Terms of Service

Precoro Inc.

Last revised: 1 April 2026

1. Definitions 

We use the following terms in our Terms and Conditions: 

  1. 1.1. "Additional Service" means a Service or an upgrade to the Platform developed by Precoro according to a separate written individual request of a User sent to Precoro that is ordered by the Customer and accepted by Precoro.
  2. 1.2. "A.I." means artificial intelligence, a machine-based system that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions.
  3. 1.3. "Precoro", "we", "us", or "our" means Precoro, Inc., together with its parents, affiliates, and subsidiaries, as applicable.
  4. 1.4. "Customer" means a legal entity whose Users visit, browse, access, download, install, or otherwise use the Platform.
  5. 1.5. "Customer Data" means any data, information, content, records, and files that a Customer or any of its Users loads, receives through, transmits to, enters into, or otherwise makes available to the Platform.
  6. 1.6. "Misuse" means any use of the Services that causes or is reasonably likely to cause financial, operational, legal, reputational, or security harm to Precoro, the Platform, other customers, or third parties, including use: (i) in breach of privacy, data protection, or other applicable law; (ii) to transmit malicious code or interfere with the Platform; (iii) to infringe third-party rights; or (iv) contrary to these Terms or Precoro's documentation.
  7. 1.7. "Party" or "Parties" means Precoro and/or the Customer, as the context requires.
  8. 1.8. "Payment Plan" means the subscription plan selected by the Customer, consisting of: (i) a defined set of features and modules; and (ii) a user tier that specifies the maximum number of Users permitted under the subscription, unless otherwise agreed in a Service Agreement or Order Form.
  9. 1.9. "Property" means all proprietary technology, software, interfaces, workflows, documentation, know-how, materials, trade names, logos, inventions, works of authorship, and other intellectual property rights embodied in or used to provide the Platform or Services, excluding Customer Data.
  10. 1.10. "Precoro Account" means an account linked to a particular User and Customer through the registration process and the information provided in connection with creating such account.
  11. 1.11. "Services" means the services provided by Precoro through the Website and Platform that streamline procurement and related business processes, including creating, recording, approving, and managing requests, purchase orders, invoices, catalogs, budgets, and related workflows, as updated from time to time.
  12. 1.12. "Service Agreement" means a document, order form, statement of work, or other written instrument, including one executed electronically or by e-mail, that sets out specific commercial or service arrangements between the Customer and Precoro.
  13. 1.13. "Terms" means these Terms and Conditions, as updated in accordance with Section 2.3.
  14. 1.14. "User" means an individual who is an employee, contractor, or other authorized representative of the Customer and is authorized by the Customer to access and use the Platform through a Precoro Account.
  15. 1.15. "Website" means the websites used by Precoro to provide the Services, including https://precoro.com, https://app.precoro.com/, and https://app.precoro.us, as may be updated from time to time.
  16. 1.16. "EU/EEA Customer" means a Customer established in the European Union or the European Economic Area.
  17. 1.17. "Switching Request" means a written request submitted by an EU/EEA Customer while the Services are active, including during any applicable notice period, to: (i) switch from the Services to a different service provider; or (ii) retrieve and erase Exportable Data and Digital Assets in accordance with Regulation (EU) 2023/2854 (Data Act).
  18. 1.18. "Exportable Data" and "Digital Assets" have the meanings set out in Regulation (EU) 2023/2854 (Data Act).

2. Subject Matter and General Information

  1. 2.1. These Terms govern the Customer's and its Users' access to and use of the Website, Platform, and Services.
  2. 2.2. By creating a Precoro Account, executing a Service Agreement, clicking to accept, or otherwise accessing or using the Services, the Customer agrees to be bound by these Terms.
  3. 2.3. Precoro may update these Terms from time to time. Any such updates will apply prospectively. Precoro will make updated Terms available on its Website and, where reasonably practicable, provide notice of material changes. By continuing to access or use Precoro after the effective date of any amendments, you acknowledge your acceptance of the revised Terms.

3. Our Services

  1. 3.1. The Customer must maintain a Precoro Account to access the Services and any Additional Services.
  2. 3.2. The Customer is responsible for ensuring that all information provided in connection with the creation and maintenance of a Precoro Account is accurate, current, and complete.
  3. 3.3. The Customer must promptly notify Precoro of any actual or suspected unauthorized use of the Platform or any Precoro Account. Precoro may suspend, deactivate, or replace any Precoro Account if it determines, acting reasonably, that such account may have been compromised or is being used in breach of these Terms.
  4. 3.4. The Customer is responsible for all Users' compliance with these Terms, Precoro's documentation, and any policies published by Precoro from time to time. The Customer and its Users must not:
    1. 3.4.1. use the Platform to send, upload, collect, transmit, store, use, disclose, process, or request Precoro to obtain any Customer Data or other information that: (a) contains viruses, worms, malicious code, or other harmful software; (b) the Customer or User does not have the lawful right to use, disclose, process, or transmit; or (c) violates applicable law or infringes any third-party right;
    2. 3.4.2. disable, overburden, impair, or otherwise interfere with the Platform or the servers or networks connected to it;
    3. 3.4.3. attempt to gain unauthorized access to the Platform or related systems or networks;
    4. 3.4.4. use data mining, bots, scraping tools, or similar data gathering or extraction methods, or reverse engineer, reverse assemble, disassemble, decompile, copy, or modify the Platform except to the extent expressly permitted by applicable law;
    5. 3.4.5. use the Platform to build a similar or competitive product or service; or
    6. 3.4.6. use the Platform in any manner not expressly permitted by these Terms.
  5. 3.5. If Precoro identifies activity described in Section 3.4 or otherwise reasonably suspects a material breach of these Terms, it may suspend access to the affected Precoro Account or Services to the extent reasonably necessary to protect the Platform, other customers, or Precoro's legitimate interests.
  6. 3.6. Precoro may restrict, suspend, or terminate access to the Services where the Customer or any User engages in Misuse or otherwise breaches these Terms. To the extent permitted by applicable law, the Customer shall defend, indemnify, and hold harmless Precoro from and against third-party claims, damages, liabilities, costs, and expenses, including reasonable legal fees, arising out of or relating to: (i) Customer Data; (ii) the Customer's or any User's Misuse of the Services; or (iii) the Customer's breach of these Terms.

4. Use of A.I.

  1. 4.1. This Section governs the Customer's and its Users' use of the A.I. functions made available through the Precoro Account, including invoice matching and A.I. chat functionality.
  2. 4.2. No product orders or service matters are accepted through the A.I. functions unless explicitly stated otherwise by Precoro in writing.
  3. 4.3. A.I. functions are designed for specific, limited purposes and are not intended for any use outside those express purposes. A.I. functions may not be used to make or solicit offers or to generate content that violates these Terms or applicable law.
  4. 4.4. Precoro may use third-party artificial intelligence service providers to enable certain A.I. functions. Precoro may change such providers from time to time in accordance with its Privacy Policy, security practices, and applicable law.
  5. 4.5. Information submitted to the A.I. functions will be processed by Precoro and its authorized service providers solely for the purpose of providing, securing, supporting, and improving the A.I. functions and the Services, in accordance with these Terms, the Privacy Policy, and applicable law.
  6. 4.6. Precoro grants the Customer a limited, revocable, non-exclusive, non-transferable, and non-sublicensable right to use the A.I. functions solely as part of the Services and in accordance with these Terms.
  7. 4.7. Precoro does not guarantee the accuracy, completeness, or fitness for a particular purpose of output generated by the A.I. functions. Because of the probabilistic nature of machine learning, A.I. output may be inaccurate or incomplete and must be reviewed by the Customer before being relied upon.
  8. 4.8. The Customer and its Users shall not use the A.I. functions in violation of these Terms, applicable law, third-party rights, or any usage restrictions communicated by Precoro.
  9. 4.9. Use of the A.I. functions is voluntary. If the Customer or a User does not use such features, the associated third-party A.I. services will not be engaged for that use case.
  10. 4.10. In addition to the limitations set out elsewhere in these Terms, the Customer acknowledges that use of the A.I. functions is at its own risk and that Precoro's sole obligation is to provide the A.I. functions as part of the Services in accordance with these Terms.
  11. 4.11. Customer Data submitted to or processed within the Platform remains Customer Data. Precoro will not use Customer Data to train or develop generalized A.I. or machine learning models, except as necessary to provide, maintain, secure, and support the Services, and only in accordance with these Terms and applicable law.

5. Payment Terms

  1. 5.1. The Customer shall pay the fees for the Services and any Additional Services in accordance with the applicable Payment Plan, invoice, Service Agreement, or Order Form.
  2. 5.2. Subscription fees are invoiced in advance and are due within the payment period stated on the invoice. The subscription term begins when the initial payment and any agreed implementation fees are received, unless otherwise stated in writing. Unless otherwise expressly stipulated in the Invoice, the Customer shall pay all invoices within ten (10) calendar days of the invoice date.
  3. 5.3. All payment obligations under these Terms remain in force at all times, and all payments are non-cancellable and non-refundable except as expressly stated in these Terms or the applicable Service Agreement.
  4. 5.4. Fees shall be invoiced and payable in the currency stated in the applicable invoice, Service Agreement, or Order Form.
  5. 5.5. Subscription fees for the applicable subscription term are fixed during that term, unless otherwise expressly stated in the applicable Service Agreement or Order Form. You can download your invoice or pay by credit card here:
  6. 5.6. Each tier includes a maximum number of Users unless otherwise agreed in writing. If the number of Users exceeds the maximum number permitted under the selected tier, the Customer must upgrade to the next applicable tier or otherwise pay the additional fees specified by Precoro.
  7. 5.7. If the Customer upgrades its tier within the same Payment Plan during an active term, additional fees may apply on a pro rata or other basis, as described in the applicable Payment Plan or invoice. Any change from one Payment Plan to another may require contacting Precoro support or executing an updated Service Agreement or Order Form.
  8. 5.8. The Customer's Precoro Account may be activated after Precoro receives the required initial payment for the Services and any ordered Additional Services, unless otherwise agreed in writing.
  9. 5.9. Precoro may issue invoices using the Customer's billing and contact details on file. The Customer is responsible for keeping such details accurate and current.
  10. 5.10. If the Customer disputes an invoice or charge, it must notify Precoro in writing within thirty (30) days after the invoice date, providing reasonable detail regarding the basis of the dispute. The Customer shall timely pay all undisputed amounts.
  11. 5.11. Precoro may suspend the Customer's access to the Services for non-payment after providing notice and a reasonable opportunity to cure, except where a shorter period is reasonably required to protect Precoro from material financial or operational risk.
  12. 5.12. Fees do not include applicable taxes, levies, duties, or similar governmental assessments, including sales, use, VAT, GST, HST, withholding, or other taxes, all of which are the Customer's responsibility except for taxes based on Precoro's net income.
  13. 5.13. Fees may be adjusted on renewal to reflect changes in CPI or another agreed index. Any such adjustment applies only to a renewal term and not to the then-current committed term.
  14. 5.14. Precoro may update its standard list pricing, tiers, or Payment Plans from time to time. Any such updates apply only upon the Customer's renewal or purchase of a new subscription term, unless otherwise agreed in writing.

6. Limited Warranty; Exclusive Remedy

  1. 6.1. Precoro warrants that, during the applicable subscription term, the Platform will materially conform to the functionality described in the applicable Payment Plan, Service Agreement, or Order Form, subject to reasonable updates, upgrades, maintenance, bug fixes, security changes, and changes that do not materially reduce the core functionality purchased by the Customer.
  2. 6.2. As the Customer's sole and exclusive remedy for a breach of the warranty in Section 6.1, the Customer must notify Precoro in writing of a reproducible material non-conformity. If Precoro fails to cure such non-conformity within thirty (30) days after receipt of such notice, Precoro may, at its option: (i) correct the non-conformity; or (ii) terminate the affected Services and refund the prorated prepaid fees for the terminated portion of the unused subscription term.
  3. 6.3. This warranty does not apply to any non-conformity caused by misuse, unauthorized modifications, third-party systems, Customer Data, or use of the Platform contrary to these Terms or Precoro's documentation.

7. Our Responsibility to You

  1. 7.1. Subject to the Customer's compliance with these Terms, Precoro will make the Platform available to the Customer during the applicable subscription term in accordance with these Terms.
  2. 7.2. Precoro may suspend, limit, or modify access to the Precoro Account or the Platform, in whole or in part:
    1. 7.2.1. upon prior notice where reasonably practicable, for planned maintenance, updates, or improvements;
    2. 7.2.2. immediately and without prior notice where necessary to protect the security, integrity, or availability of the Platform, to comply with applicable law, or to address a material risk or emergency; or
    3. 7.2.3. in the event of the Customer's material breach of these Terms, including non-payment.
  3. 7.3. Precoro may modify the Platform from time to time, provided that such modifications do not materially reduce the core functionality purchased by the Customer during the applicable subscription term, except where a change is required by law, security needs, or a third-party dependency outside Precoro's reasonable control.
  4. 7.4. Precoro will use commercially reasonable efforts to provide reasonable advance notice of any suspension, termination, or limitation under this Section where reasonably practicable.
  5. 7.5. Precoro will use commercially reasonable efforts to maintain the availability, security, and performance of the Platform in a manner consistent with generally accepted industry practices. Any service level commitments, if applicable, shall be set out exclusively in a separate written service level agreement, Service Agreement, or Order Form signed by Precoro.
  6. 7.6. Precoro maintains business continuity, backup, and disaster recovery measures designed in accordance with its internal security and operational policies. Specific recovery objectives, backup frequencies, and infrastructure configurations may be updated by Precoro from time to time.

8. Limitation of Liability

  1. 8.1. To the maximum extent permitted by applicable law, in no event shall either Party be liable to the other for any indirect, incidental, special, consequential, exemplary, or punitive damages, or for any loss of profits, revenues, goodwill, business interruption, or loss of data, arising out of or relating to these Terms, the Platform, or the Services, even if advised of the possibility of such damages.
  2. 8.2. To the maximum extent permitted by applicable law, Precoro's aggregate liability arising out of or relating to these Terms, the Platform, or the Services shall not exceed the total fees paid or payable by the Customer to Precoro under these Terms during the twelve (12) months immediately preceding the event giving rise to the claim.
  3. 8.3. The exclusions and limitations in this Section do not apply to: (i) the Customer's payment obligations; (ii) either Party's fraud, gross negligence, or willful misconduct, to the extent such liability cannot be limited under applicable law; (iii) the Customer's infringement or misappropriation of Precoro's intellectual property rights; or (iv) liability that cannot be excluded or limited by applicable law.
  4. 8.4. The Parties agree that the fees payable under these Terms reflect the allocation of risk set out in these Terms.

9. Intellectual Property

  1. 9.1. The Website, Platform, Services, and all Property are and remain the intellectual property of Precoro or its licensors. Except for the limited rights expressly granted under these Terms, no rights are granted to the Customer by implication, estoppel, or otherwise.
  2. 9.2. All rights, title, and interest in and to the Property remain with Precoro and are not sold to the Customer. The Customer acquires only the limited right to use the Platform and Services during the applicable subscription term in accordance with these Terms.
  3. 9.3. Precoro may identify the Customer as a customer of Precoro and use the Customer's name and logo on Precoro's website and in marketing materials, subject to the Customer's then-current trademark usage guidelines made available to Precoro. Upon the Customer's written request, Precoro will cease such use within a reasonable period.

10. Privacy, Data Protection, and Confidentiality

  1. 10.1. Precoro's Privacy Policy describes the types of data collected, how such data is used, and the legal bases for processing, and it forms part of the framework governing the Services to the extent applicable.
  2. 10.2. Where the Parties' cooperation is subject to the General Data Protection Regulation (GDPR) or other applicable data protection law, each Party agrees to comply with such law in connection with its processing of personal data.
  3. 10.3. Each Party, as the receiving party, shall use the other Party's Confidential Information solely as necessary to perform or receive the Services under these Terms and shall protect such Confidential Information using reasonable care, but no less than the care it uses to protect its own similar confidential information.
  4. 10.4. "Confidential Information" means non-public information disclosed by one Party to the other that is identified as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. Confidential Information does not include information that: (i) is or becomes public through no fault of the receiving Party; (ii) was lawfully known to the receiving Party without restriction before receipt; (iii) is lawfully obtained from a third party without restriction; or (iv) is independently developed without use of the disclosing Party's Confidential Information.
  5. 10.5. The receiving Party may disclose Confidential Information to its employees, contractors, advisors, and affiliates who have a need to know and are bound by confidentiality obligations no less protective than those set out herein, and as required by law, provided that where legally permitted it gives prompt notice to the disclosing Party.
  6. 10.6. The confidentiality obligations in this Section survive termination of these Terms for five (5) years, and indefinitely with respect to trade secrets for so long as they remain trade secrets under applicable law.

11. Switching and Data Portability (EU Data Act)

  1. 11.1. Applicability (EU/EEA only). This Section applies only to an EU/EEA Customer and only where the EU/EEA Customer submits a Switching Request while the Services are active. Any request submitted after the Services have ended may be handled by Precoro in its discretion or as otherwise required by applicable law.
  2. 11.2. Self-service export during the subscription term. During an active subscription or service period, the Customer may export or download its Customer Data available in the user interface at any time using the then-current export functionality made available by Precoro.
  3. 11.3. Notice period (maximum 2 months) and start of switching. The EU/EEA Customer may initiate switching by submitting a Switching Request. Precoro may require a notice period for initiating the switching process, provided that such period does not exceed two (2) months and complies with applicable law.
  4. 11.4. Transitional period (maximum 30 days) and Precoro obligations during switching. After expiry of the notice period, Precoro shall execute the switching process without undue delay and, in any event, not later than thirty (30) calendar days, unless a longer period is permitted under Section 11.10 and applicable law. During switching, Precoro shall:
    1. 11.4.1. provide reasonable cooperation, subject to the technical capabilities of the Services and the Customer's timely cooperation;
    2. 11.4.2. act with due care to maintain business continuity and continue providing the contracted functions or services during the applicable transition period;
    3. 11.4.3. provide clear information concerning known continuity risks; and
    4. 11.4.4. ensure an appropriate level of security throughout switching, including during transfer and throughout the retrieval period in accordance with applicable law.
  5. 11.5. Exit strategy support. Precoro will provide information reasonably necessary to support the Customer's exit strategy and the switching process, to the extent required by applicable law and reasonably available within the standard capabilities of the Services.
  6. 11.6. Retrieval period (30 days). Following the end of the transitional period, the Customer shall have a minimum period of at least thirty (30) calendar days to retrieve Exportable Data and Digital Assets using Precoro's then-current standard export mechanisms, to the extent technically feasible.
  7. 11.7. For the purposes of switching under Regulation (EU) 2023/2854 and this Section 11, the provision of the Services shall cease: (i) upon the successful completion of the switching process; or (ii) at the end of the notice period where the Customer does not wish to switch but requests erasure of its Exportable Data and Digital Assets upon service cessation. Such cessation relates only to the operational provision of the Services and post-switching data access under this Section 11 and does not, by itself, modify or waive the Parties' agreed commercial terms, including any committed subscription term or payment obligations unless otherwise required by applicable law or agreed in writing.
  8. 11.8. Exportable Data scope and trade secrets carve-out. Precoro may exclude categories of data strictly necessary for the internal functioning of the Services where disclosure would create a risk of breach of Precoro's trade secrets, provided that such exclusion complies with applicable law.
  9. 11.9. Erasure after retrieval. After expiry of the retrieval period, or any later period agreed in writing, Precoro shall ensure erasure of all Exportable Data and Digital Assets generated directly by the EU/EEA Customer's use of the Services, except to the extent retention is required by applicable law or a binding order.
  10. 11.10. Technical infeasibility (up to 7 months). Where the 30-day transitional period is technically infeasible, Precoro shall notify the Customer within fourteen (14) working days of the Switching Request, provide a justification, and indicate an alternative transitional period not exceeding seven (7) months, to the extent permitted or required by applicable law.
  11. 11.11. Switching charges. Any switching charges, if applicable, shall comply with Article 29 of Regulation (EU) 2023/2854 and will be disclosed before contracting or otherwise as required by applicable law.

12. Data Retention and Deletion

  1. 12.1. General retention (no switching). Except as provided in Section 11, Precoro retains Customer Data in accordance with the Privacy Policy, internal retention practices, and applicable law.
  2. 12.2. Switching-related erasure. Where Section 11 applies, erasure of Exportable Data and Digital Assets is governed by Section 11.9.
  3. 12.3. Legal retention carve-out. Nothing in these Terms requires Precoro to delete data to the extent and for as long as retention is strictly required by applicable law or a binding order, provided that access to such retained data is restricted accordingly.

13. Term and Termination

  1. 13.1. These Terms take effect upon the earlier of the creation of a Precoro Account, execution of a Service Agreement, or the Customer's first access to or use of the Services, and remain in effect until terminated in accordance with these Terms.
  2. 13.2. Unless otherwise stated in the applicable Service Agreement or Order Form, each subscription term will automatically renew for successive periods equal to the initial subscription term. Renewal subscriptions will be invoiced at Precoro's then-current pricing or as otherwise specified in the applicable Service Agreement or Order Form. Either Party may elect not to renew by providing written notice at least thirty (30) days before the end of the then-current term. The Customer has no right to withdraw from these Terms if there are any debts or financial obligations pertaining to Precoro until any such obligations or debts are settled.
  3. 13.3. Either Party may terminate these Terms or the applicable Service Agreement for material breach if the other Party fails to cure such breach within thirty (30) days after written notice, except that Precoro may suspend or terminate earlier for non-payment, security risk, Misuse, or where required by law.
  4. 13.4. Except as expressly provided in these Terms or the applicable Service Agreement, subscription fees are non-cancellable and non-refundable.
  5. 13.5. An EU/EEA Customer may submit a Switching Request under Section 11 while the Services are active. Switching shall be carried out in accordance with Section 11. Where the Parties have agreed a fixed subscription or service term, the switching process does not, by itself, shorten or waive such commercial commitments unless otherwise required by applicable law or agreed in writing.

14. Force Majeure

  1. 14.1. Neither Party shall be liable for failure or delay in performing its obligations under these Terms to the extent caused by circumstances beyond its reasonable control, including natural disasters, acts of government, war, terrorism, labor disputes, utility failures, internet or telecommunications disruptions, cyber incidents not caused by that Party's breach of these Terms, or failures of third-party infrastructure providers; provided that the affected Party uses commercially reasonable efforts to mitigate the effects of such event and resumes performance as soon as reasonably practicable.

15. General Provisions

  1. 15.1. Governing law. These Terms shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to conflict of law principles, except where applicable law requires otherwise.
  2. 15.2. Venue. The Parties submit to the exclusive jurisdiction of the state and federal courts located in Delaware, except where applicable law requires otherwise.
  3. 15.3. Notices. Notices under these Terms must be in writing and sent by e-mail to the contact details on file or by another method expressly permitted in the applicable Service Agreement. Notices are deemed received when sent, unless the sender receives a delivery failure notice.
  4. 15.4. Assignment. The Customer may not assign or transfer these Terms, in whole or in part, without Precoro's prior written consent, except in connection with a merger, reorganization, or sale of substantially all of its assets where the assignee agrees in writing to be bound by these Terms. Precoro may assign these Terms to an affiliate or in connection with a merger, reorganization, or sale of substantially all of its assets.
  5. 15.5. Entire agreement; order of precedence. These Terms, together with any applicable Service Agreement, Order Form, Privacy Policy, and other documents expressly incorporated by reference, constitute the entire agreement between the Parties regarding the Services and supersede prior or contemporaneous understandings on the same subject matter. In the event of a conflict, the following order of precedence applies: (i) the applicable Service Agreement or Order Form; (ii) these Terms; and (iii) the Privacy Policy or other referenced policies, unless expressly stated otherwise.
  6. 15.6. Severability. If any provision of these Terms is held invalid or unenforceable, the remaining provisions will remain in full force and effect.
  7. 15.7. Waiver. Failure by either Party to enforce any provision of these Terms will not constitute a waiver of future enforcement of that or any other provision.
  8. 15.8. Independent contractors. The Parties are independent contractors. These Terms do not create any partnership, franchise, joint venture, agency, fiduciary, or employment relationship between the Parties.
  9. 15.9. Survival. Any provisions that by their nature should survive termination or expiration of these Terms shall survive, including provisions relating to payment obligations, intellectual property, confidentiality, limitation of liability, indemnification, governing law, and dispute resolution.

Data Processing Agreement

This Data Processing Agreement (DPA) and its Annexes (the “Agreement”) is an addendum to the Terms of Service (“Principal Agreement”) between the Company (or/and the “Data Processor”) and the Customer (the “Data Controller”). All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.

I. Preamble

  1. 1. The Agreement sets out the rights and obligations of the Data Controller and the Company (the Data Processor), when processing personal data on behalf of the Data Controller.
  2. 2. The Agreement has been designed to ensure the parties’ compliance with Article 28(3) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data and repealing Directive 95/46/EC (GDPR).
  3. 3. In the context of the provision of Services, the Company will process personal data on behalf of the Data Controller in accordance with the Agreement.
  4. 4. The Agreement shall take priority over any similar provisions contained in other agreements between the parties.

II. The Rights and Obligations of the Data Controller

  1. 1. The Data Controller is responsible for ensuring that the processing of Personal Data takes place in compliance with the GDPR, the applicable EU or Member State data protection provisions, and the Agreement.
  2. 2. The Data Controller has the right and obligation to make decisions about the purposes and means of the processing of personal data.
  3. 3. The Data Controller shall be responsible, among other things, for ensuring that the processing of personal data, which the Company is instructed to perform, has a legal basis.

III. Processing of Personal Data

  1. 1. Company shall:
    1. 1.1. comply with all applicable data protection laws in the processing of personal data; and
    2. 1.2. not process personal data other than on the relevant Data Controller’s documented instructions.
  2. 2. The Data Controller instructs Company to process personal data.
  3. 3. Company shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any sub-processor who may have access to the Data Controller’s personal data, ensuring in each case that access is strictly limited to those individuals who need to know/access the relevant Data Controller’s personal data, as strictly necessary for the purposes of the Principal Agreement, and to comply with applicable laws in the context of that individual’s duties to the sub-processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

IV. Confidentiality

  1. 1. The Company shall only grant access to the personal data being processed on behalf of the Data Controller to persons under the Company’s authority who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and only on a need-to-know basis. The list of persons to whom access has been granted shall be kept under periodic review. On the basis of this review, such access to personal data can be withdrawn if access is no longer necessary, and personal data shall consequently not be accessible anymore to those persons.
  2. 2. The Company shall, at the request of the Data Controller, demonstrate that the concerned persons under the Company’s authority are subject to the abovementioned confidentiality.

V. Security of Processing

  1. 1. Article 32 GDPR stipulates that, taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Controller and Company shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
  2. 2. The Data Controller shall evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks.
  3. 3. Depending on their relevance, the measures may include the following:
    1. a) Pseudonymisation and encryption of personal data;
    2. b) the ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
    3. c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
    4. d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
  4. 4. According to Article 32 GDPR, the Company shall also – independently from the Data Controller – evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. To this effect, the Data Controller shall provide the Company with all information necessary to identify and evaluate such risks.
  5. 5. Furthermore, the Company shall assist the Data Controller in ensuring compliance with the Data Controller’s obligations pursuant to Article 32 GDPR by inter alia providing the Data Controller with information concerning the technical and organizational measures already implemented by the Company pursuant to Article 32 GDPR along with all other information necessary for the Data Controller to comply with the Data Controller’s obligation under Article 32 GDPR.

VI. Use of Sub-processors

  1. 1. Customer agrees that the Company may engage sub-processors to process personal data on Customer's behalf in accordance with applicable law. A current list of the Company sub-processors may be found at https://precoro.com/privacy. Customer acknowledges and agrees to the engagement of the third parties listed on the sub-processor page as sub-processors in connection with the provision of the Services under this Agreement.
  2. 2. Where Company engages a sub-processor, Company will enter into a Data Processing Agreement with the sub-processor that imposes on the sub-processor at least the same level of protection that applies to Company under this Agreement.
  3. 3. If the Company engages a sub-processor in a country outside the European Economic Area that is not recognized by the European Commission as providing an adequate level of protection for personal data, then Company shall, in advance of any transfer of personal data to sub-processor, take steps to ensure that a legal mechanism to achieve adequacy in respect of that processing is in place.
  4. 4. Company shall provide Customer reasonable advance notice (for which email shall suffice) if it adds or removes sub-processors. Customer may object in writing to Company’s appointment of a new sub-processor on reasonable grounds relating to data protection by notifying Company promptly in writing within five (5) calendar days of receipt of Company’s notice. Such notice shall explain the reasonable grounds for the objection. In such an event, the parties shall discuss such concerns in good faith with a view to achieving a commercially reasonable resolution. If this is not possible, either party may terminate the applicable Services that cannot be provided by Company without the use of the objected-to new sub-processor.

VII. Transfer of Data to Third Countries or International Organisations

  1. 1. Any transfer of personal data to third countries or international organizations by the Company shall only occur on the basis of documented instructions from the Data Controller and shall always take place in compliance with Chapter V GDPR.
  2. 2. In case transfers to third countries or international organizations, which the Company has not been instructed to perform by the Data Controller, are required under EU or Member State law to which the Company is subject, the Company shall inform the Data Controller of that legal requirement prior to processing unless that law prohibits such information on important grounds of public interest.

VIII. Assistance to the Data Controller

  1. 1. Taking into account the nature of the processing, the Company shall assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, in the fulfillment of the Data Controller’s obligations to respond to requests for exercising the data subject’s rights laid down in Chapter III GDPR:
    1. a) the right to be informed when collecting personal data from the data subject
    2. b) the right to be informed when personal data have not been obtained from the data subject
    3. c) the right of access by the data subject
    4. d) the right to rectification
    5. e) the right to erasure (‘the right to be forgotten’)
    6. f) the right to restriction of processing
    7. g) notification obligation regarding rectification or erasure of personal data or restriction of processing
    8. h) the right to data portability
    9. i) the right to object
    10. j) the right not to be subject to a decision based solely on automated processing, including profiling.

IX. Notification of Personal Data Breach

  1. 1. The Company shall notify the Data Controller without undue delay upon Company becoming aware of a personal data breach affecting the Data Controller's personal data, providing the Data Controller with sufficient information to allow the Data Controller to meet any obligations to report or inform data subjects of the personal data breach under the data protection laws.
  2. 2. The Company shall co-operate with the Data Controller and take reasonable commercial steps as directed by the Data Controller to assist in the investigation, mitigation, and remediation of each such personal data breach.

X. Erasure and Return of Data

  1. 1. Subject to this section X, the Company shall promptly, and in any event within 10 business days of the date of cessation of any Services involving the processing of the Data Controller's personal data (the “Cessation Date”), delete and procure the deletion of all copies of the Data Controller's personal data.

XI. Audit and Inspection

  1. 1. Subject to this section XI, Company shall make available to the Data Controller on request all information necessary to demonstrate compliance with this Agreement and shall allow for and contribute to audits, including inspections, by the Data Controller or an auditor mandated by the Data Controller in relation to the processing of the Data Controller's personal data by the sub-processors.
  2. 2. The Company shall be required to provide the supervisory authorities, which pursuant to applicable legislation have access to the Data Controller’s and the Company’s facilities, or representatives acting on behalf of such supervisory authorities, with access to the Company’s physical facilities on presentation of appropriate identification.

XII. The Parties' Agreement on Other Terms

  1. 1. The parties may agree on other clauses concerning the provision of the personal data processing service specifying e.g., liability, as long as they do not contradict directly or indirectly the Agreement or prejudice the fundamental rights or freedoms of the data subject and the protection afforded by the GDPR.

XIII. General Terms

  1. 1. Notices. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post, or sent by email to the address or email address set out in the heading of this Agreement or at such other address as notified from time to time by the parties changing address.
  2. 2. Governing Law and Jurisdiction. This Agreement is governed by the laws of the State of Delaware.
  3. 3. Any dispute arising in connection with this Agreement, which the parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of the State of Delaware.

IN WITNESS WHEREOF, this Agreement is entered into with effect from the date first set out below.

ANNEX
STANDARD CONTRACTUAL CLAUSES

SECTION I

Clause 1. Purpose and scope

  1. (a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.
  2. (b) The Parties:
    1. (i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and
    2. (ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”)
  have agreed to these standard contractual clauses (hereinafter: “Clauses”).
  3. (c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
  4. (d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2. Effect and invariability of the Clauses

  1. (a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
  2. (b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3. Third-party beneficiaries

  1. (a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
    1. (i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
    2. (ii) Clause 8 - Module One: Clause 8.5 (e) and Clause 8.9(b); Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g); Module Four: Clause 8.1 (b) and Clause 8.3(b);
    3. (iii) Clause 9 - Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e);
    4. (iv) Clause 12 - Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f);
    5. (v) Clause 13;
    6. (vi) Clause 15.1(c), (d) and (e);
    7. (vii) Clause 16(e);
    8. (viii) Clause 18 - Modules One, Two and Three: Clause 18(a) and (b); Module Four: Clause 18.
  2. (b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4. Interpretation

  1. (a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
  2. (b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
  3. (c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5. Hierarchy

  1. In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6. Description of the transfer(s)

  1. The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7 - Optional. Docking clause

  1. (a) An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.
  2. (b) Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.
  3. (c) The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8. Data protection safeguards

  1. 8.1 Instructions
    1. (a) The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.
    2. (b) The data importer shall immediately inform the data exporter if it is unable to follow those instructions.
  2. 8.2 Purpose limitation
    1. The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.
  3. 8.3 Transparency
    1. On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
  4. 8.4 Accuracy
    1. If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.
  5. 8.5 Duration of processing and erasure or return of data
    1. Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
  6. 8.6 Security of processing
    1. (a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
    2. (b) The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
    3. (c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
    4. (d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.
  7. 8.7 Sensitive data
    1. Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.
  8. 8.8 Onward transfers
    1. The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
      1. (i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
      2. (ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in question;
      3. (iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
      4. (iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.
    2. Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
  9. 8.9 Documentation and compliance
    1. (a) The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.
    2. (b) The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.
    3. (c) The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.
    4. (d) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
    5. (e) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

Clause 9. Use of sub-processors

MODULE TWO: Transfer controller to processor

  1. (a) The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least one month in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
  2. (b) Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
  3. (c) The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
  4. (d) The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.
  5. (e) The data importer shall agree a third-party beneficiary clause with the sub-processor whereby - in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent - the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

Clause 10. Data subject rights

MODULE TWO: Transfer controller to processor

  1. (a) The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.
  2. (b) The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
  3. (c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.

Clause 11. Redress

MODULE TWO: Transfer controller to processor

  1. (a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
  2. (b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
  3. (c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
    1. (i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
    2. (ii) refer the dispute to the competent courts within the meaning of Clause 18.
  4. (d) The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
  5. (e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
  6. (f) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12. Liability

MODULE TWO: Transfer controller to processor

  1. (a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
  2. (b) The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
  3. (c) Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.
  4. (d) The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
  5. (e) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
  6. (f) The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage.
  7. (g) The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

Clause 13. Supervision

MODULE TWO: Transfer controller to processor

  1. (a) The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
  2. (b) The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14. Local laws and practices affecting compliance with the Clauses

MODULE TWO: Transfer controller to processor

  1. (a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
  2. (b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
    1. (i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
    2. (ii) the laws and practices of the third country of destination – including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
    3. (iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
  3. (d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
  4. (e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).
  5. (f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by [for Module Three: the controller or] the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15. Obligations of the data importer in case of access by public authorities

  1. 15.1 Notification
    1. (a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
      1. (i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
      2. (ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
    2. (b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
    3. (c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).
    4. (d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
    5. (e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.
  2. 15.2 Review of legality and data minimisation
    1. (a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
    2. (b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.
    3. (c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

SECTION IV – FINAL PROVISIONS

Clause 16. Non-compliance with the Clauses and termination

  1. (a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
  2. (b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
  3. (c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
    1. (i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
    2. (ii) the data importer is in substantial or persistent breach of these Clauses; or
    3. (iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
  4. In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
  5. (d) Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
  6. (e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17. Governing law

MODULE TWO: Transfer controller to processor

  1. These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Lithuania.

Clause 18. Choice of forum and jurisdiction

MODULE TWO: Transfer controller to processor

  1. (a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.
  2. (f) The Parties agree that those shall be the courts of Lithuania.
  3. (g) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
  4. (h) The Parties agree to submit themselves to the jurisdiction of such courts.

APPENDIX

ANNEX I

  1. A. LIST OF PARTIES
    1. Data exporter(s): As per signed Service Agreement, Order Form or equivalent engagement agreement.
    2. Data importer(s): As per signed Service Agreement, Order Form or equivalent engagement agreement.
  2. B. DESCRIPTION OF TRANSFER
    1. Categories of data subjects whose personal data is transferred
      • Controller’s employees
      • Controller’s suppliers
    2. Categories of personal data transferred
      • Log files, which contain information about a user’s IT system, a user’s IP address, browser type, domain names, internet service provider (ISP), the pages viewed on our site, operating system, access times, and referring website addresses
      • Name, Surname
      • Job title
      • Phone number
      • Email address
    3. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
      N/A
    4. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
      Continuous basis
    5. Nature of the processing
      • Monitoring activities
      • Support and Maintenance
      • Authorization and Authentication of system users
      • Analytics of system usage needed for analyzing the quality of services provisioning
      • Other technical activities needed to perform services as per the Purchase Order, Service Agreement, Order Form or other equivalent engagement agreement.
    6. Purpose(s) of the data transfer and further processing
      • to provide, operate, and maintain services
      • to improve, analyze, and personalize services
      • to contact Precoro for support
      • to store end-user data
    7. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
      One year after the end of the contract
    8. For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
      The list of actual sub-processors may be found in the Privacy Policy
  3. C. COMPETENT SUPERVISORY AUTHORITY
    1. Lithuanian Supervisory Authority

ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

  1. 2.1.1 Organization of Information Security
    1. a) Security Ownership. The Data Processor has appointed an information security officer responsible for coordinating and monitoring the security rules and procedures.
    2. b) Security Roles and Responsibilities. The Data Processor personnel with access to personnel data are subject to confidentiality obligations.
  2. 2.1.2 Human Resources Security
    1. a) General. The Data Processor informs its personnel about relevant security procedures and their respective roles. The Data Processor also informs its personnel of the possible consequences of breaching its security policies and procedures. Employees who violate security policies may be subject to disciplinary action, up to and including termination of employment. A violation of this policy by a temporary worker or contractor may result in the termination of his or her contract or assignment with the Data Processor.
    2. b) Training. The Data Processor personnel with access to personal data receive:
      1. I. annual mandatory training regarding privacy and security procedures for the Services to aid in the prevention of unauthorized use (or inadvertent disclosure) of personal data;
      2. II. annual training regarding effectively responding to security events;
      3. III. training is regularly reinforced through refresher training courses, emails, posters, notice boards, and other training materials.
  3. 2.1.3 Device Management
    1. a) Devices. Data Processor personnel use trusted devices/corporate desktops and laptops, and corresponding controls are applied to non-enrolled devices. A full suite of anti-malware products is operated in real-time on all Data Processor’s servers and computers.
    2. b) Removable Media. Where necessary, removable media ports are restricted from being connected to media without prior authorization.
    3. c) Software. New software is installed and tested on isolated systems to prevent the infection of live operating systems.
    4. d) Updating. All software including the operating system and the anti-malware software on the machines is updated and patched frequently.
  4. 2.1.4 Personnel Access Controls
    1. a) Access Policy. An access control policy is established, documented, and reviewed based on business and information security requirements.
    2. b) Access Recordkeeping. The Data Processor maintains a record of security privileges of its personnel that have access to personal data, networks, and network services.
    3. c) Access Authorization.
    5. I. The Data Processor has data access policies that implement the following:
      1. i. Principles of least privilege and need to know basis access;
      2. ii. Regular access rights reviews;
      3. iii. Traceability of every login to a single person;
      4. iv. Lock-outs of accounts due to failed login attempts;
      5. v. Locking access of unattended laptops/devices after 10 minutes of inactivity;
      6. vi. Clean desk and clear screen controls;
      7. vii. Regular review of unauthorized access events (on a weekly or per need basis).
    6. II. The Data Processor has password policies that follow industry best practices with password length/complexity requirements.
  5. 2.1.5 Cryptography
    1. a. Cryptographic controls:
      1. I. The Data Processor maintains policies on the use of cryptographic controls based on assessed risks.
      2. II. The Data Processor ensures that the used cryptographic standards adhere to industry standards.
    2. b. Key management.
      There are measures for managing keys and digital certificates included in cryptographic controls policies.
  6. 2.1.6 Physical and Environmental Security
    1. a. Physical Access to Facilities
      1. I. The Data Processor limits access to its facilities where systems that process personal data are located to authorized individuals.
      2. II. A security alarm system or other appropriate security measures are in place to provide alerts of security intrusions.
    2. b. Protection from Disruptions.
      1. I. Data Processor’s facilities are designed in a way that safeguards confidential information and assets;
      2. II. Equipment is protected to reduce risks from unauthorized access, environmental threats, and hazards;
      3. III. Equipment is protected from power supply interruption and other disruptions caused by failures in supporting utilities;
      4. IV. Power and telecommunications cabling carrying data or supporting information services are protected from interception or damage; and
      5. V. Equipment is correctly maintained to help ensure the availability and integrity of confidential information and assets.
  7. 2.1.7 Operations Security
    1. a. The Data Processor maintains policies describing its security measures and the relevant procedures and responsibilities of its personnel who have access to personal data and to its systems and networks.
    2. b. Timely update. The Data Processor continues to update its operational processes, procedures, and/or practices in a timely manner to ensure that they are effective against the latest threats discovered.
    3. c. Mobile Devices. When mobile devices are used to access personal data, they are managed according to the Endpoint Protection Policy. In this case, the Data Processor’s personnel follow the general code of conduct, recognizing the need to protect accessed data. Technical measures described in p. 2.1.3 fully apply to mobile device protection.
    4. d. Backup. Backup recovery media, where possible, is kept in an encrypted format.
  8. 2.1.8 Communications Security and Data Transfer
    1. a. Network policies. The Data Processor has network policies that implement the following:
      1. I. Segregation and filtering of traffic between the Internet and Corporate Zones and between different Corporate Zones;
      2. II. Intrusion detection capability;
      3. III. Access control and password policies on network devices.
  9. 2.1.9 System Acquisition, Development, and Maintenance
    1. a) Security Requirements. The Data Processor has adopted security requirements for the purchase or development of information systems, including for application services delivered through public networks.
    2. b) Change management. The Data Processor has a formal process for making changes in IT services and infrastructure systems that ensures that all changes are made in a thoughtful way to minimize negative impact to services and clients.
  10. 2.1.10 Information Security Incident Management
    1. a) Response Process. The Data Processor has a robust incident handling and response process that includes the containment of threats, investigation, recovery, and restoration of services. The Data Processor maintains a record of information security breaches with a description of the breach, the severity of the incident, the name of the reporter and to whom the breach was reported, and the procedure for recovering data.
    2. b) Reporting. The Data Processor will report within 24 hours to the Data Controller any security incident that has resulted in a loss, misuse, or unauthorized acquisition of personal data processed under this agreement.
  11. 2.1.11 Information Security Aspects of Business Continuity Management
    1. a) Planning. The Data Processor maintains business continuity and disaster recovery plans for the facilities in which the Data Processor information systems that process personal data are located.
    2. b) Data Recovery. The Data Processor’s redundant storage and its procedures for recovering data are designed to attempt to reconstruct personal data in its original state from before the time it was lost or destroyed.
  12. 2.1.12 Annual Audit

    Data Processor maintains current independent verification of the effectiveness of its technical and organizational security measures (e.g., SOC2 Type 1 or Type 2, or other relevant industry-recognized independent security review report). The independent information security review is performed at least annually.

    1. 3. Data Retention Period/Data Erasure Procedures
      Personal data is being stored for the period of services provision and no longer than 1 year after termination of the contract unless otherwise required by applicable legislation.
    2. 4. Instructions on Transfer of Personal Data to a Third Country or International Organisations

    The Data Processor shall only disclose the personal data to a third party on documented instructions from the Data Controller. In addition, the data may only be disclosed to a third party located outside the European Union (4) (in the same country as the Data Processor or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:

    1. I. the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
    2. II. the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in question;
    3. III. the onward transfer is necessary for the establishment, exercise or defense of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
    4. IV. the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

    Any onward transfer is subject to compliance by the Data Processor with all the other safeguards under these Clauses, in particular purpose limitation.

ANNEX III - INTERNATIONAL DATA TRANSFER ADDENDUM TO THE EU COMMISSION STANDARD CONTRACTUAL CLAUSES

VERSION B1.0, in force 21 March 2022

This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

Part 1: Tables

Table 1: Parties

    Start date: The effective date of the applicable Service Agreement or acceptance of the Terms by the Customer, whichever occurs first.

    The Parties: Exporter (who sends the Restricted Transfer) and Importer (who receives the Restricted Transfer)

    Parties’ details (Exporter)

    Full legal name: The Customer established in the United Kingdom that enters into the applicable Service Agreement or accepts the Terms and Conditions.

    Trading name (if different): As specified by the Customer.

    Main address (if a company registered address): As provided by the Customer in the applicable Service Agreement, Order Form, or account registration details.

    Official registration number (if any) (company number or similar identifier): As provided by the Customer (if applicable).

    Parties’ details (Importer)

    Full legal name: The Precoro contracting entity identified in the applicable Service Agreement / Order Form, being either:

    1. (i) Precoro, Inc., a company incorporated in Delaware, United States; or
    2. (ii) UAB “Procurement Technologies”, a company incorporated in Lithuania,
      as applicable.

    Trading name (if different): Precoro

    Main address (if a company registered address): as set out in the applicable Service Agreement

    Official registration number (if any) (company number or similar identifier): as applicable

    Key Contact (Exporter)

    Full Name (optional): Not applicable – details as provided by the Customer in the applicable Service Agreement or account registration.

    Job Title: Not applicable

    Contact details including email: As provided by the Customer in the applicable Service Agreement or account registration.

    Key Contact (Importer)

    Full Name (optional): Data Protection Contact

    Job Title: Data Protection / Privacy Team

    Contact details including email: support@precoro.com

    Signature (if required for the purposes of Section 2)

Table 2: Selected SCCs, Modules and Selected Clauses

  1. Addendum EU SCCs

    ☐ The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:

    Date: 4 June 2021

    Reference (if any): Commission Implementing Decision (EU) 2021/914

    Other identifier (if any):       

    Or

    ☒ the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum: 

  2. Module | Module in operation | Clause 7 (Docking Clause) | Clause 11 (Option) | Clause 9a (Prior Authorisation or General Authorisation) | Clause 9a (Time period) | Is personal data received from the Importer combined with personal data collected by the Exporter?
    1
    2 | Controller to Processor | YES | | General Authorisation | 30 days prior written notice of any new or replacement sub-processor | NO
    3
    4

Table 3: Appendix Information

  1. “Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
  2. Annex 1A: List of Parties: As set out in Table 1 above and the DPA.
    Annex 1B: Description of Transfer: Transfer of Customer Data from a UK-based Customer (Controller) to the Precoro contracting entity identified in the applicable Service Agreement (Processor), including, where applicable, onward transfers of such data to sub-processors located outside the United Kingdom (including in the United States), for the purpose of providing the SaaS procurement platform and related support services as described in the Terms and the DPA.
    Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: As set out in Annex II to the Data Processing Addendum (DPA) concluded between the Parties.
    Annex III: List of Sub processors (Modules 2 and 3 only): As set out in Precoro’s Sub-processor list referenced in the Data Processing Addendum and Privacy Policy and made available to Customers via Precoro’s Trust Portal (https://precoro.trust.site), as updated from time to time in accordance with Clause 9 of the EU SCCs.

Table 4: Ending this Addendum when the Approved Addendum Changes

  1. Ending this Addendum when the Approved Addendum changes

    Which Parties may end this Addendum as set out in Section 19:

    1. ☐ Importer
    2. ☐ Exporter
    3. ☒ neither Party

Part 2: Mandatory Clauses

Entering into this Addendum

  1. 1. Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.
  2. 2. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.

    Interpretation of this Addendum

  3. 3. Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
      Addendum: This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs.
      Addendum EU SCCs: The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information.
      Appendix Information: As set out in Table 3.
      Appropriate Safeguards: The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR.
      Approved Addendum: The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18.
      Approved EU SCCs: The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
      ICO: The Information Commissioner.
      Restricted Transfer: A transfer which is covered by Chapter V of the UK GDPR.
      UK: The United Kingdom of Great Britain and Northern Ireland.
      UK Data Protection Laws: All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
      UK GDPR: As defined in section 3 of the Data Protection Act 2018.
  4. 4. This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
  5. 5. If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.
  6. 6. If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.
  7. 7. If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
  8. 8. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into. 

    Hierarchy

  9. 9. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.
  10. 10. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.
  11. 11. Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.

    Incorporation of and changes to the EU SCCs

  12. 12. This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
    1. a. together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter's processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
    2. b. Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
    3. c. this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
  13. 13. Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.
  14. 14. No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.
  15. 15. The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:

    1. a. References to the "Clauses" means this Addendum, incorporating the Addendum EU SCCs;
    2. b. In Clause 2, delete the words:
      1. "and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679";
    3. c. Clause 6 (Description of the transfer(s)) is replaced with:
      1. "The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter's processing when making that transfer.";
    4. d. Clause 8.7(i) of Module 1 is replaced with:
      1. "it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer";
    5. e. Clause 8.8(i) of Modules 2 and 3 is replaced with:
      1. "the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;"
    6. f. References to "Regulation (EU) 2016/679", "Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)" and "that Regulation" are all replaced by "UK Data Protection Laws". References to specific Article(s) of "Regulation (EU) 2016/679" are replaced with the equivalent Article or Section of UK Data Protection Laws;
    7. g. References to Regulation (EU) 2018/1725 are removed;
    8. h. References to the "European Union", "Union", "EU", "EU Member State", "Member State" and "EU or Member State" are all replaced with the "UK";
    9. i. The reference to "Clause 12(c)(i)" at Clause 10(b)(i) of Module one, is replaced with "Clause 11(c)(i)";
    10. j. Clause 13(a) and Part C of Annex I are not used;
    11. k. The "competent supervisory authority" and "supervisory authority" are both replaced with the "Information Commissioner";
    12. l. In Clause 16(e), subsection (i) is replaced with:
      1. "the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;";
    13. m. Clause 17 is replaced with:
      1. "These Clauses are governed by the laws of England and Wales.";
    14. n. Clause 18 is replaced with:
      1. "Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts."; and
    15. o. The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.

    Amendments to this Addendum

  16. 16. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
  17. 17. If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
  18. 18. From time to time, the ICO may issue a revised Approved Addendum which:

    1. a. makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or
    2. b. reflects changes to UK Data Protection Laws;

    The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.

  19. 19. If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 "Ending the Addendum when the Approved Addendum changes", will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:

    1. a. its direct costs of performing its obligations under the Addendum; and/or
    2. b. its risk under the Addendum,

    and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.

    20. The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.

Alternative Part 2 Mandatory Clauses:

  1. Mandatory Clauses: Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.