DATA PROCESSING ADDENDUM

CLOUD 4J, LLC, MIRAGE COMPUTER SYSTEMS GMBH, PAYONOMY LIMITED, UNARIC GMBH, UNARIC HOLDING LIMITED, UNARIC INC., AND UNARIC LIMITED

TABLE OF CONTENTS

Preamble
1.  Interpretation  
2.  Interaction With the Agreement  
3.  Role of the Parties  
4.  Details of Data Processing  
5.  Sub-Processors  
6.  Data Subject Rights Requests  
7.  Security and Audits  
8.  Security Incidents  
9.  Deletion and Return  
10.  Contract Period  
11.  Standard Contractual Clauses  
12.  Deidentified Data  
13.  General  
Schedule 1
Schedule 2
Schedule 3
Schedule 4  

Last Updated: July 31, 2025
Effective From: July 31, 2025

THIS DATA PROCESSING ADDENDUM (“DPA”) FORMS PART OF AND SUPPLEMENTS THE MASTER SERVICE AGREEMENT (THE “AGREEMENT”) BETWEEN CUSTOMER AND COMPANY, GOVERNING CUSTOMER’S ACQUISITION AND USE OF COMPANY’S SERVICES.

BY ACCEPTING THIS DPA—BY CLICKING A BOX INDICATING ACCEPTANCE, BY EXECUTING AN ORDER FORM THAT REFERENCES THIS DPA, OR BY USING COMPANY’S SERVICES (INCLUDING FREE SERVICES), CUSTOMER AGREES TO THE TERMS OF THIS DPA. BY GIVING CONSENT WHERE INDICATED, CUSTOMER ACKNOWLEDGES THAT CUSTOMER HAS READ, UNDERSTOOD, AND AGREED TO THIS DPA.

IF CUSTOMER IS ENTERING INTO THE AGREEMENT ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, CUSTOMER REPRESENTS THAT IT HAS THE AUTHORITY TO BIND SUCH ENTITY AND ITS AFFILIATES TO THE TERMS OF THE AGREEMENT AND THE DPA, AND “CUSTOMER” SHALL REFER TO SUCH ENTITY AND ITS AFFILIATES. IF CUSTOMER DOES NOT HAVE SUCH AUTHORITY, OR IF CUSTOMER DOES NOT AGREE WITH THE TERMS OF THE AGREEMENT OR THE DPA, CUSTOMER MUST NOT ACCEPT THE AGREEMENT AND MAY NOT ACCESS OR USE THE SERVICES.

THIS DPA GOVERNS THE PROCESSING OF PERSONAL DATA BY COMPANY ON BEHALF OF CUSTOMER IN CONNECTION WITH THE AGREEMENT, IN COMPLIANCE WITH APPLICABLE DATA PROTECTION AND PRIVACY LAWS, INCLUDING, WHERE APPLICABLE, THE GENERAL DATA PROTECTION REGULATION (EU) 2016/679 (“GDPR”), THE UK GDPR, AND OTHER SIMILAR LAWS.

THE PARTIES ACKNOWLEDGE THAT: (A) COMPANY’S PROCESSING OF PERSONAL DATA AS PROCESSOR ON BEHALF OF CUSTOMER SHALL BE GOVERNED BY THIS DATA PROCESSING ADDENDUM (“DPA”); AND (B) COMPANY’S PROCESSING OF PERSONAL DATA AS AN INDEPENDENT CONTROLLER INCLUDING IN CONNECTION WITH CUSTOMER’S OR ITS USERS’ USE OF COMPANY’S WEBSITES, PORTALS, AND ONLINE SERVICES, SHALL BE SUBJECT TO COMPANY’S PRIVACY POLICY AND COOKIE POLICY, AS UPDATED FROM TIME TO TIME AND AVAILABLE AT WWW.UNARIC.COM/POLICIES/PRIVACY-POLICY.

Important Notice Regarding Changes

PLEASE NOTE THAT COMPANY RESERVES THE RIGHT TO UPDATE OR AMEND THIS DATA PROCESSING ADDENDUM FROM TIME TO TIME IN ACCORDANCE WITH THE RULES SET FORTH IN THE AGREEMENT. CUSTOMERS ARE ENCOURAGED TO REVIEW THIS ADDENDUM REGULARLY (AVAILABLE AT WWW.UNARIC.COM/POLICIES/DATA-PROCESSING-ADENDUM) TO STAY INFORMED OF ANY CHANGES. THE DATE OF THE LAST UPDATE TO THIS ADDENDUM IS INDICATED ABOVE. CONTINUED ACCESS TO OR USE OF THE SERVICES AFTER ANY SUCH UPDATE CONSTITUTES ACCEPTANCE OF THE AMENDED TERMS, EXCEPT WHERE SUCH AMENDMENTS REQUIRE SPECIFIC CONSENT UNDER APPLICABLE DATA PROTECTION LAWS.

AGREED TERMS

  1. Interpretation

    1.1 - Definitions

    DEFINITIONS:  
    Capitalized terms used but not defined within this DPA shall have the meaning set forth in the Agreement. The following capitalized terms used in this DPA will be defined as follows:

    Applicable Data Protection Laws:
    means all applicable laws, regulations, and legally binding requirements relating to the privacy, protection, confidentiality, or security of Personal Data Processed under this DPA, including, without limitation, the GDPR, the UK GDPR, and any other similar mandatory data protection law, in each case as amended, superseded, or replaced from time to time.  

    Controller:
    means the Customer, as the entity that determines the purposes and means of the Processing of Personal Data, as defined by applicable Data Protection Laws.  

    Controller Affiliate:
    means an Affiliate of the Controller that is permitted to use the Services in accordance with the Agreement and applicable Data Protection Laws.

    Covered Data:
    means Personal Data that (a) is provided by or on behalf of the Controller to the Processor in connection with the Services, including any Personal Data obtained, developed, produced, or derived from such data, and (b) any Personal Data the Processor collects directly from Data Subjects or other third parties on behalf of the Controller in connection with the Services.

    Data Subject:
    means an identified or identifiable natural person whose Personal Data is Processed.  

    Deidentified Data:
    means data that is created from Covered Data and that cannot reasonably be linked, directly or indirectly, to any individual or to the original Covered Data, in accordance with applicable Data Protection Laws.  

    EEA:
    means the European Economic Area including the European Union ("EU").  

    GDPR:
    means Regulation (EU) 2016/679 (the “EU GDPR”) or, where applicable, the “UK GDPR” as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the UK European Union (Withdrawal) Act 2018, or, where applicable, the equivalent provision under Swiss data protection law.  

    Member State:
    means a member state of the European Economic Area, including any member state of the European Union, as well as Iceland, Norway, and Liechtenstein.  

    Personal Data:
    means any data or information that (a) is linked or reasonably linkable to an identified or identifiable natural person, or (b) is otherwise considered “personal data,” “personal information,” “personally identifiable information,” or a similar term under Applicable Data Protection Laws.

    Processing:
    means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means. The terms “Process”, “Processes”, and “Processed” shall be interpreted accordingly.

    Processor:
    means the Company, as the entity that Processes Personal Data on behalf of the Customer, as defined by applicable Data Protection Laws.

    Security Incident:
    means any actual breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to (including internal access) Covered Data.

    Standard Contractual Clauses or “SCCs”:
    means Module Two (controller-to-processor) and/or Module Three (processor-to-processor) of the standard contractual clauses annexed to Commission Implementing Decision (EU) 2021/914.

    Sub-processor:
    means any entity engaged by the Processor to Process Covered Data on behalf of the Processor.

    UK:
    means the United Kingdom.

    US Data Protection Laws:
    means, to the extent applicable, federal and state laws in the United States relating to data protection, the Processing of Personal Data, privacy, and/or data security, as amended or updated from time to time.

    1.2 Any phrase introduced by the terms including, include, in particular, for example or any other similar expression shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those terms.

    1.3 A reference to writing or written includes email.

    1.4 Unless the context otherwise requires, words in the singular include the plural and, in the plural, include the singular.
  2. Interaction With the Agreement

    2.1 This DPA is incorporated into and forms an integral part of the Agreement. In the event of any conflict between this DPA and the Agreement with respect to the Processing of Covered Data, this DPA shall prevail.

    2.2 Any Processing operations as described in Clause 4 (Details of Data Processing) and Schedule 1 of this DPA shall be governed by this DPA.

    2.3 Controller Affiliates are beneficiaries under this DPA and, through the Controller as set out in Clauses 2.4 and 2.5, are entitled to enforce all rights relating to Covered Data provided by the respective Controller Affiliate. Controller shall ensure that all obligations under this DPA are passed on to the relevant Controller Affiliates.

    2.4 Controller warrants that it is duly authorized by each Controller Affiliate on whose behalf Processor Processes Covered Data under this DPA to (a) enforce the terms of this DPA on behalf of the Controller Affiliate and to manage any claims arising in connection with this DPA, and (b) receive and respond to any notices or communications under this DPA on behalf of such Controller Affiliates.

    2.5 Controller shall be the sole point of contact for all communications between Controller Affiliates and Processor.

  3. Role of the Parties

    The Parties acknowledge and agree that: For the purposes of the GDPR and the UK GDPR, Processor acts as a “processor” or “sub-processor” (as defined in the GDPR):

    (a)  Where the Controller acts as a controller, Processor acts as a processor; and  
    (b)  Where the Controller acts as a processor on behalf of another controller, Processor acts as a sub-processor.

    For the purposes of the US Data Protection Laws, Processor will act as a “service provider” or “processor” (as defined in applicable US Data Protection Laws), as applicable, in its performance of its obligations under the Agreement and this DPA.

  4. Details of Data Processing

    4.1 The details of the Processing of Personal Data under the Agreement and this DPA (including the subject matter, nature and purpose of the Processing, and the categories of Personal Data and Data Subjects) are described in the Agreement and/or in Schedule 1 of this DPA.

    4.2 Covered Data shall only be Processed on behalf of and in accordance with the documented instructions of the Controller and in compliance with Applicable Data Protection Laws. The Agreement and this DPA generally constitute the Controller’s instructions for the Processing of Covered Data. The Controller may issue additional written instructions that are consistent with this DPA and the Agreement, and Processor shall comply with such instructions provided they are reasonable, lawful and technically feasible.

    4.3 Without limiting the foregoing, Processor shall not:

    (a) sell Covered Data or otherwise make Covered Data available to any third party for monetary or other valuable consideration;
    (b)  share Covered Data with any third party for cross-context behavioural advertising;
    (c)  retain, use, or disclose Covered Data for any purpose other than the business purposes specified in the Agreement or as otherwise permitted by Applicable Data Protection Laws;
    (d)  retain, use, or disclose Covered Data outside of the direct business relationship between the Parties; or
    (e)  except as otherwise permitted by Applicable Data Protection Laws, combine Covered Data with Personal Data that Processor receives from or on behalf of another person or persons, or collects from its own interaction with the Data Subject.

    4.4 Processor shall limit access to Covered Data to personnel who have a business need to access such data and shall ensure that such personnel are subject to obligations at least as protective of the Covered Data as those set out in this DPA and the Agreement.

    4.5 Processor may Process Covered Data in any location where Processor or its Sub-processors maintain facilities, subject to Clause 5 of this DPA.

    4.6 Processor shall provide Controller with information reasonably necessary to enable Controller to conduct and document any data protection assessments required under Applicable Data Protection Laws. Processor shall promptly notify Controller if it determines that it can no longer comply with its obligations under Applicable Data Protection Laws.

    4.7 Controller shall have the right to take reasonable and appropriate steps to ensure that Processor Processes Covered Data in a manner consistent with Controller’s obligations under Applicable Data Protection Laws.

  5. Sub-Processors

    5.1 Controller grants Processor a general authorization to engage Sub-processors, subject to Clause 5.2 of this DPA.

    5.2 Processor shall:

    (a) enter into a written agreement with each Sub-processor that imposes data protection obligations no less protective of the Covered Data than those imposed on Processor under this DPA, including appropriate technical and organizational measures; and
    (b)  remain fully liable for each Sub-processor’s compliance with the obligations under this DPA.

    5.3 Processor shall maintain a current list of Sub-processors involved in Processing Covered Data, which shall be made available to Controller at a designated online location (the “Sub-processor List”). Controller is responsible for regularly reviewing the Sub-processor List to stay informed of any updates. Controller may object to the use of a new Sub-processor (including exercising its right to object under Clause 9(a) of the SCCs, if applicable) by providing Processor with written notice of the objection within fourteen (14) days of the update to the Sub-processor List (an “Objection”). If Controller does not object within the Objection period, consent to the engagement shall be deemed granted. In the event of an Objection, Controller and Processor will work together in good faith to find a mutually acceptable resolution. If the Parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Controller may terminate the portion of the Agreement relating to the Services affected by such change by providing written notice to Processor. During any such Objection period, Processor may suspend the affected portion of the Services.

    Use of Affiliates: The Controller acknowledges and agrees that Processor may engage its Affiliates as Sub-processors without listing them individually in the Sub-processor List, provided such Affiliates are bound by written agreements requiring them to comply with obligations substantially similar to those set out in this DPA. The term “Affiliate” shall have the meaning set out in the Agreement. The Controller acknowledges and agrees that the engagement of such Affiliates shall be deemed pre-authorised, subject to the terms of this DPA.

  6. Data Subject Rights Requests

    6.1 As between the Parties, Controller shall have sole discretion and responsibility for responding to any requests from individuals in relation to Covered Data under Applicable Data Protection Laws (“Data Subject Requests”).

    6.2 Processor shall promptly forward to Controller, without undue delay, any Data Subject Request it or any Sub-processor receives. Processor may also inform the individual to contact the Controller directly to submit their request.

    6.3 Processor shall provide Controller with reasonable assistance, as necessary and to the extent required by Applicable Data Protection Laws, to enable Controller to fulfil its obligations to respond to Data Subject Requests.

  7. Security and Audits

    7.1 Processor shall implement and maintain appropriate technical and organizational data protection and security measures designed to ensure the security of Covered Data, including protection against unauthorized or unlawful Processing and against accidental loss, destruction, or damage. When assessing the appropriate level of security, Processor shall consider the nature, scope, context, and purpose of the Processing, as well as the risks presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Covered Data.

    7.2 Processor shall implement and maintain, at a minimum, the measures set out in Schedule 2.

    7.3 Controller shall have the right to audit Processor’s compliance with this DPA. The Parties agree that such audits shall:

    (a)  be conducted upon reasonable written notice to Processor;
    (b)  occur no more than once per year, unless an audit reveals non-compliance; and
    (c)  be conducted only during Processor’s normal business hours.

    7.4 Controller may engage a third-party auditor to conduct such audits, provided that the auditor is suitably qualified, independent, and complies with Clause 7.3.

    7.5 Controller shall promptly notify Processor of any non-compliance discovered during an audit.

    7.6 Upon request, Processor shall provide Controller with documentation reasonably evidencing the implementation of the technical and organizational data security measures in accordance with industry standards. Processor may, at its discretion, provide data protection compliance certifications issued by a recognized certification body or a publicly certified auditing company. If the requested audit scope is addressed in such a certification report produced within twelve (12) months of Controller’s audit request, and Processor confirms there have been no known material changes in the controls audited, Controller agrees to accept those findings in lieu of requesting a new audit of the same controls.

    7.7 Processor shall audit its Sub-processors on a regular basis and, upon Controller’s request, confirm their compliance with Applicable Data Protection Laws and the Sub-processors’ contractual obligations.

  8. Security Incidents

    8.1 Processor shall notify Controller in writing without undue delay, and in any event within forty-eight (48) hours after becoming aware of any Security Incident involving Covered Data. Processor shall reasonably cooperate with Controller in connection with any obligation of Controller under Applicable Data Protection Laws to make any required notifications, such as to individuals or supervisory authorities.

    8.2 Processor shall take reasonable steps to contain, investigate, and mitigate any Security Incident and shall provide Controller with timely information about the Security Incident, including, but not limited to, the nature of the Security Incident, the measures taken to mitigate or contain the Security Incident, and the status of any investigation.

    8.3 Processor’s notification of or response to a Security Incident under this Clause 8 shall not be construed as an acknowledgment by Processor of any fault or liability with respect to the Security Incident.

    8.4 Processor shall provide reasonable assistance to Controller in connection with Controller’s investigation of the Security Incident and any notification obligations under Applicable Data Protection Laws, such as in relation to individuals or supervisory authorities.

  9. Deletion and Return

    Processor shall, within ninety (90) days of the termination or expiry of the Agreement:

    (a)  if requested by Controller within that period, return a copy of all Covered Data or provide a self-service functionality allowing Controller to do the same; and
    (b)  delete all other copies of Covered Data Processed by Processor or any Sub-processors,

    in each case, except to the extent that retention of the data is required by Applicable Data Protection Laws or as part of secure backup files that are automatically overwritten in the ordinary course of business and not actively used for Processing.

  10. Contract Period

    This DPA shall commence on the Effective Date and, notwithstanding any termination of the Agreement, shall remain in effect until, and automatically expire upon, Processor’s deletion of all Covered Data as described in this DPA.

  11. Standard Contractual Clauses

    11.1 The Parties agree that the terms of the Standard Contractual Clauses Module Two (Controller to Processor) and Module Three (Processor to Processor), as further specified in Schedule 3 of this DPA, are hereby incorporated by reference and shall be deemed to have been executed by the Parties and shall apply to any transfers of Covered Data falling within the scope of the GDPR from Controller (as data exporter) to Processor (as data importer).

    11.2 To the extent applicable, the jurisdiction-specific addenda to the Standard Contractual Clauses set out in Schedule 3 are also incorporated herein by reference and shall be deemed to have been executed by the Parties and shall apply to any transfers of Covered Data falling within the scope of Applicable Data Protection Laws in the listed jurisdiction(s) from Controller (as data exporter) to Processor (as data importer).

    11.3 Processor shall provide Controller with reasonable support to enable Controller’s compliance with the requirements imposed on international transfers of Covered Data. Processor shall, upon Controller’s request, provide information to Controller that is reasonably necessary for Controller to complete a transfer impact assessment ("TIA") under Applicable Data Protection Laws.

    11.4 Processor further agrees to implement the supplementary measures agreed upon and set forth in Schedule 4 of this DPA in order to enable Controller’s compliance with requirements imposed on international transfers of Covered Data under Applicable Data Protection Laws.

  12. Deidentified Data

    If Processor receives Deidentified Data from or on behalf of Controller, Processor shall:

    (a)  take reasonable measures to ensure that the information cannot be associated with a Data Subject;
    (b)  publicly commit to Process the Deidentified Data solely in deidentified form and not to attempt to reidentify the information; and
    (c)  contractually obligate any recipients of the Deidentified Data to comply with the foregoing requirements and Applicable Data Protection Laws.

  13. General

    13.1 Each Party certifies that it understands and shall comply with its obligations under this DPA.

    13.2 Processor shall indemnify, defend, and hold harmless Controller and its Affiliates from and against any third-party claims, actions, or proceedings to the extent arising from a breach by Processor of its obligations under this DPA or applicable Data Protection Laws, provided that such breach results from Processor’s failure to comply with its obligations as a data processor under this DPA. Processor’s liability under this clause shall be subject to any limitations of liability or indemnification procedures set out in the Agreement.

    13.3 Except as expressly stated in this DPA, the terms of the Agreement (including without limitation provisions on indemnification, amendments, severability, no waiver, and entire agreement) shall apply to this DPA.

Schedule 1
Details of Processing

A. List of Parties

  1. Data Exporter:

    The data exporter is: each of the Controller and/or Controller Affiliates operating in the countries which comprise the European Economic Area, UK, and/or Switzerland and/or, to the extent agreed by the Parties, Controller and/or Controller Affiliates in any other country to the extent the GDPR or Applicable Data Protection Laws apply. The data exporter’s contact details, including any data protection officer or representative contact information (if applicable), shall be included in the Agreement or provided to Processor upon request.
  2. Data Importer:

    The data importer is: the Processor and/or its Affiliates that Process Covered Data on behalf of the Controller under the Agreement. The data importer’s contact details shall be included in the Agreement or provided to Controller upon request.

B. Description of Processing

  3. Categories of Data Subjects:

    The categories of Data Subjects whose Personal Data are Processed are determined by the Controller and typically include:
    (a)  Users of the Controller’s services
    (b)  Controller’s employees or contractors
    (c)  Customers, prospects, business partners, and vendors of the Controller
    (d)  Any other natural persons whose Personal Data is Processed by the Controller in connection with the Services
  4. Categories of Personal Data:

    The categories of Personal Data Processed are determined by the Controller and typically include:
    (a) Basic personal details (e.g., name, title, position)
    (b) Contact information (e.g., email address, phone number, physical address)
    (c) Account and login details (e.g., usernames, user IDs)
    (d) Professional data (e.g., employer, job title)
    (e) Communication data and usage logs (e.g., IP address, device information, login records)
    (f) Financial or billing information (if applicable)
    (g)  Any other Personal Data submitted by the Controller in connection with the Services
  5. Special Categories of Personal Data:

    The Processing of special categories of Personal Data (as defined in Article 9 of the GDPR) is not intended or required under the Agreement. If special categories of data are Processed, the Processor will apply appropriate additional safeguards.
  6. Frequency of Processing:

    The Processing is performed: continuously and as needed to provide the Services under the Agreement.
  7. Subject Matter and Nature of Processing: 

    The subject matter and nature of the Processing is the performance of the Services as described in the Agreement, including support, maintenance, customer communications, and related activities.
  8. Purpose(s) of Processing:

    The purpose(s) of the data transfer and further Processing are:
    (a)  Provision of the Services to the Controller
    (b)  Support and maintenance of the Services
    (c)  Account management and communications related to the Services
    (d)  Security and performance monitoring
    (e)  Billing and payment processing (if applicable)
    (f)  Compliance with legal and contractual obligations
  9. Storage Limitation:

    The Personal Data will be retained and Processed for the duration of the Agreement, unless otherwise instructed by the Controller or required by Applicable Data Protection Laws.
  10. Sub-processor(s):

    (a)  Cloud hosting providers (e.g., AWS, Azure, Google Cloud)
    (b)  Email service providers
    (c)  Payment processors (if applicable)
    (d)  Other sub-processors as listed in the Processor’s sub-processor list made available to the Controller upon reasonable request.
  11. Competent Supervisory Authority:

    The competent supervisory authority is determined as follows:
    (a)  Where the data exporter is established in an EU Member State or the UK, the competent supervisory authority is the authority of that Member State or the UK (as applicable)
    (b)  Where the data exporter is not established in an EU Member State but is subject to the GDPR or UK GDPR (for example, due to Article 3(2)), the competent supervisory authority will be the authority of the Member State or the UK in which the data exporter’s representative is established or, if there is no representative, as otherwise determined by Applicable Data Protection Laws.

Schedule 2
Technical and Organizational Measures

Specific measures may vary depending on the product or service provided by the Processor or its Affiliates, and may be further described in product documentation or provided upon reasonable request by the Controller. The following baseline technical and organizational measures are typically implemented by the Processor to ensure a level of security appropriate to the risk:

  • Organizational security and staff responsible for data protection
  • Risk assessments and audits to manage security risks
  • Encryption of personal data in transit and at rest
  • Access controls based on job roles and authentication
  • Strong password policies and regular updates
  • Physical security at data centres
  • System and event logging for monitoring and security
  • Change and configuration management for secure systems
  • Incident and problem management for quick response
  • Network security (firewalls, intrusion detection, traffic monitoring)
  • Vulnerability and patch management to counter threats
  • Business continuity and disaster recovery planning
  • Data segregation in multitenant environments
  • Secure system configuration and data disposal
  • Authentication measures, including multifactor where needed
  • Regular testing of security measures
  • Return or deletion of personal data upon contract end
  • Use of secure third-party data centres with certifications
  • Transparent logging and security reviews
  • Analytics to improve security and performance, using deidentified data

Schedule 3
Standard Contractual Clauses and Addenda

12. EU SCCs

The Standard Contractual Clauses will apply to any Processing of Covered Data that is subject to the GDPR. For the purposes of the Standard Contractual Clauses:
12.1 - Module Two will apply for Controller to Processor transfers and Module Three for Processor to Processor transfers, as applicable.
12.2 - Clause 7 (Docking Clause) does not apply.
12.3 - Clause 9(a) option 2 (general written authorization) is selected, with the time period for changes specified in clause 5.3 of this DPA.
12.4 - Clause 11(a) (independent dispute resolution body) does not apply.
12.5 - Clause 17 (Governing law): the law of Germany applies.
12.6 - Clause 18 (Jurisdiction): the courts of Germany shall have jurisdiction.
12.7 - For the purposes of Annex I of the SCCs: the details of the parties, data transfers, and the competent supervisory authority are described in Schedule 1 of this DPA.
12.8 - For the purposes of Annex II of the SCCs: the technical and organizational measures are described in Schedule 2 of this DPA.
12.9 - For the purposes of Annex III of the SCCs: the sub-processors are described in clause 5 and in Schedule 1 of this DPA.

13. UK Addendum
This UK Addendum will apply to any Processing of Covered Data subject to the UK GDPR, or to both UK GDPR and the GDPR.
13.1 - The Approved Addendum (version B.1.0, 2022) is incorporated by reference.
13.2 - Tables 1, 2, 3, and 4 of the Approved Addendum are completed as follows:
(a)  Table 1 (Parties): see Schedule 1 of this DPA.
(b)  Table 2 (Selected SCCs): as described above in Section 1 of this Schedule.
(c)  Table 3 (Appendices): see Schedules 1 and 2 of this DPA.
(d)  Table 4 (Ending this Addendum): either party may end as permitted by the Approved Addendum.
13.3 - In the event of a conflict between the UK Addendum and the SCCs, the UK Addendum will prevail to the extent required by UK law.


14.  Swiss Addendum
This Swiss Addendum will apply to any Processing of Covered Data subject to Swiss data protection law, or to both Swiss data protection law and the GDPR.
14.1 - The SCCs are adapted as follows to ensure compliance with Swiss data protection law:
(a)  References to the EU/Member States include Switzerland.
(b)  The competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner (FDPIC).
(c) Clause 17: governed by Swiss law for Swiss transfers.
(d)  Clause 18: Swiss courts have jurisdiction for Swiss transfers.
(e)  This Addendum shall be interpreted in light of Swiss data protection law and, in case of conflict with the SCCs, the provisions that provide the most protection to data subjects shall prevail. References to the EU or GDPR in the SCCs shall be understood to refer to Switzerland and Swiss data protection law to the extent applicable.
14.2 - In the event of a conflict between this Swiss Addendum and the SCCs, the Swiss Addendum will prevail to the extent required by Swiss law.

Schedule 4
Additional Supplementary Measures

1. Processor and its Affiliates implement additional supplementary measures, as appropriate, to provide safeguards for international transfers of Covered Data in accordance with applicable data protection laws.

2.  These supplementary measures are typically based on the technical and organizational measures described in Schedule 2 of this DPA and may vary depending on the product or service provided by Processor or its Affiliates.

3.  Specific supplementary measures for particular services or products may be further described in product documentation or made available to Controller upon reasonable request.