Data Processing Addendum

Last updated: February 24, 2026

This Data Processing Addendum ("DPA") forms part of the Master Subscription Agreement or other written or electronic agreement between Aspect Ratio, Inc. ("Aspect") and the customer identified on the applicable order form ("Customer") for the provision of the Services (the "Agreement"). This DPA is incorporated into and made a part of the Agreement and reflects the parties' agreement with respect to the Processing of Customer Personal Data in connection with the Services.

1. Subject Matter and Duration

1.1 Subject Matter

This DPA governs Customer's provision of, and Aspect's Processing of, Customer Personal Data pursuant to the Agreement. All capitalized terms not expressly defined in this DPA have the meanings given to them in the Agreement. If and to the extent any language in this DPA or any of its annexes conflicts with the Agreement, this DPA controls.

1.2 Duration and Survival

This DPA becomes binding upon the effective date of the Agreement and survives until expiration or termination of the Agreement or the return or deletion of Customer Personal Data in accordance with Section 8, whichever is later.

2. Definitions

For the purposes of this DPA, the following terms and those defined within the body of this DPA apply:

"Aspect Security Standards" means Aspect's security standards, as updated from time to time, available at trust.aspectfs.com/security.

"CCPA" means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and any associated regulations and amendments, including the California Privacy Rights Act amendments.

"Controller" means the person who, alone or jointly with others, determines the purposes and means of the Processing of personal data; for purposes of this DPA, "Controller" also includes "business" as such term is defined under the CCPA.

"Customer Personal Data" means Service Data, Customer Content, Filespace data, operational metadata, or other data Processed through the Services that constitutes "personal data," "personal information," or similar term under applicable Data Protection Law.

"Data Protection Law(s)" means all worldwide data protection and privacy laws and regulations applicable to Customer Personal Data, including, where applicable, EU/UK Data Protection Law, the Swiss Federal Act on Data Protection ("FADP"), and the CCPA.

"EEA" means the European Economic Area.

"EU/UK Data Protection Law" means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "EU GDPR"); (ii) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (collectively, the "UK GDPR"); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any and all applicable national data protection laws made under, pursuant to, or that apply in conjunction with any of (i), (ii), or (iii); in each case as may be amended or superseded from time to time.

"Process" or "Processing" means any operation or set of operations performed on Customer Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

"Processor" means the person who, alone or jointly with others, Processes personal data on behalf of the Controller; for purposes of this DPA, "Processor" also includes "service provider" as such term is defined under the CCPA.

"Restricted Transfer" means: (i) where the EU GDPR applies, a transfer of personal data from the EEA to a country outside of the EEA that is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country not subject to adequacy regulations pursuant to Section 17A of the UK Data Protection Act 2018; in each case whether such transfer is direct or via onward transfer.

"SCCs" means: (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 ("EU SCCs"); (ii) where the UK GDPR applies, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Information Commissioner under s.119A(1) of the UK Data Protection Act 2018 (the "UK IDTA"); and (iii) where the FADP applies, the EU SCCs as adapted by the Swiss Federal Data Protection and Information Commissioner.

"Security Incident(s)" means any unauthorized or unlawful breach of security leading to, or reasonably believed to have led to, the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to any Customer Data Processed under or in connection with the Agreement, including but not limited to Customer Personal Data.

"Subprocessor(s)" means a third party engaged by Aspect to Process Customer Personal Data under the Agreement.

"Subprocessor List" means the current list of Aspect Subprocessors maintained at trust.aspectfs.com/subprocessors.

3. Data Use and Processing

3.1 Data Processing Relationship

Customer is either the Controller of Customer Personal Data or else Processes Customer Personal Data as a Processor on behalf of a third-party Controller, such as an end customer of Customer. In either case, the parties acknowledge and agree that Aspect has been appointed by Customer to Process Customer Personal Data as a Processor or sub-Processor, as applicable, on behalf of Customer. If Customer is a Processor on behalf of a third-party Controller, Customer will ensure that any Processing instructions it provides to Aspect pursuant to this DPA are consistent with the instructions the Controller has issued to Customer.

3.2 Documented Instructions

Aspect shall Process Customer Personal Data solely: (1) to fulfill its obligations to Customer under the Agreement, including this DPA; (2) on Customer's behalf; and (3) in compliance with Data Protection Laws. Aspect shall Process Customer Personal Data strictly for the business purpose(s) agreed between the parties and as provided under the Agreement, this DPA, and any instructions expressly agreed upon by the parties in writing (together, the "Business Purpose(s)"). Customer will not instruct Aspect to Process Customer Personal Data in violation of applicable law, including Data Protection Laws.

Aspect has no obligation to monitor the compliance of Customer's use of the Services with applicable law and will have no liability for any harm or damages resulting from Aspect's compliance with unlawful instructions received from Customer. However, Aspect will, unless legally prohibited from doing so, (i) inform Customer in writing if it reasonably believes that there is a conflict between Customer's instructions and applicable law, or otherwise seek to Process Customer Personal Data in a manner that is inconsistent with Customer's instructions, and (ii) in either such event, cease all Processing of the affected Customer Personal Data other than merely storing and maintaining the security of the affected Customer Personal Data until Customer issues new instructions with which Aspect is able to comply. If this provision is invoked, Aspect will not be liable to Customer under the Agreement for failure to perform the Services until the parties agree on new instructions. Customer retains the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.

3.3 Service Provider Certification

Aspect shall not: (a) "sell" Customer Personal Data as that term is defined in the CCPA; (b) "share" or Process Customer Personal Data for purposes of "cross-context behavioral advertising" or "targeted advertising" as those terms are defined in the CCPA; (c) retain, use, or disclose Customer Personal Data for any purpose other than the Business Purpose(s), including for any commercial purpose other than performing the Services under the Agreement; or (d) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Customer and Aspect. Aspect (i) will not attempt to re-identify any pseudonymized, anonymized, aggregated, or de-identified Customer Personal Data without Customer's express written permission; and (ii) will comply with any applicable restrictions under Data Protection Laws on combining Customer Personal Data with personal data Aspect receives from, or on behalf of, another person. Aspect certifies that it understands the restrictions set out in this Section 3.3 and will comply with them.

3.4 No Use of Customer Personal Data for Model Training

Aspect shall not use Customer Personal Data, including Customer files, source code, configuration files, logs, prompts, fixtures, datasets, operational metadata, or other Customer Content, to train artificial intelligence or machine learning models operated by Aspect or its Subprocessors. Customer Personal Data Processed through Customer-authorized agents, automation systems, developer tools, or integrations is used solely to deliver the requested functionality to Customer and is not retained by Aspect for model training purposes.

3.5 Authorization to Use Subprocessors

Customer hereby authorizes Aspect to engage affiliates and other Subprocessors to Process Customer Personal Data in accordance with this DPA and Data Protection Laws. The current list of Aspect's Subprocessors is set forth in the Subprocessor List. Customer acknowledges and agrees that Aspect's use of such Subprocessors satisfies the requirements of this DPA.

3.6 Aspect and Subprocessor Compliance

Aspect agrees to (i) enter into a written agreement with each Subprocessor regarding such Subprocessor's Processing of Customer Personal Data that imposes data protection requirements consistent with this DPA; and (ii) remain responsible to Customer for its Subprocessors' failure to perform their obligations with respect to the Processing of Customer Personal Data.

3.7 Notice of New Subprocessors

Aspect will provide notice of new Subprocessors via the Subprocessor List, and, where Customer has subscribed to notifications, by email, at least thirty (30) days before authorizing such Subprocessor to Process Customer Personal Data. Customer may object to the engagement of a new Subprocessor on reasonable data protection grounds by notifying Aspect in writing within thirty (30) days of such notice. If the parties cannot resolve the objection in good faith within thirty (30) days, Customer's sole and exclusive remedy is to terminate the affected portion of the Services and receive a pro-rata refund of any prepaid fees for the unused portion of the then-current term.

4. Confidentiality and Personnel

4.1 Personnel

Aspect ensures that its personnel authorized to Process Customer Personal Data are bound by appropriate obligations of confidentiality, whether contractual or statutory, have received training on data protection and information security, and access Customer Personal Data only on a need-to-know basis.

5. Security

5.1 Security Measures

Aspect implements and maintains appropriate technical and organizational measures designed to protect Customer Personal Data against Security Incidents and to preserve the security, confidentiality, and integrity of Customer Personal Data. Such measures are described in the Aspect Security Standards and include, at a minimum, encryption of Customer Personal Data at rest using AES-256 and in transit using TLS 1.2 or higher, encrypted backups, role-based access controls, multi-factor authentication for personnel access to production systems, and an ongoing SOC 2 program.

5.2 Updates

Aspect may update its security measures from time to time, provided that such updates do not materially diminish the overall level of protection afforded to Customer Personal Data.

5.3 Customer Responsibility for Local and External Copies

Aspect's security measures apply to Customer Personal Data while Processed within Aspect-managed infrastructure. Once Customer Personal Data is synced, hydrated, pinned, cached, downloaded, mounted, or otherwise stored on Customer-controlled devices, servers, cloud environments, containers, agent runtimes, or third-party integrations, Customer is solely responsible for securing such copies, including managing access controls, device encryption, credentials, agent permissions, environment isolation, and deletion.

6. Security Incidents

6.1 Notice

Upon becoming aware of a Security Incident, Aspect will provide written notice to Customer without undue delay. Any such notification is not an acknowledgment of fault or responsibility. Where possible, such notice will include all details known to Aspect and required under Data Protection Laws for Customer to comply with Customer's own notification obligations to regulatory authorities or individuals affected by the Security Incident, which may include, as applicable and if known: how the Security Incident occurred, the categories and approximate number of data subjects concerned, the categories and approximate number of Customer Personal Data records concerned, the likely consequences of the Security Incident, and measures taken or proposed to be taken by Aspect to address the Security Incident, including, where appropriate, measures designed to mitigate its possible adverse effects.

6.2 Investigation and Mitigation

Aspect shall use commercially reasonable efforts to: (i) investigate and identify the cause of such Security Incident; (ii) remedy or mitigate the possible adverse effects of such Security Incident; and (iii) reduce the likelihood that such Security Incident recurs. Aspect will not assess the contents of Customer Personal Data in order to identify information subject to any specific legal requirements or assess the applicability of any specific privacy, data protection, or cybersecurity requirement pertaining to such information.

6.3 Customer Responsibility

Customer is solely responsible for complying with Security Incident notification requirements applicable to Customer and fulfilling any third-party notification obligations related to any Security Incident. At Customer's written request and subject to Customer paying Aspect's reasonable fees at then-current rates and expenses, Aspect will provide Customer with assistance reasonably necessary to enable Customer to notify relevant security breaches to the competent data protection authorities and/or affected data subjects, if Customer is required to do so under Data Protection Laws.

7. Audits

7.1 Third-Party Audit Reports

Aspect obtains the third-party audits set forth in the Aspect Security Standards. Upon Customer's request, and subject to the confidentiality obligations set forth in the Agreement and the entry into specific non-disclosure agreements, Aspect shall make available to Customer or Customer's independent, reputable, third-party auditor information regarding Aspect's compliance with the obligations set forth in this DPA by providing Customer with summaries of the most recent third-party audit reports referenced in the Aspect Security Standards. All such summaries, to the extent not made generally publicly available by Aspect, constitute Aspect's Confidential Information.

7.2 Audit of Aspect

Where Data Protection Laws afford Customer an audit right, Customer or Customer's independent, reputable, third-party auditor may contact Aspect in accordance with the Notices section of the Agreement to request an audit of Aspect's policies, procedures, and records relevant to the Processing of Customer Personal Data necessary to confirm Aspect's compliance with this DPA, provided that the foregoing are within Aspect's control and Aspect is not precluded from disclosure by applicable law, a duty of confidentiality, or any other obligation owed to a third party. Customer shall reimburse Aspect for its costs and expenses, including any time expended in connection with any such audit at Aspect's then-current rates. Before the commencement of any such audit, Customer and Aspect shall mutually agree upon the scope, timing, and duration of the audit, in addition to the reimbursement rate. Audits shall be conducted no more than once per calendar year, except where required by a competent supervisory authority, during normal business hours, and in a manner that does not interfere with Aspect's day-to-day operations or compromise the security or confidentiality of any other Aspect customer's data.

8. Return and Deletion of Customer Personal Data

8.1 Return or Deletion

Upon termination or expiration of the Agreement, Customer shall have a sixty (60) day retrieval period (the "Retrieval Period") to export Customer Personal Data from the Services using available self-service export tools or by contacting Aspect support. Upon expiration of the Retrieval Period, Aspect shall delete Customer Personal Data across applicable storage systems used by the Services, including primary distributed storage, application metadata, operational metadata, indexes, backups, and caches, except to the extent applicable law requires storage of Customer Personal Data.

8.2 Deletion Certification

Upon Customer's written request following deletion under Section 8.1, Aspect shall provide Customer with written certification of such deletion.

8.3 Retention Exceptions

Notwithstanding Section 8.1, Aspect may retain Customer Personal Data: (i) in encrypted backups, subject to Aspect's standard backup rotation schedule, until such backups are overwritten or expire in the ordinary course; and (ii) where required by applicable law or regulatory obligation, for the period required by such law or obligation. Customer Personal Data retained pursuant to this Section 8.3 remains subject to the confidentiality and security obligations of this DPA.

9. International Data Transfers

9.1 Restricted Transfers

Where Aspect makes a Restricted Transfer, the parties agree that such Restricted Transfer shall be governed by the SCCs, which are incorporated into this DPA by reference. The EU SCCs Module Two (Controller to Processor) shall apply where Customer is a Controller and Aspect is a Processor; the EU SCCs Module Three (Processor to Processor) shall apply where Customer is a Processor and Aspect is a sub-Processor. The UK IDTA shall apply where the UK GDPR governs the transfer. The EU SCCs as adapted by the Swiss FDPIC shall apply where the FADP governs the transfer.

9.2 Order of Precedence

In the event of any conflict between the SCCs and any other terms of this DPA or the Agreement with respect to a Restricted Transfer, the SCCs shall prevail to the extent of such conflict.

9.3 Data Residency

Customer may elect a primary storage region for Customer files from among the regions made available by Aspect for the Services. Backup, recovery, metadata, cache, and archival data residency may be determined by Aspect unless otherwise agreed in writing. All storage tiers are subject to appropriate security controls, encryption standards, and retention policies.

10. Data Subject Rights and Assistance

10.1 Self-Service Tools

Aspect provides Customer with available in-platform tools to enable Customer to fulfill its obligations under Data Protection Laws to respond to requests from data subjects to exercise their rights of access, rectification, erasure, restriction, portability, objection, and not to be subject to automated decision-making.

10.2 Direct Requests

If Aspect receives a request from a data subject directly in relation to Customer Personal Data, Aspect will, without undue delay, direct the data subject to make their request to Customer and will not respond to such request except to confirm Aspect's role as Processor on behalf of Customer.

10.3 Reasonable Assistance

Taking into account the nature of the Processing, Aspect shall provide reasonable assistance to Customer, insofar as possible, for the fulfillment of Customer's obligations to respond to requests for the exercise of data subject rights, as well as for the fulfillment of Customer's obligations under Articles 32 to 36 of the EU GDPR, including security, breach notification, data protection impact assessments, and prior consultations, taking into account the nature of the Processing and the information available to Aspect.

11. Customer-Authorized Agents and Integrations

11.1 Customer Instructions

Customer may use the Services to connect filespaces to AI coding agents, automation systems, CI/CD tools, development environments, repositories, cloud platforms, local machines, servers, containers, and other third-party systems. Customer is responsible for configuring such access and ensuring that it constitutes a documented instruction to Aspect where Customer Personal Data is Processed.

11.2 Customer Responsibility

Customer is responsible for the acts and omissions of Customer-authorized agents, integrations, tools, users, devices, and external systems, including their access to Customer Personal Data and any onward Processing outside Aspect-managed infrastructure.

11.3 Aspect Obligations

Aspect shall Process Customer Personal Data made available through Customer-authorized agents and integrations only as necessary to provide the Services and in accordance with this DPA. Aspect shall not use such Customer Personal Data for model training, cross-customer profiling, advertising, or any purpose outside the Agreement.

12. Limitation of Liability

Each party's liability under or in connection with this DPA shall be subject to the exclusions and limitations of liability set forth in the Agreement. To the extent the SCCs apply to a Restricted Transfer, nothing in this DPA shall be construed to limit either party's liability to data subjects under the SCCs.

13. General

13.1 Governing Law and Jurisdiction

This DPA is governed by, and shall be construed in accordance with, the governing law and jurisdiction provisions set forth in the Agreement, except to the extent that the SCCs or applicable Data Protection Laws require otherwise.

13.2 Notices

Notices under this DPA shall be delivered in accordance with the Notices section of the Agreement.

13.3 Amendments

Aspect may amend this DPA from time to time to reflect changes in Data Protection Laws or changes to the Services, provided that Aspect provides Customer with at least thirty (30) days' prior written notice of any such amendment and such amendment does not materially diminish the overall level of protection afforded to Customer Personal Data.

13.4 Severability

If any provision of this DPA is held by a court of competent jurisdiction to be unenforceable, such provision shall be modified by the court and interpreted so as to best accomplish the original provision to the fullest extent permitted by law, and the remaining provisions of this DPA shall remain in effect.

13.5 Entire Agreement

This DPA, together with the Agreement, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements, proposals, or representations, written or oral, concerning the subject matter hereof.

Annex I: Data Processing Description

This Annex I forms part of the DPA and describes the Processing that Aspect, as Processor or sub-Processor as applicable, will perform on behalf of Customer, as Controller or Processor as applicable. This Annex I also serves as Annex I to the EU SCCs where applicable.

A. List of Parties

Controller / Data Exporter, or Processor / Data Exporter, as applicable:

  • Name: Customer as set forth in the applicable order form.
  • Address: As set forth in the applicable order form.
  • Contact person's name, position, and contact details: As set forth in the applicable order form.
  • Activities relevant to the data transferred under these Clauses: Processing necessary to receive the Services pursuant to the Agreement.
  • Signature and date: This Annex I shall automatically be deemed executed when Customer accepts the Agreement.
  • Role: Controller or Processor, as applicable.

Processor / Data Importer, or sub-Processor / Data Importer, as applicable:

  • Name: Aspect Ratio, Inc.
  • Contact person's name, position, and contact details: Gurish Sharma, Chief Executive Officer, [email protected].
  • EU/UK Representative under Article 27 of the EU GDPR / UK GDPR: To be designated.
  • Activities relevant to the data transferred under these Clauses: Processing necessary to provide the Services pursuant to the Agreement.
  • Signature and date: This Annex I shall automatically be deemed executed when Customer accepts the Agreement.
  • Role: Processor or sub-Processor, as applicable.

B. Description of Processing / Transfer

EU SCC Module: Module Two (Controller to Processor) or Module Three (Processor to sub-Processor), as applicable.

Categories of data subjects: The personal data Processed concerns the following categories of data subjects:

  • Customer's Authorized Users and their employees, contractors, consultants, agents, and other personnel.
  • Individuals identified in or referenced by Customer files, source code, configuration files, logs, prompts, fixtures, datasets, documents, metadata, or other Customer Content within the Services.
  • Customer's clients, end customers, business contacts, and other individuals whose personal data Customer chooses to Process through the Services.
  • Individuals whose access, device, network, or activity information appears in authentication logs, audit logs, mount logs, sync logs, API logs, or support records.

Categories of personal data: The personal data Processed includes:

  • Account information such as name, business email address, IP address, billing contact details, authentication identifiers, and workspace membership.
  • The contents of Customer files and directories, which may include personal data at Customer's discretion.
  • File metadata, directory metadata, object metadata, content hashes, timestamps, version references, indexes, sync state, mount state, hydration state, cache state, and transfer metadata.
  • Access control records, workspace configuration, device registrations, invitation records, API tokens, and integration configuration.
  • Audit logs and activity records reflecting Authorized User, device, agent, API, mount, and sync activity within the Services.
  • Support communications and related troubleshooting information.

Sensitive data Processed, if applicable: Customer Content may, at Customer's discretion, contain special categories of personal data, sensitive personal information, credentials, secrets, source code, proprietary information, or regulated data. Customer is responsible for determining the appropriateness of Processing such categories through the Services and for configuring the Services accordingly.

Frequency of the transfer: Continuous for the duration of the Agreement.

Nature of the Processing: Cloud-based file storage; directory and metadata management; sync; mount access; on-demand file hydration; local cache coordination; file indexing and search; permissions management; authentication; authorization; workspace administration; device and agent access; migration; backup; recovery; logging; monitoring; support; and deletion.

Purpose(s) of the data transfer and further Processing: The performance of the Services pursuant to the Agreement.

Period for which the personal data will be retained, or, if not possible, the criteria used to determine that period: For the duration of the Agreement plus the sixty (60) day Retrieval Period, except as otherwise provided in Section 8 of this DPA or as required by applicable law.

For transfers to sub-Processors, also specify subject matter, nature, and duration of the Processing: Subprocessor Processing is as described in the Subprocessor List and is limited to the activities necessary to provide the Services pursuant to the Agreement.

C. Competent Supervisory Authority

In accordance with Clause 13 of the EU SCCs, the competent supervisory authority shall be determined based on the EU member state in which the Controller / Data Exporter (Customer) is established, or, where Customer is not established in the EEA, the EU member state in which Customer's designated EU representative under Article 27 of the EU GDPR is established, or, in the absence of such representative, the EU member state in which the data subjects whose personal data is transferred are located.

For transfers governed by the UK GDPR, the competent supervisory authority is the United Kingdom Information Commissioner's Office (ICO). For transfers governed by the Swiss FADP, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner (FDPIC).

Annex II: Technical and Organizational Measures

The technical and organizational measures implemented by Aspect to ensure an appropriate level of security for Customer Personal Data are set forth in the Aspect Security Standards, available at trust.aspectfs.com/security, which are incorporated into this DPA by reference and form part of Annex II to the EU SCCs.

The Aspect Security Standards include, at a minimum, measures relating to:

  • Pseudonymization and encryption of personal data, including AES-256 at rest, TLS 1.2 or higher in transit, and encrypted backups.
  • The ongoing confidentiality, integrity, availability, and resilience of Processing systems and services.
  • The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident.
  • A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures, including an ongoing SOC 2 program and periodic vendor security reviews.
  • Logical workspace isolation, role-based access controls, and multi-factor authentication for personnel access to production systems.
  • Personnel security, including background checks where permitted by law, security and privacy training, and confidentiality obligations.
  • Asset management, change management, vulnerability management, and incident response programs.

Annex III: List of Sub-Processors

The current list of Aspect Sub-Processors is maintained and made available to Customer at trust.aspectfs.com/subprocessors, which is incorporated into this DPA by reference and forms part of Annex III to the EU SCCs.

Aspect provides notice of additions to the Sub-Processor list in accordance with Section 3.7 of this DPA.

Annex IV: UK International Data Transfer Addendum

For transfers of personal data subject to the UK GDPR, the UK IDTA is incorporated into this DPA by reference and completed as follows:

  • Table 1 (Parties): The parties identified in Annex I.A of this DPA.
  • Table 2 (Selected SCCs, Modules and Selected Clauses): The EU SCCs, as completed by this DPA, with Modules Two and Three as applicable and all optional clauses as completed in this DPA.
  • Table 3 (Appendix Information): As set forth in Annexes I, II, and III of this DPA.
  • Table 4 (Ending this Addendum when the Approved Addendum Changes): Either party may end the UK IDTA in accordance with Section 19 of the UK IDTA.

Annex V: Swiss FADP Adaptations

For transfers of personal data subject to the Swiss FADP, the EU SCCs apply with the following adaptations: (i) references to the EU GDPR shall be deemed to include the FADP to the extent the FADP applies; (ii) the term "member state" shall not be interpreted to exclude data subjects in Switzerland from exercising rights in their place of habitual residence; and (iii) the competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner (FDPIC).

Contact Us

If you have any questions about this Data Processing Addendum, please contact us at [email protected].