Section 1 – Purpose
This Data Protection Addendum (“Addendum”) is between the parties signing below (each a “Party” and collectively, the “Parties”). This Addendum supplements and forms part of any existing, current, or future agreement between the Parties (collectively the “Agreement”). This Addendum will be in effect as of the effective date of the Agreement (“Effective Date”); provided, however, the relevant obligations apply only to the extent that (i) Personal Data is subject to the Applicable Data Privacy Laws; and (ii) an Applicable Data Privacy Law has taken effect.
Section 2 – Relationship with the Agreement
In the event of a conflict between this Addendum and the Agreement, the Addendum will control to the extent necessary to resolve the conflict. In the event the Parties use an International Data Transfer Mechanism and there is a conflict between the obligations in that International Data Transfer Mechanism and this Addendum, the International Data Transfer Mechanism will control.
Section 3 – Definitions
Capitalized terms used but not defined have the meanings given in the Agreement.
- “Applicable Data Privacy Laws” means all data protection and privacy laws applicable to the Processing of Personal Data under the Agreement, including the California Consumer Privacy Act (“CCPA”), the Colorado Privacy Act, the Connecticut Act of 2022 Concerning Personal Data Privacy and Online Monitoring, the Utah Consumer Privacy Act of 2022, the Virginia Consumer Data Protection Act, Regulation 2016/679 (General Data Protection Regulation) (“GDPR”) and the UK General Data Protection Regulation, in each case as amended from time to time and including any regulations promulgated thereunder.
- “Consent” means a Data Subject’s freely given, specific, informed, and unambiguous indication of the Data Subject’s wishes by which the Data Subject, through a statement or a clear affirmative action, signifies agreement to the Processing of Personal Data relating to that Data Subject.
- “Controller” means the entity that determines the purposes and means of Processing Personal Data. “Controller” includes equivalent terms in other Applicable Data Privacy Laws, such as the CCPA-defined terms “Business” and “Third Party,” as context requires.
- “Data Breach” means “breach of the security of the system,” “security breach,” “breach of security,” “breach of system security,” and other analogous terms referenced in Applicable Data Privacy Laws.
- “Data Exporter” means the Party that (1) has a corporate presence or other stable arrangement in a jurisdiction that requires an International Data Transfer Mechanism and (2) transfers Personal Data, or makes Personal Data available to, the Data Importer.
- “Data Importer” means the Party that (1) is located in a jurisdiction that is not the same as Data Exporter’s jurisdiction and (2) receives Personal Data from the Data Exporter or is able to access Personal Data made available by the Data Exporter.
- “Data Subject” means an identified or identifiable natural person.
- “Personal Data” means information that is linked or linkable, directly or indirectly, to an identified or identifiable natural person, including Personal Data that Tadpull processes on behalf of Customer as a processor in the course of providing Services. “Personal Data” includes equivalent terms in Applicable Data Protection Laws, such as the CCPA-defined term “Personal Information,” as context requires.
- “Processor” means an entity that Processes Personal Data on behalf of another entity. “Processor” includes equivalent terms in other Applicable Data Privacy Laws, such as the CCPA-defined term “Service Provider,” as context requires.
- “Sensitive Data” means the following types and categories of data: Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, a mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or immigration status; genetic data; biometric data; government identification numbers; payment card information; unencrypted identifier or username in combination with a password or other access code that would allow access to an account; precise geolocation information; and information from a known child.
- “Standard Contractual Clauses” means the European Union standard contractual clauses for international transfers from the European Economic Area (“EEA”) to third countries, Commission Implementing Decision (EU) 2021/914 of 4 June 2021, available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
- “Subprocessor” means a Processor engaged by a Party who is acting as a Processor.
- The following terms have the meanings assigned to them in Applicable Data Privacy Laws: “Business,” “Business Purpose,” “Cross-Context Behavioral Advertising,” “De-identified Data,” “Process” (and its cognates), “Pseudonymous Data,” “Sale” (and its cognates), “Service Provider,” “Share” (and its cognates), and “Third Party.”
Section 4 – Description of the Parties’ Personal Data Processing Activities and Status of the Parties
Capitalized terms used but not defined have the meanings given in the Agreement.
- Schedule 1 describes the purposes of Parties’ Processing, the types or categories of Personal Data involved in the Processing, and the Categories of Data Subjects affected by the Processing.
- Schedule 1 lists the Parties’ statuses under Applicable Data Privacy Laws.
Section 5 – International Data Transfer
- Some jurisdictions require that an entity transferring Personal Data to a recipient in another jurisdiction take extra measures to ensure that the Personal Data has special protections if the law of the recipient’s jurisdiction does not protect Personal Data in a manner equivalent to the transferring entity’s jurisdiction (an “International Data Transfer Mechanism”). Parties will comply with an International Data Transfer Mechanism, including the Standard Contractual Clauses, that may be required by Applicable Data Privacy Laws.
- If the International Data Transfer Mechanism on which Parties rely is invalidated or superseded, Parties will work together in good faith to find a suitable alternative.
- With respect to Personal Data of Data Subjects located in a jurisdiction that requires an International Data Transfer Mechanism (e.g., the EEA, Switzerland, or the United Kingdom) that Data Exporter transfers to Data Importer, or permits Data Importer to access, the Parties agree that by executing this Addendum they also execute the Standard Contractual Clauses, which will be incorporated by reference and form an integral part of the Agreement. Parties agree that, with respect to the elements of the Standard Contractual Clauses that require Parties’ input, Schedules 1-4 contain information relevant to the Standard Contractual Clauses and their Annexes. Parties agree that, for Personal Data of Data Subjects in the United Kingdom, Switzerland, or another country specified in Schedule 4, they adopt the modifications to the Standard Contractual Clauses listed in Schedule 4 to adapt the Standard Contractual Clauses to local law, as applicable.
Section 6 – General Data Privacy Obligations
- Compliance. The parties will comply with their respective obligations under Applicable Data Protection Laws, including by providing the same level of privacy protection that is required of Businesses under the CCPA.
- Data Protection Assessments. Upon request, Tadpull will provide reasonably relevant information to Customer to enable Customer to fulfill its obligations (if any) to conduct data protection assessments or prior consultations with data protection authorities.
- Notification. Tadpull will notify Customer if it determines that it can no longer meet its obligations under Applicable Data Privacy Laws.
- Tracking Technologies. Customer acknowledges that in connection with the performance of the Services, Tadpull employs the use of cookies, unique identifiers, web beacons and similar tracking technologies (“Tracking Technologies”). Customer will maintain appropriate notice, consent, opt-in and opt-out mechanisms as are required by Applicable Data Privacy Laws to enable Tadpull to deploy Tracking Technologies lawfully on, and collect data from, the devices of Data Subjects in accordance with and as described in the Tadpull Cookie Statement.
Section 7 – Tadpull’s Obligations as a Third Party (if applicable)
If Tadpull is a Third Party with regard to Personal Data that is collected, exchanged, or otherwise Processed in connection with Tadpull’s performance of the agreement (see Schedule 1), then:
- Tadpull acknowledges that Customer is making Personal Data available to Tadpull for the limited and specific purposes described in Schedule 1 and Tadpull agrees to use such Personal Data only for such purposes and for no other purpose.
- Tadpull will not Sell or Share Personal Data made available to it by Customer unless Customer provides data subjects with notice and the opportunity to opt out of such Sharing or Selling.
- Tadpull will allow Customer to take reasonable and appropriate steps to ensure that Tadpull is using the Personal Data provided or made available to Tadpull by or on behalf of Customer, or obtained or collected by Tadpull in connection with the purposes described in Schedule 1, in a manner consistent with Customer’s obligations under Applicable Data Privacy Laws.
- If Customer discovers unauthorized use of Personal Data by Tadpull, Customer may, upon notice, take reasonable and appropriate steps to stop and remediate such unauthorized use.
Section 8 – Tadpull’s Obligations as Independent Controller (if applicable)
If Tadpull is a Controller of Personal Data that is collected, exchanged, or otherwise Processed in connection with Tadpull’s performance of the Agreement (see Schedule 1), then:
- Tadpull acknowledges and agrees that Tadpull is independently responsible for compliance and will comply with Applicable Data Privacy Laws (e.g., obligations of Controllers).
- Tadpull agrees to be responsible for providing notice to Data Subjects as may be required by Applicable Data Privacy Laws and responding to Data Subjects’ requests to exercise their rights under Applicable Data Privacy Laws.
- If Tadpull receives any type of request or inquiry from a governmental, legislative, judicial, law enforcement, or regulatory authority, or faces an actual or potential claim, inquiry, or complaint in connection with Parties’ Processing of Personal Data provided to Tadpull by or on behalf of Customer, its affiliates, or their respective end users, or obtained or collected by Tadpull in connection with the purposes described in Schedule 1 (collectively, an “Inquiry”), then Tadpull will notify Customer without undue delay, but in no event later than ten (10) business days, unless such notification is prohibited by applicable law. Tadpull will promptly provide Customer with information relevant to the Inquiry, including any information relevant to the defense of a claim, to enable Customer to respond to the Inquiry.
Section 9 – Tadpull’s Obligations as a Processor, Subprocessor, or Service Provider (if applicable)
If Tadpull is a Controller of Personal Data that is collected, exchanged, or otherwise Processed in connection with Tadpull’s performance of the Agreement (see Schedule 1), then:
- Tadpull will have the obligations set forth in this Section 9 if it Processes the Personal Data of Data Subjects in its capacity as Customer’s Processor or Service Provider; for clarity, these obligations do not apply to Tadpull in its capacity as an Independent Controller or Third Party.
- Scope of Processing
(1) Tadpull will Process Personal Data solely for the Business Purposes specified in Schedule 1, to carry out its obligations under the Agreement, and to carry out Customer’s documented instructions.
(2) Processing any Personal Data outside the scope of the Agreement and this Addendum will require prior written agreement between Tadpull and Customer.
(3) Tadpull is prohibited from retaining, using, or disclosing the Personal Data (1) for any purpose other than the Business Purposes specified in Schedule 1, including retaining, using, or disclosing the Personal Data for a commercial purpose other than carrying out Customer’s instructions, (2) outside of the Parties’ direct business relationship, unless permitted by Applicable Data Privacy Laws, or (3) by combining Personal Data that Tadpull receives from, or on behalf of, Customer with Personal Data that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the Data Subject, provided that Tadpull may combine Personal Data or otherwise use it to perform any Business Purposes permitted by Applicable Data Privacy Law.
(4) Tadpull will not Sell or Share the Personal Data that it collects or obtains pursuant to the Agreement.
- Confidentiality. Tadpull will ensure that each person who Processes Personal Data is subject to a duty of confidentiality with respect to such Personal Data.
- Compliance.
(1) Tadpull will assist Customer in complying with Data Subjects’ requests made pursuant to Applicable Data Privacy Laws, at Customer’s cost, after a request from Customer.
(1.1) Tadpull will promptly comply with a Data Subject’s request to opt out of Processing, in no event later than 15 business days after receiving the request, if Customer notifies Tadpull that it is required to do so under Applicable Data Privacy Laws.
(1.2) Tadpull will forward the opt-out request to any other person to whom it has made the Personal Data available. Tadpull will comply with Data Subjects’ requests to delete and correct Personal Data when Customer forwards such requests that it receives to Tadpull and will make available to Customer any Personal Data in its possession that Customer needs to respond to Data Subjects’ requests to access their Personal Data.
(2) Tadpull will make available to Customer, upon the Customer’s reasonable request, all information in its possession necessary to demonstrate Tadpull’s compliance with its obligations under Applicable Data Privacy Laws.
- Permitted Activities. Notwithstanding the foregoing prohibitions, Parties agree that Tadpull may, and Customer instructs Tadpull to, Process Personal Data for the following activities when necessary to support the Business Purposes specified in Schedule 1; detect data security incidents; protect against fraudulent or illegal activity; effectuate repairs; and maintain and improve the quality of the services provided for the Business Purposes specified in Schedule 1.
- Subprocessors. If Tadpull discloses Personal Data to a Subprocessor for a Business Purpose, Tadpull and Subprocessor will enter into a written contract that prohibits the Subprocessor from (i) Selling or Sharing Personal Data; or (ii) retaining, using, or disclosing Personal Data for any purpose other than for the specific Business Purpose for which the Personal Data was disclosed. Tadpull will require any Subprocessor to comply with applicable obligations under Applicable Data Privacy Laws, including to provide the same level of privacy protection required of Businesses by the CCPA.
- Duration of Processing, Deletion and Return of Personal Data. Tadpull shall retain Personal Data for a period coterminous with the term of the Agreement. At the expiration or termination of the Agreement, or upon request by Customer, Tadpull will, without undue delay: (1) return all Personal Data to Customer; or (2) upon request by Customer, destroy all Personal Data, in each case unless applicable laws expressly require otherwise or the Parties agree otherwise expressly in writing. For any Personal Data that Tadpull retains after expiration or termination of the Agreement, Tadpull will continue to comply with this Addendum.
- Assessment and Remediation.
(1) Customer may take reasonable and appropriate steps, as provided in Applicable Data Privacy Laws, to ensure Tadpull Processes the Personal Data, including De-identified Data and Pseudonymous Data, in a manner consistent with Customer’s obligations under Applicable Data Privacy Laws, including by conducting reasonable assessments or audits, as provided by Applicable Data Privacy Laws.
(2) If Customer and Tadpull agree to an assessment by a qualified and independent third party, Tadpull agrees to provide a report of such assessment to Customer upon request. If Customer discovers unauthorized use of Personal Data by Tadpull or Tadpull’s Subprocessors, Customer may, upon notice, take reasonable and appropriate steps to remediate such unauthorized use.
Section 10 – Security
- Tadpull will implement appropriate technical and organizational measures to protect Personal Data from a Data Breach and to preserve the security and confidentiality of Personal Data.
- Upon becoming aware of a Data Breach, Tadpull will:
(1) Notify Customer without unreasonable delay of the Data Breach after becoming aware of the Data Breach;
(2) Promptly investigate or perform required assistance in the investigation of the Data Breach and provide Customer with detailed information about the Data Breach, including a description of the Data Breach, the approximate number of Data Subjects affected, the Data Breach’s current and foreseeable impact, and the measures Tadpull is taking to address the Data Breach and mitigate its effects; and
(3) Promptly take all commercially reasonable steps to mitigate the effects of the Data Breach or assist Customer in doing so.
- Tadpull will comply with this Section 10 at Tadpull’s cost, unless the Data Breach arose from Customer’s negligent or willful acts, in which case Customer will promptly pay all Tadpull’s compliance costs.
- Tadpull must obtain Customer’s written approval before notifying any governmental entity, individual, the press, or other third party not subject to a duty of confidentiality that a Data Breach affected Personal Data that Tadpull obtained from, or Processed on behalf of, Customer (which does not prohibit disclosure of the Data Breach without identifying Customer specifically). Notwithstanding anything to the contrary in this Addendum, Tadpull may notify a third party about a Data Breach affecting Personal Data if it is under a legal obligation to do so.
Section 11 – Miscellaneous
- Entire agreement. This Addendum is the Parties’ entire agreement on this subject and merges and supersedes all related prior and contemporaneous oral understandings, representations, prior discussions, letters of intent, or preliminary agreements.
- No further amendment. Except as modified by this Addendum, the Agreement remains unmodified and in full force and effect.
Schedule 1: Description of the Processing
- Processing Activity. Unless otherwise specified within the agreement, Tadpull provides data analytics technology, and other related services, and Processes Personal Data in connection with the Business Purpose(s) listed below.
- Status of the Parties. Customer is a Controller or a CCPA Business. Tadpull is a Processor/Service Provider.
- Categories of Personal Data Processed. Identification and contact data (name, date of birth, gender, general, occupation or other demographic information, address, title, contact details, including email address); personal interests or preferences (including: purchase history, marketing preferences and publicly available social media profile information); and IT information (IP addresses, usage data, cookies data, online navigation data, location data, browser data).
- Categories of Sensitive Data Processed. None.
- Categories of Data Subjects. Data subjects include Customer’s customers, employees, and business partners.
- Status of the Parties as Data Exporter or Importer. Customer is the Data Exporter. Tadpull is the Data Importer.
- Applicable SCCs Module. Module 2; Module 3, if Tadpull acts as a Processor to another Controller.
Business Purposes may include (if provided for in the Agreement):
- Performing services on behalf of the Customer, such as maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the Business.
- Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured for, or controlled by the Business, and to improve, upgrade, or enhance such a service or device.
Schedule 2: Tadpull Subprocessors
These Subprocessors set out below provide cloud hosting and storage services; content delivery and review services; assist in providing customer support; as well as incident tracking, response, diagnosis and resolution services. Customer consents to the processing of its Personal Data by these Subprocessors.
- Subprocessor: Azure Ubuntu Virtual Machines
Location: Texas US
Function: Data science compute functions
- Subprocessor: Azure SQL server databases
Location: Texas US
Function: Application Data Storage
- Subprocessor: Azure Web Apps
Location: Texas US
Function: Application Compute
- Subprocessor: Google Cloud Platform SQL databases
Location: California US
Function: User tracking data storage
- Subprocessor: Google Cloud Platform Compute Engine virtual machines
Location: California US
Function: User tracking compute
Schedule 3: Technical and Organizational Security Measures
- Subject to the terms of the Agreement, Tadpull will implement and maintain appropriate technical and organizational security measures to protect Personal Data from Security Incidents and to preserve the security and confidentiality of the Personal Data.
- Updates to Security Measures. Customer is responsible for reviewing the information made available by Tadpull relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Data Protection Laws. Customer acknowledges that the Security Measures are subject to technical progress and development and that Tadpull may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer.
- Customer Responsibilities. Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Services and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Services.
- Tadpull’s Security Measures include:
a. Data Access Controls – Tadpull takes relevant industry standard measures to assure that Customer Personal Data is accessible only by its properly authorized personnel; Customer Personal Data cannot be read, copied, modified or removed without internal authorization in the course of Processing; and direct database query access is restricted and application access rights are established and enforced to ensure that the personnel entitled to use a data processing system only have access to the Customer Personal Data to which they have privilege of access.
b. System Access Controls – Tadpull takes relevant industry standard measures to prevent Customer Personal Data from being used without internal authorization. These measures may vary based on the nature of the Processing undertaken and may include authentication via passwords and/or two-factor authentication, documented authorization processes, documented change management processes, and/or logging of access on several levels.
c. Input Controls – Tadpull takes relevant industry standard measures to ensure that it is possible to check and establish whether and by whom Customer Personal Data has been entered into data processing systems, modified, or removed.
d. Transmission Controls – Tadpull takes relevant industry standard measures to prevent Customer Personal Data from being read, copied, altered, or deleted by unauthorized parties during the transmission thereof.
e. Logical Separation – Tadpull logically segregates Customer Personal Data from different company customer environments on Tadpull’s systems so Personal Data that is collected for different purposes may be separately processed.
f. Data Backup – Tadpull backs up the databases used to provide the Services on a regular basis, and takes commercially reasonable efforts to ensure that such databases are secured, tokenized and/or encrypted so that Customer Personal Data is protected against accidental loss or destruction when hosted by Tadpull.
g. Training – Tadpull implements and maintains an up-to-date training and awareness program regarding Personal Data security for its employees and Subprocessors who may have access to Customer Personal Data. Tadpull shall ensure that persons authorized to process Customer Personal Data are properly trained in the Processing of Customer Personal Data and only have access to the Customer Personal Data on a need-to-know basis subject to the obligation of confidentiality. Tadpull takes steps to ensure that the authorized persons do not Process Customer Personal Data except on instructions from Customer, unless Tadpull is required to do so by local law.
h. Instructions to Authorized Persons – Tadpull requires that any authorized persons entrusted with Processing Customer Personal Data comply with the principle of confidentiality and have been appropriately instructed about applicable data protection laws.
Schedule 4: Jurisdiction-Specific Clauses
- Jurisdiction-specific Obligations and Information for International Transfers
1.1. Generally. The parties agree that, for any jurisdiction not listed below that requires an International Data Transfer Mechanism, they hereby enter into and agree to be bound by the EEA Standard Contractual Clauses for transfers of personal data from that jurisdiction unless (1) the parties otherwise agree in writing or (2) a jurisdiction promulgates its own International Data Transfer Mechanism, in which case the parties hereby agree to negotiate an update to this DPA to incorporate such International Data Transfer Mechanism.
1.2. European Economic Area.
1.2.1. “EEA Standard Contractual Clauses” means the European Union standard contractual clauses for international transfers from the European Economic Area to third countries, Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
1.2.2. For transfers from the EEA that are not subject to an adequacy decision or exception, the parties hereby incorporate the EEA Standard Contractual Clauses by reference and, by signing this DPA, also enter into and agree to be bound by the EEA Standard Contractual Clauses. The parties agree to select the following options made available by the EEA Standard Contractual Clauses.
1.2.2.1. Clause 9, Module 2(a): The parties select Option 2. The time period is 30 days.
1.2.2.2. Clause 9, Module 3(a): The parties select Option 2. The time period is 30 days.
1.2.2.3. Clause 11(a): The parties do not select the independent dispute resolution option.
1.2.2.4. Clause 17: The parties select Option 1. The parties agree that the governing jurisdiction is Ireland.
1.2.2.5. Clause 18: The parties agree that the forum is Ireland.
1.2.2.6. Annex I(A): The statuses of the parties as Controllers or Processors and Data Exporters or Data Importers are described in Schedule 1.
1.2.2.7. Annex I(B): The parties agree that Schedule 1 describes the transfer.
1.2.2.8. Annex I(C): The competent supervisory authority is the Irish Data Protection Commission.
1.2.2.9. Annex II: The parties agree that Schedule 3 describes the technical and organizational measures applicable to the transfer.
1.2.2.10. Annex III: The parties agree that Schedule 2 describes the relevant subprocessors and their roles in processing personal data.
1.3. Switzerland. The parties agree to the following modifications to the EEA Standard Contractual Clauses to make them applicable to transfers of personal data from Switzerland.
1.3.1. The parties adopt the GDPR standard for all data transfers from Switzerland.
1.3.2. Clause 13 and Annex I(C): The competent authorities under Clause 13, and in Annex I(C), are the Federal Data Protection and Information Commissioner and, concurrently, the EEA member state authority identified above.
1.3.3. Clause 17: The parties agree that the governing jurisdiction is Switzerland.
1.3.4. Clause 18: The parties agree that the forum is Switzerland. The parties agree to interpret the EEA Standard Contractual Clauses so that data subjects in Switzerland are able to sue for their rights in Switzerland in accordance with Clause 18(c).
1.3.5. The parties agree to interpret the EEA Standard Contractual Clauses so that “data subjects” includes information about Swiss legal entities until the revised Federal Act on Data Protection becomes operative.
1.4. United Kingdom.
1.4.1. “IDTA” means the International Data Transfer addendum issued by the ICO and laid before Parliament in accordance with s119A(1) of the Data Protection Act 2018 on 2 February 2022, as modified by the UK Information Commissioner’s Office from time to time.
1.4.2. For transfers from the United Kingdom that are not subject to an adequacy decision or exception, the parties hereby incorporate the IDTA by reference and, by signing this DPA, also enter into and agree to be bound by the Mandatory Clauses of the IDTA.
1.4.3. The parties agree that the following information is relevant to Tables 1 – 4 of the IDTA and that by changing the format and content of the Tables neither party intends to reduce the Appropriate Safeguards (as defined in the IDTA).
1.4.3.1. Table 1: The parties’ details, key contacts, data subject contacts, and signatures are in the signature block of the DPA.
1.4.3.2. Table 2: The version of the Approved EU SCCs, modules, clauses and optional provisions are described in Schedules 1 and 4 of the DPA.
1.4.3.3. Table 3:
1.4.3.3.1. The statuses of the Data Exporter and Data Importer are described in Schedule 1.
1.4.3.3.2. Schedule 1 describes the transfer.
1.4.3.3.3. Schedule 3 describes the technical and organizational measures to ensure the security of the data.
1.4.3.3.4. Schedule 2 describes the relevant subprocessors and their roles in processing personal data.
1.4.3.4. Table 4:
1.4.3.4.1. The parties agree that neither party may end the IDTA as set out in Section 19 of the IDTA.