Effective Date: October 9, 2023
This Data Processing Agreement (“DPA”) is a supplement to, and made a part of, the commercial services agreement and/or terms between User Interviews, Inc. (“UI”) and Customer (the “Agreement”).
To comply with Data Protection Laws, and in consideration of the mutual obligations set out herein, the parties hereby agree as follows:
1. DEFINITIONS
Capitalized terms used but not defined herein have the meaning set forth in the Agreement.
1.1 “Affiliate(s)” means any entity that controls, is controlled by, or is under common control with, a party, where “control” means possession, directly or indirectly, of the power to direct or manage the affairs of the party or entity whether through voting power, by contract, or otherwise, but only for as long as such control exists.
1.2 “California Personal Information” means Controller-to-Processor Data that is subject to the CCPA.
1.3 “CCPA” means California Civil Code § 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 or “CPRA”).
1.4 “Contact Data” means Personal Data relating to a party’s representatives exchanged for the purpose of performing a party’s obligations under this Agreement, including name, email address, telephone number and/or job title, but expressly excluding Personal Data relating to Recruit Participants or Researcher-Affiliated Participants.
1.5 “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
1.6 “Controller-to-Controller Data” means, to the extent applicable, (i) Personal Data relating to Recruit Participants and (ii) Contact Data.
1.7 “Controller-to-Processor Data” means, to the extent applicable, Personal Data relating to Researcher-Affiliated Participants.
1.8 “Data Protection Laws” means all applicable legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement, including without limitation European Data Protection Laws, the CCPA, and other applicable U.S. federal and state privacy laws, in each case as may be amended, replaced, or superseded from time to time.
1.9 “European Data Protection Laws” means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); (iv) GDPR as it forms part of the United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); and (v) the Swiss Federal Act on Data Protection of 2020 and its Ordinance (“FADP”).
1.10 “EU Standard Contractual Clauses” means the annex to EU Commission Implementing Decision of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation 2016/679 of the European Parliament and of the Council (available as of the Effective Date at http://data.europa.eu/eli/dec_impl/2021/914/oj).
1.11 “Personal Data” means any information relating to an identified or identifiable natural person (a “Data Subject”), and any other information that constitutes “personal data,” “personal information,” or “personally identifiable information” as defined by Data Protection Laws.
1.12 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Controller-to-Processor Data.
1.13 “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms “Process”, “Processes” and “Processed” will be construed accordingly.
1.14 “Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.
1.15 “Sensitive Personal Data” means Personal Data that is deemed sensitive or otherwise subject to enhanced protection under applicable Data Protection Laws, including without limitation Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, or data concerning health or data concerning a person’s sex life or sexual orientation.
1.16 “Subprocessor” means any third party appointed by or on behalf of UI to Process Controller-to-Processor Data, including “Service Providers” and “Contractors” as those terms are defined in the CCPA.
1.17 “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (available as of the Effective Date at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/), completed as set forth in this DPA.
1.18 The terms “Business,” “Sell,” “Service Provider” and “Share” have the meanings given to them in the CCPA.
2. CONTROLLER-TO-CONTROLLER DATA
2.1 Roles of the Parties. To the extent applicable, the parties acknowledge and agree that with respect to the Processing of Controller-to-Controller Data, each party is a separate and independent Controller. Each party acknowledges and agrees that Data Subjects may exercise their rights in respect of and against each of them in their capacity as a Controller of the Controller-to-Controller Data.
2.2 Compliance with Data Protection Laws. Each party will comply with the obligations that apply to it as a Controller under Data Protection Laws with respect to Controller-to-Controller Data and will provide reasonable assistance to each other in complying with applicable Data Protection Laws. Without limitation of the foregoing, each party will be responsible for:
(a) Providing necessary information to Data Subjects in accordance with the notice and transparency requirements of Data Protection Laws;
(b) Processing the Controller-to-Controller Data only in compliance with and for the purposes contemplated by the Agreement and this DPA;
(c) Ensuring that it has in place appropriate technical and organizational measures to protect the Controller-to-Controller Data against accidental, unlawful or unauthorized destruction, loss, alteration, disclosure or access;
(d) Ensuring that, to the extent it transfers Controller-to-Controller Data to third-party Processors, such Processors are subject to written contractual obligations concerning the Controller-to-Controller Data that are at least as protective as those imposed by this DPA;
(e) Responding to any request to exercise Data Subject rights under Data Protection Laws;
(f) Providing each other with reasonable assistance in responding to any request to exercise Data Subject rights under Data Protection Laws; and
(g) Maintaining complete and accurate records and information to demonstrate its compliance with this Agreement.
2.3 Not a Sale. The parties acknowledge and agree that the disclosure of Controller-to-Controller Data by one party to the other party does not form part of any monetary or other valuable consideration exchanged between the parties with respect to the Agreement or this DPA.
3. CONTROLLER-TO-PROCESSOR DATA
3.1 Roles of the Parties. To the extent applicable, the parties acknowledge and agree that with respect to the Processing of Controller-to-Processor Data, Customer is the Controller, UI is the Processor, and UI will engage Subprocessors in accordance with this DPA.
3.2 Customer’s Processing of Controller-to-Processor Data. Customer will, in its use of the Services, Process Controller-to-Processor Data in accordance with the requirements of Data Protection Laws. Customer represents and warrants that, to the extent required by Data Protection Laws, it has provided all legally required notices to, and obtained all legally required consents from, Data Subjects to allow UI to Process Controller-to-Processor Data and provide the Services. Customer will ensure that its instructions for the Processing of Controller-to-Processor Data comply with, and will not cause UI to be in breach of, Data Protection Laws. As between the parties, Customer is solely responsible for (i) the accuracy, quality, and legality of the Controller-to-Processor Data provided to UI by or on behalf of Customer, (ii) the means by which Customer acquired Controller-to-Processor Data, and (iii) the instructions it provides to UI.
3.3 UI’s Processing of Controller-to-Processor Data. UI will Process Controller-to-Processor Data in compliance with Data Protection Laws and only for the following purposes: (i) Processing to perform the Services in accordance with the Agreement; and (ii) Processing to comply with other documented reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement, this DPA and Data Protection Laws. If Processing of Controller-to-Processor Data for a purpose not specified above is required by laws to which UI is subject, UI will to the extent permitted by law inform Customer of the legal requirement before such Processing occurs. UI will not disclose, transfer, or otherwise make available any Controller-to-Processor Data to a third party without the prior written consent of Customer unless and to the extent that such disclosure is made to a Subprocessor or is required by applicable law. In no event will UI sell Controller-to-Processor Data to any third party.
3.4 Instructions for Processing. Customer instructs UI (and authorizes UI to instruct each Subprocessor) to (i) Process Controller-to-Processor Data as necessary for the provision of the Services in accordance with the Agreement and this DPA and (ii) transfer Controller-to-Processor Data to any country or territory as reasonably necessary for the provision of the Services and in accordance with Section 4 (Restricted Transfers of Personal Data) of this DPA.
3.5 Details of Processing. The subject matter, duration, nature, and purpose of the Processing of Controller-to-Processor Data are as set forth in the Agreement and in Annex I to this DPA. Customer is solely responsible for determining the types of Controller-to-Processor Data to be Processed by UI. The categories of Data Subjects are Researcher-Affiliated Participants.
3.6 Personnel. UI will take reasonable steps to ensure the reliability of its personnel who Process Controller-to-Processor Data, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
3.7 Data Security. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedom of natural persons, UI will in relation to Controller-to-Processor Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk. In assessing the appropriate level of security, UI will take into account the risks that are presented by Processing, in particular from a Personal Data Breach. UI’s technical and organizational measures are further described at https://www.userinterviews.com/legal/security-measures. UI may update its security measures from time to time to reflect process improvements or changing practices, provided that such modifications do not materially decrease the overall security of Controller-to-Processor Data.
3.8 Subprocessors. Customer authorizes UI to appoint third-party Subprocessors in connection with the provision of the Services. UI has entered or will enter into a written agreement with each Subprocessor containing data protection obligations not less protective than those in this DPA with respect to the protection of Controller-to-Processor Data, to the extent applicable to the nature of the services provided by such Subprocessor. The list of Subprocessors engaged by UI as of the Effective Date of this DPA is set forth at https://www.userinterviews.com/legal/subprocessors, and Customer hereby consents to such Subprocessors. UI will give written notice to Customer of the appointment of any new Subprocessor that may Process Controller-to-Processor Data. If, within 10 business days of receipt of that notice, Customer (acting reasonably and in good faith) notifies UI in writing of any objection to the appointment, UI will use reasonable efforts to address Customer’s objection or recommend a commercially reasonable change to Customer’s use of the Services to avoid Processing of Controller-to-Processor Data by the objected-to new Subprocessor. After this process, if a resolution has not been agreed to within 10 business days, Customer may elect to terminate the Agreement without penalty. Where a Subprocessor fails to fulfill its data protection obligations in connection with the Processing of Controller-to-Processor Data under this DPA, UI will remain fully liable to Customer for the performance of that Subprocessor’s obligations.
3.9 Rights of Data Subjects. Taking into account the nature of the Processing, UI will assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to requests to exercise Data Subjects’ rights under Data Protection Laws. If UI receives a request from a Data Subject under any Data Protection Law in relation to Controller-to-Processor Data, UI will promptly notify Customer and ensure that it does not respond to that request except on the documented instructions of Customer or as required by laws to which UI is subject, in which case UI will to the extent permitted by law inform Customer of that legal requirement before responding to the request.
3.10 Data Protection Impact Assessment and Prior Consultation. UI will provide reasonable assistance to Customer with any data protection impact assessments and prior consultation with relevant data protection authorities, which Customer reasonably considers to be required by Data Protection Laws, in each case solely in relation to Processing of Controller-to-Processor Data by, and taking into account the nature of the Processing and information available to, UI.
3.11 Personal Data Breach. UI will notify Customer without undue delay and at least within 72 hours upon becoming aware of a Personal Data Breach. UI will provide Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects of each such Personal Data Breach under Data Protection Laws. UI will reasonably cooperate with Customer and take reasonable steps to assist in the investigation, mitigation and remediation of each such Personal Data Breach, to the extent such mitigation and remediation is within UI’s reasonable control. To the extent that a Personal Data Breach was caused by UI’s breach of this DPA, UI shall be liable for all reasonable costs that Customer incurs in responding to such Personal Data Breach, subject to any limitations of liability set forth in the Agreement.
3.12 Audit. UI will make available to Customer, on reasonable request and at least 30 days’ prior written notice, reports, documentation and other information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to reasonable audits by or on behalf of Customer in relation to its Processing of Controller-to-Processor Data as set forth in this Section. Any such audit will be subject to the confidentiality obligations set forth in the Agreement. Customer understands and agrees that UI will not be required to conduct, or to permit Customer or its auditors to conduct, any activities that could impair the security or confidentiality of the information of any other UI customers. Customer will not exercise such audit right more frequently than once in any calendar year except to the extent required by instruction of a competent data protection authority or in the event of a Personal Data Breach. Customer will bear the full cost and expense of any such audit, unless such audit reveals a material breach of this DPA, in which case UI will bear the reasonable cost and expense of such audit.
3.13 Deletion of Controller-to-Processor Data. Following termination of the Agreement, or at any time upon Customer’s written request, UI will delete Controller-to-Processor Data from the Services 30 days after the date of termination and from backup servers 7 days thereafter. UI will, upon Customer’s request, provide written certification that it has complied with this Section. Notwithstanding the foregoing, UI may retain Controller-to-Processor Data to the extent required by applicable law, provided that such data will be securely isolated and protected from any further Processing, except to the extent required by applicable law.
3.14 California Personal Information. To the extent applicable, the parties acknowledge and agree that with respect to the Processing of California Personal Information, Customer is the Business and UI is the Service Provider. UI will Process California Personal Information strictly for the business purpose of performing the Services under the Agreement or as otherwise permitted by the CCPA. UI shall: (i) comply with its obligations under the CCPA; (ii) provide California Personal Information with the same level of protection as required by the CCPA; (iii) notify Customer if it can no longer meet its obligations under the CCPA; (iv) not Sell or Share California Personal Information; (v) not retain, use, or disclose California Personal Information outside of the direct business relationship between Customer and UI, unless required by applicable law; and (vi) not combine California Personal Information with Personal Data that UI collects or receives from another source (other than information UI receives from another source in connection with its obligations as a Service Provider under the Agreement). Customer may: (a) take reasonable and appropriate steps to help ensure that UI Processes California Personal Information in a manner consistent with Customer’s obligations under the CCPA; and (b) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized Processing of California Personal Information by UI. UI certifies that it understands the restrictions set forth in this Section and will comply with them.
4. RESTRICTED TRANSFERS OF PERSONAL DATA
4.1 To the extent that either party transfers Personal Data originating in the European Economic Area (“EEA”), Switzerland or the United Kingdom (“UK”) to a country that has not been designated by the European Commission, Swiss Federal Data Protection Authority or Information Commissioner’s Office (respectively) as providing an adequate level of protection for Personal Data, the parties agree to the provisions set forth in this Section 4. The data exporter will provide all disclosures to Data Subjects as legally required to permit such transfers.
4.2 Transfers of Personal Data Originating in the EEA. With respect to transfers of Personal Data originating in the EEA, the EU Standard Contractual Clauses (Module 1 for Controller-to-Controller transfers, and Module 2 for Controller-to-Processor transfers) shall form part of this DPA, shall take precedence over the rest of this DPA to the extent of any conflict when legally required, and shall be deemed completed as follows:
(a) For purposes of Clause 7 (Docking clause), UI hereby authorizes additional Controller Affiliates to accede to the Clauses as data exporters if they are permitted to act as data exporters under the Agreement.
(b) Under Clause 9 (Use of sub-processors), the parties select Option 2 (General written authorisation).
(c) Under Clause 11 (Redress), the optional requirement that Data Subjects be permitted to lodge a complaint with an independent dispute resolution body does not apply.
(d) Under Clause 17 (Governing law), the parties select the law of Ireland.
(e) Under Clause 18 (Choice of forum and jurisdiction), the parties select the courts of Ireland.
(f) Annexes I, II and III to the EU Standard Contractual Clauses are attached to this DPA.
4.3 Transfers of Personal Data Originating in Switzerland. With respect to transfers of Personal Data that are subject to the FADP, the EU Standard Contractual Clauses shall form part of this DPA as set forth in Section 4.2, but shall be deemed to have the following differences to the extent required by the FADP:
(a) References to the GDPR in the EU Standard Contractual Clauses are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR.
(b) The term “member state” in the EU Standard Contractual Clauses shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU Standard Contractual Clauses.
(c) References to personal data in the EU Standard Contractual Clauses also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope.
(d) Under Annex I.C (Competent Supervisory Authority) to the EU Standard Contractual Clauses: (i) where the transfer is subject exclusively to the FADP and not the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner; and (ii) where the transfer is subject to both the FADP and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the FADP, and the supervisory authority is as set forth in Annex I to this DPA insofar as the transfer is governed by the GDPR.
4.4 Transfers of Personal Data Originating in the UK. With respect to transfers of Personal Data that are subject to UK law (and not the law in any EEA jurisdiction), the UK Addendum shall form part of this DPA, shall take precedence over the rest of this DPA as set forth in the UK Addendum, and shall be deemed completed as follows:
(a) Table 1: the “Parties’ details” shall be the parties and their Affiliates to the extent any of them is involved in such transfer, including those set forth in Annex I to this DPA, and the “Key Contact” shall be the contacts set forth in Annex I to this DPA.
(b) Table 2: the “Approved EU Standard Contractual Clauses” shall be the EU Standard Contractual Clauses as set forth in Section 4.2.
(c) Table 3: Annexes 1A, 1B, II, and III shall be set forth in Annexes I, II and III to this DPA.
(d) Table 4: Customer may end the UK Addendum as set out in Section 19 thereof.
(e) By entering into this DPA, the parties are deemed to be signing the UK Addendum.
5. GENERAL TERMS
5.1 Changes in Data Protection Laws. Either party may, by at least 30 days’ written notice to the other, propose any variations to this DPA which the party reasonably considers to be necessary to address the requirements of any Data Protection Law. The parties will promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing variations designed to address the relevant requirements as soon as is reasonably practicable.
5.2 Severability. If any provision of this DPA is held by a court of competent jurisdiction to be unenforceable, such provision will be modified and interpreted so as to best accomplish the original provision to the fullest extent permitted by law, and the remaining provisions of this DPA will remain in effect.
5.3 Order of Precedence. In the event of an express conflict between any of the provisions of the Agreement, this DPA and (where applicable) the Standard Contractual Clauses, the provisions shall apply in the following order of precedence: (i) the Standard Contractual Clauses; (ii) the DPA; and then (iii) the Agreement.
5.4 Governing Law and Jurisdiction. The parties to this DPA hereby submit to the choice of jurisdiction and choice of law stipulated in the Agreement with respect to any disputes or claims arising under this DPA. Notwithstanding the foregoing, the Standard Contractual Clauses will be governed by and construed in accordance with the laws as specified in Section 4 (Restricted Transfers of Personal Data) of this DPA.
A. LIST OF PARTIES
MODULE ONE: Transfer of Controller-to-Controller Data
Data exporter(s) and data importer(s):
The data exporter is the party transferring the Personal Data and its Affiliates to the extent any of them is involved in such transfer, and the data importer is the party to which the Personal Data is being transferred and its Affiliates to the extent any of them is involved in such transfer.
Customer’s name, address and contact details are as set forth in the Agreement.
Customer’s activities relevant to the data transferred under these Clauses: User research.
UI’s name, address and contact details are as follows:
Name: User Interviews, Inc.
Address: 228 Park Ave S, PMB 38712, New York, NY 10003
Contact person’s name, position and contact details: Data Protection Officer, privacy@userinterviews.com
UI’s activities relevant to the data transferred under these Clauses: Provision of the Services.
Signature and date: By entering into the Agreement and DPA, Customer and UI are deemed to be signing the EU Standard Contractual Clauses incorporated herein, including Annexes I, II and III thereto, as of the Effective Date.
Role (controller/processor): Controller
MODULE TWO: Transfer of Controller-to-Processor Data
Data exporter(s):
The data exporter is Customer and its Affiliates to the extent any of them is involved in such transfer. Customer’s name, address and contact details are as set forth in the Agreement.
Activities relevant to the data transferred under these Clauses: User research.
Signature and date: By entering into the Agreement and DPA, Customer is deemed to be signing these EU Standard Contractual Clauses incorporated herein, including Annexes I, II and III thereto, as of the Effective Date.
Role (controller/processor): Controller
Data importer(s):
Name: User Interviews, Inc.
Address: 228 Park Ave S, PMB 38712, New York, NY 10003
Contact person’s name, position and contact details: Data Protection Officer, privacy@userinterviews.com
Activities relevant to the data transferred under these Clauses: Provision of the Services.
Signature and date: By entering into the Agreement and DPA, UI is deemed to be signing these EU Standard Contractual Clauses incorporated herein, including Annexes I, II and III thereto, as of the Effective Date.
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
MODULE ONE: Transfer of Controller-to-Controller Data
Categories of data subjects whose personal data is transferred
Recruit Participants; each party’s representatives.
Categories of personal data transferred
Recruit Participants: Name, email address, telephone number, employment/professional information, age, city, country, gender, household information, income
Each party’s representatives: Contact Data including name, email address, telephone number and/or job title
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Recruit Participants: race/ethnicity
Each party’s representatives: none
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Data is transferred on a continuous basis
Nature of the processing
Collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data (whether or not by automated means)
Purpose(s) of the data transfer and further processing
Provision of the Services
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Controller-to-Controller Data will be retained for as long as reasonably necessary to provide the Services or to the extent required by applicable law.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
The subject matter, nature and duration of processing by processors are as set forth in the Agreement and DPA.
MODULE TWO: Transfer of Controller-to-Processor Data
Categories of data subjects whose personal data is transferred
Researcher-Affiliated Participants
Categories of personal data transferred
Name, email address, and any other categories of personal data as determined by Customer in its sole discretion
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Any categories of sensitive data as determined by Customer in its sole discretion, subject to the limitations set forth in the Agreement. The restrictions or safeguards are as described in Annex II.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Data is transferred on a continuous basis.
Nature of the processing
Collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data (whether or not by automated means)
Purpose(s) of the data transfer and further processing
Provision of the Services
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Following termination of the Agreement, or at any time upon Customer’s written request, UI will delete Controller-to-Processor Data from the Services 30 days after the date of termination and from backup servers 7 days thereafter. Notwithstanding the foregoing, UI may retain Controller-to-Processor Data to the extent required by applicable law, provided that such data will be securely isolated and protected from any further Processing, except to the extent required by applicable law.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
The subject matter, nature and duration of processing by subprocessors are as set forth in the Agreement and DPA.
C. COMPETENT SUPERVISORY AUTHORITY
MODULE ONE: Transfer of Controller-to-Controller Data
Identify the competent supervisory authority/ies in accordance with Clause 13
The competent supervisory authority shall be the authority that has supervision over the data exporter in accordance with Clause 13.
MODULE TWO: Transfer of Controller-to-Processor Data
Identify the competent supervisory authority/ies in accordance with Clause 13
The competent supervisory authority shall be the authority that has supervision over Customer in accordance with Clause 13.
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
MODULE ONE: Transfer of Controller-to-Controller Data
MODULE TWO: Transfer of Controller-to-Processor Data
The technical and organisational security measures implemented by UI are as described at https://www.userinterviews.com/legal/security-measures.
MODULE TWO: Transfer of Controller-to-Processor Data
LIST OF SUB-PROCESSORS
Customer, as the controller, has authorized the use of the Subprocessors set forth at https://www.userinterviews.com/legal/subprocessors.