PART A – INTRODUCTION
This section outlines the content of the DPA.
- 1. This data processing addendum (“DPA”) is part of the Agreement (as defined in Part C, Section 1 below) between Customer and Notabene, and consists of five parts:
- Part A – Introduction
- Part B – Cover Page
- Part C – Data Processing Terms for Notabene Transact and Notabene Flow (collectively, the “Services”)
- Part D – Data Processing Terms for Notabene Flow only
- Part E – Annexes 1-7 – Comprising mandatory forms required under the European Commission’s Standard Contractual Clauses, the UK Information Commissioner’s International Data Transfer Addendum, and Switzerland’s Federal Act on Data Protection, including a Subprocessor list, and United States specific terms.
- 2. For the purposes of this DPA, capitalized terms shall have the meaning given to them in the Agreement unless specified in Section 1 of Part C to this DPA.
- 3. This DPA forms part of and is incorporated by reference into the Agreement, and it governs Notabene’s processing of Personal Data in connection with the Notabene Flow and Notabene Transact Services.
- 4. Following are selected definitions, in addition to those provided in Part C, Section 1:
- a) “Notabene Flow,” referred to herein as “Flow,” is a unified, open-loop payment coordination network that enables Customers to conduct compliant digital asset transactions. Flow utilizes its standard Transaction Authorization Protocol (TAP) for secure pre-settlement authorization messaging and coordination between Customers, and for exchanging authorization, identity, compliance, and policy information among Customers. Flow also enables unique payment links to coordinate transactions without requiring direct blockchain address exchange. Flow includes the software platform, systems, interfaces, tools and APIs operated by Notabene and any updates thereto.
- b) “Notabene Transact,” referred to herein as “Transact,” is a Software as a Service (SaaS) compliance solution for implementing and operationalizing the crypto Travel Rule requirements. The solution encompasses an end-to-end encrypted messaging protocol and a unified transaction risk management platform that enables real-time compliance with the Travel Rule and the identification and verification of counterparties’ and end-users’ information in a transaction. Transact includes the software platform, systems, interfaces, tools and APIs operated by Notabene and any updates thereto.
- c) “Agreement” means the Main Services Agreement, Subscription Services Agreement, or any other customer or services agreement between Customer and Notabene, and/or any Addendum, Exhibit, or other document incorporated therein or amendment thereto, together with any applicable Order Forms or other binding ordering terms that reference the relevant agreement or document, under which Customer subscribes to one or more Services, including Flow and/or Transact, as well as any End User License Agreement (e.g., through resellers) or Network Participation Agreement (each, a “EULA”) between Notabene and an end user of Transact. (Note: “End User” as used in a EULA is a “Customer” herein.)
PART B – COVER PAGE
This Part B – Cover Page includes Parts B(1), B(2) and B(3).
Part B(1) includes definitions of key terms that are important for interpreting the roles and processing descriptions in Part B.
Part B(2) is a listing of the potential roles of each party acting as a controller or processor related to the processing of personal data, setting forth the nature of each role based upon the service (Transact or Flow) being used.
Part B(3) includes additional terms that apply globally to this DPA.
PART B(1) – LIST OF PARTIES
FLOW ONLY PARTIES:
PART B(2) – PROCESSING DESCRIPTION:
TRANSACT ONLY:
Module 2: Controller to Processor (Transact)
(A) Transfers from Customer to Notabene
- Data Exporter/Controller: Customer, acting in its role as controller of Personal Data under the Agreement.
- Data Importer/Processor: Notabene
- Categories of data subjects: Customers’ end users and counterparties involved in value transfers, and Customer’s authorized users (employees and contractors) that access the Services dashboard or APIs.
- Categories of personal data: Identifying information, know-your-customer (KYC) / anti-money laundering (AML) data, transaction details, payment instructions, virtual asset transfer details including originator and beneficiary names, wallet or blockchain addresses or account numbers, customer account identifiers, identification numbers such as passport or national ID, and the identities of the relevant virtual asset service providers or financial institutions, together with any other personal data required under applicable implementations of the FATF Travel Rule and corresponding local regulations, and related payment instructions, and Account Data.
- Sensitive data (if any): None anticipated.
- Frequency: Continuous
- Nature and subject matter: Collection, storage, transfer, and processing of personal data to support Travel Rule messaging, counterparty verification, and related processing of virtual asset transfer information.
- Purposes: Execution of payment by Customer, compliance with Customer instructions, and enabling Travel Rule messaging, counterparty verification, and related regulatory compliance for virtual asset transfer.
- Duration/retention: For the duration of the contractual relationship, or as required by applicable legal or regulatory obligations.
FLOW ONLY:
Module 2: Controller to Processor (Flow)
(B) Transfers from Customers to Notabene
- Data Exporter/Controller: Initiating Agent or Responding Agent. In this Section (B), “Customer” will only refer to Initiating Agent or Responding Agent.
- Data Importer/Processor: Notabene
- Categories of data subjects: Customers/End Users, including originators and beneficiaries.
- Categories of personal data: Identifying information, KYC/AML data, transaction details, payment instructions, and Account Data.
- Sensitive data (if any): None anticipated.
- Frequency: Continuous
- Nature and subject matter: Collection, storage, transfer, processing per Customer instruction, to execute payment or comply with Agent requirements.
- Purposes: Execution of payment, compliance with Customer instructions.
- Duration/retention: For the duration of the contractual relationship, or as required by applicable legal or regulatory obligations.
Module 2: Controller to Processor (Flow)
(C) Transfers from Notabene (as Controller) to Infrastructure Provider (as Processor)
- Data Exporter/Controller: Notabene
- Data Importer/Processor: Infrastructure Provider
- Categories of data subjects: Same as above
- Categories of personal data: Same as above
- Sensitive data (if any): None anticipated.
- Frequency: Continuous
- Nature and subject matter: Transmission, transaction processing, technical facilitation by Infrastructure Providers on Notabene’s instructions.
- Purposes: Completion of payment transaction and related technical processes.
- Duration/retention: For transaction completion or as required by law.
Module 4: Processor to Controller (Flow)
(D) Processing by Infrastructure Provider for Regulatory Compliance
- Data Exporter/Controller: Notabene
- Data Importer/Processor: Infrastructure Provider
- Categories of data subjects: Individuals associated with business clients of the Initiating Agent or Responding Agent, including directors, officers, employees, authorized signers, Beneficial Owners, or any other natural person whose information is required for regulatory compliance (including AML/KYC) in connection with transactions.
- Categories of personal data: KYC/AML information (for example identification details, ownership and control information), transaction‑related information, unique identifiers, and other personal data required for the Infrastructure Provider’s regulatory compliance obligation.
- Sensitive data (if any): Only to the extent required by applicable regulatory processes (for example where mandated by AML/KYC rules); no special categories of personal data are intentionally sought beyond what is necessary for compliance.
- Frequency: As needed for Infrastructure Provider’s legal requirements.
- Nature and subject matter: Infrastructure Provider’s processing of personal data for its own legal, compliance, and audit obligations connected to the transaction flow.
- Purposes: Compliance with AML, KYC, and other legal and regulatory obligations imposed on the Infrastructure Provider.
- Duration/retention: As required by local law and regulations governing the Infrastructure Provider.
Module 1: Controller to Controller (Flow)
(E) (If applicable) Direct transfers between Initiating and Responding Agents
- Data Exporter/Controller: Initiating Agent
- Data Importer/Processor: Responding Agent
- Categories of data subjects: End-customers/user(s) of the Initiating Agent and/or Responding Agent
- Categories of personal data: Same as above
- Sensitive data (if any): As above
- Nature, frequency, purposes: As above, but explicitly for bilateral compliance/settlement between two controllers where Notabene is not acting as intermediary.
- Duration/retention: As agreed between controllers and required by law.
PART B(3) – OTHER INFORMATION (Transact and Flow)
- Competent Supervisory Authority: As appropriate for each controller or processor; e.g., Irish DPC for Notabene if EU-based.
- Governing Law: As established in the Agreement (e.g., Irish or English law for Notabene).
- Choice of forum and jurisdiction: As above, per contractual agreement.
- Subprocessors:
- Notabene:
For Transact and Flow:
Subprocessors are listed in Annex 6 and at https://trust.notabene.id/subprocessors; this list may be updated online, upon sixty (60) days’ prior notice.
For Flow only:
Infrastructure Providers, as disclosed for each transaction.
- Each Customer: As specified.
- Retention:
Per each party’s documented business need and legal obligations. The Services, including Flow and Transact, may be used by Customers to support compliance with anti-money laundering (AML), counter-terrorism financing (CTF), sanctions, and Travel Rule obligations, including implementations of FATF Recommendation 16, to the extent such obligations apply to each Customer as controller under Applicable Law.
PART C – DATA PROCESSING TERMS
Part C of the DPA sets forth the remaining definitions, describes in detail the obligations related to the transfer and processing of Personal Data, sets forth the parties’ obligations related to Personal Data (including compliance with applicable law and confidentiality obligations), termination and the effect of termination, and controlling law and venue for enforcement. The following terms apply to both Transact and Flow, except where expressly stated, in which case those terms only apply to Flow.
1. Definitions
For the purposes of this DPA, the following terms are in addition to the terms set forth in Part B and shall have the following meanings unless the context otherwise requires:
(a)
The terms “Data Subject,” “Personal Data,” “Personal Data Breach,” “processing,” “processor,” “controller,” and “supervisory authority” shall have the meanings set forth, as applicable, in the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR” or “GDPR”), the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK GDPR”), the Argentina Personal Protection Law, Argentine Law No. 25.326, Regulatory Decree 1558/2001 (“Argentina PDPL”), Bahrain Law No. 30 of 2018 of the Kingdom of Bahrain (“Bahrain PDPL”), Brazil Law No. 13.709/18 (“LGPD”), the Swiss New Federal Act on Data Protection (“FADP” or “Swiss FADP”), the Personal Data Protection Act 2012 of Singapore (“PDPA”), United Arab Emirates (“UAE”) Personal Data Protection Law (Federal Decree Law No. 45 of 2021 Regarding the Protection of Personal Data)(“UAE PDPL”), the Abu Dhabi Global Market (“ADGM”) Data Protection Regulations 2021 and the Dubai International Financial Center (“DIFC”) Law No. 5 of 2020, Law on Protection of Personal Data No.6698 of Türkiye (“Turkish PDPL”), or the California Consumer Privacy Act, as amended by the California Privacy Rights Act of 2020 (“CCPA”). If no definition is provided by the applicable law, the definition set in the EU GDPR shall prevail. Notwithstanding the foregoing, all references to “Personal Data,” “Data Subject,” “Controller,” and “Processor” in the DPA (the latter two terms as defined below) shall be deemed to be references to “Personal Information,” “Consumer,” “Business,” and “Service Provider,” respectively, as defined in the CCPA.
(b)
“Account Data” means, in respect of any Customer or Subprocessor's platform or flow, any contact details, financial data (transaction history, account numbers, balances), details of payors and payees (including name, payment references, card/account identifiers), and any other business client or transaction-related information Processed for the purposes of Flow.
(c)
“ADGM” means the data protection regulations issued by the Abu Dhabi Global Market, establishing a comprehensive framework, broadly aligned with GDPR-style principles, for the lawful processing and cross-border transfer of personal data within the ADGM financial free zone.
(d)
“Applicable Data Protection Laws” means all laws and regulations applicable to a party’s Processing of Data under the Agreement, including, without limitation, the GDPR, UK GDPR, Brazil PDPL, LGPD, UAE PDPL, Swiss FADP, PDPA, Turkish PDPL, the CCPA, the applicable privacy laws of the United States and its states (in addition to California), and any other applicable privacy/data protection laws worldwide, as amended from time to time.
(e)
“Argentina PDPL” means the Personal Data Protection Law of Argentina, namely Argentine Law No. 25.326 and its Regulatory Decree 1558/2001, enacted to regulate the protection and lawful processing, including cross-border transfers, of personal data.
(f)
“Bahrain PDPL” means Law No. 30 of 2018 of the Kingdom of Bahrain with respect to Personal Data protection, together with its implementing resolutions and regulatory guidelines, enacted to govern the protection and lawful processing, including cross-border transfers, of personal data.
(g)
“ASEAN MCCs” means the Model Contractual Clauses, to which Singapore adheres, developed by the Association of Southeast Asian Nations (“ASEAN”) to facilitate the lawful transfer of personal data across borders.
(h)
“Beneficial Owners” means any individual natural persons such as directors, shareholders, UBOs, or authorized signatories associated with any Customer or business entity whose data is necessary for compliance or transaction processing.
(i)
"Controller Purposes" means actions required to fulfill contractual and legal/regulatory duties for which a party is an independent controller under applicable law, including AML/KYC, recordkeeping, regulatory audits, and compliance-related retention or disclosure.
(j)
“Controller to Controller Clauses” means the standard contractual clauses for transfers between independent controllers under GDPR Module 1, UK IDTA, or equivalent.
(k)
"Customer Controlled Data" means Personal Data provided by or on behalf of Customer that Notabene processes in accordance with the documented instructions of Customer.
(l)
"Data" and “Personal Data” means any personal information processed by or on behalf of a party in connection with Transact or Flow, including Notabene Controlled Data, Customer Controlled Data, or any regulated data flow.
(m)
“Data Controller” (also “Controller”), “Data Processor” (also “Processor”), “Data Subject,” “Personal Data,” “Process,” and “Processing” have the meanings set out in Applicable Data Protection Laws.
(n)
"Data Exporter" and "Data Importer" have the meanings given in Part B and, as relevant, the SCCs or IDTA.
(o)
“Data Protection Impact Assessment” (“DPIA”) means an assessment carried out to evaluate the impact of envisaged processing operations on the protection of personal data, as may be required under Applicable Data Protection Laws.
(p)
“Data Subject” means the natural person that the Personal Data relates to.
(q)
“Data Subject Rights” means the rights of individuals under Applicable Data Protection Laws, including but not limited to the rights of access, rectification, restriction, erasure, portability, and objection to processing.
(r)
“DIFC” means the Data Protection Law of the Dubai International Financial Center, which sets out a GDPR-influenced regime governing the protection, lawful processing, and cross-border transfer of personal data within the DIFC financial free zone.
(s)
“EU SCCs” means the Standard Contractual Clauses based on the Commission Implementing Decision (EU) 2021/914, of 4 June 2021, as amended or updated from time to time, incorporated into this DPA by reference.
(t)
“FADP” or “Swiss FADP” means the Swiss Federal Act on Data Protection, effective September 1, 2023, a federal statute of Switzerland that protects the personal and fundamental rights of individuals whose personal data is processed and governs, among other matters, the lawful cross-border transfer of such data.
(u)
"Independent Controller Onboarding Data" means Onboarding Data for which both Notabene and the Customer or Infrastructure Provider are acting as controllers under their respective Controller Purposes.
(v)
"Infrastructure Controlled Data" means Personal Data that an Infrastructure Provider processes as a Controller for Regulatory Compliance Purposes and that Notabene also processes.
(w)
“KYC Persons” means any natural person associated with a business entity (such as a director, shareholder, signatory, or representative) whose Personal Data is required for KYC and/or onboarding as part of the Flow compliance process.
(x)
“Lawful Export Measure” means any contract clause, mechanism, or approval required for lawful cross-border transfers of Personal Data as stipulated by applicable Data Protection Laws.
(y)
“LGPD” means the Brazilian General Data Protection Law, Brazil Law No. 13.709/18, which establishes a comprehensive legal framework for the protection and lawful processing, including cross‑border transfers, of personal data in Brazil.
(z)
“Notabene Controlled Data” means Personal Data provided to Notabene in connection with the operation and management of Flow for which Notabene acts as a Controller, as specified in Part B. For clarity, Notabene Controlled Data does not include Personal Data that Notabene processes solely in its capacity as a processor under the Transact service.
(aa)
“Notabene Controller Purposes” means to:
- discharge obligations under the Agreement and provide Flow and related services to the Customers;
- select and direct Infrastructure Providers or Subprocessors;
- comply with Notabene’s obligations under Applicable Law, including AML, identity verification, and KYC requirements;
- fulfill regulatory or law enforcement requests and monitor, prevent, or detect fraud or illegal activity; and
- any purpose set out in Notabene’s Privacy Policy at https://notabene.id/privacy-policy as relates to the provision of Flow or Transact.
(bb)
“Onboarding Data” means all information and documents required to establish or verify identity or business association for any business entity, including identification documents, Beneficial Owner statements, regulatory declarations, and credential/authorization proof, as well as relevant verification results.
(cc)
"Payment and Fee Instructions Data" means data required to execute payment instructions, allocate funds, and collect fees, including instructions about splitting/distribution, fee amounts, and settlement details.
(dd)
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
(ee)
“Processed Data” means all personal data processed by the Processor on behalf of the Customer under the Services, as set forth in Annex 1.
(ff)
“Processor to Controller Clauses” means SCC Module 4 or equivalent, for Processor-to-Controller cross-border transfers.
(gg)
“Regulator” means any regulatory or data protection authority with lawful oversight over a party’s Processing.
(hh)
“Regulatory Compliance Purposes” means processing activities undertaken by a party as a controller to fulfil obligations under AML, KYC, sanctions screening, anti-fraud, reporting or any other legal or regulatory requirement applicable to that party independently of any instructions from other parties, including obligations implementing FATF Recommendation 16 (the Travel Rule) and equivalent requirements under Applicable Law.
(ii)
“Security Documents” means any security documentation or compliance certifications reasonably demonstrating adherence to required technical/organizational measures for the protection of Personal Data.
(jj)
“Security Incident” means any breach or threat to the security, confidentiality, integrity, or availability of Personal Data.
(kk)
"Subprocessor" means any third party appointed by Notabene to process Personal Data on Notabene’s behalf in the capacity of processor. For Flow, Subprocessors include Infrastructure Providers, except where such parties act as controllers for Regulatory Compliance Purposes, and third parties appointed by Infrastructure Providers to process Personal Data on Notabene’s behalf.
(ll)
“Support Data” means Personal Data Processed by Notabene or its Subprocessors for the provision of technical or account support related to Flow.
(mm)
“Third Country” means any country outside the EEA, UK, or other jurisdictions as defined by Applicable Data Protection Laws, except those recognized as providing adequate protection.
(nn)
“Turkish PDPL” means the Law on Protection of Personal Data numbered 6698, the national data protection law of the Republic of Türkiye that protects the personal and fundamental rights of individuals whose personal data is processed and governs, among other matters, the lawful cross-border transfer of such data.
(oo)
“UAE PDPL” or “Federal Decree Law No. 45 of 2021 Regarding the Protection of Personal Data” means the federal law of the United Arab Emirates establishing an integrated framework to ensure the confidentiality and lawful processing, including cross-border transfers, of personal data and to protect the privacy of individuals in the UAE.
(pp)
“UK IDTA” or “UK Addendum” means the UK’s International Data Transfer Addendum to the SCCs, as may be amended from time to time.
2. Scope of Transfer and Processing
(a)
In connection with the provision of the Services, each party acting as a Data Exporter may provide or make available to another party certain Personal Data in its capacity as a Data Importer, as more particularly described in Part B and in the Processing Description. This DPA governs the terms for transfers of Data in the following scenarios:
- FOR TRANSACT: from a Customer to Notabene for the purpose of Notabene providing its Travel Rule compliance solution
- FOR FLOW:
(A)
from an Initiating Agent or Responding Agent (acting as Data Controller) to Notabene (acting as Data Processor), for the purposes of enabling payment, regulatory compliance, or transaction processing
(B)
from Notabene (acting as Data Controller) to an Infrastructure Provider (acting as Data Processor), for the purposes of executing payment transactions or fulfilling Notabene’s platform-related obligations
(C)
from Notabene (acting as Data Processor) to an Infrastructure Provider (acting as Data Controller), where the Infrastructure Provider is required to process Personal Data independently to fulfil its own Regulatory Compliance Purposes (such as AML/KYC)
(b)
The specific roles of Data Exporter and Data Importer, as well as the purpose and legal basis for each Data transfer, are set out in the Processing Description (Part B(2)) and corresponding Annexes.
(c)
This DPA shall be effective from the date of acceptance of the Agreement up to the end of the transitional period of thirty (30) days granted after the termination of such Agreement or its related Services.
(d)
During this transitional period, the Data Controller will be able to delete, remove or transfer the processed Personal Data resulting from the Services. After this transitional period, the Processor may permanently delete all the Processed Data from the Platform and all the existing copies, unless any applicable law requires storage of the Processed Data.
3. Mutual Obligations
(a)
Compliance and Representations. Each Party, to the extent acting as a Data Exporter, represents, warrants, and undertakes that it: (i) has complied with Applicable Data Protection Laws in the collection, storage, use, disclosure, and transfer of Data to the relevant Data Importer; and (ii) except where otherwise agreed in writing, has provided all necessary disclosures and obtained all required consents or authorizations to enable the lawful transfer and Processing of Data by the receiving party, as contemplated by this Agreement and DPA.
(b)
Security Requirements. Each Party shall implement and maintain appropriate technical and organizational measures designed for the purpose of protecting the security, confidentiality, and integrity of Data Processed in connection with Transact and Flow, including against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Data ("Security Measures"). Such Security Measures shall reflect the state of the art, costs of implementation, nature and context of Processing, and the risks for Data Subjects. Each Party, acting as Data Importer, shall ensure all authorized individuals commit to relevant confidentiality or statutory obligations. Security Measures shall:
- include pseudonymization and encryption of Data where appropriate;
- ensure ongoing confidentiality, integrity, availability, and resilience of Processing systems and services;
- enable timely restoration of Data availability in the event of a physical or technical incident; and
- involve regular review and assessment of Security Measures’ effectiveness.
(c)
Transparency and Audits. Each Party shall, upon written request and not more than once annually, provide to the other Party sufficient documentation or executive summaries of certifications or audits, and other Security Documents solely as reasonably necessary to confirm compliance with the Security Measures described in this DPA.
(d)
Mutual Assistance and Data Subject Rights. Each Party will provide reasonable cooperation and assistance to the other in responding to Data Subject requests, regulatory inquiries, or mandatory data protection impact assessments, as may be required to comply with Applicable Data Protection Laws relevant to that party. Each Party may charge a reasonable fee for assistance if the request is excessive or demands significant external resources.
(e)
Ongoing Compliance Information. Each Party shall, upon reasonable written request, provide information necessary to demonstrate its compliance with this DPA and Applicable Data Protection Laws. Parties shall cooperate in good faith to address compliance gaps or obligations identified because of such requests.
4. Internal Transfers of Controlled Data between Notabene and Its Affiliate(s)
(a)
This Section applies to the extent that Notabene (or its Affiliates) receives and Processes Notabene Controlled Data as a Data Importer where Notabene (or its Affiliate) is also acting as a Data Controller.
(b)
Where Notabene Processes Notabene Controlled Data in a country that is not subject to the GDPR or UK GDPR, Notabene shall ensure that such transfer is carried out using a Lawful Export Measure. This includes implementing:
- Appropriate contractual safeguards (such as Controller-to-Controller Clauses/Module 1 of the EU SCCs or UK IDTA)
- Descriptions of Processing activity and technical and organizational security measures as referenced in this DPA and Annex 2 (Notabene Technical and Organizational Security Measures)
(c)
For data onward transferred to Subprocessors and, for Flow, to Infrastructure Providers in third countries, Notabene shall require that those parties comply with the same data importer obligations, including executing the appropriate SCC Module or UK IDTA as required.
(d)
Notabene may update its list of Subprocessors by maintaining a public list or Schedule linked to the DPA, notifying Customers as required.
(e)
Upon becoming aware of a Security Incident affecting Data processed or transferred under this DPA, Notabene (or the relevant Affiliate or Infrastructure Provider) shall notify any affected Customers and, where required, Notabene’s Subprocessor(s), without undue delay and in any event within forty-eight (48) hours of first becoming aware of the incident. Such notification shall, to the extent possible at the time, include all necessary information for compliance with Applicable Data Protection Laws. Notabene (or the relevant Affiliate or Infrastructure Provider) shall also:
- Co-operate in good faith with Customers, Regulators, or other relevant authorities for investigation, containment, mitigation, and required reporting of the Security Incident.
- Not make any public or regulatory announcement naming Customers/account holders, unless required by law or agreed in writing, without prior consultation.
5. Processing by Notabene as Data Processor
(a)
Applicability; Prevailing Terms. This Section applies solely to the extent that Notabene Processes Customer Controlled Data or Infrastructure Controlled Data as a Data Processor (or functionally equivalent role under Applicable Data Protection Law) as set forth in Part B and in the Processing Description and Annexes. Where any conflict or inconsistency arises between this Section 5 and any other sections of this DPA, the terms of this Section 5 shall govern in respect of such processing. The subject-matter, nature and duration of Processing, categories of Personal Data, and categories of Data Subjects Processed by Notabene as Data Processor are as set out in Part B, Processing Description, and Annexes to this DPA.
(b)
Processing Instructions, Lawful Basis, and International Transfers
- Notabene shall Process Customer Controlled Data and Infrastructure Controlled Data only on documented, lawful instructions received from the relevant Customer or Infrastructure Provider and in compliance with this DPA and all Applicable Data Protection Laws.
- If Notabene cannot comply with any instruction or requirement under this DPA in any material respect (including if Notabene determines an instruction violates an Applicable Law), Notabene shall promptly inform the Customer, which includes the Infrastructure Provider when acting as a controller, in writing, and shall not continue such Processing until the issue is resolved or the Customer suspends Processing. The Customer, including the Infrastructure Provider when acting as a controller, may suspend Notabene’s Processing in the meantime.
- Customer and/or Infrastructure Provider, as applicable, instructs Notabene to Process Customer Controlled Data or Infrastructure Controlled Data only as necessary for the Processor Purposes described in Part B, Processing Description, or Flow schedules. Notabene shall not Process such data for any other purpose except as required by law or as instructed in writing by the Customer or Infrastructure Provider, as applicable.
- Notabene shall not transfer or allow the transfer of Customer Controlled Data or Infrastructure Controlled Data to a jurisdiction outside of the EEA, UK, or countries recognized as providing adequate protection unless (a) expressly directed by the Customer or, if applicable, the Infrastructure Provider; and (b) subject to a valid Lawful Export Measure (e.g., SCCs/UK IDTA), unless Notabene is required to do so by law, in which case Notabene shall notify the Customer and/or Infrastructure Provider, as applicable (unless prohibited by law).
(c)
Data Use Restrictions, Confidentiality, and Recordkeeping
i.
Notabene represents, warrants, and agrees that, unless expressly authorized by the Customer in writing:
(A)
Notabene will not combine, merge, or link Customer Controlled Data or Infrastructure Controlled Data with any other data except as strictly required for technical performance or Processor Purposes;
(B)
Notabene will not Process Customer Controlled Data or Infrastructure Controlled Data for any purpose other than the agreed Processor Purposes;
(C)
Notabene will not sell, share, license, or otherwise commercially exploit such data except as directly instructed by the Customer with respect to Customer Controlled Data and/or the Infrastructure Provider with respect to Infrastructure Controlled Data.
ii.
All Notabene personnel authorized to access Customer Controlled Data or Infrastructure Controlled Data shall be bound in writing by confidentiality undertakings or statutory confidentiality obligations.
iii.
Notabene shall maintain up-to-date records of processing activities carried out on behalf of each Customer for Customer Controlled Data and for Infrastructure Controlled Data, as required by Article 30(2) of the GDPR or equivalent, and provide such records to the Customer upon request.
(d)
Personnel Access, Training, and DPO Requirement
i.
Notabene shall grant access to Customer Controlled Data and Infrastructure Controlled Data only to such personnel as are strictly necessary for the implementation, management and monitoring of this DPA.
ii.
Notabene shall provide annual data protection, privacy, and security training to all such personnel and retain cross-referenceable documentation of such training, available for review upon reasonable request.
iii.
Notabene shall provide the Customer and, if applicable, Infrastructure Provider, as set forth in Part B or by written notice, with the contact details of its designated Data Protection Officer or privacy compliance contact, promptly notifying of any changes.
iv.
Notabene is responsible for ensuring that all such personnel involved in the provision of the Services comply with this DPA and Applicable Data Protection Laws, and Customer is not required under this DPA to designate, appoint, or manage any separate persons in charge of processing within Notabene.
(e)
Security Requirements
i.
Notabene will implement (and cause personnel to comply with) all technical and organizational security measures set forth in Section 3.b) of this DPA and Annex 2 (Notabene Technical and Organizational Security Measures).
ii.
Notabene shall keep written records and evidence of all relevant technical and organizational measures and produce them for Customer or Infrastructure Provider (if Notabene is processing Infrastructure Controlled Data for that Infrastructure Provider) audit upon reasonable written request, not more than once annually unless required for regulatory or specific risk-based investigation.
(f)
Audit and Regulatory Assistance
i.
Notabene shall, as required by law or upon the Customer’s (including Infrastructure Provider if Notabene is processing Infrastructure Controlled Data for that Infrastructure Provider) reasonable written request (not more than once annually unless otherwise required), contribute to audits or inspections, including:
(A)
providing access to audit or compliance reports and certifications,
(B)
completing written data security or compliance questionnaires, and
(C)
facilitating Customer or Infrastructure Provider (if Notabene is processing Infrastructure Controlled Data for that Infrastructure Provider) on-site audits where justified by regulatory finding or serious breach risk and agreed upon scheduling grounds.
ii.
Notabene shall promptly notify the Customer or Infrastructure Provider (if Notabene is processing Infrastructure Controlled Data for that Infrastructure Provider) of any legally binding request for disclosure of Customer Controlled Data by a regulatory body, government agency, or law enforcement authority unless law prohibits such notice.
iii.
Notabene shall review the legality of such requests, challenge any it deems inappropriate or legally unsound, and provide the Customer, including Infrastructure Provider (when Notabene is processing Infrastructure Controlled Data for that Infrastructure Provider), with all relevant information regarding the review, challenge, and guidance or outcome. Only the minimum necessary data will be disclosed after such review.
iv.
Notabene will, at the Customer’s or Infrastructure Provider’s (if Notabene is processing Infrastructure Controlled Data for that Infrastructure Provider) written request (and at the Customer’s or Infrastructure Provider’s cost if significant non-routine effort is required), provide all reasonable assistance to the Customer and Infrastructure Provider (if Notabene is processing Infrastructure Controlled Data for that Infrastructure Provider) in connection with regulatory assessments, responses, data protection impact assessments (DPIA), prior consultations with regulators, or other legally required evaluations relating to Customer Controlled Data or Infrastructure Controlled Data.
(g)
Data Subject Rights
i.
If Notabene receives any request, complaint, or inquiry from a data subject in relation to Customer Controlled Data or Infrastructure Controlled Data (e.g., for access, rectification, erasure, objection, restriction, portability, or automated decision-making):
(A)
Notabene will notify the Customer within five (5) business days and without directly responding (unless expressly authorized);
(B)
Provide all relevant request details and any information reasonably requested by the Customer within five (5) business days of receipt;
(C)
Provide all reasonable assistance as the Customer or Infrastructure Provider (if Notabene is processing Infrastructure Controlled Data for that Infrastructure Provider) requires for compliance, at the Customer’s or Infrastructure Provider’s cost, as applicable, if excessive or extraordinary.
ii.
Notabene shall promptly comply with any Customer and Infrastructure Provider (if Notabene is processing Infrastructure Controlled Data for that Infrastructure Provider) instruction to amend, correct, transfer, block, or delete Customer Controlled Data or Infrastructure Controlled Data. If there is any conflict or inconsistency between the instructions of a Customer and those of an Infrastructure Provider, the instructions of the Customer that is also the Controller will supersede and control.
(h)
Data Breach and Security Incident Management
i.
In the event of any: (1) improper, unauthorized, or unlawful access, use, disclosure, or loss of Customer Controlled Data or Infrastructure Controlled Data, or (2) any compromise that affects the availability, integrity, or confidentiality of Customer Controlled Data or Infrastructure Controlled Data (each, a “Data Breach”), Notabene shall:
(A)
Without undue delay and in any event within forty-eight (48) hours after becoming aware of a Data Breach, notify the Customer, including Infrastructure Provider (if Notabene is processing Infrastructure Controlled Data for that Infrastructure Provider), in writing, setting out:
(aa)
The nature and scope of the Data Breach (including, if possible, categories and approximate number of affected data subjects and records);
(bb)
Name and contact information of Notabene’s incident coordinator or DPO;
(cc)
The likely consequences of the Data Breach;
(dd)
The measures taken or proposed to address and mitigate the Data Breach’s effects;
(B)
Consult with the Customer, including Infrastructure Provider (if Notabene is processing Infrastructure Controlled Data for that Infrastructure Provider), on an ongoing basis, and provide regular status updates and additional information as details emerge or are requested;
(C)
Implement all reasonable remediation and mitigation measures, and assist the Customer, including Infrastructure Provider (if Notabene is processing Infrastructure Controlled Data for that Infrastructure Provider), in meeting its own legal obligations relating to breach notification and remedial action (including required data subject or regulator notifications);
(D)
Within six (6) weeks of incident close-out, provide a written incident report detailing the breach, root cause, response actions, and proposed additional security measures;
(E)
Not make any regulatory, public, or data subject notifications without the Customer’s or Infrastructure Provider’s (if Notabene is processing Infrastructure Controlled Data for that Infrastructure Provider) prior written and express approval, except as required by law, in which case Notabene must notify the Customer, including Infrastructure Provider (if Notabene is processing Infrastructure Controlled Data for that Infrastructure Provider), as soon as legally possible;
(F)
All information and reports provided in relation to a Data Breach constitute Notabene’s Confidential Information.
(i)
Subprocessing
i.
The Customer and each Infrastructure Provider grants Notabene a general written authorization to engage Subprocessors subject always to the following:
(A)
Notabene must update its listing of Subprocessors on its website as set forth in Part B in advance of engaging any new or replacement Subprocessor;
(B)
The Customer, including Infrastructure Provider (if Notabene is processing Infrastructure Controlled Data for that Infrastructure Provider), may object on legitimate data protection grounds within thirty (30) days of Notabene posting on its website the new Subprocessor; and, if not resolved, Notabene and the Customer, including Infrastructure Provider (if Notabene is processing Infrastructure Controlled Data for that Infrastructure Provider) will work in good faith to amend or modify the services to avoid processing by the objected-to Subprocessor;
(C)
Notabene shall ensure each Subprocessor enters into binding written agreements with data protection and security obligations no less protective than those in this DPA;
(D)
Notabene shall perform appropriate due diligence on all Subprocessors and monitor ongoing compliance.
(j)
Return and Deletion of Data
i.
Upon the termination or expiration of the DPA, cessation of the relevant services, or at any time upon written instruction from the Customer, Notabene shall promptly and securely delete or return all Customer Controlled Data and Infrastructure Controlled Data to the Customer and Infrastructure Provider (if Notabene is processing Infrastructure Controlled Data for that Infrastructure Provider), unless applicable law requires further retention. Notabene shall certify in writing the deletion of all such data unless return or deletion is impossible, in which case Notabene shall inform the Customer, including Infrastructure Provider (if Notabene is processing Infrastructure Controlled Data for that Infrastructure Provider), of the reasons and the measures taken to ensure ongoing protection.
6. Cross-Border Transfers of Customer Controlled Data to Customer
a)
Applicability and General Principle. This Section 6 applies whenever a Customer (including, but not limited to, an Initiating Agent or Responding Agent) imports and Processes Customer Controlled Data in a Third Country, as defined in this DPA, where that Customer is acting as the data importer and controller in relation to such data.
b)
Transfers to Countries Not Covered by the GDPR/UK GDPR (No Adequacy Decision)
(i)
Where Customer Controlled Data is to be Processed in a Third Country that is not recognized by the European Commission (under Article 45 of the GDPR), or under equivalent UK adequacy regulations, and is not otherwise covered under Section 6.c) below, the parties shall, as required by Applicable Data Protection Laws and before any such transfer, cooperate and take all necessary steps to ensure that such transfer is subject to a valid Lawful Export Measure, including but not limited to:
(A)
execution of appropriate Standard Contractual Clauses (SCCs), UK International Data Transfer Addendum (IDTA), or other contractually binding instruments providing appropriate safeguards;
(B)
ensuring the transfer is adequately described in the DPA and in Part B—Cover Page/Annexes, including the Data flows, purpose, types of data, categories of data subjects, and location of data importers;
(C)
documenting technical and organizational measures to secure the data transfer, as further described in Annex 3 (Customer and Infrastructure Provider Technical and Organizational Security Measures) and as required for any onward transfer.
(ii)
Any onward transfer of Customer Controlled Data or Infrastructure Controlled Data by the recipient Customer or Infrastructure Provider in a Third Country shall be subject to the same or equivalent Lawful Export Measure and technical/organizational safeguards.
c)
Transfers to Third Countries Subject to GDPR or UK GDPR
(i)
Where Customer Controlled Data or Infrastructure Controlled Data is Processed or imported in a jurisdiction subject to the GDPR or UK GDPR, or the transfer is made from or to such jurisdiction (including within the EEA or UK), the applicable parties shall undertake to comply with all data importer obligations in the applicable transfer mechanisms, which are by this reference fully incorporated, including but not limited to:
(A)
Where required, the Standard Contractual Clauses for international transfers of personal data to third countries outlined in Commission Decision 2021/914 of 4 June 2021 (including the Module applicable to the specific controller-controller or controller-processor relationship involved), or UK Addendum to the SCCs;
(B)
All references to “Annex I” or "Part 1" of such Standard Contractual Clauses or UK IDTA shall be populated using the parties and Processing details in Part B of this DPA, and the Effective Date shall be the date specified therein;
(C)
All technical and organizational security measures required under the SCCs/IDTA shall adopt or incorporate those described in Annex 3 (Customer and Infrastructure Provider Technical and Organizational Security Measures);
(D)
The competent supervisory authority, governing law, and competent courts for dispute resolution shall all be those specified in Part B of this DPA or, where not specified, as required by the SCCs/IDTA and mutually agreed in writing by the parties.
(ii)
For the avoidance of doubt, where the SCCs/IDTA adopt "Option 1" or "Option 2" for governing law, forum, or authority, the parties will specify in Part B or exercise such selection jointly in writing.
d)
Supplemental Measures and Customer and Infrastructure Provider Cooperation
(i)
The parties acknowledge that evolving legal requirements (regulatory guidance or judicial decisions) may necessitate additional or alternative measures for cross-border transfers. If Notabene, any Customer or a data subject challenges the sufficiency of the applied Lawful Export Measure, all parties will act in good faith to implement any additional contractual, technical, or organizational requirements necessary to ensure continued validity of the transfer.
(ii)
If a supervisory authority, government, or court determines any cross-border transfer under this DPA does not provide adequate protection, the parties will take all actions (including suspension of transfer, execution of supplementary contract terms, implementation of enhanced security, or deletion/return of data as required) promptly and in accordance with all applicable timeframes specified in regulatory notice or applicable law.
(iii)
Upon request, each party shall provide documentation evidencing the legal basis of any transfer and all associated risk assessments, supplementary measures, and safeguard evaluations, subject to applicable confidentiality.
(iv)
In the event of an inquiry, audit, investigation, or information request from any competent regulatory authority relating to a cross-border transaction, onward transfer, or instant data processing event facilitated by the Notabene platform, all parties agree to provide immediate good-faith cooperation. This includes, but is not limited to, supplying log files, assignment notifications, processing records, compliance policies, and any data relating to the selection or operation of Infrastructure Providers, Subprocessors, or onward transferees, within two (2) business days (or such shorter period as may be specified by the authority or legally required). The parties shall designate and maintain up-to-date points of contact for prompt communication regarding such regulatory events and shall coordinate on the content and timing of any responses or disclosures required by a regulator. All regulatory cooperation shall be documented and retained for not less than six (6) years, or such longer period as required by law or regulatory guidance.
e)
Timeframes and Disclosure Obligations
(i)
Prior to any transfer to a Third Country, Notabene, the Customer and the Infrastructure Provider will reasonably cooperate (responding within ten (10) business days unless otherwise mutually agreed or required under applicable law) to execute required SCCs, IDTA, or other formal transfer instruments and to document completion of any transfer impact assessments or approvals.
(ii)
Each party agrees to promptly notify the other (and no later than five (5) business days from learning thereof) of any regulatory, judicial, or data subject inquiry or challenge concerning cross-border transfers covered by this DPA.
f)
Regulatory Variation and Contractual Flexibility
(i)
This Section 6.f) shall be interpreted to the fullest extent permissible by law so as to enable compliant and uninterrupted lawful transfers of Customer Controlled Data and Infrastructure Controlled Data in all jurisdictions in which the parties operate, regardless of subsequent changes in law or regulation.
(ii)
Where unusual data transfer circumstances arise (e.g., urgent need to avoid harm to data subjects), the parties may agree in writing to invoke alternative or additional transfer mechanisms, including explicit consent or legally recognized derogations.
g)
Regulatory Cooperation and Onward Transfer Support
(i)
In the event of an inquiry, audit, or investigation by any competent regulatory, supervisory, or governmental authority related to any cross-border data transfer, instant transaction, or onward transfer performed via the Notabene platform, all parties agree to provide immediate cooperation and timely regulatory assistance.
Such cooperation includes, but is not limited to:
(A)
Supplying responses, supporting documents, or information required by a regulator within five (5) business days of written request, or such shorter time as required by law or regulatory directive;
(B)
Designating up-to-date points of contact for regulatory or data protection inquiries and updating such contact information as necessary;
(C)
Coordinating with other parties to align the timing and content of responses to any regulator or authority to ensure accuracy and prevent duplication or omission;
(D)
Retaining documentation of regulatory cooperation and audit response for at least six (6) years, or as required by applicable law or regulatory requirement;
(E)
Facilitating any necessary interviews, systems access, or witness support required by regulators regarding Transact and/or Flow transaction flows or onward transfer assignments;
(F)
(Flow Only) Promptly providing access to transaction records, routing logs, assignment details for Infrastructure Providers and Subprocessors, and compliance documentation relevant to the onward transfer or transaction.
(ii)
All cooperation is subject to the confidentiality and data protection requirements of this DPA, and nothing herein limits the right of any party to seek legal guidance or to escalate urgent issues for expedited handling.
7. Changes in Applicable Data Protection Laws
a)
The parties acknowledge and agree that Applicable Data Protection Laws, including the GDPR, the UK General Data Protection Regulation, the Data Protection Act 2018, the CCPA, and all related statutory instruments, regulations, or guidance from supervisory authorities, are subject to ongoing legislative and regulatory change as well as evolving judicial and administrative interpretation.
b)
If, at any time during the term of this DPA:
(i)
a change in Applicable Data Protection Laws (including, but not limited to, changes to the GDPR, UK GDPR, CCPA, or other jurisdictional regimes);
(ii)
the implementation of new secondary or delegated legislation, regulatory guidance, or official interpretive statements from a competent data protection authority;
(iii)
any judicial or administrative decision or government action invalidates, limits, or imposes new requirements on existing mechanisms, including the Controller to Controller Clauses, Processor to Controller Clauses, SCCs, UK IDTA, or findings of adequacy;
(iv)
the approval, withdrawal, or modification of any adequacy finding, SCC, or international transfer regime; or
(v)
any change in the membership status, legal framework, or territorial scope of the European Union, European Economic Area, United Kingdom, Switzerland, or other relevant jurisdiction;
reasonably requires amendment, supplementation, or replacement of this DPA (in whole or in part) or associated transfer mechanisms, the parties shall negotiate promptly, in good faith, and in no event later than thirty (30) calendar days after notice of such change, such modifications as are reasonably necessary to ensure both ongoing lawful Processing and protection of Personal Data in compliance with (and for the full duration required by) Applicable Data Protection Laws.
c)
Pending the implementation of any required modifications pursuant to this Section 7, the parties shall take all necessary and reasonable steps (including the implementation of supplementary contractual, technical, or organizational measures or, as a last resort, suspension of relevant transfers or processing) to ensure ongoing compliance with Applicable Data Protection Laws, minimization of regulatory and legal risks, and protection of data subjects’ fundamental rights and freedoms. In no event shall the parties delay good faith negotiations or implementation of required amendments beyond the minimum period necessary.
d)
If, after good faith negotiation within the above timeframe, the parties cannot reach consensus as to the changes required to comply with Applicable Data Protection Laws, either party shall be entitled to suspend or terminate the affected processing activities and/or international transfers on written notice, without penalty, until the parties agree and document required changes.
e)
No amendment to this DPA pursuant to this Section 7 shall have retroactive effect except as required for ongoing compliance with applicable regulatory requirements or legal orders.
f)
Any amendments made pursuant to this Section 7 shall be documented and published on Notabene’s website, and made available to affected data subjects upon request to the extent required by law.
8. Confidentiality
a)
Confidentiality Undertakings. Each party (the “Recipient”) undertakes to the other party (the “Discloser”) that it shall:
(i)
keep strictly confidential and shall not disclose, reveal, make available, or in any way communicate to any third party (without the prior express written consent of the Discloser) any Data, Confidential Information, or trade secrets of the Discloser which it obtains or accesses in connection with this DPA, except as strictly necessary for the performance of the DPA and only on a legitimate “need-to-know” basis;
(ii)
ensure that all employees, agents, officers, consultants, Subprocessors, subcontractors, and advisers authorized to Process or access such Confidential Information/Data are bound by written confidentiality obligations that are no less protective than those set out in this Section 8 or, if applicable, are under appropriate statutory or regulatory obligations of confidentiality;
(iii)
implement appropriate technical, organizational, and communications safeguards (including encryption, access logs, and secure destruction protocols) to prevent unauthorized disclosure, access, or misuse of Confidential Information/Data, whether in physical or electronic form;
(iv)
immediately inform the Discloser in writing if it becomes aware of any unauthorized access to, disclosure, or suspected breach of such Confidential Information/Data.
b)
Exceptions to Confidentiality. The obligations in Section 8.a) shall not apply to the extent that a disclosure of Confidential Information/Data is:
(i)
required to be disclosed by law, regulation, or valid order of a court or regulatory body with competent jurisdiction; provided that (where legally permitted) the Recipient shall: (A) promptly notify the Discloser in writing of such requirement to allow the Discloser (at its expense) to contest, intervene, or seek a protective order, and (B) cooperate (at Discloser’s cost) with any such actions by the Discloser; and
(ii)
required for regulatory audit, investigation, or compliance with legally binding obligations, provided any disclosure is strictly limited to only that information necessary for such purpose and subject to any applicable legal privilege.
c)
Confidentiality of Security Documents. The confidentiality obligations in Section 8.a) apply to all Security Documents, audit/compliance reports, technical evaluations, and any similar extrinsic evidence or documentation exchanged by Notabene, Customers, or their Affiliates/agents (regardless of which party created the documentation).
d)
Duration and Survival. The obligations of confidentiality in this Section 8 shall commence as of the first disclosure of Confidential Information/Data and shall continue:
(i)
for as long as the DPA is in effect and thereafter for a period of at least five (5) years after termination or expiry; and
(ii)
indefinitely with respect to trade secrets or information protected by law as confidential or privileged.
e)
Return and Destruction of Confidential Information. Upon termination or expiration of this DPA, or upon written request of the Discloser, each Recipient shall promptly and securely return or, at the Discloser’s election, destroy all Confidential Information/Data (including all copies, extracts, backups, and derived data) in its possession, custody, or control, and shall provide a written certification of such destruction to the Discloser, subject always to legal or regulatory retention requirements.
f)
Order of Precedence. This Section 8 is in addition to (and shall not limit) any broader confidentiality provision in the main Agreement or any other document between the parties. In the event of any conflict between the confidentiality provisions of this DPA and those of the main Agreement, the order of precedence shall be as follows:
(i)
Section 8.b) (Required Disclosures);
(ii)
Section 8.c) (Confidentiality of Security Documents);
(iii)
the confidentiality provisions of the main Agreement; then
(iv)
Section 8.a) (Confidentiality Undertakings).
g)
Marking and Reasonable Understanding. Notwithstanding any provision addressing the marking of Confidential Information, any information that a reasonable person would understand to be confidential, given its nature and the circumstances of disclosure, shall be treated as Confidential Information whether or not it is marked.
9. Termination
Termination of this DPA shall be governed by the terms of the Agreement.
10. Consequences of Termination
a)
Return or Deletion of Data. Upon the termination or expiry of this DPA, or the cessation of the services to which it relates, each party (the “Processor”) currently Processing Data as a Data Processor on behalf of the other party (the “Controller”) shall:
(i)
At the written election of the Data Controller (to be specified within thirty (30) calendar days of termination or expiration):
(A)
Return to the Data Controller (or another party designated in writing) all Data and any copies thereof (including data held by any Subprocessors), using means reasonably specified by the Controller, or
(B)
Securely destroy all Data in its possession, custody, or control, as well as all copies, derivative data sets, back-ups, and any data maintained for business continuity or disaster recovery purposes, using industry standard deletion and/or destruction methods. Upon request, the Processor shall provide the Controller with a certificate of destruction signed by an officer or legal representative.
(ii)
Unless applicable law requires storage of Data (as demonstrated by written notice from Processor to Controller prior to deletion/return), the Processor shall comply with the Controller’s choice above and certify, in writing, the completion of the required return or secure deletion.
(iii)
Except as otherwise expressly required by law, after the end of the provision of services relating to Processing and after satisfaction of the other requirements of this section, the Processor shall immediately and permanently cease all Processing of the Controller’s Data.
b)
Copies and Retention Exceptions
(i)
If, and only to the extent, applicable law or binding regulatory obligation requires the Processor to retain any of the Data after termination, the Processor shall:
(A)
notify the Data Controller in writing of the legal rationale and expected duration for retention;
(B)
continue to comply with all confidentiality, security, and other applicable obligations under this DPA and law for so long as any Data is retained; and
(C)
ensure that retained Data is used solely for the purposes and no longer than required by applicable law, after which all Data shall be securely deleted.
c)
Subprocessor and Third Party Data Management. The Processor must ensure, and provide documented confirmation to the Data Controller, that all Subprocessors and authorized third parties promptly comply with the same return/deletion requirements, including obtaining certificates of destruction or documented evidence of compliance.
d)
Timelines. All return or deletion (and, if applicable, related certification obligations) must be completed as soon as reasonably practicable and in any event no later than sixty (60) calendar days following termination, expiration, or service cessation, unless otherwise agreed in writing or required by law.
e)
Ongoing Duties and Remedies
(i)
The duties of confidentiality, security, regulatory cooperation, and data subject rights enforcement under this DPA shall survive with respect to all Data retained by legal necessity until such Data is securely deleted.
(ii)
For avoidance of doubt, these obligations shall not affect any broader rights of the Data Controller to seek damages, injunction, reporting to authorities, or other remedies for any continued Processing inconsistent with this section.
11. Law and Jurisdiction
a)
This DPA shall be governed by the governing law provision set out in the Agreement and any dispute shall be governed by the dispute resolution procedure set out in the Agreement, except as expressly provided otherwise in this DPA.
b)
Personal Data protected under the PDPA may be transferred from Singapore to, and processed in, the EEA. The Processor represents and warrants that: (a) it shall process such Personal Data in compliance with the applicable provisions of the EU GDPR and shall ensure a standard of protection for the Personal Data that is at least comparable to the protection under the PDPA; (b) it is bound by legally enforceable obligations under the GDPR which provide comparable protection to that under the PDPA; (c) it shall implement and maintain technical and organizational measures to ensure the security and confidentiality of the Personal Data consistent with Appendix 2 to this DPA; and (d) it shall not transfer Singapore Personal Data to any country outside the EEA without first ensuring that such transfer complies with the PDPA and this DPA. Where required by the PDPA, or where reasonably requested by the Controller, the Parties shall enter into the ASEAN MCCs for cross-border data transfers. The details required to complete the ASEAN MCCs are those set out in Appendix 1 to this DPA, and the ASEAN MCCs shall be governed by the laws of Singapore, with disputes subject to the jurisdiction of the Singapore courts.
12. Changes to this DPA
Notabene may update or modify this DPA from time to time to reflect changes in Applicable Data Protection Laws, regulatory guidance, or the Services, by posting an updated version at https://notabene.id/agreements/dpa, or by otherwise providing notice to Customer in accordance with the Agreement. If Customer reasonably objects in writing to a material change to this DPA that would cause Customer to be in breach of Applicable Data Protection Laws and the parties cannot reach mutual agreement in good faith within thirty (30) calendar days after Notabene’s notice of the updated DPA, Customer’s sole and exclusive remedy shall be to terminate the affected Services at the end of the then current subscription term, without penalty to either party.
PART D – DATA PROCESSING TERMS FOR FLOW ONLY
Part D of the DPA sets forth the terms and obligations related to Flow only.
Scope of Transfer and Processing
1. Processing by Infrastructure Provider as a Data Processor (Flow Only).
a)
Applicability; Conflicts. This Section 1 shall only apply to the extent that an Infrastructure Provider Processes Notabene Controlled Data as a Data Processor (or functionally equivalent role under Applicable Data Protection Law) acting on behalf of Notabene. With respect to such Processing, if there is any conflict or inconsistency between the terms of this Section 1 and any other sections of this DPA, the terms of this Section 1 shall prevail.
b)
Processing on Documented Instructions
i)
The Infrastructure Provider shall only Process Notabene Controlled Data on behalf of Notabene and in accordance with documented lawful instructions received from Notabene and the terms of this DPA.
ii)
If the Infrastructure Provider determines it cannot comply with any documented instruction or the terms of this DPA in any material respect (including if, in its reasonable opinion, the instruction infringes Applicable Data Protection Law), the Infrastructure Provider shall inform Notabene promptly in writing. In such event, Notabene will be entitled to suspend the relevant Processing until such non-compliance is resolved.
iii)
For clarity, Notabene instructs the Infrastructure Provider to Process Notabene Controlled Data solely for the purposes described in Part B or agreed processing instructions (“Processor Purposes”), and not otherwise.
c)
Data Use Restrictions. The Infrastructure Provider represents, warrants, and undertakes that, unless expressly authorized in writing by Notabene, the Infrastructure Provider shall not:
i)
combine, merge, or link Notabene Controlled Data with any other data prior to or in connection with transfer to Notabene;
ii)
sell or share Notabene Controlled Data; and
iii)
Process Notabene Controlled Data for any purpose except the agreed Processor Purposes.
d)
Personnel & Training
i)
The Infrastructure Provider shall grant access to Notabene Controlled Data only to such personnel as are strictly necessary for the implementation, management, and monitoring of this DPA. The Infrastructure Provider shall ensure such personnel are bound by confidentiality undertakings or statutory obligations of confidentiality.
ii)
The Infrastructure Provider shall provide relevant data protection and security training to such personnel and maintain documentation evidencing such training.
e)
Security
i)
When Processing Notabene Controlled Data, the Infrastructure Provider shall implement, and ensure its personnel comply with, appropriate technical and organizational security measures at least equivalent to those in Section 3.b) of this DPA.
ii)
The Infrastructure Provider shall maintain written records of technical and organizational safeguards and shall produce these to Notabene upon reasonable written request.
f)
Audit & Regulatory Assistance
i)
To the extent required by Applicable Data Protection Laws and following Notabene’s written request, the Infrastructure Provider shall contribute to audits or inspections by making available to Notabene audit reports or compliance documentation, and shall, no more than once annually, complete security questionnaires of reasonable scope regarding the Processing of Notabene Controlled Data.
ii)
The Infrastructure Provider shall promptly notify and reasonably assist Notabene with any legally binding request for disclosure of Notabene Controlled Data by a regulator, government, or law enforcement authority, unless such notification is prohibited by law.
iii)
The Infrastructure Provider shall review the legality of any such disclosure request and challenge the request if it believes there are reasonable grounds to do so, providing Notabene all relevant details regarding its review, challenge, and outcome.
iv)
Where Notabene must respond to any assessment, inquiry, or investigation by a regulator, or conduct a DPIA (data protection impact assessment) regarding data Processed under this DPA, the Infrastructure Provider shall cooperate as reasonably required to enable Notabene’s compliance.
g)
Data Subject Requests
i)
Where the Infrastructure Provider directly receives a request from a Data Subject regarding Notabene Controlled Data (including a request concerning access, rectification, erasure, objection, restriction, portability, or automated decision-making), the Infrastructure Provider shall:
(A)
immediately notify Notabene in writing, without independently responding except to direct the data subject to Notabene, unless Notabene authorizes otherwise;
(B)
provide all relevant information and details (and any further information Notabene may reasonably require) within five (5) business days of receipt of any such request;
(C)
provide such assistance as Notabene may reasonably require for responding and compliance.
ii)
The Infrastructure Provider shall promptly execute Notabene’s instructions to amend, correct, transfer, block, or delete Notabene Controlled Data.
h)
Data Breach
i)
If the Infrastructure Provider knows or reasonably suspects any actual or threatened improper, unauthorized or unlawful access to, use of, or disclosure of, or any other compromise of Notabene Controlled Data (“Data Breach”), it shall:
(A)
notify Notabene immediately and in any event within forty-eight (48) hours, including all known facts such as:
(aa)
nature, categories, and approximate number of affected individuals and records,
(bb)
relevant contact for incident management,
(cc)
likely consequences,
(dd)
measures taken or planned to mitigate and remediate;
(B)
consult on an ongoing basis, provide regular status updates, and further information as available or as reasonably requested by Notabene;
(C)
implement all reasonably necessary remediating or mitigating technical/organizational measures to limit harm and prevent recurrence;
(D)
assist Notabene in regulatory notification and data subject communication as required by law;
(E)
provide a detailed written report within two (2) weeks of incident resolution describing root cause, response, and preventive actions;
(F)
not make public or regulatory filings or notifications without Notabene’s express written approval unless required by law (and then only following consultation).
ii)
All breach-related materials shared are the Infrastructure Provider’s Confidential Information, which Notabene may share with Customers.
i)
Subprocessing by Infrastructure Provider
i)
Notabene grants the Infrastructure Provider general written authorization to engage Subprocessors, subject to:
(A)
twenty (20) business days’ prior written notice to Notabene for any new or replacement Subprocessor;
(B)
Notabene’s right to reasonably object on legitimate data protection grounds within the notice period;
(C)
binding agreements between Infrastructure Provider and all Subprocessors with confidentiality, data protection, and security terms no less protective than this DPA;
(D)
Infrastructure Provider retaining liability for all onward Processing by Subprocessors.
j)
Return and Deletion of Data
i)
Upon termination or expiry of this DPA, or at Notabene’s written instruction, the Infrastructure Provider shall immediately delete or return (at Notabene’s election) all Notabene Controlled Data and confirm destruction of all copies, unless retention is required by law.
2. Data Breach and Security Incident Management (supplemented)
The following supplements Section 1.h:
i)
Selection and Notification of Infrastructure Providers
(A)
Due to the dynamic and compliance-driven nature of transactions through Flow, Notabene selects Infrastructure Providers (including Subprocessors) for each transaction in Flow, utilizing automated routing information, compliance logic, and other technical criteria to support participating agents in regulatory compliance and transaction execution. Notabene acts solely as a utility providing technical and compliance services and does not host, execute, or facilitate the value transmission itself; the actual movement of funds is conducted directly between agents or Customers outside the Notabene platform.
(B)
Because advance notice of a specific Infrastructure Provider’s assignment is not practical for transactions in Flow, the following applies:
(aa)
Notabene shall maintain and promptly update a publicly accessible schedule or website listing all eligible Infrastructure Providers and Subprocessors, updating the list promptly as new parties are added or removed.
(bb)
Customers, including Infrastructure Providers (if Notabene is processing Infrastructure Controlled Data for that Infrastructure Provider), may review and, subject to documented and reasonable grounds, object in writing to the prospective use of any listed Infrastructure Provider for future transactions, with disputes governed under the DPA’s objection and remediation procedures.
(cc)
Notabene maintains transaction and assignment logs for all selections and makes such logs available to Customers, including Infrastructure Providers (if Notabene is processing Infrastructure Controlled Data for that Infrastructure Provider), upon reasonable notice, for audit, regulatory inquiry, or evidentiary purposes, subject to confidentiality obligations.
(C)
All appointed Infrastructure Providers remain subject to the requirements outlined in the DPA and relevant international data transfer mechanisms (e.g., SCCs, UK Addendum, or local equivalents).
ii)
Dynamic Role Switching and Regulatory Compliance Processing: Infrastructure Provider as Independent Controller for Regulatory Compliance Purposes
(A)
Notwithstanding any other provision of this DPA, each party acknowledges and agrees that Infrastructure Providers (including, but not limited to, banks, financial institutions, and regulated service providers selected by Notabene to process or facilitate transactions) may transition from acting solely as processors, under Notabene’s documented instructions, to independent controllers of personal data, but exclusively to the extent required to comply with legal, regulatory, or supervisory obligations, which include, without limitation, compliance with anti-money laundering (“AML”), know-your-customer (“KYC”), sanctions screening, tax evasion prevention, suspicious activity reporting, or any applicable law or regulation (including, but not limited to, the Travel Rule, EU/UK or US AML/KYC regimes, or any similar requirements in other jurisdictions).
(B)
This transition may occur automatically and in real time, and is triggered:
(aa)
whenever an Infrastructure Provider is required, by enforceable demand of a competent regulator or mandatory law, to process, retain, report, or otherwise use personal data for its own compliance or audit purposes, independent of any further instructions from Notabene or a Customer,
(bb)
or whenever operation of platform or regulatory logic dictates that a transaction or data set be escalated for regulatory review, flagged for compliance checks, or subject to conditions for fulfillment of legal/reporting requirements.
(C)
When acting as Controller, the Infrastructure Provider shall:
(aa)
Process the personal data only as strictly necessary to fulfill its independent legal, regulatory, or supervisory obligations,
(bb)
Apply all applicable technical, organizational, and security measures outlined in the DPA,
(cc)
Cooperate with Notabene and all Customers, including Infrastructure Providers (if Notabene is processing Infrastructure Controlled Data for that Infrastructure Provider), to provide information about such processing, compliance steps, and regulatory interactions, in a timely manner and as required for ongoing platform operation or regulatory audit,
(dd)
Clearly log and distinguish each instance of data processing performed for Regulatory Compliance Purposes, and
(ee)
Ensure audit trails and evidence of such role switches are maintained for a minimum of six (6) years or such longer period required by applicable law.
(D)
All parties further agree to provide, without undue delay, all cooperation, documentation, and reasonably requested access to transaction details, assignment logs, communications, or other data, as legally permitted, needed to enable the other parties to satisfy any inquiry or demand from a competent authority related to compliance-driven controller processing.
(E)
Nothing in this clause authorizes Infrastructure Providers to use personal data for their own purposes outside legal and regulatory requirements, and all controller actions under this clause are subject to the restrictions, audit rights, and dispute procedures set out in the DPA and governing law.
iii)
Data Transfer and Technology-Specific Flow
(A)
Consistent with the technology-enabled operation of Flow, all cross-border transactions and related personal data processing activities are supported through automated routing and assignment based on technical and compliance integrations. The process includes the collection, encryption, Subprocessor assignment, and onward transfer of personal data according to transaction and compliance logic. Notification and audit obligations regarding Subprocessor selection or onward transfer may, where needed, be met by maintaining an accessible list of eligible Infrastructure Providers and by providing transaction and assignment confirmation upon written request or regulatory inquiry. All transaction logs and technical assignment records are retained as provided in this DPA and made available to Customers for audit, compliance, or regulatory review as required.
PART E – ANNEXES
Annex 1
EU/UK STANDARD CONTRACTUAL CLAUSES – DESCRIPTION OF TRANSFERS.
A. LIST OF PARTIES
Data Exporter(s):
As set out in Part B and the Processing Description: Notabene (when acting as Controller or Processor) or Customer, Initiating Agent, or Responding Agent (when acting as Controller).
Data Importer(s):
As set out in Part B and the Processing Description: may include Notabene (when acting as Processor or Controller), or Customer, including Infrastructure Provider (when acting as Processor, Subprocessor, or independent Controller for compliance), or any other approved Subprocessor/Transferee.
B. PROCESSING DETAILS / DESCRIPTION OF TRANSFER
- Categories of Data Subjects: Refer to Part B. Commonly includes: individuals associated with business clients of Customer, Initiating or Responding Agents (directors, officers, authorized signers, Beneficial Owners, representatives, employees, contractors).
- Categories of Personal Data Processed/Transferred: Refer to Part B and Processing Description. May include: identification data, KYC/AML data, account and transaction details, contact data, Onboarding Data, payment and fee instruction data, and any data required by law or for regulatory compliance.
- Sensitive Data and Safeguards: See Part B and relevant Schedules. Where sensitive data (as defined under the GDPR or applicable local law) is processed (e.g., KYC documentation, government IDs), appropriate safeguards are documented, including: access controls and training, encryption in transit and at rest, restricted personnel, granular audit trails, strict purpose limitation, restrictions on onward transfer, and additional controls as specified in Annex 2.
- Frequency of the Transfer: As set out in Part B and Processing Description. Typically continuous or as required by the Customer-initiated transaction within Transact or on Flow, as the case may be.
- Nature of the Processing: As described in Part B and Processing Description. This includes collection, recording, structuring, storage, retrieval, consultation, use, disclosure (including transmission and dissemination), restriction, erasure, and destruction.
- Purpose(s) of Data Processing / Transfer: As described in Part B and Processing Description: execution of payment/compliance transactions, regulatory and legal due diligence (AML/KYC/sanctions screening), recordkeeping, customer service, lawful reporting, and, where applicable, onboarding, fraud detection, network and information security, and any other purposes authorized in writing in the DPA.
- Duration/Retention: As described in Part B and Processing Description: for as long as necessary to fulfill the transaction, regulatory, and recordkeeping purposes required by law or agreement; subject to explicit purging upon instructions or service termination, except where retention is legally mandated.
- Processing by / Transfers to (Sub-)Processors: Subject matter, nature, and duration of all transfers to Infrastructure Providers and Approved Subprocessors/Transferees are as described in Part B, Processing Description, and relevant Annexes. All Subprocessors are bound by the terms outlined in the DPA and corresponding SCCs/IDTA, with details and schedules available upon request or at the Notabene-designated URL.
Annex 2
NOTABENE TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, considering the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons; this Annex 2 shall also be deemed incorporated by reference into Annex 2 (Technical and Organizational Measures Including Technical or Organizational Measures to Ensure the Security of Personal Data) of the Standard Contractual Clauses for all Restricted Transfers carried out under this DPA.
Notabene has implemented an information security management system aligned with ISO27001 and certified as meeting SOC2 Type II, as summarized below:
1. Information security policies
Notabene has implemented security policies and standards that are constantly reviewed in line with the overall direction of the organization’s information security practices. Risk assessments are performed on a regular basis and agreed mitigating controls are included in the policies, standards and procedures to address security globally.
2. Organization of information security
Notabene’s information security policies and standards assign responsibilities for information security related tasks. This ensures that the organization has established a framework, supported by senior leadership, that can adequately implement and maintain information security practices within the organization.
3. Human resource security
Notabene ensures individuals are screened before employment, makes sure that employees and contractors understand their responsibilities and addresses their responsibilities when they no longer hold that role – either because they’ve left the organization or changed positions.
4. Security controls
Notabene has implemented a set of information security controls to mitigate risks. These controls are developed through risk assessments and a cybersecurity strategy, and demonstrate commercially reasonable efforts to protect sensitive data stored and processed by Notabene.
Annex 3
CUSTOMER TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
This Annex describes the technical and organizational measures implemented by each Customer to ensure an appropriate level of security for the processing of personal data, considering the nature, scope, context, and purpose of the processing, as well as the risks posed to the rights and freedoms of natural persons.
1. Physical Access Control
Each Customer shall implement measures designed to verify the identity of authorized persons and to prevent unauthorized access to Customer premises and facilities where personal data is processed, including but not limited to:
- All entrances and access points secured by locked doors, key card, biometric, or similar secure authentication mechanisms;
- Windows and doors protected by a monitored alarm system;
- All visitors required to present identification and be registered by authorized personnel;
- Video surveillance at access points and sensitive areas, with recording retention policies;
- Visitors to be accompanied by authorized Customer personnel at all times;
- Use of motion detectors or other intrusion detection systems to monitor sensitive areas;
- Use of dedicated and physically isolated server suites or data centers with controlled access and security checks.
2. System Entry Control
Each Customer shall implement technical safeguards to prevent unauthorized access to data processing systems, including but not limited to:
- Unique user authentication with strong passwords, enforced password change policies, and account locking after failed attempts;
- Deployment of modern antivirus and anti-malware software with automatic updates, email filtering, and threat detection;
- Use of firewalls and intrusion detection/prevention systems at network boundaries;
- Automatic locking of user and administrator devices during inactivity;
- Password complexity and expiration requirements (expiry at least every 90 days), with support for multi-factor authentication, especially for remote access;
- Principle of least privilege governing system and network access, with formal authorization for elevated rights;
- Documented onboarding, role change, and offboarding processes to manage user privileges (starter, mover, leaver);
- Regular review and recertification of user access rights at least quarterly by designated security personnel;
- 24/7 network monitoring and alerting for unauthorized activities;
- Regular vulnerability scanning and timely remediation of identified weaknesses;
- Periodic penetration testing of data centers and applications.
3. Data Access Control
Each Customer shall control user and administrator access strictly, including:
- Implementation of a role-based access rights model granting data access only on a need-to-know basis;
- Centralized administration of user rights by qualified system administrators;
- Minimization of administrator accounts to necessary personnel only;
- Annual external audits and regular internal control audits for compliance with security policies;
- Continuous network monitoring to identify and report unauthorized access attempts.
4. Data Transfer Control
To protect data during transmission or transport, each Customer shall:
- Provide secure remote access to systems only via encrypted VPN tunnels or comparable state-of-the-art secure channels;
- Use email encryption protocols for sensitive communications;
- Ensure data stored on carriers or devices is encrypted with industry-standard solutions;
- Lock away physical storage devices and documents when not in use, implementing a clean desk policy;
- Transport physical data only in locked, tamper-evident containers or guarded vehicles;
- Deploy secure shredding processes compliant with industry standards and maintain certificates of disposal;
- Regularly update encryption and secure transfer methods to remain state-of-the-art (guided by authoritative standards such as the BSI data protection manual);
- Employ third-party secure off-site tape storage facilities;
- Use encrypted authentication certificates and secure communication protocols (such as HTTPS and SFTP) for all services.
5. Input Control
Each Customer shall maintain auditable logs to verify and trace who entered, modified, or deleted personal data, including:
- Systematic documentation of access to electronic documents and applications;
- Protocols for access to physical documents and storage locations;
- Use of individual user identification for data operations (create, update, delete).
6. Control of Instructions
Each Customer shall ensure compliance with Data Controller instructions by implementing:
- Formal, clear internal policies for data processing;
- Language in agreements reflecting data protection obligations;
- Rigorous selection of subcontractors based on data protection criteria;
- Continuous service quality monitoring and adherence to contractual and regulatory requirements;
- Independent third-party audits verifying contract compliance;
- Regular, comprehensive staff training on data protection and contractual obligations;
- Secure destruction processes conforming to industry standards and certification;
- Periodic risk assessments focusing on the control and monitoring of insider access;
- Network segmentation to separate personnel and services to reduce data exposure.
7. Availability Control
Each Customer shall implement measures to protect against accidental destruction or loss of data, including:
- Modern firewalls and network protections for storage environments;
- Anti-virus software with email filtering and malware detection on all endpoints;
- Regular data integrity verification using checksums or comparable methods;
- Encrypted and redundant data backup systems;
- Periodically tested backup recovery procedures.
8. Separation and Purpose Control
Each Customer shall maintain logical and physical separation of data collected for different purposes:
- Physical storage locations clearly segregated and labeled per client or data category;
- Strict authorization concepts ensuring only permitted personnel can access specific data;
- Logical separation of electronically stored Personal Data, including separate designated databases per client;
- Strong isolation between virtual environments to prevent unauthorized cross-access.
Annex 4
POPULATION OF SCCS
1. Incorporation and Completion of SCCs
1.1 In the context of any EEA or Swiss Restricted Transfer, the Standard Contractual Clauses (SCCs) completed in accordance with the data export/import structure, modules, and appendices set forth in this DPA and its annexes are incorporated by reference and form an effective and binding part of this DPA for all relevant transfers.
1.2 For Restricted Transfers from the United Kingdom, the SCCs (as varied and supplemented by the UK International Data Transfer Addendum), completed in accordance with this DPA and all incorporated schedules, are incorporated by reference and form an effective part of this DPA.
1.3 For Swiss Restricted Transfers, the SCCs (as amended for Swiss law and regulatory requirements—see below) are incorporated by reference and form an effective part of this DPA.
1.4 For Chinese Restricted Transfers, the SCCs (as varied or supplemented as required to comply with the Personal Information Protection Law (PIPL), relevant guidance, and the latest legally mandated SCC version for China) are incorporated by reference and form a binding part of this DPA, until local legislation or regulator mandates replacement.
1.5 For Restricted Transfers from the Republic of Türkiye, the SCCs (as varied and supplemented by the Turkish Standard Contractual Clauses), completed in accordance with this DPA and all incorporated schedules, are incorporated by reference and form an effective part of this DPA.
2. EEA and Swiss Transfers: Selection of SCC Modules and Clauses
2.1 The exact SCC module(s) (Controller-to-Controller, Controller-to-Processor, Processor-to-Processor, Processor-to-Controller) will be determined by party role in each transfer as set out in Part B and the Data Processing Description. Unless otherwise agreed:
- Controller-to-Controller transfers: Module One applies
- Controller-to-Processor transfers: Module Two applies
- Processor-to-Processor transfers: Module Three applies
- Processor-to-Controller transfers: Module Four applies
2.2 The SCCs will be deemed completed and incorporated as follows:
- The Docking Clause (Clause 7) is not used unless expressly agreed in writing.
- The audit terms in Clause 8.9 are governed by the audit provision in this DPA.
- Option 2 (“general written authorization”) applies for Subprocessors, with the advance notice set out in this DPA.
- Clause 11 optional language is not used and is deleted.
- Clause 13: all square brackets are removed and text retained.
- Clause 17: The law governing the SCCs shall be the law set forth in Part B or, by default, the law of Ireland for EEA/Swiss Transfers.
- Clause 18: The courts set forth in Part B or, if not specified, the courts of Ireland, have exclusive jurisdiction.
3. Population of SCC Annexes
3.1 Annex I (Appendix to the SCCs): Populated with the data exporter and data importer details in Part B, and the data processing details described in Annex 1 of this DPA.
3.2 Annex II (Technical and Organizational Measures): Populated with the information in Annex 2 (Notabene) and, when applicable, Annex 3 (Customer/Infrastructure Provider).
3.3 Annex III (Subprocessors): Populated with the list of Subprocessors and onward transfer recipients maintained as a schedule to this DPA.
3.4 The competent Supervisory Authority for Clause 13 is determined as follows:
- Where the data exporter is established in an EU Member State: that State’s Supervisory Authority.
- Where the exporter is not established in an EU Member State but has an EU representative, then it is the Authority in the State where that representative is based.
- If neither applies, the Supervisory Authority notified in writing by the exporter to the importer, as permitted by the SCCs.
4. UK Restricted Transfers
4.1 Where required, the SCCs are supplemented and varied by the UK International Data Transfer Addendum, which is fully incorporated and completed using the parties, processing, and security measures set forth in the DPA and its annexes.
4.2 Reference to “SCCs” in this DPA means the SCCs as varied by the UK Transfer Addendum for relevant transfers.
5. Swiss and Other Non-EEA Jurisdictions
5.1 For Swiss Restricted Transfers, all references to “EU,” “Member State,” etc. in the SCCs shall be read to include or be replaced by “Switzerland” as necessary; the Federal Data Protection and Information Commissioner (FDPIC) is the competent authority.
5.2 For Chinese Restricted Transfers, references to the GDPR or EU are to be replaced with the PIPL and “People’s Republic of China” and the “Cyberspace Administration of China,” as required, with governing law and jurisdictions updated accordingly as described in the latest guidance.
5.3 For Turkish Restricted Transfers, references to the GDPR or EU are to be replaced with the LPPD and “Republic of Türkiye” and the “Turkish Data Protection Authority,” as required, with governing law and jurisdictions updated accordingly as described in the latest guidance.
Annex 5
INTERNATIONAL DATA TRANSFER ADDENDUM TO THE EU COMMISSION STANDARD CONTRACTUAL CLAUSES
I. International Transfers from the UK
This part of the Addendum is issued by the UK Information Commissioner’s Office for parties making Restricted Transfers under the UK GDPR. When used as a legally binding contract attached to the EU SCCs, it provides Appropriate Safeguards for Restricted Transfers from the UK.
Table 1: Parties
Start date:
- Refer to the Effective Date as set out in Part B of the DPA.
Annex 1 – The Parties:
- Exporter (who sends the Restricted Transfer): Defined as per Part B and the Processing Description—may be Customer, Notabene, Initiating Agent, or Responding Agent, depending on the data flow.
- Importer (who receives the Restricted Transfer): Defined as per Part B and the Processing Description—may be Notabene, Infrastructure Provider, Subprocessor, or any data recipient under the DPA.
- Parties' details and key contacts: Refer to Part B of the DPA for each party's legal name, address, and primary point of contact.
Table 2: Selected SCCs, Modules, and Selected Clauses
- Addendum EU SCCs:
- The Approved EU SCCs, including all Schedules and Appendix Information, as set forth in Part B (as applicable) and Annex 2 of the DPA.
Table 3: Appendix Information
- “Appendix Information” means the required information for completing the selected Modules of the SCCs (other than the Parties). For this Addendum, the relevant details are:
- Annex 1A: List of Parties: See Part B—Cover Page of the DPA and Annex 1 of the DPA.
- Annex 1B: Description of Transfer: See Part B and Processing Description of the DPA.
- Annex 2: Notabene Technical and Organizational Security Measures: See Annex 2 of the DPA.
- Annex 3: Customer and Infrastructure Provider Technical and Organizational Security Measures: See Annex 3 of the DPA.
Table 4: Ending this Addendum
Ending this Addendum:
As permitted in Section 19 of the UK Addendum, either party (Exporter or Importer) may end this Addendum with written notice, subject to any mandatory statutory notice periods or contractual notice periods set forth in the DPA or the underlying service agreement.
- ☒ Importer (Notabene / Customer / Infrastructure Provider)
- ☒ Exporter (Notabene / Customer / Infrastructure Provider)
- ☐ Neither Party
Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.
[At the time of drafting, the Mandatory Clauses are set out in full at https://ico.org.uk/media2/migrated/4019539/international-data-transfer-addendum.pdf]
II. International Transfers from Argentina
This part of the Addendum is to be used for transfers of Personal Data by Customer from Argentina to countries outside Argentina, as governed by the Argentina PDPL and its implementing regulations. The parties agree that, for such transfers, this Addendum incorporates the following terms:
1) The Model Agreement of International Transfer of Personal Data for the case of Provision of Services (Contrato modelo de transferencia internacional de datos personales con motivo de prestación de servicios), approved by the National Directorate for Personal Data Protection (currently Agency for the Access to Public Information) of the Republic of Argentina as set out in Disposition 60 – E/2016 on November 2, 2016, Annex I and II, as amended or superseded from time to time, currently available at: https://servicios.infoleg.gob.ar/infolegInternet/anexos/265000-269999/267922/norma.htm (the “Argentine Model Clauses”) will be incorporated by reference and form an integral part of this Addendum with the following modifications: (a) Annex A of the Argentine Model Clauses will be deemed completed with the information provided in this Addendum; and (b) if and to the extent the Argentine Model Clauses conflict with any provision of this Addendum, the Argentine Model Clauses will prevail to the extent of such conflict.
III. International Transfers from Bahrain
This part of the Addendum is to be used for transfers of Personal Data by Customer from Bahrain to countries outside Bahrain and is governed by the Bahrain PDPL and its implementing regulations. The parties agree that, for such transfers, this Addendum incorporates the following:
1) The parties acknowledge that the Bahrain PDPL permits cross border transfers of Personal Data from Bahrain only where (a) the destination country or territory ensures an adequate level of protection as determined in accordance with the Bahrain PDPL or is included on any list of adequate jurisdictions approved by the competent data protection authority, or (b) another transfer ground, safeguard or derogation permitted under the Bahrain PDPL applies, including where the data subject has given valid consent, the transfer is necessary for the performance of a contract to which the data subject is party or for pre contractual measures taken at the data subject’s request, the transfer is necessary for the performance or conclusion of a contract concluded in the interest of the data subject, or the transfer is authorized or permitted by the competent data protection authority.
2) For the purposes of such transfers, Customer shall be deemed the Controller and the data exporter, and Notabene shall be deemed the Processor and the data importer. Customer, as data exporter, is responsible for determining, in accordance with the Bahrain PDPL, whether the destination country or territory ensures an adequate level of protection or whether another lawful transfer mechanism, safeguard or derogation under the Bahrain PDPL applies to the relevant transfer, including where transfers take place through or via the Services.
3) If a transfer or a category of processing activities involving Personal Data originating from Bahrain and carried out under the Agreement would, in the written opinion of Customer acting reasonably, infringe the Bahrain PDPL and such infringement cannot be remedied by reasonable changes to the processing, supplementary measures, or alternative transfer mechanisms permitted under the Bahrain PDPL, the parties shall cooperate in good faith to suspend the affected transfers and, where necessary, to terminate the relevant processing activities to the extent required to comply with the Bahrain PDPL, without penalty to Notabene or Customer for such suspension or termination.
4) In the event of any conflict between this Bahrain specific section of the Addendum and any other provision of this Addendum or the Existing DPA, this Bahrain specific section shall prevail solely with respect to the processing and transfer of Personal Data subject to the Bahrain PDPL, to the extent necessary to ensure compliance with the Bahrain PDPL.
IV. International Transfers from Brazil
This part of the Addendum is to be used for transfers of Personal Data by Customer from Brazil to countries outside Brazil and is governed by the LGPD and its implementing regulations. The parties agree that, for such transfers, this Addendum incorporates the following:
1) The approved Regulation on International Transfer of Personal Data and the Standard Contractual Clauses Model, as amended or superseded from time to time, currently available at: https://www.gov.br/participamaisbrasil/regulation-on-international-transfer-of-personal-data (the “LGPD SCCs”) will be incorporated by reference and form an integral part of this Addendum with the following modifications: (a) Option B, for Clause 3.1 with respect to onward transfers is selected permitting Processor as the data importer to carry out an onward transfer of Personal Data subject to the LGPD SCCs; (b) with respect to who is responsible for the items listed in Clauses 14, 15 and 16 of the LGPD SCCs, it is the Customer when acting as the data exporter; (c) Sections I, III and IV of the LGPD SCCs will be deemed completed with the information provided in this Addendum; and (d) if and to the extent the LGPD SCCs conflict with any provision of this Addendum, the LGPD SCCs will prevail to the extent of such conflict.
V. International Transfers from Switzerland
This part of the Addendum is to be used if the EU SCCs are used as a transfer mechanism for transfers of Personal Data by Customer in Switzerland to an inadequate country, as governed by the FADP. The parties agree that, for such transfers, this Addendum incorporates the relevant module(s) of the EU SCCs attached in the SCCs, which are deemed to be amended in accordance with the Swiss Specific Terms set out below:
1) References to “Regulation (EU) 2016/679” or “that Regulation” are replaced by references to the “FADP”; references to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of the FADP; and references to Regulation (EU) 2018/1725 are removed.
2) For the purposes of Clause 13(a) of the EU SCCs, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner (“FDPIC”);
3) For the purposes of Clause 17 of the EU SCCs, the EU SCCs shall be governed by Swiss law or the law of a country that allows and grants rights as a third-party beneficiary;
4) For the purposes of Clause 18 of the EU SCCs, the parties agree that any dispute between the parties arising from the EU SCCs shall be resolved by the courts of Switzerland and the term “Member State” must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs;
5) The EU SCCs also protect the data of legal entities until the entry into force of the Revised FADP. For the avoidance of doubt, the above amendments apply to the extent that the transfer of Personal Data is subject to the FADP.
VI. International Transfers from UAE (Dubai and Abu Dhabi)
This part of the Addendum is to be used for transfers of Personal Data by Customer from the UAE (Dubai and Abu Dhabi) to countries outside the UAE (Dubai and Abu Dhabi) and is governed by the UAE PDPL, ADGM and DIFC. The parties agree that, for such transfers, this Addendum incorporates the following terms:
1) Any transfer of Personal Data outside the UAE will comply with applicable Data Protection Laws, including the PDPL, ADGM’s Module Two (controller to processor clauses) and Module Three (processor to processor clauses) Standard Contractual Clauses (“ADGM SCCs”), currently available at: https://www.adgm.com/operating-in-adgm/office-of-data-protection/guidance/ and DIFC Standard Contractual Clauses, currently available at: https://www.difc.ae/business/registrars-and-commissioners/commissioner-of-data-protection/data-export-and-sharing (“DIFC SCCs”), as amended or superseded from time to time, and such model clauses will be incorporated by reference and form part of this Addendum;
2) With respect to the DIFC SCCs and ADGM’s SCCs, the clauses (including the Module Two and Three clauses of the ADGM) are incorporated by reference and form part of this Addendum with the following modifications: (a) in Clause 9, Option 2 for Module Two and Three of the ADGM SCCs and Option 2 for the DIFC SCCs apply and changes to Sub-processors will be notified in accordance with the ‘Sub-processors’ section of this DPA; (b) the Annexes of the ADGM SCCs and DIFC SCCs will be deemed completed with the information provided in this Addendum; (c) if and to the extent the ADGM SCCs conflict with any provision of this Addendum, the ADGM SCCs will prevail to the extent of such conflict; and (d) if and to the extent the DIFC SCCs conflict with any provision of this Addendum, the DIFC SCCs will prevail to the extent of such conflict.
VII. International Transfers from the Republic of Türkiye
This part of the Addendum is to be used for transfers of Personal Data by Customer from the Republic of Türkiye to countries outside the Republic of Türkiye and is governed by the Turkish PDPL. The parties agree that, for such transfers, this Addendum incorporates the following terms and the relevant Standard Contracts published by the Turkish Data Protection Authority (“Turkish SCCs”) are deemed to have been validly entered into by the parties:
1) Any transfer of Personal Data outside the Republic of Türkiye will comply with applicable Data Protection Laws, including the Turkish PDPL and the Turkish SCCs Module One (controller to controller), currently available at: https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/d4577ac6-d2cd-4ff4-839f-4218812c3cdc.pdf, https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/edfed565-f2bf-4826-ab0e-ec46e745da2d.pdf, Module Two (controller to processor), currently available at: https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/e6d8e2b8-227b-4f6b-ac44-7fa53af79cc9.pdf, https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/b531d656-9cea-4cdb-84ce-1ab92198c9b1.pdf, Module Three (processor to processor), currently available at: https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/79643c8e-4960-4d7b-8955-e20f3bbb5926.pdf, https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/f2840ffa-4fcb-404f-ae01-573afb37ae85.pdf, and Module Four (processor to controller), currently available at: https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/1021771b-9af0-4976-b3eb-85b6c52743a2.pdf, https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/014912d2-ee35-437e-95a9-dbb6f256e3e1.pdf;
2) With respect to the Turkish SCCs, the clauses are incorporated by reference and form part of this Addendum with the following modifications: (a) in Clause 8, Option 2 for Module Two and Three of the Turkish SCCs apply and changes to Sub-processors will be notified in accordance with the ‘Sub-processors’ section of this DPA; (b) the Annexes of the Turkish SCCs will be deemed completed with the information provided in this Addendum; (c) if and to the extent the Turkish SCCs conflict with any provision of this Addendum, the Turkish SCCs will prevail to the extent of such conflict;
3) As per the additional information requirements set forth in the Annexes of the Turkish SCCs:
a) The VERBIS registration information included shall pertain to the Exporter (who sends the Restricted Transfer) and to the importer, Notabene, INC, whose VERBIS registration information can be accessed at https://verbis.kvkk.gov.tr/sicil-sorgula.
Annex 6
SUBPROCESSOR LIST FOR RESTRICTED TRANSFERS FROM THE EU OR UK
This Annex sets forth additional terms governing Restricted Transfers of Personal Data from the European Economic Area, Switzerland, and the United Kingdom under the EU GDPR, UK GDPR, and Swiss FADP, and identifies the Subprocessors engaged by Notabene for the provision of Transact and Flow. It applies solely to the extent that such Subprocessors receive or Process Personal Data as Data Importers under the EU SCCs and/or the UK International Data Transfer Addendum, and the then-current version of this Annex, as maintained by Notabene online at https://trust.notabene.id/subprocessors and updated from time to time in accordance with this DPA, shall be deemed incorporated by reference into Annex 3 (Subprocessors) to the Standard Contractual Clauses.
NOTE: This table applies only to Customers using the EU infrastructure.
Annex 7
UNITED STATES SPECIFIC TERMS AND OBLIGATIONS
This Annex sets forth terms and obligations required under state privacy laws of the United States; this section applies to the extent applicable to Customers of both Transact and Flow.
1. Definitions
a) “US Privacy Laws” means any applicable laws, rules and regulations, currently in effect, or as such laws, rules, and regulations come into effect during the term of the Agreement, concerning privacy, data protection, confidentiality, information security, availability and integrity, or the handling of Personal Data. Applicable laws may include, without limitation: CCPA, Colorado Privacy Act ("CPA"), Connecticut Data Privacy Act ("CTDPA"), Florida Digital Bill of Rights (“FDBR”), Indiana Consumer Data Protection Act (“ICDPA”), Iowa Data Protection Act (“IDPA”), Kentucky Consumer Data Protection Act (“KCDPA”), Montana Consumer Data Privacy Act (“MCDPA”), Oregon Consumer Privacy Act (“OCPA”), Tennessee Information Protection Act (“TIPA”), Texas Data Privacy and Security Act (“TDPSA”), Utah Consumer Privacy Act (“UCPA”), and Virginia Consumer Data Protection Act ("VCDPA").
b) For purposes of this Addendum/DPA, the terms “Business,” “Service Provider,” “Consumer”, “Personal Data,” “Processing,” “Deidentified”, “Sell/Sale/Sold”, “Share/Shared/Sharing,” “Controller,” and “Processor,” shall have the meanings set forth in the applicable US Privacy Laws.
c) All references to “Data Subject” in this Annex 7 to the DPA shall be deemed to be references to similar terms used under US Privacy Law, including without limitation, “Consumer” as defined in the CPRA.
2. Obligations
a) The Service Provider in respect of Personal Data processed on behalf of the Business shall NOT:
(i) sell or share the Personal Data;
(ii) retain, use or disclose Personal Data for any purpose (including Service Provider’s own commercial, direct marketing, or advertising purposes) other than for the business purposes specified in the contract, including retaining, using, or disclosing Personal Data for a commercial purpose other than the business purposes specified in the contract or as otherwise permitted by the CPRA or other US Privacy Laws allowing for such purposes that are reasonably necessary (and proportionate, adequate, relevant, and limited) to the Services (e.g., processing that is required to comply with the Agreement between parties or any legal obligation);
(iii) retain, use, or disclose the Personal Data outside of the direct business relationship between the Service Provider and the Business;
(iv) where it processes Personal Data for different Businesses, and for itself (including from its own interaction with Consumers), combine Personal Data from different sources, provided that the Service Provider may combine Personal Data to perform any business purpose as defined in regulations adopted under the CPRA.
b) The Service Provider shall:
(i) only process the Business’ Personal Data in accordance with Annex 7 of this DPA, and any documented instructions given from time to time by the Business, which may identify the limited purposes, methods, and duration of data processing with respect to specific types of Personal Data;
(ii) notify the Business of Subprocessor(s) it may engage to process Personal Data on behalf of the Business;
(iii) bind such Subprocessor(s) by written contract to the same processing obligations imposed on the Service Provider by the Data Protection Agreement between the parties, to the extent applicable to the subcontracted Services, and shall describe the subcontracted Services;
(iv) permit the Business to monitor contractual compliance (including to ensure that Personal Data transferred to the Service Provider is processed in a manner consistent with the Business' obligations under US Privacy Laws) through manual reviews, automated scans, regular assessments, audits, technical and operational testing, and such other means, at least once a year;
(v) provide the same level of privacy protection as is required by US Privacy Laws, and assist the Business by providing appropriate technical and organizational measures in complying with the requirement to implement reasonable security procedures and practices;
(vi) pursuant to this Annex, and Service Provider’s relationship with the Business, refrain from using sensitive Personal Data upon instructions from the Business;
(vii) assist the Business in responding to a verifiable Consumer request, including by:
(A) providing to the Business the Consumer’s Personal Data in the Service Provider’s possession;
(B) correcting or enabling the Business to correct inaccurate information;
(C) notifying any of its own service providers or contractors to delete Personal Data about the Consumer collected, used, processed, retained, or accessed by the service provider or the contractor, unless the Personal Data was accessed at the direction of the Business;
(D) deleting or helping the Business delete Personal Data received, at the Business's direction;
(viii) notify the Business immediately if the Service Provider makes a determination that it can no longer meet its obligations under US Privacy Laws or provide the protections within this Annex 7, and cease processing or take other reasonable or appropriate steps to remediate; provided that where such notification is given, the Business shall have the right to take reasonable and appropriate steps to stop and remediate the unauthorized Personal Data use/processing;
(ix) grant the Business the right to take reasonable and appropriate steps to help ensure that Personal Data processing is consistent with the Business’ US Privacy Law obligations;
(x) comply with such other relevant and applicable obligations under US Privacy Laws that may be made pursuant to it or as an amendment;
(xi) where Service Provider processes deidentified data, ensure that it:
(A) takes reasonable measures to ensure the data cannot be associated with an individual;
(B) publicly commits to maintain and use the information in deidentified form and not to attempt to reidentify the information, except that the Business may attempt to reidentify the information solely for the purpose of determining whether its deidentification processes satisfy the requirements of this subdivision; and
(C) contractually obligates any recipients of the information to comply with all provisions of this subdivision.
c)
Compliance with US Privacy Laws
(i)
Service Provider will process Personal Data only in compliance with US Privacy Laws.
(ii)
Service Provider hereby certifies that it understands its restrictions and obligations set forth in this DPA, specifically this Annex, including its obligation to comply with US Privacy Laws.
(iii)
Business shall: 1. Comply with all US Privacy Laws in the written instructions it provides to Services Provider; and 2. Make the required disclosures and obtain the necessary consents for Service Provider to process Personal Data. Business shall notify Service Provider if, in the opinion of Business, an instruction it gave Service Provider breaches US Privacy Laws.
(iv)
If Business cannot comply with US Privacy Laws in the performance of its obligations to Service Provider, Business agrees to promptly inform Service Provider of its inability to comply, in which case Service Provider is entitled to suspend the processing of Personal Data, terminate the Agreement or otherwise stop and remediate any issues that arise as a result of Business’ failure to comply with US Privacy Law.
d)
Audit Rights
(i)
Service Provider shall make available to Business on request all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to written audits, by Business or an auditor mandated by Business in relation to the processing of Personal Data by the Subprocessor(s).