Pure Protect Terms Of Use

DATA PROCESSING ADDENDUM Azure Native ɫ�ش�ý Cloud Service

This Data Processing Addendum (���ٱʴ��) supplements the Pure End User Agreement, available at /legal/pure-end-user-agreement.html, as updated from time to time between End User and Pure, or other agreement between End User and Pure governing End User��s use of the Services (the ��/legal/pure-end-user-agreement.html��). This DPA is entered into by and between you and the entity you represent (��you��, or ��End User��) and ɫ�ش�ý. (��Pure��) and is effective as of the date of order acceptance for the Product requiring this DPA.?

1. PROCESSING OF PERSONAL DATA. End User will make End User Personal Data available to Pure for the limited and specified purpose of providing the applicable Product purchase. A list of categories of Data Subjects, types of End User Personal Data, and Processing activities to be provided by Pure is set out in a Details of Processing Addendum, attached below as Exhibit 1. The duration of the Processing is the duration in which Pure is providing the Product according to the applicable Order. The subject matter and the purpose of the Processing is as described herein.??

1.1 Pure as Processor. Pure acknowledges and agrees that: (a) with regard to the Processing of End Personal Data, Pure is acting as a Processor; (b) Pure understands the obligations and restrictions imposed on it by applicable Data Protection Laws in its role as a Processor; (c) Pure will comply with all such obligations, including providing the same level of privacy protection as required by applicable Data Protection Laws; and (d) will notify End User if Pure determines it can no longer meet its obligations under applicable Data Protection Laws or this DPA.?

1.2 Processing of End User Personal Data. Pure will only Process End User Personal Data on behalf of End User (a) to the extent, and in such a manner, as is necessary for the purposes of fulfilling its obligations under the Agreement; and (b) in accordance with the terms of the Agreement and this DPA, which together constitute End User��s instructions. The restrictions set forth in this section shall not restrict Pure��s ability to Process End User Personal Data where required to do so by applicable laws to which Pure is subject; provided, however, Pure shall promptly notify End User of such legal requirement before Processing, unless such law prohibits such notification. Pure will promptly inform End User if, in Pure��s opinion, a Processing instruction violates applicable Data Protection Laws. Without limiting Pure��s obligations herein, Pure will not: (i) retain, use, or disclose End User Personal Data for any purpose other than to perform its obligations under the Agreement; (ii) ��sell�� or ��share�� (as those terms are defined by applicable Data Protection Laws) End User Personal Data; or (iii) combine End User Personal Data with Personal Data Pure receives from or on behalf of another person or entity or collects from its own interactions with a Data Subject except to perform a business purpose as defined in regulations adopted pursuant to Cal. Civ. Code 1798.185(a)(10).?

1.3 Deidentified Information. If Pure receives Deidentified Information from End User, or creates Deidentified Information at Customers instruction, Pure will (a) take reasonable measures to ensure the Deidentified Information cannot be associated with a Data Subject or household, (b) publicly commit to maintain and use the Deidentified Information in deidentified form, and (c) not attempt to reidentify the Deidentified Information except for the sole purpose of determining whether the Pure��s deidentification processes satisfy the requirements of applicable Data Protection Laws.

2. Pure Personnel. Pure will take reasonable steps to ensure that access to End User Personal Data is limited to those of its Affiliates, employees, agents, and subcontractors who (a) have a need to know or otherwise access End User Personal Data to enable Pure to perform its obligations under the Agreement and this DPA, and (b) who are bound in writing by confidentiality obligations sufficient to protect the confidentiality of End User Personal Data in accordance with the terms of this DPA.?

3. Security. Pure will implement and maintain appropriate technical and organizational safeguards to protect End User Personal Data that are no less rigorous than accepted industry standards for information security and will ensure that such safeguards comply with applicable Data Protection Laws. Such safeguards are further specified in a Description of Technical and Organizational Security Measures entered into between the parties. In assessing the appropriate level of security, Pure will take into account the risks that are presented by Processing, in particular from accidental, unauthorized, or unlawful destruction, loss, alteration, damage, disclosure of, or access to End User Personal Data transmitted, stored, or otherwise Processed.?

4. Personal Data Breach. In the event of a Personal Data Breach impacting End User Personal Data, Pure will (a) notify End User without undue delay after Pure or any Subprocessor becomes aware of such Personal Data Breach; (b) provide End User with sufficient details of the Personal Data Breach to allow End User to meet any obligations under Data Protection Laws to report or inform Data Subjects or relevant Regulators of the Personal Data Breach; and (c) cooperate, and require any Subprocessor to cooperate, with End User in the investigation, mitigation, and remediation of any such Personal Data Breach.?

5. Subprocessors. Pure will not engage any Subprocessor without notifying End User. End User may object to the use of such Subprocessor within 30 days of Pure��s notification on the basis that subprocessor does not offer sufficient guarantees to meet the requirements under applicable Data Protection Laws. Any such objection will be in writing and include End User��s specific reasons for its objection and options to mitigate, if any. Notwithstanding the foregoing, End User hereby authorizes those Subprocessors listed in a Pure��s Annex 1 to the Standard Contractual Clauses, attached as Exhibit 3.?

5.1 Authorized Subprocessors. With respect to any authorized Subprocessor, Pure will: (a) enter into a written agreement with each Subprocessor containing the substantially similar but no less protective data protection obligations imposed on Pure under this DPA and applicable Data Protection Laws with respect to End User Personal Data; and (b) remain liable to End User for the performance of its Subprocessors�� obligations.?

6. Data Subject Rights. Where the data subject provides information to identify End User, Pure will notify End User if it receives a request from a Data Subject regarding End User Personal Data, including a request by a Data Subject to exercise a right under Data Protection Laws. Otherwise, Pure will ask Data Subject to redirect its request to the End User and End User shall be responsible for the handling of such requests with the reasonable assistance of Pure.

7. Deletion or Return of End User Personal Data. At any time during the term of the Agreement at End User��s request, or upon the termination or expiration of the Agreement for any reason, Pure will, and will instruct all Subprocessors to, promptly or in any event within sixty (60) calendar days of the effective date of termination] (a) return to End User all copies of End User Personal Data in its possession, or the possession of such Subprocessor, or (b) delete and procure the deletion of all other copies of End User Personal Data Processed by Pure or any Subprocessor. Pure will comply with all reasonable directions provided by End User with respect to the return or deletion of End User Personal Data. Notwithstanding the foregoing, Pure may retain End User Personal Data if required by applicable Data Protection Laws.?

8. Compliance and Audits. Upon End User��s request, Pure will provide such assistance as End User reasonably requires in ensuring compliance with End User��s obligations under applicable Data Protection laws, including but not limited to data protection impact assessments and prior consultations with a Regulator where required. In addition to any audit rights End User may have under the Agreement, Pure will make available to End User all information necessary to demonstrate Pure��s compliance with this DPA, as well as any applicable Data Protection Laws, and will allow for and contribute to audits, including inspections, by End User, or a third-party auditor mandated by End User, in order to assess Pure��s compliance. Pure will cooperate with such audits or assessments to the extent required by the applicable Data Protection Laws and not more than annually unless required by law.?

9. International Data Transfers from EEA. If the Processing (including storage) of End User Personal Data involves the transfer of End User Personal Data from the European Economic Area (��EEA��) to a jurisdiction outside of the EEA where the transfer would be prohibited by Data Protection Laws in the absence of standard contractual clauses or another adequate transfer mechanism as approved by the European Commission, the parties agree that such transfer(s) will be carried out in accordance with and subject to the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council annexed to the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (��EU SCCs��) as set out in Exhibit 3 attached to this DPA. To the extent there is any conflict between this DPA and the EU SCCs, the terms of the EU SCCs will prevail.?

9.1 International Data Transfers from the UK. If the Processing (including storage) of End User Personal Data involves the transfer of End User Personal Data from the United Kingdom (��UK��) to a jurisdiction outside of the UK where the transfer would be prohibited by Data Protection Laws in the absence of standard contractual clauses or another adequate transfer mechanism as approved by the UK Information Commissioners Office (��ICO��), the Parties agree that such transfer(s) will be carried out in accordance with and subject to the International Data Transfer Agreement A1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 (��UK IDTA��) as set out in the UK International Data Transfer Agreement, attached as Exhibit 4. To the extent there is any conflict between this DPA and the UK IDTA, the terms of the UK IDTA will prevail.

9.2 International Data Transfers from Switzerland. If the Processing (including storage) of End User Personal Data involves the transfer of End User Personal Data from Switzerland to a jurisdiction outside of Switzerland where the transfer would be prohibited by Data Protection Laws in the absence of standard contractual clauses or another adequate transfer mechanism as approved by the Swiss Federal Data Protection and Information Commissioner (��FDPIC��), the parties agree that such transfer(s) will be carried out in accordance with and subject to the EU SCCs as amended by the DPA to the EU SCCs, attached as Exhibit 5.??

9.3 International Data Transfers from Other Jurisdictions. Insofar as the Agreement involves the transfer of End User Personal Data from any other jurisdiction where applicable Data Protection Laws requires that additional steps, or safeguards, be imposed before the data can be transferred to a second jurisdiction, Pure agrees to cooperate with End User to take appropriate steps to comply with applicable Data Protection Laws.

10. Business Contact Information. The parties anticipate they will need to exchange business contact information to facilitate a normal and customary business relationship (e.g., communication, invoicing, etc.). Business contact information may include Personal Data, such as name, business function, and contact information, for the parties�� respective personnel (��Party Personnel��). The parties acknowledge and agree that they independently control the purpose and means of Processing Personal Data relating to Party Personnel, and, as such, each party is solely responsible for how it uses, collects, protects, and shares Personal Data about Party Personnel received from the other party. The parties further acknowledge that the sharing of Personal Data about Party Personnel is incidental to the Agreement and does not form a part of the consideration provided by either party to fulfill its contractual obligations under the Agreement. Each party will, to the extent required by applicable Data Protection Laws, be responsible for notifying the Party Personnel about whom it receives Personal Data of its privacy practices and obtaining any required consents. The parties agree that if Personal Data about Party Personnel will be transmitted across national borders they will, to the extent required by law, enter into a separate cross-border transfer agreement to facilitate the transfer of Personal Data from a controller to a controller.?

11. Changes in Data Protection Laws. If any variation is required to this DPA as a result of a change in or subsequently applicable Data Protection Laws, the parties agree to discuss and negotiate in good faith any variations to this DPA necessary to address such changes, with a view to agreeing and implementing those or alternative variations as soon as practicable.

12. Standard Contractual Clauses and Annex to Standard Contractual Clauses. This DPA includes the Standard Contractual Clauses and the Annex to the Standard Contractual Clauses.?

13. Definitions. For purposes of this DPA, the following terms will have the meanings set forth below. Capitalized terms used but not otherwise defined herein have the meaning given to them in the Agreement.?

13.1 Affiliate: an entity that owns or controls, is owned or controlled by, or is under common control or ownership with, either Company or Service Provider respectively. ��Control,�� for purposes of this definition, means the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.?

13.2 Data Protection Laws: laws, rules and regulations related to privacy, security, data protection, and/or the Processing of Personal Data, in any relevant jurisdiction discussed in the Agreement, each as amended, replaced or superseded from time to time.?

13.3 Data Subject: the identified or identifiable natural person to whom Personal Data relates.??

13.4 Deidentified Information: information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular Data Subject.

13.5 Description of Technical and Organizational Security Measures: description of the technical and organizational safeguards to protect End User Personal Data that are no less rigorous than accepted industry standards for information security and comply with applicable Data Protection Law.?

13.6 End User Personal Data: any Personal Data received by Pure or a Subprocessor on behalf of End User in connection with the Agreement, or any Personal Data created or otherwise Processed by Pure or Subprocessor pursuant to the Agreement.

13.7 Personal Data: (a) information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular person or household; and (b) any information defined as ��personal data��, ��personal information,�� or other similar terms under applicable Data Protection Laws.?

13.8 Personal Data Breach:?the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, End User Personal Data transmitted, stored or otherwise Processed by Pure or any Subprocessor.

13.9 Processing: any operation or set of operations that is performed upon Personal Data,? such as access, storage, use, or reading. The terms ��Process��, ��Processes�� and ��Processed�� will be construed accordingly.?

13.10 Processor: any person or entity which Processes End User Personal Data, including as applicable any ��service provider�� or ��contractor�� as those terms are defined by applicable Data Protection Laws.?

13.11 Regulator: any independent public authority, government agency, and any similar regulatory authority responsible for the enforcement of Data Protection Laws.?

13.12 Subprocessor: any other Processor who may Process Company Personal Data.

14. General Terms. This DPA supplements the Agreement (or other written agreement covering the same subject matter executed by Pure) for the applicable hardware Product purchased by End User. Capitalized terms not specifically defined in this DPA have the same meaning as in the Agreement. Pure reserves the right to update this DPA from time to time, as noted by the ��Last Updated�� date below.?

Last Updated: April 2025

Exhibit 1

Details of Processing Azure Native ɫ�ش�ý Cloud Service

Subject Matter of Processing?

The subject-matter of Processing of End User Personal Data by Pure is the delivery of the Products pursuant to the Agreement.

Nature and Purpose of Processing?

End User Personal Data will be Processed as necessary to deliver the Product pursuant to the Agreement and will be subject to the processing activities described in any Statement of Work or Order Form that makes reference to, is incorporated under, or is subject to the Agreement.?

Duration of Processing

Subject to section 7 of the DPA, Pure will Process End User Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.

Categories of Data Subjects

The types of Data Subject shall be as is contemplated or related to the Processing described in any Statement of Work or Order Form that makes reference to, is incorporated under, or is subject to the Agreement.? ?

Types of Personal Data?

The types of End User Personal Data shall be as is contemplated or related to the Processing described in any Statement of Work or Order Form that makes reference to, is incorporated under, or is subject to the Agreement.?

Exhibit 2

Technical and Organizational Measures (TOMs) Azure Native ɫ�ش�ý Cloud Service

The technical and organizational measures (TOMs) listed herein are applicable to all instances of Azure Native ɫ�ش�ý Cloud Service, except in cases where the Client assumes responsibility for security and privacy TOMs.

Document Management

ɫ�ش�ý will ensure that all essential documentation is established between ɫ�ش�ý and the Client for the processing of Personal Data governed by GDPR. If there are any alterations to the specified scope, adjustments to the handling of Personal Data will undergo evaluation to identify any implications for necessary TOMs and other contractual agreements.
?

ɫ�ش�ý will create and maintain the following security and privacy documentation:
?

a. DPA and DPA Exhibit

b. Technical and Organizational Measures (TOMs)

c. Sub-processor Agreement (as required)

d. European Data Protection Board Model Clause (as required)

Incident Management

ɫ�ش�ý will maintain an incident response plan and follow documented incident response policies including data breach notification to Data Controller without undue delay where a breach is known or reasonably suspected to affect Client Personal Data.

Security Policies

ɫ�ش�ý will maintain, follow, and annually review Information security policies and standards that are integral to ɫ�ش�ý��s business and mandatory for all ɫ�ش�ý employees. ɫ�ش�ý employees will complete security and privacy education annually and certify each year that they will comply with ɫ�ش�ý's Code of Conduct and Information Security Policy.

ɫ�ش�ý will maintain an inventory of Personal Data reflecting the instructions set out in the DPA and DPA Exhibit.? Computing environments with resources containing Personal Data will be logged and monitored.?

Business Conduct Guidelines

Additional policy and process training will be provided to persons granted administrative access to security components that is specific to their role within ɫ�ش�ý��s operation and support of the service, and as required to maintain compliance and certifications.

User Access Management

ɫ�ش�ý will maintain controls for requesting, approving, granting, modifying, and revoking user access to systems containing customer data. Only employees with clear business need access customer data will be granted access to do so. Other than a small number of critical employees who have long-term access, all other employee access will be temporary and will be revoked after a set period of time. All employee access will be through verified single-sign on with multi-factor authentication.

Business Continuity

ɫ�ش�ý will maintain availability of data through business continuity and disaster recovery planning in support of our documented risk management guidelines. ɫ�ش�ý will maintain availability of data with documented, maintained and annually validated business continuity and disaster recovery plans consistent with industry standard practices, requirements and guidelines. Backup data intended for off-site storage will be encrypted prior to transport.

Workstation Protection

ɫ�ش�ý will implement protections on end-user devices including but not limited to full-disk encryption, screen lock timeouts, strong password requirements, host-based firewalls, Endpoint Detection and Response (��EDR��) agents, and web content filtering policies.? ɫ�ش�ý also has controls in place to check for specific compliance elements at time of connecting to Pure��s network.

Threat and Vulnerability Management

ɫ�ش�ý will maintain measures meant to identify, manage, mitigate and/or remediate vulnerabilities within the ɫ�ش�ý computing environments.?

Security measures include:

Patch management
Network and host event monitoring
Development of cybersecurity threat detections
Monitoring threat notification advisories
Vulnerability scanning (all internal and external systems)?
Periodic penetration testing and Red Team engagements

Exhibit 3

ANNEX I TO THE STANDARD CONTRACTUAL CLAUSES

A. LIST OF PARTIES

Data exporter(s):

Name:	End User
Address:	See Agreement
Contact person��s name, position and contact details:	Refer to Signatories of the Agreement
Activities relevant to the data transferred under these Clauses:	For the provision of products as set out in the Agreement
Signature and date:	Refer to Signatories of the Agreement
Role (controller/processor):	Controller

Slide

Data importer(s):

Name:	ɫ�ش�ý.
Address:	See Agreement
Contact person��s name, position and contact details:	Refer to Signatories of the Agreement
Activities relevant to the data transferred under these Clauses:	For the provision of products as set out in the Agreement
Signature and date:	Refer to Signatories of the Agreement
Role (controller/processor):	Processor

Slide

B. DESCRIPTION OF TRANSFER

Refer to the Details of Processing, Exhibit 1, documentation.

C. COMPETENT SUPERVISORY AUTHORITY

Irish Data Protection Commission

Exhibit 4

UK International Data Transfer Agreement

Part 1: Tables

Table 1: Parties and Signatures

Start date	The Effective Date of the DPA
The Parties	Exporter (who sends the Restricted Transfer)	Importer (who receives the Restricted Transfer)
Parties�� details	End User	ɫ�ش�ý.
Key Contact	Refer to Signatories of the Agreement	Refer to Signatories of the Agreement
Importer Data Subject Contact	Refer to Signatories of the Agreement	Refer to Signatories of the Agreement
Signatures confirming each Party agrees to be bound by this IDTA	Refer to Signatories of the Agreement	Refer to Signatories of the Agreement

Slide

i. Table 2: Transfer Details

UK country��s law that governs the IDTA:	? England and Wales ? Northern Ireland ? Scotland
Primary place for legal claims to be made by the Parties	? England and Wales ? Northern Ireland ? Scotland
The status of the Exporter	In relation to the Processing of the Transferred Data: ? Exporter is a Controller ? Exporter is a Processor or Sub-Processor
The status of the Importer	In relation to the Processing of the Transferred Data: ? Importer is a Controller ? Importer is the Exporter��s Processor or Sub-Processor ? Importer is not the Exporter��s Processor or Sub-Processor (and the Importer has been instructed by a Third Party Controller)
Whether UK GDPR applies to the Importer	? UK GDPR applies to the Importer��s Processing of the Transferred Data ? UK GDPR does not apply to the Importer��s Processing of the Transferred Data
Linked Agreement	If the Importer is the Exporter��s Processor or Sub-Processor �C the agreement(s) between the Parties which sets out the Processor��s or Sub-Processor��s instructions for Processing the Transferred Data: Name of agreement: Data Processing Addendum (the ��ٱʴ��) Date of agreement: See DPA Parties to the agreement: See DPA Reference (if any): N/A Other agreements �C any agreement(s) between the Parties which set out additional obligations in relation to the Transferred Data, such as a data sharing agreement or service agreement: Name of agreement: See DPA Date of agreement: See DPA Parties to the agreement: See DPA Reference (if any): N/A If the Exporter is a Processor or Sub-Processor �C the agreement(s) between the Exporter and the Party(s) which sets out the Exporter��s instructions for Processing the Transferred Data: Name of agreement: See DPA Date of agreement: See DPA Parties to the agreement: See DPA Reference (if any): N/A?
Term	The Importer may Process the Transferred Data for the following time period: ? the period for which the Linked Agreement is in force ? time period: ? (only if the Importer is a Controller or not the Exporter��s Processor or Sub-Processor) no longer than is necessary for the Purpose.
Ending the IDTA before the end of the Term	? the Parties cannot end the IDTA before the end of the Term unless there is a breach of the IDTA or the Parties agree in writing. ? the Parties can end the IDTA before the end of the Term by serving: ____ months�� written notice, as set out in Section 29 (How to end this IDTA without there being a breach).
Ending the IDTA when the Approved IDTA changes	Which Parties may end the IDTA as set out in Section ?29.2: ? ? Importer ? Exporter ? neither Party
Can the Importer make further transfers of the Transferred Data?	? The Importer MAY transfer on the Transferred Data to another organisation or person (who is a different legal entity) in accordance with Section 16.1 (Transferring on the Transferred Data). ? The Importer MAY NOT transfer on the Transferred Data to another organisation or person (who is a different legal entity) in accordance with Section 16.1 (Transferring on the Transferred Data).
Specific restrictions when the Importer may transfer on the Transferred Data	The Importer MAY ONLY forward the Transferred Data in accordance with Section 16.1: ? if the Exporter tells it in writing that it may do so. ? to: ????? ? to the authorised receivers (or the categories of authorised receivers) set out in: Details of Processing Addendum to the DPA ? there are no specific restrictions.
Review Dates	First review date: Effective Date of the DPA The Parties must review the Security Requirements at least once: ? each ____ month(s) ? each quarter ? each 6 months ? each year ? each ____ year(s) ? each time there is a change to the Transferred Data, Purposes, Importer Information, TRA or risk assessment, to the extent that Importer is made aware of such changes; Importer will conduct a review at the time of contract renewal

Slide

ii. Table 3: Transferred Data

Transferred Data	The personal data to be sent to the Importer under this IDTA consists of that data outlined in Details of Processing Addendum to the DPA. ? The categories of Transferred Data will update automatically if the information is updated in the Linked Agreement referred to.
Special Categories of Personal Data and criminal convictions and offences	The Transferred Data includes data relating to that data outlined in Details of Processing Addendum to the DPA. The categories of special category and criminal records data will update automatically if the information is updated in the Linked Agreement referred to.
Relevant Data Subjects	The Data Subjects of the Transferred Data are those data subjects outlined in Details of Processing Addendum to the DPA. The categories of Data Subjects will update automatically if the information is updated in the Linked Agreement referred to.
Purpose	The Importer may Process the Transferred Data for the purposes set out in the DPA. The purposes will update automatically if the information is updated in the Linked Agreement referred to.

Slide

iii. Table 4: Security Requirements

Security of Transmission	As set out in Technical and Organizational Measures of the DPA.
Security of Storage	As set out in Technical and Organizational Measures of the DPA.
Security of Processing	As set out in Technical and Organizational Measures of the DPA.
Organisational security measures	As set out in Technical and Organizational Measures of the DPA.
Technical security minimum requirements	As set out in Technical and Organizational Measures of the DPA.
Updates to the Security Requirements	The Security Requirements will update automatically if the information is updated in the Linked Agreement referred to.

Slide

Part 2: Extra Protection Clauses

Extra Protection Clauses:

N/A

Slide

Part 3: Commercial Clauses

Commercial Clauses

Commercial Clauses are not used

Slide

Part 4: Mandatory Clauses

Mandatory Clauses

Part 4: Mandatory Clauses of the Approved IDTA, being the template IDTA A.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section ?5.4 of those Mandatory Clauses.

Slide

Exhibit 5

Standard Contractual Clauses - Controller to Processor

The parties hereby agree that they will comply with the EU Standard Contractual Clauses: Module 2, which are incorporated herein by reference, a copy of which can be found at . The Parties agree that the following terms apply:

1. Clause 7. The Parties have chosen not to include Clause 6.

2. Clause 9(a). OPTION 2: GENERAL WRITTEN AUTHORISATION The data importer has the data exporter��s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub- processors at least [Specify time period] in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.

3. Clause 11(a). The Parties do not incorporate the optional language allowing a data subject to lodge a complaint with an independent dispute resolution body at no cost to the data subject.

4. Clause 13(a): Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.

5. Clause 17: These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.

6. Clause 18(b): The Parties agree that those shall be the courts of Ireland.