This Data Processing Agreement (“DPA”) sets out the obligations for the processing of personal data during the execution, and after the termination of, the Main Services Agreement or an End User License Agreement (the “Agreement”). Notabene is qualified as a Processor (defined below) and this DPA shall apply where, while performing the Services under the Agreement, Notabene processes Customer Data or End User Data, respectively, that are “personal data” or “personal information” under applicable data protection laws, on behalf of Customer/End User, which are not the names or professional contact details of the representatives of Customer/End User. This DPA was last updated on July 14, 2025.
1. Definitions
a. “Data Protection Laws” means any applicable laws and regulations in any relevant jurisdiction relating to the use or processing of Personal Data, including: (i) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”) and the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”); (ii) the Swiss New Federal Act on Data Protection (the “Swiss FADP”); (iii) the Personal Data Protection Act 2012 of Singapore (“PDPA”); and (iv) the California Consumer Privacy Act, as amended by the California Privacy Rights Act of 2020 (“CCPA”); in each case, as updated, amended, or replaced from time to time.
b. The terms “Data Subject,” “Personal Data,” “Personal Data Breach,” “processing,” “processor,” “controller,” and “supervisory authority” shall have the meanings set forth, as applicable, in the EU GDPR, UK GDPR, Swiss FADP, PDPA, or CCPA. If no definition is provided by the applicable law, the definition set in the EU GDPR shall prevail. Notwithstanding the foregoing, all references to “Personal Data,” “Data Subject,” “Controller,” and “Processor” in the DPA (the latter two terms as defined below) shall be deemed to be references to “Personal Information,” “Consumer,” “Business,” and “Service Provider,” respectively, as defined in the CCPA.
c. “Persons in Charge of Data Processing” means the employees and any natural persons who, authorised by the Processor and/or its Sub-Processors, if any, can process the Processed Data (as defined below);
d. “Platform” means the relevant web, online platform or other software service or application developed by Notabene, and shall include any modifications, customizations and derivatives of the same;
e. “Processed Data” means all the personal data processed by the Processor on behalf of the Controller under the Services, as better defined in Appendix 1 – Details of Processing Activities;
f. “Customer Personal Data” means any Customer Data or End User Data provided to Notabene by the Customer or End User, respectively, in connection with Notabene’s delivery of its Services, which qualifies as “personal data” or “personal information” under applicable data protection laws.
g. “Security Measures” means the security measures and any other obligations under the Data Protection Laws for the purposes of guaranteeing the security and confidentiality of the Processed Data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures, as well as procedures and activities to be performed in case of a personal data breach to prevent and reduce the adverse effects of the breach on the affected data subjects, in particular, those described in Appendix 2 – Technical and Organisational Measures and the security policies available in the Processor’s Trust Center at https://trust.notabene.id/;
h. “Sub-Processor” means the legal person, company, or independent professional that, authorized by the Controller and engaged by the Processor, is allowed to carry out activities entailing the processing of the Processed Data, as permitted under Data Protection Laws and this DPA. Authorized Sub-Processors are detailed in Appendix 3 – General Authorization for Sub-processing;
i. “EU SCCs” means the Standard Contractual Clauses based on the Commission Implementing Decision (EU) 2021/914, of 4 June 2021, as amended or updated from time to time, incorporated into this DPA by reference.
j. “UK Addendum” means the International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses, issued by the UK Information Commissioner’s Office under section 119A of the Data Protection Act 2018, as may be amended, updated, or replaced from time to time.
k. “ASEAN MCCs” means the Model Contractual Clauses, to which Singapore adheres, developed by the Association of Southeast Asian Nations (“ASEAN”) to facilitate the lawful transfer of personal data across borders.
Capitalized terms not otherwise defined in this DPA will have the meanings given to those terms in the applicable Agreement.
2. Scope
2.1. Notabene shall act as the Processor (“Processor”) in relation to the processing of Processed Data on behalf of the Customer/End User which is qualified as the Controller (“Controller”), exclusively for the purposes of executing the Agreement or as required by law, according to the terms and conditions of this DPA and of the Data Protection Laws.
2.2. The type of personal data and processing activities to be handled by the Processor are described in Appendix 1 – Details of Processing Activities. Any amendment to this list must be done in writing by the signature of both Parties, and a copy of said updated list must be enclosed on the final versions of this DPA.
2.3. In relation to any processing of Processed Data carried out by the Processor or by a Sub-Processor, directly or through the respective Persons in Charge of Data Processing, for purposes other than those within the scope of this DPA and the Services engaged, and on the basis of different relationships with data subjects, the Processor or its subsequent Subcontractors shall not act as processors of the Controller in relation to the Processed Data, but as independent data controllers, or processors of entities other than the Controller, as the case may be.
2.4. The Parties further acknowledge and agree that, to the extent the processing of personal information or personal data is subject to the CCPA, such processing shall be carried out in accordance with the terms set forth in Appendix 4 – CCPA Specific Terms and Obligations.
3. Term
3.1. This DPA shall be effective from the date of acceptance of the Agreement up to the end of the transitional period of thirty (30) days granted after the termination of such Agreement or its related Services.
3.2. During this transitional period, the Controller will be able to delete, remove or transfer the Processed Data resulting from the Services. After this transitional period, the Processor may permanently delete all the Processed Data from the Platform and all the existing copies, unless any applicable law requires storage of the Processed Data.
3.3. The Processor shall ensure that all Persons in Charge of Data Processing, its Sub-Processors, if any, and their Persons in Charge of Data Processing, comply with the obligations laid down in this DPA, as applicable, in the manner and in accordance with the timing indicated in this DPA.
4. Obligations of the Controller
4.1. The Controller undertakes to:
4.1.1. Ensure that the collection and further processing of all Processed Data is done in a lawful manner;
4.1.2. Provide clear and timely written instructions to the Processor regarding the Processed Data;
4.1.3. Assist and cooperate, in a reasonable manner, with the Processor whenever required under the processing of the Processed Data, namely if it suspects any data breach that could undermine the availability, integrity, privacy, and/or security of the Processed Data;
4.1.4. Inform the Processor of any restriction required to the processing of any Processed Data, regardless if required by a Data Subject or instructed by a relevant data protection supervisory authority;
4.1.5. Keep the Processor up to date about the Processed Data or any other relevant information for its processing by the Processor or by its Sub-Processors, namely about any notification or request for information from a relevant data supervisory authority.
5. Obligations of the Processor
5.1. The Processor undertakes to:
5.1.1. Process the Processed Data for the sole purpose of performing the Services, subject to the limits and in the manner provided for by the Agreement between Controller and Processor for the provision of such Services, this DPA, and the Data Protection Laws, and in strict compliance with the written instructions given by the Controller, and shall immediately inform the Controller in writing should it deem that any of these instructions is in breach of any Data Protection Laws;
5.1.2. Process exclusively the Processed Data that is strictly necessary to correctly and fully perform the Services or meet the obligations set out under applicable Data Protection Laws;
5.1.3. Process the Processed Data lawfully, fairly, and in full compliance with the principles applicable to data processing, with the requirements laid down by the Data Protection Laws and the information on the processing of the Processed Data provided to the relevant data subjects by the Controller;
5.1.4. Assist and cooperate, in a reasonable manner, with the Controller whenever required under the processing of the Processed Data, namely if it suspects any data breach that could undermine the availability, integrity, privacy, and/or security of the Processed Data;
5.1.5. Inform the Controller of any restriction required for the processing of any Processed Data, regardless if required by a Data Subject or instructed by a relevant data protection supervisory authority, unless prohibited by law;
5.1.6. Keep the Controller up to date about the Processed Data or any other relevant information, namely about any notification or request for information from a relevant data supervisory authority;
5.1.7. Cooperate with and assist the Controller in the response to any notifications from a supervisory authority in connection with the Processed Data, including, without limitation, the provision of supporting documentation to be submitted to the relevant supervisory authority as evidence that the Processor is legally bound by the terms of this DPA;
5.1.8. Provide to the Controller, upon request, all the information in its possession or control referring to the processing of the Processed Data under this DPA, namely for the Controller to assess whether such processing is carried out in accordance with this DPA;
5.1.9. Disclose the information reasonably required by the Controller for the performance of privacy impact assessments concerning the processing activities and cooperate on the implementation of mitigation actions agreed by the Parties to address privacy risks which may have been identified; and
5.1.10. Permit, provide information for, and cooperate with the Controller regarding audits, including any inspections conducted by the Controller or another auditor mandated by the Controller.
5.2. With regard to the Persons in Charge of Data Processing, the Processor further undertakes to:
5.2.1. guarantee that the Persons in Charge of Data Processing can access and process only the Processed Data that is strictly necessary for correctly and fully performing the Services or meeting the legal requirements, in each case, subject to the limits and in accordance with the conditions of this DPA;
5.2.2. guarantee that the Persons in Charge of Data Processing are subject to confidentiality undertakings or professional or statutory obligations of confidentiality;
5.2.3. consent that the Processed Data are processed only by the Persons in Charge of Data Processing who (i) on the basis of their experience, capabilities, and training, can ensure compliance with Data Protection Laws and the need to access the data for the purpose of performing the Services; and (ii) periodically attend training courses on the obligations prescribed by the Data Protection Laws;
5.2.4. adopt any physical, technical and organizational measure aimed at enabling:
5.2.4.1. each Person in Charge of Data Processing to access exclusively the Processed Data that he/she is authorized to process, by taking into account the activity that he/she is required to carry out to perform the Services;
5.2.4.2. any processing of the Processed Data that is in breach of the DPA and/or the Data Protection Laws to be promptly identified and reported to the Controller; and
5.2.4.3. upon termination of the Services and, with respect to each Person in Charge of Data Processing, upon termination of the appointment of such Person in Charge of Data Processing, including, without limitation, when the employment or collaboration relationship between the Person in Charge of Data Processing and the relevant Processor or Sub-Processor is terminated, ensure total confidentiality, availability, and integrity of the Processed Data.
6. Sub-processors
6.1. Regarding the Processed Data, the Processor undertakes to engage and work only with sub-processors whose collaboration the Controller did not reasonably oppose in writing.
6.2. Sub-Processors identified in Appendix 3 – General Authorization for Sub-processing are hereby authorized by the Controller to process Processed Data provided that said Sub-Processor:
6.2.1. has committed to confidentiality obligations and enters into a written agreement providing the same data protection obligations as set out in this DPA and other obligations as may be required by the Controller under the instructions of the Processor;
6.2.2. acts exclusively on behalf of the Controller’s or Processor’s instructions;
6.2.3. provides adequate guarantees with reference to the technical and organizational measures adopted for the processing of the Processed Data, including, without limitation, ensuring that the Sub-Processor immediately ceases the processing of the Processed Data should such guarantee be no longer available.
6.3. In case of any intended changes concerning the addition or replacement of any of the Sub-Processors identified in Appendix 3 – General Authorization for Sub-processing, the Processor undertakes to notify the Controller, giving the Controller the opportunity to reasonably object to such change within 30 (thirty) days from this notification. If the Controller notifies the Processor of any objection to the proposed appointment, the Parties shall work together to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed sub-processor. Costs related to this change, if any, will be borne by the Controller.
6.4. The Processor shall completely adopt all the Security Measures in compliance with the Data Protection Laws and this DPA.
7. Security measures
7.1. Without limiting the foregoing, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of the processing of the Processed Data, and the likelihood and severity of the risk to the rights and freedoms of natural persons, Processor shall implement appropriate technical and organizational measures to ensure a level of security that is proportionate to the risk associated with the processing of the Processed Data, including, without limitation, measures such as encryption, access controls, regular testing of systems, and procedures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems, and particularly including, but not limited to, the measures set forth in Section 7.2.
7.2. Processor shall maintain and enforce various policies, standards and processes, available in the Processor’s Trust Center at https://trust.notabene.id/, which are designed to secure personal data and other data to which Processor employees are provided access, and update such policies, standards, and processes from time to time consistent with industry standards. Without prejudice to the rules contained within Section 7.1 above, the Processor shall implement appropriate technical and organizational measures, available in the Processor’s Trust Center at https://trust.notabene.id/. These measures ensure a level of security adequate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of the data subjects.
8. Processed Data Breach
8.1. In the event of a Personal Data Breach or any other incidents that may compromise the security of the Processed Data (such as loss, damage, or destruction of the Processed Data in an electronic or hard copy format, third party unauthorized access to the Processed Data, or any other breach of the Processed Data) including, without limitation, any breach or other incident resulting from the conduct of, if any, the Processor’s Sub-Processors and/or its Persons in Charge of Data Processing, the Processor shall:
8.1.1. without undue delay, and not to exceed forty-eight (48) hours, inform the Controller by email, which shall include at least information regarding the type and description of the Personal Data Breach, identification of the Processed Data and the Data Subjects affected, and potential consequences of said breach, as well as any remedies already put in place (if any). To the extent it is not possible to provide all the relevant information at the same time, the information may be provided in phases without undue delay; and
8.1.2. in collaboration with the Controller, adopt immediately, and in any case without undue delay, all necessary measures to minimize any type of risk that may derive for the Data Subjects from such breach or incident, remedy such breach or incident, and mitigate any possible adverse effect.
8.2. The Controller is fully liable, whenever required, for notifying such Personal Data Breach to the relevant data protection supervisory authority and to the Data Subjects, if applicable.
9. Data Subjects’ Rights
9.1. The Controller shall ensure that the rights granted to the Data Subjects under applicable Data Protection Laws are effectively executed. The Processor undertakes to notify the Controller in writing within five (5) Business Days of receipt of any request made in this respect by the Data Subjects.
9.2. The Processor shall cooperate with the Controller to ensure that all requests by Data Subjects exercising their rights under the Data Protection Laws (including, without limitation, the right to object to the processing and the right to the Processed Data portability) are complied with within the time period and in accordance with all other requirements provided for by the Data Protection Laws.
10. Audits
The Processor acknowledges and accepts that the Controller may assess the organizational, technical, and security measures adopted by the Processor in the processing of the Processed Data by way of audit no more frequently than annually (unless in the context of a Processed Data Breach). To this end, upon no less than ten (10) Business Days’ prior written notice (except if there is a reasonable urgency of the Controller for an earlier prior notice), the Controller will be entitled to access, directly or through any authorized third party, the premises, computers, and any other IT system/file of the Processor and its Sub-Processors, if, at its sole discretion, the Controller deems it necessary to verify compliance by the Processor and/or one of its Sub-Processors with this DPA and the Data Protection Laws or to ascertain any Processed Data Breach.
11. Data Transfer
11.1. The Processor will carry out the processing only in the European Economic Area (“EEA”) and agrees not to transfer the Processed Data outside the EEA, except if the Processor: (i) is required to do so by any applicable law to which the Processor is subject, in which case the Processor shall notify the Controller of such legal requirement before processing, unless that law prohibits such notification, or (ii) receives Controller’s prior written consent, which shall be in accordance with applicable Data Protection Laws and the instructions that the Controller provides to the Processor.
11.2. In the event that Personal Data is transferred to a country not covered by an adequacy decision or alternative mechanism under applicable Data Protection Laws, the Processor shall implement and maintain appropriate technical, organizational, and legal safeguards, such as the EU SCCs, the UK Addendum, or equivalent mechanisms, to ensure the continued protection of the data.
11.3. If any of the Sub-Processors engaged by the Processor begins processing the Controller’s Personal Data outside the EEA, the Processor shall notify the Controller of such change and shall ensure that the Sub‑Processor enters into the EU SCCs or the UK Addendum, as applicable, or implements equivalent safeguards, as required by applicable Data Protection Laws.
11.4. In the event that Subsection 11.2 or Subsection 11.3 above applies, the following shall be implemented, respectively:
11.4.1. Transfers of Personal Data, which are processed in accordance with the EU GDPR, from the Data Exporter (Controller) to the Data Importer (Processor) outside of the European Economic Area, are made pursuant to the Module Two (Controller to Processor) EU SCCs https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj, which are deemed entered into (and incorporated into this DPA by this reference). For Module Two (Controller to Processor) of the EU SCCs, the following applies:
a. The optional docking clause in Clause 7 does not apply;
b. In Clause 9, Option 2 (general written authorisation) applies;
c. In Clause 11, the optional language does not apply;
d. All square brackets in Clause 13 are hereby removed;
e. In Clause 17 (Option 1), the SCCs will be governed by Irish law;
f. In Clause 18(b), disputes will be resolved before the courts of Ireland;
g. Appendix 1 to this DPA contains the information required in Annex I of the SCCs;
h. Appendix 2 to this DPA contains the information required in Annex II of the SCCs; and
i. Appendix 3 to this DPA contains the information required in Annex III of the SCCs.
11.4.2. For Personal Data that is protected by the UK GDPR, the EU SCCs: (i) apply as completed in accordance with item 11.4.1 above; and (ii) are deemed amended as specified by the UK Addendum, which is deemed executed by the Parties and incorporated into and forms an integral part of this DPA. In addition, Tables 1 to 3 in Part 1 of the UK Addendum are to be completed respectively with the information set out in Appendices 1, 2, and 3 of this DPA, and Table 4 in Part 1 is to be deemed completed by selecting “neither party.”
11.4.3. Transfers from Switzerland are made pursuant to the EU SCCs with the following modifications:
a. References to “General Data Protection Regulation” or “Regulation (EU) 2016/679” are interpreted as references to the Swiss FADP;
b. References to specific Articles of “Regulation (EU) 2016/679” are replaced with the equivalent article or section of the Swiss FADP;
c. References to “EU”, “Union”, “Member State” and “Member State law” are replaced with references to “Switzerland”, or “Swiss law;”
d. The term “member state” is not interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland);
e. Clause 13(a) and Item 10 of Appendix 1 are not used and the “competent supervisory authority” is the Swiss Federal Data Protection Information Commissioner;
f. References to the “competent supervisory authority” and “competent courts” are replaced with references to the “Swiss Federal Data Protection Information Commissioner” and “applicable courts of Switzerland;”
g. In Clause 17, the Standard Contractual Clauses are governed by the laws of Switzerland; and
h. With respect to transfers to which the Swiss FADP applies, Clause 18(b) states that disputes shall be resolved before the applicable courts of Switzerland.
11.5. The Parties acknowledge and agree that Personal Data protected under the PDPA may be transferred from Singapore to, and processed in, the EEA. The Processor represents and warrants that: (a) it shall process such Personal Data in compliance with the applicable provisions of the EU GDPR and shall ensure a standard of protection for the Personal Data that is at least comparable to the protection under the PDPA; (b) it is bound by legally enforceable obligations under the GDPR which provide comparable protection to that under the PDPA; (c) it shall implement and maintain technical and organisational measures to ensure the security and confidentiality of the Personal Data consistent with Appendix 2 to this DPA; and (d) it shall not transfer Singapore Personal Data to any country outside the EEA without first ensuring that such transfer complies with the PDPA and this DPA. Where required by the PDPA, or where reasonably requested by the Controller, the Parties shall enter into the ASEAN MCCs for cross-border data transfers. The details required to complete the ASEAN MCCs are those set out in Appendix 1 to this DPA, and the ASEAN MCCs shall be governed by the laws of Singapore, with disputes subject to the jurisdiction of the Singapore courts.
12. Local Law
12.1. As of the Effective Date, Notabene has no reason to believe that the laws and practices in any third country of destination applicable to its Processing of the Personal Data prevent Notabene from fulfilling its obligations under this DPA. In the event either Party is legally required to amend this Agreement in order to comply with applicable privacy laws, the Parties will negotiate such amendments in good faith.
12.2. If Notabene receives a legally binding request from a public authority to access Personal Data that Notabene processes on behalf of the Customer/End User, Notabene shall, unless otherwise legally prohibited, promptly notify the Customer/End User including a summary of the nature of the request.
Appendix 1 - Details of Processing Activities
1. CATEGORIES OF DATA SUBJECTS WHOSE PERSONAL DATA IS PROCESSED:
- Controller(s) – customers, end users, and ultimate counterparties of value transfers
- Authorised Users – employees and contractors of controller
2. CATEGORIES OF PERSONAL DATA PROCESSED:
- Name
- Address
- Nationality
- Account number
- E-mail address
- Customer ID
- Date and place of birth
- National Identification number
- Wallet address
- Other personal data required by FATF Recommendation 16 and its implementation in local regulations
3. SENSITIVE DATA:
The parties do not anticipate the processing of sensitive data under the Agreement.
4. NATURE OF THE PROCESSING:
- Nature of the processing: The Services pursuant to the Agreement, which are the collection, analysis, transmission, and record keeping of personal identifying information of originator and beneficiary of a value transfer, and the collection and further processing of the names, email addresses, and activities of Controller employees in the software dashboard.
- Brief description of the processing activities: The data processing activities are performed to allow the Controller to benefit from the Services, according to the purposes further explained below.
5. PURPOSE OF THE PROCESSING:
The provision of the Services requires two data processing activities:
a. Enabling the Controller to perform counterparty verification using FATF Recommendation 16 and its implementation in local regulations; and
b. Granting authorization of access to the dashboard and Personal Data of Controller’s customers/end users to authorized staff only.
6. DURATION OF PROCESSING:
Processor will process Personal Data for the duration of the Agreement, unless otherwise agreed in writing or required by law. Upon termination of the Services by either party, Processor shall cease processing Personal Data on behalf of Customer/End User upon completion of the termination provisions described herein (unless required by law to keep processing such data). Processor shall provide written confirmation to Controller of the deletion or return of Personal Data.
7. SUB-PROCESSOR:
Sub-Processors set forth at https://trust.notabene.id/subprocessors will process Personal Data as necessary to provide the Services pursuant to the Agreement. Subject to the provisions of this DPA specific to Sub-Processors, the Sub-Processors will process Personal Data for the duration of the Agreement, unless otherwise agreed by Customer/End User in writing.
8. COMPETENT SUPERVISORY AUTHORITY
Data competent supervisory authority: Irish Data Protection Commission
Appendix 2 - Technical and Organisational Measures
1. Without limiting the foregoing, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of the processing of the Processed Data, and the likelihood and severity of the risk to the rights and freedoms of natural persons, Processor shall implement appropriate technical and organizational measures to ensure a level of security that is proportionate to the risk associated with the processing of the Processed Data.
2. Processor shall maintain and enforce various policies, standards, and processes, available in the Processor’s Trust Center at https://trust.notabene.id/, which are designed to secure personal data and other data to which Processor employees are provided access, and update such policies, standards, and processes from time to time consistent with industry standards. Without prejudice to the rules contained within Section 1 above, the Processor shall implement appropriate technical and organizational measures available in the Processor’s Trust Center at https://trust.notabene.id/. These measures ensure a level of security adequate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of the data subjects.
Appendix 3 – General Authorization for Sub-processing
Appendix 4 - CCPA Specific Terms and Obligations
This Appendix supplements the DPA and includes additional information required by the CCPA, as updated, amended, or replaced from time to time. Any terms not defined in this Appendix shall have the meanings set forth in the DPA and/or the Agreement.
This Appendix is entered into by and between Notabene (the “Service Provider”) and the entity identified as the Customer or End User in the Agreement (“Customer”).
I. Definitions
1. For purposes of this Appendix, the terms “Business Purpose,” “Commercial Purpose,” “Processing,” “Sell,” “Share,” “Security Incident” and “Verifiable Consumer Request” shall have the meanings set forth in the CCPA.
II. Obligations
1. The parties acknowledge and agree that Notabene is a Service Provider for the purposes of the CCPA (to the extent it applies) and Notabene is receiving Personal Information from Customer in order to provide the Services pursuant to the Agreement, which constitutes a Business Purpose.
2. Customer shall disclose Personal Information to the Service Provider only for the limited and specified purposes described in Appendix 1 to this DPA.
3. The Service Provider shall not Sell or Share Personal Information provided by Customer under the Agreement.
4. The Service Provider shall not retain, use, or disclose Personal Information provided by Customer pursuant to the Agreement for any purpose, including a Commercial Purpose, other than as necessary for the specific purpose of performing the Services for Customer pursuant to the Agreement, or as otherwise set forth in the Agreement or as permitted by the CCPA.
5. The Service Provider shall not retain, use, or disclose Personal Information provided by Customer pursuant to the Agreement outside of the direct business relationship between the Service Provider and Customer, except where and to the extent permitted by the CCPA.
6. The Service Provider shall notify Customer if it makes a determination that it can no longer meet its obligations under the CCPA.
7. The Service Provider will not combine Personal Information received from, or on behalf of, Customer with Personal Information that it receives from, or on behalf of, another party, or that it collects from its own interaction with the Consumer.
8. The Service Provider shall comply with all obligations applicable to Service Providers under the CCPA, including by granting Personal Information provided by Customer under the Agreement the level of privacy protection required by the CCPA.
9. The Service Provider shall only engage a new sub-processor to assist Service Provider in providing the Services to Customer under the Agreement in accordance with Section 6 of the DPA, including, without limitation, by: (i) notifying Customer of such engagement as described in Section 6 of the DPA; and (ii) entering into a written contract with the sub-processor which requires such sub-processor to observe all of the applicable requirements set forth in the CCPA.
III. Consumer Rights
The Service Provider shall assist Customer in responding to Verifiable Consumer Requests to exercise the Consumer’s rights under the CCPA as set forth in Section 9 of the DPA.
IV. Security and Security Incidents
1. The Service Provider shall implement and maintain appropriate security procedures and practices to protect Personal Information against a Security Incident as described in Appendix 2 – Technical and Organisational Measures.
2. The Service Provider shall notify the Customer without undue delay, and in any case within forty-eight (48) hours of becoming aware of a Security Incident, and shall provide all relevant information reasonably requested by the Customer.
V. Audit Rights
To the extent required by CCPA, the Service Provider shall allow Customer to conduct inspections or audits in accordance with Section 10 of the DPA.