
Data Processing Addendum
This Data Processing Addendum (“DPA”) shall regulate all the transactions between the parties related to the subject matter as provided for in this agreement. This document (together with the documents referred to in it) sets out the terms on which SharpCloud users, as a business or individual guest or registered user subscribing to the SharpCloud software service as identified in any contract, purchase order, or otherwise in writing from time to time (User/Client), may make use of and access the SharpCloud software services provided via www.sharpcloud.com, and any subdomains thereof (our site) or otherwise.
- SharpCloud shall be referred to as SharpCloud in this agreement
- Any and all the user(s) accessing the services of SharpCloud shall be referred to as the “Client” and shall be considered as the Client for all the purposes related to this agreement. The term Client shall mean a legal entity as well as an individual, as the case may be.
each individually referred to as a “Party” and collectively as the “Parties”.
SPECIAL PROVISION
The party’s electronic acceptance or acknowledgement of this document on the website, or commencement of consuming the services of SharpCloud and utilization of the same constitutes such party’s acceptance of the terms and conditions mentioned in this document. The parties are advised to consult an attorney to understand the terms of this agreement before utilizing the services offered by SharpCloud on any of its platforms.
The User/Client acknowledges that they/it has had all the rights to consult with independent legal counsel prior and have had a reasonable opportunity to do so, and that the User either has consulted, or on their own volition chosen not to consult, with such counsel. The User/Client further acknowledges that they have read the terms of this agreement carefully and understands and accepts the obligations which it imposes upon them without reservation. No promises or representations have been made to induce consultant to sign this agreement.
This is an addendum to the SharpCloud End User License Agreement published at [www.sharpcloud.com/end-user-license-agreement], or if a separate agreement has been entered into by the parties, then such agreement (“the Agreement”). The terms of the Agreement shall apply to this Addendum except where there is a clear conflict between the Agreement and the terms of this Addendum in which case, as to any data processing issues for the purposes of the Data Privacy Laws (as defined below), this Addendum shall prevail.
This DPA sets out the terms that apply when Customer Personal Data is Processed by SharpCloud under the Agreement. The purpose of the DPA is to ensure such Processing is conducted in accordance with the Data Privacy Laws and respects the rights of individuals whose Personal Data is Processed under the Agreement. This DPA applies to the SharpCloud entity that is a party to the Agreement as set out therein.
DPA OPERATIVE PROVISIONS
1. Definitions
1.1 Words and phrases used in this DPA shall have the meanings ascribed to them in the Agreement and as set out below unless the context requires otherwise:
| Term | Definition |
| --- | --- |
| Applicable Law | shall mean all regional, national and international laws, rules, regulations and standards including those imposed by any governmental or regulatory authority which apply from time to time to the person or activity in the circumstances in question; |
| CCPA | shall mean California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100 to 1798.198), as may be amended from time to time, and any legally binding regulations, requirements, orders, or decisions of any regulatory, judicial, or governmental authority in connection with the enforcement thereof (“CCPA”); |
| Confidential Information | shall have the meaning set forth in the Agreement; |
| Controller | Customer means “Controller” or “Business” as those terms are defined by applicable Data Privacy Laws; |
| Customer Data | shall mean all data of the Customer including any Personal Data that Customer or its Affiliate(s) processes as a Processor on behalf of Customer or as a Controller in order to provide the Services; |
| Data Privacy Laws | shall mean, as the case may be and as applicable, the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK’s implementation of the GDPR into UK law (“UK GDPR”) by virtue of section 3 of the UK’s European Union (Withdrawal) Act 2018, the CCPA and other US data privacy laws, the Canadian Federal Personal Information Protection and Electronic Documents Act, and/or any other Applicable Law or regulation worldwide relating to the protection of Personal Data, personally identifiable information or protected health information, including but not limited to all other municipal, state, provincial, regional, national laws or regulations governing the protection of personal information or Personal Data, as may be amended or superseded from time to time; |
| Data Subject | shall have the meaning set forth in the GDPR or UK GDPR when Customer is subject to EU law or UK law, or, when Customer is not subject to UK or EU law, shall mean the individual affected by the data processing or otherwise defined under that region’s Data Privacy Laws; |
| Personal Data | means any data or information that constitutes “personal data,” “personal information,” or any analogous term as defined by applicable Data Privacy Laws; if Customer is subject to the CCPA the term “Personal Data” shall include the meaning of “Personal Information” as defined under the CCPA and other US data privacy laws; |
| DPA | shall mean this DPA including the recitals and Schedules; |
| Process | shall have the meaning set forth in the GDPR or UK GDPR when Customer is subject to EU or UK law respectively, or, when Customer is not subject to EU or UK law, shall mean any use of Personal Data; |
| Processor | shall have the meaning set forth in the GDPR and UK GDPR as applicable when Customer is subject to EU or UK law, or, when Customer is not subject to EU or UK law, shall mean the Processor processing Personal Data on behalf of the Controller, or when Customer is subject to the CCPA or any other US Data Privacy Laws, shall mean “Processor” as defined under the CCPA or “Recipient” under the respective US Data Privacy Laws; |
| Restricted Transfer | means: (i) where the GDPR applies, a transfer of Personal Data from the European Economic Area (“EEA”) to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom (“UK”) to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; |
| Services | means the provision of services by SharpCloud as set out in the Agreement, and such other services as the parties shall agree from time to time in writing; |
2. SharpCloud processor obligations
2.1 Scope and Purpose of Processing. This DPA applies only where and to the extent Data Privacy Laws govern SharpCloud’s Processing of Customer Data on behalf of Customer in the course of providing the Services pursuant to the Agreement, including SharpCloud’s Processing of Customer’s Personal Data for the nature, purposes, and duration set forth in Schedule I. SharpCloud will not collect, use, disclose, release, disseminate, transfer, or otherwise communicate or make available to a third-party Customer’s Personal Data except to provide the Services or as expressly permitted by the Agreement or this DPA. For the avoidance of doubt, any Customer Data collected pursuant to data analytics or monitoring carried out by SharpCloud in connection with the provision of the Services or otherwise connected with Customer’s use of the Services may include Personal Data which Customer hereby authorizes SharpCloud to use solely in accordance with carrying out its obligations under the Agreement and this DPA.
2.2 Processor and Controller Responsibilities. The parties acknowledge and agree that: (a) SharpCloud is a Processor of Customer’s Personal Data under the Data Privacy Laws; (b) Customer is a Controller or Processor, as applicable, of Customer’s Personal Data under the Data Privacy Laws; and (c) each party will comply with the obligations applicable to it under the Data Privacy Laws regarding the Processing of Customer’s Personal Data.
2.3 Authorization by Third-Party Controller. If Customer is a Processor, Customer warrants to SharpCloud that Customer’s instructions and actions with respect to Customer’s Personal Data, including its appointment of SharpCloud as another Processor, have been authorized by the relevant Controller.
2.4 Customer Instructions. Customer instructs SharpCloud to Process Customer’s Personal Data: (a) in accordance with the Agreement, this DPA, any applicable order, and Customer’s use of the Services; and (b) to comply with other reasonable instructions provided by Customer or a user where such instructions are consistent with the terms of the Agreement. Customer will ensure that its instructions for the Processing of Customer’s Personal Data comply with the Data Privacy Laws. Customer has sole responsibility for the accuracy, quality, and legality of Customer Data and the means by which Customer obtained the Personal Data. Customer will disclose Personal Data to SharpCloud solely pursuant to a valid business purpose.
2.5 SharpCloud’s Compliance with Customer Instructions. SharpCloud will only Process Personal Data in accordance with Customer’s instructions and will treat Personal Data as Confidential Information. SharpCloud may Process Personal Data other than on the written instructions of Customer if it is required under applicable law to which SharpCloud is subject. In this situation, SharpCloud will inform Customer of such requirement before SharpCloud Processes the Personal Data unless prohibited by applicable law.
2.6 Assistance with Customer’s Obligations. Customer may request in writing that SharpCloud correct, amend, restrict, block or delete Personal Data provided to SharpCloud or uploaded when using the Services to the extent Customer is not able to do so itself. SharpCloud will promptly comply with reasonable requests by Customer to assist with such actions to the extent SharpCloud is legally permitted and able to do so. SharpCloud may charge a reasonable fee for any assistance not strictly required by Data Privacy Laws. Any such fee shall be communicated to Customer prior to being incurred.
2.7 Impact Assessments. SharpCloud will take reasonable measures to cooperate and assist Customer in conducting a data protection impact assessment and related consultations with any Supervisory Authority, if Customer is required to do so under applicable Data Privacy Laws.
2.8 Notification Obligations. SharpCloud will, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject for access to, correction, amendment, deletion of or objection to the Processing of Customer’s Personal Data relating to such individual. SharpCloud will forward such Data Subject request relating to Personal Data to Customer and Customer will be responsible for responding to any such request. SharpCloud will provide Customer with commercially reasonable cooperation and assistance in relation to handling of a Data Subject request, to the extent legally permitted and to the extent Customer does not have access to such Personal Data through its use or receipt of the Services.
2.9 In relation to Personal Data that is protected by the Data Privacy Laws of the United States of America, the additional statutory required provisions as set out in Schedule 5 – United States Privacy Provisions shall apply.
3. Security measures
3.1 SharpCloud Personnel. SharpCloud will inform its personnel engaged in the Processing of Customer’s Personal Data of the confidential nature of the Personal Data, and ensure they are subject to obligations of confidentiality that protect the confidentiality of Customer Data and survive the termination of that individual’s engagement with SharpCloud.
3.2 Third Party Disclosure. SharpCloud will not disclose Customer Data to any third party unless authorized by Customer or required by law. If a government entity (including a law enforcement agency) or Supervisory Authority (as defined in applicable Data Privacy Laws) demands access to Customer Data, SharpCloud will attempt to redirect the request or to request the data directly from Customer or notify Customer prior to disclosure, in each case unless prohibited by law.
3.3 Security. SharpCloud will implement commercially reasonable technical and organizational measures to safeguard Customer’s Personal Data taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. At a minimum, SharpCloud shall implement the measures that are set out in Schedule 2.
3.4 Separation of Data. SharpCloud shall keep Customer Data logically separate from other data held by SharpCloud, wherever reasonably practicable, by implementing necessary security controls such as access control, encryption and passwords.
4. Security incident
4.1 Notification Obligations. Upon becoming aware of any Security Incident affecting Personal Data, the parties shall notify each other without undue delay and shall provide timely updates and information relating to the Security Incident as it becomes known or as is reasonably requested by the other party. Such information will include the nature of the Security Incident, the categories and number of Data Subjects affected, the categories and amount of Personal Data affected, the likely consequences of the Security Incident, and the measures taken or proposed to be taken to address the Security Incident and mitigate possible adverse effects. SharpCloud’s obligations in this Section 4 do not apply to Security Incidents that are caused by Customer or Customer's personnel or users or to unsuccessful attempts or activities that do not compromise the security of Customer’s Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
4.2 Manner of Notification. Notification(s) of Security Incidents, if any, will be delivered to one or more of Customer’s business, technical or administrative contacts by any means SharpCloud selects, including via email. It is Customer’s sole responsibility to provide and maintain accurate contact information to and on SharpCloud’s systems at all times. Furthermore, it is Customer’s sole responsibility to notify the relevant data protection Supervisory Authority and, when applicable, the Data Subjects of a Security Incident as required under Articles 33 and 34 of the GDPR and equivalent provisions under all other applicable Data Privacy Laws. SharpCloud will promptly comply with reasonable requests by Customer to assist it with meeting such notification requirements to the extent SharpCloud is legally permitted and able to do so.
5. Sub-processors and audit rights
5.1 General Authorization for Sub-processors. Customer generally authorizes the use of sub-processors by SharpCloud to process Customer’s Personal Data in connection with fulfilling SharpCloud’s obligations under the Agreement and/or this DPA and explicitly approves the list of sub-processors located at https://www.sharpcloud.com/subprocessors.
5.2 New Subprocessors. When SharpCloud engages a new sub-processor to Process Customer’s Personal Data, SharpCloud will, at least thirty (30) days before the new sub-processor Processes any Customer Personal Data, notify Customer and give Customer the opportunity to object to such sub-processor. If Customer has reasonable grounds to object to SharpCloud’s change in sub-processors related to data protection concerns, Customer shall notify SharpCloud promptly within no more than thirty (30) days after receipt of SharpCloud’s notice. SharpCloud will use reasonable efforts to find an acceptable, reasonable, alternate solution; otherwise, Customer may suspend or terminate its subscription to the Services. If Customer terminates, SharpCloud will promptly refund any fees paid in advance by Customer to SharpCloud pro rata for the remaining duration of the subscription to the Services.
5.3 SharpCloud Obligations. SharpCloud will remain liable for the acts and omissions of its sub-processors to the same extent SharpCloud would be liable if performing the service provided by the sub-processor directly. SharpCloud will contractually impose data protection obligations on its sub-processors that are at least equivalent to those data protection obligations imposed on SharpCloud under this DPA.
5.4 Selection of Sub-Processors. SharpCloud will select sub-processors with due diligence and will verify prior to engaging the new sub-processor that such sub-processor is capable of complying with the obligations of SharpCloud towards Customer, to the extent applicable to the services assigned to that sub-processor. Further, SharpCloud will verify, prior to engaging the sub-processor, that the sub-processor has taken and will take the appropriate technical and organizational measures to protect Customer Data.
5.5 Audit Rights. Upon Customer’s written request by email to legal@sharpcloud.com no more than once per year, SharpCloud will provide a copy of any recent third-party audits or certifications, as applicable, or any summaries thereof, such that Customer may reasonably verify SharpCloud’s compliance with the technical and organizational measures required under this DPA. Where required by the applicable Data Privacy Laws, SharpCloud will permit Customer or a mutually agreed upon independent auditor appointed by Customer to conduct an audit (including inspection of SharpCloud facilities and relevant information but not in respect of a sub-processor), no more than once per year upon eight weeks’ notice sent to legal@sharpcloud.com complete with a detailed audit plan describing the proposed scope, duration, and start date of the audit. SharpCloud will contribute to such audits whose sole purpose will be to verify SharpCloud’s compliance with its obligations under this DPA. The auditor must execute a written confidentiality agreement reasonably acceptable to SharpCloud before conducting the audit. The audit must be conducted during SharpCloud’s normal business hours, subject to SharpCloud’s reasonable policies, and may not unreasonably interfere with SharpCloud’s business activities. Any audits are at Customer’s sole cost and expense.
5.6 Separate Service. Any request for SharpCloud to provide assistance with an audit is considered a separate service if such audit assistance requires the use of resources different from or in addition to those required by law. Customer will reimburse SharpCloud for any time spent for such separate services for any such audit at rates mutually agreed to by the parties, taking into account the resources expended by SharpCloud. Customer will promptly notify SharpCloud with information regarding any non-compliance discovered during the course of an audit and not disclose the results of any audit with any third party except as approved in writing by SharpCloud.
5.7 Limits on Auditing Party. Nothing in this DPA will require SharpCloud to disclose to an independent auditor or Customer, or to allow an independent auditor or Customer to access: (a) any data of any other user or customer of SharpCloud; (b) SharpCloud’s internal accounting or financial information; (c) any trade secret of SharpCloud; (d) any premises or equipment not controlled by SharpCloud; or (e) any information that, in SharpCloud’s reasonable opinion, could: (i) compromise the security of SharpCloud’s systems or premises; (ii) cause SharpCloud to breach its obligations under Data Privacy Laws or the rights of any third-party; or (iii) any information that an independent auditor seeks to access for any reason other than the good faith fulfilment of Customer’s rights under the Data Privacy Laws. Customer will contractually impose, and designate SharpCloud as a third-party beneficiary of, any contractual terms that prohibit any independent auditor from disclosing the existence, nature, or results of any audit to any party other than Customer unless such disclosure is required by applicable law.
6. International data transfers
6.1 SharpCloud have data centres in the locations stated in Schedule 2. Upon first registration of Customer’s account, Customer will be allocated the default data centre included in Schedule 2 - 1.11 unless otherwise agreed in writing with the Customer. All Personal Data will then be processed and shall be stored in the stated data centre and/or processed by SharpCloud’s sub-processors listed at: https://www.sharpcloud.com/subprocessors. Where there are Restricted Transfers, the parties acknowledge that steps must be taken to ensure that such Restricted Transfers comply with Data Privacy Laws.
6.2 Where Personal Data subject to the GDPR or UK GDPR is transferred from Customer (as data exporter) to SharpCloud (or its sub-processor) (as data importer) outside the EEA (either directly or via onward transfer), to a country which has been recognized by the European Commission as offering an adequate level of protection for Personal Data transferred to it, then the Parties shall enter into the Standard Contractual Clauses as further specified in Schedule 4. The terms ‘data exporter’ and ‘data importer’ shall have the meanings given to them in the EU SCCs.
6.3 Pursuant to Section 6.2, the Standard Contractual Clauses are hereby incorporated into this DPA by reference.
6.4 Where the SCCs apply under this Agreement:
- Customer and SharpCloud agree to observe the terms of the SCCs without modification (save for the specifications in the Schedules) and the SCCs shall be considered to be duly executed by the Parties immediately upon the date on which the DPA enters into force;
- the rights and obligations afforded by the SCCs will be exercised in accordance with the terms of the Agreement;
- the Parties' signature to this DPA or the Agreement that explicitly incorporates this DPA shall be considered as signature to the SCCs;
- if so required by the laws or regulatory procedures of any jurisdiction, the Parties shall execute or re-execute the SCCs as separate documents setting out the proposed transfers of Personal Data in such manner as may be required; and
- in the event that the SCCs are amended, replaced or otherwise invalidated by the Data Privacy Laws, the Parties shall work together in good faith to enter into any updated version of such SCCs or negotiate in good faith a solution to enable a transfer of the Personal Data to meet the requirements of Chapter V of the GDPR (or UK GDPR as applicable).
6.5 In relation to Personal Data that is protected by the UK GDPR, the EU SCCs as modified by the “International Data Transfer Addendum to the EU Standard Contractual Clauses” which includes the mandatory clauses (in template Addendum B.1.0) issued by the Information Commissioner’s Office and laid before Parliament in accordance with s.119A(1) of the Data Protection Act 2018 on 28 January 2022 (“UK Addendum”) shall apply to the Restricted Transfer of Personal Data protected by the UK GDPR as follows:
- the EU SCCs, completed as set out in Schedule 4 of this DPA shall also apply to any transfers of such Personal Data, and shall be modified by the UK Addendum (completed as set out in the remainder of this clause);
- Tables 1 to 3 of the UK Addendum shall be deemed completed with the relevant information from the EU SCCs as set out in Schedule 4 of this DPA and technical and organisational measures as set out in Schedule 2 of this DPA;
- the option “Exporter” shall be deemed checked in Table 4 of the UK Addendum; and
- the start date of the UK Addendum (as set out in Table 1 of the UK Addendum) shall be the date of this DPA.
6.6 Where SharpCloud carries out an onward transfer to a sub-processor located in a country deemed as not adequate under applicable Data Privacy Laws and acts as a data exporter, SharpCloud shall enter into the SCCs with each such sub processor as the data importer. Module 3 (Processor to Processor) of the SCCs shall apply.
6.7 Changes to Transfer Mechanism. If SharpCloud’s compliance with Data Privacy Laws applicable to international data transfers is affected by circumstances outside of SharpCloud’s control, including if a legal instrument for international data transfers is invalidated, amended, or replaced, then Customer and SharpCloud will work together in good faith to reasonably resolve such non-compliance. In the event that additional, replacement or alternative transfer mechanisms, standard contractual clauses or UK standard contractual clauses are approved by Supervisory Authorities, SharpCloud reserves the right to choose the transfer mechanism of its preference, and amend the Agreement and this DPA by adding to or replacing, the existing transfer mechanism; provided that SharpCloud will ensure continued compliance with Data Privacy Laws.
7. Return and destruction
7.1 Without prejudice to any obligations under this Section 7, following termination or expiration of this DPA for whatever reason, SharpCloud shall cease processing Customer’s Personal Data and shall procure that any sub-processors also shall cease processing Customer’s Personal Data.
7.2 Upon termination or expiration of the Agreement and this DPA for whatever reason, SharpCloud shall:
- provide Customer with the opportunity to retrieve its Customer Data within 30 days; and/or
- provide Customer on request within 30 days with all Customer Data then held or stored by SharpCloud including all copies and back-ups.
7.3 Following termination or expiration of this DPA for whatever reason, SharpCloud shall securely, irrevocably and/or irretrievably delete or over-write Customer Data in accordance with SharpCloud’s standards which must be recognized industry standards to achieve secure deletion, and SharpCloud shall certify to Customer, if so requested by Customer, in writing, that SharpCloud has complied with their obligations to delete Customer Data. This shall not apply to any Personal Data that SharpCloud is required to retain by applicable laws which shall continue to be stored by SharpCloud and subject to the duties of confidentiality until the same can be deleted.
8. Termination
8.1 This DPA shall commence on the Effective Date and shall terminate on the earlier of (a) termination or expiry of the Agreement; or (b) termination of this DPA by 30 days’ written notice served on the other party. The rights of termination for cause as set out in the Agreement between the parties remain unaffected.
9. Amendments
9.1 SharpCloud may amend this DPA from time to time to reflect changes in Data Privacy Laws or the delivery of the Services to Customer. When changes are made, SharpCloud will make a new copy of the DPA available at www.sharpcloud.com/terms-and-conditions. To the extent an amendment is required to comply with applicable Data Privacy Laws, it will become effective immediately; otherwise, it will be effective upon renewal of Customer’s subscription to the Services.
SCOPE AND PURPOSE OF PROCESSING
SharpCloud will process Personal Data provided by Customer or collected by SharpCloud in order to manage Customer’s account and to fulfil contractual obligations to Customer. SharpCloud may also process Personal Data in an aggregated and anonymized manner to analyze trends and to track your usages of and interactions with its Services to the extent necessary for SharpCloud’s legitimate interest in developing and improving its Services and providing customers with more relevant content and service offerings.
SharpCloud will process the Personal Data for the duration of the period in which it provides Services to Customer.
CATEGORIES OF DATA SUBJECTS AND PERSONAL DATA PROCESSED
Personal Data provided by Customer to SharpCloud or collected by SharpCloud in order to manage Customer’s account. This includes the following:
If paying by credit or debit card, we will also collect contact information of the person using the card as well as details of the credit/debit card used for payment.
Our Services allow the Customer’s users to upload other information onto the system and/or forums that we make available to our customers generally and any such information uploaded or entered by those users will be stored by us but we do not use any of that information for delivery of the Services to Customer.
No sensitive data is processed by us unless Customer provides the same.
NATURE OF PROCESSING
Personal Data provided by Customer to SharpCloud or collected by SharpCloud in order to manage Customer’s account.
SUBPROCESSORS
SharpCloud uses sub-processors to assist it in providing the Services to Customer as stated in Schedule 3.
DURATION AND FREQUENCY OF PROCESSING
For the duration of Customer’s subscription to the Services and frequency is determined by the number of Customer’s users’ interactions within the Services – usually daily.
CONTACT
legal@sharpcloud.com or write to us at FAO: The DPO, SharpCloud Software Ltd, 8 Leake Street, London SE1 7NN, UK or The DPO, SharpCloud Software Inc., 3500 S Dupont Hwy, Camden, DE 19934 United States
1. Measures
1.1 Access Control
The Processor will implement the following measures:
- Establishing and maintaining staggered access authorizations for employees and third parties;
- Regulating and restricting access authorities; providing respective keys and card keys;
- Reviewing and updating the keys and card keys regularly;
- Identifying and reviewing all persons having access authority;
- Using time recording equipment;
- Recording all visitors.
1.2 Access Control
The Processor will implement the following measures:
- Running central data processing equipment (servers) only in specially protected areas to which only selected employees (administrators) and Processors, who are committed to diligence and secrecy, have access;
- Preparing and establishing rules of behaviour for the use of mobile devices, which, among other things, require the Processor’s employees not to leave their mobile devices unattended while travelling;
- Logical (e.g. by using passwords) and physical (e.g. by using lockable or otherwise secured repositories) protection of all data media (external hard drives, USB sticks, CD-ROMs, DVDs, etc.).
1.3 Access Control
The Processor will implement the following measures:
- Authorizing and enforcing a usage policy for the reading, alteration and deletion of stored data;
- Using the data processing equipment only after identifying and authenticating the user;
- Using secure passwords;
- Changing the passwords regularly;
- Blocking passwords when several erroneous passwords have been entered;
- Automatically blocking desktop computers in the case of longer inactivity of the user;
- Using separation columns for safety-critical files and Personal Data;
- Authorizing and enforcing a policy for the systematic storage of data;
- Restricting the users’ rights for the employees who are not administrators;
- Separation of test and production systems.
1.4 Transmission Control
The Processor will implement the following measures:
- Authorizing and enforcing a policy which regulates the transmission and transport of data;
- Using the data processing equipment only after identifying and authenticating the user;
- Using encryption for safety-critical files;
- Encrypting all files with Personal Data, especially if they are transmitted between the Parties via e-mail or in another electronic way;
- Establishing documentation for all programs which encrypt, send or receive data;
- Monitoring all interfaces (ports) to the internet of the Processor’s data processing equipment and blocking all interfaces which are not necessary for the normal activity (e.g. ports which are used for file sharing programs or chat programs);
- Monitoring decentralized entity locations in the case that these send or receive data.
1.5 Input Control
The Processor will implement the following measures:
- Authorizing and enforcing a usage policy for the reading, alteration and deletion of stored data;
- Using the data processing equipment only after identifying and authenticating the user;
- Recording of data accesses.
1.6 Order Control
The Processor will implement the following measures:
- Using the data processing equipment only after identifying and authenticating the user;
- Recording all data accesses;
- Regular controls by the Processor.
1.7 Data Separation
The Processor will implement the following measures:
- Logical separation of data of the Processor and/or the Processor’s clients and other data;
- Using encryption for safety-critical files and files with Personal Data with different data keys depending on the files’ owner;
1.8 Availability Control
The Processor will implement the following measures:
- Regularly creating back-up copies;
1.9 Recovery Plan
The Processor will implement the following measures:
- Prepare a plan for ensuring the ability to restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident
1.10 Testing Process
The Processor will implement the following measures:
- Establish and document a process for regularly testing, assessing and evaluating the effectiveness of the measures for ensuring the security of the Processing of Personal Data described in this DPA.
1.11 Data Centre Allocation
SharpCloud have data centres in the locations stated below. Upon first registration of Customer’s account, Customer will be allocated the default data centre stated in the table below unless otherwise agreed in writing with the Customer. All Personal Data will then be processed and shall be stored in the stated data centre and/or processed by SharpCloud’s sub-processors listed at: https://www.sharpcloud.com/subprocessors.
Region | Data Centre Location |
UK Region | United Kingdom |
EU Region | The Netherlands or Ireland |
Rest of the World | United States of America |
SharpCloud Free Version | United States of America |
The Parties agree that this Attachment 3 constitutes Annex III of the EU SCCs (where applicable).
The list of sub-processors is available at: https://www.sharpcloud.com/subprocessors
Part 1 – Modules and Options
The Parties confirm that the following Module(s) from the EU SCCs shall apply with the following options to the international data transfer of Personal Data under this DPA (without prejudice to any transfers subject to the UK Addendum as set out at Section 6.6 of the DPA):
| Transfer 1 |
Relevant Module | Module Two |
Description of processing | As set out in Schedule 1. |
Clause 7 – Docking clause | Included |
Clause 9 (a) – Use of sub-processors | Option 1 |
Clause 9 (a) – Time period | 10 days |
Clause 11(a) – Redress | Included |
Clause 17 – Governing Law – Which option | Option 1 |
Clause 17 – Governing Law – Which law | IRELAND |
Clause 18 – Choice of forum and jurisdiction | IRELAND |
Part 2 – List of Parties
The Parties agree that this Part 2 of Schedule 4 constitutes Annex I.A of the EU SCCs (where applicable).
Data Exporter(s):
Name: | Customer entity indicated on the Agreement |
Address: | Customer address indicated on the Agreement |
Contact person’s name, position and contact details: | |
Activities relevant to data transferred: | As set out in Schedule 1. |
Role (controller/ processor): | Controller |
Data Importer(s):
Name: | SharpCloud Software Limited |
Address: | 8 Leake Street, London SE1 7NN, UK |
Contact person’s name, position and contact details: | The DPO – legal@sharpcloud.com |
Activities relevant to data transferred: | As set out in Schedule 1. |
Role (controller/ processor): | Processor |
Part 3 – Description of Transfers/ Processing and Supervisory Authority
The Parties agree that this Part 3 of Attachment 2 constitutes Annex I.B and I.C of the EU SCCs (where applicable) and that this Part 3 applies in all instances where this DPA is entered into.
| Transfer 1 |
Categories of data subjects | See Schedule 1 – Customer’s employees, contact persons, consultants and agents |
Categories of Personal Data | See Schedule 1 - Communication data (e.g. telephone, email), contract contact details) |
Sensitive data transferred and applied restrictions or safeguards applied | Not Applicable |
Frequency of transfer | Daily |
Subject-matter of processing | See Schedule 1 |
Duration of processing | See Schedule 1 |
Nature of the processing | See Schedule 1 |
Purpose of the transfer/ processing | See Schedule 1 |
Period for which Personal Data will be retained or criteria used to determine period | See Schedule 1 |
For transfers to sub-processors, specify subject-matter, nature and duration of processing | See Schedule 1 |
Competent Supervisory Authority | Information Commissioners Office (ICO) Ireland |
Applicability. This Schedule 5 only applies to SharpCloud’s Processing of Customer’s Personal Data subject to applicable Data Privacy Laws in the USA (“US Privacy Laws”). This Schedule 5 shall override any conflicting terms in the Agreement or the DPA where the US Privacy Laws apply but does not otherwise amend the Agreement or DPA. SharpCloud Processes personal information (as defined in the CCPA) on behalf of Customer under the Agreement as a Service Provider (as defined under the CCPA) (hereinafter, the “Personal Information”). This Addendum shall only apply and bind the Parties if and to the extent Customer is a Business under the CCPA or equivalent under any other US Privacy Laws.
This Schedule 5 applies to the collection, retention, use, and disclosure of the Personal Information to provide Services to Customer pursuant to the Agreement or to perform a Business Purpose (as defined in CCPA).
Customer is a Business and appoints SharpCloud as a Service Provider to process the Personal Information on behalf of Customer. Customer is responsible for compliance with the requirements of the CCPA and other US Privacy Laws applicable to Businesses.
Compliance Assurance. If the provision of Personal Information provided pursuant to the DPA above does not fulfil the requirements of the applicable U.S. Privacy Laws, Customer has the right to take reasonable and appropriate steps to ensure that SharpCloud uses Customer Personal Information consistent with Customer’s obligations under applicable U.S. Privacy Laws.
Compliance Remediation. SharpCloud shall promptly notify Customer after determining that it can no longer meet its obligations under applicable U.S. Privacy Laws. Upon receiving notice from SharpCloud in accordance with this paragraph, Customer may direct SharpCloud to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Information.
Limitations on Processing. SharpCloud will Process Customer Personal Information solely as described in the Agreement and this DPA. Except as expressly permitted therein or by the U.S. Privacy Laws, SharpCloud is prohibited from (a) Selling or Sharing (as defined in applicable US Privacy Laws) Customer Personal Information, (b) retaining, using, or disclosing Customer Personal Information for any other purpose, (c) retaining, using, or disclosing Customer Personal Information outside of the direct business relationship between the parties, and (d) combining Customer Personal Information with Personal Information obtained from, or on behalf of, sources other than Customer or its users, except as expressly permitted under applicable U.S. Privacy Laws.
Deletion Requests. SharpCloud shall not be required to delete any Customer Personal Information to comply with a Data Subject’s request directed by Customer if retaining such information is specifically permitted by applicable U.S. Privacy Laws; provided, however, that in such case, SharpCloud will promptly inform Customer of the exceptions relied upon under applicable U.S. Privacy Laws and SharpCloud shall not use Customer Personal Information retained for any purpose other than provided for by that exception.
Deidentified Data. In the event that Customer discloses or makes available deidentified data (as such term is defined in the U.S. Privacy Laws) to SharpCloud, SharpCloud shall not attempt to reidentify the information.
Sale of Data. The parties acknowledge and agree that the exchange of Personal Data between the parties does not form part of any monetary or other valuable consideration exchanged between the parties with respect to the Agreement or this DPA. SharpCloud will never sell Customer’s Personal Information.
Compliance with Laws. SharpCloud shall make reasonable information in its possession available to Customer necessary to demonstrate compliance with the obligations of this Schedule 5 and permit Audits and Assessments. Customer to take reasonable and appropriate steps to help ensure the Processing of Customer’s Personal Information is consistent with the obligations herein. This includes reasonable audits or assessments in accordance with the DPA. Any audits or assessments conducted in accordance with this Schedule 5 shall be limited to one per calendar year upon 8 weeks prior notice to SharpCloud as per the terms of the DPA.
Default. To the extent that Customer determines that SharpCloud is not in compliance with the requirements of the US Privacy Laws or the terms of this Schedule 5, Customer shall have the right to (i) stop the transmission of Personal Information to SharpCloud; (ii) request that SharpCloud not further process Personal Information received from Customer, and (iii) terminate the Agreement consistent with its terms.
Warranty. Customer represents and warrants that it has provided notice to its end users that the Personal Information is being used or shared consistent with Cal. Civ. Code 1798.130.
Consumer Rights. SharpCloud shall provide reasonable assistance to Customer in facilitating compliance with Consumer rights requests under the CCPA.
Deletion of Personal Information. Upon direction by Customer and within a commercially reasonable amount of time, SharpCloud shall delete or, upon Customer’s written request, return the Personal Information, except that SharpCloud may retain Personal Information as permitted by the DPA.
De-identified Information. In the event that either Party shares Deidentified Information with the other Party, the receiving Party warrants that it: (i) has implemented technical safeguards that prohibit reidentification of the Consumer to whom the information may pertain; (ii) has implemented business processes that specifically prohibit reidentification of the information; (iii) has implemented business processes to prevent inadvertent release of Deidentified Information; (iv) will make no attempt to reidentify the information; and (v) has publicly committed to maintain and use the Deidentified Information in a Deidentified form.
Law Enforcement. Notwithstanding any provision to the contrary of the Agreement, the DPA or this Schedule 5, SharpCloud may cooperate with law enforcement agencies concerning conduct or activity that it reasonably and in good faith believes may violate international, federal, state, or local law or as required by applicable laws.