Impart Security Data Processing Agreement

Last Revised: September 14, 2023

  1. Purpose. The Data Processing Agreement (“DPA”) is made solely for the purpose of reflecting the parties’ agreement with regards to the Processing of Personal Data by Impart on behalf of Customer in accordance with Privacy and Data Protection Laws. Impart agrees to comply with the following provisions with respect to any Personal Data submitted by or for Customer to the Services or collected and Processed by or for Customer in its use of the Services. This DPA is only valid and binding during the term of any Order that incorporates the Agreement.
  2. Definitions. Capitalized terms not defined in this Exhibit A shall have the meaning set forth in the Agreement.
  1. “Agreement” means any master subscription agreement, by which Impart grants a limited subscription to use the Services to Customer or otherwise makes its services available.
  2. “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations, and as amended or modified by the California Privacy Rights Act of 2020 (“CPRA”).
  3. “Customer” means the customer that has executed an Order for Services.
  4. “Customer System Data” has the meaning of such defined term in the Agreement or other similar term to describe the data submitted (or caused to be submitted) to Impart via the Services.
  5. “Data Controller” has the meaning given to “controller” or “data controller” in accordance with applicable Privacy and Data Protection Laws.
  6. “Data Processor” has the meaning given to “processor” or “data processor” in accordance with applicable Privacy and Data Protection Laws.
  7. “Data Subject” has the meaning given to “data subject” in accordance with applicable Privacy and Data Protection Laws.
  8. “EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
  9. “GDPR” means, as applicable, the EU GDPR and/or the UK GDPR.
  10. “Personal Data” has the same meaning as personal data or information of or about a person, as defined in the applicable Privacy and Data Protection Laws, where such data is submitted to Impart via the Services.
  11. “Privacy and Data Protection Laws” means any law or regulation applicable to the processing of personal data under the Agreement, including, for example, the GDPR and the CCPA.
  12. “Processing” and “process” have the meaning given in accordance with applicable Privacy and Data Protection Laws.
  13. “Order” means one or more online or written ordering documents which incorporate the Agreement or have otherwise been accepted by Impart.
  14. “Services” has the meaning of such defined term in the Agreement or other similar terms to describe the products and services provided by Impart.
  15. “Standard Contractual Clauses” means, as applicable, the EEA Standard Contractual Clauses and/or the UK Standard Contractual Clauses as defined in Appendix 3.
  16. “Sub-processor” means any Data Processor engaged by Impart.
  17. “UK GDPR” means the EU GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018.

3. Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is either a Data Controller or a Data Processor, and Impart is a Data Processor. 

4. Customer’s Processing of Personal Data. Customer shall, in its use of the Services, only Process Personal Data or transfer such Personal Data to Impart, in accordance with the requirements of Privacy and Data Protection Laws and the Documentation. In particular, Customer represents and warrants on an ongoing basis that, for the purposes of Article 6 of the GDPR, there is a legal basis for the Processing by Impart of Personal Data on behalf of Customer in accordance with this DPA and the Agreement (including any and all instructions issued by Customer from time to time in respect of such Processing) and it will honor the rights of Data Subjects pursuant to Privacy and Data Protection Laws.  If Customer is a Data Processor, Customer represents and warrants that its instructions and actions with respect to the Personal Data, including appointing Impart as a Processor, have been and are authorized by the relevant Data Controller.

5. Impart’s Processing of Personal Data. Impart shall only Process Personal Data upon Customer’s documented instructions and immediately notify Customer in writing if, in Impart’s reasonable opinion, their instructions infringe Privacy and Data Protection Laws. Customer instructs Impart to Process Personal Data for the following purposes:  (i) Processing in accordance with the Agreement, applicable Orders, and Customer’s use of the Services; (ii) Processing initiated by Customer through the Services’ application programming interfaces (APIs) or user interfaces; (iii) Processing to comply with other reasonable documented instructions provided by Customer (e.g., via support tickets, email communications and chat platforms) where such instructions are consistent with the terms of the Agreement; and (iv) Processing otherwise required of Impart by applicable laws. This DPA and the Agreement contain Customer’s sole instructions to Impart for the Processing of Personal Data, provided that the Customer may provide additional instructions during the term of the Agreement or applicable Order that are consistent with this DPA and the nature and lawful use of the Services.  Appendix I, Part B to this DPA sets out the details of Impart’s Processing of Personal Data.

6. Transfers Of Personal Data

  1. Consent to Transfer. Except as expressly set forth in the Agreement, Impart may store and process Personal Data in the United States or any other country in which Impart or any of its Sub-processors maintains facilities, subject to this Section 6.
  2. Cross-Border Personal Data Transfer Mechanism. Where Processing of Personal Data by Impart requires an onward transfer mechanism to lawfully transfer Personal Data from a jurisdiction (including those identified in Appendix 3), then the terms and conditions of Appendix 3 (Cross Border Transfer Mechanism) shall apply.

7. Correction, Amendment and Deletion of Personal Data. To the extent Customer, in its use of the Services, does not have the ability to correct, amend or delete Personal Data as required by Privacy and Data Protection Laws, Impart shall comply with any commercially reasonable request by Customer to facilitate such actions to the extent Impart is legally permitted to do so and has reasonable access to the Personal Data. Customer acknowledges that Impart cannot correct, amend, or permanently delete cached copies of Personal Data hosted or stored on equipment controlled by Customer; and the storage and deletion of Customer System Data processed by the Services occur automatically in accordance with the Documentation.

8. Third Party Requests. Impart shall, to the extent legally permitted, promptly notify Customer if it receives a request, complaint, inquiry or other correspondence from a data subject, regulatory authority, or other third party in connection with Impart’s processing of Personal Data. Unless required by law, Impart shall not respond to any such third party request without Customer’s prior written consent except to confirm that the third party request relates to Customer and to provide the third party with Customer’s contact information to allow them to contact Customer directly. Taking into account the nature of the Processing and to the extent Customer does not have access to the relevant information through its use of the Services, Impart shall, at Customer’s cost, provide Customer with such assistance as may be reasonably necessary and technically possible in the circumstances, to assist Customer in fulfilling its obligations with respect to third party requests. 

9. Impart Personnel

  1. Confidentiality. Impart shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed confidentiality agreements. 
  2. Reliability. Impart shall take commercially reasonable steps to ensure the reliability of any Impart personnel engaged in the Processing of Personal Data.
  3. Limitation of Access. Impart shall limit its access to Personal Data to those personnel who require such access to perform the Agreement.
  4. Data Protection Officer. Impart has appointed a data protection officer to the extent this is required by Privacy and Data Protection Laws. The appointed person may be reached at privacy@impart.security.  Impart’s language for official communications is English.

10. Sub-Processors

  1. Appointment of Sub-processors.  In accordance with Article 28(2) of the GDPR, Customer acknowledges and agrees that Impart may engage third-party Sub-processors in connection with the provision of the Services, in which case, Impart shall enter into a written agreement with each Sub-processor containing data protection obligations in substantially similar terms to those in this DPA with respect to the protection of Personal Data to the extent applicable to the nature of the Services provided by such Sub-processor. Impart will make available to Customer a current list of Sub-processors engaged in connection with the provision of the Services with the identities of those Sub-processors upon request. Additions or changes to the list of Sub-processors will be provided to Customers in writing in no event less than thirty (30) days prior to the date on which those Sub-processors begin processing Personal Data.
  2. Right to Object. In the event Customer objects to a new or replacement Sub-processor that Processes Personal Data, Customer may terminate the applicable Order(s) for those Services which cannot be provided by Impart without the Processing of Personal Data by the objected-to new Sub-processor by providing written notice to Impart within thirty (30) days of Impart’s notice or disclosure of such new Sub-processor(s). Customer shall receive a pro-rata refund of any unearned prepaid fees for the period following the effective date of termination in respect of such terminated Services. 
  3. Liability. Impart shall be liable for the acts and omissions of its Sub-processors to the same extent Impart would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.

11. Security Controls for the Protection of Personal Data. Impart shall maintain appropriate administrative, physical and technical safeguards for protection of the security and integrity of the Personal Data.  Impart regularly monitors compliance with these safeguards.

12. Security Breach Management and Notification. Impart shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data Processed by Impart or its Sub-processors of which Impart becomes aware (“Security Breach”), providing Customer with sufficient information (insofar as such information is within Impart’s possession) to allow Customer to meet its obligations to report or inform data subjects and/or regulatory authorities of the Security Breach under the GDPR, to the extent permitted by law. Impart shall make commercially reasonable efforts to assist Customer in the investigation, mitigation and remediation of a Security Breach that is known to Impart to the extent such Security Breach is caused by a violation of the requirements of this DPA by Impart.

13. Limitation of Liability. Nothing in this DPA is intended to prejudice or limit any of Impart’s right to limitations of liability afforded to data processors pursuant to Privacy and Data Protection Laws. Each party’s liability arising out of or related to this DPA (whether in contract, tort or under any other theory of liability) is subject to the limitations of liability set forth in the Agreement; provided, in no event will such limitation apply to any data subject’s rights under the Standard Contractual Clauses.

14. Specific Provisions

  1. Security Controls for the Protection of Personal Data. Impart shall maintain appropriate administrative, physical and technical safeguards for protection of the security and integrity of the Personal Data.  Impart regularly monitors compliance with these safeguards.
  2. Security Breach Management and Notification. Impart shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data Processed by Impart or its Sub-processors of which Impart becomes aware (“Security Breach”), providing Customer with sufficient information (insofar as such information is within Impart’s possession) to allow Customer to meet its obligations to report or inform data subjects and/or regulatory authorities of the Security Breach under the GDPR, to the extent permitted by law. Impart shall make commercially reasonable efforts to assist Customer in the investigation, mitigation and remediation of a Security Breach that is known to Impart to the extent such Security Breach is caused by a violation of the requirements of this DPA by Impart.
  3. Limitation of Liability. Nothing in this DPA is intended to prejudice or limit any of Impart’s right to limitations of liability afforded to data processors pursuant to Privacy and Data Protection Laws. Each party’s liability arising out of or related to this DPA (whether in contract, tort or under any other theory of liability) is subject to the limitations of liability set forth in the Agreement; provided, in no event will such limitation apply to any data subject’s rights under the Standard Contractual Clauses.
  1. Upon Customer’s request, and subject to the confidentiality obligations set forth in the Agreement, Impart shall make available to Customer information regarding Impart’s compliance with the obligations set forth in this DPA and Customer shall use such information solely for the purposes of complying with its obligations under Privacy and Data Protection Laws.
  2. If the information made available pursuant to Section 14.3.1 is insufficient, in Customer’s reasonable judgment, to confirm Impart’s compliance with its obligations under this DPA, then Customer may request an on-site audit of the procedures relevant to the protection of Personal Data under this DPA. All such audits will be performed at Customer’s expense. Customer shall give Impart reasonable notice of any on-site audit to be conducted under this Section 14.3 (which shall in no event be less than thirty (30) days’ notice unless required by a regulatory authority).
  3. Customer shall reimburse Impart for any time expended for any such on-site audit at Impart’s then-current professional services rate, which shall be made available to Customer upon request. Before the commencement of any such on-site audit, Customer and Impart shall mutually agree upon the scope, timing and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Impart. Customer shall promptly notify Impart with information regarding any non-compliance discovered during the course of an audit.

4. Deletion of Personal Data. Impart shall delete Personal Data upon the termination or expiration of all Orders providing for the Processing of Personal Data and upon the request of Customer to the extent permitted by applicable law. 

5. Certification of Deletion. The parties agree that the certification of deletion of Personal Data that is described in Clause 8.5 of the Standard Contractual Clauses shall be provided by Impart to Customer only upon Customer’s request.

15. CCPA Compliance. As a service provider to Customer under the Agreement, Impart will comply with the CCPA’s restrictions and prohibitions on service providers selling Personal Data and retaining, using, or disclosing Personal Data outside of the parties’ direct business relationship. Impart shall not collect, use, retain, or disclose Personal Data except as permitted in the Agreement and under the CCPA. Impart shall not sell Personal Data.

16. Enforcement. If any provision of this DPA is held by a court of competent jurisdiction to be contrary to law, the provision will be deemed null and void, and the remaining provisions of this DPA will remain in effect.

17. Order of Precedence. In the event of any conflict or inconsistency among the following, the provisions of the following agreements, in order of precedence, shall prevail: (i) the Standard Contractual Clauses (when applicable), (ii) this DPA, (iii) the Order(s) and (iv) the Agreement.

Appendix 1

Details of the Parties and Processing

A. List of Parties

Data exporter(s): 

  • Name: Customer and any Affiliates identified by Customer in the Agreement
  • Address: Address of Customer described in the Agreement or as Customer has otherwise informed Impart
  • Contact person’s name, position, and contact details: As stated in the Agreement or as Customer has otherwise informed Impart
  • Activities relevant to the data transferred under the SCCs and this DPA: use of the Services in accordance with the Agreement
  • Signature and Date: This Appendix 1 shall be deemed executed upon execution of the DPA. 
  • Role: Data exporter’s role is set forth in Section 3 of the DPA.

Data importer(s):

  • Name: Impart Security Inc.
  • Address: 1430 S. Dixie Hwy Ste 105 #1132, Coral Gables, FL 33146, United States of America
  • Contact person’s position and contact details: Data Protection Officer, privacy@impart.security
  • Activities relevant to the data transferred under the SCCs and this DPA: Processing necessary to provide the Services
  • Signature and Date: This Appendix 1 shall be deemed executed upon execution of the DPA.
  • Role: Processor

B. Description of Processing and Transfer

The categories of Data Subject to whom the Personal Data relates

Data Subjects include the identified or identifiable persons contained in content or requests, including internet protocol (IP) addresses, caused to be submitted to Impart via the Services according to, by or at the direction of Customer’s configuration of the Services. 

Categories of personal data processed and transferred

Personal Data within Customer System Data (as that term is defined in the Agreement). 

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

The Services do not require the Processing of sensitive data. Sensitive data will be processed only if data exporter instructs data importer to process sensitive data. The sensitive or special categories of data contained in content or requests (as determined and controlled by the data exporter) may include Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and the processing of data concerning health or sex life. Any such special categories of data shall be protected by applying the Security Measures described in Appendix 2.

The frequency of the processing and transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Processing and transfers shall occur on a continuous basis as instructed by data exporter. 

The nature and purpose of the Processing 

Impart is a provider of network security services. Impart provides all of its services upon the instruction of the data exporter in accordance with the terms of (i) the Agreement and (ii) the DPA with the data exporter. 

Impart will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further specified in the Documentation and in accordance with Customer’s configurations of the Services. 

Purpose(s) of the data transfer and further processing 

The objective of processing of personal data by data importer is the performance of the Services pursuant to the Agreement with data exporter. 

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period 

Personal Data is retained consistent with data exporter’s instructions and data importer’s documentation. 

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Data may be transferred to sub-processors to process data, on data importer’s behalf, consistent with data exporter’s instructions to data importer and data importer’s published documentation.

Data importer makes available to data exporter a current list of sub-processors engaged in connection with the Services. Notice of additions or changes to the list of sub-processors will be provided to data exporter according to the DPA.

C. Competent Supervisory Authority

Identify the competent supervisory authority/ies in accordance with Clause 13

For the EEA Standard Contractual Clauses, the competent supervisory authority is determined in accordance with Clause 13 of the EEA SCCs.

For the UK Standard Contractual Clauses, the competent supervisory authority is the UK Information Commissioner’s Office.

Appendix 2 

Technical and Organisational Measures Including Technical and Organisational Measures To Ensure The Security Of The Data

Impart will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data as described below, and as may be updated from time to time.  

Authentication and authorization

Our systems and devices enforce user roles or similar measures to control the extent of access we grant individual users.

We control access to privileged systems by enforcing MFA, TLS and other best practices.

Our authentication requirements, such as passwords, are in line with industry standard practices.

Business continuity and operational resilience

We monitor production operation systems and supporting systems to detect service-related issues on a continuous basis. The systems are monitored 24x7 to ensure constant availability to clients.

If an update has potential impact to customer uptime, we will determine a timeline for the update and communicate the impact to customers via written and/or verbal communications, including email, Slack and/or phone.

We maintain our services in multiple Availability Zones (AZs) to operate production applications and databases that are more highly available, fault-tolerant, and scalable than would be possible from a single data center.

Cloud infrastructure data center and physical security

We rely on data center space under the control of Amazon Web Services (AWS) and their physical security controls. As part of our third-party security review process, we confirm that this provider maintains appropriate physical security measures to protect its data center facilities.

Customer and end user data management

We store and retain customer data that is sent to us and that is processed via the security components of the Services for up to 30 days.

Encryption

We use industry-accepted encryption technologies to encrypt sensitive information. All client data is encrypted in transit using TLS.

Governance

We have formally assigned information security duties to our personnel. Our leadership works with all departments to safeguard sensitive information related to our services.

Our policies and procedures help us maintain security in our systems, processes, and employee practices. Our leadership formally reviews these policies and procedures at least annually.

We integrate risk assessment activities with various processes to identify and address information security risk to the company and customer data on our network.

We perform risk-based evaluations of the security measures of our vendors. We review these security measures before we begin using a vendor. We re-evaluate vendor security measures on a recurring basis thereafter.

Human resources security

Our employees formally agree to safeguard the sensitive information they may view, process, or transmit as part of their job functions.

We train our people to protect the data and devices they use.

We screen new employees as part of the hiring process. Screening activities depend on applicable local regulations and may include criminal background checks and reference checks.

Identity and access management

We periodically inspect access privileges to make sure our personnel have appropriate access to our systems and data.

We promptly update or remove an employee's access to our network to match that employee's current job function or employment status.

Logging and monitoring

We configure thresholds within our monitoring tool to alert when a security policy has been violated. Threshold policies are reviewed on an annual basis for accuracy and appropriateness.

We restrict, log, and monitor information security management systems activity with anomaly alerting. 

Network and infrastructure security

We review and validate information systems and network device configurations against established security policies and procedures.

To maintain awareness of potential security vulnerabilities, we monitor public and private distribution lists. We validate and implement security patches for critical vulnerabilities within 24 hours of them becoming available. For non-critical vulnerabilities and updates, we schedule and deploy vendor-provided patches on a regular basis.

To protect from known vulnerabilities, we maintain assets at the latest version and patch levels currently supported by vendors. Priority of patch deployment is based on vulnerabilities and the risks they pose to the environment.

Security incident management

We will notify affected customers within 48 hours of validating an unauthorized disclosure of customer confidential information.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

Impart conducts internal audits and risk assessments.

Appendix 3 - Cross Border Transfer Mechanism

1. Definitions. Capitalized terms not defined in this Appendix shall have the meaning set forth in the DPA.

1.1 “Standard Contractual Clauses” means, as applicable to a particular transfer, one of the following:

  • 1.1.1 EEA SCCs
  • 1.1.2 UK SCCs
  • 1.1.3 IDTA

1.2 “EEA SCCs” or “EEA Standard Contractual Clauses” means the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

1.3 “UK SCCs” or “UK Standard Contractual Clauses” means the UK Addendum to the EEA SCCs adopted pursuant to or permitted under Article 46 of the UK GDPR.

1.4 “UK IDTA” means the UK International Data Transfer Agreement (IDTA) adopted pursuant to or permitted under Article 46 of the UK GDPR.

2. The Standard Contractual Clauses will apply to any Processing of Personal Data by Impart where Personal Data is transferred from the European Economic Area (“EEA”), the United Kingdom and/or Switzerland to outside the EEA, the United Kingdom and/or Switzerland, either directly or via onward transfer, to any country or recipient: (a) not recognized by the European Commission, United Kingdom, or Switzerland (as applicable) as providing an adequate level of protection for Personal Data (within the meaning of Privacy and Data Protection Laws); and (b) to the extent the transfer is not covered by an alternative mechanism of transfer (e.g., binding corporate rules) recognized by the relevant authorities or courts as providing an adequate level of protection for personal data.

3. Application of the EEA Standard Contractual Clauses. For data transfers from the EEA or Switzerland, then the EEA SCCs will apply as follows:

  • 3.1 Module 2 (Controller to Processor) will apply where Customer is a Controller of Personal Data and Impart is a Processor of Personal Data;
  • 3.2 Module 3 (Processor to Processor) will apply where Customer is a Processor of Personal Data and Impart is a Processor of Personal Data;
  • 3.3 For each module, where applicable:
  • 3.3.1 in Clause 7, the optional docking clause will not apply.
  • 3.3.2 in Clause 9, Option 2 will apply, and the time period for prior notice of a sub-processor will be as set forth in Section 10 of the DPA.
  • 3.3.3 in Clause 11, the option will apply.
  • 3.3.4 in Clause 17 (Governing Law) (Option 1), the law of Ireland will apply.
  • 3.3.5 In Clause 18(b), disputes will be resolved before the courts of Ireland.

3.4 Annex I of the SCCs shall be deemed completed with the information in Appendix 1 of this DPA.

3.5 Annex II of the SCCs shall be deemed completed with the information in Appendix 2 of this DPA.

3.6 For transfers from Switzerland:

  • 3.6.1 The supervisory authority with respect to such Personal Data is the Swiss Federal Data Protection and Information Commissioner.
  • 3.6.2 References to a “Member State” shall be interpreted to refer to Switzerland.
  • 3.6.3 Data subjects located in Switzerland shall be able to enforce their rights in Switzerland.
  • 3.6.4 References to the EU GDPR shall be understood to refer to the Swiss Federal Act on Data Protection (as amended or replaced).
  • 3.6.5 In Clause 17 (Governing Law)(Option 1), the law of Switzerland will apply.
  • 3.6.6 In Clause 18(b), disputes will be resolved in the courts of Switzerland.

4. Application of the UK Standard Contractual Clauses. In relation to any Personal Data that is subject to the UK GDPR, the EEA SCCs will apply in accordance with sub-section (a) and the following modifications: (i) the EEA SCCs will be modified and interpreted in accordance with the UK Addendum, which will be incorporated by reference and form an integral part of the Agreement; (ii) Tables 1, 2 and 3 of the UK SCCs will be deemed completed with the information set out in the Appendices of this DPA and Table 4 will be deemed completed by selecting “neither party”; and (iii) any conflict between the terms of the EEA SCCs and the UK SCCs will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.

5. Application of the UK International Data Transfer Agreement. For Personal Data transfers from the UK that do not also involve Personal Data being transferred from the EEA or Switzerland (“Transferred Data”), then the UK IDTA will apply as follows:

5.1 Part one: Tables

5.1.1 Table 1: Parties and signature: This Table shall be deemed completed with the information in Appendix 1 of this DPA and the signatures to the DPA.

5.1.2 Table 2: Transfer Details

  • 5.1.2.1 UK country’s law that governs the IDTA: England and Wales
  • 5.1.2.2 Place for legal claims to be made: England and Wales
  • 5.1.2.3 The status of the importer: Importer is the Exporter’s Processor or Sub-Processor
  • 5.1.2.4 Whether the UK GDPR applies to the Importer: UK GDPR applies to the Importer’s Processing of the Transferred Data
  • 5.1.2.5 Linked Agreements: The Agreement, Orders, and the DPA.
  • 5.1.2.6 Term: The Importer may Process the Transferred Data for the following time period: the period for which the Linked Agreement is in force.
  • 5.1.2.7 Ending the IDTA before the end of the term: the Parties cannot end the IDTA before the end of the Term unless there is a breach of the IDTA.
  • 5.1.2.8 Can the Importer make further transfers of the Transferred Data?  The Importer MAY transfer on the Transferred Data to another organisation or person (who is a different legal entity) in accordance with IDTA Section 16.1 (Transferring on the Transferred Data).
  • 5.1.2.9 Specific restrictions when the Importer may transfer on the Transferred Data: The Importer MAY ONLY forward the Transferred Data in accordance with IDTA Section 16.1 pursuant to the terms of Section 10 of the DPA.
  • 5.1.2.10 Review Dates: The Parties must review this IDTA at least once each year.

5.1.3 Table 3: Transferred Data: This Table shall be deemed completed with the information in Appendix 1 of this DPA.

5.1.4 Table 4: Security Requirements: This Table shall be deemed completed with the information in Appendix 2 of this DPA.

5.2 Part two: Extra Protection Clauses: Intentionally omitted

5.3 Part three: Commercial Clauses: Intentionally omitted

5.4 Part four: Mandatory Clauses: no modifications