhum item destas Cláusulas, incluindo-se aqui um Contrato Coligado e as disposições previstas na Seção IV, poderá ser interpretado com o objetivo de limitar ou excluir a responsabilidade de qualquer uma das Partes em relação a obrigações previstas na Legislação Nacional; e
d) provisions of Sections I and II shall prevail in case of conflict of interpretation with additional clauses and other provisions set forth in Sections III and IV of this agreement or in Related Agreements.
d) as disposições das Seções I e II prevalecem em caso de conflito de interpretação com Cláusulas adicionais e demais disposições previstas nas Seções III e IV deste instrumento ou em Contratos Coligados.
CLAUSE 9. Docking Clause
CLÁUSULA 9. Possibilidade de adesão de terceiros
9.1. By mutual agreement between the Parties, it shall be possible for a processing agent to adhere to these Clauses, either as a Data Exporter or as a Data Importer, by completing and signing a written document, which shall form part of this contract.
9.1. Em comum acordo entre as Partes, é possível a um agente de tratamento aderir a estas Cláusulas na condição de Exportador ou de Importador, por meio do preenchimento e assinatura de documento escrito, que integrará o presente instrumento.
9.2. The acceding party shall have the same rights and obligations as the originating parties, according to the position assumed of Exporter or Importer and according to the corresponding category of treatment agent.
9.2. A parte aderente terá os mesmos direitos e obrigações das Partes originárias, conforme a posição assumida de Exportador ou Importador e de acordo com a categoria de agente de tratamento correspondente.
CLAUSE 10. General obligations of the Parties
CLÁUSULA 10. Obrigações gerais das Partes
10.1. The Parties undertake to adopt and, when necessary, demonstrate the implementation of effective measures capable of demonstrating observance of and compliance with the provisions of these Clauses and the National Legislation, as well as with the effectiveness of such measures and, in particular:
10.1. As Partes se comprometem a adotar e, quando necessário, demonstrar a adoção de medidas eficazes e capazes de comprovar a observância e o cumprimento das disposições destas Cláusulas e da Legislação Nacional e, inclusive, da eficácia dessas medidas e, em especial:
a) use the Personal Data only for the specific purposes described in Clause 2, with no possibility of subsequent processing incompatible with such purposes, subject to the limitations, guarantees and safeguards provided for in these Clauses;
a) utilizar os Dados Pessoais somente para as finalidades específicas descritas na Cláusula 2, sem possibilidade de tratamento posterior de forma incompatível com essas finalidades, observadas, em qualquer caso, as limitações, garantias e salvaguardas previstas nestas Cláusulas;
b) guarantee the compatibility of the processing with the purposes informed to the Data Subject, according to the processing activity context;
b) garantir a compatibilidade do tratamento com as finalidades informadas ao Titular, de acordo com o contexto do tratamento;
c) limit the processing activity to the minimum required for the accomplishment of its purposes, encompassing pertinent, proportional and non-excessive data in relation to the Personal Data processing purposes;
c) limitar o tratamento ao mínimo necessário para a realização de suas finalidades, com abrangência dos dados pertinentes, proporcionais e não excessivos em relação às finalidades do tratamento de Dados Pessoais;
d) guarantee to the Data Subjects, subject to the provisions of Clause 4:
d) garantir aos Titulares, observado o disposto na Cláusula 4:
(d.1.) clear, accurate and easily accessible information on the processing activities and the respective processing agents, with due regard for trade and industrial secrecy;
(d.1.) informações claras, precisas e facilmente acessíveis sobre a realização do tratamento e os respectivos agentes de tratamento, observados os segredos comercial e industrial;
(d.2.) facilitated and free of charge consultation on the form and duration of the processing, as well as on the integrity of their Personal Data; and
(d.2.) consulta facilitada e gratuita sobre a forma e a duração do tratamento, bem como sobre a integralidade de seus Dados Pessoais; e
(d.3.) accuracy, clarity, relevance and updating of the Personal Data, according to the necessity and for compliance with the purpose of their processing;
(d.3.) a exatidão, clareza, relevância e atualização dos Dados Pessoais, de acordo com a necessidade e para o cumprimento da finalidade de seu tratamento;
e) adopt the appropriate security measures compatible with the risks involved in the International Data Transfer governed by these Clauses;
e) adotar as medidas de segurança apropriadas e compatíveis com os riscos envolvidos na Transferência Internacional de Dados regida por estas Cláusulas;
f) not to process Personal Data for abusive or unlawful discriminatory purposes;
f) não realizar tratamento de Dados Pessoais para fins discriminatórios ilícitos ou abusivos;
g) ensure that any person acting under their authority, including sub-processors or any agent who collaborates with them, whether for reward or free of charge, only processes data in compliance with their instructions and with the provisions of these Clauses;
g) assegurar que qualquer pessoa que atue sob sua autoridade, inclusive subcontratados ou qualquer agente que com ele colabore, de forma gratuita ou onerosa, realize tratamento de dados apenas em conformidade com suas instruções e com o disposto nestas Cláusulas; e
h) keep a record of the Personal Data processing operations of the International Data Transfer governed by these Clauses, and submit the relevant documentation to ANPD, when requested.
h) manter registro das operações de tratamento dos Dados Pessoais objeto da Transferência Internacional de Dados regida por estas Cláusulas, e apresentar a documentação pertinente à ANPD, quando solicitado.
CLAUSE 11. Sensitive personal data
CLÁUSULA 11. Dados Pessoais sensíveis
11.1. If the International Data Transfer involves Sensitive Personal Data, the Parties shall apply additional safeguards, including specific Security Measures which are proportional to the risks of the processing activity, to the specific nature of the data and to the interests, rights and guarantees to be protected, as described in Section III.
11.1. Caso a Transferência Internacional de Dados envolva Dados Pessoais sensíveis, as Partes aplicarão salvaguardas adicionais, incluindo medidas de segurança específicas e proporcionais aos riscos da atividade de tratamento, à natureza específica dos dados e aos interesses, direitos e garantias a serem protegidos, conforme descrito na Seção III.
CLAUSE 12. Personal data of children and adolescents
CLÁUSULA 12. Dados Pessoais de crianças e adolescentes
12.1. In case the International Data Transfer governed by these Clauses involves Personal Data concerning children and adolescents, the Parties shall implement measures to ensure that the processing is carried out in their best interest, under the terms of the National Legislation and relevant instruments of international law.
12.1. Caso a Transferência Internacional de Dados envolva Dados Pessoais de crianças e adolescentes, as Partes aplicarão salvaguardas adicionais, incluindo medidas que assegurem que o tratamento seja realizado em seu melhor interesse, nos termos da Legislação Nacional e dos instrumentos pertinentes de direito internacional.
CLAUSE 13. Legal use of data
CLÁUSULA 13. Uso legal dos dados
13.1. The Exporter guarantees that Personal Data has been collected, processed and transferred to the Importer in accordance with the National Legislation.
13.1. O Exportador garante que os Dados Pessoais foram coletados, tratados e transferidos para o Importador de acordo com a Legislação Nacional.
CLAUSE 14. Transparency
CLÁUSULA 14. Transparência
14.1. The Designated Party shall publish, on its website, a document containing easily accessible information written in simple, clear and accurate language on the conduction of the International Data Transfer, including at least information on:
14.1. A Parte Designada publicará, em sua página na Internet, documento contendo informações facilmente acessíveis redigidas em linguagem simples, clara e precisa sobre a realização da Transferência Internacional de Dados, incluindo, pelo menos, informações sobre:
a) the form, duration and specific purpose of the international transfer;
a) a forma, a duração e a finalidade específica da transferência internacional;
b) the destination country of the transferred data;
b) o país de destino dos dados transferidos;
c) the Designated Party's identification and contact details;
c) a identificação e os contatos da Parte Designada;
d) the shared use of data by the Parties and its purpose;
d) o uso compartilhado de dados pelas Partes e a finalidade;
e) the responsibilities of the agents who shall conduct the processing;
e) as responsabilidades dos agentes que realizarão o tratamento;
f) the Data Subject's rights and the means for exercising them, including an easily accessible channel made available to respond to their requests, and the right to file a petition against the Exporter and the Importer before ANPD; and
f) os direitos do Titular e os meios para o seu exercício, incluindo canal de fácil acesso disponibilizado para atendimento às suas solicitações e o direito de peticionar contra o Controlador perante a ANPD; e
g) Onward Transfers, including those relating to recipients and to the purpose of such transfer.
g) Transferências Posteriores, incluindo as relativas aos destinatários e à finalidade da transferência.
14.2. The document referred to in item 14.1. shall be made available on a specific website page or integrated, in a prominent and easily accessible format, to the Privacy Policy or equivalent document.
14.2. O documento referido no item 14.1. poderá ser disponibilizado em página específica ou integrado, de forma destacada e de fácil acesso, à Política de Privacidade ou documento equivalente.
14.3. Upon request, the Parties shall make a copy of these Clauses available to the Data Subject free of charge, complying with trade and industrial secrecy.
14.3. A pedido, as Partes devem disponibilizar, gratuitamente, ao Titular uma cópia destas Cláusulas, observados os segredos comercial e industrial.
14.4. All information made available to Data Subjects, under the terms of these Clauses, shall be written in Portuguese.
14.4. Todas as informações disponibilizadas aos titulares, nos termos destas Cláusulas, deverão ser redigidas na língua portuguesa.
CLAUSE 15. Rights of the data subject
CLÁUSULA 15. Direitos do Titular
15.1. The Data Subject shall have the right to obtain from the Designated Party, as regards the Personal Data subject to the International Data Transfer governed by these Clauses, at any time, and upon request, under the terms of the National Legislation:
15.1. O Titular tem direito a obter da Parte Designada, em relação aos Dados Pessoais objeto da Transferência Internacional de Dados regida por estas Cláusulas, a qualquer momento, e mediante requisição, nos termos da Legislação Nacional:
a) confirmation of the existence of processing;
a) confirmação da existência de tratamento;
b) access to data;
b) acesso aos dados;
c) correction of incomplete, inaccurate, or outdated data;
c) correção de dados incompletos, inexatos ou desatualizados;
d) anonymization, blocking or erasure of unnecessary or excessive data or data processed in noncompliance with these Clauses and the provisions of National Legislation;
d) anonimização, bloqueio ou eliminação de dados desnecessários, excessivos ou tratados em desconformidade com estas Cláusulas e com o disposto na Legislação Nacional;
e) portability of data to another service or product provider, upon express request, in accordance with ANPD regulations, complying with trade and industrial secrecy;
e) portabilidade dos dados a outro fornecedor de serviço ou produto, mediante requisição expressa, de acordo com a regulamentação da ANPD, observados os segredos comercial e industrial;
f) erasure of Personal Data processed under the Data Subject’s consent, except for the events provided in Clause 20;
f) eliminação dos Dados Pessoais tratados com o consentimento do Titular, exceto nas hipóteses previstas na Cláusula 20;
g) information on public and private entities with which the Parties have shared data;
g) informação das entidades públicas e privadas com as quais as Partes realizaram uso compartilhado de dados;
h) information on the possibility of denying consent and on the consequences of the denial;
h) informação sobre a possibilidade de não fornecer consentimento e sobre as consequências da negativa;
i) withdrawal of consent through a free of charge and facilitated procedure, with the processing activities carried out before the request for elimination remaining ratified;
i) revogação do consentimento mediante procedimento gratuito e facilitado, ratificados os tratamentos realizados antes do requerimento de eliminação;
j) review of decisions taken solely on the basis of automated processing of personal data affecting their interests, including decisions aimed at defining their personal, professional, consumer and credit profile or aspects of their personality; and
j) revisão de decisões tomadas unicamente com base em tratamento automatizado de Dados Pessoais que afetem seus interesses, incluídas as decisões destinadas a definir o seu perfil pessoal, profissional, de consumo e de crédito ou os aspectos de sua personalidade; e
k) information on the criteria and procedures adopted for the automated decision.
k) informações a respeito dos critérios e dos procedimentos utilizados para a decisão automatizada, observados os segredos comercial e industrial.
15.2. The Data Subject may oppose the processing based on one of the events of waiver of consent, in case of noncompliance with the provisions of these Clauses or National Legislation.
15.2. O titular pode opor-se a tratamento realizado com fundamento em uma das hipóteses de dispensa de consentimento, em caso de descumprimento ao disposto nestas Cláusulas ou na Legislação Nacional.
15.3. The deadline for responding to the requests provided for in this Clause and in item 14.3 is 15 (fifteen) days from the date of the data subject's request, except in the event of a different deadline established in specific ANPD regulations.
15.3. O prazo para atendimento às solicitações previstas nesta Cláusula e no item 14.3. é de 15 (quinze) dias contados da data do requerimento do titular, ressalvada a hipótese de prazo distinto estabelecido em regulamentação específica da ANPD.
15.4. In case the Data Subject's request is directed to the Party not designated as responsible for the obligations set forth in this Clause or in item 14.3., the referred Party shall:
15.4. Caso a solicitação do Titular seja direcionada à Parte não designada como responsável pelas obrigações previstas nesta Cláusula ou no item 14.3., a Parte deverá:
a) inform the Data Subject of the service channel made available by the Designated Party; or
a) informar ao Titular o canal de atendimento disponibilizado pela Parte Designada; ou
b) forward the request to the Designated Party as early as possible, to enable the response within the period provided in item 15.2.
b) encaminhar a solicitação para a Parte Designada o quanto antes, a fim de viabilizar a resposta no prazo previsto no item 15.2.
15.5. The Parties shall immediately inform the Data Processing Agents with whom they have shared data of the correction, deletion, anonymization or blocking of the data, for them to follow the same procedure, except in cases where this communication is demonstrably impossible or involves a disproportionate effort.
15.5. As Partes deverão informar, imediatamente, aos Agentes de Tratamento com os quais tenham realizado uso compartilhado de dados a correção, a eliminação, a anonimização ou o bloqueio dos dados, para que repitam idêntico procedimento, exceto nos casos em que esta comunicação seja comprovadamente impossível ou implique esforço desproporcional.
15.6. The Parties shall promote mutual assistance to respond to the Data Subjects’ requests.
15.6. As Partes devem promover assistência mútua com a finalidade de atender às solicitações dos Titulares.
CLAUSE 16. Security Incident Reporting
CLÁUSULA 16. Comunicação de Incidente de Segurança
16.1. The Designated Party shall notify ANPD and the Data Subject, within 3 (three) working days of the occurrence of a security incident that may entail a relevant risk or damage to the Data Subjects, according to the provisions of National Legislation.
16.1. A Parte Designada deverá comunicar à ANPD e aos Titulares, no prazo de 3 (três) dias úteis, a ocorrência de incidente de segurança que possa acarretar risco ou dano relevante para os Titulares, observado o disposto na Legislação Nacional.
16.2. The Importer must keep a record of security incidents in accordance with National Legislation.
16.2. O Importador deve manter o registro de incidentes de segurança nos termos da Legislação Nacional.
CLAUSE 17. Liability and compensation for damages
CLÁUSULA 17. Responsabilidade e Ressarcimento de Danos
17.1. The Party which, when performing Personal Data processing activities, causes patrimonial, moral, individual or collective damage, for violating the provisions of these Clauses and of the National Legislation, shall compensate for it.
17.1. A Parte que, em razão do exercício da atividade de tratamento de Dados Pessoais, causar dano patrimonial, moral, individual ou coletivo, em violação às disposições destas Cláusulas e da Legislação Nacional, é obrigada a repará-lo.
17.2. The Data Subject may claim compensation for damage caused by any of the Parties as a result of a breach of these Clauses.
17.2. O Titular poderá pleitear a reparação do dano causado por quaisquer das Partes em razão da violação destas Cláusulas.
17.3. The defense of Data Subjects' interests and rights may be claimed in court, individually or collectively, in accordance with the provisions in relevant legislation regarding the instruments of individual and collective protection.
17.3. A defesa dos interesses e dos direitos dos Titulares poderá ser pleiteada em juízo, individual ou coletivamente, na forma do disposto na legislação pertinente acerca dos instrumentos de tutela individual e coletiva.
17.4. The Party acting as Processor shall be jointly and severally liable for damages caused by the processing activities when it fails to comply with these Clauses or when it has not followed the lawful instructions of the Controller, except for the provisions of item 17.6.
17.4. A Parte que atuar como Operador responde, solidariamente, pelos danos causados pelo tratamento quando descumprir as presentes Cláusulas ou quando não tiver seguido as instruções lícitas do Controlador, ressalvado o disposto no item 17.6.
17.5. The Controllers directly involved in the processing activities which resulted in damage to the Data Subject shall be jointly and severally liable for these damages, except for the provisions of item 17.6.
17.5. Os Controladores que estiverem diretamente envolvidos no tratamento do qual decorreram danos ao Titular respondem, solidariamente, por estes danos, ressalvado o disposto no item 17.6.
17.6. Parties shall not be held liable if they have proven that:
17.6. Não caberá responsabilização das Partes se comprovado que:
a) they have not carried out the processing of Personal Data attributed to them;
a) não realizaram o tratamento de Dados Pessoais que lhes é atribuído;
b) although they did carry out the processing of Personal Data attributed to them, there was no violation of these Clauses or National Legislation; or
b) embora tenham realizado o tratamento de Dados Pessoais que lhes é atribuído, não houve violação a estas Cláusulas ou à Legislação Nacional; ou
c) the damage results from the sole fault of the Data Subject or of a third-party which is not a recipient of the Onward Transfer or not subcontracted by the Parties.
c) o dano é decorrente de culpa exclusiva do Titular ou de terceiro que não seja destinatário de Transferência Posterior ou subcontratado pelas Partes.
17.7. Under the terms of the National Legislation, the judge may reverse the burden of proof in favor of the Data Subject whenever, in his judgement, the allegation is credible, there is a lack of sufficient evidence or when the Data Subject would be excessively burdened by the production of evidence.
17.7. Nos termos da Legislação Nacional, o juiz poderá inverter o ônus da prova a favor do Titular quando, a seu juízo, for verossímil a alegação, houver hipossuficiência para fins de produção de prova ou quando a produção de prova pelo Titular resultar-lhe excessivamente onerosa.
17.8. Judicial proceedings for compensation for collective damages which intend to establish liability under the terms of this Clause may be collectively conducted in court, with due regard for the provisions in relevant legislation.
17.8. As ações de reparação por danos coletivos que tenham por objeto a responsabilização nos termos desta Cláusula podem ser exercidas coletivamente em juízo, observado o disposto na legislação pertinente.
17.9. The Party which compensates the damage to the Data Subject shall have a right of recourse against the other responsible parties, to the extent of their participation in the damaging event.
17.9. A Parte que reparar o dano ao titular tem direito de regresso contra os demais responsáveis, na medida de sua participação no evento danoso.
CLAUSE 18. Safeguards for Onward Transfer
CLÁUSULA 18. Salvaguardas para Transferência Posterior
18.1. The Importer shall only carry out Onward Transfers of Personal Data subject to the International Data Transfer governed by these Clauses if expressly authorized, in accordance with the terms and conditions described in Clause 3.
18.1. O Importador somente poderá realizar Transferências Posteriores dos Dados Pessoais objeto da Transferência Internacional de Dados regida por estas Cláusulas se expressamente autorizado, conforme as hipóteses e condições descritas na Cláusula 3.
18.2. In any case, the Importer:
18.2. Em qualquer caso, o Importador:
a) shall ensure that the purpose of the Onward Transfer is compatible with the specific purposes described in Clause 2;
a) deve assegurar que a finalidade da Transferência Posterior é compatível com as finalidades específicas descritas na Cláusula 2;
b) shall guarantee, by means of a written contractual instrument, that the safeguards provided in these Clauses shall be ensured by the third-party recipient of the Onward Transfer; and
b) deve garantir, mediante instrumento contratual escrito, que as salvaguardas previstas nestas Cláusulas serão observadas pelo terceiro destinatário da Transferência Posterior; e
c) for the purposes of these Clauses, and regarding the Personal Data transferred, shall be considered responsible for any eventual irregularities committed by the third-party recipient of the Onward Transfer.
c) para fins destas Cláusulas, e em relação aos Dados Pessoais transferidos, será considerado o responsável por eventuais irregularidades praticadas pelo terceiro destinatário da Transferência Posterior.
18.3. The Onward Transfer shall also be carried out based on another valid modality of International Data Transfer provided in National Legislation, regardless of the authorization referred to in Clause 3.
18.3. A Transferência Posterior poderá, ainda, ser realizada com base em outro mecanismo válido de Transferência Internacional de Dados previsto na Legislação Nacional, independentemente da autorização de que trata a Cláusula 3.
CLAUSE 19. Access Request Notification
CLÁUSULA 19. Notificação de Solicitação de Acesso
19.1. The Importer shall notify the Exporter and the Data Subject of any Access Request related to the Personal Data subject to the International Data Transfer governed by these Clauses, except in the event that notification is prohibited by the law of the country in which the data is processed.
19.1. O Importador notificará o Exportador e o Titular sobre Solicitação de Acesso relacionada aos Dados Pessoais objeto da Transferência Internacional de Dados regida por estas Cláusulas, ressalvada a hipótese de vedação de notificação pela lei do país de tratamento dos dados.
19.2. The Importer shall implement the appropriate legal measures, including legal actions, to protect the rights of the Data Subjects whenever there is adequate legal basis to question the legality of the Access Request and, if applicable, the prohibition of issuing the notification referred to in item 19.1.
19.2. O Importador adotará as medidas legais cabíveis, incluindo ações judiciais, para proteger os direitos dos Titulares sempre que houver fundamento jurídico adequado para questionar a legalidade da Solicitação de Acesso e, se for o caso, a vedação de realizar a notificação referida no item 19.1.
19.3. To comply with both the ANPD’s and the Exporter’s requests, the Importer shall keep a record of Access Requests, including date, requester, purpose of the request, type of data requested, number of requests received, and legal measures implemented.
19.3. Para atender às solicitações da ANPD e do Exportador, o Importador deve manter registro de Solicitações de Acesso, incluindo data, solicitante, finalidade da solicitação, tipo de dados solicitados, número de solicitações recebidas e medidas legais adotadas.
CLAUSE 20. Termination of processing and erasure of data
CLÁUSULA 20. Término do tratamento e eliminação dos dados
20.1. Parties shall erase the personal data subject to the International Data Transfer governed by these Clauses after the ending of their processing, being their storage authorized only for the following purposes:
20.1. As Partes deverão eliminar os Dados Pessoais objeto da Transferência Internacional de Dados regida por estas Cláusulas após o término do tratamento, no âmbito e nos limites técnicos das atividades, autorizada a conservação apenas para as seguintes finalidades:
a) compliance with legal or regulatory obligation by the Controller;
a) cumprimento de obrigação legal ou regulatória pelo Controlador;
b) study by a Research Body, guaranteeing, whenever possible, the anonymization of personal data;
b) estudo por Órgão de Pesquisa, garantida, sempre que possível, a anonimização dos Dados Pessoais;
c) transfer to a third-party, upon compliance with requirements set forth in these Clauses and in the National Legislation; and
c) transferência a terceiro, desde que respeitados os requisitos previstos nestas Cláusulas e na Legislação Nacional; e
d) exclusive use of the Controller, being the access by a third-party prohibited, and provided data have been anonymized.
d) uso exclusivo do Controlador, vedado seu acesso por terceiro, e desde que anonimizados os dados.
20.2. For the purposes of this Clause, processing of personal data shall cease when:
20.2. Para fins desta Cláusula, considera-se que o término do tratamento ocorrerá quando:
a) the purpose set forth in these Clauses has been achieved;
a) alcançada a finalidade prevista nestas Cláusulas;
b) Personal Data are no longer necessary or pertinent to attain the intended specific purpose set forth in these Clauses;
b) os Dados Pessoais deixarem de ser necessários ou pertinentes ao alcance da finalidade específica prevista nestas Cláusulas;
c) at the termination of the treatment period;
c) finalizado o período de tratamento;
d) Data Subject's request is met; and
d) atendida solicitação do Titular; e
e) at the order of ANPD, upon violation of the provisions of these Clauses or National Legislation.
e) determinado pela ANPD, quando houver violação ao disposto nestas Cláusulas ou na Legislação Nacional.
CLAUSE 21. Data processing security
CLÁUSULA 21. Segurança no tratamento dos dados
21.1. Parties shall implement Security Measures which guarantee sufficient protection of the Personal Data subject to the International Data Transfer governed by these Clauses, even after its termination.
21.1. As Partes deverão adotar medidas de segurança que garantam proteção aos Dados Pessoais objeto da Transferência Internacional de Dados regida por estas Cláusulas, mesmo após o seu término.
21.2. Parties shall inform, in Section III, the Security Measures implemented, considering the nature of the processed information, the specific characteristics and the purpose of the processing, the technology current state and the probability and severity of the risks to the Data Subjects’ rights, especially in the case of sensitive personal data and that of children and adolescents.
21.2. As Partes informarão, na Seção III, as Medidas de Segurança adotadas, considerando a natureza das informações tratadas, as características específicas e a finalidade do tratamento, o estado atual da tecnologia e os riscos para os direitos dos Titulares, especialmente no caso de dados pessoais sensíveis e de crianças e adolescentes.
21.3. The Parties shall make the necessary efforts to implement periodic evaluation and review measures to maintain the appropriate level of data security.
21.3. As Partes deverão realizar os esforços necessários para adotar medidas periódicas de avaliação e revisão visando manter o nível de segurança adequado às características do tratamento de dados.
CLAUSE 22. Legislation of country of destination
CLÁUSULA 22. Legislação do país destinatário dos dados
22.1. The Importer declares that it has not identified any laws or administrative practices of the country receiving the Personal Data that prevent it from fulfilling the obligations assumed in these Clauses.
22.1. O Importador declara que não identificou leis ou práticas administrativas do país destinatário dos Dados Pessoais que o impeçam de cumprir as obrigações assumidas nestas Cláusulas.
22.2. In the event of a regulatory change which alters this situation, the Importer shall immediately notify the Exporter to assess the continuity of the contract.
22.2. Sobrevindo alteração normativa que altere esta situação, o Importador notificará, de imediato, o Exportador para avaliação da continuidade do contrato.
CLAUSE 23. Non-compliance with the Clauses by the Importer
CLÁUSULA 23. Descumprimento das Cláusulas pelo Importador
23.1. In the event of a breach in the safeguards and guarantees provided in these Clauses or being the Importer unable to comply with any of them, the Exporter shall be immediately notified, subject to the provisions in item 19.1.
23.1. Havendo violação das salvaguardas e garantias previstas nestas Cláusulas ou a impossibilidade de seu cumprimento pelo Importador, o Exportador deverá ser comunicado imediatamente, ressalvado o disposto no item 19.1.
23.2. Upon receiving the communication referred to in item 23.1 or upon verification of non-compliance with these Clauses by the Importer, the Exporter shall implement the relevant measures to ensure the protection of the Data Subjects' rights and the compliance of the International Data Transfer with the National Legislation and these Clauses, and may, as appropriate:
23.2. Recebida a comunicação de que trata o item 23.1 ou verificado o descumprimento destas Cláusulas pelo Importador, o Exportador adotará as providências pertinentes para assegurar a proteção aos direitos dos Titulares e a conformidade da Transferência Internacional de Dados com a Legislação Nacional e as presentes Cláusulas, podendo, conforme o caso:
a) suspend the International Data Transfer;
a) suspender a Transferência Internacional de Dados;
b) request the return of Personal Data, its transfer to a third party, or its erasure; and
b) solicitar a devolução dos Dados Pessoais, sua transferência a um terceiro, ou a sua eliminação; e
c) terminate the contract.
c) rescindir o contrato.
CLAUSE 24. Choice of forum and jurisdiction
CLÁUSULA 24. Eleição do foro e jurisdição
24.1. Brazilian legislation applies to these Clauses and any controversy between the Parties arising from these Clauses shall be resolved before the competent courts in Brazil, observing, if applicable, the forum chosen by the Parties in Section IV.
24.1. Aplica-se a estas Cláusulas a legislação brasileira e qualquer controvérsia entre as Partes decorrente destas Cláusulas será resolvida perante os tribunais competentes do Brasil, observado, se for o caso, o foro eleito pelas Partes na Seção IV.
24.2. Data Subjects may file lawsuits against the Exporter or the Importer, as they choose, before the competent courts in Brazil, including those in their place of residence.
24.2. Os Titulares podem ajuizar ações judiciais contra o Exportador ou o Importador, conforme sua escolha, perante os tribunais competentes no Brasil, inclusive naqueles localizados no local de sua residência.
24.3. By mutual agreement, Parties may use arbitration to resolve conflicts arising from these Clauses, provided that the procedure is carried out in Brazil and in accordance with the provisions of the Arbitration Law.
24.3. Em comum acordo, as Partes poderão se valer da arbitragem para resolver os conflitos decorrentes destas Cláusulas, desde que realizada no Brasil e conforme as disposições da Lei de Arbitragem.
Section III – Security Measures
Seção III – Medidas de Segurança
(i) Governance and supervision of internal processes: See Schedule B of the DPA.
(i) Governança e supervisão de processos internos: Ver Anexo B do DPA.
(ii) Technical and administrative security measures, including measures to guarantee the security of the operations carried out, such as collection, transmission, and storage of data: See Schedule B of the DPA.
(ii) Medidas de segurança técnicas e administrativas, incluindo medidas para garantir a segurança das operações realizadas, tais como a coleta, a transmissão e o armazenamento dos dados: Ver Anexo B do DPA.
CLAUSE 25. Language
These Clauses have been presented here in the English and Portuguese versions. If there is any conflict between these two versions of the Clauses, the English version shall prevail for the interpretation of the document.
CLÁUSULA 25. Idioma
Estas Cláusulas estão apresentadas em versões em inglês e português. Se houver qualquer conflito entre as duas versões das Cláusulas, a versão em inglês deverá prevalecer para interpretação do documento.
