ARCH DATA, INC. DATA PROCESSING ADDENDUM
This Data Processing Addendum (this “DPA”) forms part of the Arch Data, Inc Terms of Service Agreement available at https://arch.dev/terms-of-service/ or other written or electronic agreement that includes a link or express reference incorporating this DPA into the terms of such agreement, entered into between Arch Data, Inc. (“Arch”) and the Customer (as defined below) (the “Agreement”). This DPA sets forth each party’s respective obligations regarding the processing of Personal Data in connection with the Services provided pursuant to the Agreement. This DPA is effective on the effective date of the Agreement, unless this DPA is separately executed in which case it is effective on the date of the last signature or last adoption (“DPA Effective Date”). Capitalized terms not defined in this DPA shall have the meaning set forth in the Agreement.
- Definitions. In addition to terms defined elsewhere in this DPA, the following terms have the following meanings:
“Anonymous Data” means Personal Data that has been Processed in such a manner that it can no longer be attributed to an identified or identifiable Data Subject and cannot be re-identified, including “aggregate consumer information,” as such term is defined in the CPRA or other Applicable Data Laws.
“Applicable Data Law(s)” means any state, federal, local and/or foreign data protection and privacy laws, rules or regulations that are applicable to the parties’ Processing of Personal Data under the Agreement and this DPA, including, but not limited to, (to the extent applicable): (i) EU Data Laws, and (ii) the California Privacy Rights Act, together with any implementing regulations, as may be amended, superseded, or replaced from time to time (collectively, “CPRA”).
“Authorized Sub-Processor” means another Processor engaged by Arch, and who is: (i) a third-party sub-Processor engaged by Arch as of the effective date of the Agreement, (ii) an Affiliate of Arch, or (iii) a new third-party sub-Processor engaged by Arch after the effective date of the Agreement that is approved or authorized by Customer as set forth in Section 4 of this DPA.
“Controller” means the entity that determines the purposes and means of the Processing of Personal Data, including as applicable any “business” as defined under the CPRA.
“Customer” means the person or entity identified as the Customer in the Agreement.
“Customer Personal Data” means Personal Data specified in Exhibit B to this DPA, which Arch Processes on behalf of Customer in connection with the provision of the Services.
“Data Subject” means an identified or identifiable person to whom Personal Data relates, including as applicable any “consumer” as defined under the CPRA or other Applicable Data Laws.
“Data Subject Request” means a request by a Data Subject to exercise any of the Data Subject’s rights provided for under Applicable Data Laws, including, but not limited to, the right of: access, rectification, restriction of Processing, erasure, data portability, objection to Processing, withdrawal of consent to Processing, or objection to being subject to Processing that constitutes automated decision-making.
“De-Identified Data” has the meaning provided for under the relevant Applicable Data Law.
“EU Data Laws” means, individually and collectively, the laws of the European Union, the European Economic Area, their member states, the United Kingdom, and Switzerland, including, to the extent applicable and as amended, repealed, consolidated or replaced from time to time: (i) Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (“GDPR”) and the EU e-Privacy Directive (Directive 2002/58/EC), (ii) the GDPR as implemented into the law of the United Kingdom by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 and the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2020 and the Data Protection Act 2018, and (iii) the Swiss Federal Data Protection Act or any other applicable data protection laws, rules or regulations of Switzerland (“Swiss Data Laws”).
“Instruction” means a direction or instruction with respect to the Processing of Customer Personal Data, either in writing, in textual form (e.g., by e-mail) or by using a software or online tool, issued by or on behalf of Customer to Arch.
“Personal Data” means information defined as personal data, personal information, or a similar term by Applicable Data Laws, and any other information that identifies, relates to, describes, or is capable of being associated with, directly or indirectly, an individual or household. Personal Data does not include Anonymous Data and/or De-Identified Data, as provided for under Applicable Data Law.
“Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to unencrypted Customer Personal Data in Arch’s possession or control.
“Process” or “Processing” means any operation or set of operations which is performed upon the Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
“Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller, including, as applicable, any “service provider” as defined under the CPRA or other Applicable Data Laws.
“Services” means the Arch Cloud Service and any related services provided by Arch to Customer as defined and specified under the terms of the Agreement.
“Supervisory Authority” means an independent public authority which is established by a member state of the European Economic Area or United Kingdom, or any other similar governmental, regulatory, or supervisory authority, including, any U.S. State Attorney Generals and the U.S. Federal Trade Commission, that has competent authority in its jurisdiction for overseeing, enforcing, or supervising the Applicable Data Laws of such jurisdiction.
- Term of DPA. Unless earlier terminated as set forth in this DPA or the Agreement, this DPA shall commence as of the DPA Effective Date and continue for the duration of the Agreement.
- Processing Activities
- Roles of the Parties. The parties acknowledge and confirm that with respect to the Processing of Customer Personal Data, Customer is the Controller or Processor, and Arch is the Processor.
- Details of Processing. The subject matter, nature, purpose, and duration of Processing, as well as the types of Customer Personal Data and categories of Data Subjects that may be Processed by Arch, are described in Exhibit B hereto.
- Customer Processing Obligations
- Processing & Instructions. The rights and obligations of the Customer with respect to the Processing of Customer Personal Data are described herein. Customer shall, in its use of the Services, at all times Process Customer Personal Data, and provide Instructions for the Processing of Customer Personal Data, in compliance with the Applicable Data Laws. Customer shall ensure that its Instructions comply with all laws, rules and regulations applicable in relation to the Customer Personal Data, and that the Processing of Customer Personal Data in accordance with Customer’s Instructions shall not cause Arch to be in breach of the Applicable Data Laws. Customer is solely responsible for the accuracy, quality, and legality of (a) the Customer Personal Data provided to Arch by or on behalf of Customer, (b) the means by which Customer acquired any such Customer Personal Data, and (c) the Instructions it provides to Arch regarding the Processing of such Customer Personal Data. Customer shall not provide or make available to Arch any Customer Personal Data other than as specified in Exhibit B hereto, unless otherwise mutually agreed upon in writing by the parties.
- Consents. To the extent required by Applicable Data Laws, Customer is responsible for ensuring that any necessary Data Subject consents to this Processing are obtained and for ensuring that a record of such consents is maintained. Should such a consent be revoked by the Data Subject, Customer shall promptly notify Arch of such revocation.
- Customer as Processor. Where Customer is a Processor, Customer warrants that its Processing Instructions as set out in the Agreement and this DPA, including its authorizations to Arch for the appointment of Subprocessors in accordance with this DPA, have been authorized by the relevant Controller. Customer shall be solely responsible for forwarding any notifications received from Arch to the relevant Controller where appropriate.
- Customer Affiliates. Where an Affiliate of Customer is the Controller over any Customer Personal Data processed by Arch under this DPA, Customer shall ensure that any relevant Affiliate complies with the obligations of Customer under the Applicable Data Laws and this DPA in respect of such Customer Personal Data. Customer shall remain responsible for its Affiliates’ performance under this DPA.
- Arch Processing Obligations
- Processing. Arch shall treat Customer Personal Data as Confidential Information and shall Process Customer Personal Data on behalf of and only in accordance with Customer’s Instructions for the following purposes: (i) Processing in accordance with the Agreement, any applicable Service Order(s), and this DPA, including Exhibit B hereto, including, as necessary to perform the Services; and (ii) Processing initiated by or on behalf of Customer in the use of the Services. Customer hereby instructs Arch to Process Customer Personal Data in accordance with the foregoing. If Arch is unable to Process Customer Personal Data pursuant to the Instructions due to legal requirements under applicable laws, Arch will inform the Customer of that legal requirement before Processing, unless otherwise prohibited by Applicable Data Laws. Arch agrees to promptly inform the Customer if, in its reasonable opinion, an Instruction infringes any Applicable Data Laws. In such case, Arch will cease all Processing of the affected Customer Personal Data (other than merely storing and maintaining the security of the affected Customer Personal Data, as applicable) until such time as the Customer issues new Instructions with which Arch is able to comply, and Arch shall not be liable to Customer under the Agreement for failure to perform the Services until such time as Customer issues such Instructions.
- Personnel. Arch shall ensure that all employees, contractors and personnel (collectively, “Personnel”) that have access to Customer Personal Data are made aware of the confidential nature of Customer Personal Data and have executed confidentiality agreements with, or are otherwise bound by, confidentiality obligations at least as protective as those herein. Arch shall remain responsible and liable for its Personnel’s performance under, and compliance with, this DPA.
- Deletion. Following completion of the Services, Arch will delete the Customer Personal Data in accordance with the provisions of the Agreement, except as required to be retained by the Applicable Data Laws or other applicable laws.
- CPRA. To the extent Arch’s Processing of Customer Personal Data is subject to the CPRA, Arch shall not (1) retain, use, or disclose Customer Personal Data for any purpose (commercial or otherwise) other than the business purposes expressly stated in this DPA or outside the direct business relationship between Customer and Arch, unless expressly permitted in the CPRA; (2) “sell” or “share” Customer Personal Data, as such terms are defined under the CPRA; or (3) combine the Customer Personal Data received with Personal Data received from another business or that Arch collects itself (unless such combination is necessary for certain business purposes identified in the CPRA).
- Security Measures
- Arch shall implement and maintain industry-standard technical and organizational security measures that are reasonably designed to prevent unauthorized access to and disclosure of Customer Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Arch’s Processing of Customer Personal Data as well as the risks to individuals, including, but not limited to, those measures set forth on Exhibit C hereto.
- Without prejudice to Arch’s obligations under this DPA, and elsewhere in the Agreement, Customer is responsible for its secure use of the Services, including, without limitation: (a) protecting account authentication credentials; (b) protecting the security of Customer Personal Data using third party tools not operated or controlled by Arch when in transit to and from the Services; and (c) implementing measures to allow Customer to backup and archive appropriately in order to restore availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident.
- Engaging Sub-Processors
- General Authorization. Customer acknowledges and agrees that Arch may engage Authorized Sub-Processors to Process Customer Personal Data in connection with the Services. Arch’s current list of third party sub-Processors as of the Effective Date is set forth on Exhibit B.
- New Engagements
- Arch will provide Customer reasonable prior notice, as required under Applicable Data Laws, before enabling any additional third-party Sub-Processors (other than Authorized Sub-Processors) to Process any Customer Personal Data in connection with the provision of the Services. Arch will notify Customer of such updates via email. Customer may object to the use of such third-party Sub-Processor in writing within 10 days of Customer’s receipt of the notice.
- If Customer reasonably objects to an engagement in accordance with this Section 4.2 of this DPA, Arch may provide Customer with a written description of commercially reasonable alternative(s), if any, to such engagement, including without limitation modification to the Services. If Arch does not provide or is unable to make available any such alternative(s) within a reasonable period of time (not to exceed 30 days), or if Customer does not agree to any such alternative(s) upon its reasonable and good faith consideration, either party may terminate this DPA and the Agreement, without penalty, upon written notice to the other party, in which case Arch will refund Customer any prepaid and unused fees covering the remainder of the Service term of any then-current Service Order(s) following the effective date of termination.
- If Customer does not object to the engagement of a third-party Sub-Processor in accordance with this Section 4.2 of this DPA within 10 days of notice by Arch, that third-party Sub-Processor shall be deemed an Authorized Sub-Processor for the purposes of this DPA.
- Subprocessor Responsibility. Each Authorized Sub-Processor shall be bound by a written agreement which subjects the Authorized Sub-Processor to obligations regarding the Processing of Customer Personal Data that are no less protective than those to which Arch is subject under this DPA and to the extent applicable to the nature of the services provided by the Sub-Processors. Arch shall remain responsible and liable for its Authorized Sub-Processors’ performance under, and compliance with, this DPA.
- Security Incidents. Arch will inform Customer without unreasonable delay (but in no event less than 48 hours) as soon as it has become aware of a Security Incident. Arch will provide all reasonable information in Arch’s possession concerning such Security Incident insofar as it affects Customer, including the following, to the extent then known: (i) the possible cause and consequences for the Data Subjects of the Security Incident; (ii) the categories of Customer Personal Data involved; (iii) a summary of the possible consequences for the relevant Data Subjects; (iv) a summary of the unauthorized recipients of the Customer Personal Data; and (v) the measures taken by Arch to mitigate any damage. Arch will use reasonable efforts to provide Customer with updates on further developments concerning a Security Incident.
- Legal Disclosure and Data Subjects Requests
- Legal Disclosure Requests. If Arch receives any order, demand, warrant, or any other document requesting or purporting to compel the production of Personal Data Processed on behalf of Customer (“Disclosure Request”), Arch will notify Customer without undue delay, except to the extent otherwise required by laws applicable to Arch. Arch will exercise commercially reasonable efforts to prevent and limit any such disclosure and to otherwise preserve the confidentiality of the Personal Data and will cooperate with Customer upon Customer’s reasonable request, with respect to any action taken in response to a Disclosure Request, to the extent it is commercially reasonable for Arch to do so.
- Data Subject Requests. As between the parties, Customer is responsible for handling and responding to all Data Subject Requests relating to Customer Personal Data under Applicable Data Laws, including, but not limited to, communicating with the Data Subject who is the subject of the applicable Data Subject Request. If Arch receives a Data Subject Request in relation to Customer Personal Data, Arch will (i) promptly notify Customer of the request and provide a copy of the request to Customer; and (ii) advise the Data Subject to submit their request to Customer. Arch will use commercially reasonable efforts to assist Customer with responding to any such request upon Customer’s written request for assistance; provided that (i) Customer is itself unable to respond without Arch’s assistance and (ii) Arch is able to do so in accordance with all applicable laws, rules, and regulations, including any Applicable Data Laws.
- Compliance Assistance. Arch shall, taking into account the nature of the Processing and the information available to Arch, provide Customer with reasonable cooperation and assistance where necessary for Customer to comply with obligations applicable to it under the Applicable Data Laws, including, but not limited to: (i) any requirements to conduct a data protection or transfer impact assessment, provided that Customer does not otherwise have access to the relevant information, or (ii) Customer’s cooperation or prior consultation with any Supervisory Authority, where necessary or where required by the Applicable Data Laws. Arch shall be entitled to be reimbursed by Customer, to the extent legally permitted, for reasonable costs and expenses actually incurred by Arch in Arch’s performance of its obligations under Sections 6 and 7 of this DPA.
- Audits. During the Term of this DPA, upon prior written request by Customer (not less than 30 days), Arch shall cooperate and within a reasonable time provide Customer with: (i) a summary of the audit reports available to Arch that demonstrate Arch’s material compliance with its obligations under Applicable Data Laws and this DPA with respect to Customer Personal Data, after redacting any confidential and commercially sensitive information; and (ii) confirmation that such audit has not revealed any material vulnerability in Arch’s systems, or, to the extent that any such vulnerability was revealed, that Arch has taken steps to remediate such vulnerability (collectively, the “Audit Report”). If the above measures are insufficient to confirm Arch’s material compliance with Applicable Data Laws or this DPA with respect to Customer Personal Data, then, subject to Arch’s reasonable confidentiality and security procedures, Arch will permit Customer, or an independent third party auditor that is mutually agreed upon by the parties, at Customer’s sole cost and expense, to audit Arch’s data protection compliance program (“Customer Audit”). Any Customer Audit must be conducted during Arch’s normal business hours, and the parties must mutually agree upon the scope, timing, and duration of a Customer Audit in advance of a Customer Audit. In addition, Customer acknowledges that Arch operates a multi-tenant cloud environment. Accordingly, Arch shall have the right to reasonably adapt the scope of any Customer Audit to avoid or mitigate risks with respect to, and including, service levels, availability, and confidentiality of Arch’s other customers’ information.
The Audit Reports and results of any Customer Audit, which may include the results of any written reports in connection with a Customer Audit, shall be deemed Arch’s Confidential Information. Customer may only request an Audit Report (and any related Customer Audit) once per consecutive 12-month period; provided that, in the event of a Security Incident, Customer may request a supplementary Audit Report and, if applicable, a Customer Audit, in accordance with this Section.
- RESTRICTED TRANSFERS
- Transfer Mechanism for Data Exports. For any transfers of Customer Personal Data to Arch where such Customer Personal Data originate from the European Economic Area or Switzerland, are subject to EU Data Protection Law (“EU Personal Data”) and are transferred to countries (or territories or sectors within a country) or international organizations which do not benefit from an adequacy decision under EU Data Protection Law, the parties hereby agree to, and incorporate herein, the standard contractual clauses set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj) (“Standard Contractual Clauses”). Exhibit A to this DPA sets forth the operative provisions of the Standard Contractual Clauses and additional terms agreed upon by the parties with respect to transfers of EU Personal Data.
- Data Exports from the UK. Where applicable, the parties agree to and incorporate by reference the International Data Transfer Addendum available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (“UK Addendum”) to the Standard Contractual Clauses. For the avoidance of doubt, references to Standard Contractual Clauses throughout this DPA shall include, where applicable, the UK Addendum.
- Data Exports from Switzerland. For data transfers where Customer is established in Switzerland or the transfer falls within the territorial scope of application of Swiss Data Laws, the Standard Contractual Clauses also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as Personal Data under Swiss Data Laws until such laws are amended to no longer apply to a legal entity. In such circumstances, general and specific references in the Standard Contractual Clauses to GDPR or EU or other applicable EU Data Laws shall have the same meaning as the equivalent reference in Swiss Data Laws.
- Integration; Conflicts. The relevant provisions contained in the Standard Contractual Clauses are incorporated by reference and are an integral part of this DPA. The Standard Contractual Clauses are subject to this DPA and the additional safeguards set out hereunder. The rights and obligations afforded by the Standard Contractual Clauses will be exercised in accordance with this DPA, unless stated otherwise. In the event of any conflict or inconsistency between the body of this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail with respect to EU Personal Data.
- Onward Transfers. Arch shall not transfer Customer Personal Data (nor permit Customer Personal Data to be transferred) outside of its country of origin unless Arch takes such measures as are necessary to ensure the transfer is in compliance with Applicable Data Laws. With respect to transfers of EU Personal Data outside of the United Kingdom, Switzerland, or the European Economic Area to a country or territory that has not received a binding adequacy decision by a competent national data protection authority (a restricted transfer), such transfer shall be subject to appropriate safeguards in accordance with EU Data Laws, and the Standard Contractual Clauses, or such other appropriate safeguard provided for under EU Data Law, shall apply.
- Amendments to this DPA. Notwithstanding any provisions to the contrary in this DPA, if any change in Applicable Data Laws may require or result in any variation to this DPA, Arch shall modify this DPA as necessary to incorporate such change(s) and provide a copy of the modified DPA to Customer. Customer shall notify Arch of any objection to such modifications of the DPA within 30 days of Arch’s delivery of such modified DPA to Customer. If Arch does not receive any objection from Customer within this 30-day period, Customer shall be deemed to have accepted such modifications and such modifications shall become binding and enforceable as part of this DPA. Should Customer submit objections to Arch within the above-referenced 30 days, Customer and Arch agree to discuss and negotiate in good faith any such necessary modifications to this DPA to address the changes with a view to agreeing and implementing modifications as mutually agreeable to both Customer and Arch as soon as is reasonably practicable but no later than 30 days following Arch’s receipt of Customer’s objections. If Customer and Arch are unable to reach agreement on modifications to this DPA within such 30-day time period and do not mutually agree in writing to extend the negotiation period prior to expiration of such 30-day period, either party may terminate the Agreement upon written notice to the other party, and Arch will issue a pro rata refund for any Fees paid and unused under any then-current Service Order(s) corresponding to the time period between the effective date of termination and the expiration of the Agreement. Except as stated above or as otherwise expressly set forth in this DPA, this DPA may be modified or amended only in writing signed by both Arch and Customer.
- Order of Precedence. In the event of any conflict between this DPA and the Agreement or any Service Order(s), the following order of precedence shall apply (in descending order): (1) this DPA, (2) the Agreement, and (3) the Service Order(s). There shall be no force or effect to any different terms of any related statement of work, subscription order, purchase order, online terms of service, or similar form even if signed by the parties after the Effective Date. For the avoidance of doubt, each party’s liability and remedies under this DPA are subject to the aggregate liability limitations and damages exclusions set forth in the Agreement.
- Governing Law. This DPA will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Laws.
- Severability. Should any provision of this DPA be held invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
EXHIBIT A
STANDARD CONTRACTUAL CLAUSES – OPERATIVE PROVISIONS AND ADDITIONAL TERMS
- STANDARD CONTRACTUAL CLAUSES
Operative Clauses & Additional Terms
| Operative Clauses & Additional Terms | Module 2 (applies where Customer is the Controller) and Module 3 (applies where Customer is a Processor) |
|---|---|
| Docking (Clause 7) | Shall not apply. |
| Instructions and Notifications (Clause 8.1(a)) | For the purposes of Clause 8.1(a), the processing instructions by Customer are set out in Section 3.1(i) of this DPA and include onward transfers to a third party located outside Europe for the purpose of the performance of the Services. In addition, where Module 3 applies, for the purposes of Clause 8.1(a), Customer hereby informs Arch that it acts as Processor under the instructions of the relevant Controller in respect of Personal Data. Customer shall be solely responsible for forwarding any notifications received from Arch to the relevant Controller where appropriate. |
| Certification and Deletion (Clauses 8.5 and 16(d)) | For the purposes of Clauses 8.5 and 16(d), the parties agree that Arch will provide the certification of deletion to Customer only upon Customer’s written request. |
| Security of Processing (Clause 8.6(c) and (d)) | For the purposes of Clause 8.6(c), personal data breaches will be handled in accordance with Section 5 of this DPA. In addition, where Module 3 applies, for the purposes of Clause 8.6(c) and (d), Arch shall provide notification of a personal data breach concerning Customer Personal Data Processed by Arch to Customer, and not to the relevant Controller. |
| Documentation and Compliance (Clause 8.9) – Module 3 only | For the purposes of Clause 8.9, all enquiries from the relevant Controller shall be provided to Arch by Customer. If Arch receives an enquiry directly from a Controller, it shall forward the enquiry to Customer and Customer shall be solely responsible for responding to any such enquiry from the relevant Controller where appropriate. |
| Audits (Clause 8.9) | The parties agree that the audits described in Clause 8.9 shall be carried out in accordance with Section 8 of this DPA. |
| Subprocessors (Clause 9) | Option 2 will apply and the time period for prior notice of subprocessor change shall be as set forth in Section 4.2 of this DPA. List of Sub-Processors: see Exhibit B to this DPA. The parties agree that: (i) the authorizations in Section 4.1 of this DPA shall constitute Customer’s prior written consent to Arch’s subcontracting the Processing of Customer Personal Data if such consent is required under the Standard Contractual Clauses; and (ii) the copies of the agreements with Sub-Processors that must be provided by Arch to Customer pursuant to Clause 9(c) may have commercial information, or information unrelated to the Standard Contractual Clauses or their equivalent, removed by Arch beforehand, and such copies will be provided by Arch only upon request by Customer. |
| Data Subject Requests (Clause 10) – Module 3 only | For the purposes of Clause 10, and subject to Section 6.2 of this DPA, Arch shall notify Customer about any request it has received directly from a Data Subject without obligation to handle it (unless otherwise agreed) but shall not notify the relevant Controller. Customer shall be solely responsible for cooperating with the relevant Controller in fulfilling the relevant obligations to respond to any such request. |
| Complaints – Redress (Clause 11) | For the purposes of Clause 11, and subject to Section 6.2 of this DPA, Arch shall inform data subjects on its website of a contact point authorized to handle complaints. The optional language in Clause 11(a) shall not apply. |
| Government Requests (Clause 15(1)(a)) | For the purposes of Clause 15(1)(a), Arch shall notify Customer (only) and not the Data Subject(s) in case of government access requests, and Customer shall be solely responsible for promptly notifying the affected Data Subjects as necessary. |
| Liability (Clause 12(b)) | Arch’s liability under Clause 12(b) shall be limited to any damage caused by its Processing where Arch has not complied with its obligations under the GDPR specifically directed to Processors, or where it has acted outside of or contrary to lawful instructions of Customer, as specified in Article 82 GDPR. |
| Governing Law (Clause 17) | Option 1 will apply, and the member state will be the Republic of Ireland. |
| Choice of Forum/Jurisdiction (Clause 18(b)) | The member state will be the Republic of Ireland. |
Appendix Information
Annex 1 | List of Parties: See Exhibit B to this DPA. By signing the Agreement or this DPA, the data exporter and data importer will be deemed to have signed Annex I. |
Description of Transfer: The required information is set out in Exhibit B to the DPA. | |
Competent Supervisory Authority: The Irish Data Protection Commissioner. | |
Annex 2 | See Exhibit C to this DPA. |
- UK ADDENDUM
Table 1: Parties | Table 1 is completed using the information set forth in Section A (List of Parties) of Exhibit B to this DPA. By signing the Agreement or this DPA, the data exporter and data importer will be deemed to have signed Annex I. |
Table 2: Selected SCCs, Modules and Selected Clauses | Table 2 is completed using the relevant version of the Standard Contractual Clauses available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj and the relevant information set out in Section A of this Exhibit A above. |
Table 3: Appendix Information | Annex 1A: List of Parties: See Exhibit B to this DPA. |
Annex 1B: Description of Transfer: See Exhibit B to this DPA. | |
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: See Exhibit C to this DPA. | |
Annex III: List of Sub-processors (Modules 2 and 3 only): See Exhibit B to this DPA. | |
Table 4: Ending this Addendum when the Approved Addendum Changes | Table 4 is completed so that either the data importer or data exporter may end the UK Addendum when the approved UK Addendum changes. |
EXHIBIT B
DETAILS OF PROCESSING
A. LIST OF PARTIES
Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
Data Exporter: Customer, as identified in the Agreement and the DPA.
Data Exporter’s name, address, and contact person: This information shall be as set out under the Agreement.
Activities relevant to the data transferred under this DPA: Transferring and otherwise Processing the Customer Personal Data identified and described in this Exhibit B related to receipt of the Services described in the Agreement.
Signature and date: The Data Exporter’s signature to or electronic adoption of the Agreement shall constitute the signature for the Standard Contractual Clauses, including Annex 1 to the Standard Contractual Clauses. The date shall be the DPA Effective Date.
Role (controller/processor): For purposes of Module 2 of the Standard Contractual Clauses, Data Exporter is the Data Controller. For purposes of Module 3 of the Standard Contractual Clauses, Data Exporter is a Data Processor.
Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]
Data Importer: Arch Data, Inc.
Data Importer’s name, address, and contact person: This information shall be as set out under the Agreement.
Activities relevant to the data transferred under these Clauses: Processing related to the Services, as described in the Agreement between Data Exporter and Data Importer, including the DPA.
Signature and date: The Data Importer’s signature to or electronic adoption of the Agreement shall constitute the signature for the Standard Contractual Clauses, including Annex I to the Standard Contractual Clauses. The date shall be the DPA Effective Date.
Role (controller/processor): For purposes of Module 2 and Module 3 of the Standard Contractual Clauses, Data Importer is a Data Processor.
B. DESCRIPTION OF TRANSFER
Categories of data subjects & personal data transferred
Categories of Data Subjects | Categories of Personal Data |
Data Exporter’s end users of the Services (e.g., employees, contractors, personnel, who are natural persons) (“End Users”); Data Exporter’s customers or other individuals whose Personal Data are included in the Data Exporter’s data sources or data sets that Data Importer Processes on behalf of Data Exporter (“Data Sets”) | End Users: Contact data such as name and email address. Identifiers, such as user ID, IP address. Usage analytics and activity data. Content of messages and communications transmitted by End Users. Data Sets: Any categories of Personal Data determined or selected by Customer in connection with Customer’s use of the Services |
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
End Users: None.
Data Sets: In accordance with and as set forth under the Agreement, if Customer has determined that Processing sensitive Personal Data using the Services is compliant with Applicable Data Laws, sensitive Personal Data transferred includes any categories of sensitive Personal Data determined or selected by Customer in connection with Customer’s use of the Services. Per the terms of the Agreement, Customer agrees that the technical and organizational security measures specified in Exhibit C to this DPA are sufficient and no additional restrictions or safeguards are necessary.
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis).
As and when the Services are requested.
Nature of the processing
Data Importer will Process the Personal Data as necessary to perform the Services pursuant to the Agreement, including the DPA.
Purpose(s) of the data transfer and further processing
The provision of the Services to Customer pursuant to the Agreement, including the DPA.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
End Users: Personal Data will be retained for the duration of the Agreement between Data Exporter and Data Importer or for the duration specified under Applicable Data Laws or other applicable laws.
Data Sets: Personal Data will be retained only transiently or for a short duration to transmit the Personal Data from Customer’s chosen source to Customer’s chosen destination.
For transfers to (sub-) processors, also specify the subject matter, nature and duration of the processing
Sub-processors Process Personal Data for purposes of providing services to Data Importer pursuant to the DPA.
Sub-processors Process Personal Data for the duration of the agreement between the Data Importer and Sub-processor, unless otherwise agreed with such Sub-processor in writing.
C. COMPETENT SUPERVISORY AUTHORITY
As set forth in Exhibit A of the DPA.
D. SUBPROCESSORS
- Amazon Web Services (Amazon, Inc.) – backend hosting provider – U.S. West
- GitHub, Inc. – hosting provider – U.S.
EXHIBIT C
TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Arch’s Processing, as well as the risks to individuals, Arch will implement and maintain the following industry-standard technical and organizational security measures:
- Information Security Policies and Standards. Arch will implement and maintain industry-standard security requirements and measures for staff and all subcontractors, vendors, and agents who have access to Customer Personal Data, that are reasonably designed to:
- prevent unauthorized persons from gaining access to Customer Personal Data processing systems;
- prevent Customer Personal Data processing systems from being used without authorization;
- ensure that persons entitled to use a Customer Personal Data processing system gain access only to such Customer Personal Data as they are entitled to access in accordance with their access rights and that, in the course of processing or use and after storage, Customer Personal Data cannot be read, copied, modified or deleted without authorization;
- ensure that Customer Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage, and that the target entities for any transfer of Customer Personal Data by means of data transmission facilities can be established and verified;
- ensure the establishment of an audit trail to document whether and by whom Customer Personal Data have been entered into, modified in, or removed from Customer Personal Data processing;
- ensure that Customer Personal Data are processed solely in accordance with the instructions;
- ensure that Customer Personal Data are protected against accidental destruction or loss; and
- ensure that these measures are kept up to date, and revised whenever relevant changes are made to the information system that uses or houses Customer Personal Data, or to how that system is organized.
- Physical Security. Arch will maintain commercially reasonable security systems at all Arch sites at which an information system that uses or houses Customer Personal Data is located. Arch will ensure that such systems reasonably restrict access to such Customer Personal Data as appropriate.
- Organizational Security. Arch will ensure that when media are to be disposed of or reused, procedures have been implemented to prevent any subsequent retrieval of any Customer Personal Data stored on them before they are withdrawn from the inventory. Arch will ensure that all Customer Personal Data security incidents are managed in accordance with appropriate incident response procedures.
- Network Security. Arch will maintain and implement network security using commercially available equipment and industry standard techniques, including firewalls, intrusion detection and/or prevention systems, access control lists and routing protocols.
- Access control. Arch will ensure that only authorized staff can grant, modify or revoke access to an information system that uses or houses Customer Personal Data. Arch will implement and maintain commercially reasonable physical and electronic security to create and protect passwords.
- Personnel. Arch will implement and maintain a security awareness program to train personnel about their security obligations. Arch will ensure this program includes training about data classification obligations, physical security controls, security practices and security incident reporting.