VeraSafe Data Processing Addendum

Effective Date: January 19, 2021

1. Introduction.

1.1. This VeraSafe Data Processing Addendum (this “Addendum”), including its two exhibits, is entered into by and between VeraSafe, LLC, a limited liability company incorporated under the laws of Delaware, and its relevant Affiliates (“VeraSafe”) and the entity who entered into the Agreement (as defined below) with VeraSafe (“Participant”).

1.2. This Addendum, which may be updated from time to time, forms an integral part of the Agreement and is effective upon its incorporation into the Agreement. This Addendum may be incorporated by reference in the Agreement or an executed amendment to the Agreement.

1.3. NOW, THEREFORE, in consideration of the mutual agreements set forth in this Addendum, the Parties agree as follows:

2. Definitions.

2.1. Capitalized definitions not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified or supplemented below, the definitions of the Agreement shall remain in full force and effect.

2.2. For the purpose of interpreting this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

  1. Affiliate” means any entity within a controlled group of companies that directly or indirectly, through one or more intermediaries, is controlling, controlled by, or under common control with one of the Parties;
  2. Agreement” means the Master Services Agreement, Master License Agreement, Master License and Services Agreement, or Technical and Professional Services Agreement in addition to any appendices, Program Addenda, and Statements of Work entered into between VeraSafe and Participant;
  3. Applicable Laws” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including the laws of the European Union (or any member state thereof) and the laws of any other country, province, or state to which the Processing of Personal Data (both terms as defined below) is subject, including the laws specified in Exhibit B hereto;
  4. Contracted Processor” means any third party appointed by or on behalf of VeraSafe to Process Personal Data on behalf of Participant in connection with the Agreement;
  5. Contracted Processor Page” means the webpage, as may be updated from time to time by VeraSafe, currently available at: https://www.verasafe.com/legal-notices/subprocessors;
  6. Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data;
  7.  “GDPR” or “General Data Protection Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 “on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC,” as may be amended from time to time;
  8. Personal Data” means any information relating to an identified or identifiable natural person (a “Data Subject”) pertaining to Participant (and the Data Subjects, respectively) Processed by VeraSafe on behalf of Participant pursuant to or in connection with the Agreement. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
  9. Personal Data Breach” means any breach of security leading to the accidental or unlawful destruction, loss, or alteration or unauthorized disclosure of, or access to, Personal Data which VeraSafe Processes on behalf of Participant in connection with the Agreement;
  10. Personal Data Recipient” means VeraSafe, a Contracted Processor, or both, collectively;
  11. Processor” means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller;
  12. Processing” (or any cognate terms) means any operation or set of operations which is performed on data or on sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction;
  13. Services” means the services and other activities carried out by or on behalf of VeraSafe for Participant pursuant to the Agreement; and
  14. VeraSafe” means the Party, as indicated in the opening paragraph of this Addendum, that has entered into the Agreement with Participant, including all Affiliates of that Party that are also bound by the Agreement, if any.

3. Applicability.

3.1. This Addendum will apply to the Processing of all Personal Data, regardless of country of origin, place of Processing, location of Data Subjects, or any other factor.

4. Processing of Personal Data.

4.1. This Addendum shall only apply where, and to the extent that, VeraSafe factually acts as a Processor. For the avoidance of doubt, the following situations fall within the scope of and are covered by this Addendum: (1) when Participant acts as a Controller and VeraSafe acts as a Processor; and (2) when Participant acts as a Processor and VeraSafe acts as a subprocessor. 

4.2. VeraSafe shall:

  1. comply with all Applicable Laws in the Processing of Personal Data;
  2. at no time Process Personal Data other than at Participant’s documented instructions (including with regard to international transfers of Personal Data), unless such Processing is required by Applicable Laws to which the relevant Personal Data Recipient is subject, in which case VeraSafe shall, to the extent permitted by Applicable Laws, inform Participant of that legal requirement before Processing that Personal Data;
  3. only conduct transfers of Personal Data in compliance with all applicable conditions, as set forth in Applicable Laws; 
  4. promptly update, when necessary, all information as provided in Exhibit A, attached hereto and incorporated by reference, and keep all such information complete and up to date; and
  5. immediately inform Participant in the event that, in VeraSafe’s opinion, a Processing instruction given by Participant may violate Applicable Laws.

4.3. Participant instructs VeraSafe (and authorizes VeraSafe to instruct each Contracted Processor it engages) to Process Personal Data and, in particular, to transfer Personal Data to any country or territory only as reasonably necessary for the provision of the Services and as is consistent with the Agreement and this Addendum. 

4.4. Where Participant is acting as a Processor, it warrants that it:

  1. processes Personal Data only on behalf of its clients’ documented instructions and, in turn, instructs VeraSafe to carry out such Processing activities on behalf of Participant in accordance with said documented instructions; and
  2. has obtained the prior authorization from its client who is acting as a Controller regarding the Processing of Personal Data for subcontracting its activities to VeraSafe and any Contracted Processors.

5. VeraSafe Personnel.

5.1. VeraSafe shall take reasonable steps to ensure the reliability of its employees, agents, or contractors who may have access to Personal Data.

5.2. VeraSafe shall ensure that access to Personal Data is strictly limited to those individuals who need to know or access it, as strictly necessary to fulfill the documented Processing instructions given to VeraSafe by Participant or to comply with Applicable Laws.

5.3. VeraSafe shall ensure that all individuals referenced in Section 5.2 above are subject to formal confidentiality undertakings, professional obligations of confidentiality, or statutory obligations of confidentiality.

6. Security of Processing.

6.1. Taking into account the state of the art and the high sensitivity of Personal Data, VeraSafe shall, with regard to Personal Data, implement and maintain appropriate technical and organizational security measures to ensure a level of security appropriate to that risk (including, as appropriate, the measures referred to in Article 32(1) of the GDPR), as well as assist Participant with regard to ensuring Participant’s compliance with its own obligations related to its security measures.

6.2. In assessing the appropriate level of security required to protect Personal Data, VeraSafe shall take account, in particular, of the risks that are presented by the nature of its Processing activities and in particular, those related to possible Personal Data Breaches.

7. Subprocessing.

7.1. Participant authorizes VeraSafe to appoint (and permit each Contracted Processor appointed in accordance with this Section 7 to appoint) Contracted Processors in accordance with this Section 7 and any restrictions as set forth in the Agreement.

7.2. VeraSafe may continue to use those Contracted Processors already engaged by VeraSafe as of the date of this Addendum, subject to VeraSafe meeting the obligations set out in Section 7.5. The list of VeraSafe’s Contracted Processors as of the Effective Date is available on the Contracted Processor Page. 

7.3. VeraSafe shall provide Participant prior notice of the appointment of any new Contracted Processors by updating the Contracted Processor Page. The Contracted Processor Page will reflect the “Last Updated” date at all times. Participant is solely responsible for periodically reviewing the Contracted Processors Page. 

7.4. If Participant does not explicitly notify VeraSafe in writing of any objections to the proposed appointment within fourteen (14) days of the receipt of such notice, Participant shall be deemed to have consented to the proposed appointment. If Participant objects to a proposed appointment, the Parties will, for a period of no more than thirty (30) days from the date of Participant’s refusal, work together in good faith to attempt to find a commercially reasonable solution for Participant that avoids the use of the objected-to Contracted Processor. If no solution can be found which is satisfactory to both Parties, Participant, upon written notice to VeraSafe, may terminate the Agreement immediately (or upon such date as Participant selects), with no further fees due, other than what has been accrued up to, and including, the date of termination.

7.5. With respect to each prospective Contracted Processor, VeraSafe shall:

  1. before the Contracted Processor first Processes Personal Data (or, where relevant, in accordance with Section 7.2), carry out adequate due diligence to ensure that the Contracted Processor is capable of providing the level of protection and security for Personal Data required by this Addendum, the Agreement, and Applicable Laws; and
  2. ensure that the arrangement between VeraSafe and the prospective Contracted Processor is governed by a written contract that includes terms which offer at least the same level of protection for Personal Data as those set forth in this Addendum, and that such terms meet the requirements of Applicable Laws.

7.6. Where any Contracted Processor fails to fulfill its data protection obligations under such written contract (or in the absence thereof, as the case may be), VeraSafe shall remain fully liable to Participant for the performance of the respective Contracted Processors’ obligations under such contract.

8. Rights of the Data Subjects.

8.1. Taking into account the nature of the Processing, VeraSafe shall assist Participant by implementing appropriate technical and organizational measures, insofar as this is possible, to respond to requests to exercise rights of the Data Subjects under Applicable Laws.

8.2. With regard to the rights of the Data Subjects within the scope of this Section 8, VeraSafe shall:

  1. promptly notify Participant if any Personal Data Recipient receives a request from a Data Subject under any Applicable Law with respect to Personal Data; 
  2. ensure that the Personal Data Recipient does not respond to that request, except on the documented instructions of Participant, or as required by Applicable Laws to which the Personal Data Recipient is subject, in which case VeraSafe shall, to the extent permitted by Applicable Laws, inform Participant of that legal requirement before the Personal Data Recipient responds to the request; and
  3. promptly comply with any documented instructions from Participant regarding response to a request to exercise rights of the Data Subjects under Applicable Laws.

9. Personal Data Breach.

9.1. If VeraSafe discovers, is notified of, or has reason to suspect a Personal Data Breach affecting Personal Data, VeraSafe will provide notice to Participant without undue delay.

9.2. VeraSafe shall provide Participant with sufficient information to assist Participant, or to allow Participant to assist its clients, so that each affected entity can meet its respective obligations pursuant to Applicable Laws, including any obligations to report the Personal Data Breach to the competent supervisory authorities and/or inform the Data Subjects.

9.3. VeraSafe shall cooperate with Participant and take all reasonable commercial steps to assist Participant in the investigation, mitigation, and remediation of each such Personal Data Breach.

10. Data Protection Impact Assessment and Prior Consultation.

10.1. VeraSafe shall provide Participant with relevant information and documentation and assist Participant in complying with its obligations with regard to any data protection impact assessments or prior consultations with supervisory authorities when Participant determines that such data protection impact assessments or prior consultations are required pursuant to Applicable Laws (including, without limitation, Article 35 or 36 of the GDPR), but in each such case solely with regard to the Processing of Personal Data by, and taking into account the nature of the Processing and information available to, the respective Personal Data Recipient.

10.2. Participant agrees to pay VeraSafe, upon receipt of invoice, a reasonable fee based on the Services provided in relation to Participant exercising its rights under this Section 10.

11. Deletion or Return of Personal Data.

11.1. VeraSafe shall provide Participant with the technical means, consistent with the way the Services are provided, to request the deletion of Personal Data upon the request of Participant, unless Applicable Laws require storage of any such Personal Data.

11.2. At Participant’s request, VeraSafe shall promptly, at the choice of Participant, delete or return all Personal Data to Participant, as well as delete existing copies, unless Applicable Laws require storage of any such Personal Data.

11.3. VeraSafe shall also cause all Contracted Processors that may have received any Personal Data to delete or return, as applicable, all such Personal Data without undue delay.

12. Audit Rights.

12.1. Participant may request, and VeraSafe shall make available to Participant (subject to obligations of confidentiality), information necessary to demonstrate (i) VeraSafe’s compliance with this Addendum, and (ii) Participant’s compliance with its undertakings under Applicable Laws with regard to the provision of Services. 

12.2. After having reviewed such information, if Participant deems that it requires additional information, VeraSafe shall further reasonably assist and make available to Participant all such additional information and/or documentation (including relevant provisions of contracts with Contracted Processors) necessary to demonstrate compliance with this Addendum and/or Applicable Laws.

12.3. In addition, VeraSafe shall allow for and contribute to audits, including remote inspections of the Services, by Participant (on behalf of itself or its clients) or an auditor mandated by Participant (on behalf of itself or its clients) with regard to the Processing of Personal Data by the Personal Data Recipient.

12.4. VeraSafe shall provide the assistance described in this Section 12, insofar as VeraSafe believes such audits, and the specific requests of Participant, do not interfere with VeraSafe’s business operations or cause VeraSafe to breach any legal or contractual obligation to which it is subject.

12.5. Participant agrees to pay VeraSafe, upon receipt of invoice, a reasonable fee based on the Services provided in relation to the Participant exercising its rights under this Section 12 or the Standard Contractual Clauses, as defined and referenced in Exhibit B.

13. Jurisdiction Specific Terms.

13.1. To the extent that VeraSafe processes Personal Data protected by Applicable Laws in one of the jurisdictions listed in Exhibit B, then the terms specified in Exhibit B with respect to the applicable jurisdiction(s) (“Jurisdiction Specific Terms”) shall apply in addition to the terms of this Addendum. VeraSafe may update Exhibit B from time to time to reflect changes in or additions to Applicable Laws to which VeraSafe is subject.

13.2. In case of any conflict or ambiguity between the Jurisdiction Specific Terms and any other terms of this Addendum, the applicable Jurisdiction Specific Terms will take precedence.

14. No Selling of Personal Data.

14.1. VeraSafe acknowledges and confirms that it does not receive any Personal Data as consideration for any Services or products that VeraSafe provides to Participant. Participant retains all rights and interests in Personal Data. VeraSafe agrees to refrain from any actions that would cause any transfers of Personal Data to or from VeraSafe to qualify as selling Personal Data under Applicable Laws.

15. Liability and Indemnification.

15.1. Notwithstanding anything to the contrary in this Addendum or in the Agreement, this Addendum shall be subject to the limitations of liability and indemnification provisions included in the Agreement.

16. General Terms.

16.1. This Addendum supersedes and replaces all prior and contemporaneous proposals, statements, sales materials or presentations, and agreements, oral and written, with regard to the subject matter of this Addendum, including any prior data processing addenda entered into between VeraSafe and Participant.

16.2. All clauses of the Agreement, unless explicitly amended or supplemented by the clauses of this Addendum, remain in full force and effect, so long as they do not contradict with compulsory requirements of Applicable Laws under this Addendum.

16.3. In the event of any conflict between the Agreement (including any annexes and appendices thereto) and this Addendum, the provisions of this Addendum shall control, except as where the applicable Jurisdiction Specific Terms will apply and take precedence as discussed in Section 13.2 above.

16.4. Should any provision of this Addendum be found legally invalid or unenforceable, then the invalid or unenforceable provision will be deemed superseded by a valid, enforceable provision that most closely matches the intent of the original provision and the remainder of the Addendum will continue in effect.

16.5. If VeraSafe makes a determination that it can no longer meet any of its obligations in accordance with this Addendum, it shall promptly notify Participant of that determination and cease the Processing or take other reasonable and appropriate steps to remediate.

16.6. In the event that VeraSafe materially breaches this Addendum or suffers a material Personal Data Breach, Participant may, upon written notice to the VeraSafe, terminate the relevant Service Agreement immediately (or upon such date as Participant selects).

17. EU Representative.

17.1. The European Union Representative of VeraSafe, LLC pursuant to Article 27 of the GDPR is:

VeraSafe Czech Republic s.r.o.
Klimentská 46
Prague 1, 11002
Czech Republic

Contact form: https://verasafe.com/public-resources/contact-data-protection-representative

 

Exhibit A: Details of Processing

1. Further details of the Processing, in addition to the details set forth in the Agreement and this Addendum, include: 

1.1. The subject matter of the Processing of Personal Data is:

  1. the subject matter of the Processing of Personal Data pertains to the provision of Services, as requested by Participant.

1.2. The duration of the Processing of Personal Data is:

  1. the duration of the Processing of Personal Data is generally determined by Participant and is further subject to the terms of this Addendum and the Agreement, respectively, in the context of the contractual relationship between Participant and VeraSafe.

1.3. The nature and purpose of the Processing of Personal Data is:

  1. the purpose of Processing of Personal Data pertains to the provision of Services under the Agreement. 

1.4. The categories of Personal Data to be Processed are:

  1. contact information (first name, last name, email address, postal address, phone number, fax number, and IP address), professional information (job title, position, and information about company or business), and billing information. 

1.5. The special categories of Personal Data to be Processed are (if appropriate):

  1. not applicable, unless submitted by Participant or Data Subject.

1.6. The categories of Data Subjects to whom the Personal Data relates are:

  1. employees of Participant, employees of Participant’s vendors, and data subjects exercising their rights.

1.7. The basic Processing activities to which the Personal Data will be subject include, without limitation:

  1. collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction for the purpose of providing the Services to Client in accordance with the terms of the Agreement. 

1.8. Description of the technical and organisational security measures implemented by VeraSafe:

  1. taking into account the state of the art and the high sensitivity of the Personal Data, VeraSafe implements and maintains appropriate technical and organizational security measures to ensure a level of security appropriate to that risk (including, as appropriate, the measures referred to in Article 32(1) of the GDPR).

2. The following is deemed an instruction by Participant to Process Personal Data: 

  1. Processing in accordance with the Agreement;
  2. Processing initiated by Data Subjects in their use of the Services; and
  3. Processing to comply with other reasonable documented instructions provided by Client (e.g., via email) where such instructions are consistent with the terms of the Agreement.

 

Exhibit B: Jurisdiction Specific Terms

1. Transfers of EEA Personal Data.

1.1. Controller to Processor Standard Contractual Clauses” (as used in this Section) means the contractual clauses adopted by Decision of the European Commission of 5 February 2010 (decision 2010/87/EU) for the purpose of adducing adequate protection of Personal Data transferred from a Controller to a Processor established in a Third Country (as defined below), where the legislation in such Third Country has not been deemed to provide an adequate level of data protection.

1.2. European Economic Area” or “EEA” means the EU Member States and Iceland, Liechtenstein, and Norway.

1.3. Restricted Transfer of EEA Personal Data” (as used in this Section) means any transfer of Personal Data subject to GDPR regulations which is undergoing Processing or is intended for Processing after transfer to a Third Country or an international organization (including data storage on foreign servers).

1.4. Third Country” means a country outside of the EEA.

1.5. With regard to any Restricted Transfer of EEA Personal Data from Participant to VeraSafe within the scope of this Addendum, one of the following transfer mechanisms shall apply, in the following order of precedence:

  1. a valid adequacy decision adopted by the European Commission on the basis of Article 45 of the GDPR that provides that the Third Country, a territory or one or more specified sectors within that Third Country, or the international organization in question to which Personal Data is to be transferred ensures an adequate level of data protection;
  2. the Controller to Processor Standard Contractual Clauses (insofar as their use constitutes an “appropriate safeguard” under Article 46 of the GDPR); or
  3. any other lawful data transfer mechanism, as set forth in Chapter 5 of the GDPR.

1.6. This Exhibit hereby incorporates by reference the Controller to Processor Standard Contractual Clauses (updated from time to time if required by law or at the choice of Participant to reflect the latest version promulgated by the European Commission) provided that the content of Appendices 1 and 2 of the Standard Contractual Clauses is set forth in Exhibit A to this Addendum. For the purpose of the Controller to Processor Standard Contractual Clauses and this Section 1, Participant shall be deemed the “data exporter” and VeraSafe the “data importer”. The Parties are deemed to have accepted, executed, and signed the Controller to Processor Standard Contractual Clauses where necessary, in their entirety (including the Appendices thereto and the “Illustrative Indemnification Clause” as an operative clause). 

1.7. To the extent that the Controller to Processor Standard Contractual Clauses are applicable to a Restricted Transfer of EEA Personal Data, VeraSafe shall, if necessary, implement additional safeguards to ensure an adequate level of protection, as required by Applicable Laws. 

1.8. In cases where the Controller to Processor Standard Contractual Clauses apply, and there is a conflict between the terms of the Addendum and the terms of the Standard Contractual Clauses, the terms of the Standard Contractual Clauses shall control. 

2. United Kingdom.

2.1. Applicable Laws” (as used in the Addendum) includes the Data Protection Act 2018, and when in full force and effect, the UK GDPR. 

2.2. Controller to Processor Standard Contractual Clauses” (as used in this Section) means the standard data protection clauses specified pursuant to Article 46(2) of the UK GDPR and Section 17C (13) or Section 119A(14) of the Data Protection Act 2018.

2.3. Restricted Transfer of UK Personal Data” (as used in this Section) means any transfer of Personal Data subject to the UK GDPR which is undergoing Processing or is intended for Processing after transfer to a Third Country (as defined below) or an international organization (including data storage on foreign servers).

2.4. Third Country” (as used in this Section) means a country outside of the United Kingdom.

2.5. UK GDPR” (as used in this Section) means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) as it forms a part of the law of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the Withdrawal Agreement (as defined below).

2.6. Withdrawal Agreement” (as used in this Section) means the European Union (Withdrawal) Act of 2020. 

2.7. With regard to any Restricted Transfer of UK Personal Data from Participant to VeraSafe within the scope of this Addendum, one of the following transfer mechanisms shall apply, in the following order of precedence:

  1. a valid adequacy decision adopted pursuant to Article 45 of the UK GDPR that provides that the Third Country, a territory or one or more specified sectors within that Third Country, or the international organization in question to which Personal Data is to be transferred ensures an adequate level of data protection. 
  2. the Controller to Processor Standard Contractual Clauses (insofar as their use constitutes an “appropriate safeguard” under Article 46 of the UK GDPR); or
  3. any other lawful data transfer mechanism, as set forth in Chapter 5 of the UK GDPR.

3. Switzerland.

3.1. Applicable Laws” (as used in the Addendum) includes the Federal Act on Data Protection of 19 June 1992 (“FADP”) and the Ordinance to the Federal Act on Data Protection (“OFADP”) as may be amended from time to time.

3.2. Controller” (as used in the Addendum) includes “Controller of the Data File” as defined under the FADP.

3.3. Data Subject” (as used in the Addendum) includes the natural persons whose Personal Data is processed.

3.4. Personal Data” (as used in the Addendum) includes “Personal Data” as defined under the FADP.

3.5. Processing” (as used in the Addendum) includes “Processing” as defined under the FADP.

3.6. Restricted Transfer of Swiss Personal Data” (as used in this Section) means any transfer of Personal Data (including data storage in foreign servers) subject to the FADP to a Third Country (as defined below) or an international organization.

3.7. Third Country” (as used in this Section) means a country outside of the Swiss Confederation.

3.8. With regard to any Restricted Transfer of Swiss Personal Data from Participant to VeraSafe within the scope of the Addendum, one of the following transfer mechanisms shall apply, in the following order of precedence:

  1. the inclusion of the Third Country, a territory or one or more specified sectors within that Third Country, or the international organization in question to which Personal Data is to be transferred in the list published by the Swiss Federal Data Protection and Information Commissioner of states that provide an adequate level of protection for Personal Data within the meaning of the FADP;
  2. the Standard Contractual Clauses (insofar as their use constitutes an “appropriate safeguard” under Article 6.2 (a) of the FADP); or
  3. any other lawful transfer mechanism, as set forth in the Applicable Laws.

3.9. This Addendum hereby incorporates by reference the Controller to Processor Standard Contractual Clauses (updated from time to time if required by law or at the choice of Participant to reflect the latest version promulgated by the European Commission) provided that the content of Appendices 1 and 2 of the Standard Contractual Clauses is set forth in Exhibit A to this Addendum. For the purpose of the Controller to Processor Standard Contractual Clauses and this Section 3, Participant shall be deemed the “data exporter” and VeraSafe the “data importer”. The Parties are deemed to have accepted, executed, and signed the Controller to Processor Standard Contractual Clauses where necessary, in their entirety (including the Appendices thereto and the “Illustrative Indemnification Clause” as an operative clause). 

3.10. In cases where the Controller to Processor Standard Contractual Clauses apply, and there is a conflict between the terms of the Addendum and the terms of the Standard Contractual Clauses, the terms of the Standard Contractual Clauses shall control. 

3.11. Where the Controller to Processor Standard Contractual Clauses apply, the Client shall inform the Federal Data Protection and Information Commissioner about the use of the Controller to Processor Standard Contractual Clauses.

Why VeraSafe?

Track record of successful GDPR implementations across industries.

Work directly with our in-house team of US and European attorneys, IT experts, and project managers.

Strategic, risked-based approach to compliance.

Fully customizable GDPR compliance program, tailored to fit your needs.

Holistic approach: We help you identify business opportunity hidden inside the GDPR.

Going beyond just EU privacy law, VeraSafe is your end-to-end partner for the entire privacy and cybersecurity domain.