Data Processing Agreement

Last Updated: April 16, 2025

This Data Processing Agreement (the “DPA”) is intended to supplement the Terms of Service, Order Form, or any other licensing agreement or contract (“Master Agreement”) that is entered into by and between (i) the relevant Enboarder entity as listed on the Order Form (“Enboarder”), and (ii) the other legal entity identified in the Master Agreement that accepts or agrees to this DPA (“Customer”). For purposes of this DPA, Enboarder and Customer may be referred to individually as a “party” and collectively as the “parties.”

Region  Enboarder Contracting Entity            Enboarder Address for Notices
US      Enboarder LLC                           728 Northwestern Ave., Building B, Austin, Texas 78702
APAC    Enboard.me PTY LTD (ACN 606 680 602)    PO Box Q1331, Queen Victoria Building, NSW 1230
EMEA    Enboarder Limited                       10 John St., London, WC1N 2EB

In the event of a conflict between this DPA and the Master Agreement, the terms and conditions set forth in this DPA shall supersede and control with respect to such conflict. Any capitalized term that is used, but not otherwise defined, herein shall be ascribed the meaning set forth in the Master Agreement.

This DPA reflects each party’s understanding regarding the processing of customer personal data by Enboarder for, or on behalf of, Customer. This DPA replaces and supersedes any and all previously agreed upon terms governing the processing of customer personal data.

1.             Definitions

1.1. Affiliate means any person that is directly or indirectly, through one or more intermediaries, Controlling, Controlled by, or under common Control with, one of the parties hereto. For purposes of this definition, “Control” shall mean possessing, directly or indirectly, the power to direct or cause the direction of the management, policies, and operations of a person, whether through ownership of voting securities or by contract.

1.2. California Consumer Privacy Act (“CCPA”) means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 and any other applicable amendments (codified at Cal. Civ. Code § 1798.100 et seq.), and includes any and all implementing regulations thereto.

1.3. Customer Personal Data means the Personal Data that Enboarder Processes on behalf of Customer.

1.4. Data Controller means an entity that determines the purposes and means of the Processing of Personal Data.

1.5. Data Processor means an entity that Processes Personal Data on behalf of a Data Controller.

1.6. Data Protection Law means all applicable laws, regulations or other binding rules, judicial or administrative interpretation, guidance, approved certification mechanisms or codes of practice (as amended, consolidated or re-enacted from time to time) relating to the processing of Personal Data and privacy in any relevant jurisdiction and any corresponding or supplemental state or national laws or regulations, once in force and applicable. Any reference to any laws no longer in force shall be replaced with references to any laws replacing, amending, extending, re-enacting or consolidating such law, once in force and applicable.

1.7. Data Subject means an identified or identifiable individual whose Personal Data is being Processed by Enboarder.

1.8. Documented Instructions means the Processing terms and conditions set forth in the Master Agreement, this DPA, and any applicable Order Form or mutually agreed upon statement of work or similar work order issued thereunder describing Processing responsibilities.

1.9. European Union (“EU”) Standard Contractual Clauses means standard contractual clauses adopted by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

1.10. General Data Protection Regulation (“GDPR”) means the Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC and all applicable European Union (EU) Member State legislation implementing the same.

1.11. Personal Data means any information or data that, alone or in combination with other information or data, can be used to reasonably identify a particular individual, household, or device, and is subject to, or otherwise afforded protection under, an applicable Data Protection Law.

1.12. Process, Processing, or Processes means any action performed on Customer Personal Data, including collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transfer or otherwise making available, alignment or combination, restriction, deletion, or destruction.

1.13. Security Event means any actual or reasonable degree of certainty of unauthorized access, use, loss, acquisition, exfiltration, or disclosure of unencrypted Customer Personal Data. A Security Event does not include an Unsuccessful Security Incident.

1.14. Services means products or services provided by Enboarder to Customer pursuant to the Master Agreement that involve Enboarder’s Processing of Customer Personal Data on behalf of Customer.

1.15. Subprocessor means any third-party organization engaged by Enboarder to Process Customer Personal Data on its behalf.

1.16. Subprocessor List means the list of Subprocessors providing Processing services to Enboarder, which may be amended from time to time and can be found at https://enboarder.com/legal/subprocessors/. A list of Enboarder’s Subprocessors at the time of execution of this Agreement is set forth in Annex III.

1.17. United Kingdom (“UK”) Addendum means the International Data Transfer Addendum to the EU Standard Contractual Clauses (B.1.0) issued by the UK Information Commissioner’s Office under S119A(1) Data Protection Act 2018, in force 21 March 2022, and as may be amended or replaced by the UK Information Commissioner’s Office and/or Secretary.

1.18. Unsuccessful Security Incident means an unsuccessful attempt or activity that does not compromise the security of Customer Personal Data, including (without limitation) pings and other broadcast attacks of firewalls or edge servers, port scans, unsuccessful log-on attempts, denial-of-service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents.

2.             Scope and Applicability; Ownership

2.1.         Scope; Applicability. This DPA applies where and only to the extent that Enboarder Processes Customer Personal Data for or on the behalf of Customer in the course of providing Services pursuant to the Master Agreement. Notwithstanding expiry or termination of the Master Agreement, this DPA will remain in effect until, and will automatically expire upon, deletion or return of all Customer Personal Data by Enboarder to Customer.

2.2.         Data Ownership. As between Customer and Enboarder, Customer owns the Customer Personal Data and all Customer Personal Data shall remain the property of Customer. Customer hereby grants and agrees to grant to Enboarder and its Affiliates a non-exclusive, royalty-free, worldwide, sublicensable, right and license to Process the Customer Personal Data to the extent reasonably necessary to provide, monitor, and modify the Services or as otherwise set forth herein or in the Master Agreement.

3.             Processing Details; DISCLAIMERS

3.1.         Roles and Responsibilities. For the purposes of this DPA, (i) where Customer is considered a Data Controller, then Enboarder shall be considered a Data Processor, and (ii) where Customer is considered a Data Processor, then Enboarder shall be considered a sub-Processor, provided that in either of the foregoing circumstances, Enboarder shall Process any Customer Personal Data only in accordance with the Documented Instructions, unless required to do otherwise by law. In the event Enboarder is compelled by law to Process Customer Personal Data other than in accordance with the terms and conditions set forth in the Documented Instructions, Enboarder shall notify Customer of that legal requirement prior to Processing, unless such notification is expressly prohibited by law. Additional Processing by Enboarder outside the Documented Instructions, if any, will require prior written agreement between Enboarder and Customer.

3.2.         Details of Processing. The subject matter, duration, nature, and purpose of the Processing, the types of Customer Personal Data, and the categories of Data Subjects covered by this DPA are set forth in the Master Agreement and this DPA, including Annex I, and, when necessary, supplemented in an additional Order Form, statement of work or similar work order executed between the parties. The parties agree that Customer is solely responsible for determining the types of Customer Personal Data uploaded to, and used within, the Services.

3.3.         CCPA Disclaimer. Each party acknowledges and agrees that the disclosure of Customer Personal Data to the other does not constitute, and is not the intent of either party for such disclosure to constitute, a Sale or Sharing of Customer Personal Data, and if valuable consideration, monetary or otherwise, is being provided by either party, such valuable consideration, monetary or otherwise, is being provided for the rendering of Services and not for the disclosure of Customer Personal Data. Enboarder (i) shall not collect, retain, use, or disclose Customer Personal Data for any purpose (including for any commercial purpose) other than for the specific purpose of performing the Services, unless otherwise required by law, (ii) shall not Sell or Share Customer Personal Data, except as necessary to satisfy its obligations under the Master Agreement, (iii) shall not collect, retain, use, or disclose Customer Personal Data outside the direct business relationship between Enboarder and Customer, unless expressly permitted by law, and (iv) shall, at Customer’s reasonable request, cease any unauthorized Processing of Customer Personal Data and grant Customer authorization to assess and remediate any such unauthorized Processing. This DPA is Enboarder’s certification, to the extent the CCPA or any other applicable Data Protection Law requires such a certification, that Enboarder understands and will comply with the Processing limitations with respect to Customer Personal Data that are reasonable and set forth in the Documented Instructions. The parties acknowledge and agree that the “business purpose” for which Enboarder Processes Customer Personal Data is to provide the Services as defined in the applicable Master Agreement. For purposes of this Section 3.3 only, the terms “Business,” “Service Provider,” “Personal Information,” “Sale,” and “Sell” shall have the same meaning as set forth in the CCPA (Cal. Civ. Code § 1798.140). The limitations set forth in this Section 3.3 shall not be interpreted to prevent Enboarder from complying with an applicable law, statute, regulation, or binding order of a governmental or regulatory body.

3.4. Australian Law Disclaimers. For the purposes of interpreting this DPA in the context of Australia (if applicable) and otherwise to the extent the Privacy Act 1988 (Cth) applies to the Processing of Personal Data by Enboarder: where there are direct equivalents to the concepts or definitions of “Process” and “special categories of Personal Data”, and other defined terms (including as defined in Section 1 above), those concepts or definitions shall have the meaning given to them in the Privacy Act 1988 (Cth); where there is no direct equivalent to the concepts or definitions of “Process” and “special categories of Personal Data”, and other defined terms (including as defined in Section 1 of this DPA), those terms shall be given the closest equivalent interpretation to give effect, as closely as possible, to the same substantive outcome under Privacy Act 1988 (Cth) as would be achieved under the GDPR; for the purposes of Section 8, “Security Event” includes an “eligible data breach” as that term is defined in the Privacy Act 1988 (Cth); neither Customer nor Enboarder will adopt a government related identifier as its own identifier unless permitted by the Privacy Act 1988 (Cth); and Customer must comply with its obligations in relation to Personal Data processed by Enboarder under the Master Agreement (including this DPA) and without limiting the generality of the foregoing, make all disclosures and obtain all consents necessary to allow: (i) Customer to disclose, provide or make available the Personal Data to Enboarder (and its Subprocessors) lawfully (including without breaching the Privacy Act 1988 (Cth)); (ii) Enboarder (and its Subprocessors) to collect, store, use, disclose and otherwise deal with the Personal Data in accordance with the Master Agreement (including this DPA) and the Privacy Act 1988 (Cth).

4.             CUSTOMER OBLIGATIONS

4.1. Accuracy; Compliance. Customer shall be responsible for complying with all requirements that apply to it under applicable Data Protection Law and the Documented Instructions it issues to Enboarder. Where Customer acts as a Data Controller under this DPA, then Customer is solely responsible for the accuracy, quality, and legality of Customer Personal Data; complying with all necessary transparency and lawfulness requirements under applicable Data Protection Law for the collection and use of Customer Personal Data, including obtaining any necessary consents and authorizations from Data Subjects or otherwise; and, ensuring that the Documented Instructions comply with all applicable laws, statutes, and regulations, including applicable Data Protection Law. Where Customer acts as a Data Processor under this DPA, Customer represents it has executed terms and conditions with the applicable Data Controller requiring the Data Controller to acknowledge and agree that the Data Controller is solely responsible for the accuracy, quality, and legality of Customer Personal Data; complying with all necessary transparency and lawfulness requirements under applicable Data Protection Law for the collection and use of the Customer Personal Data, including obtaining any necessary consents and authorizations from Data Subjects or otherwise; and, ensuring that the Documented Instructions comply with all applicable laws, statutes, and regulations, including applicable Data Protection Law.

4.2. Lawful Basis. Customer hereby represents to Enboarder that Customer has the legal authority and appropriate business purpose to provide Enboarder with any and all Customer Personal Data in conjunction with the Services, and when legally required, has obtained the consent from all applicable Data Subjects concerning the Processing described herein. Customer shall inform Enboarder, immediately and without undue delay (and in any event within seventy-two (72) hours), if Customer is not able to comply with its responsibilities set forth in the Documented Instructions or if the Documented Instructions violate an applicable Data Protection Law, and in either such circumstance, Enboarder shall be permitted, upon notice to Customer, to immediately terminate the Master Agreement or to cease any Processing without being in breach of the Master Agreement.

4.3. Sufficiency. Customer is solely responsible for reviewing the Services, including any available security documentation and features, to determine whether they satisfy Customer’s requirements, business needs, and legal obligations. Customer is responsible for its use of the Services, including making appropriate use of the Services to ensure a level of security appropriate to the risk with respect to Customer Personal Data, securing its account authentication credentials, protecting the security of Customer Personal Data when in transit to and from the Services, taking appropriate steps to securely encrypt and/or back up any Customer Personal Data uploaded to the Services, and properly configuring the Services and using available features and functionalities to maintain appropriate security in light of the nature of the Customer Personal Data. Enboarder has no obligation to protect Customer Personal Data that Customer transmits, stores or transfers outside of the Services (e.g., offline or on-premise storage).

4.4. Sensitive Personal Data. Unless set forth in Annex I of this DPA or otherwise agreed to in Documented Instructions, Customer shall not upload or otherwise input into the Services any of the following: (i) Sensitive Personal Data, or (ii) Personal Data that is subject to, or otherwise afforded protection under, a Data Protection Law applicable in a Restricted Country. For purposes of this clause, the term “Sensitive Personal Data” means “any Personal Data that is afforded special protection under a law or regulation because it could potentially cause harm, damage, or discrimination to an individual if it is disclosed, accessed, or used without authorization, and includes, but is not limited to, social security/insurance numbers and other government identifiers.” The term “Restricted Country” means “any country or territory other than Australia, Canada, the European Economic Area, Mexico, the United States of America, or the United Kingdom.”

5.             CONFIDENTIALITY; SECURITY

5.1. Confidentiality. Enboarder shall at all times maintain the confidentiality of all Customer Personal Data and ensure that individuals who are authorized to Process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.2. Information Security. Enboarder shall implement and maintain commercially reasonable technical and organizational security controls to protect and safeguard Customer Personal Data, which shall include written policies describing its security controls and measures and the relevant procedures and responsibilities of Enboarder personnel who have access to Customer Personal Data (“Information Security Program”). All of Enboarder’s employees who have access to Customer Personal Data shall have signed written confidentiality agreements ensuring their duty of confidentiality. Enboarder shall designate a senior employee to be responsible for the overall management of Enboarder’s Information Security Program.

5.3. Updates. Enboarder may update, amend, or otherwise alter its Information Security Program at any time, provided that any such update, amendment, or alteration does not increase the likelihood of a Security Event or cause the Information Security Program to not meet the minimum standards set forth herein.

6.             ASSISTANCE; COOPERATION

6.1. Requests. Enboarder shall, to the extent legally permitted, promptly notify Customer if Enboarder receives a request from (i) a government or regulatory authority regarding the Processing of, or seeking access to, Customer Personal Data (“Government Data Request”) or (ii) a Data Subject seeking to exercise a data protection right or privilege, such as the right to access or deletion (a “Data Subject Request”), and Enboarder shall, to the extent practicable, seek to direct the requestor to Customer. Taking into account the nature of the Processing, Enboarder shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Government Data Request or a Data Subject Request. In addition, to the extent Customer, in its use of the Services, does not have the ability to address the Government Data Request or the Data Subject Request, Enboarder shall, upon Customer’s request, furnish commercially reasonable efforts to assist Customer in responding to such requests, to the extent Enboarder is legally required to do so. For the avoidance of doubt, Customer shall be fully responsible and liable for timely and appropriately responding to a Government Data Request or a Data Subject Request.

6.2. Impact Assessments; Consultation. Upon Customer’s request, Enboarder shall provide Customer with reasonable cooperation and assistance (i) needed to fulfil Customer’s obligation under applicable Data Protection Law to undertake a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information and to the extent such information is available to Enboarder and (ii) with respect to a consultation with a government or regulatory authority.

6.3. Recordkeeping; Disclosures. Customer acknowledges that Enboarder may be required under applicable Data Protection Law to: (i) collect and maintain records of certain information, including the name and contact details of each Data Controller on behalf of which Enboarder is acting and, where applicable, of such Data Controller’s local representative and data protection officer and (ii) make such information available to a government or regulatory authority. Accordingly, to the extent such Data Protection Law applies to the Processing of Customer Personal Data, Customer will, where required by law, provide such information to Enboarder, and will ensure that all information provided is kept accurate.

7.             RETURN OR DESTRUCTION OF DATA

7.1. Obligations. On termination or expiration of the Master Agreement or this DPA, Customer may wish to instruct Enboarder to delete or return all Customer Personal Data (including copies) from Enboarder’s systems in accordance with applicable Data Protection Law. Enboarder will comply with this instruction as soon as reasonably practicable, and where technically feasible, and Enboarder shall not be required to delete or return Customer Personal Data to the extent that Enboarder is required by applicable law or order of a governmental or regulatory body to retain some or all of the Customer Personal Data or such Customer Personal Data is required for Enboarder to enforce or defend its legal rights or interests. In addition, except to the extent required by applicable law, Enboarder shall not be required to delete or return Customer Personal Data archived on backup systems if Enboarder shall securely isolate it and protect it from any further Processing and such Customer Personal Data is deleted in accordance with Enboarder’s standard overwriting and deletion policies.

8.             SECURITY EVENT PROCEDURES

8.1. Reporting to Customer. Upon confirming a Security Event and where legally required, Enboarder shall: (i) taking into account the nature of Processing of Customer Personal Data and the information available to Enboarder, promptly (and in accordance with the timeframes set forth in applicable Data Protection Law) notify Customer of a Security Event when it discovers the same, (ii) provide timely information to Customer relating to the Security Event as it becomes known or as is reasonably requested by Customer, and (iii) promptly take reasonable steps to contain, investigate, and mitigate any Security Event, and Enboarder may (in Enboarder’s sole and reasonable judgment) retain an independent data incident response consultant to contain, investigate, and remediate the Security Event on its behalf.

8.2. Incident Notification. Enboarder will cooperate with Customer as reasonably requested by Customer in responding to Customer’s regulators or customers with respect to a Security Event. Notwithstanding the foregoing, Customer acknowledges and agrees (i) Customer shall be solely responsible for notifying or disclosing a Security Event to any applicable government agency, individual, or entity, (ii) Customer may not name Enboarder in consumer or regulatory notifications or press releases without Enboarder’s consent (except as required by law), and (iii) Customer shall coordinate with Enboarder on developing the content of any public statements or any required notices for the affected Data Subjects and/or notices to the relevant supervisory authorities related to the Security Event if Enboarder’s name will be mentioned in such notices. Nothing in this DPA shall be interpreted to prevent Enboarder from complying with its own data incident notification requirements, provided Enboarder may not name Customer in regulatory notifications or press releases without Customer’s consent (except as required by law), and Enboarder shall coordinate with Customer on developing the content of any public statements or any required regulatory notices related to the Security Event if Customer’s name will be mentioned in such public statements or notices.

8.3. Disclaimer. Any notification, assistance, or cooperation provided by Enboarder in accordance with this Section 8 shall not be interpreted or construed as an admission of liability, wrongdoing, or fault by Enboarder. To the extent Enboarder is responsible for the Security Event, Enboarder shall be liable for the costs to investigate and respond to the Security Event in accordance with the terms of the Master Agreement.

9.             REPORTS; AUDITS

9.1. Security Reports. Upon request (which shall not occur more than annually), Enboarder shall provide to Customer, on a confidential basis, a summary copy of (if available) any third-party audit report or certification applicable to the Services (“Report”), so that Customer can verify Enboarder’s compliance with this DPA. If Customer reasonably believes that the Report provided is insufficient to demonstrate Enboarder’s compliance with this DPA, Enboarder shall also provide written responses (on a confidential basis) to reasonable requests for information made by Customer related to the Processing of Customer Personal Data.

9.2. Audits; Inspections. If Customer reasonably believes that the information provided by Enboarder pursuant to Section 9.1 is insufficient to demonstrate compliance with this DPA, Enboarder will allow an audit by Customer, or a third-party auditor appointed by Customer and reasonably acceptable to Enboarder, in relation to Enboarder’s Processing of Customer Personal Data. Any such audit will be at Customer’s expense, with reasonable advance notice, conducted during normal business hours no more than once per year and subject to Enboarder’s reasonable security and confidentiality requirements and provided that the exercise of rights under this Section 9.2 would not infringe Data Protection Laws.

10.             SUBPROCESSORS

10.1. Authorized Subprocessors. Customer agrees that Enboarder may, in accordance with this Section 10 of the DPA, engage Subprocessors to Process Customer Personal Data and Customer hereby approves the Subprocessors currently engaged by Enboarder as set forth in its Subprocessor List.

10.2. Subprocessor Obligations. Enboarder shall (i) ensure that each Subprocessor is subject to binding obligations that require the Subprocessor to protect the Customer Personal Data to the same standard as Enboarder and (ii) remain responsible for each Subprocessor’s compliance with the obligations of this DPA and for any failure by the Subprocessor to fulfil its data protection obligations.

10.3. Changes to Subprocessors. Enboarder shall inform Customer of any intended changes concerning the addition or replacement of a Subprocessor, thereby giving Customer the opportunity to object to such changes, provided Customer may only object to such changes involving Subprocessors if there are reasonable grounds to believe that the Subprocessor will be unable to comply with the Documented Instructions. If Customer objects to Enboarder’s use of a new Subprocessor, Customer shall notify Enboarder in writing within thirty (30) business days after receiving notification regarding the proposed use of the Subprocessor. Customer’s failure to object in writing within such time period shall constitute approval to use the new Subprocessor. Customer acknowledges and accepts that the refusal to permit the use of a particular new Subprocessor may result in Enboarder’s inability to satisfy, in full or in part, the terms and conditions of the Master Agreement, and in such circumstances, Customer may terminate the Master Agreement in accordance with the termination provisions of the Master Agreement, and such termination shall not constitute termination for breach of the Master Agreement. Enboarder shall notify Customer of any intended changes with respect to a Subprocessor (i) by clearly and conspicuously furnishing notice to Customer via a disclaimer or other notice on the Services, (ii) via email communication to Customer through any email contact information Customer has furnished to Enboarder, and Customer is responsible for ensuring any such contact information is true, accurate, and complete (and Customer may provide such contact information to Enboarder at privacy@enboarder.com), or (iii) any other reasonable method that furnishes Customer with appropriate notice and opportunity to respond. Any changes to Enboarder’s Subprocessors will be reflected at https://enboarder.com/legal/subprocessors/.

11.             INTERNATIONAL DATA TRANSFERS

11.1. EU Standard Contractual Clauses. Customer hereby acknowledges and agrees that, for providing the Services under the Master Agreement, Enboarder may transfer Customer Personal Data across national borders. To the extent Customer Personal Data originates in the European Economic Area (EEA), the parties undertake to apply the provisions of the EU Standard Contractual Clauses to the transfer and Processing of such Customer Personal Data. If the EU Standard Contractual Clauses are applicable between the parties pursuant to this Section 11.1 of this DPA, their provisions will be deemed incorporated by reference into this DPA. If the parties apply and incorporate the EU Standard Contractual Clauses pursuant to this Section 11.1 of this DPA, then the following shall apply:

11.1.1. Module Two or Three. The EU Standard Contractual Clauses shall be governed by Module Two (Transfer controller to processor) clauses where Customer is a Controller and Enboarder is a Processor, and by Module Three (Transfer processor to processor) where Customer is a Processor and Enboarder is a sub-Processor. Customer and/or Customer’s EU Affiliates shall be the data exporter and Enboarder shall be the data importer.

11.1.2. Docking Clause. Each party acknowledges and agrees that Clause 7 (Optional – Docking Clause) of the EU Standard Contractual Clauses shall be deemed incorporated therein and applicable to the parties and third parties.

11.1.3. Sub-Processing Clause. For purposes of Clause 9(a) (Use of sub-processors) of the EU Standard Contractual Clauses, the parties agree that Option 2 (General Authorization) shall apply to the parties in accordance with Section 10 of this DPA.

11.1.4. Redress Clause. For purposes of Clause 11 (Redress) of the EU Standard Contractual Clauses, the parties agree that the optional wording shall not be incorporated therein and therefore shall not be applicable to the parties.

11.1.5. Governing Law. For purposes of Clause 17 (Governing law) of the EU Standard Contractual Clauses, the parties agree that the EU Standard Contractual Clauses shall be governed by the law of Ireland and select Clause 17, “Option 1” to this effect.

11.1.6. Choice of Forum Clauses. For purposes of Clause 18 (Choice of forum and jurisdiction) of the EU Standard Contractual Clauses, the parties agree that any dispute arising from the EU Standard Contractual Clauses shall be resolved by the Courts of Ireland.

11.1.7. Transfer Details (Annex I). Annex I of the EU Standard Contractual Clauses shall be completed with the information set forth in Annex I of this DPA.

11.1.8. Security Controls (Annex II). Annex II of the EU Standard Contractual Clauses shall be completed with the information set forth in Annex II of this DPA.

11.1.9. Sub-Processing List (Annex III). Annex III of the EU Standard Contractual Clauses shall be completed with Section 10 of this DPA.

11.1.10. Onward Transfers. Enboarder shall not transfer Customer Personal Data received under the EU Standard Contractual Clauses (nor permit such Customer Personal Data to be transferred) to a Subprocessor outside the EEA, unless (i) the Subprocessor is established in a country which the European Commission has granted an adequacy status, or (ii) Enboarder implements and maintains such measures as necessary to ensure the transfer is in compliance with Data Protection Law, and such measures may include (without limitation) executing the EU Standard Contractual Clauses, Module 3 (Transfer processor to processor).

11.2. UK Addendum. To the extent Customer Personal Data originates in the UK, the parties undertake to apply the provisions of the EU Standard Contractual Clauses, as updated and amended by the UK Addendum, to the transfer and Processing of such Customer Personal Data and hereby incorporate the UK Addendum by reference into this DPA, provided the UK Addendum shall be supplemented and completed, as appropriate, with the descriptions and party responsibilities, clause options, and similar criteria set forth in Section 11.1 of this DPA and the Annexes attached hereto. For the avoidance of doubt, with respect to UK data transfers, in the event of a conflict between the EU Standard Contractual Clauses and the UK Addendum, the terms and hierarchy set forth in the UK Addendum shall supersede and control with respect to such UK data transfers only. Enboarder shall not transfer any Customer Personal Data received under the UK Addendum (nor permit such Customer Personal Data to be transferred) to a Subprocessor outside the UK, unless (i) the Subprocessor is established in a country which the UK authorities have granted an adequacy status, or (ii) Enboarder implements and maintains such measures as necessary to ensure the transfer is in compliance with Data Protection Law, and such measures may include (without limitation) executing the EU Standard Contractual Clauses, Module 3 (Transfer processor to processor) and the UK Addendum thereto.

11.3. Other Transfers. To the extent Customer Personal Data originates outside of the EEA or the UK, and the parties seek to transfer and Process such Customer Personal Data across national borders, the parties shall also undertake to apply, as appropriate, the provisions of the EU Standard Contractual Clauses or UK Addendum to such transfer and Processing, provided that the EU Standard Contractual Clauses or UK Addendum are legally required and sufficient to meet the requirements of the applicable Data Protection Law for the transfer and Processing of Personal Data across national borders.

11.4. Surveillance Disclaimers. If the parties apply and incorporate the EU Standard Contractual Clauses pursuant to Section 11.1 of this DPA or the UK Addendum pursuant to Section 11.2 of this DPA, then Enboarder hereby represents and warrants the following to be true, accurate, and complete: (i) Enboarder has never been the subject of a “FISA” warrant issued pursuant to 50 United States Code (U.S.C.) § 1881(4) with regard to a request for disclosure of any Personal Data that it Processes, and (ii) Enboarder has never cooperated with public authorities conducting surveillance of communications pursuant to Executive Order (EO) 12333 with regard to Personal Data in Enboarder’s custody or control.

11.6. Changes to the Law. If and to the extent this DPA or the EU Standard Contractual Clauses or the UK Addendum are no longer recognized by the European Commission or other local privacy authorities as an adequate mechanism for the transfer of Customer Personal Data from the European Economic Area, United Kingdom or other country, as applicable, to the United States, then the parties shall abide by another adequate transfer mechanism, provided however that if, after commercially reasonable efforts, Enboarder is unable to comply with another adequate transfer mechanism, Customer or Enboarder may, upon prior advance written notice to the other party, terminate the Master Agreement and obtain a refund from Enboarder of pre-paid fees prorated for the remainder of the unused Services as Customer’s exclusive remedy.


12.             MISCELLANEOUS

12.1. Governing Clauses; Severance. The parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Master Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity, and this DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Master Agreement. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

12.2. Limitation of Liability. Each party’s and all of its affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Customer affiliates and Enboarder and Enboarder affiliates, whether in contract, tort or under any other theory of liability, is subject to the “Limitation of Liability” section of the Master Agreement and the applicable cap (maximum) for the relevant party set forth in the Master Agreement. Any reference in such section to the liability of a party means the aggregate liability of that party and all of its affiliates under the Master Agreement and all DPAs together. For the avoidance of doubt, Enboarder and its affiliates’ total liability for all claims from Customer and all of Customer’s affiliates arising out of or related to the Master Agreement and all DPAs shall apply in the aggregate for all claims under both the Master Agreement and all DPAs established under the Master Agreement, including by Customer and all Customer affiliates, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Customer affiliate that is a contractual party to any such DPA. To the extent required by law, this section is not intended to (i) modify or limit either party’s liability for Data Subject claims made against a party where there is joint and several liability, or (ii) limit either party’s responsibility to pay penalties imposed on such party by a regulatory authority.

* * * * *

Annex I (Data Processing Activities)


A. List of parties:

Name (Data Exporter): Customer, as set forth in the Master Agreement
Address: Set forth in the Master Agreement
Contact person: Set forth in the Master Agreement
Activities relevant to the data transferred under these Clauses: Set forth below (Section B. Description of Transfer)
Role (controller / processor): Controller/Processor

Name (Data Importer): Enboarder entity, as set forth in the Master Agreement
Address: Set forth in the Master Agreement
Contact person: privacy@enboarder.com
Activities relevant to the data transferred under these Clauses: Set forth below (Section B. Description of Transfer)
Role (controller / processor): Processor/Sub-Processor

B. Description of Transfer:

Unless otherwise set forth in an order form or similar documentation, the description of the Customer Personal Data transferred is as follows:

(i) Categories of Data Subjects: Individuals hired by Customer (New Hire) and Customer’s existing employees (HR, manager of the New Hire, mentor, buddy).

(ii) Categories of Personal Data: The personal data transferred concerns (a) New Hire: first name, surname, email address, phone number, academic certificates, office location, function, business division/ team, and (b) Customer’s employees: name, email address.

(iii) Sensitive/Special Categories of Personal Data: None.

(iv) Transfer Frequency: Continuous, and for so long as Customer uses the Services, and for the termination and transition period thereafter, as set forth in the Master Agreement.

(v) Nature of Processing: For Enboarder to provide employee onboarding services to Customer, and to facilitate access and use of the same.

(vi) Purpose of Data Processing: To provide employee onboarding services via Enboarder’s Online Services.

(vii) The Period for which Personal Data will be Retained: For the duration of the Master Agreement and for the termination and transition period, thereafter, as set forth in the Master Agreement.

(viii) Third-Party Sub-Processor Transfers: The relevant information as set forth in Annex III.

C. Competent Supervisory Authority:

The competent supervisory authority in accordance with Clause 13 of the EU Standard Contractual Clauses is the supervisory authority of Ireland.


Annex II (Security Controls)

Enboarder’s Information Security Program shall meet or exceed the information security requirements, standards, and criteria set forth in this Annex II:

  1. Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services.
    (a) All infrastructure is built on AWS Cloud with Auto Scaling, which adds servers when there is a need. All servers are deployed in at least 2 availability zones for resilience. Only connections over secure channels using TLS v1.2 and above are allowed. Enboarder has implemented Web Application Firewall rules for blocking non-legitimate traffic.
    (b) All data is validated in the backend to maintain data integrity before business operations are performed. Users are authenticated and are only allowed to perform operations permitted by their role.
    (c) Daily database backups ensure data can be restored easily.
  2. Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
    (a) Daily backups are taken to ensure data can be restored in case of any technical or physical incident.
    (b) Enboarder does not manage its own data centers; all data resides on AWS cloud.
    (c) Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing.
    (d) Enboarder follows an Agile development methodology, with all tickets marked as Done by the QA team only after proper testing. QA teams also perform regression and automation testing.
    (e) All developers are trained on OWASP Top 10 coding principles. Third-party libraries are continuously checked for known vulnerabilities. Enboarder also performs dynamic code scans for any vulnerabilities introduced in code, and SonarQube performs static code analysis to find security issues in code.
  3. Measures for user identification and authorization. Enboarder uses JWT cookies for user identification, and users have defined roles for authorization. Access to all operations is granted based on the authentication and authorization role of the user. Enboarder also provides connectors for SSO integration using SAML 2.0 for user authentication with all IdPs that support SAML 2.0.
  4. Measures for the protection of data during transmission. All data is encrypted at rest and is only transmitted over secure channels using TLS v1.2 and above.
  5. Measures for the protection of data during storage. All data is encrypted at rest using AES-256 encryption, with the encryption key managed by AWS.
  6. Measures for ensuring physical security of locations at which personal data are processed. All of Enboarder’s servers are on AWS cloud.
  7. Measures for ensuring events logging. All events are logged in AWS using CloudTrail and CloudWatch and by the application. All events are forwarded to Enboarder’s SIEM solution for monitoring and alerting.
  8. Measures for ensuring system configuration, including default configuration. All of Enboarder’s infrastructure is built using CloudFormation templates (infrastructure as code). All configuration is applied by code. Manual changes to infrastructure are not allowed.
  9. Measures for internal IT and IT security governance and management. Enboarder is ISO 27001 certified and is undergoing a SOC 2 compliance program.
  10. Measures for ensuring data quality. Enboarder has robust testing measures in place to ensure data quality remains high. All user input data is sanitized before being saved to the database. Role-based access checks are performed to prevent unauthorized access.
  11. Measures for ensuring limited data retention. Enboarder has policies in place to purge backups after 90 days. For application data, configuration options allow Admin users to set up their preferences for data purges.
  12. Measures for ensuring accountability. Enboarder logs extensive event data in the SIEM solution, which can be used to analyze events in case of any incident.
  13. Measures for allowing data portability and ensuring erasure. Data portability to customers is available only via APIs or via special request handled from the backend. Data erasure, where required for a customer, is never executed manually; Enboarder uses a mix of manual approval and automated processes to perform data destruction activities in a controlled manner.


Annex III (Approved Subprocessors)

Below is a list of Subprocessors currently utilized by Enboarder. This list, as amended from time to time, can be found at https://enboarder.com/legal/subprocessors/:

Name of Subprocessor | Data Processing Location (State, Country) | Service(s) to be Performed
AWS | Sydney (AUS); Oregon (USA); Frankfurt (EU/UK); Canada | Main cloud provider
Amazon Pinpoint | Sydney (AUS); Oregon (USA); Frankfurt (EU/UK); Canada | SMS provider
BurstSMS | Australia | SMS provider (APAC region)
Customer.io | USA | Email provider (mainly APAC/US region)
Esendex | UK | SMS provider (EU/UK region)
FullStory | Frankfurt (EU/UK); USA | Analytics and insights to support users and product development
Intercom | USA | Customer messaging platform
Mailjet | Germany or Belgium | Email provider (EU/UK region)
MyInterview | Frankfurt | Video on demand
Twilio | USA | SMS provider (US region)
MergeDev | USA | API Integration provider