Data Processing Addendum

Controller to Processor

Published: Apr 12 2018
Last revised: Apr 12 2023

This SourceFound Data Processing Addendum (the "Addendum") is entered into by and between SourceFound, Inc. ("SourceFound") and you (the "Client") (each, a "Party" and, collectively, the "Parties"). If you are accepting the terms of this Addendum on behalf of an entity, you represent and warrant to SourceFound that you have the authority to bind that entity and its affiliates, where applicable, to the terms and conditions of this Addendum. This Addendum is effective as of the date on which you agree to it (the "Effective Date") by checking "I Accept" in the applicable online form or webpage that makes reference to this Addendum.

WHEREAS the Parties wish to supplement the Terms of Service (the "Service Agreement") to ensure that Client Personal Data (as defined below) transferred between the Parties is Processed (as defined below) in compliance with applicable data protection principles and requirements; and

WHEREAS the Parties agree that in the event of any conflict or ambiguity between the Service Agreement and this Addendum, the provisions of this Addendum will prevail.

NOW, THEREFORE, in consideration of the mutual agreements set forth in this Addendum and for other good and valuable consideration, the receipt and sufficiency of which the Parties both acknowledge, the Parties agree as follows:

  1. Definitions
    1. The terms used in this Addendum shall have the definitions and meanings set forth or referenced in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Service Agreement. Except as modified or supplemented below, the definitions of the Service Agreement, as well as all the other terms and conditions of the Service Agreement, shall remain in full force and effect.
    2. For the purpose of interpreting this Addendum, the following terms shall have the meanings set out below:
      1. "Applicable Data Protection Laws" means all laws and regulations applicable to the Processing of Client Personal Data, including but not limited to the GDPR and the laws and regulations identified in Exhibit B hereto, as may be amended, modified, or supplemented from time to time, as applicable.
      2. "Client" means the party that has entered into this Addendum with SourceFound, as indicated in the opening paragraph of this Addendum, including all affiliates of that entity that are also bound by the Service Agreement, if any.
      3. "Client Personal Data" means any Personal Data Processed by SourceFound or a Sub-processor on behalf of the Client pursuant to or in connection with the Service Agreement.
      4. "Contracted Processor" means SourceFound, a Sub-processor, or both collectively.
      5. "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 "on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC," as may be amended from time to time (General Data Protection Regulation).
      6. "Restricted International Transfer" means any transfer of Client Personal Data subject to Applicable Data Protection Laws to a Third Country or an international organization in a Third Country (including data storage on foreign servers).
      7. "Services" means the services and other activities to be supplied to or carried out by or on behalf of SourceFound for the Client pursuant to the Service Agreement.
      8. "Standard Contractual Clauses" are the model clauses for Restricted International Transfers adopted from time to time by the relevant authorities of the jurisdictions indicated in Exhibit B, insofar as their use is approved by the relevant authorities as an appropriate mechanism or safeguard for Restricted International Transfers.
      9. "Sub-processor" means any person (including any third party but excluding an employee of SourceFound or an employee of any of its sub-contractors) appointed by or on behalf of SourceFound to Process Client Personal Data on behalf of the Client in connection with the Service Agreement.
    3. The terms "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing", "Processor", "Rights of the Data Subject(s)", and "Supervisory Authority", whether capitalized or not, shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
  2. Applicability
    1. This Addendum will not apply to the Processing of Client Personal Data where such Processing is not regulated by Applicable Data Protection Laws. The Parties to this Addendum hereby agree that the terms and conditions set out herein shall be added as an addendum to the Service Agreement. Except where the context requires otherwise, references in this Addendum to the Service Agreement are to the Service Agreement as amended or supplemented by, and including, this Addendum.
  3. Processing of Client Personal Data
    1. In the context of this Addendum, the Client acts as a Controller and SourceFound acts as a Processor with regard to the Processing of Client Personal Data.
    2. SourceFound warrants that it will:
      1. comply with all Applicable Data Protection Laws in the Processing of Client Personal Data;
      2. not Process Client Personal Data other than on the Client's relevant documented instructions, including with regard to transfers of Client Personal Data to a Third Country or an international organization, unless such Processing is required by Applicable Data Protection Laws to which the relevant Contracted Processor is subject, in which case SourceFound shall, to the extent permitted by Applicable Data Protection Laws, inform the Client of that legal requirement before the respective act of Processing of that Client Personal Data; and
      3. only conduct Restricted International Transfers of Client Personal Data in compliance with Applicable Data Protection Laws and the requirements of Exhibit B.
    3. The Client will provide all information that is applicable to the Client and requested in the form located under Organization Settings > GDPR at https://membershipworks.com/admin/. The Client warrants that it will promptly update, when necessary, all such information, and keep all such information complete and up to date.
    4. The Client instructs SourceFound (and authorizes SourceFound to instruct each Sub-processor) to Process Client Personal Data, and in particular, transfer Client Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the Service Agreement and this Addendum.
  4. SourceFound Personnel
    1. SourceFound shall take reasonable steps to ensure the reliability of any employee, agent, or contractor of any Contracted Processor who may have access to the Client Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Client Personal Data, as strictly necessary for the purposes of the Service Agreement, and to comply with Applicable Data Protection Laws in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to formal confidentiality undertakings or professional or statutory obligations of confidentiality.
  5. Security of Processing
    1. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity to the rights and freedoms of natural persons, SourceFound shall, with regard to Client Personal Data, implement and maintain appropriate technical and organizational security measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR, as well as assist Client with regard to ensuring Client's compliance with its own obligations related to its security measures pursuant to Applicable Data Protection Laws.
    2. In assessing the appropriate level of security, SourceFound shall take account, in particular, of the risks that are presented by the nature of such Processing activities, and particularly those related to possible Personal Data Breaches.
    3. Client is responsible for reviewing the information made available by SourceFound relating to data security and making an independent determination as to whether the Services meet Client's requirements and legal obligations under Applicable Data Protection Laws. Client acknowledges that the security measures are subject to technical progress and development and that SourceFound may update or modify the security measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by Client.
    4. Notwithstanding the above, Client agrees that, except as provided by this Addendum, Client is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of the Client Personal Data when in transit to and from the Services, and taking any appropriate steps to securely encrypt or backup any Client Personal Data downloaded, uploaded, or inputted while utilizing the Services.
  6. Sub-processing
    1. The Client authorizes SourceFound to appoint (and permit each Sub-processor appointed in accordance with this Section 6 to appoint) Sub-processors in accordance with this Section 6 and any possible further restrictions, as set out in the Service Agreement and this Addendum.
    2. SourceFound may continue to use those Sub-processors already engaged by SourceFound as of the Effective Date, subject to SourceFound meeting the obligations set out in Section 6.4. The list of SourceFound's Sub-processors, current as of the Effective Date, is included as Exhibit D.
    3. Client consents to SourceFound engaging additional Sub-processors, provided that SourceFound shall give the Client prior written notice of the appointment of any new Sub-processor, by way of sending an email to the Client. If, within thirty (30) days of receipt of each such notice, the Client notifies SourceFound in writing of any objections (on reasonable grounds) to the proposed appointment, SourceFound shall not appoint (or disclose any Client Personal Data to) that proposed Sub-processor until reasonable steps have been taken to address the objections raised by the Client and, in turn, the Client has been provided with a reasonable written explanation of the steps taken to account for any such objections. If the Client, nevertheless, objects to the proposed appointment, it shall be entitled to terminate the Service Agreement as a remedy.
    4. With respect to each Sub-processor, SourceFound shall:
      1. before the Sub-processor first Processes Client Personal Data (or, where relevant, in accordance with Section 6.2), carry out adequate due diligence to ensure that the Sub-processor is capable of providing the level of protection for Client Personal Data required by this Addendum, the Service Agreement, and Applicable Data Protection Laws; and
      2. ensure that the arrangement between: on the one hand, (i) SourceFound, or (ii) the relevant intermediate Sub-processor; and on the other hand, the respective prospective Sub-processor, is governed by a written contract including terms which offer at least the same level of protection for Client Personal Data as those set out in this Addendum, and that such terms meet the requirements of Applicable Data Protection Laws, in particular Article 28(3) of the GDPR, where applicable.
  7. Rights of the Data Subjects
    1. Taking into account the nature of the Processing, SourceFound shall assist the Client by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Client's obligations, as reasonably understood by the Client, to respond to requests to exercise Rights of the Data Subjects under the Applicable Data Protection Laws.
    2. With regard to Rights of the Data Subjects within the scope of this Section 7, SourceFound shall:
      1. promptly notify the Client if any Contracted Processor receives a request from a Data Subject under any Applicable Data Protection Laws in respect of Client Personal Data; and
      2. ensure that the Contracted Processor does not respond to that request except on the documented instructions of the Client, or as required by Applicable Data Protection Laws to which the Contracted Processor is subject, in which case SourceFound shall, to the extent permitted by Applicable Data Protection Laws, inform the Client of that legal requirement before the Contracted Processor responds to the request.
  8. Personal Data Breach
    1. SourceFound shall notify the Client without undue delay upon SourceFound becoming aware of a Personal Data Breach affecting Client Personal Data under SourceFound's direct control or upon SourceFound being notified of a Personal Data Breach affecting Client Personal Data under the direct control of a Sub-processor.
    2. The notification shall provide the Client with sufficient information to allow the Client to meet any obligations pursuant to the Applicable Data Protection Laws to report to the Supervisory Authorities or any other competent authorities, and/or inform the Data Subjects of the Personal Data Breach.
    3. SourceFound shall cooperate with the Client and take all reasonable commercial steps to assist the Client in the investigation, mitigation, and remediation of each such Personal Data Breach.
    4. SourceFound's notification of or response to a Personal Data Breach under this Section 8 will not be construed as an acknowledgement by SourceFound of any fault or liability with respect to the Personal Data Breach.
  9. Data Protection Impact Assessment and Prior Consultation
    1. SourceFound shall provide the Client with relevant documentation, such as, if available, an audit report (upon a written request and subject to obligations of confidentiality), with regard to any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, when the Client reasonably considers that such data protection impact assessments or prior consultations are required pursuant to Applicable Data Protection Laws (including, without limitation, Article 35 or 36 of the GDPR), but in each such case solely with regard to Processing of Client Personal Data by, and taking into account the nature of the Processing and information available to, the respective Contracted Processors. Such reasonable cooperation will be at Client's expense if it will require SourceFound to assign significant resources to that effort.
  10. Deletion or Return of Client Personal Data
    1. SourceFound shall provide the Client with the technical means, consistent with the way the Services are provided, to request the deletion of Client Personal Data within the term of this Addendum and the Service Agreement, unless Applicable Data Protection Laws require or allow storage of any such Client Personal Data.
    2. SourceFound shall promptly following the date of cessation of Services involving the Processing of Client Personal Data, at the choice of the Client, delete or return all Client Personal Data to the Client, as well as delete existing copies, unless Applicable Data Protection Laws require or allow storage of any such Client Personal Data.
  11. Audit Rights
    1. Where the Client is entitled to and desires to review SourceFound's compliance with the Applicable Data Protection Laws or this Addendum, the Client may request, and SourceFound will provide (subject to obligations of confidentiality) relevant documentation, or any relevant audit report SourceFound might have been issued.
    2. If the Client, after having reviewed such documentation or audit report(s), still reasonably deems that it requires additional information, SourceFound shall further reasonably assist and make available to the Client, upon a written request and subject to obligations of confidentiality, all other information (excluding legal advice) and/or documentation necessary to demonstrate compliance with this Addendum and/or Applicable Data Protection Laws (including, without limitation, Articles 32 to 36 of the GDPR).
    3. SourceFound shall allow for and contribute to audits, including remote inspections of the Services, by the Client or an auditor mandated by the Client, with regard to the Processing of the Client Personal Data by SourceFound, provided that such auditor is not a competitor of SourceFound and is subject to obligations of confidentiality. SourceFound shall provide the assistance described in this Section 11, insofar as in SourceFound's reasonable opinion, such audits and the specific requests of Client do not interfere with SourceFound's business operations or cause SourceFound to breach any legal or contractual obligation to which it is subject. If SourceFound is required to assign significant resources to such audits, Client shall bear the reasonable expenses incurred by SourceFound.
  12. Jurisdiction Specific Terms
    1. To the extent SourceFound Processes Client Personal Data originating from, or protected by, Applicable Data Protection Laws in one of the jurisdictions listed in Exhibit B, then the terms and definitions specified in Exhibit B with respect to the applicable jurisdiction(s) ("Jurisdiction Specific Terms") shall apply in addition to the terms of this Addendum.
    2. SourceFound may update Exhibit B from time to time to reflect changes in or additions to Applicable Data Protection Laws to which relevant Processing operations are subject. If SourceFound updates Exhibit B, it will notify Client in writing. If Client does not object to the updated Exhibit B within ten (10) days of receipt, Client will be deemed to have consented to the updated Exhibit B.
    3. In case of any conflict or ambiguity between the Jurisdiction Specific Terms and any other terms of this Addendum, the applicable Jurisdiction Specific Terms will prevail.
  13. Restricted International Transfers
    1. Restricted International Transfers of Client Personal Data within the scope of this Addendum shall be conducted in accordance with the applicable terms and requirements of Exhibit B and Applicable Data Protection Laws.
    2. Where the Standard Contractual Clauses are the applicable data transfer mechanism according to the terms and requirements set out in Exhibit B, the applicable module of the Standard Contractual Clauses (if any) will be the module applicable to the role of the Parties as described in Section 3.1 of this Addendum and in Exhibit B.
    3. SourceFound may update Exhibits A and B from time to time to reflect changes in or additions necessary to conclude the Standard Contractual Clauses or any other applicable mechanisms for Restricted International Transfers in accordance with the terms of Exhibit B. Without limiting the generality of the foregoing, if the execution of a new version of the Standard Contractual Clauses adopted by the relevant authorities in the jurisdiction governing the processing of Client Personal Data is later required in order for the Parties to rely on the Standard Contractual Clauses as a lawful mechanism for Restricted International Transfers, the Parties are deemed to have agreed to the new version of the Standard Contractual Clauses by signing this Addendum, and, if necessary, SourceFound shall be entitled to update Exhibits A and B accordingly.
    4. SourceFound may update Exhibit C from time to time to provide for additional safeguards to Client Personal Data subject to the requirements of Applicable Data Protection Laws for Restricted International Transfers. If SourceFound updates Exhibit C, it will provide the updated Exhibit C to Client. If Client does not object to the updated Exhibit C within ten (10) days of receipt, Client will be deemed to have consented to the updated Exhibit C.
  14. Indemnification
    1. Client agrees to indemnify and hold harmless SourceFound and its officers, directors, employees, agents, affiliates, successors, and permitted assigns against any and all losses, damages, liabilities, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs, or expenses of whatever kind which SourceFound may sustain as a consequence of the breach by Client of its obligations pursuant to this Addendum and Applicable Data Protection Laws.
  15. General Terms
    1. This Addendum supersedes and replaces all prior and contemporaneous proposals, statements, sales materials, or presentations and agreements, oral and written, with regard to the subject matter of this Addendum, including any prior data processing addenda entered into between SourceFound and Client in connection with the Service Agreement.
    2. All clauses of the Service Agreement that are not explicitly amended or supplemented by the clauses of this Addendum, and as long as this does not conflict with compulsory requirements of Applicable Data Protection Laws under this Addendum, remain in full force and effect and shall apply.
    3. SourceFound may amend the terms of this Addendum, insofar as the revised Addendum continues to comply with the relevant requirements of Applicable Data Protection Laws, upon notice to the Client by email to the primary contact on the account. Any such amendments will automatically become effective within ten (10) days as of SourceFound's transmission of each such notice.
    4. Should any provision of this Addendum be found invalid or unenforceable pursuant to any applicable law, then the invalid or unenforceable provision will be deemed superseded by a valid, enforceable provision that most closely matches the intent of the original provision and the remainder of the Addendum will continue in effect.
    5. If SourceFound makes a determination that it can no longer meet its obligations in accordance with this Addendum, its exhibits, or the Standard Contractual Clauses (where applicable), it shall promptly notify the Client of that determination, and cease the Processing or take other reasonable and appropriate steps to remediate the lack of compliance.

Exhibit A

  1. Pursuant to Article 28(3) of the GDPR, further details of the Processing, in addition to the ones laid down in the Service Agreement and this Addendum, include:
    1. The subject matter of the Processing of Client Personal Data is:
      1. The subject matter of the Processing of Client Personal Data pertains to the provision of Services, as requested by the Client.
    2. The duration of the Processing of Client Personal Data is:
      1. The duration of the Processing of Client Personal Data is generally determined by the Client and is subject to the term of this Addendum and the Service Agreement, respectively, in the context of the contractual relationship between SourceFound and the Client.
    3. The nature and purpose of the Processing of Client Personal Data is:
      1. The purpose of Processing of Client Personal Data pertains to the provision of Services, as requested by the Client. The nature of such Processing is related to these purposes and is elaborated on in this Addendum and the Service Agreement, including but not limited to the transmission, storage, and other Processing of Personal Data submitted to the Services.
    4. The types of Client Personal Data to be Processed are:
      1. The types of Client Personal Data are determined by the Client. Such data includes unique identifiers (e.g., user IDs, IP addresses); contact information (e.g., name, address, email, phone numbers); and information about transactions and communications. Client Personal Data may include Special Categories of Personal Data if Client is a trade union and provides data relating to trade union membership.
    5. The categories of Data Subjects to whom the Client Personal Data relates are:
      1. The categories of Data Subjects are determined by the Client. Such data subjects include members of professional and other associations, as well as donors, customers, and website users of the Client.
    6. The obligations and rights of the Client are:
      1. The rights and obligations of the Client are set out in the Service Agreement and this Addendum.
    7. The categories of third-party recipients to which the Client Personal Data may be disclosed or shared are:
      1. The list of approved Sub-processors, as of the date of this Addendum, to whom Client Personal Data may be disclosed, is set out in Exhibit D.
    8. The basic Processing activities to which the Client Personal Data will be subject include, without limitation:
      1. Collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction for the purpose of providing the Services to Client in accordance with the terms of the Service Agreement.
    9. Description of the technical and organizational security measures ("TOMs") implemented by SourceFound:
      Type of TOMs | Description of TOMs
      Measures for pseudonymization and encryption of Personal Data:
      • Secure implementation of the Transport Layer Security (TLS) protocol version 1.2 or higher for Personal Data in transit using a minimum of 128-bit encryption or 256-bit encryption if applicable
      • Encryption of Personal Data in transit through TLS
      • Encryption of all remote accesses for system maintenance or configuration relating to Personal Data
      Measures for ensuring ongoing confidentiality, integrity, availability and resilience of Processing systems and services:
      • Implementation and enforcement of internal security policies, including logging of employee data access
      • Implementation of an in-house detection system and intrusion prevention system to protect system infrastructure
      • Firewall protection of external points of connectivity in network architecture
      • Storage of Personal Data on servers with redundancy and regular back-up
      • Identity and Access Management that includes separation of duties and least privilege
      • Expedited patching of known exploitable vulnerabilities in the software applications and IT systems
      Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident:
      • Maintain database and server redundancies with automatic failover
      • Create and maintain backups of Personal Data
      • Documented disaster recovery plan for recreating servers and restoring Personal Data from backups
      Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure the security of the Processing:
      • Periodic vulnerability scans on systems used for Processing Personal Data by an Approved Scanning Vendor (ASV)
      • Regular review of organizational security and employee adherence to information security policy
      Measures for user identification and authorization:
      • Software design to restrict access to only authorized users
      • Role-based access authorization policy based on least privilege and need to know
      • Maintenance of logs of all user access authorizations
      • Assignment of a uniquely identifiable ID to each user
      Measures for the protection of Personal Data during transmission:
      • Encryption of Personal Data during transmission using the Transport Layer Security (TLS) protocol version 1.2 or higher with a minimum of 128-bit encryption or 256-bit encryption if applicable
      Measures for the protection of Personal Data during storage:
      • Secure configuration for database servers and network devices, such as firewalls, routers, and switches
      • Implementation of secure access to storage based on least privilege and need to know
      Measures for ensuring physical security of locations at which Personal Data are Processed:
      • Physical access controls implemented by Sub-processors. SourceFound has no physical access to servers.
      Measures for ensuring events logging:
      • Retention of audit logs in accordance with legal requirements
      Measures for ensuring system configuration, including default configuration:
      • Regular synchronization of servers to a secure master image or template
      • Storage of the master images and templates on securely configured devices, validated by personnel, to ensure that only authorized changes to the images are possible
      Measures for internal IT and IT security governance and management:
      • Documented information security policy
      • Employee training on information security policy
      Measures for certification/assurance of processes and products:
      • Policies and procedures to ensure compliance with applicable legislative and regulatory requirements
      • Maintenance of relevant certifications such as PCI DSS
      Measures for ensuring data minimization:
      • Software development process focused on data minimization
      • Internal processes to remove Personal Data from its systems as soon as that Personal Data is no longer required under the terms of the Service Agreement
      Measures for ensuring data quality:
      • Implement and maintain appropriate technical controls to prevent, detect, and correct data integrity errors
      Measures for ensuring limited data retention:
      • Implementation of an internal retention schedule for Personal Data, including backups, based on legal and regulatory requirements
      Measures for ensuring accountability:
      • Information security training for all employees
      • Procedures for discipline and sanctions when employees violate information security policy, non-disclosure agreements, and other policies relating to Personal Data
      Measures for allowing data portability and ensuring erasure:
      • Maintenance of a data model that identifies all locations where a Data Subject's Personal Data is stored
      • Allow Client to create and configure a self-service portal for Data Subjects to access, export, or update their Personal Data
      • Client is able to export Personal Data in CSV format (to the extent allowed by the format)
      • Provide API access upon demand for Client to export their Personal Data in JSON format
      • Client is able to anonymize or erase Personal Data via a self-service portal
      Information about Contracted Processors' TOMs:

      In addition to the requirements set forth in Section 6.4 of this Addendum, SourceFound must ensure that the agreement with each Sub-processor allows SourceFound to meet its respective obligations with respect to Client. In addition to implementing technical and organizational measures to protect Client Personal Data, Sub-processors must:

      • notify SourceFound in the event of a Personal Data Breach so that SourceFound may immediately notify Client;
      • delete Client Personal Data when instructed by SourceFound in accordance with Client's instructions to SourceFound;
      • not engage additional Sub-processors without SourceFound's authorization;
      • not change the location where Client Personal Data is processed without SourceFound's authorization; and
      • not process Client Personal Data in a manner which conflicts with Client's instructions to SourceFound.
    10. Frequency of the transfer:
      1. Regular and repeating for as long as the Client uses the Services.
    11. Further processing:
      1. SourceFound shall not carry out any further Processing of Client Personal Data beyond the provision of the Services under the Service Agreement.
    12. The identity and contact information of the Data Protection Officer of SourceFound:
      1. Not applicable.
    13. The identity and contact information of the EU representative of SourceFound:
      1. VeraSafe Czech Republic s.r.o.
        Klimentská 46
        Prague 1, 11002
        Czech Republic

        VeraSafe Ireland Ltd.
        Unit 3D North Point House
        North Point Business Park
        New Mallow Road
        Cork T23AT2P
        Ireland
    14. The identity and contact information of the UK representative of SourceFound:
      1. VeraSafe United Kingdom Ltd.
        37 Albert Embankment
        London SE1 7TL
        United Kingdom
    15. The identity and contact information of the Data Protection Officer of the Client:
      1. Client shall provide the identity and contact details of Client's Data Protection Officer in the form located under Organization Settings > GDPR at https://membershipworks.com/admin/, if applicable.
    16. The identity and contact information of the EU representative of the Client:
      1. Client shall provide the identity and contact details of Client's European Union Representative in the form located under Organization Settings > GDPR at https://membershipworks.com/admin/, if applicable.
    17. The identity and contact information of the UK representative of the Client:
      1. Client shall provide the identity and contact details of Client's United Kingdom Representative in the form located under Organization Settings > GDPR at https://membershipworks.com/admin/, if applicable.
    18. The period for which the Client Personal Data will be retained:
      1. Client Personal Data is retained for the duration of the Service Agreement plus an additional ninety (90) days from the date of termination of the Service Agreement due to backup retention periods.
    19. The following is deemed an instruction by Client to Process Client Personal Data:
      1. Processing in accordance with the Service Agreement.
      2. Processing initiated by Data Subjects in their use of the Services.
      3. Processing to comply with other reasonable documented instructions provided by Client (e.g. via account configuration, via email).

Exhibit B

  1. European Economic Area
    1. Definitions
      1. "EEA" means the European Economic Area, consisting of the EU Member States, and Iceland, Liechtenstein, and Norway.
      2. "EEA Data Protection Laws" means the EU GDPR and all laws and regulations of the EEA, applicable to the Processing of Client Personal Data.
      3. "EU 2021 Standard Contractual Clauses" means the contractual clauses adopted by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
    2. With regard to any Restricted International Transfer subject to EEA Data Protection Laws from Client to SourceFound within the scope of this Addendum, one of the following transfer mechanisms shall apply, in the following order of precedence:
      1. A valid adequacy decision adopted by the European Commission on the basis of Article 45 of the EU GDPR.
      2. The EU 2021 Standard Contractual Clauses (insofar as their use constitutes an "appropriate safeguard" under Article 46 of the EU GDPR).
      3. Any other lawful data transfer mechanism, as laid down in the EEA Data Protection Laws, as the case may be.
    3. EU 2021 Standard Contractual Clauses:
      1. This Addendum hereby incorporates by reference the EU 2021 Standard Contractual Clauses. The Parties are deemed to have accepted, executed, and signed the Standard Contractual Clauses where necessary in their entirety (including the annexures thereto).
      2. The Parties agree that any references to sections, annexures, exhibits, modules and choices within the Standard Contractual Clauses as set out in this Section 1.3 of Exhibit B, shall be deemed to be the same as the cognate and corresponding references to sections, annexures, exhibits, modules, and choices within any appropriate, updated Standard Contractual Clauses as may be applicable from time to time pursuant to this Addendum.
      3. For the purposes of the annexures to the EU 2021 Standard Contractual Clauses and any substantially similar Standard Contractual Clauses which may be adopted by the relevant authorities in the future:
        1. Annex I(A): The content of Annex I(A) is set forth in Exhibit A, except that the Parties' controllership roles are set forth in Section 3.1 of this Addendum.
        2. Annex I(B): The content of Annex I(B) is set forth in Exhibit A.
        3. Annex I(C): The content of Annex I(C) is set forth in Section 1.3(e)(iv) of this Exhibit B.
        4. Annex II: The content of Annex II is set forth in Exhibit A.
      4. The Parties agree to apply the following modules:
        1. Module two of the EU 2021 Standard Contractual Clauses when, in accordance with Section 3.1 of the Addendum, the Data Exporter is the Client and acts as a Controller and the Data Importer is SourceFound and acts as a Processor.
      5. The Parties further agree to the following choices under the EU 2021 Standard Contractual Clauses:
        1. Clause 7: The parties choose not to include the optional docking clause.
        2. Clause 9(a): The Parties select Option 2, "General Written Authorization" and the time period set forth in Section 6.3 of this Addendum. The procedures for designation and notification of new Sub-processors are set forth in more detail in Section 6 of this Addendum.
        3. Clause 11: The Parties choose not to include the optional language relating to the use of an independent dispute resolution body.
        4. Clause 13 and Annex I.C: The Parties agree that the competent Supervisory Authority shall be determined by the location of the data exporter or its data protection representative in the EEA. If the data exporter is not established in an EEA country and the processing activities are subject to the GDPR by virtue of application of Article 3(2) GDPR, and the data exporter does not have a data protection representative under Article 27 GDPR, the exporter will select the relevant Supervisory Authority and Territory and inform the data importer accordingly.
        5. Clause 17: The clauses shall be governed by the laws of the Republic of Ireland.
        6. Clause 18: The Parties agree that any dispute arising from the EU 2021 Standard Contractual Clauses shall be resolved by the courts of the Republic of Ireland.
    4. The terms contained in Exhibit C to this Addendum supplement the EU 2021 Standard Contractual Clauses.
    5. In cases where the EU 2021 Standard Contractual Clauses apply and there is a conflict between the terms of the Addendum and the terms of the EU 2021 Standard Contractual Clauses, the terms of the EU 2021 Standard Contractual Clauses shall prevail.
  2. Switzerland
    1. Definitions
      1. "FDPIC" means the Swiss Federal Data Protection and Information Commissioner.
      2. "Swiss Data Protection Laws" includes the Federal Act on Data Protection of 19 June 1992 ("FADP") and the Ordinance to the Federal Act on Data Protection.
    2. With regard to any Restricted International Transfer subject to Swiss Data Protection Laws from the Client to SourceFound within the scope of this Addendum, one of the following transfer mechanisms shall apply, in the following order of precedence:
      1. The inclusion of the Third Country, a territory, or one or more specified sectors within that Third Country, or the international organization in question to which Client Personal Data is to be transferred in the list published by the Swiss Federal Data Protection and Information Commissioner of states that provide an adequate level of protection for Client Personal Data within the meaning of the FADP.
      2. The Standard Contractual Clauses (insofar as their use constitutes an "appropriate safeguard" under Swiss Data Protection Laws).
      3. Any other lawful transfer mechanism, as laid down in Swiss Data Protection Laws.
    3. Standard Contractual Clauses:
      1. This Addendum hereby incorporates by reference the EU 2021 Standard Contractual Clauses, which have been adopted for use by the FDPIC with certain modifications. The Parties are deemed to have accepted, executed, and signed the Standard Contractual Clauses with the modifications required by the FDPIC where necessary in their entirety (including the annexures thereto).
      2. The Parties incorporate and adopt the EU 2021 Standard Contractual Clauses for Restricted International Transfers subject to Swiss Data Protection Laws in the same manner set forth in Sections 1.3 and 1.4 of this Exhibit B, subject to the following:
        1. Clause 13 (Annex I.C): The competent authority shall be the FDPIC. Nothing about the Parties' designation of the competent Supervisory Authority shall be interpreted to preclude Data Subjects in Switzerland from applying to the FDPIC for relief.
        2. Clause 18: The Parties' selection of forum may not be construed as forbidding Data Subjects habitually resident in Switzerland from suing for their rights in Switzerland.
        3. References to "Regulation (EU) 2016/679" and specific articles therein shall be replaced with references to the FADP and the equivalent articles or sections therein, insofar as there are any Restricted International Transfers subject to Swiss Data Protection Laws.
        4. The Standard Contractual Clauses also protect the data of legal entities until the entry into force of the revised FADP.
    4. In cases where the Standard Contractual Clauses apply and there is a conflict between the terms of this Addendum and the terms of the Standard Contractual Clauses, the terms of the Standard Contractual Clauses shall prevail with regard to the Restricted International Transfer in question.
  3. United Kingdom
    1. Definitions
      1. "UK Data Protection Laws" includes the Data Protection Act 2018 and the UK GDPR (as defined below).
      2. "UK GDPR" means the United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
      3. "UK ICO" means the UK Information Commissioner's Office.
      4. "UK IDTA" means the International Data Transfer Agreement Version A1.0 issued pursuant to Section 119A(1) of the Data Protection Act 2018 and approved by the UK Parliament.
    2. With regard to any Restricted International Transfer subject to UK Data Protection Laws from the Client to SourceFound within the scope of this Addendum, one of the following transfer mechanisms shall apply, in the following order of precedence:
      1. A valid adequacy decision adopted pursuant to Article 45 of the UK GDPR.
      2. The UK IDTA.
      3. Any other lawful data transfer mechanism, as laid down in the UK Data Protection Laws, as the case may be.
    3. UK IDTA:
      1. This Addendum hereby incorporates by reference the UK IDTA, as accepted, executed and signed by the Parties, the terms of which are available at https://membershipworks.com/uk-international-data-transfer-addendum/.
      2. In cases where the UK IDTA applies and there is a conflict between the terms of this Addendum and the terms of the UK IDTA (as accepted, executed, and signed by the Parties), the terms of the UK IDTA shall prevail.

Exhibit C

Supplemental Clauses to the Standard Contractual Clauses

By this Exhibit C (this "Exhibit"), the Parties provide additional safeguards and redress to the Data Subjects whose Personal Data is transferred to SourceFound pursuant to the Standard Contractual Clauses. This Exhibit supplements and is made part of, but is not in variation or modification of, the Standard Contractual Clauses that may be applicable to the Restricted International Transfer.

  1. Applicability of this Exhibit
    1. This Exhibit only applies with respect to Restricted International Transfers when the Standard Contractual Clauses apply to such Restricted International Transfers pursuant to the Addendum and its exhibits.
    2. Definitions. For the purpose of interpreting this Exhibit, the following terms shall have the meanings set out below:
      1. "Data Importer" and "Data Exporter" shall have the same meaning assigned to them in Exhibit B.
      2. "EO 12333" means U.S. Executive Order 12333.
      3. "FISA" means the U.S. Foreign Intelligence Surveillance Act.
      4. "Schrems II Judgment" means the judgment of the European Court of Justice in Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximilian Schrems.
  2. Applicability of Surveillance Laws to Data Importer
    1. U.S. Surveillance Laws:
      1. Data Importer represents and warrants that, as of the Effective Date, it has not received any national security orders of the type described in Paragraphs 150-202 of the Schrems II Judgment.
      2. Data Importer represents that it reasonably believes that it is not eligible to be required to provide information, facilities, or assistance of any type under FISA Section 702 because:
        1. No court has found Data Importer to be an entity eligible to receive process issued under FISA Section 702: (i) an "electronic communication service provider" within the meaning of 50 U.S.C. § 1881(b)(4); or (ii) an entity belonging to any of the categories of entities described within that definition.
        2. If Data Importer were to be found eligible for process under FISA Section 702, which it believes it is not, it is nevertheless also not the type of provider that is eligible to be subject to UPSTREAM collection pursuant to FISA Section 702, as described in paragraphs 62 and 179 of the Schrems II Judgment.
      3. EO 12333 does not provide the U.S. government the ability to order or demand that Data Importer provide assistance for the bulk collection of information and Data Importer shall take no action pursuant to U.S. Executive Order 12333.
    2. General provisions about surveillance laws applicable to Data Importer:
      1. Data Importer commits to provide, upon request, information about the laws and regulations in the destination countries of the transferred Client Personal Data applicable to Data Importer and the Sub-processors directly contracted by Data Importer that would permit access by public authorities to the transferred Client Personal Data, in particular in the areas of intelligence, law enforcement, or administrative and regulatory supervision applicable to the transferred Client Personal Data. In the absence of laws governing the public authorities' access to Client Personal Data, Data Importer shall provide Data Exporter with information and statistics based on the experience of Data Importer or reports from various sources (such as partners, open sources, national case law, and decisions from oversight bodies) on access by public authorities to Personal Data in situations of the kind of data transfer at hand. Data Importer providing the information referred to in this subparagraph may choose the means to provide the information.
  3. Backdoors
    1. Data Importer certifies that:
      1. It has not purposefully created backdoors or similar programming for governmental agencies that could be used to access Data Importer's systems or Client Personal Data subject to the Standard Contractual Clauses;
      2. It has not purposefully created or changed its business processes in a manner that facilitates government access to Client Personal Data or systems; and
      3. National law or government policy does not require Data Importer to create or maintain back doors or to facilitate access to Client Personal Data or systems.
    2. Data Exporter will be entitled to terminate the Service Agreement on short notice in cases in which Data Importer does not reveal the existence of a back door or similar programming or manipulated business processes or any requirement to implement any of these or fails to promptly inform Data Exporter once their existence comes to its knowledge.
  4. Information About Legal Prohibitions
    1. Data Importer will provide Data Exporter information about the legal prohibitions on Data Importer to provide information under this Exhibit. Data Importer may choose the means to provide this information.
  5. Additional Measures to Prevent Authorities from Accessing Client Personal Data
    1. Notwithstanding the application of the security measures set forth in the Addendum, Data Importer will implement internal policies establishing that:
      1. Data Importer must require an official, signed document issued pursuant to the applicable laws of the requesting third party before it will consider a request for access to transferred Client Personal Data;
      2. Data Importer's senior legal team and corporate management shall be notified upon receipt of each request or order for transferred Client Personal Data;
      3. Data Importer shall scrutinize every request for legal validity and, as part of that procedure, will reject any request Data Importer considers to be invalid;
      4. If Data Importer is legally required to comply with an order, it will respond as narrowly as possible to the specific request; and
      5. If Data Importer receives a request from public authorities to cooperate on a voluntary basis, Client Personal Data transmitted in plain text may only be provided to public authorities with the express agreement of Data Exporter.
  6. Termination
    1. This Exhibit shall automatically terminate with respect to the Processing of Client Personal Data transferred in reliance on the Standard Contractual Clauses if the European Commission or a competent regulator approves a different transfer mechanism that would be applicable to the Restricted International Transfers covered by the Standard Contractual Clauses (and, if such mechanism applies only to some of the data transfers, this Exhibit will terminate only with respect to those transfers) and that does not require the additional safeguards set forth in this Exhibit.

Exhibit D

List of Subprocessors

Below is a list of the Sub-processors of SourceFound, current as of the Effective Date of the Addendum, pursuant to Article 6.2 of the Addendum:

  1. Amazon Web Services, Inc – U.S.A.;
  2. Twilio, Inc – U.S.A.;
  3. Quality Unit, LLC – U.S.A.;
  4. G Suite (Google, Inc.) – U.S.A.;
  5. MongoDB, Inc. – U.S.A.