Data Processing Addendum

Current

Last updated: October 16, 2023

This Data Processing Addendum, including the Standard Contractual Clauses referenced herein, (collectively, “DPA”) amends and supplements any existing and currently valid Main Agreement (defined below) either previously or concurrently made between:

Scratchpad Inc.,
a company incorporated under the laws of the State of Delaware, USA, having its principal place of business at 440 N. Barranca Ave, # 9418, Covina, CA 91723-1722 (USA) (the “Data Processor”)

and

The other party to the Main Agreement, as defined below, (the “Data Controller”).

Data Processor and Data Controller are also individually referred to herein as a “Party” and collectively as the “Parties”. Defined terms used in this DPA but not otherwise defined herein shall have the meanings ascribed to them in the Main Agreement.

RECITALS

I. Data Processor and Data Controller agreed to the Main Agreement (as defined below).
‍
II. Pursuant to the Main Agreement, Data Processor may Process Personal Data in connection with the Service (as defined below) on behalf of Data Controller.
‍
III. The Parties agree to comply with the following provisions with respect to any Personal Data transferred to Data Processor in connection with Data Processor’s provision of the Service to Data Controller.

NOW, THEREFORE, THE PARTIES AGREE AS FOLLOWS:

1. Definitions

‍
“Affiliate” has the meaning ascribed to it in the Main Agreement.
‍
“CCPA” means the California Consumer Privacy Act.
‍
“Data Controller” means the Party that determines the purposes and means of the Processing of Personal Data, namely, the other Party to the Main Agreement, as noted above.
‍
“Data Processor” means the Party who Processes Personal Data on behalf of Data Controller, namely, Scratchpad Inc., as noted above.
‍
“Data Protection Law(s)” means all applicable laws relating to the Processing of Personal Data and privacy that may exist in any relevant jurisdiction, including, where applicable, guidance, formal directives, applicable regulations, and codes of practice issued by the applicable Supervisory Authority, and including, without limitation to the extent applicable: (i) CCPA; (ii) GDPR; (iii) UK GDPR; and (iv) FADP.  Data Protection Law(s) exclude, without limitation, consent decrees.

“Data Subject” means the person to whom the Personal Data relates.

“Effective Date” means the date on which the Main Agreement between the Parties became effective.

“European Economic Area” means a Member State of the European Union, together with Norway, Iceland, and Liechtenstein, (jointly referred to as “EEA”).

“EU Personal Data” means Personal Data which is, or has been, subject to the Data Protection Laws of a Member State   of the EEA.

“EU SCC” means the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clause, Module II, for the transfer of personal data to third countries pursuant to GDPR, where GDPR applies.

“FADP” means the Swiss Federal Act on Data Protection as updated on 25 September 2020.

“GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data).

“Main Agreement’’ means the Scratchpad Terms of Service, the SaaS Service Agreement, or written agreement (as applicable) and the contractual documents including Order Form(s) thereto, as well as any exhibits or amendments or add-on Order Form(s), as entered into between Data Controller and Data Processor.

“Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific  to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person that Data Processor has received from Data Controller on or after the Effective Date for Processing pursuant to the Main Agreement when such data is protected as “personal data” or “personally identifiable information” or a similar term under applicable Data Protection Laws. Personal Data processed pursuant to the Main Agreement explicitly excludes Prohibited Data.

“Personal Data Breach” means any accidental, unauthorized, or unlawful destruction, loss, alteration, or disclosure of, or access to Personal Data where such compromise of the Personal Data meets the definitions of both “personal   data” (or like term) and “security breach” (or like term) under applicable Data Protection Law(s) governing the particular circumstances.

“Process” or “Processing” or “Processed” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, blocking, erasure or destruction.

“Prohibited Data” has the meaning ascribed to it in Section 3.5.

“Service” has the meaning ascribed to “Service” in the Main Agreement.

“Standard Contractual Clauses” means the EU SCC or the UK SCC together as means to safeguard the transfer of personal data outside of, respectively, the EEA, the UK, or Switzerland.

“Sub-processor” means any processor engaged by Data Processor or by any other Sub-processor of Data Processor who receives Personal Data exclusively intended for Processing activities to be carried out on behalf of Data Controller in connection with the Service.

“Supervisory Authority” has the meaning set forth under the applicable Data Protection Laws. When the EU Personal Data are involved, the Supervisory Authority is the data protection commission for the Republic of Ireland.

“Swiss Personal Data” means Personal Data which is, or has been, subject to the Data Protection Laws of Switzerland. Swiss Personal Data shall encompass, in addition to data relating to identified or identifiable individuals, data relating to identified and identifiable legal entities if and as long as such data is considered personal data under the FADP.

“UK GDPR” means the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.

“UK Personal Data” means Personal Data which is, or has been, subject to the Data Protection Laws of the United Kingdom.

“UK SCC” means the UK International Data Transfer Addendum to the EU SCC issued by the UK ICO, where the UK GDPR applies.

2.0 Scope of the DPA
‍
‍
2.1
‍
The Personal Data to be transferred or collected for Processing pursuant to the Main Agreement may consist of the following categories of data:

First and last name, email address, title, phone number, business address, employer’s company name, localization data, and/or information related to selections made through the Service, including online orders placed thereby.

Where Data Controller initiates video recording, such categories of Personal Data as may be recorded during the session including, without limitation, Personal Data in:
‍
• Video, audio, whiteboard, captions and presentations
• Text files of meeting group chats
• Closed captioning transcripts

2.2
‍
The categories of Data Subjects whose Personal Data may be Processed are: Individuals about whom Personal Data is provided to the Data Processor via the Services by (or at the direction of) Data Controller and/or its Affiliates, which may include, without limitation, employees,  contractors, customers and/or prospective customers of Data Controller or its Affiliates

2.3
‍
The nature and purpose of Processing activities to be undertaken by Data Processor are: Providing the Service to Data Controller.

3.0 Obligations of Data Controller

3.1
‍
In accordance with the applicable Data Protection Law(s), Data Controller remains responsible for ensuring the rights of the concerned Data Subjects, including but not limited to, (i) access to their data, (ii) rectification of inaccurate or incomplete data, (iii) erasure of their data, (iv) when applicable, limitation of the use of their data, (v) when data is processed in an automated way, right to transfer their data to a third party under a standard interoperable format (right to portability), (vi) when applicable, opposition to the data processing, or (vii) consent withdrawal. A Data Subject may lodge a complaint with the applicable Supervisory Authority at any time.

3.2
Data Controller shall have provided, and will continue to provide its Data Subjects all notices and have obtained, and will continue to obtain from its Data Subjects, all consents, permissions and rights necessary under applicable Data Protection Law(s) for Data Processor to lawfully process Personal Data for the purposes contemplated by the Main Agreement (including this DPA).

3.3
Data Controller will inform its Data Subjects (i) about its use of Data Processor to Process their Personal Data as required by applicable Data Protection Law(s) and (ii) that their Personal Data will be Processed outside of the European Economic Area, the United Kingdom, Switzerland, as required by applicable Data Protection Law(s).
‍
3.4
Data Controller shall without undue delay notify Data Processor in writing (email insufficient) at the address specified above when it discovers errors or irregularities in the Processing of Personal Data in accordance with applicable Data Protection Law(s).

3.5
Data Controller shall respond in a reasonable time to enquiries from any Supervisory Authority regarding the processing of relevant Personal Data by Data Controller. If any Party is required under applicable Data Protection Law(s) to issue information to any Supervisory Authority regarding the collection, processing, or use of Personal Data, the other Party may support the responding Party in its efforts to provide such information.

3.6
Data Controller hereby acknowledges that the Service is intended only to record notes, tasks, and the like related to sales opportunities, and is not intended for storage or use of any data not related to such purpose, including, without limitation, social security numbers, financial account numbers, health information, driver’s license numbers or information, passport or visa numbers, credit card information, or any special categories of personal data (“Prohibited Data”). Data Controller agrees that it will not, and will not permit its Affiliate or any user, to input any Prohibited Data into the Service.

4.0 Obligations of Data Processor

4.1
In providing the Service, Data Processor shall comply with the instructions of Data Controller for the Processing of Personal Data and Process the Personal Data exclusively in connection with the provision of the Service. The provisions of this DPA are the main source of instructions issued by Data Controller. Any amendments to the Processing requirements shall be agreed between the Parties and documented in writing.

4.2 Data Processor shall assist Data Controller:
‍
(i) in responding to requests by Data Subjects to exercise their rights; and
‍
(ii) in complying with its obligations in relation to security of Personal Data under applicable Data Protection Law(s), including but not limited to, as applicable, data protection impact assessment and prior consultation, taking into account the nature of the Service and the information available to Data Processor.

(iii) carrying out a request from Data Controller to amend, transfer, or delete any of the Personal Data to the extent necessary to allow Data Controller to comply with its responsibilities as a data controller under applicable Data Protection Law(s).

4.3 Notification of Non-Compliance with Data Protection Requirements:
‍
Data Processor shall inform Data Controller without delay if it becomes aware:

(i) That Data Processor’s employees, subcontractors, and/or any third party engaged in the Processing fail to comply with any requirements regarding the protection of Personal Data or any provisions of this DPA; and/or

(ii) Of any other irregularity in the Processing of Personal Data.

4.4 Storage and Erasure of Data

(i) Data Processor shall store the Personal Data as long as it is needed for the provision of the Service and in accordance with applicable Data Protection Law(s).

(ii) Data Processor must store the Personal Data, together with any copies or reproductions made of such Personal Data, with reasonable care and securely so that it is not accessible to third parties.

(iii) Any Personal Data that is no longer required will be deleted in accordance with applicable Data Protection Law(s).

(iv) Upon request by Data Controller or upon termination or expiration of the Main Agreement, Data Processor shall at Data Controller’s choice (a) deliver to Data Controller all Personal Data (and any copies or derivative works of same) in its possession, and/or (b) destroy all Personal Data (and any copies or derivative works of same) in its possession, and certify to Data Controller that it has done so, unless otherwise required under operation of Data Protection Law(s), or as mutually agreed by the Parties, and/or (c) cease any Processing of Personal Data.

4.5 Data Access and Modification

(i) Data Processor shall permit Data Subjects access to their respective Personal Data. In particular, Data Subjects shall be permitted to correct, amend, or delete inaccurate Personal Data at no additional cost.

(ii) Both Parties agree that, in the event of receiving a Data Subject complaint or access request that may involve the other Party, to notify the other Party without delay and to provide such cooperation and assistance as may be reasonably required to enable that Party to deal with any Data Subject complaint or access request in accordance with the provisions of the applicable Data Protection Law(s).

(iii) To the extent that Data Controller does not have the ability to correct, amend, block, or delete already transferred Personal Data, Data Processor shall comply with any reasonable request by Data Controller to facilitate such actions as required by Data Protection Law(s).

(iv) If Data Processor becomes aware of any errors or incorrectness of Personal Data, Data Processor shall notify Data Controller prior to correcting such data. Whenever a situation arises where this may be appropriate and in line with applicable Data Protection Law(s), consideration may be given to blocking data instead of erasing it.

4.6
Upon request by Data Controller with reasonable notice, Data Controller (or a duly qualified independent auditor selected by Data Controller and not unreasonably objected to by Data Processor) may audit Data Processor to ensure that Data Processor is in compliance with this DPA. Data Processor shall provide Data Controller access to the relevant Data Processor personnel and records. Data Processor shall notify Data Controller without delay if Data Processor becomes aware that an instruction for the Processing of Personal Data given by Data Controller violates any applicable Data Protection Law(s).

4.7
To the extent that Data Controller is a “business” as defined under the CCPA, it is the understanding of the Parties that Processor is a “service provider” as defined under CCPA with respect to the Personal Data. Except for usage of Personal Data as permitted by this Agreement or as necessary to bring and defend claims, to comply with requirements of the legal process, to cooperate with regulatory authorities, and to exercise other similar permissible uses as expressly provided under applicable Data Protection Law(s), Data Processor shall not (i) “sell” or “share” Personal Data; (ii) retain, use, or disclose the Personal Data for any purpose, including other commercial purposes, outside of the direct business relationship with Data Controller; or (iii) combine Personal Data with Personal Data that Data Processor collects or receives from another person. Data Controller and Data Processor acknowledge and agree that the disclosure of Personal Data by Data Controller to Data Processor does not constitute a “sale.” Data Controller agrees that Data Processor may de-identify or aggregate Personal Data in the course of providing the Service to Data Controller.

5. International Data Transfers

5.1
By the Effective Date, Data Controller acknowledges that it will carry out EU Personal Data, Swiss Personal Data, and UK Personal Data transfers to the following country/ies: United States of America.

5.2
Data Processor hereby agrees to comply with the obligations of a data importer as set out in the EU SCC, incorporated by reference in Exhibit 1 hereto, and acknowledges that Data Controller will be a data exporter under such clauses.

5.3
Data Processor also agrees to comply with the obligations of a data importer as set out in the UK SCC, incorporated by reference in Exhibit 2 hereto, and acknowledges that Data Controller will also be a data exporter under such clauses.

5.4
To the extent the FADP is applicable, the Parties agree that (i) the EU SCC will apply to the transfer of Swiss Personal Data between Data Processor as data importer and Data Controller as data exporter in Switzerland, provided that (i) where the EU SCC include references to the GDPR, such references shall be understood as references to the FADP and (ii) such EU SCC include the superseding changes mentioned in Exhibit 1 for the purpose of that transfer.

5.5
The Parties agree that they will provide additional information about the transfer and will co-operate, without delay, where this is required by a Supervisory Authority in any EEA Member State, the United Kingdom, and/or Switzerland. In the event that a Supervisory Authority revokes or adapts the decision that it made approving the EU SCC or the UK SCC, then Data Controller shall have the right forthwith to require Data Processor to cease to Process EU Personal Data outside the EEA or, if Data Processor is unable to do this, to terminate the Processing of EU Personal Data.

5.6
With respect to the Processing of EU Personal Data, UK Personal Data, and Swiss Personal Data, Data Controller grants authorization to Data Processor to appoint as Sub-processors the entities set out in Annex III of the Appendix to Exhibit 1 hereto, and for the sub-processing activities described therein, as it may be updated from time to time. Data Processor shall provide Data Controller thirty (30) days’ notice (email or message through the Service sufficient) of any intended changes concerning the addition or replacement of other Sub-processors, thereby giving Data Controller the opportunity to object to such changes. Data Processor shall be fully liable for the acts and omissions of its Sub-processors’ Processing of EU Personal Data to the same extent Data Processor would be liable if performing the services of each Sub-processor directly under the terms of this DPA.

6.0 Security Measures

6.1
Data Processor shall implement and adhere to appropriate technical and organizational measures in order to protect Personal Data, in particular where the Processing involves the transmission of data over a network. These measures shall include the requirements established under applicable Data Protection Law(s).

Therefore, Data Processor agrees to undertake appropriate technical and organizational measures with the following purposes:

(i) protect the Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, theft, alteration, or disclosure;

(ii) ensure, to the extent within Data Processor’s control and not that of Data Controller, that Personal Data cannot be read, copied, modified, or removed without authorization during electronic transmission, transport, or storage and that it is possible to examine, control, and establish to which parties the transfer of Personal Data by means of data transmission facilities is envisaged (transmission control); and

(iii) ensure that, for at least one year, it is possible to retrospectively examine, control, and establish whether and by whom Personal Data has been introduced into data processing systems, including any modifications or removal (input control).

6.2
These measures shall be appropriate to the harm which might result from any unauthorized or unlawful Processing, accidental loss, destruction, damage, or theft of the Personal Data and having regard to the nature of the Personal Data which is to be protected.

At a minimum, these measures should include, but not be limited to:

(i) encrypting sensitive and other Personal Data in transit (but solely to the extent such transit is initiated by Data Processor as opposed to Data Controller and it being understood and agreed by Data Controller that the scope of the Main Agreement does not require or address the Processing of any sensitive data, which Data Controller should not transmit to Data Processor without Data Processor’s express written consent);

(ii) ensuring least privileged access rights on systems containing Data Controller’s Personal Data;

(iii) regularly reviewing access permissions to Data Controller’s Personal Data;

(iv) ensuring the use of complex passwords or two-factor authentication when used;

(v) ensuring proper physical access controls to all systems containing Data Controller’s Personal Data; and

(vi) ensuring proper disposal of any Personal Data, in print or electronic media, properly patching systems containing Data Controller’s Personal Data, and ensuring an up-to-date antivirus application is installed on all systems Processing and/or containing Data Controller’s Personal Data.

7.0 Data Breaches
‍

7.1
Data Processor shall notify Data Controller promptly and in writing if it becomes aware of any actual Personal Data Breach on Data Processor’s equipment or in Data Processor’s facilities, or Sub-processors’, if any.

In particular, Data Processor must notify Data Controller immediately in writing in the event that the property of Data Controller or its Personal Data in the possession or control of Data Processor is endangered by measures undertaken by third parties.

7.2
Immediately after notification, Data Processor will:

(i) investigate the Personal Data Breach and provide Data Controller with a detailed description of the Personal Data Breach, the type of data and other Personal Data that was the subject of the Personal Data Breach and the identity of each affected person, as soon as such information can be collected or otherwise becomes available (as well as periodic updates to this information and any other information Data Controller may reasonably request relating to the Personal Data Breach);

(ii) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Personal Data Breach; and

(iii) provide its full assistance and support to Data Controller in the event that Data Controller determines that it is necessary to notify Data Subjects or any concerned Supervisory Authority of such Personal Data Breach.

8.0 Sub-processors

8.1
Data Processor uses the third-party Sub-processors set out in Annex III of the Appendix to Exhibit 1. Any such Sub-processor will Process Personal Data only in connection with Data Processor’s provision of the Service and will be prohibited from using Personal Data for any other purpose.

8.2
Data Processor ensures the reliability and competence of its Sub-processors and shall agree with its Sub- processors to protect and Process the Personal Data under terms and conditions no less restrictive than those contained in this DPA.

9.0 Term and Termination‍

9.1
This DPA shall enter into effect on the Effective Date and its term shall be coextensive with the term of the Main Agreement. The obligations under Section 4.4 shall survive any termination or expiration of the Main Agreement. Any other obligation, excepting those that reasonably or under any applicable laws have to survive a termination or expiration of the Main Agreement, shall terminate upon termination or expiration of the Main Agreement.

9.2
Data Controller shall deem any breach of this DPA as a breach of the Main Agreement and thus the same provisions for the termination of this DPA shall be applicable.

10.0 Miscellaneous‍

10.1
This DPA is intended to ensure the adequate level of protection of Personal Data and does not otherwise affect the rights and obligations under any other agreements between the Parties, including, without limitation, the Main Agreement. Without limiting the foregoing, for the avoidance of doubt, each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA and the SCCs, whether in contract, tort or under any other theory of liability is subject to the liability restrictions set forth in the Main Agreement, including the damages disclaimer and any aggregate limitation of liability.

10.2
Nothing in this DPA shall be construed as an exclusion of Data Protection Laws or export regulations that may be applicable to the Service provided by Data Processor under the Main Agreement and that must be observed by the Parties.

10.3
If any term or provision of this DPA shall be held to be illegal or unenforceable in whole or in part, the validity of the remaining provisions of this DPA shall remain unaffected. The same shall apply in the event that this DPA is incomplete.

Exhibit 1‍

‍EU SCC Controller to Processor

‍
The transfer of EU Personal Data is made in accordance with the EU SCC, or in accordance with any successor thereof or an alternative lawful data transfer mechanism, and as follows:

• In Clause 7, the optional docking clause will apply;
• If applicable, in Clause 9, Option 2 will apply, and the time period for prior notice of sub-processor changes will be as set out in section 5.6 of the DPA;
• In Clause 11, the optional language will not apply;In Clause 17, Option 1 will apply, and the EU SCC will be governed by Irish law; and
• In Clause 18(b), disputes will be resolved before the courts of the Republic of Ireland.

The transfer of Swiss Personal Data is made in accordance with these EU SCCs provided the Parties agree on the following superseding changes, limited to the cross-border disclosure of Swiss Personal Data:

• In Clause 13 and Annex I.C of the Appendix below, the Supervisory Authority is the Swiss Federal Data Protection and Information Commissioner;
• In Clause 17, Option 1 will apply and the EU SCC will be governed by Swiss law;
• In Clause 18(b), disputes will be resolved before the courts of Switzerland; and
• In Clause 18(c), the term "member state" shall not be interpreted in such a way that Data Subjects in Switzerland are excluded from exercising their rights, if any, at their place of habitual residence.

In both cases, the Appendix of the EU SCC is completed by the following Annexes:

Appendix

Annex 1

A. LIST OF PARTIES

Data exporter(s):
‍
Name: See Main Agreement (“Customer”)
Address: See Main Agreement
Contact person’s name, position and contact details: See Main Agreement

Activities relevant to the data transferred under these Clauses:

Activities relevant to the data transferred under these clauses may include storage, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available data exporter’s data as necessary to provide the Service in accordance with the Main Agreement, including related internal purposes (such as quality control, troubleshooting, and product development).

Signature and date: See Main Agreement Role (controller/processor):Controller

Data importer(s):
‍
Name: See Main Agreement (“Scratchpad”)
Address: See Main Agreement
Contact person’s name, position and contact details: See Main Agreement

Activities relevant to the data transferred under these Clauses:

Activities relevant to the data transferred under these clauses may include storage, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available data exporter’s data as necessary to provide the Service in accordance with the Main Agreement, including related internal purposes (such as quality control, troubleshooting, and product development).

Signature and date: See Main Agreement Role (controller/processor): Processor
‍
B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred
Individuals about whom Personal Data is provided to the Data Processor via the Services by (or at the direction of) Data Controller and/or its Affiliates, which may include, without limitation, employees, contractors, customers and/or prospective customers of Data Controller or its Affiliates.

Categories of personal data transferred
‍
First and last name, email address, title, phone number, business address, employer’s company name, localization data, and/or information related to selections made through the Service, including online orders placed thereby.

Where Data Controller initiates video recording, such categories of Personal Data as may be recorded during the session including, without limitation, Personal Data in:

• Video, audio, whiteboard, captions and presentations
• Text files of meeting group chats
• Closed captioning transcripts

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.N/A

‍The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).Continuous basis, through term of Main Agreement.

‍Nature of the processing
‍
Processing may include storage, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available data exporter’s data as necessary to provide the Service in accordance with the Main Agreement, including related internal purposes (such as quality control, troubleshooting, and product development).

‍Purpose(s) of the data transfer and further processing
‍
To provide the Service, as described in the Main Agreement and this DPA.

‍The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
‍
Criteria used to determine retention periods include the status of fulfillment of the purpose of the data processing, as specified above, the data retention periods specified in each Party’s disaster recovery plan and/or business continuity plan, the term of the Main Agreement, and data subject request.

‍For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
‍
See Annex III and above descriptions regarding duration of processing.

C. COMPETENT SUPERVISORY AUTHORITY

‍
Identify the competent supervisory authority/ies in accordance with Clause 13
‍
The data protection commission for the Republic of Ireland, located at 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland.

‍
ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING
TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF DATA
See DPA, Section 6.

ANNEX III
‍
LIST OF SUB-PROCESSORS
Identities of the Sub-processors used for the provision of the Service and their country of location can be found here:
https://scratchpad.com/subprocessors.
‍

Exhibit 2‍

UK SCC
Controller-to-Processor

Pursuant to Section 5.3 of this DPA between Scratchpad and Customer, the SCCs, as supplemented by the specific and optional clauses set forth in Exhibit I to this DPA (the “EU SCCs”) and as modified to include the UK Addendum (the “UK SCCs”) are deemed incorporated into and form part of this DPA.  For the avoidance of doubt, in the event of any conflict between (i) the EU SCCs and (ii) UK SCCs, the UK SCCs shall prevail. The following information completes the UK Addendum and Annexes:

Part 1.

1. For Table 1 of the UK Addendum:  (a)  the Start Date is as set forth in this DPA, (b) Parties’ Details and Key Contact are as set forth in Annex I.A. to Exhibit 1 – the EU SCCs and (b) the Exporter is the Data Controller (Customer) and the Importer is the Data Processor (Scratchpad).

2. For Table 2, the Selected SCCs, Modules and Selected Clauses are as set forth Section 5.2 of this DPA and Exhibit 1 (the EU-SCCs) to this DPA.

3. Table 4 of the UK Addendum is modified as follows: Neither party may end the UK Addendum as set out in Section 19 of the UK Addendum; to the extent ICO issues a revised Approved Addendum under Section ‎18 of the UK Addendum, the parties will work in good faith to revise this DPA accordingly.

4. For Annex 1A, the Parties are as set forth in Annex I.A. to Exhibit 1 (EU-SCCs).

5. For Annex 1B, the Description of the Transfer is as set forth in Annex I.B. to Exhibit 1(EU SCCs).

6. For Annex II, the technical and organizational measures are as set forth in Annex II to Exhibit 1 (EU SCCs).

7. For Annex III, the Sub-Processors (Modules 2 and 3 only) shall be as described in Annex III to Exhibit 1 (EU SCCs).

Part 2.

Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.