Last updated: 30 March 2026
Data Processing Addendum
This Data Processing Addendum ("DPA") is entered into between Trace Space, Inc., a Delaware company with its registered address at 111 NE 1st St, Suite 88511, 8th Floor, Miami, FL 33132, USA ("Trace.Space") and the customer identified in the Agreement ("Customer"). This DPA is incorporated by reference into, and forms an integral part of, the Trace.Space Terms of Service (“Terms”) or the Trace.Space Master Service Agreement (“MSA”) and governs Trace.Space's Processing of Customer Personal Data under the Agreement.
Deployment Scope. Trace.Space provides its services as Cloud Software or Self-Hosted Software. Provisions marked as Cloud-specific or Self-Hosted-specific apply only to that deployment scope. All other provisions apply to both.
Acceptance. By accepting the Agreement or using the services, Customer agrees to this DPA. No separate signature is required. The version published at https://www.trace.space/dpa at the time of use governs.
1. Data processing terms
Capitalised terms not defined in this DPA have the meanings given in Terms, MSA or applicable Data Protection Law. For the purposes of this Addendum, the following terms have the meanings set out below.
"Customer Data Incident" means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data transmitted, stored, or otherwise processed by Trace.Space or its Sub-processors, of which Trace.Space becomes aware.
"European Data Protection Law" means any data protection and privacy laws of Europe applicable to Customer Personal Data, including where applicable: (i) Regulation (EU) 2016/679 (GDPR); (ii) Directive 2002/58/EC; (iii) applicable national implementations and supplementations of (i) and (ii); (iv) the Swiss Federal Data Protection Act; and (v) in respect of the United Kingdom, the Data Protection Act 2018 and any legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the United Kingdom leaving the European Union; in each case as may be amended, superseded, or replaced from time to time.
"Instruction" means a written, documented instruction issued by Customer to Trace.Space, delivered by email or other agreed means, directing the performance of a specific action with regard to Customer Personal Data (including, but not limited to, depersonalising, blocking, deleting, or making available such data).
"Standard Contractual Clauses" or "EU-SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, in the form set out in Appendix 2, as amended, superseded, or replaced from time to time in accordance with this Addendum. Where Customer acts as a Controller, the Controller-to-Processor Clauses (Module 2) apply. Where Customer acts as a Processor, the Processor-to-Processor Clauses (Module 3) apply.
"Sub-Processor" means any Processor engaged by Trace.Space or its Affiliates to assist in fulfilling Trace.Space's obligations with respect to the provision of the Services to Customer. The current list of Sub-Processors is available at: https://www.trace.space/sub-processors
"UK Addendum" means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioner's Office under S119(A) of the UK Data Protection Act 2018, as may be amended, superseded, or replaced from time to time.
"U.S. Data Protection Law" means data protection or privacy laws applicable to Customer Personal Data in force within the United States, including the California Consumer Privacy Act (CCPA), as may be amended from time to time, and any rules or regulations implementing the foregoing.
2. Processing of personal data
2.1 Roles of the Parties
The parties acknowledge and agree that with regard to the Processing of Customer Personal Data:
(a) Cloud Software: Customer and its Affiliates act as Controller and Trace.Space acts as Processor. Trace.Space or its Affiliates will engage Sub-processors pursuant to this Addendum.
(b) Self-Hosted Software: Customer acts as the sole Controller and Processor of all Personal Data within its own infrastructure. Trace.Space's role as Processor arises only in the following limited circumstances where Customer Personal Data is explicitly provided to Trace.Space:
(i) authorised remote support sessions, where Customer has expressly requested assistance and shared data with Trace.Space;
(ii) license verification, to the extent that any Personal Data is transmitted as part of the license-verification mechanism described in the Agreement; and
(iii) telemetry and diagnostics, limited to anonymised and aggregated data as described in the Agreement and Section 4.5 of this Addendum.
Where Customer acts as a Processor of Personal Data on behalf of its own controllers, Trace.Space acts as a Sub-processor. For clarity, this Addendum applies to all Customer Personal Data that Trace.Space receives, accesses, views, copies, transmits, stores, or otherwise Processes in connection with the Self-Hosted Software, including any Customer Personal Data contained in support files, attachments, screenshots, logs, diagnostics, exports, or other materials provided by Customer. This Addendum does not apply to third-party applications used by Customer that are not provided, managed, or controlled by Trace.Space and are not Sub-Processors as defined herein.
2.2 Trace.Space's Role as Controller
Notwithstanding the foregoing, Trace.Space may act as an independent controller only with respect to limited business contact information of Customer personnel used for account administration, contract management, billing, fraud prevention, legal compliance, and security communications.
Trace.Space shall not act as an independent controller with respect to any Customer Personal Data Processed in connection with authorized support sessions, license verification, diagnostics, troubleshooting, maintenance, updates, or any other Services provided under the Agreement for the Self-Hosted Software.
2.3 No Joint Controllership
The parties acknowledge and agree that each is acting independently as a Controller with respect to Personal Data, except for Customer Personal Data as defined in this Addendum, and the parties are not joint controllers. Each party will, to the extent that it acts as a Controller with respect to Personal Data, reasonably cooperate with the other party to enable data protection rights to be exercised as set forth in applicable Data Protection Laws.
2.4 Details of the Processing
The subject matter of Processing of Customer Personal Data by Trace.Space is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data, and the categories of Data Subjects Processed under this Addendum are further specified in Appendix 1 to this Addendum.
2.5 Telemetry and License Verification Data
Where Customer uses the Self-Hosted Software, Trace.Space may receive limited technical data solely in connection with license verification, system health monitoring, and diagnostics expressly enabled or approved by Customer.
Such data shall:
(a) be limited to anonymized and aggregated technical information that does not include Customer Personal Data or information reasonably capable of identifying Customer, its personnel, or any Data Subject;
(b) exclude content, prompts, free-text entries, attachments, screenshots, support files, logs containing Personal Data, user names, email addresses, IP addresses, account identifiers, or similar identifying information;
(c) be processed solely for license compliance, security monitoring, and maintenance of the Self-Hosted Software; and
To the extent any telemetry or diagnostic data constitutes Customer Personal Data notwithstanding the foregoing, such data shall be treated as Customer Personal Data and subject to this Addendum in full. Customer shall have the right to configure or disable telemetry features to the extent technically feasible and as described in the Agreement or Documentation.
3. Customer’s obligations
3.1 Compliance with Law
Customer shall Process Personal Data in accordance with the requirements of applicable Data Protection Laws, including any obligation to provide notice to Data Subjects of the use of Trace.Space as a Processor and/or to obtain Data Subjects' consent to such Processing where required.
3.2 Legal Ground
Customer shall ensure that there is a valid legal ground and a lawful purpose for the Processing of Personal Data in connection with the Agreement at all times.
3.3 Instructions
Customer shall provide Trace.Space with Instructions regarding Trace.Space's Processing of Customer Personal Data as set out in this Addendum and in any additional documented instructions provided by Customer.
3.4 Accuracy and Responsibility
Customer shall undertake sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired such data. Trace.Space bears no responsibility for any inaccuracy, loss, or damage arising from Customer Personal Data that is incomplete, inaccurate, or unlawfully obtained.
3.5 Self-Hosted Software Obligations
Where Customer uses the Self-Hosted Software, Customer shall additionally:
(a) operate the Self-Hosted Software in compliance with the Documentation and applicable Data Protection Laws;
(b) implement and maintain appropriate technical and organisational security measures within its own infrastructure to protect Customer Personal Data processed therein;
(c) ensure compliance with all applicable Data Protection Laws in respect of any Personal Data processed within its Self-Hosted environment, including any sector-specific obligations (such as those arising under HIPAA, PCI DSS, or equivalent frameworks);
(d) be solely responsible for detecting, investigating, and notifying competent Supervisory Authorities and affected Data Subjects of any Personal Data breach occurring within its own infrastructure, in accordance with applicable Data Protection Laws; and
(e) ensure that any international transfers of Personal Data performed by Customer from within its Self-Hosted environment comply with applicable Data Protection Laws, independently of Trace.Space's transfer safeguards set out in Section 15 of this Addendum.
3.6 Designation of a Contact
At Trace.Space’s reasonable request, Customer shall designate a single point of contact responsible for receiving and responding to communications from Trace.Space relating to Data Subject Requests involving Customer Personal Data actually received by Trace.Space under Section 2.1(b). Trace.Space shall not fulfill, delete, alter, or otherwise act on any Data Subject Request except on Customer’s documented instruction or where required by applicable law.
3.7 Prohibited Data
Customer shall not submit to Trace.Space, whether through the Cloud Software or in connection with any Self-Hosted support interaction, any special categories of Personal Data as defined under Article 9 of the GDPR, or any data relating to criminal convictions and offences, unless expressly agreed in writing with Trace.Space in advance. Customer acknowledges that Trace.Space's systems and processes are not configured to apply the heightened safeguards required for such data absent a specific written agreement.
4. Trace.Space’s obligations
4.1 Compliance with Law
Trace.Space shall treat Customer Personal Data as confidential information and shall Process Customer Personal Data in accordance with the requirements of applicable Data Protection Laws and this Addendum.
4.2 Confidentiality
Trace.Space shall ensure that any person authorised to Process Customer Personal Data on Trace.Space's behalf - including Trace.Space's Affiliates, personnel, and Sub-processors - is subject to appropriate confidentiality obligations, whether contractual or statutory, with respect to that Customer Personal Data.
4.3 Compliance with Instructions
Trace.Space shall Process Customer Personal Data only in accordance with Instructions from Customer, unless required to do otherwise by applicable law, in which case Trace.Space shall notify Customer of such legal requirement prior to the relevant Processing, unless the applicable law prohibits such notification on grounds of important public interest.
Trace.Space shall Process Customer Personal Data for the following purposes only:
(a) Processing in accordance with the Agreement;
(b) Processing initiated by Customer's Authorised Users in their use of the Services; and
(c) Processing to comply with other documented reasonable Instructions provided by Customer, where such Instructions are consistent with the terms of the Agreement.
The Agreement and this Addendum constitute Customer’s standing Instructions to Trace.Space regarding the Processing of Customer Personal Data, together with any additional documented Instructions issued by Customer from time to time. No configuration setting, external policy, or product default shall expand Trace.Space’s rights to Process Customer Personal Data beyond what is expressly permitted in this Addendum.
4.4 Notification of Unlawful Instructions
Trace.Space has no obligation to monitor the compliance of Customer's use of Trace.Space with applicable law. However, Trace.Space shall use commercially reasonable efforts to promptly inform Customer if, in Trace.Space's reasonable opinion, an Instruction provided under this Addendum: (i) infringes applicable Data Protection Laws; (ii) is misleading or unclear; or (iii) relates to a situation for which Trace.Space has not received an Instruction regarding the Processing of Customer Personal Data.
4.5 Restrictions
Without limiting the foregoing:
(a) Trace.Space will not collect, retain, use, disclose, or otherwise Process Customer Personal Data in a manner inconsistent with Trace.Space's role as Customer's Processor, regardless of whether the CCPA applies;
(b) Trace.Space will not sell Customer Personal Data, as the term "sell" is defined under the CCPA or any equivalent U.S. Data Protection Law; and
(c) Trace.Space hereby certifies that it understands the restrictions and obligations set out in this Addendum and will comply with them.
4.6 Deployment-Specific Scope
For the avoidance of doubt, the obligations set out in this Section 4 apply to Trace.Space's Processing of Customer Personal Data as follows:
(a) Cloud Software: the obligations in this Section 4 apply in full to all Customer Personal Data submitted to or processed through the Cloud Software.
(b) Self-Hosted Software: the obligations in this Section 4 apply only to Customer Personal Data that Trace.Space actually receives from Customer in the limited circumstances. Trace.Space has no Processing obligations under this Section in respect of Customer Personal Data that remains solely within Customer's own infrastructure and is never transmitted to Trace.Space.
4.7 AI-Powered Features
To the extent the Services incorporate artificial intelligence or machine learning features, Trace.Space shall not use Customer Personal Data to train, retrain, or fine-tune any foundation or generative AI model made available to third parties.
Trace.Space may use Customer Personal Data in connection with AI-powered features to: (a) provide and operate such features as part of the Services; (b) monitor, test, and improve the performance, safety, and security of such features; and (c) generate aggregated and de-identified data that does not identify Customer, any Authorised User, or any Data Subject, which Trace.Space may use for any lawful business purpose.
Trace.Space shall not use Customer Personal Data received in connection with the Self-Hosted Software to train, retrain, fine-tune, validate, or benchmark any artificial intelligence or machine learning model, except to the extent expressly authorised in writing by Customer.
Additional operational details regarding AI-powered features, including third-party AI/ML providers, are described in the Trace.Space AI Policy at https://www.trace.space/ai-policy. In the event of any conflict between the AI Policy and this Addendum, this Addendum prevails, and the AI Policy shall not expand Trace.Space's rights to Process Customer Personal Data beyond those expressly granted in this Addendum.
5. Rights of data subjects
5.1 Data Subject Requests
Trace.Space shall, to the extent permitted by applicable law, promptly notify Customer if Trace.Space receives a request from a Data Subject to exercise any of the following rights in respect of Customer Personal Data:
(a) the right of access;
(b) the right to rectification;
(c) the right to restriction of Processing;
(d) the right to erasure ("right to be forgotten");
(e) the right to data portability;
(f) the right to object to Processing; or
(g) the right not to be subject to automated decision-making.
Each such request is referred to in this Addendum as a "Data Subject Request."
Trace.Space shall not delete, alter, restrict, or otherwise act on any Data Subject Request except on Customer’s documented instruction or where required by applicable law.
5.2 Assistance with Data Subject Requests
Taking into account the nature of the Processing, Trace.Space shall use reasonable efforts to assist Customer by appropriate technical and organisational measures, insofar as possible, to fulfil Customer's obligation to respond to Data Subject Requests under applicable Data Protection Laws.
Where Customer does not have the ability to address a Data Subject Request directly through its use of the Services, Trace.Space shall, upon Customer’s written request, provide reasonable assistance to Customer in responding to such Data Subject Request. Such ordinary assistance shall be included in the fees for the Services. Any extraordinary, bespoke work materially beyond the ordinary assistance required under applicable Data Protection Laws shall be subject to Customer’s prior written approval of scope and fees.
5.3 Deployment-Specific Scope
(a) Cloud Software: Trace.Space shall notify Customer of any Data Subject Request it receives in relation to Customer Personal Data processed through the Cloud Software and shall provide assistance.
(b) Self-Hosted Software: As Customer is the sole Controller and Processor of Personal Data within its own infrastructure, Customer is solely responsible for receiving, handling, and responding to Data Subject Requests in respect of such data. Trace.Space has no visibility into, and therefore no obligation to notify Customer of, Data Subject Requests received directly by Customer or relating to data held solely within Customer's Self-Hosted environment.
5.4 No Independent Response
Trace.Space shall not respond independently to any Data Subject Request relating to Customer Personal Data without Customer's prior written authorisation, except where required to do so by applicable law, in which case Trace.Space shall notify Customer as soon as reasonably practicable to the extent permitted by law.
5.5 Automated Decision-Making
Trace.Space does not engage in automated decision-making that produces legal or similarly significant effects on Data Subjects within the meaning of Article 22 of the GDPR, except where explicitly described and agreed in writing between the parties. Any outputs generated by AI or machine learning features within Trace.Space are intended to support users and require human review and validation.
6. Trace.Space’s personnel
6.1 Confidentiality of Personnel
Trace.Space shall ensure that its personnel engaged in the Processing of Customer Personal Data:
(a) are informed of the confidential nature of the Customer Personal Data they access or process;
(b) have received appropriate training on their responsibilities under applicable Data Protection Laws and this Addendum; and
(c) are subject to written confidentiality agreements or an appropriate statutory obligation of confidentiality regarding Customer Personal Data.
6.2 Limitation of Access
Trace.Space shall ensure that access to Customer Personal Data is limited to those personnel who require such access to perform their obligations in connection with the Services under the Agreement, on a strict need-to-know basis.
6.3 Deployment-Specific Scope
(a) Cloud Software: the obligations in Sections 6.1 and 6.2 apply in full to all personnel engaged in Processing Customer Personal Data through the Cloud Software.
(b) Self-Hosted Software: the obligations in Sections 6.1 and 6.2 apply to personnel engaged in Processing Customer Personal Data received by Trace.Space in the limited circumstances, such as authorised support personnel handling data shared during a remote support session. Trace.Space personnel have no access to Customer Personal Data residing solely within Customer's Self-Hosted infrastructure.
6.4 Data Protection Officer
Trace.Space has appointed a Data Protection Officer. The Data Protection Officer may be contacted at privacy@trace.space.
7. Sub-processors
7.1 List of Sub-Processors
The list of approved Sub-Processors authorized to Process Customer Personal Data in connection with providing Services is available at https://www.trace.space/sub-processors
7.2 Notice and Objection
Trace.Space maintains the current list of Sub-Processors at https://www.trace.space/sub-processors. Trace.Space will update this list at least thirty (30) days before a new Sub-Processor begins Processing Customer Personal Data. Customer may subscribe to notifications of updates through the mechanism provided on that page.
Customer may object to a new Sub-Processor on reasonable, documented data protection or security grounds by written notice to privacy@trace.space within thirty (30) days of the update. The parties shall discuss the objection in good faith. Where Trace.Space is able to offer a commercially reasonable alternative, it shall do so. Where no such alternative is available, Customer's sole and exclusive remedy is to terminate the affected Services on written notice, and Trace.Space shall refund any prepaid Fees for the terminated portion of the then-current Term on a pro-rata basis.
If Customer does not object within the thirty (30) day period, the new Sub-Processor is deemed approved.
7.3 Protection
Trace.Space shall enter into a written agreement with each Sub-processor containing data protection obligations that are substantially equivalent to those imposed on Trace.Space under this Addendum, to the extent applicable to the nature of the services provided by that Sub-processor. Where required by applicable Data Protection Laws or the Standard Contractual Clauses, such agreements shall include the EU-SCCs or equivalent transfer safeguards.
7.4 Limitation of Access
Trace.Space shall ensure that each Sub-processor accesses and uses Customer Personal Data only to the extent strictly required to perform the obligations subcontracted to it in connection with the Services, and for no other purpose.
7.5 Liability for Sub-Processors
Trace.Space shall be liable to Customer for the acts and omissions of its Sub-processors to the same extent that Trace.Space would be liable if performing the relevant services directly under the terms of this Addendum, except as otherwise set out in the Agreement.
8. Third-party data processors
8.1 General
Customer acknowledges and agrees that in the provision of certain Services - such as integrations and plugins accessible through Trace.Space - Trace.Space may, pursuant to Instructions issued by Customer, transfer Customer Personal Data to and otherwise interact with third-party data processors that are not Sub-processors within the meaning of this Addendum ("Third-Party Processors").
8.2 Customer Responsibility
Where Customer independently elects to connect the Self-Hosted Software to a third-party service that is not provided, managed, controlled, or technically mediated by Trace.Space, Customer is responsible for ensuring that such third-party service complies with applicable Data Protection Laws and Customer’s internal security requirements.
Any third-party service that Trace.Space provides, enables, routes, supports, recommends as part of the Services, or technically mediates in connection with the Services, and that Processes Customer Personal Data, shall be treated as a Sub-Processor of Trace.Space and remain Trace.Space’s responsibility under this Addendum.
8.3 Deployment-Specific Scope
(a) Cloud Software: where Customer enables a third-party integration through the Cloud Software, Trace.Space may transfer Customer Personal Data to the relevant Third-Party Processor pursuant to Customer's Instruction. Customer is responsible for reviewing the privacy and security practices of any such Third-Party Processor before enabling the integration.
(b) Self-Hosted Software: where Customer configures outbound integrations from its Self-Hosted environment to third-party services, Trace.Space has no visibility into or control over the resulting data flows. Customer bears sole responsibility for ensuring that such integrations comply with applicable Data Protection Laws, its own internal security policies, and any applicable data residency or data sovereignty requirements. Trace.Space is not responsible for the availability, performance, or security of any third-party service that Customer connects to from a Self-Hosted environment.
9. Security and assistance
9.1 Protection of Customer Personal Data
Trace.Space shall implement and maintain appropriate technical and organisational measures for the protection of the security, confidentiality, and integrity of Customer Personal Data, as required under applicable Data Protection Laws and as further described in Annex II of this Addendum. Trace.Space shall regularly monitor compliance with these measures.
Such measures are subject to technological progress and development. Trace.Space may implement alternative or updated measures provided that the overall level of protection afforded to Customer Personal Data is not materially reduced during the term of the Agreement.
9.2 Deployment-Specific Security Obligations
(a) Cloud Software: Trace.Space shall maintain technical and organisational measures applicable to all infrastructure and systems under Trace.Space's control through which Customer Personal Data is processed, in accordance with Annex II. Trace.Space maintains SOC 2 Type II controls in respect of the Cloud Software, details of which are available upon written request subject to applicable confidentiality obligations.
(b) Self-Hosted Software: Trace.Space’s technical and organizational measures apply to the design, development, delivery, and security of the Self-Hosted Software itself, including security updates, patches, support tools, and any access by Trace.Space personnel or approved Sub-Processors. Customer remains responsible for the security of Customer’s infrastructure, network, configuration, and operating environment.
Notwithstanding the foregoing, Trace.Space remains responsible for:
(i) vulnerabilities, defects, or insecure default configurations in the Self-Hosted Software as delivered by Trace.Space;
(ii) compromised, malicious, or defective updates or patches provided by Trace.Space;
(iii) Processing or access performed by Trace.Space personnel, contractors, or approved Sub-Processors; and
(iv) security incidents caused by Trace.Space’s failure to provide security updates or patches within a reasonable period after discovery and notice.
Trace.Space shall ensure that any support access to Customer systems is limited to authorized personnel, uses named accounts and multi-factor authentication, is logged, is limited to the minimum scope necessary, and does not result in persistent retention of Customer Personal Data except as expressly authorized by Customer.
9.3 Third-Party Certifications and Audits
Trace.Space shall obtain and maintain third-party certifications and audits as required under applicable Data Protection Laws. Upon Customer's written request, at reasonable intervals and subject to the confidentiality obligations set out in the Agreement, Trace.Space shall make available to Customer a copy of its most recent third-party audit reports or certifications, as applicable, provided that Customer is not a competitor of Trace.Space. Where Customer appoints a third-party auditor to receive such reports on its behalf, such auditor must also not be a competitor of Trace.Space.
9.4 Data Protection Impact Assessments
Upon Customer's written request, Trace.Space shall provide Customer with reasonable cooperation and assistance to fulfil Customer's obligations under applicable Data Protection Laws to carry out a data protection impact assessment ("DPIA") related to Customer's use of the Services, to the extent that:
(a) Customer does not otherwise have access to the relevant information; and
(b) such information is available to Trace.Space.
Ordinary assistance with DPIAs and related regulator consultations required under applicable Data Protection Laws shall be included in the fees for the Services. Any extraordinary, bespoke work materially beyond such ordinary assistance shall be subject to Customer’s prior written approval of scope and fees.
9.5 Assistance with Supervisory Authority Consultations
Where Customer is required under applicable Data Protection Laws to consult with a Supervisory Authority prior to commencing Processing, Trace.Space shall, upon Customer's written request, provide reasonable cooperation and assistance in connection with such consultation, to the extent that relevant information is available to Trace.Space and has not already been provided to Customer through the Documentation, Annex II, or third-party audit reports.
10. Customer data incident management
10.1 Incident Management Policy
Trace.Space shall implement and maintain data security incident management policies and procedures compliant with applicable Data Protection Laws, addressing the detection, assessment, containment, and management of Customer Data Incidents.
10.2 Notification
Trace.Space shall notify Customer without undue delay, and in any event within twenty-four (24) hours after becoming aware of a Customer Data Incident, providing to the extent available:
(a) the nature of the incident, including approximate number of Data Subjects and records affected;
(b) contact details of the relevant Trace.Space contact point;
(c) the likely consequences of the incident; and
(d) measures taken or proposed to address the incident and mitigate its effects.
Where full information is unavailable at the time of notification, Trace.Space shall provide what is available and supplement it without undue delay.
10.3 Deployment-Specific Scope
(a) Cloud Software: Sections 10.1 and 10.2 apply in full.
(b) Self-Hosted Software: Trace.Space has no visibility into Customer's infrastructure and cannot detect or notify Customer of incidents occurring there. Customer is solely responsible for incident detection, containment, and notification within its Self-Hosted environment. Sections 10.1 and 10.2 apply only in respect of Customer Personal Data received by Trace.Space.
10.4 Assistance
Upon Customer's written request, Trace.Space shall provide reasonable assistance to enable Customer to notify competent Supervisory Authorities and affected Data Subjects where required under applicable Data Protection Laws. Such ordinary assistance shall be included in the fees for the Services. Any extraordinary, bespoke work materially beyond the assistance required under applicable Data Protection Laws shall be subject to Customer’s prior written approval of scope and fees.
10.5 No Acknowledgement of Fault
Notification of a Customer Data Incident by Trace.Space under this Section 12 shall not be construed as an acknowledgement of fault or liability.
11. Return or deletion of customer personal data
11.1 Return and Deletion
Upon Customer's written request, or when Trace.Space no longer requires Customer Personal Data to fulfil its obligations under the Agreement, Trace.Space shall, and shall procure that its Affiliates and Sub-processors shall:
(a) cease all Processing of Customer Personal Data; and
(b) at Customer's election, either return all Customer Personal Data and copies thereof to Customer, or securely delete Customer Personal Data and all copies thereof and certify such deletion in writing to Customer.
11.2 Retention
Trace.Space may retain Customer Personal Data to the extent and for the period required by applicable law, including applicable Data Protection Laws. During any such retention period, Trace.Space shall ensure that:
(a) the Customer Personal Data is held in confidence and not processed for any purpose other than that required by the applicable law mandating its retention; and
(b) the Customer Personal Data is deleted immediately upon expiry of the legally required retention period.
11.3 Limited Technical Impossibility Exception
Where Trace.Space is temporarily unable to delete Customer Personal Data for demonstrated technical or legal reasons, Trace.Space shall promptly notify Customer, explain the basis for the delay, apply appropriate measures to restrict any further Processing, and complete deletion as soon as deletion becomes technically and legally possible. Anonymization shall not be used as a substitute for deletion except where expressly instructed in writing by Customer.
11.4 No Continued Processing
Trace.Space shall not continue to Process, anonymize, aggregate, derive analytics from, or otherwise use Customer Personal Data after the relevant support purpose or the termination of the Agreement, except to the limited extent required by applicable law and only for the minimum period required by law.
11.5 Deployment-Specific Scope
(a) Cloud Software: Sections 11.1 through 1.4 apply in full. Customer may request export of its Customer Personal Data within 30 calendar days of the effective termination date, after which Trace.Space may permanently delete all Customer Personal Data associated with Customer's account.
(b) Self-Hosted Software: Customer Personal Data resides within Customer's own infrastructure. Customer is solely responsible for the deletion of such data. Trace.Space's obligations under Sections 11.1 through 11.4 apply only in respect of Customer Personal Data received by Trace.Space.
12. Audit rights
12.1 Documentation First
Trace.Space's primary mechanism for demonstrating compliance with this Addendum is through documentation. Upon Customer's written request, Trace.Space shall make available its most recent relevant third-party audit reports or certifications. Customer agrees to rely on such documentation as the primary means of verifying Trace.Space's compliance before requesting any further audit activity.
12.2 On-Site Audit Right
Only where the documentation provided under Section 12.1 does not, in Customer's reasonable judgement, provide sufficient evidence of compliance with a specific obligation under this Addendum may Customer request an on-site audit. Any such audit shall be conducted by a mutually agreed independent third-party auditor who is not a competitor of Trace.Space. Trace.Space's consent to the auditor shall not be unreasonably withheld or delayed.
12.3 Audit Conditions
Any audit under Section 12.2 is subject to the following conditions, all of which are prerequisites to Trace.Space's obligation to cooperate:
(a) Customer shall provide at least 30 days' prior written notice specifying the scope, proposed timing, and duration of the audit;
(b) the scope shall be limited strictly to Customer's use of the Services and Trace.Space's specific obligations under this Addendum — broad or fishing-expedition audits are not permitted;
(c) the audit shall be conducted during regular business hours in a manner that minimises disruption to Trace.Space's operations;
(d) Customer may conduct no more than one audit per calendar year, unless a competent Supervisory Authority expressly requires otherwise; and
(e) Customer shall bear its own third-party audit costs. Trace.Space shall bear its own internal costs of supporting ordinary audits under this Addendum. Any extraordinary or duplicative audit activity imposing a materially excessive burden on Trace.Space shall be subject to prior written agreement on reasonable cost allocation.
12.4 Audit Results
Customer shall provide Trace.Space with a summary of any material non-compliance identified during an audit, unless applicable law or regulatory requirements require provision of the full audit report. Audit reports are confidential and may be used by Customer solely to verify compliance with this Addendum or to meet Customer's own regulatory audit obligations. Customer shall promptly notify Trace.Space of any non-compliance identified and allow Trace.Space a reasonable opportunity to remediate before taking any further action.
12.5 Deployment-Specific Scope
(a) Cloud Software: Sections 12.1 through 12.4 apply in full. Audit evidence is limited to Trace.Space's processing systems, access controls, and technical and organisational measures as described in Annex II.
(b) Self-Hosted Software: as Trace.Space does not process Customer Personal Data within Customer's infrastructure in the ordinary course, audit rights under this Section apply only in respect of Customer Personal Data actually received by Trace.Space. Relevant audit evidence is limited to Trace.Space's secure software design practices, security update cadence, and Documentation. Customer has no right to audit Trace.Space's systems in connection with data that never leaves Customer's own infrastructure.
13. Data transfer outside of Europe
13.1 Scope
This Section 13 applies to:
(a) Cloud Software: all transfers of Customer Personal Data originating from Europe that Trace.Space processes in connection with the Cloud Software; and
(b) Self-Hosted Software: transfers of Customer Personal Data originating from Europe that Customer explicitly provides to Trace.Space in the limited circumstances.
Customer Personal Data that originates from Europe and remains solely within Customer's Self-Hosted infrastructure is not subject to this Section 13. Customer is solely responsible for ensuring that any international transfers it performs from within its own Self-Hosted environment comply with applicable Data Protection Laws.
13.2 Transfer Mechanisms
Where Trace.Space transfers Customer Personal Data outside Europe to a jurisdiction for which the European Commission or the UK has not issued an adequacy decision, Trace.Space shall ensure that an appropriate transfer safeguard is in place, which may include:
(a) Standard Contractual Clauses: in relation to transfers of Customer Personal Data protected by the EU GDPR, Trace.Space shall process such data in accordance with the EU-SCCs set out in Appendix 2, which are incorporated into and form part of this Addendum. Trace.Space is the "data importer" and Customer is the "data exporter" for the purposes of the EU-SCCs. Where Customer acts as a Controller, Module 2 (Controller-to-Processor) applies. Where Customer acts as a Processor, Module 3 (Processor-to-Processor) applies;
(b) UK Addendum: in relation to transfers of Customer Personal Data protected by UK data protection law, the EU-SCCs apply as completed under Section 15.2(a) and are deemed amended as specified by the UK Addendum, which is deemed executed by the parties and incorporated into this Addendum. The UK Addendum tables are completed as follows:
(i) Table 1: completed with the party information set out in Annex I.A of Appendix 2;
(ii) Table 2: the Approved EU-SCCs apply, with only the modules selected under Section 15.2(a) brought into effect;
(iii) Table 3: completed with the information set out in Appendix 1 and Appendix 2 of this Addendum;
(iv) Table 4: neither party may terminate the UK Addendum where the approved EU-SCCs are amended; and
(v) any conflict between the EU-SCCs and the UK Addendum shall be resolved in accordance with Sections 10 and 11 of the UK Addendum;
(c) adequacy decision: where the European Commission or the UK has issued an adequacy decision covering the relevant transfer; or
(d) other safeguard: any other appropriate safeguard pursuant to Article 46 of the GDPR or derogation pursuant to Article 49 of the GDPR, as agreed between the parties in writing.
13.3 Compliance Notification
Trace.Space shall promptly notify Customer if it becomes aware that it can no longer meet its obligations under this Section 13 in respect of any transfer. In such event, Trace.Space shall work with Customer to promptly identify and implement appropriate remedial measures. If no appropriate safeguard can be ensured, Trace.Space shall suspend the relevant transfer until a compliant mechanism is in place, and Customer may terminate the affected Services on written notice subject to the termination provisions of the Agreement.
13.4 Customer Transfers
Where Customer itself transfers Customer Personal Data outside Europe — whether through use of the Cloud Software or from within its Self-Hosted environment — Customer is solely responsible for ensuring that such transfers comply with applicable Data Protection Laws independently of the transfer mechanisms Trace.Space has put in place under this Section 13.
14. Limitation of liability
14.1 Aggregate Liability
Each party's liability and all of its Affiliates' liability, taken together in the aggregate, arising out of or related to this Addendum, whether in contract, tort, or under any other theory of liability, is subject to the limitations of liability set out in the Agreement. Any reference in the Agreement to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and this Addendum together.
14.2 Aggregate Cap
Trace.Space's and its Affiliates' total liability for all claims arising out of or related to this Addendum applies in the aggregate across both the Agreement and this Addendum and will not be understood to apply individually or severally to Customer or any Affiliate that is a party to this Addendum. Neither Customer nor any of its Affiliates shall be entitled to recover more than once in respect of the same claim.
14.3 Self-Hosted Liability Exclusion
To the maximum extent permitted by applicable law, Trace.Space shall have no liability under this Addendum for loss, damage, or breach arising solely from:
(a) Customer’s infrastructure, network, or operating environment;
(b) Customer’s misconfiguration of the Self-Hosted Software; or
(c) Customer’s failure to implement critical security updates made available by Trace.Space within a reasonable period after written notice.
Notwithstanding the foregoing, Trace.Space remains responsible for loss, damage, or breach arising from defects in the Self-Hosted Software, insecure default configurations, compromised or defective updates, or the acts or omissions of Trace.Space, its personnel, contractors, or Sub-Processors.
14.4 Mutual Exclusion of Consequential Loss
To the maximum extent permitted by applicable law, neither party shall be liable to the other for any indirect, incidental, special, consequential, or punitive damages arising out of or related to this Addendum, including loss of profits, revenue, data, goodwill, or business opportunity, even if advised of the possibility of such damages, consistent with the limitations set out in the Agreement.
15. General terms
15.1 Conflict of Provisions
In the event of any conflict or inconsistency between the documents governing the relationship between the parties, the following order of precedence applies:
(a) the Standard Contractual Clauses (Appendix 2);
(b) this Addendum;
(c) the applicable Customer order under the Agreement; and
(d) the Agreement (MSA or ToS, as applicable).
15.2 Supporting Documents
The following documents form part of the framework governing Trace.Space's processing of Customer Personal Data and are incorporated into this Addendum by reference where indicated:
(a) the Privacy Policy, available at https://trace.space/privacy-policy;
(b) List of Sub-processors, available at https://www.trace.space/sub-processors;
(c) the SLA, available at https://www.trace.space/sla, governing service levels for both Cloud Software and Self-Hosted Software support; and
(d) the AI Policy, available at https://www.trace.space/ai-policy, governing Trace.Space's use of artificial intelligence and machine learning in the provision of the Services.
In the event of any conflict between this Addendum and any supporting document listed above, this Addendum shall prevail.
No supporting document incorporated by reference shall expand Trace.Space’s rights to collect, use, retain, disclose, or otherwise Process Customer Personal Data beyond those expressly granted in this Addendum.
15.3 Termination
This Addendum has the same duration as the Agreement and is subject to the termination provisions thereof. Trace.Space's obligations to implement and maintain appropriate security measures in respect of Customer Personal Data shall survive termination of this Addendum for as long as Trace.Space retains any Customer Personal Data.
15.4 Governing Law
This Addendum is governed by the same governing law and jurisdiction as the Terms of Service or a signed Agreement, unless otherwise required by applicable Data Protection Laws.
15.5 Amendments
This Addendum may be amended only by a written agreement signed by both parties, except that Trace.Space may propose updates required solely to reflect changes in applicable Data Protection Laws. No such update shall materially reduce Customer’s rights or Trace.Space’s obligations under this Addendum without Customer’s prior written consent.
15.6 Severability
If any provision of this Addendum is held to be invalid, illegal, or unenforceable, that provision shall be enforced to the maximum extent permissible and the remaining provisions shall continue in full force and effect.
15.7 Entire Agreement on Data Processing
This Addendum, together with the Agreement and the supporting documents listed in Section 15.2, constitutes the entire agreement between the parties with respect to the processing of Customer Personal Data and supersedes all prior agreements, representations, and understandings relating to the same subject matter.
APPENDIX 1 DETAILS OF PROCESSING
1. Subject Matter
Trace.Space will process Customer Personal Data as necessary to provide the Services to Customer pursuant to the Agreement.
2. Purpose of Processing
For the Self-Hosted Software, Trace.Space shall Process Customer Personal Data only for the following purposes:
(a) to provide authorized support, troubleshooting, maintenance, diagnostics, and security response requested or approved by Customer;
(b) to perform license verification to the extent any Personal Data is necessarily transmitted as part of that mechanism; and
(c) to comply with disclosures required by applicable law.
3. Duration of Processing
Trace.Space will process Customer Personal Data for the duration of the Agreement, plus any period following expiration or termination during which Customer Personal Data is retained by Trace.Space on Customer's behalf, subject to Section 11 of this Addendum.
4. Deployment-Specific Scope of Processing
(a) Cloud Software: Trace.Space processes Customer Personal Data as Processor across all processing activities described in this Appendix 1 for the full duration of the Agreement.
(b) Self-Hosted Software: Trace.Space's processing of Customer Personal Data is limited to data received in the circumstances set out in Section 2.1(b) of this Addendum. The location, duration, and nature of such processing corresponds to the specific circumstance in which the data is received — for example, data shared during a support session is processed only for the duration and purposes of that session.
5. Telemetry and License Verification
For the Self-Hosted Software, Trace.Space may receive limited anonymized and aggregated technical data solely in connection with license verification, system health monitoring, and diagnostics as described in Section 4.5 of this Addendum. Such data shall not include Customer Personal Data and shall not include names, email addresses, IP addresses, account identifiers, content, prompts, support files, or other data reasonably capable of identifying Customer, its personnel, or any Data Subject.
6. Data Subjects
The following categories of Data Subjects may be covered by this Addendum:
(a) Customer's Authorised Users, including officers, employees, and contractors; and
(b) third parties that have or may have a commercial relationship with Customer, such as translators, editors, or project collaborators, to the extent their Personal Data is submitted to Trace.Space by Customer.
For the avoidance of doubt, all Customer Personal Data is submitted at Customer's direction. Trace.Space does not collect bank details or payment card details directly unless explicitly requested by Customer to do so.
7. Categories of Personal Data
Customer may submit the following categories of Personal Data to the Services, the extent of which is determined and controlled by Customer:
(a) email address, full name, and IP address of Authorised Users;
(b) Customer's legal name and registered address (for legal entities);
(c) position or role of Authorised Users within Customer's organisation; and
(d) phone number of Customer's representatives.
Where Customer makes payments or conducts payment transactions through a third-party payment processor integrated with Trace.Space, Trace.Space may receive the following limited transaction information:
(a) cardholder name and email address;
(b) unique customer identifier and order ID;
(c) partial payment card details (last four digits and card type) or limited bank account details;
(d) card expiration date; and
(e) date, time, total amount, and location of transaction.
The specific payment information received depends on the payment method selected by Customer.
8. Sensitive Data
Trace.Space does not knowingly process special categories of Personal Data as defined under Article 9 of the GDPR, or data relating to criminal convictions and offences, in connection with the processing activities described in this Addendum. Customer is prohibited from submitting such data to Trace.Space without a separate prior written agreement, as set out in Section 3.7 of this Addendum.
9. Location of Processing
(a) Cloud Software: Customer Personal Data may be processed in the European Union, the United Kingdom, the United States, and such other locations as are necessary for Trace.Space and its Sub-processors to provide the Services, subject to the transfer safeguards set out in Section 15 of this Addendum.
(b) Self-Hosted Software: Customer Personal Data within Customer’s Self-Hosted environment is processed at the locations determined by Customer’s infrastructure choices.
10. Data Processing Activities
For the Self-Hosted Software, Customer Personal Data actually received by Trace.Space may be subject only to the following Processing activities, as applicable: limited collection, transmission, consultation, retrieval, use, restriction, return, and deletion, solely to the extent necessary to provide the authorized support, troubleshooting, diagnostics, maintenance, or license verification described in this Addendum.
APPENDIX 2
STANDARD CONTRACTUAL CLAUSES
This Appendix is attached to and forms part of the Data Processing Addendum. Unless otherwise defined in this attachment, capitalised terms used in this attachment have the meanings given to them in the Addendum. When Customer is acting as a controller, the Controller-to-Processor Clauses (module 2) will apply to a Data Transfer. When Customer is acting as a processor, the Processor-to-Processor Clauses (module 3) will apply to a Data Transfer. Where no specific modules are mentioned, the clauses apply to all data exporters, regardless of whether the Customer is a controller or a processor.
SECTION I
Clause 1
Purpose and scope
- The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.
- The Parties:
- the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and
- the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’) have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).
- These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
- The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.
Clause 2
Effect and invariability of the Clauses
- These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
- These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.
Clause 3
Third-party beneficiaries
- Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
- Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
- Clause 8 – Module 2 (Controller-to-Processor Clauses): Clause 8.1(b), 8.9(a), (c), (d) and (e); Module 3 (Controller-to-Processor Clauses): Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g);
- Clause 9 – Module 2 (Controller-to-Processor Clauses): Clause 9(a), (c), (d) and (e); Module 3 (Controller-to-Processor Clauses): Clause 9(a), (c), (d) and (e);
- Clause 12 – Clause 12(a), (d) and (f);
- Clause 13;
- Clause 15.1(c), (d) and (e);
- Clause 16(e);
- Clause 18 – Clause 18(a) and (b).
- Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.
Clause 4
Interpretation
- Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
- These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
- These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.
Clause 5
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 6
Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7
Docking clause
- An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.
- Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.
- The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 8
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
MODULE 2: Transfer controller to processor (when Customer is acting as controller)
8.1 Instructions
- The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.
- The data importer shall immediately inform the data exporter if it is unable to follow those instructions.
8.2 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.
8.3. Transparency
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
8.4 Accuracy
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.
8.5. Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
8.6. Security of processing
- The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
- The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
- The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.
8.7. Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter ‘sensitive data’), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.
8.8. Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
(i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in question;
(iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
8.9. Documentation and compliance
- The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.
- The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.
- The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of noncompliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.
- The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
- The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.
MODULE 3: Transfer processor to processor (when Customer is acting as a processor)
8.10 Instructions
- The data exporter has informed the data importer that it acts as processor under the instructions of its controller(s), which the data exporter shall make available to the data importer prior to processing.
- The data importer shall process the personal data only on documented instructions from the controller, as communicated to the data importer by the data exporter, and any additional documented instructions from the data exporter. Such additional instructions shall not conflict with the instructions from the controller. The controller or data exporter may give further documented instructions regarding the data processing throughout the duration of the contract.
- The data importer shall immediately inform the data exporter if it is unable to follow those instructions. Where the data importer is unable to follow the instructions from the controller, the data exporter shall immediately notify the controller.
- The data exporter warrants that it has imposed the same data protection obligations on the data importer as set out in the contract or other legal act under Union or Member State law between the controller and the data exporter.
8.12 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B., unless on further instructions from the controller, as communicated to the data importer by the data exporter, or from the data exporter.
8.13 Transparency
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including personal data, the data exporter may redact part of the text of the Appendix prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information.
8.14 Accuracy
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to rectify or erase the data.
8.15 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the controller and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
8.16 Security of processing
- The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subject. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter or the controller. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
- The data importer shall grant access to the data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify, without undue delay, the data exporter and, where appropriate and feasible, the controller after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the data breach, including measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
- The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify its controller so that the latter may in turn notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.
8.17 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards set out in Annex I.B.
8.18 Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the controller, as communicated to the data importer by the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
- the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
- the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679;
- the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
- the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
8.19 Documentation and compliance
- The data importer shall promptly and adequately deal with enquiries from the data exporter or the controller that relate to the processing under these Clauses.
- The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the controller.
- The data importer shall make all information necessary to demonstrate compliance with the obligations set out in these Clauses available to the data exporter, which shall provide it to the controller.
- The data importer shall allow for and contribute to audits by the data exporter of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of noncompliance. The same shall apply where the data exporter requests an audit on instructions of the controller. In deciding on an audit, the data exporter may take into account relevant certifications held by the data importer.
- Where the audit is carried out on the instructions of the controller, the data exporter shall make the results available to the controller.
- The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
- The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.
Clause 9
Use of sub-processors
MODULE 2: Transfer controller to processor (when Customer is acting as controller)
- The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 30 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
- Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
- The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
- The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.
- The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.
MODULE 3: Transfer processor to processor (when Customer is acting as a processor)
- The data importer has the controller’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the controller in writing of any intended changes to that list through the addition or replacement of sub-processors at least 20 days in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the controller with the information necessary to enable the controller to exercise its right to object. The data importer shall inform the data exporter of the engagement of the sub-processor(s).
- Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the controller), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.18. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
- The data importer shall provide, at the data exporter’s or controller’s request, a copy of such a sub-processor agreement and any subsequent amendments. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
- The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.
- The data importer shall agree a third-party beneficiary clause with the sub-processor whereby - in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent - the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.
Clause 10
Data subject rights
MODULE 2: Transfer controller to processor (when Customer is acting as controller)
- The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.
- The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
- In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.
MODULE 3: Transfer processor to processor (when Customer is acting as a processor)
- The data importer shall promptly notify the data exporter and, where appropriate, the controller of any request it has received from a data subject, without responding to that request unless it has been authorised to do so by the controller.
- The data importer shall assist, where appropriate in cooperation with the data exporter, the controller in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
- In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the controller, as communicated by the data exporter.
Clause 11
Redress
- The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
- In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
- Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
  - lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
  - refer the dispute to the competent courts within the meaning of Clause 18.
- The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
- The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
- The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.
Clause 12
Liability
- Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
- The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
- Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.
- The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
- Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
- The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.
- The data importer may not invoke the conduct of a sub-processor to avoid its own liability.
Clause 13
Supervision
- Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority. Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority. Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
- The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.
SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Clause 14
Local laws and practices affecting compliance with the Clauses
- The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
- The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
  - the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
  - the laws and practices of the third country of destination – including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
  - any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
- The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
- The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
MODULE 2: Transfer controller to processor (when Customer is acting as controller)
- The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).
- Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.
MODULE 3: Transfer processor to processor (when Customer is acting as a processor)
- The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a). The data exporter shall forward the notification to the controller.
- Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation, if appropriate in consultation with the controller. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the controller or the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.
Clause 15
Obligations of the data importer in case of access by public authorities
MODULE 2: Transfer controller to processor (when Customer is acting as controller)
15.1 Notification
- The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary, with the help of the data exporter) if it:
  - receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
  - becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
- If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
- Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).
- The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
- Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.
15.2 Review of legality and data minimisation
- The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
- The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.
- The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
MODULE 3: Transfer processor to processor (when Customer is acting as a processor)
15.1 Notification
- The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary, with the help of the data exporter) if it:
- receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
- becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer. The data exporter shall forward the notification to the controller.
- If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
- Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.). The data exporter shall forward the information to the controller.
- The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
- Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.
15.2 Review of legality and data minimisation
- The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
- The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request. The data exporter shall make the assessment available to the controller.
- The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
SECTION IV – FINAL PROVISIONS
Clause 16
Non-compliance with the Clauses and termination
- The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
- In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
- The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
- the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
- the data importer is in substantial or persistent breach of these Clauses; or
- the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
MODULE 2: Transfer controller to processor (when Customer is acting as controller)
In these cases, it shall inform the competent supervisory authority of such noncompliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
MODULE 3: Transfer processor to processor (when Customer is acting as a processor)
In these cases, it shall inform the competent supervisory authority and the controller of such noncompliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
- Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
- Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.
Clause 17
Governing law
These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be the law of Latvia.
Clause 18
Choice of forum and jurisdiction
- Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.
- The Parties agree that those shall be the courts of Latvia.
- A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
- The Parties agree to submit themselves to the jurisdiction of such courts.
ANNEX I
A. LIST OF PARTIES
- Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
Name: Customer as provided in the Agreement.
Address: As provided in the Agreement.
Contact person’s name, position and contact details: As provided in the Agreement.
Activities relevant to the data transferred under these Clauses: The activities specified in Appendix 1 of the Addendum.
Role (controller/processor): Where the Customer determines the purposes and means of the Processing of Personal Data, its role is a Controller; where the Customer acts on behalf of and under the instructions of a Controller, its role is a Processor.
- Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]
Name: Trace Space, Inc.
Address: 111 NE 1st St, Suite 88511, 8th Floor, Miami, FL 33132, USA
Contact person’s name, position and contact details: Karlis Broders, CTO
Activities relevant to the data transferred under these Clauses: Fulfilment of data importer’s obligations with respect to the provision of the Services to data exporter under the Agreement. The activities specified in Appendix 1 of the Addendum.
Role (controller/processor): processor
B. DESCRIPTION OF TRANSFER
For Customer’s Self-Hosted deployment, this Annex I.B describes only the limited transfers of Customer Personal Data to Trace.Space that occur in the circumstances set out in Section 2.1(b) of the Addendum.
- Categories of data subjects whose personal data is transferred
For the Self-Hosted Software, the categories of Data Subjects whose Personal Data may be transferred to the data importer are limited to:
- Customer’s Authorised Users, including officers, employees, and contractors; and
- third parties that have or may have a commercial relationship with Customer, such as translators, editors, or project collaborators, but only to the extent their Personal Data is explicitly provided to Trace.Space by Customer in the limited circumstances described in the Addendum.
For the avoidance of doubt, Personal Data residing solely within Customer’s Self-Hosted environment and not explicitly transmitted to Trace.Space is not part of the transfer described in these Clauses.
- Categories of personal data transferred
For the Self-Hosted Software, the categories of Personal Data that may be transferred to the data importer are limited to Personal Data explicitly provided by Customer in connection with authorised support, troubleshooting, maintenance, diagnostics, security response, or license verification, and may include:
- email address, full name, and IP address of Authorised Users;
- Customer’s legal name and registered address (for legal entities);
- position or role of Authorised Users within Customer’s organisation; and
- phone number of Customer’s representatives.
Where Customer makes payments or conducts payment transactions through a third-party payment processor integrated with Trace.Space, Trace.Space may receive the following limited transaction information:
- cardholder name and email address;
- unique customer identifier and order ID;
- partial payment card details (last four digits and card type) or limited bank account details;
- card expiration date; and
- date, time, total amount, and location of transaction.
The specific payment information received depends on the payment method selected by Customer.
For the avoidance of doubt, telemetry and diagnostics data for the Self-Hosted Software are not intended to include Customer Personal Data and shall not include names, email addresses, IP addresses, account identifiers, content, prompts, support files, or other data reasonably capable of identifying Customer, its personnel, or any Data Subject.
- Trace.Space does not knowingly process special categories of Personal Data as defined under Article 9 of the GDPR, or data relating to criminal convictions and offences, in connection with the processing activities described in the Addendum. Customer is prohibited from submitting such data to Trace.Space without a separate prior written agreement.
If any such data is inadvertently transferred, Trace.Space shall process it only to the extent strictly necessary to resolve the applicable support, troubleshooting, maintenance, diagnostics, security response, or legal-compliance issue, shall apply heightened confidentiality and access restrictions, and shall delete or return such data promptly in accordance with the Addendum.
- For the Self-Hosted Software, transfers of Customer Personal Data to Trace.Space are expected to occur on a limited and occasional basis only, depending on Customer’s use of authorised support, troubleshooting, maintenance, diagnostics, security response, or license verification. Personal Data is not transferred to Trace.Space on a continuous basis as part of the ordinary operation of the Self-Hosted Software.
- For the Self-Hosted Software, the nature of the processing is limited to the following activities, to the extent strictly necessary for the authorised purpose for which the Personal Data was provided:
- limited collection;
- transmission;
- consultation;
- retrieval;
- use;
- restriction;
- return; and
- deletion.
For the avoidance of doubt, the nature of processing for the Self-Hosted Software does not include routine hosting, storage, migration, dissemination, alignment or combination, or other broad platform-side processing operations, except to the extent strictly necessary in the limited circumstances set out in Section 2.1(b) of the Addendum.
- Purpose(s) of the data transfer and further processing
For the Self-Hosted Software, processing of Customer Personal Data is necessary only for the following purposes:
(i) to provide authorised support, troubleshooting, maintenance, diagnostics, and security response requested or approved by Customer;
(ii) to perform license verification to the extent any Personal Data is necessarily transmitted as part of that mechanism; and
(iii) to comply with disclosures required by applicable law in accordance with the Agreement.
For the avoidance of doubt, Customer Personal Data transferred in connection with the Self-Hosted Software shall not be processed for hosted-service delivery, team/workspace identification, product development, analytics, marketing, or other independent business purposes.
- For the Self-Hosted Software, the data importer will process Customer Personal Data only for the duration of the relevant authorised support, troubleshooting, maintenance, diagnostics, security response, or license verification activity, and thereafter only for such additional period as may be required under the Agreement and the Addendum, including any limited retention period required by applicable law. Where Customer Personal Data is retained following expiration or termination of the Agreement, such retention shall be subject to Section 11 of the Addendum.
- For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing.
The subject matter, nature, and duration of any such Sub-Processor processing shall be limited to the specific authorised support, troubleshooting, maintenance, diagnostics, security response, or license verification activity for which the Customer Personal Data was transferred.
For the avoidance of doubt, no Sub-Processor may receive Customer Personal Data from the Self-Hosted Software in the ordinary course of operation, and any such transfer must remain subject to the restrictions and approval rights set out in the Addendum.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
The data exporter’s competent supervisory authority will be determined in accordance with the GDPR.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Trace.Space maintains a comprehensive information security programme aligned with SOC 2 Type II and ISO 27001 standards. Trace.Space undergoes annual third-party audits and penetration testing to verify the effectiveness of its controls. Trace.Space shall maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Customer Personal Data. Trace.Space regularly monitors compliance with these safeguards. Trace.Space will not materially decrease the overall security of the Service during a term of an Agreement. Technical and Organisational measures of Trace.Space include the following:
- Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing;
- Measures for user identification and authorization;
- Measures for the protection of data during transmission;
- Measures for the protection of data during storage;
- Measures for ensuring events logging and log analysis;
- Measures for ensuring secure system configuration;
- Measures for internal IT and IT security governance and management;
- Measures for certification/assurance of processes and products;
- Measures for ensuring data minimization;
- Measures for ensuring data quality;
- Measures for ensuring limited data retention;
- Measures for ensuring accountability;
- Measures for allowing data portability and ensuring erasure.