Data Processing Addendum (DPA)
This Data Processing Addendum (including its Annexes) (“DPA”) is supplementary to and forms part of the terms and conditions of the services agreement, software license agreement, end user license agreement, or other written or electronic agreement (the “Agreement”) by and between you (“Customer”) and ThreatDown Inc. (“Company”). All capitalized terms that are not expressly defined in this DPA shall have the meanings given to them in the Agreement.
1. Definitions.
For the purposes of this DPA, the following terms and those defined within the body of this DPA apply.
a) “Controller” means the entity that determines the purpose and means of Processing Personal Data, and includes the terms “controller” or “business” under applicable Data Protection Laws.
b) “Customer Personal Data” means Personal Data Processed by Company on behalf of Customer in connection with the Agreement, as more particularly described in Annex I.
c) “Data Protection Laws” means the applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which Customer Personal Data is subject. “Data Protection Laws” may include, but are not limited to (i) the California Consumer Privacy Act (as amended by the California Privacy Rights Act) and its implementing regulations (“CCPA”), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and other U.S. state data protection and privacy laws in effect; (ii) the EU General Data Protection Regulation 2016/679 (“GDPR”) and its respective national implementing legislations; (iii) the Swiss Federal Act on Data Protection and its Ordinance (“Swiss FADP”); and (iv) the UK General Data Protection Regulation, the Data Protection Act 2018, and the Data (Use and Access) Act 2025 (collectively, “UK Data Protection Laws”); in each case, as amended or superseded from time to time.
d) “Data Subject” means the identified or identifiable individual to whom Personal Data relates.
e) “DPF Principles” means the EU-U.S. Data Privacy Framework Principles, the Swiss-U.S. DPF Principles, and UK Extension to the EU-U.S. Data Privacy Framework Principles, in each case, including the Supplemental Principles, currently available at: https://www.dataprivacyframework.gov/EU-US-Framework.
f) “Personal Data” means any information that is protected as “personal data” or “personal information” under applicable Data Protection Laws.
g) “Process” or “Processing” means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
h) “Processor” means the entity that Processes Personal Data on behalf of the Controller, and includes the terms “processor” and “service provider” under applicable Data Protection Laws.
i) “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data attributable to Company. “Security Incident” shall not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
j) “Services” means the services that Company provides to Customer under the Agreement.
k) “Standard Contractual Clauses” means the standard contractual clauses adopted by the European Commission in its Implementing Decision (EU) 2021/914 of 4 June 2021, currently available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj
l) “Subprocessor(s)” means Company’s authorized vendors and third-party service providers that Process Customer Personal Data on Company’s behalf.
m) “UK Addendum” means the International Data Transfer Addendum (version B1.0) issued by the UK Information Commissioner’s Office under the Data Protection Act 2018, as amended or superseded from time to time.
2. Scope and Processing Details.
a) Scope of DPA. This DPA applies where and to the extent that Company Processes Customer Personal Data in connection with the Agreement as a Processor on Customer’s behalf, whether Customer is itself a Controller or a Processor acting on behalf of a third-party Controller. Notwithstanding anything to the contrary, this DPA does not apply to any Processing of Personal Data by Company as a Controller or where Company otherwise determines the purpose and means of Processing Personal Data.
b) Processing Details. The subject matter, nature, and purpose of the Processing, and the categories of Personal Data and Data Subjects, are described in Annex I.
c) Duration and Survival. This DPA will become legally binding upon the effective date of the Agreement, provided it is properly incorporated into the Agreement, and will survive until the relationship between Customer and Company terminates as specified in the Agreement.
3. Processing Terms for Customer Personal Data.
For the purposes of this DPA, the following terms apply.
a) Documented Instructions. Company shall Process Customer Personal Data to provide the Services in accordance with Customer’s instructions, as set out in the Agreement, this DPA, any applicable Statement of Work, and any instructions agreed upon by the parties in writing. Company will, unless legally prohibited from doing so, inform Customer in writing if it reasonably believes that there is a conflict between Customer’s instructions and Data Protection Laws or Company otherwise Processes Customer Personal Data in a manner that is inconsistent with Customer’s instructions.
b) Authorization to Use Subprocessors. Customer provides a general authorization for Company to engage Subprocessors to Process Customer Personal Data. Company maintains a list of its current Subprocessors, currently available at www.threatdown.com/legal/subprocessors (the “Subprocessor List”).
c) Subprocessor Compliance. Company shall (i) enter into a written agreement with each Subprocessor regarding such Subprocessor’s Processing of Customer Personal Data that imposes data protection requirements for Customer Personal Data that are consistent with this DPA; and (ii) remain responsible to Customer for any failure by Company’s Subprocessors to perform their obligations with respect to the Processing of Customer Personal Data.
d) Objection to Subprocessors. Company shall notify Customer prior to engaging any new Subprocessor by updating the Subprocessor List and give Customer ten (10) days to object from the date the Subprocessor List is updated. Customer may also sign up to receive notifications of Subprocessor changes. If Customer has legitimate objections to the appointment of any new Subprocessor, the parties will work together in good faith to resolve the grounds for the objection.
e) Confidentiality. Any person authorized to Process Customer Personal Data shall be subject to a duty of confidentiality, whether through contractual agreement to maintain the confidentiality of such information, or through an appropriate statutory obligation of confidentiality.
f) Inquiries and Requests. Where required by Data Protection Laws, Company agrees to provide reasonable assistance and comply with reasonable instructions from Customer at Customer’s expense related to any requests from Data Subjects seeking to exercise their rights under Data Protection Laws or inquiries from relevant data protection authorities.
g) Data Protection Impact Assessments. Where required by Data Protection Laws, Company agrees to provide reasonable assistance and information at Customer’s expense where, in Customer’s reasonable judgement, the type of Processing performed by Company requires a data protection assessment, data protection impact assessment, and/or prior consultation with the relevant data protection authorities.
h) Demonstrable Compliance. Company agrees to provide information reasonably necessary to demonstrate compliance with this DPA upon Customer’s reasonable request. Customer acknowledges and agrees that it shall exercise its audit rights under this DPA by instructing Company to comply with the audit measures described in Section 7 below.
i) Aggregation and De-Identification. Customer agrees that Company may: (i) compile aggregated and/or de-identified information in connection with providing the Services provided that such information cannot reasonably be used to identify Customer or any Data Subject to whom Customer Personal Data relates (“Aggregated and/or De-Identified Data”); and (ii) use such Aggregated and/or De-Identified Data for its lawful business purposes.
j) California Specific Terms. To the extent that Company’s Processing of Customer Personal Data is subject to the CCPA, this Section 3(j) will also apply. Customer discloses or otherwise makes available Customer Personal Data to Company for the limited and specific purpose of Company providing the Services to Customer in accordance with the Agreement and this DPA. Company shall: (i) comply with its applicable obligations under the CCPA; (ii) provide the same level of protection for Customer Personal Data as is required under the CCPA; (iii) notify Customer if it can no longer meet its obligations under the CCPA; (iv) not “sell” or “share” (as such terms are defined by the CCPA) Customer Personal Data; (v) not retain, use, or disclose Customer Personal Data for any purpose (including any commercial purpose) other than to provide the Services under the Agreement or as otherwise permitted under the CCPA; (vi) not retain, use, or disclose Customer Personal Data outside of the direct business relationship between Customer and Company, unless otherwise permitted by the CCPA; and (vii) not combine Customer Personal Data with Personal Data that Company receives from another person or collects from its own interactions with Data Subjects, unless otherwise permitted by the CCPA. Company will permit Customer, upon reasonable request, to take reasonable and appropriate steps to ensure that Company Processes Customer Personal Data in a manner consistent with the obligations applicable to a “business” under the CCPA by requesting that Company attest to its compliance with this Section 3(j). If Customer reasonably believes that Company is engaged in unauthorized Processing of Customer Personal Data that is subject to the CCPA, Customer will immediately notify Company of such belief, and the parties will work together in good faith to remediate the allegedly violative Processing.
4. Information Security Program. Company shall implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data from Security Incidents. The measures adopted by Company to protect Customer Personal Data shall include, at a minimum, those measures described in Annex II (“Security Measures”). Customer acknowledges that the Security Measures are subject to technical development and that Company may update the Security Measures from time to time, provided that such updates do not result in a degradation to the overall security provided to Customer Personal Data.
5. Security Incidents. Upon becoming aware of a Security Incident, Company agrees to provide written notice without undue delay to Customer’s Designated POC. Where possible, such notice will include all available details for Customer to comply with its own notification obligations under applicable Data Protection Laws, including notification obligations to regulatory authorities or Data Subjects affected by the Security Incident. Company’s notification of a Security Incident to Customer shall not be construed as an acknowledgment by Company of any fault or liability with respect to the Security Incident.
6. Data Transfers.
a) Cross-Border Transfers of Customer Personal Data. Customer authorizes Company and its Subprocessors to transfer Customer Personal Data across international borders, including Customer Personal Data originating from the European Economic Area, Switzerland, and/or the United Kingdom to the United States. Company shall ensure that such transfers are made in compliance with the requirements of applicable Data Protection Laws.
b) Data Privacy Framework. Company is a participant in the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, and the UK Extension to the EU-U.S. Data Privacy Framework (collectively, the “Data Privacy Framework”). If Customer Personal Data originating in the European Economic Area, Switzerland, or the United Kingdom is transferred by Customer to Company in the United States, then Company will: (i) provide at least the same level of protection to such Customer Personal Data as is required by the DPF Principles; (ii) Process such Customer Personal Data in a manner consistent with the DPF Principles; and (iii) notify Customer if Company makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the DPF Principles. Customer acknowledges that Customer may provide a copy of this DPA and the relevant privacy provisions of the Agreement to the U.S. Department of Commerce upon request.
c) Standard Contractual Clauses. If Customer Personal Data originating in the European Economic Area, Switzerland, and/or the United Kingdom is transferred by Customer to Company in a country that does not provide an adequate level of protection under applicable Data Protection Laws, the parties agree that such transfer of Customer Personal Data shall be governed by the Standard Contractual Clauses and UK Addendum (as applicable), as set forth in Annex III. For clarity, the Standard Contractual Clauses and UK Addendum (as applicable) do not apply to transfers of Customer Personal Data from Customer to Company in the United States and that are subject to the Data Privacy Framework.
d) Alternative Transfer Mechanisms. If and to the extent that a court of competent jurisdiction or a supervisory authority with binding authority orders or determines (for whatever reason) that the measures described in this DPA cannot be relied on to lawfully transfer Customer Personal Data from Customer to Company, Customer acknowledges and agrees that Company may implement any additional measures or safeguards that may be reasonably required to enable the lawful transfer of such Customer Personal Data.
7. Audits and Assessments.
a) Customer Audit. Where Data Protection Laws afford Customer an audit or assessment right, Customer (or its appointed representative) may carry out an audit or assessment of Company’s policies, procedures, and records relevant to the Processing of Customer Personal Data. Any audit or assessment must be conducted: (i) during Company’s regular business hours; (ii) with reasonable advance notice to Company; (iii) in a manner that prevents unnecessary disruption to Company’s operations; and (iv) subject to reasonable confidentiality procedures. In addition, any audit or assessment shall be limited to once per year, unless an audit or assessment is carried out at the direction of a government authority having proper jurisdiction.
8. Data Deletion and Return. At the expiry or termination of the Agreement, Company will delete all Customer Personal Data (excluding any back-up or archival copies, which shall be deleted in accordance with Company’s data retention schedule), except where Company is required to retain copies under applicable laws, in which case Company will protect and isolate that Customer Personal Data from any further Processing except to the extent required by applicable laws.
9. Customer’s Obligations. Customer represents and warrants that: (i) it has complied and will comply with Data Protection Laws; (ii) it has provided Data Subjects whose Customer Personal Data will be Processed in connection with the Agreement with a privacy notice or similar document that clearly and accurately describes Customer’s practices with respect to the Processing of Customer Personal Data; (iii) it has obtained and will obtain and continue to have, during the term, all necessary rights, lawful bases, authorizations, consents, and licenses for the Processing of Customer Personal Data as contemplated by the Agreement; and (iv) Company’s Processing of Customer Personal Data in accordance with the Agreement will not violate Data Protection Laws or cause a breach of any agreement or obligations between Customer and any third party.
10. Miscellaneous.
a) Conflicts. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict or inconsistency between this DPA and the Agreement, the provisions of the following documents shall prevail in order of precedence: (i) the Standard Contractual Clauses or UK Addendum (where applicable); (ii) the DPA; and then (iii) the Agreement.
b) Liability. Any provisions excluding or limiting either party’s liability under the Agreement shall apply to each party’s liabilities under this DPA, except that they shall not apply to any claim made by a Data Subject under the Standard Contractual Clauses or UK Addendum (where applicable) pursuant to their rights as a third-party beneficiary.
c) Governing Law. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless otherwise required under Data Protection Laws or otherwise stated in the Standard Contractual Clauses or UK Addendum (where applicable).
d) Contact Information. Customer and Company agree to designate a point of contact for urgent privacy and security issues (a “Designated POC”). The Designated POCs for the parties are:
• Customer Designated POC: shall be the primary email address associated with Customer’s account for the Services.
• Company Designated POC: VP, General Counsel, Ameet Matharu
______________________________________________________________________________
Annex I: Data Processing Information
A. List of Parties
Data Exporter: Customer.
Address: As set forth in the Agreement.
Contact person’s name, position, and contact details: Customer’s Designated POC.
Activities relevant to the data transferred under these Clauses: The Services.
Role: Controller (Module Two), Processor (Module Three).
Data Importer: Company.
Address: As set forth in the Agreement.
Contact person’s name, position, and contact details: Company’s Designated POC.
Activities relevant to the data transferred under these Clauses: The Services.
Role: Processor.
B. Description of the Transfer:
Categories of Data Subjects: The categories of Data Subjects whose Personal Data is transferred include, but are not limited to: past, current, and future personnel of Customer and its affiliates; advisers, clients, consultants, service providers, and other professional experts of Customer and its affiliates.
Categories of Personal Data: The categories of Personal Data transferred include, but are not limited to: name, email address, contact information, title, position, address(es), IP address, device identifiers, machine identification numbers, endpoint and network domain information, operating system user account names, GeoIP data (approximate location, ISP, connection type), and device information.
Sensitive data transferred (if applicable): The parties do not anticipate the transfer of sensitive data or special categories of data (as defined under applicable Data Protection Laws). To the extent any sensitive data is incidentally included in Customer Personal Data transferred under the Agreement, Customer is solely responsible for ensuring it has a valid legal basis for such transfer.
Frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Personal Data is transferred in accordance with the standard functionality of the Services, or as otherwise agreed upon by the parties.
Nature of the Processing: The performance of the Services under the Agreement.
Purpose(s) of the transfer and Processing: The performance of the Services under the Agreement, which for the avoidance of doubt shall include Processing (i) to perform the Services; (ii) to provide technical support requested by Customer; (iii) to maintain the security of the Services and fraud prevention; and (iv) to fulfil other obligations under the Agreement.
Period for which the Personal Data will be retained: Company will retain Customer Personal Data in accordance with the Agreement.
Subject matter, nature and duration of the processing: See above.
C. Competent Supervisory Authority: For the purpose of the Standard Contractual Clauses, the competent supervisory authority shall be as mandated by Clause 13 of the Standard Contractual Clauses. If no supervisory authority is mandated by Clause 13, then the competent supervisory authority shall be the Irish Data Protection Commission (DPC).
______________________________________________________________________________
Annex II: Technical and Organizational Security Measures
Company shall implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data as set forth below:
| Measure | Description |
|---|---|
| Measures of pseudonymization and encryption of Personal Data | Company implements encryption for Personal Data in transit using TLS or equivalent secure transfer protocols. Where appropriate based on risk assessment, Company implements encryption for Personal Data at rest using AES-256 or equivalent. Where required or determined necessary, Company applies pseudonymization or anonymization techniques such that Personal Data cannot be attributed to a specific data subject without the use of additional information, with such additional information kept separately and subject to appropriate technical and organizational measures. |
| Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | Access to Personal Data is limited in accordance with least privilege and need-to-know principles. Role-based access controls are implemented such that each role has only those rights necessary for the task to be performed. Company maintains secure network architecture designed to support segmentation, isolation, and defense in depth. Logical separation measures are designed to prevent Customer Personal Data from being exposed to or accessed by unauthorized persons. |
| Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident | Company maintains business continuity and disaster recovery plans that are validated on a regular basis. Backup procedures include storage at remote locations separate from production systems, with regular restoration testing. Company maintains redundancy throughout its infrastructure designed to minimize unavailability or loss of data. |
| Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing | Company performs penetration testing and vulnerability assessments, including automated system and application security scanning, on a regular basis. Company engages qualified independent third parties to perform security assessments. Company performs automated verification of compliance with security configuration requirements and remediates identified vulnerabilities based on associated risk. Company conducts internal audits to assess operating effectiveness of technical and organizational measures. |
| Measures for user identification and authorization | Access to data processing systems requires authentication using unique credentials. Company maintains technical measures enforcing timeout of inactive sessions, lockout of accounts after multiple sequential failed login attempts, and secure password or passphrase requirements. Privileged access is individual, role-based, and subject to approval and regular validation. Company maintains measures to identify and remove redundant and dormant accounts and to promptly revoke access upon separation. |
| Measures for the protection of data during transmission | Personal Data in transit is protected using TLS or equivalent cryptographic protocols. Company enables use of secure transfer protocols for transfer of Personal Data to and from the Services over public networks. |
| Measures for the protection of data during storage | Where applicable, Personal Data at rest is encrypted using AES-256 or equivalent. Company utilizes third-party data center providers that maintain appropriate security certifications. Company maintains documented procedures for secure key generation, storage, rotation, and destruction where the Services include management of cryptographic keys. |
| Measures for ensuring physical security of locations at which Personal Data are processed | Company maintains or requires data center providers to maintain appropriate physical entry controls, such as barriers, card-controlled entry points, surveillance systems, and reception procedures designed to protect against unauthorized entry. Access to data centers is limited by job role and subject to authorized approval, with access logged. Visitors are registered, required to provide proof of identity, and escorted by authorized personnel. Company takes precautions to protect physical infrastructure against environmental threats. |
| Measures for ensuring events logging | Company maintains security information and event management measures designed to identify unauthorized access and activity and to facilitate timely and appropriate response. Privileged access and activity are recorded in logs retained in accordance with Company’s records retention policy. Company maintains measures designed to protect logs against unauthorized access, modification, and accidental or deliberate destruction. |
| Measures for ensuring system configuration, including default configuration | Company maintains policies and procedures designed to manage risks associated with changes to the Services. Changes to systems, networks, and underlying components are documented and subject to approval by authorized personnel prior to implementation. Company maintains measures designed to assess, test, and apply security patches based on severity and risk assessment guidelines. |
| Measures for internal IT and IT security governance and management | Company maintains an information security program informed by risk assessment processes designed to identify, evaluate, and address security risks to Customer Personal Data. Personnel authorized to Process Personal Data are subject to confidentiality obligations. Company separates development, testing, and production environments. Separate access credentials and authentication are used for production and corporate operations. Company maintains an inventory of information technology assets used in operation of the Services and continuously monitors health and availability. |
| Measures for certification/assurance of processes and products | Company maintains SOC 2 Type II and ISO 27001 certifications. Company utilizes third-party data center providers that maintain appropriate security certifications. Upon Customer’s written request (no more than once per twelve (12) month period), Company shall provide a summary or copy of its most recent relevant certification or attestation reports, subject to the confidentiality provisions of the Agreement. |
| Measures for ensuring data minimization | Company Processes Customer Personal Data only as necessary for the purposes set forth in the Agreement and this DPA. Personal Data that is no longer required for the purposes for which it was processed is deleted in accordance with Company’s data retention practices. |
| Measures for ensuring limited data retention | Company retains Customer Personal Data in accordance with the Agreement. Upon expiry or termination of the Agreement, Company will delete Customer Personal Data in accordance with Section 8 of this DPA. |
| Measures for ensuring accountability | Company maintains documented information security policies that are reviewed on a regular basis. Personnel who handle Personal Data are trained on information security policies. Company maintains and follows documented incident response policies consistent with industry standards. |
| Measures for allowing data portability and ensuring erasure | The Services include functionality and processes designed to allow Customer to export and delete Customer Personal Data through a combination of self-service tools and support-assisted processes. Company will delete Customer Personal Data in accordance with Section 8 of this DPA. |
| Measures for Subprocessor compliance | Company enters into written agreements with Subprocessors that impose data protection requirements consistent with this DPA. Personal Data is transferred to Subprocessors only for the specific purposes set forth in the Agreement. Where Personal Data is transferred outside the EEA, UK, or Switzerland, Company ensures an adequate level of data protection exists in accordance with Data Protection Laws, including through use of the Standard Contractual Clauses where applicable. |
______________________________________________________________________________
Annex III: Standard Contractual Clauses
Where applicable, the terms of the Standard Contractual Clauses and UK Addendum (as applicable) will be incorporated by reference and apply as follows:
A. EEA Transfers. In relation to transfers of Customer Personal Data that is protected by the GDPR, the Standard Contractual Clauses will apply completed as follows:
1. Module Two will apply where Customer is a Controller and Module Three will apply where Customer is a Processor of Customer Personal Data;
2. Clause 7 (docking clause) is incorporated;
3. in Clause 9, Option 2 (general authorization) will apply and the time period for notice of Subprocessor changes shall be as set out in Section 3(d) of the DPA;
4. in Clause 11, the optional language (alternative dispute resolution mechanism) will not apply;
5. in Clause 17, Option 1 will apply and the Standard Contractual Clauses will be governed by Irish law;
6. in Clause 18(b), disputes will be resolved before the courts of Ireland;
7. Annex I of the Standard Contractual Clauses will be deemed completed with the information set out in Annex I of the DPA; and
8. Annex II of the Standard Contractual Clauses will be deemed completed with the information set out in Annex II of the DPA.
B. Swiss Transfers. In relation to transfers of Customer Personal Data that is protected by the Swiss FADP, the Standard Contractual Clauses will apply in accordance with Section (A) above, with the following modifications: (i) any references in the Standard Contractual Clauses to “Regulation (EU) 2016/679” will be interpreted as references to the Swiss FADP; (ii) any references to “EU”, “Union” and “Member State” law will be interpreted as references to Swiss law; and (iii) any references to the “competent supervisory authority” and “competent courts” in the Standard Contractual Clauses will be interpreted as references to the relevant data protection authority and courts in Switzerland.
C. UK Transfers. In relation to transfers of Customer Personal Data that is protected by UK Data Protection Laws, the Standard Contractual Clauses will apply in accordance with Section (A) above but as modified and interpreted by the UK Addendum, which will be incorporated into and form an integral part of the DPA. Any conflict between the terms of the SCCs and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum. In addition, tables 1 to 3 in Part 1 of the UK Addendum will be deemed completed respectively with the information set out in Annex I and Annex II of the DPA, and table 4 in Part 1 will be deemed completed by selecting “neither party”.
D. Clarifying Terms: The parties further agree that: (i) the certification of deletion required by Clause 8.5 and Clause 16(d) of the Standard Contractual Clauses will be provided upon Customer’s written request; (ii) the measures Company is required to take under Clause 8.6(c) of the Standard Contractual Clauses will only cover Company’s impacted systems; (iii) the audit described in Clause 8.9 of the Standard Contractual Clauses will be carried out in accordance with Section 7 of the DPA; (iv) under Clause 9(a), Module Three, Customer will be solely responsible for communicating any information to the applicable controller; (v) the termination right contemplated by Clause 14(f) and Clause 16(c) of the Standard Contractual Clauses will be limited to the termination of the Standard Contractual Clauses; (vi) unless otherwise agreed by the parties, Customer will be responsible for communicating with Data Subjects pursuant to Clause 15.1(a) of the Standard Contractual Clauses; (vii) the information required under Clause 15.1(c) of the Standard Contractual Clauses will be provided upon Customer’s written request; and (viii) notwithstanding anything to the contrary, Customer will reimburse Company for all costs and expenses incurred by Company in connection with the performance of its obligations under Clause 15.1(b) and Clause 15.2 of the Standard Contractual Clauses without regard for any limitation of liability set forth in the Agreement.