DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) is entered into by and between [___________________________] (“Vendor or Data Processor”) and [Customer Name] and its Affiliates (“Customer or Data Controller”) to reflect the Parties’ agreement regarding the Processing of Personal Data by Vendor or Data Processor on behalf of Customer or Data Controller, or where Vendor or Data Processor acts as Data Controller for certain Processing activities as specified in the Agreement. Each of the parties hereto may also be referred to as a “Party”, and together as the “Parties”.
In consideration of the mutual obligations herein, the Parties hereby agree that the terms and conditions set out below shall be added as an addendum integral to the agreement, purchase order, license, or subscription established between Customer or Data Controller and the Vendor or Data Processor (“Agreement”).
Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.
In the event of any conflict between specific provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement solely concerning the Processing of Personal Data.
- 1. DEFINITIONS
1.1 Definitions:
(a) “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
(b) The terms “Controller”, “Member State”, “Processor”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR. The terms “Business”, “Business Purpose”, “Consumer” and “Service Provider” shall have the same meaning as in the CPRA. The terms “Data Principal”, “Data Fiduciary” (also referred to as “Data Controller”), and “Data Processor” shall have the same meaning as in the DPDP Act, where “Data Controller” means the entity that determines the purpose and means of processing Personal Data (equivalent to Data Fiduciary), and “Data Processor” means the entity that processes Personal Data on behalf of the Data Controller.
(c) For clarity, within this DPA, “Controller” shall also mean “Business” or “Data Fiduciary” or “Data Controller”, and “Processor” shall also mean “Service Provider” or “Data Processor”, to the extent that the CPRA or DPDP Act applies. In the same manner, Processor’s Sub-processor shall also refer to the concept of Service Provider or Data Processor. Where Vendor acts as Controller or Data Controller, the roles shall be reversed mutatis mutandis.
(d) “Data Protection Laws” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“GDPR”), the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 and as amended by the Data (Use and Access) Act 2025 (“UK GDPR”), California Privacy Rights Act of 2020 (the “CPRA”), Virginia Consumer Data Protection Act (“VCDPA”), Colorado Privacy Act (“CPA”), Digital Personal Data Protection Act, 2023 (the “DPDP Act”) of India, as amended, and the Digital Personal Data Protection Rules, 2025 notified thereunder and any other applicable federal, state, or local privacy laws in the United States, India, or elsewhere that regulate the processing of personal data, including but not limited to regulations issued thereunder as of the effective date of this DPA.
(e) “Data Subject” means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Data Subject includes Consumer as such term is defined under the CPRA, Data Principal as such term is defined under the DPDP Act, and equivalent terms under other Data Protection Laws.
(f) “EU Standard Contractual Clauses” or “EU SCCs” shall mean the Standard Contractual Clauses set out in the Annex of the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council, as amended or superseded.
(g) “Personal Data” means any information relating to a Data Subject. Personal Data includes Personal Information as such term is defined under the CPRA, Personal Data as such term is defined under the DPDP Act, and equivalent terms under other Data Protection Laws.
(h) “Services” means the services provided to Customer or Data Controller by Vendor or Data Processor in accordance with the Agreement.
(i) “Security Documentation” means the Security Documentation applicable to the Services purchased by Customer or Data Controller as provided to Customer or Data Controller by Vendor or Data Processor.
(j) “Sub-processor” means any third party that Processes Personal Data under the instruction or supervision of Vendor or Data Processor.
(k) “UK Addendum” means the International Data Transfer Addendum to the EU SCCs issued by the Information Commissioner’s Office in the UK (available under: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en), as amended or superseded.
- 2. PROCESSING OF PERSONAL DATA
2.1 Roles of the Parties. This DPA applies when Personal Data is Processed by Vendor or Data Processor as part of the provision of the Services, as further specified in the Agreement and the applicable order form. The Parties acknowledge and agree that with regard to Vendor’s or Data Processor’s Processing of Personal Data on behalf of Customer or Data Controller, (i) Customer or Data Controller is the Controller or Business or Data Fiduciary, respectively, (ii) Vendor or Data Processor is the Processor or Service Provider or Data Processor, respectively, except where the Agreement specifies that Vendor or Data Processor acts as Controller or Data Controller for certain Processing activities (e.g., for Vendor’s or Data Processor’s internal analytics, billing, or compliance purposes), in which case Vendor or Data Processor shall assume the role and obligations of Controller or Data Controller for such activities, and Customer or Data Controller shall act as Processor where applicable. The terms “Controller” and “Processor” below hereby signify Customer or Data Controller and Vendor or Data Processor, respectively, unless otherwise specified in the Agreement for Vendor’s or Data Processor’s Controller or Data Controller role, in which case the roles shall reverse mutatis mutandis. In alignment with the DPDP Act, where applicable, the Customer acts as Data Fiduciary (Data Controller) determining the purpose and means of processing, and Vendor as Data Processor processing only on documented instructions from the Data Fiduciary, subject to verifiable parental consent for children’s data under Section 9 of the DPDP Act.
2.2 Vendor’s Processing of Personal Data. When Processing on Customer’s or Data Controller’s behalf under the Agreement as Processor or Data Processor, Vendor or Data Processor shall Process Personal Data solely for the following purposes: (i) Processing in accordance with the Agreement and as part of the provision of the Services; (ii) Processing in accordance with Customer’s or Data Controller’s documented instructions, where such instructions are consistent with the terms of the Agreement. Where Vendor or Data Processor acts as Controller or Data Controller, Vendor or Data Processor shall Process Personal Data solely for the purposes specified in the Agreement, in compliance with Data Protection Laws as Controller or Data Controller, and shall provide Customer or Data Controller (as Processor) with documented instructions consistent therewith.
Vendor or Data Processor shall inform Customer or Data Controller without undue delay if, in Vendor’s or Data Processor’s opinion, an instruction for the Processing of Personal Data given by Customer or Data Controller infringes applicable Data Protection Laws. In such event, Vendor or Data Processor shall (i) inform Customer or Data Controller, providing relevant details of the issue, (ii) upon request of Customer or Data Controller, temporarily cease all Processing of the affected Personal Data (other than securely storing such data), and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, Customer or Data Controller may terminate the Agreement and this DPA with respect to the affected Processing. Where Vendor or Data Processor acts as Controller or Data Controller, Customer or Data Controller shall similarly inform Vendor or Data Processor of any infringing instructions. Under the DPDP Act, processing shall be limited to the specified purpose (Section 4), with data minimization, and accuracy ensured.
2.3 Details of the Processing. The subject matter of Processing of Personal Data by Vendor or Data Processor is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data, and categories of Data Subjects Processed under this DPA are further specified in Schedule 1 (Details of Processing) to this DPA. Where Vendor or Data Processor acts as Controller or Data Controller, such details shall be as specified in the Agreement for those activities.
2.4 CPRA and DPDP Standard of Care; No Sale or Sharing of Personal Information. Vendor or Data Processor will not (1) sell, share (as defined in the CPRA or other Data Protection Laws), or target advertising using Personal Data, or (2) retain, use or disclose Personal Data: (i) for any purpose other than for the specific purpose of performing the Services or as specified for Vendor’s or Data Processor’s Controller or Data Controller role in the Agreement, (ii) outside of the direct business relationship between Customer or Data Controller and Vendor or Data Processor, except as permitted under applicable Data Protection Laws, or (3) combine Personal Data received pursuant to the Agreement with personal information (as defined in the CPRA, DPDP Act, or other Data Protection Laws) (i) received from or on behalf of another person, or (ii) collected from Vendor’s or Data Processor’s own interaction with any Data Subject to whom such Personal Data pertains. Vendor or Data Processor does not receive any Personal Data from Customer or Data Controller as consideration for its provision of the Services. Vendor or Data Processor certifies that it understands the restrictions set forth in this Section and will comply with them. Vendor or Data Processor shall also comply with any opt-out signals or consumer preference signals received under applicable Data Protection Laws, including but not limited to Global Privacy Control (GPC). Vendor or Data Processor shall not discriminate against Data Subjects for exercising their rights under applicable Data Protection Laws. To the extent the DPDP Act applies, Vendor or Data Processor shall process Personal Data only with the verifiable consent of the Data Principal or as otherwise permitted under the DPDP Act, and shall provide mechanisms for withdrawal of consent. Where Vendor or Data Processor acts as Controller or Data Controller, these obligations apply to Vendor’s or Data Processor’s Processing as Controller or Data Controller.
2.5 Vendor as Controller or Data Controller. Where the Agreement specifies that Vendor or Data Processor Processes Personal Data as Controller or Data Controller (e.g., for Vendor’s or Data Processor’s legitimate business purposes such as service improvement or legal compliance), Vendor or Data Processor shall: (i) comply with all applicable Data Protection Laws as Controller or Data Controller, including transparency, lawful basis for Processing, and Data Subject rights fulfillment; (ii) notify Customer or Data Controller of any changes to Processing purposes; (iii) where Customer or Data Controller Processes on Vendor’s or Data Processor’s behalf as Processor, provide documented instructions to Customer or Data Controller; and (iv) indemnify Customer or Data Controller for claims arising from Vendor’s or Data Processor’s Controller or Data Controller Processing. Customer or Data Controller shall assist Vendor or Data Processor in fulfilling Controller or Data Controller obligations to the extent applicable. The provisions of this DPA shall apply mutatis mutandis to such scenarios, with roles reversed.
- 3. DATA SUBJECT REQUESTS
Vendor or Data Processor shall assist Customer or Data Controller in responding to requests to exercise Data Subject rights or Consumer rights or Data Principal rights (including any complaints regarding the Processing of Personal Data) under Applicable Data Protection Laws, including, without limitation, EU Data Protection Laws, the CPRA, VCDPA, CPA, DPDP Act, and other state privacy laws (“Data Subject Request(s)”). This includes Vendor or Data Processor (i) promptly notifying Customer or Data Controller if it receives a Data Subject Request in respect of Personal Data; (ii) providing full cooperation and assistance to Customer or Data Controller in relation to any Data Subject Request; (iii) ensuring that it does not respond to Data Subject Requests except on the documented instructions of Customer or Data Controller or as strictly required by Data Protection Laws to which the Vendor or Data Processor is subject; and (iv) maintaining electronic records of Data Subject Requests. Vendor or Data Processor shall provide such assistance at no additional cost to Customer or Data Controller, unless the request requires disproportionate effort, in which case the Parties shall discuss reasonable cost allocation. To the extent required under the DPDP Act, Vendor or Data Processor shall assist Customer or Data Controller in providing notice of data breaches to affected Data Principals and the Data Protection Board of India (Section 8(6)). Where Vendor or Data Processor acts as Controller or Data Controller, Vendor or Data Processor shall handle Data Subject Requests as Controller or Data Controller and assist Customer or Data Controller accordingly.
- 4. VENDOR PERSONNEL
4.1. To the extent permissible under applicable law, Vendor or Data Processor shall conduct an appropriate background investigation of all employees or contractors of the Vendor or Data Processor who may have access to Personal Data (“Vendor Personnel”), prior to allowing them such access. If a background investigation reveals that an individual is not suited to access Personal Data, then Vendor or Data Processor shall not provide such individual with access to Personal Data.
4.2. Vendor or Data Processor shall ensure that all Vendor Personnel: (i) have such access only as necessary for the purposes of providing Customer or Data Controller with the Services and complying with Data Protection Laws; (ii) are contractually bound to confidentiality requirements no less onerous than this DPA; (iii) are provided with appropriate privacy and security training, at least annually; (iv) are informed of the confidential nature of Personal Data, and required to keep it confidential; and (v) are aware of the Vendor’s or Data Processor’s duties and obligations under this DPA.
- 5. SUB-PROCESSORS
5.1 List of Current Sub-processors and Notification of New Sub-processors.
Vendor or Data Processor shall not subcontract any Processing of Personal Data to any third party without the prior written consent of Customer or Data Controller. Notwithstanding the foregoing, Customer or Data Controller authorizes Vendor or Data Processor to engage the Sub-Processors listed in Schedule 1 hereto which includes the identities of those Sub-processors, the Processing services they provide, and the entity’s country (“Sub-Processor List”) provided that, (i) such Sub-processors are only engaged in Processing Personal Data as strictly necessary for the fulfillment of Vendor’s or Data Processor’s obligations under the Agreement and this DPA, (ii) Vendor or Data Processor has conducted the level of due diligence necessary to ensure that such Sub-processor is capable of meeting the requirements of this DPA and Data Protection Laws, and (iii) the Vendor or Data Processor and the Sub-processor have entered a written agreement binding on the Sub-processor containing data protection, security and privacy standards that are no less onerous than this DPA.
5.2 Objection to New Sub-processors. Vendor or Data Processor shall provide Customer or Data Controller at least thirty (30) days prior written notice of its intention to engage or replace a Sub-Processor. Such notice shall be sent to [Customer’s or Data Controller’s designated email], and must include at least: (i) the name of the proposed Sub-Processor; (ii) the type of Personal Data Processed by such Sub-Processor and for which purposes; (iii) a description of the data subjects whose Personal Data shall be processed by such Sub-Processor, and (iv) location of the Data Processing performed by such Sub-Processor. Customer or Data Controller may object to the engagement of any Sub-Processor on any privacy, data protection, or security grounds. In the event Customer or Data Controller objects to a new Sub-processor, Vendor or Data Processor will use reasonable efforts to make available to Customer or Data Controller a change in the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Customer or Data Controller. If Vendor or Data Processor is unable to make available such change within thirty (30) days, Customer or Data Controller may terminate the Agreement and this DPA.
5.3 Agreements with Sub-processors. Vendor or Data Processor represents that it has entered into a written agreement with each Sub-processor containing appropriate safeguards for protecting Personal Data. Where Vendor or Data Processor engages a Sub-processor for carrying out specific Processing activities on behalf of Customer or Data Controller, the same or materially similar data protection obligations as set out in this DPA shall be imposed on such new Sub-processor by way of a contract, including obligations to implement appropriate technical and organizational measures so that the Processing will meet the requirements of the GDPR, DPDP Act (including flow-down of fiduciary obligations under Section 8), and other Data Protection Laws. Where a Sub-processor fails to fulfill its data protection obligations concerning its Processing of Personal Data, Vendor or Data Processor shall remain fully liable for the performance of the Sub-processor’s obligations.
- 6. SECURITY & AUDITS
6.1 Controls for the Protection of Personal Data. Vendor or Data Processor represents and warrants that it has implemented and will maintain all appropriate technical and organizational measures for the protection of Personal Data Processed hereunder (including protection against unauthorized or unlawful Processing and accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data, confidentiality and integrity of Personal Data, including those measures set forth in the Security Documentation). Detailed information regarding such safeguards is outlined in Annex II of the Standard Contractual Clauses, as attached hereto as Schedule 2. Upon Customer’s or Data Controller’s request, Vendor or Data Processor shall assist Customer or Data Controller in ensuring compliance with the obligations under the DPDP Act, and equivalent provisions under other Data Protection Laws.
6.2 Records of Processing. Vendor or Data Processor shall keep records of its Processing activities performed on behalf of Customer or Data Controller, which shall include at least: (i) The details of the Vendor or Data Processor as Personal Data Processor, any representatives, Sub-Processors, data protection officers, and Vendor Personnel having access to Personal Data; (ii) The categories of Processing activities performed; (iii) Information regarding Cross-Border Data Transfers, if any; and (iv) A description of the technical and organizational security measures implemented in respect of the Processed Personal Data. Without derogation from Customer’s or Data Controller’s Audit Rights under clause 6.3 below, Customer or Data Controller reserves the right to inspect the records maintained by Vendor or Data Processor under this clause 6.2 at any time.
6.3 Audits and Inspections. Upon prior written request, and subject to confidentiality undertakings by Customer or Data Controller, Vendor or Data Processor shall make available to Customer or Data Controller (or Customer’s or Data Controller’s independent third-party auditor subject to their confidentiality undertakings) all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by them. If and to the extent that the Standard Contractual Clauses apply, nothing in this Section 6.3 varies or modifies the Standard Contractual Clauses nor affects any Supervisory Authority’s or Data Subject’s rights under the Standard Contractual Clauses. Audits shall be conducted no more than once per year, unless required due to a suspected breach, and Vendor or Data Processor shall bear the costs of any audit unless otherwise agreed. To the extent required under the DPDP Act, Vendor or Data Processor shall cooperate with audits or inquiries by the Data Protection Board of India.
In the event of an audit or inspection as set forth above, Customer or Data Controller shall take reasonable steps to avoid causing (or, if it cannot avoid, minimize) any disruption to Vendor’s or Data Processor’s operations while conducting such audit or inspection.
- 7. DATA INCIDENT MANAGEMENT AND NOTIFICATION
Vendor or Data Processor maintains security incident management policies and procedures and shall notify Customer or Data Controller without undue delay, and in any event no later than seventy-two (72) hours, after becoming aware of:
- any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data (a “Data Incident”). Vendor’s or Data Processor’s notice will at least: (a) describe the nature of the Data Incident, including, where possible, the categories and the approximate number of Data Subjects concerned, and the categories and the approximate number of Personal Data records concerned; (b) communicate the name and contact details of Vendor’s or Data Processor’s data protection team, which will be available to provide any additional Data Incident information; (c) describe the measures taken or proposed to be taken by Vendor or Data Processor to address the Data Incident, including, where appropriate, measures to mitigate its possible adverse effects. Where it is impossible to provide the information simultaneously, the information may be provided in phases without further delay. Vendor or Data Processor will work diligently, per its security incident management and breach notification policies and procedures, to promptly identify and remediate the cause of the Data Incident and inform Customer or Data Controller accordingly as soon as possible. Upon Customer’s or Data Controller’s request, Vendor or Data Processor shall provide sufficient information to allow Customer or Data Controller to meet any obligations under Data Protection Laws to report or inform Data Subjects or data protection authorities of the Data Incident, including notification to the Data Protection Board of India under the DPDP Act where applicable.
- any request for disclosure of Personal Data by a Supervisory Authority or other law enforcement authority or court, unless prohibited under criminal law specifically requiring Vendor or Data Processor to preserve the confidentiality of a law enforcement investigation against Customer or Data Controller.
Vendor or Data Processor will not make, disclose, release or publish any finding, admission of liability, communication, notice, press release or report concerning any Data Incident or disclosure request which directly or indirectly identifies Customer or Data Controller (including in any legal proceeding or in any notification to regulatory or supervisory authorities or affected individuals) without Customer’s or Data Controller’s prior written approval, unless, and solely to the extent that, Vendor or Data Processor is compelled to do so pursuant to applicable Data Protection Laws. In the latter case, unless prohibited by such laws, Vendor or Data Processor shall provide Customer or Data Controller with reasonable prior written notice to provide Customer or Data Controller with the opportunity to object to such disclosure and in any case Vendor or Data Processor shall limit the disclosure to the minimum scope required.
- 8. RETURN AND DELETION OF PERSONAL DATA
Without undue delay, and in any event, no later than thirty (30) days following termination of the Agreement, Vendor or Data Processor shall, at Customer’s or Data Controller’s choice, delete or return all the Personal Data it processes on behalf of Customer or Data Controller, including all existing copies, in the manner described in the Agreement or as otherwise reasonably requested by Customer or Data Controller. If required to maintain copies due to Data Protection Laws requirements, Vendor or Data Processor warrants to guarantee the confidentiality of Personal Data and cease processing Personal Data, and to return or destroy the Personal Data when the said legal obligation expires. Upon Customer’s or Data Controller’s written request, the Vendor’s or Data Processor’s Chief Privacy Officer (or equivalent) shall provide written certification to Customer or Data Controller stating that Vendor or Data Processor has fully complied with this section. To the extent required under the DPDP Act, Vendor or Data Processor shall erase Personal Data upon withdrawal of consent by the Data Principal or as otherwise mandated.
- 9. CROSS-BORDER DATA TRANSFERS
9.1 Transfers from the EEA, Switzerland, and the United Kingdom to countries that offer an adequate level of data protection. Personal Data may be transferred from EU Member States, the three EEA member countries (Norway, Liechtenstein, and Iceland) (collectively, “EEA”), Switzerland, and the United Kingdom (“UK”) to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the European Union, the Member States or the European Commission, Switzerland, or the UK as relevant, as applicable, without any further safeguard being necessary. Transfers to India shall comply with the requirements of the DPDP Act where applicable.
9.2 GDPR-governed Personal Data (“EEA Transferred Data”) may be transferred to a country that does not ensure an adequate level of data protection of Personal Data (“Third Country”) in accordance with the EU Standard Contractual Clauses, in the form attached and incorporated by reference to this DPA as Schedule 2, giving effect to the module specified therein, or, as required, in accordance with any successor thereof or an alternative lawful data transfer mechanism, and as follows:
- In Clause 7, the optional docking clause will apply.
- In Clause 9, Option 2 will apply, and the time period for prior notice of sub-processor changes will be as set out in Section 5 of this DPA.
- In Clause 11, the optional language will not apply.
- In Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law.
- In clause 18(b), disputes will be resolved before the courts of Ireland.
9.3 In accordance with Article 46 of the GDPR and the EU SCCs, and without prejudice to any provisions of this DPA, Vendor or Data Processor undertakes to implement the following organizational and technical safeguards, in addition to the safeguards mandated by the EU SCCs and in accordance with Clause 14(b)(iii) of the EU SCCs, to ensure the required adequate level of protection to the EEA Transferred Data:
- Vendor or Data Processor will implement and maintain the technical measures specified in Annex II of Schedule 2, attached and incorporated by reference to this DPA, with a purpose to protect the EEA Transferred Data from Processing for national security or other governmental purposes that are beyond what is necessary and proportionate in a democratic society, considering the type of Processing activities under the Agreement and relevant circumstances;
- In order to safeguard EEA Transferred Data, when any government or regulatory agency of a Third Country (“Authority”) requests access to such data (“Request”), and unless required by a valid court order or if otherwise Vendor or Data Processor may face criminal charges for failing to comply with orders or demands to disclose or otherwise provide access to EEA Transferred Data, or where the access is requested in the event of an imminent threat to lives, Vendor or Data Processor will:
  - not allow access to EEA Transferred Data, for example by providing any Authority with encryption keys; and
  - upon Customer’s or Data Controller’s written request, provide reasonably available information about the requests for access to Personal Data by government agencies that Vendor or Data Processor has received in the six (6) months preceding Customer’s or Data Controller’s request.
- Vendor or Data Processor will notify Customer or Data Controller of such a request, to enable Customer or Data Controller to take necessary actions, to communicate directly with the relevant agency, and to respond to the Request. If Vendor or Data Processor is prohibited by law from notifying Customer or Data Controller of the Request, Vendor or Data Processor will make reasonable efforts to challenge such prohibition through judicial action or other means and, to the extent possible, will provide only the minimum amount of information necessary.
9.4 In relation to transfers of UK GDPR-governed Personal Data (“UK Transferred Data”) to a Third Country, the EU SCCs: (i) apply as completed in accordance with sections 9.2 and 9.3 above; and (ii) are deemed amended as specified by the UK Addendum, which is deemed executed by the parties and incorporated into and forming an integral part of this DPA.
9.5 The terms set forth in Part 3 of Schedule 2 (Additional Safeguards) shall apply to an EEA Transfer and a UK Transfer. Transfers under the DPDP Act shall comply with any restrictions on cross-border transfers as notified under the DPDP Rules.
- 10. OTHER PROVISIONS
10.1 Data Protection Impact Assessment and Prior Consultation. Upon Customer’s or Data Controller’s request, Vendor or Data Processor shall provide Customer or Data Controller with the cooperation and assistance needed to fulfill Customer’s or Data Controller’s obligations under the GDPR or the UK GDPR or the DPDP Act (as applicable) to carry out a data protection impact assessment related to Customer’s or Data Controller’s use of the Services. Vendor or Data Processor shall provide Customer or Data Controller with the necessary assistance for cooperation or prior consultation with the Supervisory Authority or Data Protection Board of India in the performance of its tasks relating to this Section 10.1, to the extent required under the GDPR or the UK GDPR or the DPDP Act, as applicable. Such assistance shall also extend to assessments required under other Data Protection Laws, such as privacy impact assessments under the CPRA or equivalent state laws.
10.2 Indemnification. Vendor or Data Processor shall indemnify, defend, and hold harmless Customer or Data Controller, its Affiliates, and their respective officers, directors, and employees from and against all claims and proceedings and all liability, loss, costs, fines, and expenses (including reasonable legal fees) arising in connection with (i) Vendor’s or Data Processor’s unlawful or unauthorized Processing, destruction of, or damage to any Personal Data; or (ii) Vendor’s or Data Processor’s (including the Vendor Personnel and Sub-Processors) failure to comply with its obligations under this DPA, the Agreement or any further written Processing instructions given by Customer or Data Controller in accordance with this DPA.
10.3 Modifications. Each Party may by at least forty-five (45) calendar days prior written notice to the other Party, request in writing any variations to this DPA if they are required as a result of any change in, or decision of a competent authority under Data Protection Laws, to allow Processing of Customer or Data Controller Personal Data to be made (or continue to be made) without breach of those Data Protection Laws. The Parties shall make commercially reasonable efforts to accommodate such modification requested by Customer or Data Controller or that Vendor or Data Processor believes is necessary. The Parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in the notice as soon as is reasonably practicable. In the event that the Parties are unable to reach such an agreement within thirty (30) days of such notice, then Customer or Data Controller or Vendor or Data Processor may, by written notice to the other Party, with immediate effect, terminate this DPA and the Agreement.
IN WITNESS WHEREOF, this DPA is entered into and becomes binding between the Parties with effect from the date first set out above.
| Vendor or Data Processor | Customer or Data Controller |
| --- | --- |
| Signature: | Signature: |
| Name: | Name: |
| Title: | Title: |
| Date: | Date: |
“This is a sample DPA template. Schedules 1 and 2 are customizable and can be found in the full EU SCCs document [https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en] or tailored per your agreement.”