Data Processing Agreement

1.
BACKGROUND
1.1.
This Data Processing Agreement (“DPA”) forms a part of the Platform Terms for Law Firms entered into by the Parties thereto (the “Agreement”) as of the Effective Date defined in the Agreement, and is incorporated therein. Customer and Priori hereby agree as follows:
2.
INTERPRETATION
2.1.
Unless otherwise set out below, each capitalized term in this DPA shall have the meaning set out in the Agreement. In this DPA, unless the context requires otherwise:
(a)
“Affiliates” means the current and future respective affiliated offices of Customer;
(b)
“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq., including any amendments and any implementing regulations thereto that become effective on or after the effective date of this DPA;
(c)
“Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing of personal information;
(d)
“Customer Personal Information” means the personal information that Priori Processes on behalf of the Customer in connection with Priori’s provision of the Services;
(e)
“Data Protection Laws” means all applicable laws, regulations and other legal requirements currently in effect, or as they become effective, relating in any way to the privacy, confidentiality, or security of Personal Data, including the EU Data Protection Laws, and the CCPA;
(f)
“EU Data Protection Laws” means the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council (the “GDPR”), the UK Data Protection Act, the UK GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the UK European Union (Withdrawal) Act 2018 or, where applicable, the equivalent provision under Swiss data protection law, and any applicable national legislation implementing or supplementing the GDPR, in each case as amended, replaced or superseded from time to time, and all applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of GDPR Personal Data;
(g)
“European Economic Area” or “EEA” means the Member States of the European Union together with Iceland, Norway, and Liechtenstein;
(h)
“GDPR Personal Data” means the “personal data” (as defined in the GDPR) that the Service Provider Processes on behalf of the Customer and/or the Customer’s Affiliates in connection with the Service Provider’s provision of the Services;
(i)
“Member State” means a member state of the EEA, being a member state of the European Union, Iceland, Norway, or Liechtenstein;
(j)
“personal information” means any information relating to an identified or identifiable individual or device (a “data subject”), or that is otherwise “personal data,” “personal information,” “personally identifiable information,” and similar terms, and such terms shall have the same meaning as defined by applicable Data Protection Laws;
(k)
“Processing” means any operation or set of operations which is performed on personal information, or on sets of personal information, whether or not by automated means, and “Process” will be interpreted accordingly;
(l)
“Processor” means the entity that Processes personal information on behalf of a Controller;
(m)
“Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to (including unauthorized internal access to), any Customer Personal Information;
(n)
“Sell” shall have the meaning given in the CCPA;
(o)
“Services” means the service(s) provided by Priori to Customer under the Agreement;
(p)
“Standard Contractual Clauses” means Module Two (controller to processor) and/or Module Three (processor to processor) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914 and set out in Annex 3, or any subsequent version thereof released by the European Commission (which will automatically apply);
(q)
“Subprocessor” means any Processor engaged by Priori who agrees to receive from Priori Customer Personal Information; and
(r)
The term “supervisory authority” shall have the same meaning as set out in the GDPR.
3.
DATA PROCESSING
3.1.
Role of the Parties. The Parties acknowledge and agree that:
(a)
for the purposes of the GDPR,
(i)
Priori acts as “Processor” and the Customer acts as “Controller”; and
(ii)
in certain cases, Customer functions as a processor on behalf of Law Department Clients and Priori will act as a Subprocessor; and
(b)
for the purposes of the CCPA, Priori will act as a “Service Provider” (as such term is defined in the CCPA) in its performance of its obligations pursuant to the Agreement.
3.2.
Instructions for Data Processing. Priori will, subject to clause 3.3, only collect, retain, use, Sell, disclose, release, transfer, make available or otherwise Process Customer Personal Information in accordance with:
(a)
the Agreement, to the extent necessary to provide the Services to Customer; and
(b)
Customer’s written instructions. If Customer’s instructions will cause Priori to process Customer Personal Information in violation of applicable law or outside the scope of the Agreement or the DPA, Priori shall promptly inform Customer thereof, unless prohibited by applicable law (without prejudice to the SCCs).
The details of data Processing (such as subject matter, nature and purpose of the Processing, categories of Personal Information and Data Subjects) are described in the Agreement and in Annex 1.
Notwithstanding the foregoing, nothing in this DPA shall restrict Priori’s ability to Process Customer Personal Information in anonymous format.
3.3.
Priori may Process Customer Personal Information to the extent required by:
(a)
applicable laws to which Priori is subject; or
(b)
where the Customer is established in the EEA, or the Processing of such Customer Personal Information by the Customer falls within the scope of the GDPR, applicable EEA Member State laws; or
(c)
where the Customer is established in the United Kingdom, or the Processing of such Customer Personal Information by the Customer falls within the scope of the UK Data Protection Act 2018, applicable law in the United Kingdom,
in which case Priori shall, unless prohibited by such applicable laws on important grounds of public interest, inform Customer of that legal requirement before Processing that Customer Personal Information.
3.4.
The Customer shall provide all applicable notices to data subjects required under applicable Data Protection Laws for the lawful Processing of Customer Personal Information by Priori in accordance with the Agreement.
3.5.
The Customer will obtain any consents required under applicable Data Protection Laws for the lawful Processing of Customer Personal Information by Priori in accordance with the Agreement.
3.6.
The Customer agrees to defend, indemnify and keep indemnified, and hold harmless, at its own expense, Priori against all costs, claims, damages and expenses incurred by Priori or for which Priori may become liable due to any failure by the Customer to comply with clause 3.4 and clause 3.5.
3.7.
The Customer acknowledges that Priori is reliant on the Customer for direction as to the extent to which Priori is entitled to use and process the Customer Personal Information. Consequently, Priori will not be liable for any claim brought against the Customer by a data subject arising from any act or omission by Priori to the extent that such act or omission resulted from the Customer’s instructions or the Customer’s use of the Services.
3.8.
Priori may store and process Customer Personal Information anywhere Priori or its Subprocessors maintain facilities, subject to clause 4 of this DPA.
4.
SUBPROCESSORS
4.1.
Consent to Subprocessor Engagement. The Customer generally authorises Priori to engage Subprocessors provided that Priori shall inform Customer of its intention to engage an additional Subprocessor in writing at least ten (10) days in advance of the date of the intended commencement of the engagement. Customer may object to such intended engagement by giving written notice at the latest ten (10) days in advance of the date of the intended commencement of the engagement. If Customer does not object to Priori’s appointment of a Subprocessor on reasonable grounds relating to the protection of the Customer Personal Information, then either Priori shall not appoint the Subprocessor or Customer may elect to suspend or terminate this DPA. In all cases, Priori shall impose substantially similar data protection terms on any Subprocessor it appoints as those provided for by this DPA, and Priori shall remain fully liable for any breach of this DPA that is caused by an act, error, or omission of Subprocessor. For the avoidance of doubt, the Subprocessors set forth below are approved:
Subprocessor | Location | Purpose
Salesforce/Heroku/Tableau | US, UK, EU | Customer relationship management database, Platform as a Service, data analysis
Amazon Web Services | US | Data hosting
Hubspot | US | Email delivery services
Salesloft | US | Client relationship management email services
5.
PROHIBITION ON TRANSFERS OF GDPR PERSONAL DATA
GDPR Personal Data from a Customer’s establishments in the EEA may only be exported or accessed by Priori or its Subprocessors outside the EEA (the “International Transfer”):
(a)
if the recipient, or the country or territory in which it Processes GDPR Personal Data, ensures an adequate level of protection for the rights and freedoms of Data Subjects in relation to the Processing of GDPR Personal Data as determined by the European Commission; or
(b)
in accordance with clause 6.
6.
STANDARD CONTRACTUAL CLAUSES
6.1.
The Parties agree that the terms of the Standard Contractual Clauses Module Two (Controller to Processor) and Module Three (Processor to Processor) as further specified in Annex 3 of this DPA, are hereby incorporated by reference and shall be deemed to have been executed by the Parties and apply to any transfers of Customer Personal Information falling within the scope of the GDPR from Customer (as data exporter) to Priori (as data importer).
6.2.
The Standard Contractual Clauses apply where there is an International Transfer to a country or territory that does not ensure an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of GDPR Personal Data as determined by the European Commission.
6.3.
For Subprocessors based outside the EEA and outside any country for which the European Commission has published an adequacy decision (the “Third Country Subprocessors”), Priori will enter into an unchanged version of the Standard Contractual Clauses with Third Country Subprocessors prior to the Subprocessor’s processing of GDPR Personal Data. The Customer hereby accedes to the Standard Contractual Clauses between Priori and the Third Country Subprocessor. Priori will enforce the Standard Contractual Clauses against the Subprocessor on behalf of the Customer if a direct enforcement right is not available under EU Data Protection Laws.
6.4.
If there is an inconsistency between any of the provisions of this DPA and the provisions of the Standard Contractual Clauses, the provisions of the Standard Contractual Clauses shall prevail.
6.5.
Priori will provide Customer reasonable support to enable Customer’s compliance with the requirements imposed on the transfer of personal data to third countries with respect to data subjects located in the EEA, Switzerland, and UK. Priori will, upon Customer’s request, provide information to Customer which is reasonably necessary for Customer to complete a transfer impact assessment (“TIA”). Priori may charge Customer, and Customer shall reimburse Priori, for any assistance provided by Priori with respect to any TIAs, data protection impact assessments or consultation with any supervisory authority of Customer.
7.
DATA SECURITY, AUDITS AND SECURITY NOTIFICATIONS
7.1.
Priori Security Obligations. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Priori shall implement appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk including, where applicable by virtue of Article 28(3)(c) of the GDPR, and as appropriate, the measures referred to in Article 32(1) of the GDPR. Without limiting the generality of the foregoing, Priori shall put in place and maintain the technical and organizational measures as set out in ANNEX 2 of this DPA. Priori may update or modify the security measures set out in ANNEX 2 from time to time, including (where applicable) following any review by Priori of such measures in accordance with clause 8.6 of the SCCs, provided that such updates and/or modifications do not reduce the overall level of protection afforded to the Customer Personal Information under this DPA.
7.2.
Security Audits. The Customer may audit (by itself or using independent third-party auditors, so long as such auditors are suitably qualified and independent and are not a competitor of Priori) Priori’s compliance with this DPA (including the technical and organisational measures as set out in ANNEX 2), including audits of Priori’s documents related to data processing; such audits may be performed once annually. Any audits are at Customer’s expense. Customer shall reimburse Priori for any time expended by Priori or its Subprocessors in connection with such audits.
To request an audit, Customer must submit a detailed proposed audit plan to Priori at least two weeks in advance of the proposed audit date. Priori will review the proposed audit plan and work cooperatively with Customer to agree on a final audit plan. All such audits must be conducted during regular business hours, subject to the agreed final audit plan and Priori’s health and safety or other relevant policies and may not unreasonably interfere with Priori’s business activities. Nothing in this clause 7.2 shall require Priori to breach any duties of confidentiality.
7.3.
Security Incident Notification. If Priori becomes aware of a Security Incident, then Priori shall promptly notify the Customer, take any additional steps that are reasonably necessary to remedy any non-compliance with this DPA, including complying with all applicable requirements of the Agreement, and reasonably cooperate in the investigation of the Security Incident.
7.4.
Priori Employees and Personnel. Priori shall limit access to Customer Personal Information to those employees or other personnel who have a business need to have access to such Customer Personal Information. Further, Priori shall ensure that such employees or other personnel have agreed in writing to protect the confidentiality and security of such Customer Personal Information in accordance with the provisions of this DPA.
7.5.
Government Disclosure. Priori shall promptly notify the Customer of any request for the disclosure of Customer Personal Information by a governmental or regulatory body or law enforcement authority (including any data protection supervisory authority) unless otherwise prohibited by law or a legally binding order of such body or agency.
8.
ACCESS REQUESTS AND DATA SUBJECT RIGHTS
8.1.
Data Subject Requests. As between the Parties, Customer shall have sole discretion and responsibility in responding to the rights asserted by any individual in relation to Customer Personal Information (“Data Subject Request”). Unless otherwise required by applicable law, Priori shall promptly notify Customer of any request received by Priori or any Subprocessor from a data subject in respect of the Customer Personal Information and shall not respond to the data subject, though Priori may advise the individual to submit their request directly to Customer.
8.2.
Priori shall, where possible, reasonably assist Customer with ensuring its compliance under applicable Data Protection Laws by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising data subject rights laid down in the Data Protection Laws and in particular shall:
(a)
provide Customer with the ability to correct, delete, block, access, or copy the Customer Personal Information, or
(b)
promptly correct, delete, block, access, or copy Customer Personal Information within the Services at Customer’s request.
9.
DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
9.1.
Where applicable by virtue of the Data Protection Laws, Priori shall provide reasonable assistance to Customer with any data protection impact assessments and with any prior consultations to any regulatory authority of Customer which are referred, in each case solely in relation to Processing of Customer Personal Information and taking into account the nature of the Processing and information available to Priori.
10.
DURATION AND TERMINATION
10.1.
Deletion of data. Subject to clause 10.2 below, Priori shall, within sixty (60) days of the date of termination of the Agreement:
(a)
if requested to do so by the Customer, return a copy of all Customer Personal Information by secure file transfer in such a format as notified by the Customer to Priori; and
(b)
delete and use all reasonable efforts to procure the deletion of all other copies of Customer Personal Information Processed by Priori or any Subprocessors.
10.2.
Priori and its Subprocessors may retain Customer Personal Information to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that Priori shall ensure the confidentiality of all such Customer Personal Information and shall ensure that such Customer Personal Information is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
11.
LAW AND JURISDICTION
Where the GDPR is applicable to the processing of the Customer Personal Information under this DPA, this DPA shall be governed by, and construed in accordance with the law of the Member State in which the Customer is established or, where the Customer is established in the United Kingdom or Switzerland, English law or Swiss law respectively. In all other cases, this DPA shall be governed by the same law as the Agreement.
12.
MISCELLANEOUS
12.1.
Amendment. The Parties acknowledge that the foregoing provisions are designed to comply with the mandates of Data Protection Laws. No change, amendment, or modification of this DPA shall be valid unless set forth in writing and agreed to by both Parties. Notwithstanding the foregoing, the Parties acknowledge that privacy and data protection laws are rapidly evolving and that amendment of this DPA may be required to ensure compliance with such developments. The Parties specifically agree to take such action as may be reasonably necessary from time to time for the Parties to comply with applicable Data Protection Laws.
12.2.
Interpretation. Any ambiguity in this Agreement shall be resolved to permit the Parties to comply with the Data Protection Laws.
12.3.
Effect of Agreement. In the event of any inconsistency between the provisions of this DPA and the Agreement, the provisions of the DPA shall control. In the event of inconsistency between the provisions of this DPA and mandatory provisions of the Data Protection Laws, or their interpretation by any court or regulatory agency with authority over the Customer or Priori, such interpretation shall control. Where provisions of this DPA are different from those mandated in the Data Protection Laws but are nonetheless permitted by such rules as interpreted by courts or agencies, the provisions of this DPA shall control.
12.4.
General. If any part of a provision of this DPA is found to be illegal or unenforceable, it shall be enforced to the maximum extent permissible, and the legality and enforceability of the remainder of that provision and all other provisions of this DPA shall not be affected. All notices relating to the Parties’ legal rights and remedies under this DPA shall be provided in writing to a Party, shall be sent to its address or email address set forth in the signature block below, or to such other address or email address as may be designated by that Party by notice to the sending Party, and shall reference this DPA. Nothing in this DPA shall confer any right, remedy or obligation upon anyone other than Customer and Priori. This DPA and its Annexes are the complete and exclusive agreement between the Parties with respect to the subject matter hereof, superseding and replacing all prior agreements, communications and understandings (written and oral) regarding its subject matter.
(a)
This DPA supplements and (in case of contradictions) supersedes the Agreement with respect to any processing of Customer Personal Information.
(b)
With respect to Customer Affiliates, by signing the Agreement Customer warrants it is duly authorised to enter into the Agreement for and on behalf of any such Customer Affiliates and, subject to clause 12.4(c), each Customer Affiliate shall be bound by the terms of this DPA as if they were the Customer.
(c)
Customer warrants that it is duly mandated by any Customer Affiliates on whose behalf Priori processes Customer Personal Information in accordance with this DPA to (a) enforce the terms of this DPA on behalf of the Customer Affiliates, and to act on behalf of the Customer Affiliates in the administration and conduct of any claims arising in connection with this DPA; and (b) receive and respond to any notices or communications under this DPA on behalf of Customer Affiliates.
(d)
The Parties agree that any notice or communication sent by Priori to Customer shall satisfy any obligation to send such notice or communication to a Customer Affiliate.
12.5.
Customer Personal Information Subject to the UK and Swiss Data Protection Laws. To the extent that the processing of Customer Personal Information is subject to UK or Swiss data protection laws, the UK Addendum and/or Swiss Addendum (as applicable) set out in Annex 4 shall apply.
12.6.
Customer Personal Information Subject to the CCPA. If Customer or Customer Affiliates provide Priori any Customer Personal Information that is “personal information” under the CCPA, Priori will:
(a)
act as a service provider with regard to such personal information;
(b)
retain, use, and disclose such personal information solely for the purpose of performing the Services or as otherwise permitted under the CCPA;
(c)
not sell Customer Personal Information to another business or third party. Notwithstanding the foregoing, disclosures to a third party in the context of a merger, acquisition, bankruptcy, or other transaction shall be permitted in accordance with the terms of the Agreement; and
(d)
provide reasonable assistance to Customer in responding to requests from consumers pursuant to the CCPA with regard to their personal information, and in accordance with clause 6 of this DPA.
ANNEX 1
DETAILS OF PROCESSING
A.
List of Parties
1. Data Exporter
Customer and/or the Customer Affiliates operating in the countries which comprise the European Economic Area, UK and/or Switzerland and/or – to the extent agreed by the Parties – Customer and/or the Customer Affiliates in any other country to the extent the GDPR or corresponding Swiss law applies.
Customer and Customer Affiliate’s contact person’s position and contact details as well as (if appointed) the data protection officer’s and (if relevant) the representative’s contact details will be notified to Priori prior to the processing of personal data via email to privacy@priorilegal.com or an available form provided by Priori in Customer’s account in the Services.
The activities relevant to the data transfer under these Clauses are defined by the Agreement and the data exporter who decides on the scope of the processing of personal data in connection with the Services further described in this Annex 1 and in the Agreement.
2. Data Importer
Priori Legal, Inc.
HearstLab, 40th Floor,
300 West 57th Street,
New York, NY, 10019
The data importer’s contact person can be contacted at privacy@priorilegal.com.
The data importer’s activities relevant to the data transfer under these Clauses are as follows: the data importer processes personal data provided by the data exporter on behalf of the data exporter in connection with providing the Services to the data exporter, as further specified in clauses 7 and 8 of this Annex 1 and in the Agreement.
B.
Description of Transfer
3. Categories of Data Subject
The categories of data subjects whose personal data are transferred: Customer, Employees of Customer.
4. Categories of Personal Data
The transferred categories of personal data are: Determined by Customer’s configuration of the Services, and may include name, business phone numbers, business email address, office address data, legal practice experience, bar and court admissions, education, publications, certifications, court experience, and languages spoken.
5. Special Categories of Personal Data (if appropriate)
The transferred personal data includes the following special categories of data: Determined by Customer’s configuration of the Services, and may include, at Customer’s option, racial/ethnic origin, sexual orientation.
The applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures are: The security measures described in Annex 2 of this DPA.
6. Frequency of the Transfer
The frequency of the transfer is: determined by the Customer’s configuration and use of the Services.
7. Subject Matter and Nature of the Processing
The subject matter of the processing is data on Customer and Customer’s professional employees. The nature of the processing is determined by Customer’s configuration of the Services, which may include (i) sourcing and request-for-proposal flows from Customer’s Law Department Clients, and (ii) creating a customized, searchable database that Customer’s Law Department Clients may access to enhance and deepen their relationships with Customer.
8. Purpose(s) of the data transfer and further processing
The purpose of the data transfer and further processing is: to provide the Services to Customer pursuant to the Agreement.
9. Duration
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: the duration is defined in clause 10 of the DPA.
10. Sub-processor (if applicable)
For transfers to sub-processors, specify subject matter, nature, and duration of the processing: as stipulated in clause 10 of the DPA. The Sub-processors may have access to the Personal Data for the term of this DPA or until the service contract with the respective Sub-processor is terminated or the access by the Sub-processor has been excluded as agreed between Priori and Customer.
Processing Operations
The transferred GDPR Personal Data is subject to the following basic processing activities:
  • use of GDPR Personal Data to set up, operate, monitor and provide the Services (including operational and technical support)
  • communication to authorized users
  • storage of GDPR Personal Data in dedicated data centers
  • back up of GDPR Personal Data
  • computer processing of GDPR Personal Data, including data transmission, data retrieval, data access
C.
Competent Supervisory Authority
Identify the competent supervisory authority/ies in accordance with clause 13 of the SCCs.
Where the data exporter is established in an EU Member State: The supervisory authority of the country in which the data exporter is established is the competent authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of the GDPR: The competent supervisory authority is the one of the Member State in which the representative is established.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) without, however, having to appoint a representative pursuant to Article 27(2) of the GDPR: The competent supervisory authority is the supervisory authority in Ireland, namely the Data Protection Commission (https://www.dataprotection.ie/).
ANNEX 2
Technical and Organisational Security Measures
Service Provider maintains internal policies and procedures, and procures that its Subprocessors also maintain internal policies and procedures, which are designed to:
  • secure any Customer Personal Information Processed by Service Provider against accidental or unlawful loss, access, or disclosure;
  • identify reasonably foreseeable and internal risks to security and unauthorised access to any Customer Personal Information Processed by Service Provider; and
  • minimise security risks, including through risk assessment and regular testing.
These measures may include:
  • Preventing unauthorised persons from gaining access to data processing systems with which personal data are processed or used (physical access control) by taking measures such as:
    • Documenting security and other incidents, maintaining an incident log;
    • Protecting and managing physical access to assets and facilities; and
    • Implementing and maintaining security controls for each computer room and/or data centre and any area containing personal data.
  • Preventing data processing systems from being used without authorisation (logical access control) by taking measures such as:
    • Using appropriate network security devices such as intrusion detection systems, routers and firewalls;
    • Periodic review of user access to sensitive applications;
    • Secure log-in with unique user-ID/password for each user;
    • Locking of unattended workstations;
    • Role-based access for critical systems containing personal data;
    • Implementing and maintaining process for routine system updates for known vulnerabilities;
    • Monitoring for security vulnerabilities on critical systems and applications;
    • Deployment and updating of antivirus software; and
    • Compliance with applicable laws, regulations and industry standards (including, where relevant, the Payment Card Industry Data Security Standard).
  • Ensuring that persons entitled to use a data processing system can gain access only to the data to which they have a right of access, and that, in the course of processing or use and after storage, personal data cannot be read, copied, modified or deleted without authorisation (access control to data) by taking measures such as:
    • Using appropriate network security devices such as intrusion detection systems, routers and firewalls;
    • Monitoring the network to detect potential cybersecurity events (e.g. malware, DDoS, etc.);
    • Secure log-in with unique user-ID/password for each user;
    • Logging and analysis of system usage;
    • Role-based access for critical systems containing personal data;
    • Deployment and updating of antivirus software;
    • Maintaining a documented incident response plan that addresses actions to be carried out should an incident occur;
    • Maintaining documented policy and procedure for record retention and destruction; and
    • Implementing and maintaining response and recovery procedures which are tested in the event of a disaster.
  • Ensuring that personal data cannot be read, copied, modified or deleted without authorisation during electronic transmission, transport or storage and that it is possible to verify and establish to which bodies the transfer of personal data by means of data transmission facilities is envisaged (data transfer control) by taking measures such as:
    • Where appropriate in light of the types or nature of the data processed, encryption of communication, tunnelling (VPN = Virtual Private Network), content filter for outgoing data, firewall and secure transport containers in case of physical transport.
  • Ensuring that personal data are protected against accidental destruction or loss (availability control) by taking measures such as:
    • Maintaining backup procedures and recovery systems, storing redundant servers in a separate location, mirroring of hard disks, maintaining an uninterruptible power supply and auxiliary power unit, remote storage, climate monitoring and control for servers, fire-resistant doors, fire and smoke detection, fire extinguishing systems, anti-virus/firewall systems, malware protection, and a disaster recovery and emergency plan.
  • Ensuring that data collected for different purposes or different principals can be processed separately (separation control) by taking measures such as:
    • Implementing data segregation.
ANNEX 3
STANDARD CONTRACTUAL CLAUSES
For the purposes of the Standard Contractual Clauses:
1.
Module Two shall apply in the case of the processing under clause 3.1(a) of the DPA and Module Three shall apply in the case of processing under clause 3.1(a)(i) of the DPA.
2.
Clause 7 of the Standard Contractual Clauses (Docking Clause) does not apply.
3.
Clause 9(a) Option 2 (General written authorization) is selected, and the time period to be specified is determined in clause 4.1 of the DPA.
4.
The option in Clause 11(a) of the Standard Contractual Clauses (Independent dispute resolution body) does not apply.
4.1.
With regard to Clause 17 of the Standard Contractual Clauses (Governing law), the Parties agree that option two shall apply as follows:
4.2.
where the Customer is established in the EEA, the law of the Member State in which the Customer is established, provided such Member State law allows for third-party beneficiary rights;
4.3.
where the Customer is established in the UK, the law of England and Wales;
4.4.
where the Customer is established other than in the UK or EEA, the law of the Member State in which the Customer has appointed its representative under Article 27 of the GDPR; or
4.5.
otherwise, the law of the Republic of Ireland.
5.
In Clause 18 of the Standard Contractual Clauses (Choice of forum and jurisdiction), the Parties submit themselves to the jurisdiction of the courts of that country whose law applies according to clause 4 of this Annex 3.
6.
For the purpose of Annex I of the Standard Contractual Clauses, Annex 1 contains the specifications regarding the parties, the description of the transfer, and the competent supervisory authority.
7.
For the purpose of Annex II of the Standard Contractual Clauses, Annex 2 contains the technical and organizational measures.
8.
The specifications for Annex III of the Standard Contractual Clauses are determined by clause 4.1 of the DPA. The Sub-processor’s contact person’s name, position and contact details will be provided by Priori upon request.
ANNEX 4
UK AND SWISS ADDENDUM
1.
UK Addendum
With respect to any transfers of Customer Personal Information falling within the scope of the UK GDPR from Customer (as data exporter) to Priori (as data importer):
1.1.
neither the Standard Contractual Clauses nor the DPA shall be interpreted in a way that conflicts with rights and obligations provided for in any laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018 (together, the “UK Data Protection Laws”);
1.2.
the Standard Contractual Clauses are deemed to be amended to the extent necessary so they operate:
(a)
for transfers made by Customer to Priori, to the extent that UK Data Protection Laws apply to the Customer’s processing when making that transfer;
(b)
to provide appropriate safeguards for the transfers in accordance with Article 46 of the UK GDPR;
1.3.
the amendments referred to in clause 1.2 of this Annex 4 include (without limitation) the following:
(a)
references to “Regulation (EU) 2016/679” or “that Regulation” are replaced by “UK GDPR” and references to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article of the UK GDPR;
(b)
references to Regulation (EU) 2018/1725 are removed;
(c)
references to the “Union”, “EU” and “EU Member State” are all replaced with the “UK”;
(d)
the “competent supervisory authority” shall be the Information Commissioner;
(e)
clause 17 of the Standard Contractual Clauses is replaced with the following:

“These Clauses are governed by the laws of England and Wales”;

(f)
clause 18 of the Standard Contractual Clauses is replaced with the following:

“Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts”;

(g)
any footnotes to the Standard Contractual Clauses are deleted in their entirety.
2.
Swiss Addendum
As stipulated in clause 12.5 of the DPA, this Swiss Addendum shall apply to any processing of Customer Personal Information subject to Swiss data protection law or to both Swiss data protection law and the GDPR.
2.1.
Interpretation of this Addendum
(a)
Where this Addendum uses terms that are defined in the Standard Contractual Clauses as further specified in Annex 3 of this DPA, those terms shall have the same meaning as in the Standard Contractual Clauses. In addition, the following terms have the following meanings:
“This Addendum” means this Addendum to the Clauses;
“Clauses” means the Standard Contractual Clauses as further specified in Annex 3 of this DPA; and
“Swiss Data Protection Laws” means the Swiss Federal Act on Data Protection of 19 June 1992 and the Swiss Ordinance to the Swiss Federal Act on Data Protection of 14 June 1993, and any new or revised version of these laws that may enter into force from time to time.
(b)
This Addendum shall be read and interpreted in the light of the provisions of Swiss Data Protection Laws, and so that it fulfils the intention for it to provide the appropriate safeguards as required by Article 46 GDPR and/or Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be.
(c)
This Addendum shall not be interpreted in a way that conflicts with rights and obligations provided for in Swiss Data Protection Laws.
(d)
Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
2.2.
Hierarchy
In the event of a conflict or inconsistency between this Addendum and the provisions of the Clauses or other related agreements between the Parties, existing at the time this Addendum is agreed or entered into thereafter, the provisions which provide the most protection to data subjects shall prevail.
2.3.
Incorporation of the Clauses
(a)
In relation to any processing of personal data subject to Swiss Data Protection Laws or to both Swiss Data Protection Laws and the GDPR, this Addendum amends the DPA, including the Clauses as further specified in Annex 3 of this DPA, to the extent necessary so that they operate:
(i)
for transfers made by the data exporter to the data importer, to the extent that Swiss Data Protection Laws or Swiss Data Protection Laws and the GDPR apply to the data exporter’s processing when making that transfer; and
(ii)
to provide appropriate safeguards for the transfers in accordance with Article 46 of the GDPR and/or Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be.
(b)
To the extent that any processing of personal data is exclusively subject to Swiss Data Protection Laws, the amendments to the DPA including the SCCs, as further specified in Annex 3 of this DPA and as required by clause 2.1 of this Swiss Addendum, include (without limitation):
(i)
References to the “Clauses” or the “SCCs” mean this Swiss Addendum as it amends the SCCs.
(ii)
Clause 6 Description of the transfer(s) is replaced with:

“The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are those specified in Annex 1 of this DPA where Swiss Data Protection Laws apply to the data exporter’s processing when making that transfer.”

(iii)
References to “Regulation (EU) 2016/679”, “that Regulation” or “GDPR” are replaced by “Swiss Data Protection Laws”, and references to specific Article(s) of “Regulation (EU) 2016/679” or “GDPR” are replaced with the equivalent Article or Section of Swiss Data Protection Laws, to the extent applicable.
(iv)
References to Regulation (EU) 2018/1725 are removed.
(v)
References to the “European Union”, “Union”, “EU” and “EU Member State” are all replaced with “Switzerland”.
(vi)
Clause 13(a) and Part C of Annex I are not used; the “competent supervisory authority” is the Federal Data Protection and Information Commissioner (the “FDPIC”) insofar as the transfers are governed by Swiss Data Protection Laws;
(vii)
Clause 17 is replaced to state:

“These Clauses are governed by the laws of Switzerland insofar as the transfers are governed by Swiss Data Protection Laws”.

(viii)
Clause 18 is replaced to state:

“Any dispute arising from these Clauses relating to Swiss Data Protection Laws shall be resolved by the courts of Switzerland. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland in which he/she has his/her habitual residence. The Parties agree to submit themselves to the jurisdiction of such courts.”

Until the entry into force of the revised Swiss Data Protection Laws, the Clauses shall also protect personal data of legal entities and legal entities shall receive the same protection under the Clauses as natural persons.
2.4.
To the extent that any processing of personal data is subject to both Swiss Data Protection Laws and the GDPR, the DPA including the Clauses as further specified in Annex 3 of this DPA will apply (i) as is and (ii) additionally, to the extent that a transfer is subject to Swiss Data Protection Laws, as amended by clauses 2.1 and 2.3 of this Swiss Addendum, with the sole exception that Clause 17 of the SCCs shall not be replaced as stipulated under clause 2.3(b)(vii) of this Swiss Addendum.
2.5.
Customer warrants that it and/or Customer Affiliates have made any notifications to the FDPIC which are required under Swiss Data Protection Laws.