Data Processing Agreement

Version 1.0 · June 1, 2021

This Data Processing Agreement ("DPA") reflects the parties’ agreement with respect to the terms governing data processing under Shuffl’s Terms of Service, Privacy Policy, and any written agreement or references to this DPA (the "Agreement") between Shuffl LLC ("Shuffl") and the customer that is party to the Agreement ("Customer"). This DPA is incorporated into and made a part of the Agreement. Please contact us at legal@shuffl.ai to request mutual signatures on this copy, if required.

This DPA may be updated on a continual quarterly basis with respect to our product releases. Notifications of said updates will be included within our public posts as found on our website in the "News" section.

DPA Sections

  • Definitions
  • Data Processing
  • Data Controller Responsibilities
  • Data Processor Responsibilities
  • Audits
  • Sub-Processors
  • Data Transfers
  • General Provisions
  • Additional Provision for California Personal Information

Exhibit and Appendix

1. Definitions

"Controller" or "Data Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

"California Personal Information" means Personal Data that is subject to the protection of the CCPA.

"CCPA" means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018).

"Consumer", "Business", "Sell" and "Service Provider" will have the meanings given to them in the CCPA.

"Personal Data" means any information relating to an identified or identifiable individual where such information is contained within Customer Data and is protected similarly as personal data or personally identifiable information under applicable Data Protection Law.

"Data Protection Laws" means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement, including without limitation European Data Protection Laws, the CCPA, or, to the extent applicable, in any other country, as amended, repealed, consolidated or replaced from time to time.

"Data Subject" means the individual to whom Personal Data relates.

"GDPR" means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

"Instructions" means the written, documented instructions issued by a Controller to a Processor, and directing the same to perform a specific action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).

"Personal Data" means any information relating to an identified or identifiable individual where such information is contained within Customer Data and is protected similarly as personal data, personal information or personally identifiable information under applicable Data Protection Laws.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by us and/or our Sub-Processors. "Personal Data Breach" will not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

"Processing" means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms "Process", "Processes" and "Processed" will be construed accordingly.

"Processor" or "Data Processor" means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.

"Sub-Processor" means any Processor engaged by us to assist in fulfilling our obligations with respect to the provision of "Providing the Services" under the Agreement. Sub-Processors may include third parties but exclude Shuffl employees or consultants.

"Standard Contractual Clauses" means the clauses attached hereto as Exhibit 1 pursuant to the European Commission’s decision (C(2010)593) of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.

2. Data Processing

a. Categories of Data Subjects. Customer’s employees, contractors, collaborators, business partners, customers, prospects, suppliers and/or subcontractors.

b. Types of Personal Data. Identification and contact data (name, email, contact information etc.); and optional employment details (location, job title, department, etc.) that is user-submitted; usage-related data for the Services and the systems used to provide and support the Services; and other electronic data submitted, stored, sent, or received by end users in the Services.

c. Subject-Matter and Nature of the Processing. The subject-matter of Processing of Personal Data by Processor is the provision of the Services to the Data Controller that involves the Processing of Personal Data. Personal Data will be subject to those Processing activities as specified in the Agreement.

d. Purpose of the Processing. Personal Data will be Processed for purposes of providing the Services set out and otherwise agreed to in the Agreement.

e. Duration of the Processing. Personal Data will be Processed for the duration of the Agreement, subject to Section 4 of this DPA.

3. Data Controller Responsibilities

Within the scope of the Agreement and in its use of the Services, Data Controller shall be solely responsible for complying with the statutory requirements relating to data protection and privacy, in particular regarding the disclosure and transfer of Personal Data to the Processor and the Processing of Personal Data.

Customer instructs Processor to process Personal Data only in accordance with applicable laws to provide the Services as defined and authorized by the Agreement.

This DPA is Customer’s instruction in relation to Personal Data and additional instructions outside the scope of this DPA would require prior written agreement between the parties. Instructions shall initially be specified in the Agreement and may, from time to time thereafter, be amended or replaced by Data Controller in separate written instructions (as individual instructions).

Data Controller shall inform Processor comprehensively and without undue delay about any errors or irregularities related to statutory provisions on the Processing of Personal Data.

4. Data Processor Responsibilities

The parties acknowledge and agree that Customer is the Data Controller of Personal Data and Shuffl is the Processor of the Personal Data. Customer Personal Data will only be processed for the purposes described in this DPA or as otherwise agreed within the scope of Customer’s lawful Instructions, except where and to the extent otherwise required by applicable law. Processor is not responsible for compliance with any Data Protection Laws applicable to Data Controller that are not generally applicable.

If Data Processor becomes aware that it cannot Process Personal Data in accordance with Instructions due to a legal requirement under any applicable law, Data Processor will (i) promptly notify Data Controller of that legal requirement to the extent permitted by the applicable law; and (ii) where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as new Instructions are issued with which Data Processor is able to comply. If this provision is invoked, Data Processor will not be liable to Data Controller under the Agreement for any failure to perform the applicable Service until such time as new lawful Instructions are issued with regard to the Processing.

Data Processor shall take the appropriate technical and organizational measures to adequately protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, described under Appendix 2 to the Standard Contractual Clauses. Upon Controller’s request, Processor shall provide a current data protection and security program relating to the Processing hereunder.

Data Processor will facilitate Data Controller’s compliance with the Data Controller’s obligation to implement security measures with respect to Personal Data (including if applicable Data Controller’s obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR), by (i) implementing and maintaining the security measures described under Appendix 2, (ii) complying with the terms of Section 4(d) (Personal Data Breaches); and (iii) providing the Data Controller with information in relation to the Processing in accordance with Section 5 (Audits).

Data Processor shall ensure that any personnel whom Data Processor authorizes to process Personal Data on its behalf is subject to confidentiality obligations with respect to that Personal Data. The undertaking to confidentiality shall continue after the termination of the above-entitled activities.

Data Processor will notify the Data Controller as soon as reasonable after it becomes aware of any Personal Data Breach or Data Incidents affecting any Personal Data. At the Data Controller’s request, Data Processor will provide the Data Controller with all reasonable assistance necessary to enable the Data Controller to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if Controller is required to do so under the Data Protection Law.

Data Processor will provide reasonable assistance, including by appropriate technical and organizational measures and taking into account the nature of the Processing, to enable Data Controller to respond to any request from Data Subjects seeking to exercise their rights under the Data Protection Law with respect to Personal Data (including access, rectification, restriction, deletion or portability of Personal Data, as applicable), to the extent permitted by the law. If such request is made directly to Data Processor, Data Processor will inform Data Controller and will advise Data Subjects to submit their request to the Data Controller. Data Controller shall be solely responsible for responding to any Data Subjects’ requests.

To the extent that Data Controller does not have the ability to address a Data Subject request, then upon Data Controller’s request Data Processor shall provide reasonable assistance to the Data Controller to facilitate such Data Subject request to the extent able and only as required by applicable Data Protection Law. Data Controller shall reimburse Data Processor for the commercially reasonable costs arising from this assistance.

Data Processor will delete or return all Customer Data, including Personal Data (including copies thereof) Processed pursuant to this DPA, on termination or expiration of your Subscription Service in accordance with the procedures and timeframes set out in the Agreement, save that this requirement shall not apply to the extent we are required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which data we will securely isolate and protect from any further Processing and delete in accordance with its deletion practices.

5. Audits

Data Processor shall, in accordance with Data Protection Laws and in response to a reasonable written request by Data Controller, make available to Data Controller such information in Data Processor’s possession or control related to Data Processor’s compliance with the obligations of data processors under Data Protection Law in relation to its Processing of Personal Data.

Data Controller may, upon written request and at least 60 days’ notice to Data Processor, during regular business hours conduct an inspection of Data Processor’s business operations or have the same conducted by a qualified third-party auditor subject to Data Processor’s approval, which shall not be unreasonably withheld and incurred at the Data Processor’s expense.

Data Processor shall, upon Data Controller’s written request and on at least 60 days’ notice to the Data Processor, provide Data Controller with all information necessary for such audit, to the extent that such information is within Data Processor’s control and Data Processor is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party.

6. Sub-Processors

Data Controller acknowledges and agrees to (i) the engagement as sub-Data Processors of the third parties listed on our Sub-Data Processors Page, as linked below, and (ii) that Data Processor may engage third-party sub-Data Processors to deliver Services as defined in the Agreement. For the avoidance of doubt, the above authorization constitutes Data Controller’s prior written consent to the sub-Processing by Data Processor for purposes of Clause 11 of the Standard Contractual Clauses.

Where Data Processor engages sub-Data Processors, Data Processor will enter into a contract with the sub-Data Processor that imposes on the sub-Data Processor data protection obligations to the standard required by Data Protection Law. Where the sub-Data Processor fails to fulfill its data protection obligations, Data Processor will remain liable to the Data Controller for the performance of such sub-Data Processor’s obligations.

The provisions of this Section 6 shall mutually apply if the Data Processor engages a sub-Data Processor in a country outside the European Economic Area (“EEA”) not recognized by the European Commission as providing an adequate level of protection for personal data. If, in the performance of this DPA, Data Processor transfers any Personal Data to a sub-Data Processor located outside of the EEA, Data Processor will, in advance of any such transfer, ensure that a legal mechanism to achieve adequacy of data protection in respect of that processing is in place.

If Data Processor engages sub-Data Processors other than the companies listed on the Sub-Data Processors Page, the Data Processor will notify the Data Controller by updating the Sub-Data Processors Page. The Data Controller may object to the engagement of the new sub-Data Processors. The objection must be received within 30 days after the Sub-Data Processors Page is updated and must be based on reasonable grounds relating to data protection. If the Data Processor and Data Controller are unable to resolve such objection, either party may terminate the Agreement by providing written notice to the other party. Data Controller shall receive a refund of any prepaid but unused fees for the period following the effective date of termination. If the Data Controller would like to receive an email notification when we update the Sub-Data Processors Page, the Data Controller must notify the Data Processor at support@shuffl.ai.

Sub-Data Processors Page: https://learn.shuffl.ai/en/articles/5054352-what-sub-data-processors-does-shuffl-use

7. Data Transfers

a. If the Data Controller is established in the EEA and transfers personal data to Shuffl, the Standard Contractual Clauses, as described under Exhibit 1, are incorporated by reference into this Agreement and apply to that transfer.

b. With respect to Personal Data of EEA and UK data subjects, the Data Controller and Shuffl agree that Shuffl may process Customer Personal Data outside the EEA and the UK where the Data Protection Law requirements (including, where applicable, Articles 44 through 47 GDPR) are fulfilled, or an exception (including, where applicable, those listed in Article 49 GDPR) applies.

8. General Provisions

With respect to updates and changes to this DPA, the terms that apply in the “Modifications” section in the Agreement shall apply.

In case of any conflict, this DPA shall take precedence over the terms of the Agreement and the Privacy Policy. Where individual provisions of this DPA are invalid or unenforceable, the validity and enforceability of the other provisions of this DPA shall not be affected.

Upon the incorporation of this DPA into the Agreement, the parties to this DPA are agreeing to the Standard Contractual Clauses (where and as applicable) and all appendixes attached thereto. In the event of any conflict or inconsistency between this DPA and the Standard Contractual Clauses in Exhibit 1, the Standard Contractual Clauses shall prevail, provided however: (a) Controller may exercise its right of audit under clause 5(f) of the Standard Contractual Clauses as set out in, and subject to the requirements of, Section 5 of this DPA; and (b) Processor may appoint sub-Processors as set out, and subject to the requirements of, Section 4 and Section 6 of this DPA.

9. Additional Provision for California Personal Information

When processing California Personal Information in accordance with Data Controller’s Instructions, the parties acknowledge and agree that Data Controller is a Business and Data Processor is a Service Provider for the purposes of the CCPA.

The parties agree that Data Processor will Process California Personal Information as a Service Provider strictly for the purpose of performing the Services under the Agreement or as otherwise permitted by the CCPA.

Exhibit 1

Standard Contractual Clauses (processors)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection

Data Controller as defined in the Data Processing Agreement (the “Data Exporter”),

And

Shuffl, 4317 Dayton Ave N 108, Seattle, WA 98103, USA (the “Data Importer”)

each a “party”; together “the parties”,

HAVE AGREED on the following Contractual Clauses (the “Clauses”) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

These Standard Contractual Clauses are incorporated into the Agreement.

Clause 1

Definitions

For the purposes of the Clauses:

(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

(b) ‘the data exporter’ means the controller who transfers the personal data;

(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25 (1) of Directive 95/46/EC;

(d) ‘the sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

(f) ‘technical and organizational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

3. The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.

4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4

Obligations of the data exporter

The data exporter agrees and warrants:

(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;

(c) that the data importer will provide sufficient guarantees in respect of the technical and organizational security measures specified in Appendix 2 to this contract;

(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e) that it will ensure compliance with the security measures;

(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

(g) to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

(j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5

Obligations of the data importer

The data importer agrees and warrants:

(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c) that it has implemented the technical and organizational security measures specified in Appendix 2 before processing the personal data transferred;

(d) that it will promptly notify the data exporter about:

(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;

(ii) any accidental or unauthorized access; and

(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so;

(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(f) at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h) that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;

(i) that the processing services by the sub-processor will be carried out in accordance with Clause 11;

(j) to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.

Clause 6

Liability

1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.

2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.

3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.

Clause 7

Mediation and jurisdiction

1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

(b) to refer the dispute to the courts in the Member State in which the data exporter is established.

2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).

Clause 9

Governing law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11

Sub-processing

1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.

2. The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.

3. The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.

4. The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

Clause 12

Obligation after the termination of personal data processing services

1. The parties agree that on the termination of the provision of data processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

2. The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

Appendix 1 to the Standard Contractual Clauses

This Appendix forms part of the Clauses.

Data exporter

The data exporter is the Customer according to the Data Processing Agreement to which the Clauses are attached.

Data importer

The data importer is Shuffl LLC.

Data subjects

The personal data transferred concern the following categories of data subjects: data subjects include individuals about whom data that originated in the EEA is provided by the data exporter. 

Categories of data

The personal data transferred concern the following categories of data: Data relating to individuals provided to Data Importer as specified in Section 2: Data Processing, of the Data Processing Agreement.

Processing operations

Data Importer will process the personal data for the purposes of providing the Service to the Data Exporter in accordance with and as described in the Agreement, the Data Processing Agreement, and these Clauses.

Appendix 2 to the Standard Contractual Clauses

This Appendix forms part of the Clauses.

Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(c) and 5(c). The data importer may update or modify these security standards from time to time provided such updates and modifications will not result in a degradation of the overall security of the Service during the term of the Business Services Terms.

Shuffl to follow strict guidelines: (a) to encrypt personal data in its lifecycle including transmission and at-rest; (b) to help ensure the ongoing stability, confidentiality, integrity, availability and hardiness of platform services; (c) to restore timely access to personal data following an incident; and (d) for regular testing of organizational and technical safeguards in place.

1. Implementation and compliance of an information security program consistent with established industry standards. These include administrative, technical, and physical safeguards to ensure the protection of Customer Personal Data from unauthorized access, destruction, use, modification, or disclosure; unauthorized access to or use that could result in substantial harm or inconvenience to the Data Controller, the Data Controller's customers, or the Data Controller's employees; and any anticipated threats or hazards to the security or integrity of such information.

2. Enforce internal access design to ensure the right people have access to the right level of customer data. If a role does not require access to customer data, access will be restricted. Customers who interact with our products through all endpoints must authenticate before accessing non-public customer data. All personnel are required to adhere to strict non-disclosure and confidentiality agreements with respect to data

10. Conduct regular training for employees with access to Customer Personal Data to ensure awareness of information security risks and compliance with data protection standards.

11. Preventing unauthorized access to the Customer Personal Data through the use of secure log-on procedures, system access to ensure only personnel entitled to use a data processing system have access only to the data to which they have a right of access, and that the Customer Personal Data cannot be read, copied, modified, or removed without authorization.

12. We use AWS exclusively for processing and delivering our service. AWS data centers and its network are architected to protect data information, identities, applications, and devices using the latest firewalls and DDoS safeguards. Ensure all data is encrypted in transit, in use, and at rest. Our external facing servers all transfer data over TLS 1.2. All data is then stored in AWS with encryption at rest. Core security and compliance requirements related to data locality, protection, and confidentiality ensure our services adhere to industry security standards.

13. Using the latest in application and infrastructure monitoring to handle error logging and traffic monitoring to ensure appropriate automated technical safeguards are in place. This allows for complete visibility, automation of risk tasks, and building our entire service stack with the highest standards around privacy and data security. This native monitoring service provides proactive tooling such as logging data and actionable insights to monitor our applications, respond to system-wide performance changes, optimize resource utilization, and have a unified view of operational health.

14. Sub-Processor selection and supervision to ensure that Customer Personal Data is processed strictly in accordance with the Data Controller's instructions. These sub-processors must provide at least the same or higher level of protection for Personal Data as we do, to the extent applicable.

15. Provide a highly available service supported by a scalable technical infrastructure. Using the latest innovations in serverless computing allows our data architecture to reflect delivering capacity close to actual demand. Leverage backup technologies to ensure customer data protection in the event of data corruption, outages, or unplanned maintenance where data loss occurs and disaster recovery policies apply.