3.1  With respect to Customer Personal Data originating from the European Economic Area (“EEA”), the United Kingdom (“UK”) or Switzerland that is transferred from Customer to Reclaim, the parties agree to comply with the general clauses and with “Module Two” (Controller to Processor) of the EU SCCs, which are incorporated herein by reference, with Customer as the “data exporter” and Reclaim as the “data importer.” The parties agree that Reclaim may process and store Customer Personal Data in the United States as necessary to provide services to Customer.

3.2  For purposes of the EU SCCs the parties agree that:
‍

3.3  If the transfer of Customer Personal Data is subject to the Swiss Federal Act on Data Protection, the parties agree to rely on the EU SCCs with the following modifications: (i) the Federal Data Protection and Information Commissioner (FDPIC) will be the competent supervisory authority under Clause 13 of the EU SCCs; (ii) the parties agree to abide by the GDPR standard in relation to all Processing of Customer Personal Data that is governed by the Swiss Federal Act on Data Protection; (iii) the term ‘Member State’ in the EU SCCs will not be interpreted in such a way as to exclude Data Subjects who habitually reside in Switzerland from initiating legal proceedings in Switzerland in accordance with Clause 18(c) of the EU SCCs; and (iv) references to the ‘GDPR’ in the EU SCCs will be understood as references to the Swiss Federal Act on Data Protection insofar as the transfer of Customer Personal Data is subject to the Swiss Federal Act on Data Protection.

3.4  With respect to transfers from Customer to Reclaim of Customer Personal Data originating from the United Kingdom, the parties agree to comply with the UK SCCs, which are incorporated herein by reference. The parties agree that, for the UK SCCs: (i) Customer is the “data exporter”, and Reclaim is the “data importer”; (ii) all references to the “Directive 95/46/EC” and its provisions shall be deemed to refer to the relevant provisions of the UK GDPR and the Data Protection Act 2018 of the United Kingdom; (iii) all references to the “Commission” shall be deemed to refer to the Information Commissioner; (iv) all references to the “European Economic Area” or the “European Union” shall be deemed to refer to the United Kingdom; (v) for Appendix 1 to the UK SCCs, information about the exporter and importer, the categories of Data Subjects, types of Personal Data and type of Processing operations are as set out in Schedule 1 to this DPA; and (vi) for Appendix 2 to the UK SCCs, the security measures are as described at the Security Page. The parties acknowledge that the Information Commissioner’s Office has not yet approved new standard contractual clauses under the UK GDPR. The UK SCCs will apply only until such time as the Information Commissioner’s Office issues new standard contractual clauses under the UK GDPR. If the Information Commissioner’s Office approves the EU SCCs for transfers from the UK, the parties agree to adopt the EU SCCS as the mechanism to legitimize such transfers. Where necessary, the parties shall work together, in good faith, to enter into an updated version of the UK SCCs or negotiate an alternative solution to enable transfers of Customer Personal Data in compliance with Data Protection Laws.

10.1  Customer may audit Reclaim’s compliance with its obligations under this DPA up to once per year. In addition, Customer may perform more frequent audits (including inspections) in the event: (1) Reclaim suffers a Personal Data Breach affecting Customer Personal Data; (2) Customer has genuine, documented concerns regarding Reclaim’s compliance with this DPA or the Data Protection Laws; or (3) where required by the Data Protection Laws, including where mandated by regulatory or governmental authorities with jurisdiction over Customer Personal Data. Reclaim will contribute to such audits by providing Customer or Customer’s regulatory or governmental authority with the information and assistance reasonably necessary to conduct the audit, including any relevant records of Processing activities applicable to the Service, as described below.

10.2  To request an audit, Customer must submit a detailed proposed audit plan to [email protected] at least one month in advance of the proposed audit start date. The proposed audit plan must describe the proposed scope, duration, start date of the audit, and the identity of any third party Customer intends to appoint to perform the audit. Reclaim will review the proposed audit plan and provide Customer with any concerns or questions (for example, Reclaim may object to the third party auditor as described in Section 10.3, provide an Audit Report as described in Section 10.4, or identify any requests for information that could compromise Reclaim confidentiality obligations or security, privacy, employment or other relevant policies). The parties will negotiate in good faith to agree on a final audit plan at least two weeks in advance of the proposed audit start date.  Nothing in this Section 10 shall require Reclaim to breach any duties of confidentiality.

10.3  Reclaim may object to third party auditors that are, in Reclaim’s reasonable opinion, not suitably qualified or independent, a competitor of Reclaim, or otherwise manifestly unsuitable.  Customer will appoint another auditor or conduct the audit itself if the parties cannot resolve the objection after negotiating in good faith.

10.4  If the requested audit scope is addressed in an SSAE 16/ISAE 3402 Type 1, ISO, NIST or similar audit report performed by a qualified third party auditor on Reclaim’s systems that Process Customer Personal Data (“Audit Reports”) within twelve (12) months of Customer’s audit request and Reclaim confirms there are no known material changes in the controls audited, Customer agrees to accept the Audit Report in lieu of requesting an audit of the controls covered by the Audit Report.

10.5  The audit must be conducted at a mutually agreeable time during regular business hours at the applicable facility, subject to the agreed final audit plan and Reclaim’s health and safety or other relevant policies and may not unreasonably interfere with Reclaim business activities.

10.6  Any audits are at Customer’s expense and Customer will promptly disclose to Reclaim any perceived non-compliance or security concerns discovered during the audit, together with all relevant details.

10.7  The parties agree that the audits described in Clause 8.9 of the EU SCCs and Clause 5(f) of the UK SCCs, if applicable, shall be performed in accordance with this Section 10. 

Customer acknowledges and agrees that Reclaim may create and derive from Processing related to the Service anonymized and/or aggregated data that does not identify or relate to Customer or any Data Subject (“Analytics Data”), and use, publicize or share with third parties such Analytics Data to improve the Service and for Reclaim’s other legitimate business purposes.

12.1  Each party’s liability towards the other party under or in connection with this DPA will be limited in accordance with the provisions of the Agreement.

12.2  Customer acknowledges that Reclaim is reliant on Customer for direction as to the extent to which Reclaim is entitled to Process Customer Personal Data on behalf of Customer in performance of the Service.  Consequently, Reclaim will not be liable under the Agreement for any claim brought by a Data Subject arising from (a) any action or omission by Reclaim in compliance with Customer’s instructions or (b) from Customer’s failure to comply with its obligations under the Data Protection Laws.

With regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail. In the event of inconsistencies between the DPA and the EU or UK SCCs, the EU OR UK SCCs will prevail.