Data Processing Addendum

Online versions of these documents are not negotiable. Please do not cut and paste this into another program in order to edit.

This Data Processing Addendum (“DPA”) is entered into by and on behalf of the Client (“Client” or “Controller”) and Firstup, Inc. and its affiliates (collectively, “Firstup” or “Processor”). This DPA is incorporated into the Agreement by reference. Any capitalized terms not defined herein have the meanings ascribed to them in the Agreement. Each of Firstup and Client shall be referred to individually as a Party and collectively as the Parties. 

Schedule: To the extent the Model Clauses apply under Section 6 of this DPA with respect to restricted transfers of Personal Data to third countries from the EU/EEA, Switzerland, and/or the UK, then with respect to the:

1. EU/EEA Model Clauses, Annexes I, II, and III, the following shall apply:

Date of the Clauses	As of the date of the Agreement
Module	Module Two: Transfer Controller to Processor
Names of the parties	As set forth in the Agreement
Data Exporter	Client
Data Importer	Firstup (privacy@firstup.io)
Data Exporter is engaged in	Using Firstup’s software as a service platform
Data Exporter is using the personal data which is being transferred for the following purposes or activities	Enabling workforce communications
Data Importer is engaged in	Firstup is the provider of a cloud-based software communication platform (the “Platform”) which processes personal data upon the instruction of the Data Exporter in accordance with the Agreement
Categories of data subjects	Individuals employed by or who work for Controller/Data Exporter
Categories of personal data	Data Exporter decides and controls, at its sole discretion, what information is uploaded onto or obtained for Data Exporter through the Platform (including all Personal Data which is collected through the Platform, social media network/sites, and APIs in connection with the provision of the Platform to the Data Exporter) or otherwise provided by Data Exporter to Firstup. Personal Data may include the following categories of data, to the extent the following includes Personal Data: ● Contact details, such as name and email address ● Localisation data ● Connection data ● IP Address ● Communications, data, information or content not described above that is sent or received by Client through the Platform including services accessed via mobile devices
Sensitive or special category data	N/A
Frequency of the transfer	Continuous per Client’s use of the Platform
Nature of the processing	Data Importer will Process Personal Data as necessary to perform the services pursuant to the Agreement, as further specified in the Documentation, and as further instructed by Data Exporter in its use of the Platform. Processing operations include receiving data, collection, accessing, retrieval, recording, and data entry; holding data, including storage, organisation and structuring; and using data, including analysing and testing
Purpose of the data transfer and further processing	To Process Personal Data as necessary to perform the services pursuant to the Agreement, as further specified in the Documentation, and as further instructed by Data Exporter in its use of the services
Retention period (or criteria used to determine retention)	Personal data is retained for the period of the Agreement unless otherwise retained for legal or compliance purposes
For the purposes of Clause 7, the	Docking Clause is included
For the purpose of Clause 9(a), use of sub-processors, the Data Importer has the Data Exporter’s	General written authorization for the engagement of sub-processors according to Section 4 of this DPA (see also https://firstup.io/legal/subprocessor-list/ for the Firstup platform and https://firstup.io/legal/dynamic-signal/third-party-subprocessors/ for the Dynamic platform
For the purposes of the Clause 9(a), the Data Importer shall specifically inform the Data Exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least	Ten (10) days in advance
For the purposes of Clause 11, Redress	Option concerning redress with an independent dispute resolution body is not included
For the purposes of Clause 13, the competent supervisory authority is	Republic of Ireland
For the purposes of Clause 17, governing law shall be the law of the	Republic of Ireland
For the purposes of Clause 18, choice of forum and jurisdiction shall be the	Republic of Ireland
Technical and organisational measures including technical and organisational measures to ensure the security of the data	The technical and organization measures set forth in the applicable SOC 2 Type II annual report, available upon request, subject to the confidentiality provisions of the Agreement

2. UK Addendum to the EU/EEA Model Clauses, the Parties hereby agree to amend the format of UK IDTA Part 1: Tables, whereby in addition to the above, the following shall apply:

Start Date	As of the date of the Agreement
Data Exporter’s official registration number (if any) (company number or similar identifier)	N/A
Data Importer’s official registration number (if any) (company number or similar identifier)	N/A
Addendum EU SCCs	☒ the Approved EU SCCs, including the Appendix Information and with only the following [above] modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum
Ending this Addendum when the Approved Addendum changes	☒ Importer ☒ Exporter

Data Processing Addendum. 

Client enters into this DPA on behalf of itself and on behalf of its Authorized Affiliates to the extent Firstup processes Personal Data on behalf of Client and/or its Authorized Affiliates in the course of providing services. For clarity, this DPA applies exclusively to Client and its Authorized Affiliates and not to any other party unless otherwise expressly agreed to by Firstup. 

In order to enable the Parties to carry out their relationship in a manner that is compliant with Applicable Data Protection Law, the Parties agree follows:

1. Definitions

All terms and phrases not defined herein shall have the meanings set forth in the Agreement or in Applicable Data Protection Law.

“Agreement” means the agreement to which this DPA is linked, or if this DPA is referenced in another document, the “Agreement” between Firstup and Client as defined in such document. 

“Authorized Affiliate” means any Client affiliate that is permitted to use the services pursuant to the Agreement but that has not entered into its own Schedule/order form or the like.

“Applicable Data Protection Law” means the laws and regulations of (i) the European Union and European Economic Area and their respective member states, (ii) Switzerland, (iii) the United Kingdom, (iv) the U.S. state of California, and (v) any other laws and regulations that may be expressly agreed by Firstup applicable to the Processing of Personal Data under the Agreement.

“CCPA/CPRA” means the California Consumer Privacy Act of 2018 as amended and its implementing regulations, and the California Privacy Rights Act.

“Controller” “Business,” and “Personal Information Handler” means the entity which determines the purposes and means of the Processing of Personal Data.

“Client” means the entity that executed the Agreement together with its Affiliates, which Affiliates have signed a Schedule/order form.

“Client Content” means content, images, fonts, icons, videos, templates, information, text, audio, and other data, including but not limited to trademarks, trade names, and service marks uploaded by Client (including its Users) or created within the Platform, or otherwise transmitted by or on behalf of Client in connection with its use of the Platform.

“Data Subject” means an identified or identifiable person entitled to rights under Applicable Data Protection Law and to whom Personal Data relates.

“GDPR” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation).

“Model Clauses” shall mean (i) the clauses annexed to European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914&qid=1692219871936, as may be updated, amended, and superseded from time-to-time; and (ii) and (2) the UK International Data Transfer Addendum (“UK IDTA”) to the EU Commission Standard Contractual Clauses, VERSION B1.0, in force 21 March 2022 available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, as may updated, amended, and superseded from time-to-time.

“Personal Data” means any information relating to an identified or identifiable natural person where such information is protected as personal data, personal information, or personally identifiable information under Applicable Data Protection Law.

“Processing” means an operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, and whereas “Process,” “Processes,” and “Processed” shall be interpreted accordingly.

“Processor” “Service Provider,” and “Entrusted Person” mean an entity that processes Personal Data on behalf of a Controller.

“Security Breach” means a breach of the Firstup security standards leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

“Sub-processor” means any third party engaged by Firstup that Processes Personal Data.

“Supervisory Authority” means an applicable independent public authority which is established by an EU Member State pursuant to the GDPR, the UK Information Commissioner’s Office (ICO), or the Swiss Federal Data Protection and Information Commissioner (FDPIC).

“UK GDPR” as defined in Section 3 of the Data Protection Act 2018, including any amendments thereto.

2. Data Processing Terms 

2.1 Roles and Relationships. The Parties acknowledge and agree that with regard to Personal Data Processed under the Agreement, Client is the Controller and Firstup is the Processor with respect to such Processing. With respect to the CCPA/CPRA, Firstup shall be considered a Service Provider to Client to the extent that the CCPA/CPRA applies. 

2.2 Client’s Processing of Personal Data. Client shall, in its use of the services and provision of instructions to Firstup, process Personal Data in accordance with Applicable Data Protection Laws.  Client is solely responsible for its compliance with Applicable Data Protection law, including in regards to the accuracy, quality, and lawful basis of processing Personal Data and the means by which Client acquired such Personal Data and Client Content with respect to Client’s use of the services.

2.3 Documented Instruction. Client instructs Firstup to process Personal Data for the purposes of providing the services in accordance with the Agreement and any applicable Order Form(s) and any other documented reasonable instructions provided by Client where such instructions are consistent with the terms of the Agreement. 

2.4 Details of Processing. The subject matter of the Processing is the services under the Agreement, the nature of which Processing is as set forth in the Schedule/order form. The duration of Processing shall be for the duration of the provision of Services to Client and any time thereafter as may be expressly instructed or as may be permitted or required by applicable law. For purposes of the CCPA/CPRA, the nature of the Processing is for a Business Purpose and does not involve the “sale” of Personal Data by Firstup, as such term is defined by the CCPA/CPRA, nor shall Firstup “sell” Personal Data. Firstup shall not retain, use, or disclose Personal Data for any purpose other than for the business purposes specified in the Agreement and shall not combine Personal Data with other personal information except as expressly permitted by Client or the CCPA/CPRA. 

3. Processor Obligations

3.1 Confidentiality. Persons Firstup authorizes to process Personal Data shall be committed to a duty of confidentiality whether by contract or status. 

3.2 Processing Limitations. Firstup shall process Personal Data in accordance with the Client’s documented instructions and as may otherwise be required by Applicable Data Protection Law. Any further instructions that go beyond the instructions contained in this DPA or the Agreement must be within the subject matter of this DPA and the Agreement. If the implementation of such further instructions results in costs for Firstup, Firstup shall inform Client about such costs with an explanation of the costs before implementing the instructions. Only after Firstup’s confirmation to bear such costs for the implementation of the instructions shall Firstup be required to implement such further instructions. Firstup shall immediately inform Client if, in its opinion, an instruction infringes Applicable Data Protection Law and request Client to withdraw, amend, or confirm the relevant instruction. Pending the decision of Client on the withdrawal, amendment, or confirmation of the relevant instruction, Firstup shall be entitled to suspend the implementation of the relevant instruction.

3.3 Security of Processing. Firstup shall implement the technical and organizational measures, as set out in Annex II, to protect against the unauthorized or unlawful processing, accidental or unlawful destruction, loss or alteration or damage, and unauthorized disclosure or access to Personal Data. 

3.4 Security Breach Notification. Firstup shall notify Client without undue delay (in no event in more than forty-eight (48) hours) upon becoming aware of a breach of Personal Data for which notification to Client is required under Applicable Data Protection Law. 

3.5 Audits and Inspections. Firstup has obtained the third-party certifications and audits set forth in its information security policies. Upon Client’s written request at reasonable intervals and subject to the confidentiality obligations set forth in the Agreement, Firstup shall make available to Client (which Client is not a competitor of Firstup, or to Client’s independent, third-party auditor, which is not a competitor of Firstup) a copy of Firstup’s then most recent third-party audits or certifications, as applicable (“Audit Report”) subject to Firstup’s redaction of information reasonably determined by Firstup to constitute “High Sensitivity” security information, the disclosure of which could result in a serious risk to the security of Firstup, its systems, data, and customers. To the extent that additional information is necessary to satisfy Client’s audit requirements under Applicable Data Protection Law, upon not less than thirty (30) days’ notice and at Client’s reasonable expense, Client may reasonably request such additional information, up to and including remote inspections of the systems and processes involved in the processing of Personal Data. Remote audits must be performed in a manner that limits disruption to Firstup’s business operations and in accordance with Firstup’s security policies. Firstup willcomply, as legally necessary, with audits by a competent Supervisory Authority (or other competent regulator of Personal Data) under Applicable Data Protection Law. 

3.6 Data Subject Rights. Taking into account the nature of the processing and to the extent Client cannot respond to a Data Subject request through functionality made available via the Services, Firstup shall provide, upon Client’s reasonable request, commercially reasonable assistance, including by providing appropriate technical and organizational measures, and to the extent Firstup is legally permitted to do so and such assistance is requested under Applicable Data Protection Laws, to enable Client to fulfill its obligation with respect to responding to Data Subject requests and the exercise of Data Subject rights under Applicable Data Protection Law. 

3.7 Data Protection Impact Assessments and Prior Consultation. To the extent required by Applicable Data Protection Law in relation to the Processing of Personal Data by Firstup, Firstup shall render reasonable assistance to Client in performing Data Protection Impact Assessments and providing “prior consultation” in accordance with Applicable Data Protection Law. Firstup reserves the right to charge Client for its reasonable expense in providing such assistance if such assistance exceeds an ordinary level of expense or effort relative to the Agreement. 

3.8 Return or Deletion of Personal Data. As may be required by Applicable Data Protection Law, upon termination of the Services for which Firstup is processing Personal Data, Firstup shall, upon Client’s written request and/or as may be provided in the Agreement, return or delete Personal Data, including copies of such data in Firstup’s custody or control, unless and only to the extent Firstup has a legitimate legal basis for retaining such data. With respect to deletion, Firstup shall utilize a commercially reasonable means of deletion or disposal of its choosing. If Firstup retains Personal Data for legal reasons, Firstup will only actively process such Personal Data after the termination date in accordance with Applicable Data Protection Law. Notwithstanding the foregoing, Firstup may retain deidentified, anonymized, and aggregated data to the extent that such data does not constitute Personal Data under Applicable Data Protection Law. 

4. Subprocessing

4.1 Appointment of Sub-processors. Firstup may appoint and retain Sub-processors, which may include its Affiliates, in the Processing of Personal Data under the Agreement. Client further agrees Firstup and its Sub-processors, respectively, may engage third-party Sub-processors in connection with the Processing of Personal Data. Firstup shall remain responsible for any acts or omissions of its Sub-processors in the same manner as for its own acts and omissions. Sub-processors shall be bound to Processing Personal Data consistent with the requirements hereunder and Applicable Data Protection Law. 

4.2 General Authorization. Firstup shall have Client’s general authorization for the engagement of Sub-processor(s) from an agreed list. Such list of Firstup’s Sub-processors is available at https://firstup.io/legal/subprocessor-list/ for the Firstup platform and https://firstup.io/legal/dynamic-signal/third-party-subprocessors/ for the Dynamic platform as may be updated from time to time (the “Sub-processor Lists”). 

4.3 Change in Sub-processors. Firstup may remove, replace, and appoint new Sub-processors in its discretion in accordance with this provision upon thirty (30) days’ written notice provided through the Sub-processor Lists. Client may object in writing to the appointment of a new Sub-processor on the grounds of data protection within thirty (30) days of Firstup’s notice of such appointment, otherwise the appointment shall be deemed accepted by Client. Any objection by Client to the appointment of a Sub-processor shall be made in good faith and supported by reasonable information. Upon Client making such an objection, Firstup and Client shall negotiate in good faith to reach a mutually agreeable resolution within thirty (30) days of Firstup’s receipt of Client’s written objection. If a resolution cannot be reached within thirty (30) days of Firstup’s receipt of Client’s written objection, Client may terminate the Agreement within thirty (30) days following such period, without further liability of either Party.

5. Authorized Affiliates 

5.1 Contractual Relationship. The Parties acknowledge and agree that, by executing the Agreement, the Client enters into this DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between Firstup and each such Authorized Affiliate subject to the provisions of the Agreement. Each Authorized Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the avoidance of doubt, an Authorized Affiliate is not and does not become a party to the Agreement, and is only a Party to this DPA. All access to and use of the Services and Client Content by Authorized Affiliates must comply with the terms and conditions of the Agreement and any violation of the terms and conditions of the Agreement by an Authorized Affiliate shall be deemed a violation by Client.

5.2 Communication. The Client that is the contracting party to the Agreement shall remain responsible for coordinating all communication with Firstup under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates. 

5.3 Rights of Authorized Affiliates. Where an Authorized Affiliate becomes a party to this DPA with Firstup, it shall to the extent required under Applicable Data Protection Law be entitled to exercise the rights and seek remedies under this DPA, except where applicable Data Protection Laws require the Authorized Affiliate to exercise a right or seek any remedy under this DPA against Firstup directly, the parties agree that (i) the Client that is the contracting party to the Agreement shall exercise any such right or seek any such remedy on behalf of the Authorized Affiliate, and (ii) the Client that is the contracting party to the Agreement shall exercise any such rights under this DPA not separately for each Authorized Affiliate individually but in a combined manner for itself and all of its Authorized Affiliates together. 

6. Transfers to Third Countries 

This Section 6 applies only if and to the extent that Personal Data processed under the Agreement is transferred to a third country from the European Union/European Economic Area (“EU/EEA”), United Kingdom, and/or Switzerland.

6.1  Incorporation and Application of Model Clauses. This DPA incorporates by reference the Model Clauses for international transfers of Personal Data from the EU/EEA, Switzerland, and the UK, respectively, as permissibly customized by the Parties. The Model Clauses shall apply  to the transfer of personal data outside of the United Kingdom without an applicable adequacy regulation or outside of the European Union or Switzerland without an applicable adequacy decision. To the extent that the Model Clauses apply, the Model Clause shall prevail over contradictions between this DPA and the Model Clauses with respect to the subject matter of the Model Clauses. 

Where Personal Data is transferred to a third country from Switzerland, the Model Clauses shall be modified in accordance with the following:

(a) “FDPIC” means the Swiss Federal Data Protection and Information Commissioner.

(b) “Revised FADP” means the revised version of the FADP of 25 September 2020.

(c) The term “EU Member State” is not to be interpreted in such a way as to exclude data subjects in Switzerland from exercising their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Model Clauses.

(d) The Model Clauses shall also protect the data of legal entities until the entry into force of the Revised FADP.

(e) The FDPIC shall act as the “competent supervisory authority” insofar as the relevant data transfer is governed by the FADP.

6.2 Invalidation Event. In the event that the Model Clauses are invalidated, replaced, superseded, or otherwise determined by an applicable competent authority to no longer provide adequate protection to the transfer of Personal Data to an applicable third country or third countries (an “Invalidation Event”), then the Parties shall cooperate to promptly adopt another appropriate transfer mechanism to prevent undue disruptions to the transfers of personal data to such third country or countries. 

6.3 Transfer Risk Assessment. To the extent required by Applicable Data Protection Law, the Parties agree to cooperate to assess the risks associated with the transfer of Personal Data to third countries not covered by an applicable adequacy decision. The Parties agree that such assessment(s) shall be Confidential Information provided that disclosure of the assessment to the Supervisory Authority is permitted by either Party upon the Supervisory Authority’s legitimate request for such information.

7. General Terms

7.1 Term and Termination. The term of this DPA is identical with the term of the Agreement. Except as otherwise agreed herein, termination rights and requirements shall be the same as set forth in the Agreement.

7.2 Governing Law and Dispute Resolution. Governing law and dispute resolution shall be the same as set forth in the Agreement, unless otherwise required by the Model Clauses.

7.3 Limitation of Liability. The limitation of liability provisions of the Agreement shall apply to this DPA.