THIS DATA PROTECTION ADDENDUM is made on [INSERT DATE] between:

  1. [CLIENT], a [STATE OF INCORPORATION] corporation with offices at [ADDRESS] (“Licensee”); and
  2. Valente Sherman, Inc. DBA VISO TRUST, a Delaware corporation with offices at 635 San Geronimo Valley Drive, San Geronimo, CA 94963 (“VISO TRUST”),

(the “Parties”, and each a “Party”).

WHEREAS:

  1. Licensee and VISO TRUST are each party to a SOFTWARE LICENCE AGREEMENT with effective date [INSERT DATE], as amended from time to time (the “Original Agreement”) pursuant to which VISO TRUST Processes (as defined below) certain Licensee Personal Data (as defined below) in connection with the provision of SaaS Third Party Cyber Risk Management (the “Services”). 
  2. The Parties now wish to enter into this Data Protection Addendum to supplement (and in respect of certain terms supersede) the Original Agreement to regulate VISO TRUST’s Processing of any Licensee Personal Data thereunder to ensure the terms of the Original Agreement are compliant with Data Protection Laws (as defined below).

The Parties hereby agree the following:

  1. DEFINITIONS

In this Data Protection Addendum, the following terms shall have the following meanings and shall be construed accordingly:

  1. “Data Protection Laws” means all laws and regulations applicable to VISO TRUST’s Processing of Personal Data, which may include the European Union General Data Protection Regulation 2016/679 (“GDPR”), the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”), the Privacy and Electronic Communications Directive, and any legislation implementing, supplementing, amending or replacing such legislation, the California Consumer Privacy Act (“CCPA”), as amended, and all other data protection laws or regulations applicable to VISO TRUST;
  2. “Licensee Personal Data” means any Personal Data Processed by VISO TRUST on behalf of Licensee pursuant to or in connection with the Original Agreement;
  3. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data;
  4. “Standard Contractual Clauses”, or “EU SCCs” means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to EU Regulation 2016/679, as approved with the Commission Implementing Decision (EU) 2021/914;
  5. “Subprocessor” means any person (including any third party, but excluding an employee of VISO TRUST or any employee of its sub-contractors) appointed by or on behalf of VISO TRUST to Process Personal Data on behalf of Licensee in connection with the Original Agreement; and
  6. “VISO TRUST Personnel” means any employee, agent or contractor of VISO TRUST.
  7. “United Kingdom International Data Transfer Agreement or Addendum”, or “UK IDTA” means either, as applicable, (a) the International Data Transfer Agreement when used under the UK GDPR, or (b) the International Data Transfer Addendum to the EU SCCs issued by the Commissioner under s119A(1) of the Data Protection Act 2018, version A1.0, in force from March 21, 2022.

The terms “Data Controller”, “Data Processor”, “Data Protection Impact Assessments”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, and “Supervisory Authority” shall have the same meaning as in the GDPR or their respective equivalents under Data Protection Laws, and their cognate terms shall be construed accordingly.

  2. PROCESSING OF LICENSEE PERSONAL DATA
    1. Roles and Responsibilities. The Parties acknowledge and agree that for the purposes of this Data Protection Addendum, Licensee acts as the Data Controller and VISO TRUST acts as the Data Processor of any Licensee Personal Data Processed by VISO TRUST on behalf of Licensee in connection with its provision of the Services, notwithstanding the fact that Licensee may itself be a Data Processor (and VISO TRUST a Subprocessor) acting on behalf of a third party who is the original Data Controller (“Original Controller”). 
    2. Processing Activities and Instructions. VISO TRUST warrants and undertakes that it shall:  (a) comply with all applicable obligations which may arise under Data Protection Laws in connection with its Processing of Licensee Personal Data; and (b) not Process Licensee Personal Data other than as contemplated under the Original Agreement or on Licensee’s documented instructions in Schedule 1 and solely for the purposes of providing the Services unless Processing is required by any applicable Data Protection Laws to which VISO TRUST is subject.
    3. Lawfulness of Instructions.  Licensee shall ensure that its instructions (a) comply with Data Protection Laws, and (b) do not cause, by following them, VISO TRUST to violate any applicable laws or regulations. Each Party will inform the other if it reasonably believes that Licensee’s instructions violate any applicable laws or regulations, including applicable Data Protection Laws.
  3. CONFIDENTIALITY OBLIGATIONS
    1. VISO TRUST shall take reasonable steps to ensure the reliability of any VISO TRUST Personnel who may have access to the Licensee Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Licensee Personal Data, as strictly necessary for the performance of the Services, and to comply with any applicable Data Protection Laws in the context of that individual’s duties to VISO TRUST. 
    2. VISO TRUST shall ensure that all such individual VISO TRUST Personnel are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities, and are subject to confidentiality undertakings or professional or statutory obligations of confidentiality. VISO TRUST shall ensure that such confidentiality obligations survive the termination of VISO TRUST Personnel engagement.
  4. SECURITY
    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, VISO TRUST shall in relation to the Licensee Personal Data implement reasonable technical and organisational measures to ensure a level of security appropriate to that risk, including at least those set out in Schedule 2 of this Data Protection Addendum.  In assessing the appropriate level of security, VISO TRUST shall take account in particular of the risks that are presented by its Processing, in particular from a Personal Data Breach.
  5. SUBPROCESSING
    1. Current Subprocessors. Licensee agrees to provide general authorization for VISO TRUST to engage Subprocessors, including VISO TRUST affiliates and third parties, listed in Schedule 4, which includes the name, purpose of Processing, and categories of Personal Data processed with respect to each Subprocessor. If VISO TRUST wishes to modify its existing Subprocessors, it will provide Licensee advanced notification thirty (30) days prior to Subprocessor Processing of Personal Data.
    2. Right to Object. Licensee shall have the right to reasonably object to such appointment based on justifiable grounds and in good faith.  If no objection is received within a thirty (30) day period after appointment, Licensee will be deemed to have authorised the appointment.  Should Licensee object within the thirty (30) day period before appointment, the Parties shall work together in good faith to determine a suitable alternative Subprocessor.  If this cannot be agreed by the Parties, VISO TRUST shall confirm whether the Processing to be undertaken by the Subprocessor can reasonably be not performed and/or whether it can be amended in any way to allow the Parties to continue to each comply with their obligations under this Data Protection Addendum.  If it is determined this is not possible, the Parties agree that this Data Protection Addendum can be terminated by Licensee by notice in writing. 
    3. Subprocessors Obligations and Liability. VISO TRUST will require that any Subprocessor it engages to provide the Services in connection with this Data Protection Addendum does so only with a written agreement that imposes on such Subprocessor terms with the same or materially similar protections, including confidentiality, for VISO TRUST under this Data Protection Addendum and following reasonable due diligence. 
  6. ASSISTANCE
    1. Upon Licensee’s request, VISO TRUST will cooperate to enable Licensee to comply with honouring data subject rights under Data Protection Laws relevant to the Processing of Licensee Personal Data. VISO TRUST will provide reasonable assistance to Licensee with respect to (a) completion of Data Protection Impact Assessments (as defined in Data Protection Laws); (b) Licensee’s ability to access, rectify, and restrict Processing of Licensee Personal Data consistent with the Services; (c) Licensee’s compliance with its obligations under Data Protection Laws; (d) in response to any Personal Data Breach; and (e) any prior consultations required with a supervisory authority.
  7. PERSONAL DATA BREACH
    1. Notification. VISO TRUST shall notify Licensee, promptly and without undue delay upon VISO TRUST or any Subprocessor first suspecting or becoming aware of a Personal Data Breach affecting Licensee Personal Data, providing Licensee with all necessary information to allow Licensee to meet any obligations to report or inform Data Subjects of the Personal Data Breach under Data Protection Laws.
    2. Mitigation and Cooperation. VISO TRUST shall use prompt and reasonable efforts consistent with industry standards to investigate, contain, mitigate, and remediate any Personal Data Breach. VISO TRUST will provide reasonable cooperation and assistance to allow Licensee to reduce the risk to Data Subjects affected by the Personal Data Breach and to comply with Data Protection Laws.
  8. DELETION OR RETURN OF LICENSEE PERSONAL DATA
    1. Within thirty (30) days of Licensee’s request, VISO TRUST will (a) return a complete copy of all Licensee Personal Data to Licensee (if requested) and/or (b) unless prohibited by applicable law, delete Licensee Personal Data Processed under this Data Protection Addendum. Nothing herein (a) requires VISO TRUST to delete Licensee Personal Data from files created for security, backup, and/or business continuity purposes; (b) alleviates any confidentiality obligations on VISO TRUST; or (c) permits Processing of Licensee Personal Data beyond the instructions of this Data Protection Addendum.
  9. AUDIT RIGHTS
    1. VISO TRUST shall make available to Licensee on reasonable request and no more than annually, and at its own cost, sufficient information necessary to demonstrate compliance with this Data Protection Addendum, and shall allow for and contribute to reasonable audits and access, including inspections, by Licensee or an auditor mandated by Licensee in relation to the Processing of the Licensee Personal Data by VISO TRUST or its Subprocessor(s). 
    2. Once per calendar year commencing on the date 12 months after the date of this Data Protection Addendum, VISO TRUST shall, upon reasonable request, at its own cost, supply to Licensee a report from its own internal audit of its Processing activities in so far as they relate to the Licensee Personal Data to enable Licensee to verify that VISO TRUST is in compliance with its obligations under this Data Protection Addendum. Such report shall include, but shall not be limited to, descriptions of VISO TRUST’s security control policies and procedures, including a statement on the operating effectiveness of those policies and procedures and remediation plans for any deficiencies.
    3. VISO TRUST may redact any confidential or commercially sensitive information from such audit reports before providing copies to Licensee as described above. VISO TRUST shall be responsible for promptly remediating, at its cost, all failures, deficiencies and risks identified in such audit reports. 
  10. INTERNATIONAL DATA TRANSFERS
    1. Data Transfers under the EU SCCs. The SCCs are incorporated into this Data Protection Addendum and apply where the execution of the SCCs, as between the Parties, is required under applicable Data Protection Laws for the transfer of Personal Data. The SCCs shall be deemed completed as follows:
      1. Where Licensee acts as a Data Controller and VISO TRUST acts as Licensee’s Data Processor with respect to Licensee Personal Data subject to the SCCs, Module 2 applies.
      2. Where Licensee acts as a Data Processor and VISO TRUST acts as Licensee’s Subprocessor with respect to Licensee Personal Data subject to the SCCs, Module 3 applies.
      3. Clause 7 (the optional docking clause) is not included.
      4. Under Clause 9 (Use of sub-processors), the parties select Option 2 (General written authorization). 
      5. Under Clause 11 (Redress), the optional language will not apply.
      6. Under Clause 17 (Governing law), the parties choose Option 1 and select the law of Ireland.
      7. Under Clause 18 (Choice of forum and jurisdiction), the parties select the courts of Ireland.
      8. Annexes I, II, and III of the EU SCCs are set forth in Appendix 1 below.
    2. Data Transfers under the IDTA. When used as an addendum to the EU SCCs and the UK IDTA is otherwise required under applicable Data Protection Laws for the transfer of Personal Data, the UK IDTA addendum shall incorporate the selections above and be deemed further completed as follows:
      1. Table 1: the Parties’ details shall be the Parties and their affiliates to the extent any of them is involved in such transfer, including those set forth in Appendix 1, and the Key Contact shall be the contacts set forth in Appendix 1.
      2. Table 2: The referenced Approved EU SCCs shall be the EU SCCs incorporated into this Data Protection Addendum.
      3. Table 3: Annex 1A, 1B, and II shall be set forth in Appendix 1.
      4. Table 4: Either Party may end the EU SCCs as set out in Section 19 of the EU SCCs.

When the transfer will only involve Licensee Personal Data from the UK, the full IDTA agreement, found in Schedule 2 of this Data Protection Addendum, shall be executed.

    3. Data Transfers from Switzerland. Where the EU SCCs are required under Swiss data protection law applicable to the transfer of Personal Data, the following additional provisions will apply:
      1. References to the GDPR in the EU SCCs are to be understood as references to the Swiss Federal Act on Data Protection (“FADP”) insofar as the data transfers are subject exclusively to the FADP and not to the GDPR.
      2. The term “member state” in the EU SCCs shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs.
      3. References to personal data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope.
      4. Under Annex I(C) of the EU SCCs: where the transfer is subject exclusively to the FADP and not the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner, and where the transfer is subject to both the FADP and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the FADP, and the supervisory authority is as set forth in the EU SCCs insofar as the transfer is governed by the GDPR.
  11. MUTUAL INDEMNIFICATION
      1. Indemnification by VISO TRUST. VISO TRUST will defend, indemnify and hold harmless,  Licensee and its directors, officers, employees and agents (“Licensee Indemnitees”) from and against any and all liabilities, obligations, claims, contingencies, fines, deficiencies, demands, assessments, losses (including diminution in value), damages (including incidental and consequential damages), costs and expenses, including all corrective and remedial actions, all court costs and reasonable attorneys’ fees and all reasonable amounts paid in investigation, defense or settlement of the foregoing, that constitute, or arise  out of or in connection with a third party alleging that any Services infringe or misappropriate such third party’s intellectual property rights; provided, however,  Licensee (a) promptly gives VISO TRUST written notice of the claim, (b) gives VISO TRUST sole control of the defence and settlement of the claim (except that VISO TRUST may not settle any claim unless it unconditionally releases Licensee of all liability), and (c) gives VISO TRUST all reasonable assistance, at VISO TRUST’s expense. If VISO TRUST receives information about an infringement or misappropriation claim related to the Services, VISO TRUST may in its discretion and at no cost to Licensee (i) modify the Services so that they are no longer claimed to infringe or misappropriate, without breaching VISO TRUST’s warranties under the Original Agreement, (ii) obtain a licence for Licensee’s continued use of the Services in accordance with the Original Agreement, or (iii) terminate Licensee’s use of the Services per the Original Agreement. 
The above defence and indemnification obligations do not apply if (I) the allegation does not state with specificity that the Services are the basis of the claim against Licensee; (II) a claim arises from the use or combination of the Services or any part thereof, if the Services or use thereof would not infringe without such combination; or (III) a claim arises from Licensee’s breach of this Data Protection Addendum.
      2. Indemnification by Licensee. Licensee will defend, indemnify and hold harmless, VISO TRUST and its directors, officers, employees and agents (“VISO TRUST Indemnitees”) from and against any and all liabilities, obligations, claims, contingencies, fines, deficiencies, demands, assessments, losses (including diminution in value), damages (including incidental and consequential damages), costs and expenses, including, without limitation, all corrective and remedial actions, all court costs and reasonable attorneys’ fees and all reasonable amounts paid in investigation, defense or settlement of the foregoing, that constitute, or arise  out of or in connection with  (i) Licensee’s use of the Services in an unlawful manner or in violation of this Data Protection Addendum, (ii) any Licensee data or Licensee’s use of data with the Services, and will indemnify VISO TRUST from any damages, attorney fees and costs finally awarded against VISO TRUST as a result of, or for any amounts paid by VISO TRUST under a settlement approved by Licensee (such approval which shall not be unreasonably withheld) in writing of, a claim against VISO TRUST, provided VISO TRUST (A) promptly gives Licensee written notice of the claim, (B) gives Licensee sole control of the defence and settlement of the claim (except that Licensee may not settle any claim against VISO TRUST unless it unconditionally releases VISO TRUST of all liability), and (C) gives Licensee all reasonable assistance, at Licensee’s expense. The above defence and indemnification obligations do not apply if a claim against VISO TRUST arises from VISO TRUST’s breach of the Original Agreement or this Data Protection Addendum.
      3. Exclusive Remedy. This “Mutual Indemnification” section states the indemnifying Party’s sole liability to, and the indemnified Party’s exclusive remedy against, the other Party for any third-party claim described in this section. 
  12. LIMITATION OF LIABILITY
    1. Limitation of Liability. IN NO EVENT SHALL THE AGGREGATE LIABILITY OF VISO TRUST TOGETHER WITH ALL OF ITS AFFILIATES ARISING OUT OF OR RELATED TO THIS DATA PROTECTION ADDENDUM EXCEED THE TOTAL AMOUNT PAID BY LICENSEE UNDER THE ORIGINAL AGREEMENT FOR THE SERVICES GIVING RISE TO THE LIABILITY IN THE TWELVE MONTHS PRECEDING THE FIRST INCIDENT OUT OF WHICH THE LIABILITY AROSE. THE FOREGOING LIMITATION WILL APPLY WHETHER AN ACTION IS IN CONTRACT OR TORT AND REGARDLESS OF THE THEORY OF LIABILITY, BUT WILL NOT LIMIT LICENSEE’S AND ITS AFFILIATES’ PAYMENT OBLIGATIONS HEREUNDER, IF ANY.
    2. Exclusion of Consequential and Related Damages. IN NO EVENT WILL VISO TRUST OR ITS AFFILIATES HAVE ANY LIABILITY ARISING OUT OF OR RELATED TO THIS DATA PROTECTION ADDENDUM FOR ANY LOST PROFITS, REVENUES, GOODWILL, OR INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, COVER, BUSINESS INTERRUPTION OR PUNITIVE DAMAGES, WHETHER AN ACTION IS IN CONTRACT OR TORT AND REGARDLESS OF THE THEORY OF LIABILITY, EVEN IF LICENSEE OR ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR IF LICENSEE’S OR ITS AFFILIATES’ REMEDY OTHERWISE FAILS OF ITS ESSENTIAL PURPOSE. THE FOREGOING DISCLAIMER WILL NOT APPLY TO THE EXTENT PROHIBITED BY LAW. 
  13. GENERAL TERMS
    1. Order of priority. In the event of any conflict between this Data Protection Addendum and the Original Agreement, this Data Protection Addendum will prevail with respect to the Processing of Personal Data. In the event of any conflict between this Data Protection Addendum and the EU SCCs or the UK IDTA, the EU SCCs or UK IDTA, as applicable, will prevail. 
    2. Severance. Should any provision of this Data Protection Addendum be invalid or unenforceable, then the remainder of this Data Protection Addendum shall remain valid and in force. 
    3. Termination. The terms and conditions of this Data Protection Addendum will terminate upon termination or expiration of the Original Agreement. Notwithstanding the foregoing, provisions which by their nature are intended to survive the expiration or earlier termination of this Data Protection Addendum or the Original Agreement are intended by the Parties to survive such expiration or earlier termination.
    4. Governing law and jurisdiction. Except for any obligations and disputes arising under the Standard Contractual Clauses or the UK Standard Contractual Clauses for Controllers to Processors, this Data Protection Addendum and all non-contractual or other obligations arising out of or in connection with it shall be governed by and construed in accordance with the governing law provisions set forth in the Original Agreement. 
    5. Certification. VISO TRUST certifies that it understands the restrictions set forth above and will comply with them.

IN WITNESS WHEREOF, this Data Protection Addendum is entered into and takes effect on the date first set out above.

Licensee

Signature ______________________________

Name _________________________________

Title __________________________________

Date Signed ____________________________

VISO TRUST

Signature ______________________________

Name _________________________________

Title __________________________________

Date Signed ____________________________

  • Details of processing of Licensee Personal Data

For the purposes of Article 28(3) of the GDPR;

Data Subjects

The Licensee Personal Data transferred concern the following categories of Data Subjects:

  • Licensee Employees, Licensee’s Supplier Employees

Categories of Personal Data

The Licensee Personal Data transferred may concern the following types / categories of Personal Data:

  • Names, work email addresses, limited device information (i.e. IP address, web browser)

Special Categories of Personal Data (if applicable)

The Licensee Personal Data transferred may concern the following Special Categories of Personal Data (please specify):

N/A

Nature / Purpose of Processing

The Licensee Personal Data transferred is to be Processed by VISO TRUST as necessary to perform the Services pursuant to the Original Agreement and as further instructed by Licensee in its use of the Services. 

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Competent Supervisory Authority

Location of Processing

The Licensee Personal Data is to be Processed by VISO TRUST in the following locations:

United States and India

  • Technical and Organisational Security Measures
    1. VISO TRUST agrees to maintain and use appropriate safeguards to prevent the unauthorised access to or use of Licensee information, including Licensee Personal Data (together the “Licensee Data”), and to implement administrative, physical and technical safeguards to protect Licensee Data that are no less rigorous than accepted applicable industry standards for information security, e.g. ISO/IEC 27001:2013, that reasonably and appropriately protect the confidentiality, integrity and availability of information or data that VISO TRUST processes in the course of providing the Services. Such safeguards shall include:
      1. security management policies and procedures including incident management procedures to address security events;
      2. access controls, including password change controls, to ensure access to information resources is granted on a need to know and least privilege basis;
      3. industry recognised device and software management controls to guard against viruses and other malicious or unauthorised software. To include but not limited to installing, configuring and maintaining appropriate firewalls; anti-virus software and robust patching schedules;
      4. industry standard encryption safeguards as appropriate and where required by law;
      5. supporting and maintaining operating systems and infrastructure as required by best practice;
      6. security awareness to ensure employee understanding of their responsibilities in guarding against security events and unauthorised use or access to information;
      7. logging procedures to proactively record user and system activity for routine review; and 
      8. facility access and protection controls to limit physical access to information resources and guard against environmental hazards (e.g., water or fire damage).

Schedule 3 – International Data Transfer Addendum to the EU Commission Standard Contractual Clauses

International Data Transfer Addendum to the EU Commission Standard Contractual Clauses

VERSION B1.0, in force 21 March 2022

This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

Part 1: Tables

Table 1: Parties

| Start date | Effective date of the Agreement | |
|---|---|---|
| The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
| Parties’ details | Full legal name: [Licensee]; Trading name (if different): ; Main address (if a company registered address): ; Official registration number (if any) (company number or similar identifier): | Full legal name: Valente Sherman Inc. (as identified in the Data Protection Addendum and the Original Agreement); Trading name (if different): VISO TRUST; Main address (if a company registered address): as identified in the Data Protection Addendum and the Original Agreement; Official registration number (if any) (company number or similar identifier): |
| Key Contact | Full Name (optional): ; Job Title: ; Contact details including email: | Full Name (optional): ; Job Title: As indicated in the Original Agreement and Data Protection Addendum; Contact details including email: As indicated in the Data Protection Addendum and the Original Agreement |
| Signature (if required for the purposes of Section 2) | | |

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs:

☐ The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information: Date: ; Reference (if any): ; Other identifier (if any):

Or

☒ the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:

| Module | Module in operation | Clause 7 (Docking Clause) | Clause 11 (Option) | Clause 9a (Prior Authorisation or General Authorisation) | Clause 9a (Time period) | Is personal data received from the Importer combined with personal data collected by the Exporter? |
|---|---|---|---|---|---|---|
| 1 | | | | | | |
| 2 | Module 2 | No | No | General Authorization | Thirty (30) days | N/A |
| 3 | | | | | | |
| 4 | | | | | | |

Table 3: Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties: Exhibit E to the DPA
Annex 1B: Description of Transfer: Exhibit E to the DPA
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: Exhibit B to the DPA
Annex III: List of Sub processors (Modules 2 and 3 only): Exhibit C to the DPA

Table 4: Ending this Addendum when the Approved Addendum Changes

| Ending this Addendum when the Approved Addendum changes | Which Parties may end this Addendum as set out in Section 19: ☒ Importer ☒ Exporter ☐ neither Party |

Part 2 Mandatory Clauses:

| Mandatory Clauses | Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses. |

Schedule 4 – Approved Subprocessors

| Name | Purpose of Processing | Categories of Personal Data processed |
|---|---|---|
| Okta | Identity provider platform used for multi-factor authentication and SSO functionality. | Names, work email addresses, limited device information (i.e. IP address, web browser) of licensee employees and licensee’s supplier employees |
| Google | Corporate productivity, email, calendar, meeting platform and hosting and IT infrastructure. | Names, work email addresses, limited device information (i.e. IP address, web browser) of licensee employees and licensee’s supplier employees |
| Atlassian | The JIRA ticketing system is used internally for tracking all code or infrastructure changes that are made to the application, user access management, personnel onboarding and offboarding, and customer service support requests. | Names, work email addresses, limited device information (i.e. IP address, web browser) of licensee employees and licensee’s supplier employees |
| Slack | Slack is used for internal, real-time communication between VISO TRUST associates and is also offered to customers as an avenue for support by utilising the ability for a Slack channel to have external organisations. | Names, work email addresses, limited device information (i.e. IP address, web browser) of licensee employees and licensee’s supplier employees |
| AWS | Industry leading cloud hosting provider that is used to host the application and related data. | Names, work email addresses, limited device information (i.e. IP address, web browser) of licensee employees and licensee’s supplier employees |
| CloudFlare | Cloudflare-owned, globally distributed network of caching servers with application protection. Includes Cloud CDN and WAF Protection. | Names, work email addresses, limited device information (i.e. IP address, web browser) of licensee employees and licensee’s supplier employees |
| Honeycomb | Honeycomb is a cloud-hosted observability platform that allows VISO TRUST to analyse and inspect the performance of various components of the web application. | Names, work email addresses, limited device information (i.e. IP address, web browser) of licensee employees and licensee’s supplier employees |
| Postmark | Postmark delivers transactional platform email. | Names, work email addresses, limited device information (i.e. IP address, web browser) of licensee employees and licensee’s supplier employees |
| Hubspot | Hubspot is used for Customer Support and ticketing. | Names, work email addresses, limited device information (i.e. IP address, web browser) of licensee employees and licensee’s supplier employees |