Data Processing Addendum
Your privacy is important to us at Wauld. We respect your privacy regarding any information we may collect from you across our website.
This Data Processing Addendum (the “DPA”) forms an integral part of the separate commercial agreement(s) between you, the User (the “Controller” or “Data Controller”), and Wauld LLC (the “Processor” or “Data Processor”), each on behalf of themselves and their Affiliates (together, the “Parties”), that pertains to the Terms of Use linked at [please provide Terms link here] (the “Principal Agreement”). This DPA governs the Processing of any Personal Data that the Controller may make accessible to the Processor and is effective as of the date of the last signature hereto (the “Effective Date”).
DEFINITIONS
Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
“Anonymization” means the irreversible process by which Personal Data is altered in such a way that the data subject is no longer identifiable, directly or indirectly, particularly by reference to an identifier or any other means.
“Controller Personal Data” means any Personal Data Processed by the Processor on behalf of Controller pursuant to or in connection with the Principal Agreement;
“Data Protection Law” means all data protection laws applicable to the Processing of Personal Data under this DPA, including local, state, national and/or foreign laws, treaties, and/or regulations, including without limitation the GDPR, and implementations of the GDPR into national law, and the California Consumer Privacy Act (“CCPA”), in each case as amended, repealed, consolidated or replaced from time to time.
“Data Breach” means a security incident that involves the exposure, loss, theft, destruction, or alteration of Personal Data or Sensitive Information – either intentional or accidental.
“Europe” or “European” means the European Economic Area (“EEA”), the United Kingdom (“UK”), and Switzerland.
“GDPR” means (a) the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “EU GDPR”) and (b) the EU GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”).
“Personal Data” or “Personal Information” means any information relating to (i) an identified or identifiable natural person and (ii) an identified or identifiable legal entity (where such information is protected similarly to Personal Data or personally identifiable information under applicable Data Protection Laws and Regulation), where for each of (i) and (ii) such data is Controller’s Personal Data. Data Controllers shall obtain the necessary permissions from the Data Subjects prior to gathering their data and sending it to the Data Processor.
“Principal Agreement” means the MSA, the Professional Services Agreement, and Order Forms, including any exhibits or attachments applicable to the Service provided by the Processor.
“Process” or “Processing” means any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of Personal Data.
“Processor Product” means the services being offered by the Processor to the Controller.
“Restricted Transfer” means any export of Controller Personal Data by Controller to the Processor from its country of origin, either directly or via onward transfer, to a third country in the course of Processor’s provision of the Offerings under the Agreement that is prohibited under Applicable Laws, unless (a) the destination has been recognized as providing an adequate level of data protection by a competent data protection authority, or otherwise in a legally binding way, or (b) Processor has adopted an appropriate adequacy mechanism, recognized under Applicable Laws, ensuring an adequate level of data protection;
“Sensitive Information” means any religious or philosophical beliefs, trade union membership, medical information, financial information, social security number, health or genetic information, sex life or sexual orientation. In addition, sensitive information in accordance with the CCPA/CPRA means Personal Information that reveals the consumer’s social security, driver’s license, state identification card, or passport number; the consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; the consumer’s precise geolocation; or the consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership.
Data Controller shall ensure that Sensitive Information is not submitted to the Processor unless the Data Processor has been expressly notified in advance. If any such data is submitted to the Processor without the Data Controller having expressly notified it, the Processor shall promptly, and without undue delay, refrain from retaining or processing any of the Sensitive Information. The Processor is obligated to take immediate action to return and destroy all such Sensitive Information to ensure compliance with data protection requirements.
“Standard Contractual Clauses” means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended or replaced from time to time.
“Security Incident” means a breach of security of the Processor’s Services or Processor’s systems used to Process Personal Data leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by the Processor in the context of this Addendum.
“Services” means the service offering provided by Processor to Controller under the Services Agreement.
“Sub-Processor” means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Controller in connection with the DPA.
“Supervisory Authority” means an independent public authority responsible for monitoring the application of applicable Data Protection Law, including the Processing of Personal Data covered by this Addendum.
“Third parties” means the other organizations or individuals who may be involved in the processing of Personal Data by a personal information controller.
“UK Addendum” means the International Data Transfer Addendum to the Standard Contractual Clauses issued by the UK Information Commissioner’s Office, in force as of 21 March 2022, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.
GENERAL TERMS AND SCOPE
The purpose of this DPA is to describe the work to be carried out by the Processor in relation with the Agreement. This DPA shall be deemed to take effect from the Effective Date and shall continue in full force and effect until termination of the Agreement.
This Agreement applies to all activities in which employees of the Processor or Sub-processor commissioned by the Processor process Personal Data of the Company on its behalf.
This DPA applies to the Processing of Personal Data by the Processor on behalf of the Controller, subject to all applicable Data Protection Law, including local, state, national and/or foreign laws, treaties, and/or regulations, including without limitation the GDPR, implementations of the GDPR into national law, and the CCPA, in each case as amended, repealed, consolidated or replaced from time to time.
This DPA does not limit or reduce any data protection commitments relating to Processing of Data previously negotiated by the Processor in the Agreement (including any existing data processing addendum to the Principal Agreement).
While Wauld acts as a Processor for Personal Data uploaded by the Customer (including Recipient data), Wauld may act as an independent Controller with respect to certain data collected directly from users, such as analytics, onboarding interactions, support logs, or feature usage data. Such data use is governed by Wauld’s Privacy Policy.
Processing listed in Annex I is in scope of this DPA. Processing where Wauld acts as an independent Controller (including platform analytics, product telemetry, feature usage logs, and Processor-generated support data) is outside the scope of this DPA and is governed by Wauld’s Privacy Policy.
PROCESSING OF PERSONAL DATA
The Parties acknowledge that the Processor may process Personal Data on behalf of the Controller during the term of this Agreement. A description of the Personal Data and the processing activities (including the subject matter, nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects) undertaken by the Processor is set out in Annex 1.
Both Parties will comply with all applicable requirements of the Data Protection Law. This clause is in addition to, and does not relieve, remove or replace a Party's obligations or rights under the Data Protection Law.
The Controller instructs the Processor to Process Personal Data for the following purposes:
Processing in accordance with the Principal Agreement and applicable orders;
Processing to comply with other reasonable instructions provided by the Controller where such instructions are consistent with the terms of the Principal Agreement;
Processor will comply with additional written instructions issued by Controller if they are consistent with the terms and scope of the Agreement.
Processing of Personal Data that is required under applicable law to which the Processor or Processor’s Affiliate is subject, including but not limited to applicable Data Protection Laws, in which case the Processor or the relevant Affiliate of the Processor shall to the extent permitted by applicable law, inform the Controller of such legally required processing of Personal Data.
PROCESSOR PERSONNEL
Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Sub-Processor who may have access to the Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Personal Data, as strictly necessary for the purposes of providing Services according to the Principal Agreement and of complying with applicable laws in the context of that individual’s duties to the Sub-Processor, and ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
The Processor shall ensure that its personnel and all Sub-Processors engaged in the processing of Personal Data have received appropriate training on their responsibilities and shall handle the data meticulously in adherence to the security measures provided under Annex III.
DUTIES OF PROCESSOR
The Processor confirms that it is aware of the legal provisions of the applicable Data Protection Laws and the Processor observes the principles of correct data processing.
The Processor undertakes to maintain strict confidentiality during Processing.
Processor shall comply with all Data Protection Laws applicable to the Processor in its role as a Processor Processing Personal Data. Controller shall comply with all Data Protection Laws applicable to Controller as a Controller and shall obtain all necessary consents, and provide all necessary notifications, to Data Subjects to enable the Processor to carry out lawfully the Processing contemplated by this DPA. Controller will ensure that any instruction it issues to the Processor complies with applicable Data Protection Laws. The Processor shall inform Controller without undue delay if, in its reasonable opinion, an instruction issued by Controller violates applicable European Data Protection Laws.
If the Controller is subject to inspection by supervisory authorities or other bodies, or if data subjects assert rights against it, the Processor undertakes to support the Controller to the extent necessary insofar as the Processing is concerned.
The Processor may provide information to Third-Parties or Sub-Processors or the data subjects only after obtaining a prior written consent from the Controller. It shall immediately forward requests received directly to the Controller.
The Processor shall appoint a competent and reliable person as Data Protection Officer (“DPO”). The Processor shall ensure that the DPO has no conflicts of interest. In cases of doubt, the Controller may contact the DPO directly. The Processor shall inform the Controller immediately of the contact details of the DPO or give a reason why no DPO has been appointed. The Processor shall inform the Controller in writing, immediately, of any changes in the identity or internal tasks of the DPO.
The Processor shall promptly notify the Controller of any legally binding request for disclosure of Personal Data by a law enforcement authority, unless legally prohibited from doing so (e.g., under national security laws).
SUB-PROCESSORS
Controller may authorize the Processor to engage Sub-Processors and agrees that Processor may disclose Personal Data to its Sub-Processors for purposes of providing the Processor Product (“Sub-Processors”), provided that Processor shall:
enter into an agreement with its Sub-Processors that imposes on the Sub-Processors obligations regarding the Processing of Personal Data that are consistent with those obligations that apply to Processor hereunder; and
remain fully liable for all obligations subcontracted to the Sub-Processors. Processor shall provide a detailed list of current Sub-Processors attached to this DPA, as set forth in Annex II.
The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-Processors and Controller will have an opportunity to object to such changes on reasonable grounds within ten (10) business days after being notified of the engagement of the Sub-Processor.
If the Controller objects to a new Sub-Processor, as permitted in Clause 6.2 of this DPA, the Processor shall use reasonable efforts to make available to the Controller a change in the Processor’s Services or recommend a commercially reasonable change to Controller’s configuration or use of the Processor’s Services to avoid processing of Personal Data by the objected-to new Sub-Processor without unreasonably burdening the Controller.
If Processor is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, the Controller may terminate the component of the Processor Product which cannot be provided by the Processor without the use of the objected-to new Sub-processor by providing written notice to the other party.
The Processor will refund Controller any prepaid fees covering the remainder of the term of Controller’s subscription following the effective date of termination with respect to such terminated component of the Processor Product, without imposing a penalty for such termination on Controller.
DATA ANONYMIZATION
Subject to the Privacy Policy at [please include link to Privacy Policy] and the Principal Agreement, Processor undertakes to use industry-accepted anonymization techniques to ensure that Personal Data, as shared by the Controller, is anonymized prior to any use, processing, sale, or distribution for the Processor product or service enhancement or to any third-party entity.
Liability for Inadequate Anonymization. In the event the Processing Party fails to adequately anonymize the Personal Data, as evidenced by the identification of any individual directly or indirectly, the Processing Party shall:
Promptly notify the Controller upon becoming aware of such failure; and
Take immediate remedial measures to prevent further disclosures and to properly anonymize the data.
SECURITY
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall in relation to the Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
In assessing the appropriate level of security, the Processor shall take account in particular of the risks that are presented by Processing, in particular from a Data Breach.
Upon Controller’s written request at reasonable intervals, the Processor shall provide a copy of the Processor’s then most recent Third-Party audits or certifications, as applicable, or any summaries thereof, related to the processing of Personal Data of Data Subjects, that the Processor generally makes available to its customers at the time of such request. The Processor shall make available to the Controller, upon reasonable written request, such information as is necessary to demonstrate compliance with this DPA, and shall allow for written audit requests by the Controller or an independent auditor in relation to the processing of Personal Data to verify that the Processor employs reasonable procedures in compliance with this DPA.
No copies or duplicates shall be made without the prior written consent of the Controller. Technically necessary, temporary duplications are excluded, provided that they do not impair the level of data protection agreed to herein.
The Processor shall adhere to the written description of the security measures that shall be taken under the Agreement as Annex V of the Agreement.
In the event of a Security Breach, the Processor and Controller shall use reasonable efforts to identify its cause and shall promptly and without undue delay: (a) investigate the Security Breach and provide Controller with information about the Security Breach, including, if applicable, such information as a Data Processor must provide to a Data Controller under Article 33(3) of the GDPR, to the extent such information is reasonably available; and (b) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Breach, to the extent the remediation is within the Processor’s reasonable control under Article 33(3) of the GDPR.
SECURITY INCIDENT
In the event that the Processor becomes aware of a Security Incident, the Processor will notify Controller promptly.
In the event of such a Security Incident, the Processor shall provide Controller with a detailed description of the Security Incident and the type of Personal Data concerned, unless otherwise prohibited by law or otherwise instructed by a law enforcement or supervisory authority.
In addition, in the course of any Security Incident, the Controller is responsible for communicating the Personal Data Breach to the Data Subjects without undue delay under Article 34 of the GDPR. The Processor’s liability extends only to providing the Controller with the cause of the Data Breach, together with a reasonable investigation within the Processor’s scope. At Controller’s request, the Processor shall provide reasonable assistance and cooperation with respect to any notifications that Controller is legally required to send to affected Data Subjects and regulators.
RIGHTS OF DATA SUBJECTS
Taking into account the nature of the Processing, the Processor shall assist the Controller by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller’s obligations, as reasonably understood by the Controller, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
The Processor shall:
promptly notify the Controller if it receives a request from a Data Subject under any Data Protection Law in respect of the Personal Data; and
ensure that it does not respond to that request except on the documented instructions of the Controller or as required by Applicable Laws to which the Processor is subject, in which case the Processor shall, to the extent permitted by Applicable Laws, inform the Controller of that legal requirement before the Sub-Processor responds to the request.
COMPLIANCE WITH FERPA AND COPPA
Where the Controller is an educational institution subject to the Family Educational Rights and Privacy Act (FERPA), the Controller represents and warrants that it has the necessary authority to share educational records with the Processor and that such disclosure complies with FERPA.
Where the Controller uploads Personal Data relating to children under 13 years of age, the Controller represents and warrants that it has obtained verifiable parental or guardian consent in compliance with the Children’s Online Privacy Protection Act (COPPA) and other applicable laws. The Processor shall not be responsible for verifying the age of data subjects whose Personal Data is uploaded by the Controller.
PERSONAL DATA BREACH
The Processor shall notify the Controller without undue delay upon the Processor becoming aware of a Personal Data Breach affecting Personal Data, providing the Controller with sufficient information to allow the Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which the Controller reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of the Personal Data by, and taking into account the nature of the Processing and information available to, the Sub-Processors.
INFORMATION AND AUDIT
The Processor may make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by Controller.
Where the Processor has obtained third-party audit reports and certifications for its Services (“Audit Reports and Certifications”), the Processor shall, at Controller’s request and subject to the confidentiality terms set forth in the Principal Agreement, make its most recent Audit Reports and Certifications available to Controller for the applicable covered service.
DATA TRANSFER
The Processor may not transfer or authorize the transfer of Data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of the Company. If Personal Data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.
When Personal Data is accessed or processed by Wauld HQ Private Limited (an affiliate of Wauld LLC based in India) for the purpose of providing support or development services, such transfer is governed by the applicable provisions of Indian data privacy laws. The parties acknowledge that Wauld LLC and Wauld HQ Private Limited have established an intercompany agreement to ensure compliance with these regulations.
International Transfers: The Processor will transfer Personal Data of Controller only for the provision of Services to Controller under the Agreement. Controller hereby authorizes the Processor to make routine transfers of Personal Data to the Sub-Processors of the Processor.
The Processor shall ensure that any international transfers of Personal Data comply with applicable Data Protection Legislation as applicable. In the event that Personal Data is transferred from the European Economic Area to outside the European Economic Area, either directly or via onward transfer, to any country or recipient not recognized by the European Commission as providing an adequate level of protection for personal data then the Standard Contractual Clauses approved by the European Commission in Decision 2021/914/EU (the “SCCs”), shall also apply.
Other Privacy Laws: To the extent that Processing relates to Personal Data originating from a jurisdiction or in a jurisdiction which has any mandatory requirements in addition to those in this DPA, including Standard Contractual Clauses, the Parties may agree to any additional measures required to ensure compliance with applicable Privacy Laws as an Annexure to this DPA or in a duly executed written addendum or amendment to this DPA or in an Order.
If any variation is required to this DPA as a result of a change in Privacy Laws then either party may provide written notice to the other party of that change in law. The parties will discuss and negotiate in good faith any necessary variations to this DPA, including incorporation of the Standard Contractual Clauses, to address such changes.
DELETION OR RETURN OF THE PERSONAL DATA
The Processor shall promptly [but in any event not later than sixty (60) calendar days] return all Personal Data transferred and any copies to the Controller or delete any particular or all Personal Data in its possession and certify in writing to the Controller that it has complied with the requirements of this section.
In any situation whatsoever, the Processor shall not retain the Personal Data in accordance with the Processor’s standard data retention policies (including but not limited to AI tools and other similar software).
GENERAL TERMS
CONFIDENTIALITY - Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
disclosure is required by law;
the relevant information is already in the public domain.
Processor may disclose Confidential Information to Sub-Processors bound by written confidentiality obligations.
NOTICES - All notices and communications given under this DPA must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the Principal Agreement, or to such other address as notified from time to time by the Party changing its address.
ANNEX I
DETAILS OF PROCESSING
A. LIST OF PARTIES
Name of Data Importer: | Wauld LLC |
Address: | |
Contact person’s name, position, and contact details: | Will be provided upon request. |
Activities relevant to the data transferred under these Clauses: | See Annex I(B) below and the Agreement. |
Signature and date: | This Annex I shall automatically be deemed executed when the Addendum is executed by Controller. |
Role (controller/processor): | Processor |
Name of Data Exporter: | The party identified as the “Controller” in this Addendum. |
Address: | Reference is made to the Agreement. |
Contact person’s name, position, and contact details: | Reference is made to the Agreement. |
Activities relevant to the data transferred under these Clauses: | See Annex I(B) below and the Agreement. |
Signature and date: | This Annex I shall automatically be deemed executed when the Addendum is executed by Controller. |
Role (controller/processor): | Controller |
B. DESCRIPTION OF PROCESSING/TRANSFER
Categories of Data Subjects whose Personal Data is transferred | Issuers (organization admins), Recipients (credential holders), Verifiers (credential viewers) |
Categories of Personal Data transferred | Name, contact information and other information necessary to provide the Services under the Agreement. |
Sensitive data transferred (if applicable) and applied restrictions or safeguards | As per the knowledge of the Processor, no Sensitive Information is processed under the Agreement. If the Controller sends any Sensitive Information, they must immediately notify the Processor and allow the Processor to return the data and delete the data. |
Frequency of Transfer | Continuous. |
Nature and purpose(s) of the data | Processor will process Personal Data to provide and improve the Services under the Principal Agreement. |
Retention period (or, if not possible to determine, the criteria used to determine the period) | Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with Applicable Laws. |
ANNEX II
List of Sub Processors
Sub-Processor Name | Activity | Certification Number | Processing Location |
ANNEX III
PROCESSOR’S DATA SECURITY REQUIREMENTS
The Processor shall maintain a comprehensive, written information security program, as referenced in the Privacy Policy, that contains administrative, technical, and physical safeguards appropriate to (a) the size, scope and type of the Processor’s business; (b) the type of information that the Processor will store; and (c) the need for security and confidentiality of such information.
Processor’s security program includes:
Security Awareness and Training. A mandatory security awareness and training program for all members of Processor’s workforce (including management), which includes:
Training on how to implement and comply with its Information Security Program; and
Promoting a culture of security awareness through periodic communications from senior management with employees.
Access Controls. Policies, procedures, and logical controls:
To limit access to its information systems and the facility or facilities in which they are housed to properly authorized persons;
To prevent persons who should not have access from obtaining access; and
To remove access on a timely basis in the event of a change in job responsibilities or job status or security risk.
Technical & Organizational Measures
All Personal Data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 encryption.
Wauld maintains a written Information Security Policy and Business Continuity Plan.
Role-Based Access Control (RBAC) is implemented across all systems with regular access reviews.
Physical and Environmental Security. Controls that provide reasonable assurance that access to physical servers at the production data center, if applicable, is limited to properly authorized individuals and that environmental controls are established to detect, prevent, and control destruction due to environmental extremes.
Specific to the Processor:
Logging and monitoring of unauthorized access attempts to the data center by the data center security personnel.
Camera surveillance systems at critical internal and external entry points to the data center, with retention of data per legal or compliance requirements.
Security Incident Procedures. *Breach Protocols Inserted Here*
Contingency Planning. *Breach Protocols Inserted Here*
Audit Controls. Hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information.
Data Integrity. Policies and procedures to ensure the confidentiality, integrity, and availability of Controller Data and protect it from disclosure, improper alteration, or destruction.
Storage and Transmission Security. Security measures to guard against unauthorized access to Controller Data that is being transmitted over a public electronic communications network or stored electronically. Such measures include requiring encryption of any Controller Data stored on desktops, laptops or other removable storage devices.
Secure Disposal. Policies and procedures regarding the secure disposal of tangible property containing Controller Data, taking into account available technology so that Controller Data cannot be practicably read or reconstructed.
ANNEX IV
International Transfers of European Personal Data
Definitions
“Data Privacy Framework” means the EU-U.S., Swiss-U.S., and UK-U.S. Extension to the Data Privacy Framework maintained by the United States Department of Commerce determined to provide an adequate level of protection for Personal Data transfers to certified commercial organizations in the United States under (i) the European Commission’s Adequacy Decision 2023/4745 of 10 July 2023 and (ii) other applicable Data Protection Laws.
"Restricted Transfer" means (i) where the EU GDPR applies, a transfer of Personal Data from the EEA to a country or commercial organization outside of the EEA which is not subject to a valid adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data from the UK to a country or commercial organization outside the UK which is not based on adequacy regulations pursuant to section 17A of the UK Data Protection Act 2018 (“UK DPA”); and (iii) where the Swiss Federal Act on Data Protection of June 19, 1992 (“Swiss FADP”) applies, a transfer of Personal Data from Switzerland to a country or commercial organization outside Switzerland which has not been recognized to provide an adequate level of protection by the Federal Data Protection and Information Commissioner.
“SCCs” means (i) where the EU GDPR applies, the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 ("EU SCCs"); and (ii) where the UK GDPR applies, the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the Information Commissioner under s.119A(1) of the UK DPA (version B1.0 of 21 March 2022) as updated or amended ("UK Addendum").
Transfer Mechanisms. To the extent Controller’s use of the Services requires a transfer mechanism to lawfully transfer Personal Data from Europe, the following terms will apply:
Where more than one transfer mechanism applies, the transfer of Personal Data will be subject to a single transfer mechanism in accordance with the following order of precedence: (i) the Data Privacy Framework, and (ii) the SCCs.
Data Privacy Framework. The Processor is self-certified to and complies with the Data Privacy Framework and will remain certified for the term of the Agreement.
Standard Contractual Clauses
Processor-to-Processor SCCs. Where Controller is contracting with the Processor, all Restricted Transfers of Personal Data will be governed by SCCs Module 3 implemented between the Processor (as “data exporter”) and its Sub-processors (as “data importers”).
Controller-to-Processor SCCs. Where the transfer from Controller to the Processor is a Restricted Transfer, the SCCs will apply to such Restricted Transfers between Controller (as “data exporter”) and the Processor (as “data importer”) as follows:
EU Personal Data. In relation to Personal Data protected by the EU GDPR, the EU SCCs will apply (and be incorporated into this DPA by this reference) completed as follows:
Module 2 applies unless the Controller is a Processor in which case Module 3 applies;
in Clause 7, the optional docking clause will not apply;
in Clause 9(a), option 2 is implemented and the time period therein is specified as thirty (30) days; the optional redress clause
in Clause 17, option 1 is implemented and the governing law is the laws of France;
the courts in Clause 18(b) are the Courts of ________;
Annex I of the EU SCCs shall be deemed completed with the information set out in Annex II to this DPA; and
Annex II of the EU SCCs shall be deemed completed.
UK Personal Data. In relation to Personal Data protected by the UK GDPR (“UK Personal Data”), the UK Addendum will apply as follows:
for the purpose of table 1 of part 1, the exporter is Processor and the importer is Controller, and the table is deemed to be completed with the information set out in Annex I.
For the purpose of table 2 of part 1, the “Approved EU SCCs” which the UK Addendum is appended to are the Standard Contractual Clauses incorporated into this Addendum and completed as set out in the foregoing paragraph.
For the purpose of table 3 of part 1, the information requested in Annex 1 and 2 of the Standard Contractual Clauses is provided in Annex I and II to this Addendum respectively and the list of Sub-processors is available at Annex II.
Swiss Personal Data. In relation to Personal Data protected by the Swiss FADP, the EU SCCs will apply amended and adapted as follows:
the Swiss Federal Data Protection and Information Commissioner is the exclusive supervisory authority;
the term "member state" must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18; and
references to the GDPR in the EU SCCs shall also include the reference to the equivalent provisions of the Swiss FADP.
The SCCs will be subject to the following clarifications:
Processor will allow Controller to conduct audits as described in the SCCs in accordance with Clause 13 of this DPA.
Controller authorizes the Processor to appoint Sub-processors in accordance with Clause 6 of this DPA, and Controller may exercise its right to object to Sub-processors under the SCCs in the manner set out in Clause 6.
The Processor shall return and delete Controller’s data in accordance with Clause 15 of this DPA.
Nothing in this Section 2.3.2 of this Annex V varies or modifies the SCCs nor affects any supervisory authority’s or Data Subject’s rights under the SCCs. If any provision of this DPA contradicts, directly or indirectly, the SCCs, the SCCs shall prevail.
ANNEX V
California Privacy Law
This California Privacy Law (“Addendum”) supplements the DPA to which it is attached. Any term not defined in this Addendum shall have the meaning assigned to it, if any, in the DPA or the Agreement. To the extent the Agreement and this Addendum conflict, the terms of this Addendum shall take precedence with respect to Processing of Personal Information under the CCPA.
When Processor (Wauld) processes Personal Information on behalf of a Controller/Issuer, Processor acts solely as a “Service Provider” (as defined in the CCPA/CPRA). In this role, Processor shall not sell or share Controller Personal Information, and shall not retain, use, or disclose such information for any purpose other than providing or improving the Services.
When Wauld acts as an independent “Business” under the CCPA/CPRA (for example, when it collects information directly from users of wauld.com or recipients who create Wauld-managed accounts), Wauld will comply with all obligations under all applicable privacy laws.
To the extent the Processor Processes Personal Information under the CCPA, as defined above, the following supplemental terms shall apply to such Processing:
The terms “Business,” “Business Purpose,” “Consumer,” “Sell,” “Service Provider,” and “Share,” shall have the same meanings as provided for in the CCPA. As used in this Addendum, the term “Personal Information” shall refer to any Personal Data that constitutes Personal Information under the CCPA.
Roles of the Parties. Controller, as a Business under the CCPA, is disclosing Personal Information to the Processor, and the Processor is Processing the disclosed Personal Information solely as a Service Provider.
Business Purpose. The Processor will Process Personal Information for the purpose of providing the Services described in the Agreement, including in the associated Order Forms.
Service Provider Processing Limitations. The Processor will not (i) Sell Personal Information, or (ii) retain, use or disclose Personal Information outside the direct business relationship with Controller or for any purpose other than to provide the Covered Services as articulated in the Agreement, including this Addendum, or as permitted by the CCPA.
No Combining Personal Information. The Processor will not combine Personal Information that it receives from, or on behalf of, Controller with Personal Information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with a consumer, except as otherwise permitted by CCPA.
Consumer Requests. The Processor shall, in a manner consistent with the functionality of the applicable Service and the Processor’s role as a Service Provider, provide reasonable support to Controller to enable Controller to respond to Consumer requests to exercise their rights under the CCPA, as set forth in Clause 10 of the DPA.
Security of Processing. The Processor shall maintain technical and organizational measures to protect Personal Information as set forth in the DPA and as required by the CCPA.
Ongoing Compliance. The Processor agrees to comply with all applicable requirements of CCPA pertaining to its role under the Principal Agreement, including by providing the same level of privacy protection for Personal Information as required under CCPA.