Global Data Processing
Agreement (DPA)

Definitions

1. Processing of data

   1. Parties’ roles. As between SIS and the Customer, the Customer is the controller of Customer Personal Data, and SIS shall process Customer Personal Data only as a processor acting on behalf of Customer as described in Annex A (Details of Processing) of this DPA. Customer is responsible for providing all notices and obtaining all consents, licenses, and legal bases required to allow SIS to process Personal Data.
   2. Purpose limitation. SIS shall process Customer Personal Data only in connection with the arrangements envisaged under this DPA and in accordance with Customer’s documented lawful instructions, except where otherwise required by applicable law. Customer instructs SIS and its Sub-processors to process Customer Personal Data as reasonably necessary for the provision of the Products contemplated by the Agreement and to perform its obligations under the Agreement. SIS will not sell, retain or use any Personal Data for any purpose other than as permitted by this DPA, the SIS Terms of Use, or SIS’s privacy policy. SIS will use the technical and organizational measures described in Annex B when processing Personal Data to ensure a level of security appropriate to the risk involved.
   3. Description of processing. A description of the nature and purposes of the Processing, the types of Personal Data, categories of Data Subjects, and the duration of the Processing are set out further in Annex A of this DPA.
   4. Sensitive Data. The Customer, by usage of the services, determines the type of data that can be transmitted or processed into the Products. The Customer is responsible for ensuring that suitable safeguards are in place prior to transmitting or processing, or prior to permitting Customer’s Uses to transmit or process, any Sensitive Data via the Products. The Customer shall take such additional measures (e.g. relating to consent, security, data protection) as are necessary to protect such Sensitive Data in accordance with its obligations under all Applicable Privacy Laws. The processing of any Sensitive Data by SIS will be subject to the scope limitations, restrictions and safeguards as mutually agreed upon by both parties, as reflected in this DPA.
   5. Third Countries. To the extent such data is transferred under this DPA to a Third Country, the parties agree to abide by the SCCs, where applicable, for such consented transfers. In particular, transfers of Personal Data from the European Union, European Economic Area, Switzerland, or the United Kingdom of Great Britain and Northern Ireland (“UK”) to Third Countries are subject to the Standard Contractual Clauses, Module Two or as applicable Module Three. The information required for the purposes of the SCCs is provided in Annex C of this DPA. The SCCs are hereby incorporated into the Agreement and the parties’ acceptance of this DPA shall constitute the parties’ acceptance and signing of the Standard Contractual Clauses. If the terms of the Agreement conflict with the SCCs, the terms of the SCCs will prevail. Notwithstanding the foregoing, in the event any data transfer mechanisms are approved under Applicable Privacy Laws the parties may agree to leverage such data transfer mechanisms in lieu of the Standard Contractual Clauses.
   6. Customer compliance. Customer shall, in its use of the Products, at all times process Personal Data, and provide the Instructions for the processing of Personal Data, in compliance with Applicable Privacy Laws. Customer represents and warrants that Customer has obtained or will obtain, all necessary consents, licenses and approvals for the processing of Personal Data under this DPA and, where applicable, has a valid legal basis under Applicable Privacy Laws for the processing of Personal Data under this DPA. If Customer is a Data Processor of Personal Data, Customer represents and warrants that Customer’s instructions and processing of Personal Data, including its appointment of SIS as a sub-processor, have been authorized by the respective Data Controller. Customer further represents and warrants that Customer (i) will comply with all Applicable Privacy Laws in its performance arising out of this DPA; and (ii) has reviewed SIS’s security practices and acknowledges that such practices are appropriately designed to ensure a level of security appropriate to the risk of processing hereunder.
   7. Notification obligations regarding the Customer's instructions. SIS shall promptly notify the Customer in writing without any obligation to provide legal advice, unless prohibited from doing so under Applicable Privacy Laws, if it becomes aware or believes that any data processing instruction from the Customer violates Applicable Privacy Laws.
2. Return or Deletion of Data
   
   
   1. Following completion of the Products, SIS shall return and delete the Personal Data as set forth under the Agreement or applicable service documentation, or provide Customer the ability to delete such Personal Data directly through the tools or functionality made available by the Service. The foregoing obligations shall not apply (a) where deletion is not permitted under applicable law (including Applicable Privacy Laws) or the order of a governmental or regulatory body; (b) where SIS retains such Personal Data for internal record keeping and compliance with any legal obligations; and (c) where SIS’s then-current data retention or similar back-up system stores Personal Data provided such data will remain protected in accordance with the measures described in the Agreement and this DPA.
3. Authorized Personnel
   
   
   1. SIS shall ensure that all Authorized Personnel are made aware of the confidential nature of Personal Data and have executed confidentiality agreements or are otherwise subject to binding duties of confidentiality that prohibit them from disclosing or otherwise processing any Personal Data except in accordance with the Instructions and their obligations in connection with the Products.
   2. SIS shall take commercially reasonable steps to ensure that Authorized Personnel have received data privacy security and training appropriate to the nature of their processing of Personal Data and the requirements of Applicable Privacy Laws.
4. SIS Sub-processors
   
   
   1. Customer hereby provides SIS with general written authorization to engage Sub-processors to process (including transfer) Personal Data in connection with the Products in accordance with this Section 4.
   2. A list of SIS’s current Sub-processors for all products (the “Sub-processor List”) is available at https://trust.signinsolutions.com/. The relevant link mentioned herein shall be the “Sub-processor List” as applicable for the purposes of this DPA and such URL’s may be updated by SIS from time to time upon notice to the Customer.
   3. The applicable Sub-processors will be deemed authorized by Customer to process Personal Data in connection with this DPA. At least thirty (30) days before enabling any new Sub-processor to access or participate in the processing of Customer Personal Data, SIS will add such Sub-processor to the Sub-processor List and notify Customer of that update. Customer may object to such an engagement on reasonable data protection grounds by providing notice to SIS within ten (10) days of receipt of the aforementioned notice from SIS.
   4. If the Customer has raised a reasonable objection to the new Sub-processor, and the parties have failed to agree on a solution within a reasonable period of time, the Customer shall have the right to terminate the Agreement with a notice period mutually determined by SIS and the Customer, without prejudice to any other remedies available under law or contract. In this event Customer shall immediately pay all fees and costs then owing to SIS up until the date of termination.
   5. If Customer does not object to the engagement of a third party in accordance with Section 4.2, that third party will be deemed an Sub-processor for the purposes of this DPA.
   6. SIS shall ensure that each Sub-processor is subject to obligations regarding the processing of Personal Data that are substantially similar to those which SIS is subject under this DPA.
   7. SIS shall be liable to Customer for any breach of this DPA caused by the acts or omissions of its Sub-processor
   8. If Customer and SIS have entered into the Standard Contractual Clauses as described in Section 6 (Transfers of Personal Data) the above authorizations will constitute Customer’s prior written consent to the subcontracting by SIS of the processing of Personal Data if such consent is required under the Standard Contractual Clauses.
5. Security of Personal Data
   
   
   1. SIS shall implement and maintain appropriate technical and organizational measures designed to (i) ensure a level of security appropriate to the risk presented by the processing of the Personal Data; and (ii) protect the Personal Data from unauthorized access, destruction, use, modification or disclosure. Such technical and organizational measures shall include measures equal to or exceeding the measures set forth in Annex B of this DPA.
6. Transfers of Personal Data
   
   
   1. Only to the extent applicable, or if required by SIS to provide the Products, Customer acknowledges and agrees that SIS and its Sub-processors may process (including transfer) Personal Data in the United Kingdom of Great Britain and Northern Ireland (“UK”), the European Economic Area, the United States of America, Canada, New Zealand and in any other location where SIS or its Sub-processors maintains data processing operations, as set forth in the Sub-processor SIS will at all times provide an adequate level of protection for the Personal Data, in accordance with the requirements of Applicable Privacy Laws and, to the extent applicable, the requirements below.
   2. In connection with the provision of the Products to Customer, SIS may (and may authorize its Sub-processors to) receive from, process within, or transfer Personal Data to, any Third Country provided that SIS and its Sub-processors take measures to adequately protect such data consistent with Applicable Privacy Laws. Such measures may include to the extent available and applicable under such laws:
   3. The parties’ agreement to enter into and comply with the Standard Contractual Clauses which are hereby incorporated into this DPA and as further set forth in Annex C. In particular, transfers of Personal Data from the European Union, European Economic Area, Switzerland or the UK by Customer to SIS or SIS to Customer in Third Countries are subject to the Standard Contractual Clauses, Module Two (“Controller to Processor”), and Module Three (“Processor to Processor”). The information required for the purposes of the SCCs is provided in Annex C to this DPA. To the extent that any substitute or additional appropriate safeguards or transfer mechanisms under Applicable Privacy Laws are required to transfer data to a Third Country, the parties agree to implement the same as soon as practicable and document such requirements for implementation in an attachment to this DPA.
   4. The Parties acknowledge and agree that they have, taking into account, without limitation, the Personal Data and Third Countries in scope, the relevant security measures under this DPA and the relevant parties participating in the processing of such Personal Data, conducted an assessment of the appropriateness of the relevant transfer mechanism adopted hereunder and have determined that such transfer mechanism is appropriately designed to ensure Personal Data transferred in accordance with this DPA is afforded a level of protection in the destination country that is essentially equivalent to that guaranteed under the Applicable Privacy Laws.
7. Cooperation, Audit and Records Requests
   
   
   1. SIS shall, to the extent permitted by law, promptly notify Customer following the receipt and verification of a Data Subject Request or shall otherwise advise the Data Subject to submit their Data Subject Request to Customer directly. In either case, Customer will be responsible for responding to such a request.
   2. At the request of Customer and taking into account the nature of the processing applicable to any Data Subject Request, SIS shall apply appropriate technical and organizational measures to enable Customer to comply with Customer’s obligation to respond to such Data Subject Request and/or in demonstrating such compliance provided that (i) Customer is itself unable to respond or fulfill the request without SIS’s assistance and (ii) SIS is able to do so in accordance with all applicable laws, rules, and regulations. Customer shall be responsible, to the extent legally permitted, for any costs and expenses incurred by SIS in providing assistance in connection with any Data Subject Request only where such costs arise as a result of unreasonable or excessive requests.
   3. If SIS receives a subpoena, court order, warrant or other legal demand from a third party, law enforcement, foreign government, or any other public or judicial authorities) seeking the disclosure of Personal Data, SIS shall, legally permitting, promptly notify Customer in writing of such request. SIS shall only comply with such third-party requests where SIS has determined it is legally required to do so, in which case SIS shall provide reasonable cooperation to Customer, at Customer’s expense where appropriate, if Customer wishes to limit, challenge or protect against such disclosure, to the extent permitted by applicable laws. Customer shall assume all risk and liability in handling and responding to such third-party requests to the extent that such liability arises from Customer's processing activities. Customer and SIS shall remain liable for any violations of Applicable Privacy Laws, including GDPR, directly resulting from its own actions, omissions, or failure to comply with its obligations as a data controller and data processor. Customer shall indemnify SIS for all losses, costs, damages, claims, actions, suits, demands, and liabilities suffered or incurred by or brought against SIS arising out of or relating to Customer’s failure to comply with its obligations as a data controller, provided such liability is not attributable to SIS’s failure to meet its obligations under Applicable Privacy Laws.
   4. SIS shall, taking into account the nature of the processing and the information available to SIS provide Customer with reasonable cooperation and assistance for Customer to comply with its obligations under the Applicable Privacy Laws, including any obligations to conduct a data protection impact assessment, respond to any inquiry from or consult with any Supervisory Authority or demonstrate compliance with Applicable Privacy Law. The obligations hereunder shall only apply where required of SIS by Applicable Privacy Law and provided that Customer does not otherwise have access to the relevant information or functionality being requested. Customer shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by SIS.
   5. Upon Customer’s request and no more than once per calendar year, SIS shall make available for Customer’s review copies of all applicable attestation reports, certifications and/or other documents demonstrating SIS’s compliance with Applicable Privacy Laws as they relate to SIS’s processing of the Customer Personal Data hereunder. These documents are available at https://trust.signinsolutions.com for review. Solely where and to the extent (i) required by Applicable Privacy Laws and (ii) such copies of the attestation reports or certifications are insufficient to demonstrate SIS’s compliance with Applicable Privacy Laws as it relates to SIS’s processing of the Personal Data hereunder, SIS shall make available to the Customer additional information reasonably necessary to demonstrate compliance with such obligations and allow for and contribute to audits, including mutually agreed and managed inspections, of those data processing facilities within SIS’s control conducted by the Customer or another auditor mutually agreed upon by SIS and the
   6. Any Audit or Evaluation authorized by Section 7.5 will occur only after the Customer has provided SIS with at least 30 days’ prior written notice and during a mutually agreed upon date, time, and location by SIS and the Customer. Audits must not unreasonably interfere with SIS’s business or operations, and the scope of such audit will be subject to SIS’s reasonable pre-approval. Individuals responsible for conducting such an audit shall be subject to a contract of confidentiality with SIS. The work required by SIS to participate in any audit may result in additional fees (only if requests for audits are excessive or unreasonable and at a mutually agreed upon hourly rate which will be agreed in writing prior to the commencement of any audit). To ensure that SIS complies with Applicable Privacy Laws and its contractual obligations regarding data privacy and security, Customer agrees that SIS is not required to provide Customer with access to SIS’s systems or information in a manner that may compromise the security, privacy, or confidentiality of SIS’s other customers’ confidential or proprietary information.
   7. Any information disclosed pursuant to this Section 7 will be deemed SIS’s Confidential Information.
8. Personal Data Breach
   
   
   1. After becoming aware of a positively identified Personal Data Breach, SIS shall, without undue delay (but no later than 72 hours), inform Customer of the Personal Data Breach and take such steps as SIS, in its sole discretion, deems necessary and reasonable to remediate such Personal Data Breach (to the extent that remediation is within SIS’s reasonable control).
   2. SIS shall, taking into account the nature of the processing and the information reasonably available to SIS: (a) provide Customer with reasonable cooperation and assistance necessary for Customer to comply with its obligations under Applicable Privacy Laws with respect to notifying relevant regulators and/or Data Subjects affected by such Personal Data Breach; and (b) provide Customer with information in SIS’s reasonable control concerning the details of the Personal Data Breach including, as applicable, the nature of the Personal Data Breach, the categories and approximate numbers of Data Subjects and Personal Data records concerned, and the likely consequences of the Personal Data Breach.
   3. The obligations described in this Section 8 shall not apply in the event that a Personal Data Breach results from the actions or omissions of Customer. In no event will SIS’s cooperation or obligation to report or respond to a Personal Data Breach under this Section be construed as an acknowledgement by SIS of any fault or liability with respect to the Personal Data Breach.
   4. Unless prohibited by an applicable statute or court order, Customer will notify SIS of any third-party legal process relating to any Personal Data Breach, including, but not limited to, any legal process initiated by any governmental entity.
9. Miscellaneous
   
   
   1. All notices to Customer under this DPA shall be sent by email and directed to the Customer’s designated system administrator for the Products and the “legal and privacy notices” contact if provided by Customer in conjunction with the Agreement. Customer may update these contacts at any time by emailing: privacy@signinsolutions.com.
   2. The liability of SIS and its respective employees, directors, officers, Affiliates, successors, and assigns (the “SIS Parties”), arising out of or related to this DPA, whether in contract, tort, or other theory of liability, shall be subject to the Limitation of Liability and Disclaimers section of the Agreement, and any reference in such section to the liability of SIS or the SIS Parties means the aggregate liability of the SIS Parties under the Agreement and this DPA together.
   3. This DPA is without prejudice to the rights and obligations of the parties under the Agreement which will continue to have full force and effect. In the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA will prevail. In the event of any conflict between the terms of this DPA and the Standard Contractual Clauses then, only insofar as the Standard Contractual Clauses apply, the Standard Contractual Clauses will prevail.
   4. Unless otherwise so required under this DPA or Applicable Privacy Law, Customer and SIS each agree that the dispute resolution provisions of the Agreement (including governing law and venue) apply to this DPA.

Annex A

Details of Data Processing

1. Data Exporter:

   Name, address and contact information:
   As provided under the Agreement.

   Activities relevant to the data transferred under the Clauses:
   Receipt of the Products under the Agreement.

   Signature and date:
   As provided under the Agreement.

2. Data Importer:

   Name:
   Sign In Solutions Inc.
   
   Address:
   150 2nd Ave N, Suite 1540 St. Petersburg FL, USA 33701

   Contact information for privacy and data protection:
   Jason Mordeno: Global Privacy Officer
   privacy@signinsolutions.com

   Activities relevant to the data transferred under the Clauses:
   The provision, maintenance and securing of the Products

   Signature and date:
   As provided under the Agreement.

3. Details of Data Processing:
   
   
   1. Subject matter: The subject matter of the data processing under this DPA is the Customer Personal Data.
   2. Duration: As between SIS and Customer, the duration of the data processing under this DPA is until the expiration or termination of the Agreement in accordance with its terms.
   3. Purpose: SIS shall only process Customer Personal Data for the following purposes: (i) processing to perform its obligations under the Agreement; and (ii) processing to comply with any other reasonable instructions provided by Customer (e.g., via email or support tickets) that are consistent with the terms of the Agreement (individually and collectively, the "Purpose").
   4. Nature of the processing: SIS provides support to the Customer in their use of the Products as more particularly described in the Agreement.
   5. Categories of data subjects: Customer’s employees and Users (as such term is defined in the Agreement)
   6. Categories of Customer Personal Data: Customer may upload, submit or otherwise provide certain personal data to SIS, the extent of which is typically determined and controlled by Customer in its sole discretion, and may include the following types of personal data:
      
      
      1. Data Subjects’ identification information (first and last name), contact information (which may include some or all of the Data Subject’s e-mail address, address, telephone number, and location and IT information (IP addresses, usage data, cookies data, online navigation data, location data, browser data) and
      2. Any other personal data that you choose to include in your instance of the Products for Data Subjects to enter, notably Sensitive Data for which you have received the explicit consent from a Data Subject to the Processing of such Sensitive Data for the intended purposes and subject to Clause 1.4 of this DPA, Sensitive Data.
   7. Processing Operations: Customer Personal Data will be processed in accordance with the Agreement (including this DPA) and may be subject to the following processing activities: Storage and other processing necessary to provide, maintain and improve the Products and Professional Products provided to Customer pursuant to the Agreement; and/or Disclosures in accordance with this DPA and/or as compelled by applicable law.
      
      

Annex B

Technical and Organizational Measures

SIS shall:

Provide an appropriate level of technical and organizational measures, including relevant security and compliance controls aligned to the categories or nature of Customer Data, as necessary to protect against potential harm resulting from a data breach, including, but not limited to:

1. Governance, Risk and Compliance Controls

• Governance - SIS maintains a governance, risk and compliance program, that are a set of processes, practices, measures, policies and procedures in order to operate in accordance with relevant laws, regulations and industry standards;
• Risk - SIS manages risk frameworks that identify and manage risks to technology, organization and data processing systems;
• Compliance - SIS maintains security, privacy, data protection and compliance processes and practices and conducts assessments and audits that examines our controls with management and the safeguarding of customer data;
• Frameworks - SIS maintains frameworks, controls and criteria’s for global privacy, data protection, information security, and applicable laws and regulations;
• Certifications and Attestations - SIS maintains ISO 27001 accredited certification for its Information Security Management System and separately holds SOC 2 Type II + CCPA + GDPR Attestation Reports for additional and applicable complex product categories, affirming compliance with rigorous security and compliance standards 

2. Data Security Controls

• Technical and Organizational Policies - SIS has policies and processes in place for the classification, management, access, use, and destruction of data;
• Encryption - SIS encrypts data in transmit, in transit, at rest and in storage by utilizing industry standard encryption tools and methods;
• Encryption Keys - SIS safeguards the security and confidentiality of all encryption keys associated with encrypted Customer Data;
• Role Based Access Controls - SIS practices the method of least privilege which limits user access to authorized individuals;
• Incident Response, Business Continuity, and Disaster Recovery - SIS has an incident response plan for managing and reporting security incidents involving personal data. Business continuity is supported through regular and secure data backups to ensure integrity. Disaster recovery plans facilitate timely operational restoration after disruptions, with periodic testing to maintain readiness and compliance.

3. Cybersecurity Controls

• Access Control and Identity Verification - Access to SIS assets and resources are controlled through enforcement, identity verification protocols, multi-tiered access controls, adaptive authentication measures, and session management processes.
• Application Hardening and Security Baselines - SIS applies application hardening techniques to reinforce the security of its platform, including the deactivation of non-essential services, implementation of secure configurations, and adherence to security baselines consistent with established industry cybersecurity standards;
• Threat Intelligence and Response - SIS mitigates risks to controlled environments through continuous threat intelligence and response mechanisms, including ongoing scanning for indicators of compromise, execution of isolation measures, and collaboration with threat intelligence networks, thereby reinforcing and sustaining a resilient security posture;
• Continuous Security Assessment and Penetration Testing - SIS performs regular and as-necessary security assessments and penetration testing to proactively identify and remediate vulnerabilities in the control

4. Infrastructure Security Controls

• Monitoring - SIS maintains security monitoring systems, including, but not limited to, detecting and preventing intrusion, monitoring traffic and monitoring file integrity;
• Vulnerability and Patch Management - SIS has a defined policy and process that establishes requirements for assessing and managing vulnerabilities. Regular vulnerability scans are conducted and patches are deployed in a timely manner based on the criticality of the vulnerabilities;
• Continuous Integration/Continuous Deployment (CI/CD) Practices - SIS embeds security checks within the CI/CD pipeline to enable secure code deployment. This includes automated code scanning, dependency checks, and security testing at each stage of the CI/CD process, fostering a secure and resilient infrastructure

5. Application Security Controls

• Secure Software Development Lifecycle (S-SDLC) - SIS adheres to a secure development lifecycle (S-SDLC) that includes secure coding practices, code reviews, and ongoing security testing. Developers are trained in secure coding standards, and application code is scanned for vulnerabilities throughout development to proactively address potential risks;
• Controlled Configuration and Deployment Processes - SIS enforces stringent controls over configuration and deployment processes. A version-controlled environment is utilized for traceable changes and with approvals required for deployment to production. Regular configuration reviews are conducted to prevent misconfigurations that may impact application security;
• Continuous Application Monitoring - SIS employs specialized tools for application-level monitoring, tracking system interactions, unusual access patterns, and deviations in expected application behaviors;
• Libraries and Components Risk Management - SIS regularly reviews the security of secure libraries and secure source components integrated into the application. Security assessments of dependencies are conducted pre-implementation, and regular updates are applied to mitigate risks of vulnerabilities from external sources

6. Network Security Controls

• Access Points - SIS maintains the authentication and supervision of access rights with access to the network and by applying technical policies to prevent any internal and external threats posed by the access;
• Network Management of Roles and Responsibilities - defines authorized groups, roles and responsibilities for management of network components;
• System Events, Security Events and Firewalls - SIS automatically logs system and security events, reviews logs on a periodic basis, issues identified are investigated and resolved in a timely manner

Annex C

Standard Contractual Clauses

The parties agree that personal data transferred between and by the parties to Third Countries shall be subject to the Standard Contractual Clauses to the extent applicable and as further set forth under the DPA.

1. The parties acknowledge the importance of the protection of personal data and the legal restrictions on international transfers of such data to Third Countries.
2. Accordingly, the parties agree to abide by the GDPR, UK DPA 2018, and Swiss DPA, and other Applicable Privacy Laws recognizing the Standard Contractual Clauses or similar principles, as applicable, and enter into these standard contractual clauses to ensure that transfers of personal data to Third Countries are lawful and subject to adequate data protections. To the extent a transfer of personal data is subject to Article 3(2) of the GDPR, this Annex C shall not apply.
   

1. CLARIFICATION OF DEFINITIONS & TERMS
   
   
   1. The terms “data controller” or “controller,” “data exporter,” “data importer,” “data processor” and “Personal Data” shall have the meaning under the GDPR, UK DPA 2018, Swiss DPA, or another Applicable Privacy Law, as applicable.
   2. For transfers of Personal Data to Third Countries originating from outside the EU, references to the General Data Protection Regulation will be replaced by the Applicable Privacy Law and references to the “EU,” “Union” or “Member State” shall be replaced with the applicable originating region.
   3. Section 1 Clause 1 (a) of the Standard Contractual Clauses (Definition of Data Importer): The “data importer” means SIS.
   4. Section 1 Clause 1 (a) of the Standard Contractual Clauses (Definition of Data Exporter):The “data exporter” means Customer.
   5. With respect to objections to Sub-processors under Section 1 Clause 9,the process set forth under Section 4 of this DPA shall apply.
2. APPLICABLE MODULES
   
   With respect to Processing of applicable personal data:
   
   
   1. When Customer is a Data Exporter and Controller, and SIS is a Data Importer and Controller – Module 1 shall apply.
   2. When Customer is a Data Exporter and Controller, and SIS is a Data Importer and Processor – Module 2 shall apply.
   3. When Customer is a Data Exporter and Processor, and SIS is a Data Importer and Sub-Processor – Module 3 shall apply.
   4. References to Module 4 in the SCCs shall not apply and language referencing that module shall not be treated as part of this DPA.
3. AMENDMENTS OR UPDATES
   
   To the extent that any additional appropriate safeguards under Applicable Privacy Laws recognizing the Standard Contractual Clauses or similar principles are required to export data to any Third Country, or to the extent that the Standard Contractual Clauses are substituted or replaced or not recognised under any such law, the parties agree to either promptly implement the same or agree to use another acceptable method for transfer of such data and promptly amend this Annex C as necessary to comply with such requirements.
   
   
4. CONFLICTS
   
   If the terms of the Agreement or the DPA conflict with the Standard Contractual Clauses, the terms of the Standard Contractual Clauses will prevail.
   
   
5. STANDARD CONTRACTUAL CLAUSES
   
   
   1. The Standard Contractual Clauses will be deemed incorporated into this DPA and shall apply as completed below:
   2. In Clause 7, the “Docking Clause (Optional)”, will be deemed incorporated.
   3. In Clause 9, Option 2 is selected, and the time period for prior notice of addition or replacement of Sub-processors will be as set forth in the DPA.
   4. In Clause 11, the optional language will not apply.
   5. In Clause 13, the competent supervisory authority shall be the Irish Data Protection Commission where the EU SCCs apply, the FDPIC where the Swiss DPA applies and the UK Information Commissioner where the UK Transfer Addendum applies.
   6. In Clause 17, Option 2 is selected, and the Standard Contractual Clauses will be governed by the law of Ireland where the EU SCCs apply, the law of Switzerland where the Swiss DPA applies and the law of England and Wales where the UK Transfer Addendum applies.
   7. In Clause 18(b), disputes will be resolved before the courts of Ireland where the EU SCCs apply, the courts of Switzerland where the Swiss DPA applies and the courts of England and Wales where the UK Transfer Addendum applies.
   8. Annexes I and II of the SCCs are as set in Exhibits A and B of this DPA; and Annex III is as set forth in the Sub-processor
   9. For the purposes of the UK Transfer Addendum, the Standard Contractual Clauses will be interpreted in accordance with Part 2 of the UK Transfer Addendum; Sections 9 – 11 of the UK Transfer Addendum will override Clause 5 of the EU SCCs and both the “Importer” and “Exporter” shall be able to end the UK Transfer Addendum as set out in Section 19 of the UK Transfer Addendum.

By entering into the DPA, the Parties are deemed to be signing the applicable Standard Contractual Clauses.

Annex D

Affiliated Companies List

UK GDPR Addendum to the DPA

This GDPR and UK GDPR Addendum (this “GDPR and UK Addendum”) supplements the DPA or Agreement between the Parties governing the processing of Personal Data. This GDPR and UK Addendum applies when the GDPR or UK GDPR applies to SIS’s Software and Services interaction with applicable Personal Data. Unless otherwise defined in this GDPR and UK Addendum, all capitalized terms are defined by the DPA or Agreement.

1. Processing Controls. SIS’s privacy email address at privacy@signinsolutions.com may be used to assist the Parties with obligations under the GDPR, including obligations to respond to requests from Data Subjects. Taking into account the nature of the interactions involving the Software and Services, the Parties agree it is unlikely that a Processor or Subprocessor would become aware that Personal Data transferred under a Transfer Mechanism is or would be inaccurate or outdated. Nonetheless, if a Processor or Subprocessor becomes aware that Personal Data transferred under a Transfer Mechanism is inaccurate or outdated, it will inform the Controller without undue delay. Processor will cooperate with Controller to erase or rectify inaccurate or outdated Personal Data transferred under the Transfer Mechanism, such as by responding to appropriate requests received through privacy web forms.
2. Specified Purpose. While the Software and Services do not specifically request or require special categories of Personal Information, Controller represents they have obtained necessary and explicit consent for the processing of special categories of Personal Data, for the specified purposes of (i) processing to perform its obligations under the Agreement; and (ii) processing to comply with any other reasonable instructions provided by Controller (e.g., via email or support tickets) that are consistent with the terms of the Agreement, and such other services as described in an Agreement between the Parties from time to time.
3. Controller Instructions. The Parties agree that the DPA and the Agreement constitute Controller’s documented instructions regarding processing of Personal Data (“Documented Instructions”). Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between the Parties, including agreement on any additional fees for carrying out such instructions. Taking into account the nature of the processing, the Parties agree it is unlikely that a Processor or Subprocessor can form an opinion on whether Documented Instructions infringe the GDPR or UK GDPR. If Processor or Subprocessor forms such an opinion, it will inform the Controller, in which case the Controller is entitled to withdraw or modify its Documented Instructions.

CCPA Addendum (“CCPA Terms”)

These SIS CCPA Terms (“CCPA Terms”) supplements the DPA and other Agreement between the Parties when the California Consumer Privacy Act of 2018 (“CCPA”) or California Privacy Rights Act of 2020 (“CPRA”) applies to access, use or otherwise processing of “Personal Information” (as defined and applied in CCPA or CPRA) by the parties. Unless otherwise defined in these CCPA Terms, all capitalized terms are defined by the DPA or Agreement.

The parties each agree and certify, with respect to any Personal Information it receives from the other party under circumstances where the receiving party is acting as a Service Provider, and not already in such receiving party’s possession, that it will operate as a Service Provider and will not: (a) retain, use, or disclose Personal Information except as permitted in an agreement between the parties and under CCPA or CPRA, or (b) sell or share Personal Information.

These CCPA Terms do not limit or reduce any other data privacy commitments either party may have under an agreement between the parties.

Last updated: August 23, 2025.
Jason Mordeno, Global Privacy and Data Protection Officer