
Data Processing Agreement

Please review this agreement on the processing of personal data in WiseOx.

This Data Processing Agreement including its attached schedules (“DPA”) sets forth the terms and conditions relating to Processing of Personal Data through the WiseOx AI platform and services by Bacon AI Inc. (“WiseOx”) in the course of Customer’s use or receipt of the Services pursuant to the Terms of Service (the “Agreement” which includes this DPA and all schedules hereto, and all schedules, attachments, and addenda to the Agreement) between WiseOx and you as a customer (referred to herein as “you” or “Customer”). The parties agree to comply with the terms and conditions in this DPA in connection with such Processing of Personal Data. All capitalized terms not defined herein have the same meaning set forth in the Agreement. 

BY EXECUTING THE AGREEMENT, THE PARTIES ALSO EXECUTE THIS DPA. 

For the avoidance of doubt, Customer’s agreement to this DPA via execution of the Agreement shall be deemed to constitute signature and acceptance of the main body of this DPA, Schedule 1: EU SCCs, Schedule 2: Description of Processing, and Schedule 3: International Transfer Addendum. This DPA shall not replace any comparable or additional rights relating to the Processing of Personal Data contained in the Agreement (including any existing data processing addendum to the Agreement). 

1. DATA PROCESSING TERMS

  1. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control” for purposes of this definition, means direct or indirect ownership or control of more than fifty percent (50%) of the voting interests of the subject entity.
  2. “Authorized Affiliate” means any of Customer’s Affiliate(s) which (i) is subject to Data Protection Laws and (ii) is permitted to use the Services pursuant to the Agreement but has not executed its own contract with WiseOx and is not “Customer” as defined under the Agreement.
  3. “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations.
  4. “Controller” means the entity that determines the means and purposes of the Processing of Personal Data.
  5. “Customer Data” means electronic data and information submitted by or for Customer to the Services.
  6. “Data Incident” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data (including Personal Data, transmitted, stored, or otherwise) Processed by WiseOx or its Sub-processors.
  7. “Data Protection Laws” means all Laws applicable to the Processing of Personal Data under the Agreement, including without limitation CCPA and other Laws of the United States and its states, the GDPR and other European Data Protection Laws, each as amended from time to time.
  8. “Data Subject” means the identified or identifiable person to whom Personal Data relates.
  9. “Europe” means the European Union, the European Economic Area, Switzerland, and the United Kingdom.
  10. “European Data Protection Laws” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC together with any subordinate legislation or implementing regulation (“GDPR”), the laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including without limitation the Data Protection Act 2018 (“UK Data Protection Laws”) and other applicable data protection Laws of the European Union, the European Economic Area and their member states, Switzerland, and the United Kingdom, each as amended from time to time.
  11. “Personal Data” or “Personal Information” means any information contained in Customer Data that is protected under applicable Data Protection Laws, such as information describing or relating to: (i) an identified or identifiable natural person or household or (ii) an identified or identifiable legal entity (where such information is protected as personal data or personally identifiable information under applicable Data Protection Laws).
  12. “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  13. “Processor” means the Party which Processes Personal Data on behalf of the Controller, including as applicable any “Service Provider” as that term is defined by the CCPA.
  14. “Security Measures” means the technical and organizational measures employed by WiseOx to secure Personal Data on the Services and as described in Section 9 of Schedule 2.
  15. “Standard Contractual Clauses” or “SCCs” means Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
  16. “Sub-processor” means a Processor engaged by WiseOx to Process Personal Data contained in Customer Data.
  17. “Supervisory Authority” means an independent public authority that is established pursuant to the GDPR or UK Data Protection Laws.
  18. “U.S. Data Protection Laws” means the federal and state laws of the United States governing consumer privacy and data protection, including without limitation the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations (“CCPA”) and consumer privacy and data protection law of Connecticut, Colorado, Iowa, Nevada, Oregon, Tennessee, Texas, Virginia, and other states as enacted or amended from time to time.
  19. “U.S. Personal Information” means Personal Information that is subject to the protection of one or more U.S. Data Protection Laws.

2. PROCESSING PERSONAL DATA

  1. Roles of the Parties. This DPA applies where and to the extent that Customer discloses Personal Data to WiseOx pursuant to the Agreement. The parties acknowledge and agree that (i) with regard to the Processing of Personal Data, Customer is the Controller and WiseOx is the Processor and (ii) WiseOx will engage Sub-processors pursuant to the requirements of Section 5 “Sub-Processors” herein.
  2. Duration. WiseOx shall process Personal Data throughout the term of the Agreement or any renewal term thereof. Upon termination of the Agreement by either Party, WiseOx shall cease processing Personal Data on Customer’s behalf upon completion of the termination provisions described herein. 
  3. Nature, Purpose, and Subject-Matter of the Processing. WiseOx shall only Process Customer Data as Instructed (defined in Section 2.5) by Customer and only for the purpose of providing the Services to Customer pursuant to the Agreement. The nature, purpose, and subject matter of WiseOx’s Processing of Personal Data as Customer’s Processor is described in and governed by the Agreement and as further specified in Schedule 2 to this DPA. All Processing of Personal Data via the Services is determined solely by Customer and according to Customer’s privacy practices. 
  4. Customer Processing of Personal Data. Customer shall Process Personal Data in accordance with the requirements of all applicable Data Protection Laws, including without limitation requirements to provide notice to Data Subjects of the use of WiseOx as Processor. Customer represents and warrants that Customer has established a lawful basis to Process Personal Data, Customer’s use of the Services will not violate the rights of any Data Subject, and Customer has the right to transfer, or provide access to, the Personal Data to WiseOx for Processing under the terms of the Agreement. Customer shall have sole responsibility for (i) the accuracy, quality, and legality of Personal Data, (ii) the means by which Customer acquired Personal Data, and (iii) the lawful basis and mechanisms of transferring Personal Data to WiseOx. Customer shall inform WiseOx without undue delay if Customer is not able to comply with Customer’s obligations under this DPA or any applicable Data Protection Laws. For the avoidance of doubt, WiseOx is not responsible for compliance with any Data Protection Laws applicable to Customer or Customer’s industry that are not generally applicable to WiseOx.
  5. Instructions. WiseOx shall Process, retain, use, store, or disclose Personal Data only according to written, documented, and lawful instructions issued by Customer to WiseOx for the purpose of providing the Services to Customer pursuant to the Agreement (“Instructions”). The parties agree that the Agreement, together with Customer’s selections, configurations, customizations, and use of the Services under the Agreement and other written Instructions from Customer to WiseOx, shall constitute Customer’s complete and final Instructions to WiseOx concerning the Processing of Personal Data. Customer may modify, amend, add, or replace individual Instructions in writing (“Additional Instructions”) to WiseOx via email. Additional Instructions must be consistent with the Agreement. If WiseOx determines that Additional Instructions are outside the scope of the Agreement, WiseOx may charge additional fees and/or require a written agreement between WiseOx and Customer to perform such Additional Instructions. WiseOx shall inform Customer without delay if, in WiseOx’s opinion, an Instruction violates applicable Data Protection Laws or WiseOx is unable to follow an Instruction. Where necessary as determined by WiseOx, WiseOx may cease all Processing without liability until Customer issues new Instructions with which WiseOx can comply. Notwithstanding any provision to the contrary, Customer is solely responsible for the legality, outcome, and results of any and all Instructions and WiseOx shall have no liability whatsoever related to its performance of the Agreement according to any Customer Instructions.
  6. WiseOx Processing of Personal Data. Customer hereby appoints WiseOx to Process the Personal Data on Customer’s behalf as necessary for WiseOx to provide the Services under the Agreement. WiseOx shall treat Personal Data as Confidential Information. If WiseOx is required by applicable law to disclose Personal Data for a purpose unrelated to the Agreement, WiseOx will first inform Customer of the legal requirement and give Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice. Notwithstanding the foregoing, WiseOx shall have the right to (i) collect and use Personal Data to investigate a use of the Services that is unlawful or violates the Agreement, provide, and develop the Services, respond to legal actions, or for administrative purposes such as accounting and compliance and (ii) use any data in an anonymized format for WiseOx’s internal purposes. 

3. RIGHTS OF DATA SUBJECTS

WiseOx shall, to the extent legally permitted, promptly notify Customer if WiseOx receives a request from a Data Subject to exercise the Data Subject's right under applicable Data Protection Laws relating to Personal Data (each a “Data Subject Request”). Taking into account the nature of the Processing, if Customer is unable to independently address a Data Subject Request, WiseOx will assist Customer by appropriate technical and organizational measures insofar as this is possible and to the extent WiseOx is legally permitted to do so, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws. Customer shall be legally responsible for responding to any such Data Subject Requests or communications involving Personal Data and for all costs associated with the same. 

4. WISEOX PERSONNEL

WiseOx shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. WiseOx shall ensure that such confidentiality obligations survive the termination of the personnel engagement. WiseOx shall take commercially reasonable steps to ensure the reliability of any WiseOx personnel engaged in the processing of Personal Data. WiseOx shall ensure that WiseOx's access to Personal Data is limited to those personnel who are necessary to provide the Services. 

5. SUB-PROCESSORS

  1. Appointment of Sub-processors. WiseOx shall make available to Customer the current list of Sub-processors for the applicable Service(s) (“Sub-Processor List”) upon Customer’s written request. Customer generally authorizes WiseOx to engage Sub-Processors for the provision of the Services and Customer acknowledges and agrees that (i) WiseOx’s Affiliates may be retained as Sub-processors and (ii) WiseOx and WiseOx’s Affiliates respectively may engage third-party Sub-Processors in connection with the provision of the Services to Customer. WiseOx or a WiseOx Affiliate has entered into a written agreement with each Sub-Processor containing data protection obligations not less protective than those in this DPA with respect to the protection of Personal Data to the extent applicable to the nature of the Services provided by such Sub-Processor. WiseOx shall be liable for the acts and omissions of its Sub-Processors to the same extent WiseOx would be liable if performing the Services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
  2. Objection Right for New Sub-processors. If Customer is entitled to notice and an opportunity to object to new Sub-Processors under applicable Data Protection Laws, (i) upon request by Customer to be so notified, WiseOx shall notify Customer of new Sub-Processors and (ii) Customer may object to WiseOx’s use of a new Sub-Processor by notifying WiseOx promptly in writing within ten (10) business days after receipt of WiseOx’s notice thereof. In the event Customer objects to a new Sub-Processor under Section 5.2(ii), WiseOx will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-Processor without unreasonably burdening Customer. If WiseOx is unable to make available such change within thirty (30) days, Customer may terminate the Agreement.

6. SECURITY

  1. Controls for the Protection of Personal Data. WiseOx shall maintain appropriate technical and organizational measures to protect the security, confidentiality, and integrity of Personal Data as detailed in Section 9 of Schedule 2. In doing so, WiseOx shall take into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Customer is solely responsible for (i) reviewing and determining whether the Services meet Customer’s security standards and support Customer’s obligations under Data Protection Laws and (ii) the secure use of WiseOx’s Services by Customer or any individual Customer provides with access to the Services or any AI Mascot (each a “User”), including but not limited to securing account authentication information and ensuring no User seeks to misuse Personal Data or engages in activities likely to give rise to a Data Incident.
  2. Audits. Upon reasonable written request from Customer, WiseOx will make available to Customer applicable reports and summaries from WiseOx’s most recent inspection or audit to assess compliance with this DPA, where required by applicable law (“Audit Report”). The Audit Report will be WiseOx’s Confidential Information subject to non-disclosure and distribution limitations. If and to the extent the Audit Report is not sufficient to meet Customer’s demonstration of compliance obligations under applicable Data Protection Laws, WiseOx will promptly respond to Customer’s additional Instructions to participate in an audit of WiseOx’s records and systems directly relating to Customer’s receipt of the Services (“Audit”). Audits shall be conducted: (i) acting reasonably, in good faith, and in a proportional manner, taking into account the nature and complexity of the Services used by Customer; (ii) up to one time per year with at least three weeks’ advance written notice and at Customer’s sole expense; and (iii) during WiseOx’s normal business hours, under reasonable duration and shall not unreasonably interfere with WiseOx’s day-to-day operations. If an emergency justifies a shorter notice period, WiseOx will use good faith efforts to accommodate the Audit request. Before any Audit commences, Customer and WiseOx shall mutually agree upon the scope, timing, and duration of the audit and the reimbursement rate for which Customer shall be responsible.
  3. Data Protection Impact Assessment. Upon Customer’s written request, WiseOx shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligations under Data Protection Laws to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to WiseOx.

7. DATA INCIDENT MANAGEMENT AND NOTIFICATION 

WiseOx shall notify Customer without undue delay after becoming aware of a Data Incident occurring on WiseOx’s or its Sub-Processor’s information system. WiseOx shall make reasonable efforts to identify the cause of such Data Incident and take such steps as WiseOx deems necessary and reasonable to remediate the cause of such a Data Incident to the extent the remediation is within WiseOx's reasonable control. At Customer’s reasonable request, and to the extent WiseOx is required to do so under applicable Data Protection Laws, WiseOx will promptly provide Customer with commercially reasonable assistance as necessary to enable Customer to meet Customer’s obligations under applicable Data Protection Laws to notify authorities and/or affected Data Subjects. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s Users.

8. GOVERNMENT ACCESS REQUESTS 

If WiseOx receives a legally binding request from a Public Authority to access Personal Data that WiseOx Processes on Customer’s behalf, WiseOx shall, unless otherwise legally prohibited, promptly notify Customer including a summary of the nature of the request. To the extent WiseOx is prohibited by law from providing such notification, WiseOx shall use commercially reasonable efforts to obtain a waiver of the prohibition to enable WiseOx to communicate as much information as possible, as soon as possible. Further, WiseOx shall challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful. WiseOx shall pursue possibilities of appeal. When challenging a request, WiseOx shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the Personal Data requested until required to do so under the applicable procedural rules. WiseOx agrees it will provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request. WiseOx shall promptly notify Customer if WiseOx becomes aware of any direct access by a Public Authority to Customer Data and provide information available to WiseOx in this respect, to the extent permitted by law. For the avoidance of doubt, this DPA shall not require WiseOx to pursue action or inaction that could result in civil or criminal penalty for WiseOx such as contempt of court. WiseOx shall ensure that Sub-processors involved in the Processing of Personal Data are subject to the relevant commitments regarding Government Access Requests in the Standard Contractual Clauses.

9. RETURN OR DELETION OF PERSONAL DATA 

WiseOx will return, destroy, or render anonymous all Personal Data in accordance with Customer’s reasonable written Instructions submitted to WiseOx within 30 days of termination or expiration of the Agreement or as otherwise instructed by Customer. The requirements of this Section 9 do not apply to the extent that WiseOx is required by applicable law to retain any Customer Data, or to Customer Data that is archived on backup systems, which data WiseOx shall securely isolate and protect from any further Processing and delete following WiseOx’s deletion practices.

10. AUTHORIZED AFFILIATES

  1. Contractual Relationship. The parties acknowledge and agree that, by executing the Agreement, Customer enters into the DPA on behalf of Customer and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between WiseOx and each such Authorized Affiliate subject to the provisions of the Agreement and this Section 10 and Section 11. Each Authorized Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the avoidance of doubt, an Authorized Affiliate is not and does not become a party to the Agreement and is only a party to the DPA. All access to and use of the Services by Authorized Affiliates must comply with the terms and conditions of the Agreement and any violation of the terms and conditions of the Agreement by an Authorized Affiliate shall be deemed a violation by Customer.
  2. Communication. Customer, as the contracting party to the Agreement, shall remain responsible for coordinating all communication with WiseOx under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.
  3. Rights of Authorized Affiliates. Where an Authorized Affiliate becomes a party to the DPA with WiseOx, it shall to the extent required under applicable Data Protection Laws be entitled to exercise the rights and seek remedies under this DPA, subject to the following:
    1. Except where applicable Data Protection Laws require the Authorized Affiliate to exercise a right or seek any remedy under this DPA against WiseOx directly by itself, the parties agree that (i) solely Customer as the contracting party to the Agreement shall exercise any such right or seek any such remedy on behalf of the Authorized Affiliate, and (ii) Customer as the contracting party to the Agreement shall exercise any such rights under this DPA, not separately for each Authorized Affiliate individually, but in a combined manner for itself and all of its Authorized Affiliates together (as set forth, for example, in Section 10.3.2, below).
    2. The parties agree that Customer as the contracting party to the Agreement shall, when carrying out an On-Site Audit of the procedures relevant to the protection of Personal Data, take all reasonable measures to limit any impact on WiseOx and its Sub-Processors by combining, to the extent reasonably possible, several audit requests carried out on behalf of itself and all of its Authorized Affiliates in one single audit.

11. LIMITATION OF LIABILITY

Except as specifically provided in the Standard Contractual Clauses applicable to this DPA, all activities under this DPA are subject to the applicable limitations of liability set forth in the Agreement. For the avoidance of doubt, WiseOx’s and its Affiliates’ total liability for all claims from Customer and all of its Authorized Affiliates arising out of or related to the Agreement and all DPAs shall apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, including by Customer and all Authorized Affiliates, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Authorized Affiliate that is a contractual party to any such DPA. Additionally, Customer agrees that any regulatory fines or penalties incurred by Customer in relation to the Customer Data that arise as a result of, or in connection with, Customer's failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall count toward and reduce WiseOx's liability under the Agreement as a liability under the Agreement. 

12. EUROPEAN PROVISIONS

  1. Definitions. This Section 12 shall apply only to the extent WiseOx Processes Personal Data subject to European Data Protection Laws as Customer’s Processor. For the purposes of this Section 12 and the Schedules attached hereto, the “Standard Contractual Clauses” or “SCCs” means Standard Contractual Clauses sections I, II, III, and IV (as applicable) to the extent they reference Module Two (Controller-to-Processor).
  2. European Data Protection Laws. WiseOx will Process Personal Data in accordance with the European Data Protection Laws requirements directly applicable to WiseOx’s provision of its Services.
  3. Transfer mechanisms for data transfers. If, in the provision of the Services, Personal Data that is subject to the GDPR or any other law relating to the protection or privacy of individuals that applies in Europe is transferred out of Europe to countries that do not ensure an adequate level of data protection within the meaning of the Data Protection Laws of Europe, the SCCs, subject to the additional terms in Section 2 of Schedule 1, shall apply to such transfers, provided that Customer and/or its Authorized Affiliate is a Controller and a data exporter of Personal Data and WiseOx is a Processor and data importer in respect of that Personal Data. In such case, the SCCs can be directly enforced by the Parties to the extent such transfers are subject to the European Data Protection Laws. 
  4. Impact of local laws. If WiseOx reasonably believes that any existing or future enacted or enforceable laws and practices in the third country of destination applicable to its Processing of the Personal Data (“Local Laws”) prevent it from fulfilling its obligations under this DPA, it shall (i) promptly notify Customer and (ii) use reasonable efforts to make available to Customer a change in the Services to facilitate compliance with Local Laws without unreasonably burdening Customer. If WiseOx is unable to make available such change promptly, Customer may terminate the applicable SOW and suspend the transfer of Personal Data in respect only to those Services which cannot be provided by WiseOx in compliance with the Local Laws by providing written notice to WiseOx as required under the Agreement. 

13. UNITED STATES PROVISIONS

  1. Definitions. This Section 12 shall apply only to the extent WiseOx Processes U.S. Personal Information on Customer’s behalf. For the purposes of this Section 12, these terms shall be defined as follows: (a) “Business”, “Service Provider”, “Sell”, and “Share” shall have the meanings given to them in the CCPA or other applicable U.S. Data Protection Laws; (b) “Controller” is replaced with “Business” wherever those terms appear in Sections 2 through 10 and Sections 13 and 14 of this DPA; and (c) “Processor” is replaced with “Service Provider” wherever those terms appear in Sections 2 through 11 of this DPA.
  2. Responsibilities. The Parties agree that WiseOx will Process U.S. Personal Information as Customer’s Service Provider in accordance with applicable U.S. Data Protection Laws and strictly for the business purpose of performing the Service under the Agreement. WiseOx shall not (i) Sell U.S. Personal Information; (ii) Share U.S. Personal Information with third Parties for cross-contextual behavioral advertising purposes; (iii) retain, use, or disclose U.S. Personal Information for a commercial purpose other than for such business purpose or as otherwise permitted by U.S. Data Protection Laws; or (iv) retain, use, or disclose U.S. Personal Information outside of the direct business relationship between Customer and WiseOx. WiseOx certifies that it understands and will comply with the restrictions of this Section 13.2.
  3. No Sale Between Parties. The Parties agree that Customer does not sell U.S. Personal Information to WiseOx because, as a Service Provider, WiseOx may only use U.S. Personal Information for the purposes of providing the Services to Customer.  

14. GENERAL

If and to the extent language in this DPA conflicts with the Agreement, this DPA shall control concerning the subject matter herein. This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement unless otherwise required by applicable Data Protection Laws. This DPA and the schedules hereto will automatically terminate upon expiration or termination of the Agreement.

 

SCHEDULE 1

TRANSFER MECHANISMS FOR EUROPEAN DATA TRANSFERS

1. STANDARD CONTRACTUAL CLAUSES OPERATIVE PROVISIONS AND ADDITIONAL TERMS

For the purposes of the SCCs (as defined in Section 12 of the DPA), Customer is the data exporter and WiseOx is the data importer and the Parties agree to the following. If and to the extent an Authorized Affiliate relies on the SCCs for the transfer of Personal Data, any references to “Customer” in this Schedule include such Authorized Affiliate. Where this Schedule 1 does not explicitly mention SCCs, it applies to them.

1. Reference to the Standard Contractual Clauses. The relevant provisions contained in the Standard Contractual Clauses are incorporated by reference and are an integral part of this DPA. The information required for the purposes of the Appendix to the Standard Contractual Clauses is set out in Schedule 2.

2. Docking clause. The option under clause 7 shall not apply.

3. Certification of Deletion. The parties agree that the certification of deletion of Personal Data that is described in clause 8.5 and 16(d) of the Standard Contractual Clauses shall be provided by WiseOx to Customer only upon Customer’s written request.

4. Instructions. This DPA and the Agreement are Customer’s complete and final documented instructions at the time of signature of the Agreement to WiseOx for the Processing of Personal Data. Any additional or alternate instructions must be consistent with the terms of this DPA and the Agreement. For the purposes of clause 8.1(a), the instructions by Customer to Process Personal Data are set out in Section 2 of this DPA and include onward transfers to a third party located outside Europe for the provision of the Services. 

5. Security of Processing. For the purposes of clause 8.6(a), Customer is solely responsible for making an independent determination as to whether the technical and organisational measures set forth in Section 9 of Schedule 2 meet Customer’s security requirements and Customer agrees that (taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the Processing of its Personal Data as well as the risks to individuals) the security measures and policies implemented and maintained by WiseOx provide a level of security appropriate to the risk with respect to its Personal Data. For the purposes of clause 8.6(c), personal data breaches will be handled in accordance with Section 7 of this DPA.

6. Audits of the SCCs. The parties agree that the audits described in clause 8.9 of the Standard Contractual Clauses shall be carried out in accordance with Section 6.2 of this DPA.

7. General authorisation for use of Sub-processors. Option 2 under clause 9 shall apply. For the purposes of clause 9(a), WiseOx has Customer’s general authorisation to engage Sub-processors in accordance with Section 5 of this DPA. WiseOx shall make available to Customer the current list of Sub-processors in accordance with Section 5 of this DPA. Where WiseOx enters into the processor-to-processor transfer clauses with a Sub-Processor in connection with the provision of the Services, Customer grants WiseOx and WiseOx’s Affiliates authority to provide a general authorisation on Controller's behalf for the engagement of sub-processors by Sub-processors engaged in the provision of the Services, as well as decision making and approval authority for the addition or replacement of any such Sub-Processors.

8. Notification of New Sub-Processors and Objection Right for new Sub-Processors. Pursuant to clause 9(a), Customer acknowledges and expressly agrees that WiseOx may engage new Sub-Processors as described in Section 5 of the DPA. WiseOx shall inform Customer of any changes to Sub-Processors according to the terms of Section 5 of the DPA.

9. Complaints - Redress. For the purposes of clause 11, and subject to Section 3 of this DPA, WiseOx shall inform data subjects on its website of a contact point authorised to handle complaints. WiseOx shall inform Customer if it receives a complaint by, or a dispute from, a Data Subject with respect to Personal Data and shall without undue delay communicate the complaint or dispute to Customer. WiseOx shall not otherwise have any obligation to handle the request (unless otherwise agreed with Customer). The option under clause 11 shall not apply.

10. Liability. WiseOx’s liability under clause 12(b) shall be limited to actual and proven damage caused by WiseOx’s Processing of Personal Data on Customer’s behalf as a Processor where WiseOx has not complied with its obligations under the GDPR specifically directed to Processors, or where WiseOx has acted outside of or contrary to Customer’s lawful Instructions, as specified in Article 82 GDPR.

11. Supervision. Clause 13 shall apply as follows:

    1. Where Customer is established in an EU Member State, the supervisory authority with responsibility for ensuring compliance by Customer with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.
    2. Where Customer is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679, the supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as competent supervisory authority.
    3. Where Customer is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The Data Protection Commission of Ireland, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland shall act as competent supervisory authority.
    4. Where Customer is established in the United Kingdom or falls within the territorial scope of application of UK Data Protection Laws, the Information Commissioner's Office shall act as competent supervisory authority.
    5. Where Customer is established in Switzerland or falls within the territorial scope of application of Swiss Data Protection Laws, the Swiss Federal Data Protection and Information Commissioner shall act as competent supervisory authority insofar as the relevant data transfer is governed by Swiss Data Protection Laws.

12. Notification of Government Access Requests. For the purposes of clause 15.1(a), WiseOx shall notify Customer only, and not the Data Subject(s), in case of government access requests. Customer shall be solely responsible for promptly notifying the Data Subject as necessary.

13. Governing Law. The governing law for the purposes of clause 17 shall be the law that is designated in the Governing Law section of the Agreement. If the Agreement is not governed by an EU Member State law, the Standard Contractual Clauses will be governed by either (i) the laws of Ireland; or (ii) where the Agreement is governed by the laws of the United Kingdom, the laws of the United Kingdom.

14. Choice of forum and jurisdiction. The courts under clause 18 shall be those designated in the Governing Law section of the Agreement. If the Agreement does not designate an EU Member State court as having exclusive jurisdiction to resolve any dispute or lawsuit arising out of or in connection with this Agreement, the parties agree that the courts of either (i) Ireland; or (ii) where the Agreement designates the United Kingdom as having exclusive jurisdiction, the United Kingdom, shall have exclusive jurisdiction to resolve any dispute arising from the Standard Contractual Clauses. For Data Subjects habitually resident in Switzerland, the courts of Switzerland are an alternative place of jurisdiction in respect of disputes.

15. Appendix. The Appendix shall be completed as follows:

    1. The contents of section 1 of Schedule 2 shall form Annex I.A to the SCCs.
    2. The contents of sections 2 to 9 of Schedule 2 shall form Annex I.B to the SCCs.
    3. The contents of section 10 of Schedule 2 shall form Annex I.C to the SCCs.
    4. The contents of section 11 of Schedule 2 to this Exhibit shall form Annex II to the SCCs.

16. Data Exports from the United Kingdom and Switzerland under the Standard Contractual Clauses. In case of any transfers of Personal Data from the United Kingdom and/or transfers of Personal Data from Switzerland subject exclusively to the Data Protection Laws of Switzerland (“Swiss Data Protection Laws”), (i) general and specific references in the Standard Contractual Clauses to GDPR or EU or Member State Law shall have the same meaning as the equivalent reference in the UK Data Protection Laws or Swiss Data Protection Laws, as applicable; and (ii) any other obligation in the Standard Contractual Clauses determined by the Member State in which the data exporter or Data Subject is established shall refer to an obligation under UK Data Protection Laws or Swiss Data Protection Laws, as applicable. In respect of data transfers governed by Swiss Data Protection Laws, the Standard Contractual Clauses also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as Personal Data under Swiss Data Protection Laws until such laws are amended to no longer apply to a legal entity.

17. Conflict. The Standard Contractual Clauses are subject to this DPA and the additional safeguards set out hereunder. The rights and obligations afforded by the Standard Contractual Clauses will be exercised in accordance with this DPA unless stated otherwise. In the event of any conflict or inconsistency between the body of this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

 

SCHEDULE 2

DESCRIPTION OF PROCESSING/TRANSFER

1. LIST OF PARTIES

Data exporter(s): Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union

Name: Customer, as identified in Customer’s registration with WiseOx.

Address: Customer address is set forth in Customer’s registration with WiseOx.

Contact person's name, position, and contact details: Customer point of contact is set forth in Customer’s registration with WiseOx.

Activities relevant to the data transferred under these clauses: Provision of the Services as described in the Agreement.

Customer Signature: Execution of the Agreement by Customer shall constitute Customer’s signature to and execution of the DPA and this Schedule 2.

Role: Customer and/or Customer’s Authorized Affiliates are the Controller. 

Data importer(s): Identity and contact details of the data importer(s), including any contact person with responsibility for data protection

Name: Bacon AI Inc.

Address: 19466 Kemple Drive, Bend, Oregon 97702

Contact person's name, position, and contact details: Fritz Brumder, President, notices@wiseox.com

WiseOx Signature: Execution of the Agreement by WiseOx shall constitute WiseOx’s signature to and execution of the DPA and this Schedule 2.

Role: WiseOx is the Processor or, where Customer is a Processor for a Client of Customer, WiseOx is a Sub-Processor to Customer.

2. CATEGORIES OF DATA SUBJECTS WHOSE PERSONAL DATA IS TRANSFERRED

Customer may disclose, submit, or host Personal Data via the Services of Customer’s end users, customers, employees, contractors, or other data subjects as Customer chooses to permit to access or use the Services in any manner as determined solely by Customer and according to Customer’s privacy practices.

3. CATEGORIES OF PERSONAL DATA TRANSFERRED

Customer may include, or permit its Users to include, Personal Data in the data that Customer inputs, discloses, submits to, or hosts on the Services in the categories of identifiers, employment or education information, commercial information, inferences drawn from Personal Data, or any other category of Personal Data as determined solely by Customer and according to Customer’s privacy practices. 

4. SENSITIVE DATA TRANSFERRED

The parties do not anticipate the transfer of sensitive data under the Agreement. If Customer chooses to Process sensitive data via the Services, Customer does so at Customer’s own risk and with no responsibility or liability of WiseOx.

5. FREQUENCY OF THE TRANSFER

Data is transferred on a continuous basis depending on Customer’s use of the Services pursuant to the Agreement.

6. NATURE OF THE PROCESSING

The nature of the Processing is the provision of the Services to Customer pursuant to the Agreement.

7. PURPOSE OF PROCESSING, THE DATA TRANSFER AND FURTHER PROCESSING

WiseOx will Process Personal Data as necessary to provide the Services under the Agreement and as Instructed by Customer.

8. DURATION OF PROCESSING

Subject to Section 2.2 of the DPA, WiseOx will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.

9. SUB-PROCESSOR TRANSFERS

Sub-Processor(s) will Process Personal Data as necessary to provide the Services pursuant to the Agreement. Subject to section 5 of this DPA, the Sub-Processor(s) will Process Personal Data for the duration of the Agreement unless otherwise agreed in writing. Identities of the Sub-Processors used for the provision of the Services and their country of location will be provided to Customer upon written request.

10. COMPETENT SUPERVISORY AUTHORITY

  • Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.
  • Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as the competent supervisory authority.
  • Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland shall act as the competent supervisory authority.
  • Where the data exporter is established in the United Kingdom or falls within the territorial scope of application of UK Data Protection Laws, the Information Commissioner's Office shall act as the competent supervisory authority.
  • Where the data exporter is established in Switzerland or falls within the territorial scope of application of Swiss Data Protection Laws, the Swiss Federal Data Protection and Information Commissioner shall act as competent supervisory authority insofar as the relevant data transfer is governed by Swiss Data Protection Laws.

11. TECHNICAL AND ORGANISATIONAL MEASURES

WiseOx has implemented the following technical and organizational Security Measures for the Services:

1.

Physical access controls employed for preventing unauthorized persons from gaining access to data processing systems within which Personal Data is processed or used.

  • Data center is ISO 27001 certified.

  • Data center compliant with [CISPE Code of Conduct/other standard] for data protection.

2.

Admission control measures taken for preventing data processing systems from being used without authorization.

  • Multi-factor authentication.

  • Fine granular access to objects is enabled (only administrative level staff can access personal data).

  • Only authorized API-request authentication is used.

  • GCP Security Token services enabled.

3.

Virtual access control measures taken to ensure that persons entitled to use a data processing system have access only to Personal Data to which they have a right of access, and that Personal Data cannot be read, copied, modified or removed without authorizations in the course of Processing or use and after storage.

  • User authentication is based on username and strong password.  

  • All transactional records contain identifiers to distinguish client records.  

  • Data access based upon specific user and role.

  • Data access, insert, and modification are logged.

  • Cloud security and privacy standards: ISO 27001.     

4.

Transmission control measures taken to ensure that Personal Data cannot be read, copied, modified, or removed without authorization during electronic transmission or transport, and that it is possible to check and establish to which bodies the transfer of Personal Data by means of data transmission facilities is envisaged. 

  • All data are encrypted in transit using AES-256.

  • Access to reports is logged.

  • Backup media are encrypted.

  • Removable storage is not used.     

5.

Input control measures taken to ensure that it is possible to check and establish whether and by whom Personal Data have been entered into data processing systems, modified or removed.

  • Governance, auditing, and monitoring of stored Personal Data are tracked by Google Cloud Storage for uploaded documents, MongoDB Atlas Cloud to store organization and session data, and Weaviate Cloud Services for managed vector databases.

  • Record entry is restricted to a defined set of roles.

  • All entries are date/time stamped and include identifiers for the entering party.

  • Firewalls and intrusion prevention systems are in place to prevent unauthorized access.

6.

Assignment control measures employed to ensure that, in the case of commissioned Processing of Personal Data, the data are processed strictly in accordance with the instructions of the principal.

  • Confidentiality agreements in place for all individuals with data access.

  • Regular training conducted for personnel.

  • No third parties used for the processing of data other than as described in this Agreement.

     

7.

Availability control measures taken to ensure that Personal Data are protected from accidental destruction or loss.

  • Snapshots are made and stored on GCP.

8.

Separation control measures taken to ensure that Personal Data collected for different purposes can be processed separately.

  • Physical and logical data separation.

  • Discrete development, staging and production environments are maintained.

  • Personal data necessary for services and support is stored separately from marketing data.




SCHEDULE 3

INTERNATIONAL DATA TRANSFER ADDENDUM

TO THE EU COMMISSION STANDARD CONTRACTUAL CLAUSES

TO BE ISSUED BY THE COMMISSIONER UNDER S119A(1) DATA PROTECTION ACT 2018

VERSION B1.0, in force 21 March 2022

PART 1: TABLES

Table 1: Parties

Start Date: Effective Date of the Agreement

The Parties

Exporter (who sends the Restricted Transfer)

Importer (who receives the Restricted Transfer)

Parties’ Details

Bacon AI Inc.

19466 Kemple Drive, Bend, Oregon 97702

Customer name and address as registered with WiseOx. 

Key Contact

Fritz Brumder, President, notices@wiseox.com

Customer point of contact as registered with WiseOx.

Signature

By executing the DPA, WiseOx also executes all Schedules thereto.  

By executing the DPA, Customer also executes all Schedules thereto.  

 

Table 2: Selected SCCs, Modules and Selected Clauses

EU SCCs

The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information.

EU Standard Contractual Clauses sections I, II, III, and IV (as applicable) to the extent they reference Module Two (Controller-to-Processor) (the “EU SCCs”).

Clause 7 (Docking clause): The docking clause shall not apply.

Clause 11 (Option): The option under clause 11 shall not apply.

Clause 9(a) (Prior Authorisation or General Authorisation): WiseOx has Customer’s general authorisation to engage Sub-Processors in accordance with Section 5 of this DPA. Where WiseOx enters into processor-to-processor transfer clauses with a Sub-Processor in connection with the provision of the Infrastructure, Customer grants WiseOx authority to provide a general authorisation on Customer’s behalf for the engagement of sub-processors by Sub-Processors engaged in the provision of the Infrastructure, as well as decision making and approval authority for the addition or replacement of any such sub-processors.

Clause 9(a) (Time Period): WiseOx shall make available to Customer the current list of Sub-Processors in accordance with Section 5 of the DPA. WiseOx shall inform Customer of any changes to Sub-Processors as required by applicable Data Protection Laws.

Is Personal Data received from the Importer combined with Personal Data collected by the Exporter? Yes, as instructed by Customer pursuant to the Agreement.

 

Table 3: Appendix Information 

“Appendix Information” means the information that must be provided for the selected modules and which for this Addendum is set out in:

  • Annex 1A: List of Parties: See Table 1 to this Schedule 3.
  • Annex 1B: Description of Transfer: See Schedule 2, Sections 2 through 5.
  • Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: See Schedule 2, Section 9.
  • Annex III: List of Sub-Processors (Modules 2 and 3 only): See Schedule 1, Sections 7 and 8.

Table 4: Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum changes

Which Parties may end this Addendum as set out in Section 19? Neither Party except as provided in Section 2 of the DPA.

 

PART 2: MANDATORY CLAUSES

Entering into this Addendum

  1. Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.
  2. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.

Interpretation of this Addendum

  1. Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
    1. Addendum: This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs.
    2. Addendum EU SCCs: The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information.
    3. Appendix Information: As set out in Table 3.
    4. Appropriate Safeguards: The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR.
    5. Approved Addendum: The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18.
    6. Approved EU SCCs: The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
    7. ICO: The Information Commissioner.
    8. Restricted Transfer: A transfer which is covered by Chapter V of the UK GDPR.
    9. UK: The United Kingdom of Great Britain and Northern Ireland.
    10. UK Data Protection Laws: as defined in Section 1.8 of the DPA.
  2. This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfills the Parties’ obligation to provide the Appropriate Safeguards.
  3. If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.
  4. If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws apply.
  5. If the meaning of this Addendum is unclear or there is more than one meaning, the meaning that most closely aligns with UK Data Protection Laws applies.
  6. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.

Hierarchy

  1. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.
  2. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.
  3. Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.

Incorporation of and changes to the EU SCCs

  1. This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
    1. together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
    2. Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
    3. this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
  2. Unless the Parties have agreed to alternative amendments which meet the requirements of Section 11, the provisions of Section 15 will apply.
  3. No amendments to the Approved EU SCCs other than to meet the requirements of Section 11 may be made.
  4. The following amendments to the Addendum EU SCCs (for the purpose of Section 11) are made:
    1. References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;
    2. In Clause 2, delete the words: “and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
    3. Clause 6 (Description of the transfer(s)) is replaced with: “The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
    4. Clause 8.7(i) of Module 1 is replaced with: “it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
    5. Clause 8.8(i) of Modules 2 and 3 is replaced with: “the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
    6. References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
    7. References to Regulation (EU) 2018/1725 are removed;
    8. References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
    9. The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;
    10. Clause 13(a) and Part C of Annex I are not used;
    11. The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
    12. In Clause 16(e), subsection (i) is replaced with: “the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
    13. Clause 17 is replaced with: “These Clauses are governed by the laws of England and Wales.”;
    14. Clause 18 is replaced with: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
    15. The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10, and 11.
  5. Amendments to this Addendum
    1. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
    2. If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
    3. From time to time, the ICO may issue a revised Approved Addendum which: (i) makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or (ii) reflects changes to UK Data Protection Laws; and
    4. The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
  6. If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in: (a) its direct costs of performing its obligations under the Addendum; and/or (b) its risk under the Addendum, and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
  7. The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.

Alternative Part 2 Mandatory Clauses

Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.