Syandus Data Processing Addendum

Effective Date: June 14, 2025

This Syandus Data Processing Addendum and its Annexes (“DPA”) is incorporated into each Terms of Service agreement (“Terms”) between Syandus, Inc. (“Syandus”, “we”, “our”) and the customer (“Customer”, “you”, “your”) for Syandus’ provision of Services on behalf of the Customer as defined below. Syandus and Customer are each referred to individually as a "Party" and collectively as the "Parties". This DPA is supplemental to, and an integral part of the Terms, including any amendments in a signed Addendum, and is effective when the Terms are accepted, and shares the same term.

In case of any conflict or inconsistency between the Terms and this DPA, this DPA will take precedence regarding the conflict or inconsistency.

All capitalized terms not otherwise defined herein will have the meanings as set forth in the Terms.

1  Definitions

1.1 - “Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

1.2 - “Customer Data” shall include all Customer Content and any Customer Account, Authorized User, or End User data collected during the use of the Services.

1.3 - “Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Terms, including without limitation European Data Protection Laws (GDPR and UK Data Protection Law), the CCPA and other applicable U.S. federal and state privacy laws, and other data protection and privacy laws, in each case as amended, repealed, consolidated or replaced from time to time.

1.4 - “Data Subject” means the individual to whom Personal Data relates.

1.5 - “Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.

1.6 - “Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms “Process”, “Processes” and “Processed” will be construed accordingly.

1.7 - “Personal Data” means any information relating to an identified or identifiable individual where (a) such information is contained within Customer Data; and (b) is protected similarly as personal data, personal information, or personally identifiable information under applicable Data Protection Laws.

1.8 - “Instructions” means the written directions provided by a Controller to a Processor, specifying actions to be taken with Personal Data. These actions can include, but are not limited to, depersonalizing, blocking, deleting, or making the data available.

1.9 - “Personal Data Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by Syandus and/or our Subprocessors in connection with the provision of the Services. A Personal Data Breach will not include unsuccessful attempts or activities that do not compromise the security of Personal Data including unsuccessful log-in attempts, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

1.10 - “Subprocessor” means any subcontractor engaged by Syandus for the Processing of Personal Data.

2  Customer Responsibilities

2.1 - Scope. This DPA applies only to the Personal Data in Customer Account. For such Personal Data, Customer is the Controller, or you represent that you are acting with full authority on behalf of the Controller, and Syandus is your Processor. As stated in the Terms, Personal Data shall not contain Sensitive Data, as defined by the General Data Protection Regulation (GDPR), unless an Addendum to the Terms, agreed in writing, permits such Processing.

2.2 - Compliance with Laws. Within the scope of these Terms and in your use of the Services, you will be responsible for complying with all requirements that apply to you under applicable Data Protection Laws with respect to your Processing of Personal Data and the Instructions you issue to us. Specifically, without limiting the generality of the foregoing, you acknowledge and agree that you will be solely responsible for: (a) the accuracy, quality, and legality of Customer Data; (b) complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of the Personal Data; (c) ensuring you have the right to transfer, or provide access to, the Personal Data to us for Processing in accordance with the Terms (including this DPA); and (d) ensuring that your Instructions to us regarding the Processing of Personal Data comply with applicable laws, including Data Protection Laws.

2.3 - Controller Instructions. The Parties agree that the Terms (including this DPA), together with Customer’s use of the Services in accordance with the Terms, constitute your complete Instructions to Syandus in relation to the Processing of Personal Data, including for purposes of the Standard Contractual Clauses, if they apply. However, you may provide additional written Instructions during the Term, provided they are consistent with the Terms and the nature and lawful use of the Services.

2.4 - Security. Customer is responsible for independently determining whether the data security provided for in the Services adequately meets Customer’s obligations under applicable Data Protection Laws. You may use the Services only if the security commitments in this DPA would provide a level of security appropriate to the risk in respect of the Personal Data. We have provided a Transfer Impact Assessment (TIA) in Annex 4 of this DPA to assist you in your risk assessment.

3  Syandus Obligations

3.1 - Compliance with Instructions. We will only Process Personal Data for the purposes described in this DPA, including Annex 1 (Details of Processing), or as otherwise agreed within the scope of your lawful Instructions, except where and to the extent otherwise required by applicable law. While we are not responsible for compliance with any Data Protection Laws specific to your industry or jurisdiction, we will comply with all applicable Data Protection Laws, including the GDPR, in our Processing activities.

3.2 - Conflict of Laws. If we become aware that we cannot Process Personal Data according to your Instructions due to a legal requirement under any applicable law, we will (i) promptly notify you to the extent permitted by the applicable law; and (ii) where necessary, suspend all Services (and Processing) until such time as the legal requirement no longer prevents us from complying with your Instructions. If this provision is invoked, we will not be liable to you under the Terms for any failure to perform the applicable Services during the period of suspension.

3.3 - Security. We will implement and maintain appropriate technical and organizational measures to protect Personal Data from Personal Data Breaches, as described under Annex 2 to this DPA ("Technical and Organizational Security Measures"). Notwithstanding any provision to the contrary, we may modify or update the Technical and Organizational Measures at our discretion provided that such modification or update does not materially lower the level of security of the Personal Data.

3.4 - Confidentiality. We will ensure that any personnel whom we authorize to Process Personal Data on our behalf is subject to appropriate confidentiality obligations with respect to that Personal Data.

3.5 - Deletion or Return of Personal Data. We will delete or return all Personal Data Processed pursuant to this DPA on termination or expiration of your Services in accordance with the Terms, except to the extent Applicable Law requires storage of the Personal Data. To the extent that we have archived Personal Data on back-up systems and such data has not been deleted in accordance with our deletion practices, such data will be protected from any further Processing, and until the data is deleted, we will continue to ensure compliance with the Standard Contractual Clauses referenced herein. Customer is encouraged to export Customer Data and Personal Data from within the Services before terminating Services. The certification of deletion required by the Standard Contractual Clauses (if they apply) will be provided only on written request.

4  Personal Data Breach

4.1 - Syandus will notify you without undue delay after we become aware of any Personal Data Breach and will provide timely information relating to the Personal Data Breach which may include the nature of the breach, likely consequences based on the information known, and measures taken or proposed by us to address or mitigate its possible adverse effects, if applicable. At your request, we will promptly provide you with such reasonable assistance as necessary to enable you to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if you are required to do so under Data Protection Laws.

5  Data Subject Requests

5.1 - If a Data Subject Request or other communication regarding the Processing of Personal Data under this DPA is made directly to us, we will promptly inform you and will advise the Data Subject to submit their request to you. You will be solely responsible for responding substantively to any such Data Subject Requests or communications involving Personal Data.

5.2 - The Services provide you with several controls that you can use to retrieve, correct, delete or restrict Personal Data, which you can use to assist you in connection with your obligations under Data Protection Laws, including your obligations relating to responding to requests from Data Subjects to exercise their rights under applicable Data Protection Laws ("Data Subject Requests").

5.3 - To the extent that you are unable to independently address a Data Subject Request through the Services, then upon your written request Syandus will provide reasonable assistance to you to respond to any Data Subject Requests or requests from data protection authorities relating to the Processing of Personal Data under the Terms. You will reimburse us for the commercially reasonable costs arising from this assistance.

6  Subprocessors

6.1 - Syandus engages Subprocessors to Process Personal Data in connection with providing the Services, which may include hosting and infrastructure, supporting features within the Services, or assisting in service and support. Prior to a Subprocessor's Processing of Personal Data, Syandus will impose contractual obligations on the Subprocessor that are substantially the same as those imposed on Syandus under this DPA. Syandus is liable for its Subprocessors' performance to the same extent Syandus is liable for its own performance under these Terms.

6.2 - A current list of Subprocessors is available in Annex 3 of this DPA.

6.3 - Syandus will provide Notice to Customers thirty (30) days before a new Subprocessor is scheduled to begin Processing Personal Data. We will give you the opportunity to object to the engagement of new Subprocessors on reasonable grounds relating to the protection of Personal Data within 30 days of notifying you. If you do notify us in writing of such an objection, the Parties will discuss your concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Syandus will, at our sole discretion, either not appoint the new Subprocessor, or permit you to terminate the affected Services in accordance with the termination provisions of the Terms without liability to either party (but without prejudice to any fees incurred by you prior to termination). If you do not object to the use of the new Subprocessor and terminate as set forth above, the Subprocessor is deemed to be accepted by you.

7  Data Transfers

7.1 - You acknowledge and agree that Syandus may access and process Personal Data globally to provide the Services as outlined in the Terms. Specifically, Personal Data may be transferred to and processed in the United States and other countries where Subprocessors have operations. Each party will ensure that any transfer of Personal Data outside its country of origin complies with Data Protection Laws.

7.2 - EU Standard Contractual Clauses (2021 SCCs) Compliance. To the extent legally required, the 2021 SCCs for Module 2 (transfer from Controller to Processor), are incorporated into this DPA and take precedence over any conflicting terms, except as specified in Section 7.4 (Swiss Federal Act on Data Protection). The 2021 SCCs, will be completed as follows:

    1. Clause 7 (optional docking clause). This is included.
    2. Clause 9 (Use of Subprocessors). The Parties select Option 2 (General Written Authorization) and changes to Subprocessors will be notified in accordance with the ‘Subprocessors’ section of this DPA.
    3. Clause 11 (Redress). The optional requirement that data subjects be permitted to lodge a complaint with an independent dispute resolution body does not apply.
    4. Clause 17 (Governing law) and Clause 18 (Choice of Forum and Jurisdiction). The Parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The Parties also agree that the law of Ireland and the courts of Ireland provide a neutral and fair forum for resolving disputes, ensuring compliance with EU data protection standards. However, if the Parties mutually agree to specify a different governing law and forum in an Addendum to the Terms, such specification will take precedence over the default choice of Ireland, provided it complies with applicable Data Protection Laws and does not undermine the rights and obligations under this DPA.
    5. Annex 1 List of Parties (A) and Description of Transfer (B) is provided in Annex 1 of this DPA.
    6. Annex 1 Competent Supervisory Authority (C). The Parties shall follow the rules for identifying the competent supervisory authority under Clause 13 of the Standard Contractual Clauses, in accordance with GDPR.
    7. Annex 2. Technical and organizational measures are set forth in Annex 2 of this DPA.
    8. By agreeing to the Terms, which includes this DPA, the Parties are deemed to be signing Annex I(A) of the 2021 SCCs.

7.3 - UK SCC Addendum. To the extent legally required under UK Data Protection Law, the UK SCC Addendum forms part of this DPA and takes precedence over the rest of this DPA as specified in the UK SCC Addendum. Undefined capitalized terms used in this Section 7.3 shall have the definitions set forth in the UK SCC Addendum. For purposes of the UK SCC Addendum:

    1. Table 1 of the UK SCC Addendum: The start date is the Effective Date in the Terms. The Parties are defined in Annex 1(A) of this DPA.
    2. Table 2 of the UK SCC Addendum: the Approved Standard Contractual Clauses are the Standard Contractual Clauses as set forth in Section 7.2 (EU Standard Contractual Clauses (2021 SCCs) Compliance) of this DPA.
    3. Table 3 of the UK SCC Addendum: Annex 1A and 1B are set forth in Annex 1 of this DPA. Annex II is set forth in Annex 2 of this DPA (Technical and Organizational Security Measures). Annex III is not applicable; however, the list of Subprocessors relative to Clause 9, Option 2 (General Written Authorization) is provided in Annex 3 of this DPA (Subprocessors).
    4. Table 4 of the UK SCC Addendum: neither Party has the termination right set forth in Section 19 of the UK SCC Addendum.
    5. By agreeing to the Terms, which includes this DPA, the Parties are deemed to be signing the UK SCC Addendum.

7.4 - Swiss Federal Act on Data Protection. For transfers of Personal Data subject to the Swiss Federal Act on Data Protection (“FADP”), the 2021 SCCs form part of this DPA as outlined in Section 7.2 (EU Standard Contractual Clauses (2021 SCCs) Compliance), with the following modifications to ensure compliance with the FADP:

    1. References to the GDPR in the 2021 SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR.
    2. The term “member state” in the 2021 SCCs includes Switzerland, allowing Swiss data subjects to sue for their rights in Switzerland, as per Clause 18 of the 2021 SCCs.
    3. References to Personal Data in the 2021 SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope.
    4. Under Annex I(C) of the 2021 SCCs (Competent Supervisory Authority): If the transfer is subject exclusively to the FADP and not the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner. If the transfer is subject to both the FADP and the GDPR: (a) the supervisory authority for matters governed by the FADP is the Swiss Federal Data Protection and Information Commissioner; and (b) the supervisory authority for matters governed by the GDPR is as specified in Section 7.2 (EU Standard Contractual Clauses (2021 SCCs) Compliance) of this DPA.

8  Demonstration of Compliance

8.1 - Syandus will make all information reasonably necessary to demonstrate compliance with this DPA available to you (on a confidential basis) and allow for and contribute to audits (“Audits”) as set forth below, including inspections conducted by you or your auditor in order to assess compliance with this DPA, where required by applicable law.

8.2 - You acknowledge and agree you will not exercise this right more than once per calendar year unless you have reasonable grounds to suspect non-compliance with the DPA and that you will exercise your Audit rights under this DPA by instructing us to comply with the Audit measures described in this 'Demonstration of Compliance' section.

8.3 - You acknowledge that the Services are hosted by our hosting Subprocessors who maintain independently validated security programs (including SOC 2 and ISO 27001).

8.4 - Any Audit requested by a Customer: (i) requires sixty (60) days' advance notice in writing; (ii) is conducted during Syandus' normal business hours with minimal business disruption; and (iii) to the extent legally permissible, and to the extent that the Audit disrupts Syandus' normal course of business, Customer will reimburse Syandus for any time expended for Audit-related assistance at the rates mutually agreed upon by the Parties.

9  Restrictions on Use and Disclosure of Personal Data

9.1 - Prohibition of the Sale and Sharing of Personal Data. Syandus will not retain, use, or disclose Personal Data outside of the direct business relationship between Customer and us. We will only keep, use, or share Personal Data as needed for our direct business relationship with the Customer.

9.2 - Legal Obligations to Disclose Personal Data. In the case of a legal obligation to provide Personal Data to a third party, to the extent legally permitted: (a) Syandus will promptly give the Customer a reasonable opportunity to contest the legal requirement or seek protection for the disclosure; and (b) after consulting with the Customer, Syandus will disclose only the minimum amount of Personal Data necessary to comply with the legal requirement.

9.3 - Compliance with CPRA Restrictions. Syandus will comply with any applicable CPRA restrictions on combining Personal Data in Customer Data with Personal Data received from other sources or collected from interactions with Data Subjects.

10 General

10.1 - Assignment. Neither Party may assign or transfer any of its rights or obligations under this DPA without the prior written consent of the other Party, except as permitted under the “Assignment” section of the Terms. No permitted assignment or delegation will relieve the contracting Party or assignees of their obligations under this DPA. This DPA will bind and inure to the benefit of the Parties and their respective permitted successors and assigns.

10.2 - Liability. To the extent legally permitted, this DPA is subject to the limitations of liability within the “Warranties and Limits on Liability” Section of the Terms.

10.3 - Miscellaneous. This DPA represents the complete understanding between the Parties regarding the subject matter of this DPA, combining all prior communications, understandings, and agreements. Any changes to this DPA must be made through a written agreement signed by both Parties. The failure of either party to enforce any provision at any time does not constitute a waiver of that provision or any other provision, nor of the right to enforce any provision in the future. If any provision of this DPA is found to be invalid or unenforceable, it will be modified to the extent necessary to make it valid and enforceable. The invalidity or unenforceability of any provision does not affect the validity or enforceability of any other provision, and the DPA will continue in full force and effect as if the invalid or unenforceable provision had been modified or excluded as necessary.

Annex 1: Details of Processing

A. List of Parties

Data exporter:

Name: Customer, as defined in the Terms

Address: Customer's address, as set out in the Order Form

Contact person’s name, position and contact details: Customer's contact details, as set out in the Order Form and/or as set out in the Customer’s Account as defined in the Terms.

Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with Customer's use of the Services under the Terms.

Role (controller/processor): Controller (either as the Controller; or acting in the capacity of a Controller, as a Processor, on behalf of another Controller)

Data importer:

Name: Syandus, Inc.

Address: 600 Eagleview Blvd, Ste 300, Exton, PA, 19341, USA

Contact person’s name, position and contact details: InfoSec Officer, Syandus, Inc., support[at]syandus[.]com (subject: InfoSec Officer), or mail to Syandus, Inc. c/o InfoSec Officer

Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with Customer's use of the Services under the Terms.

Role (controller/processor): Processor

B. Description of Transfer

Categories of Data Subjects whose Personal Data is Transferred. You may submit Personal Data while using the Services, the extent of which is determined and controlled by you in your sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of Data Subjects: (a) Authorized Users of AliveSim Studio, and (b) End Users of the AliveSim platform.

Categories of Personal Data Transferred. You may submit Personal Data to the Services, the extent of which is determined and controlled by you in your sole discretion, and which may include but is not limited to the following categories of Personal Data: (a) contact details such as name, email, title, or address, and (b) any other Personal Data submitted by, sent to, or received by you, or your Users, via the Services. You agree that Sensitive Data, as defined by GDPR, shall not be transferred to us, as stipulated in the Terms, unless agreed in writing through an Addendum to the Terms.

Frequency of the transfer. Continuous

Nature of the Processing. Personal Data will be Processed in accordance with the Terms, including this DPA, and may be subject to the following Processing activities: (a) storage and other Processing necessary to provide, maintain and improve the Services provided to you; and/or (b) disclosure in accordance with these Terms, including this DPA, and/or as compelled by applicable laws.

Purpose of the transfer and further Processing. We will Process Personal Data as necessary to provide the Services pursuant to the Terms, as further specified in the Order Form, and as further instructed by you in writing, if any.

Period for which Personal Data will be retained. Subject to Section 3.5 (Deletion or Return of Personal Data) of this DPA, we will Process Personal Data for the duration of the Terms, unless otherwise agreed in writing.

Annex 2: Technical and Organizational Security Measures

Syandus (the data importer) implements the following technical and organizational security measures.

Platform Infrastructure. The AliveSim platform is a cloud-based multi-tenant infrastructure utilizing Amazon Web Services (AWS) to provide hosting and infrastructure services. The AWS data centers utilized are housed in nondescript facilities in the United States, with strictly controlled physical access.

Encryption of Data at Rest. Data is encrypted at rest via AES-256 (FIPS 140-2). Keys are managed by Syandus’ hosting environment provider, AWS.

Encryption of Data in Transit. Data in transit is encrypted via SSL and TLS 1.2.

Access controls: Our network access control mechanisms are designed to prevent unauthorized network traffic from reaching the Services infrastructure. These controls are regularly reviewed and will be audited as part of our ongoing efforts to achieve SOC2 compliance, ensuring they meet stringent security standards. The technical measures implemented include:

  • Two-Factor Authentication (2FA) and restricted access by essential personnel to our network, ensuring that only authorized individuals can access sensitive systems and data.
  • Virtual Private Cloud (VPC) Infrastructure to create isolated network environments, ensuring that our Services are protected from unauthorized access and external threats.
  • Security Groups acting as virtual firewalls, controlling inbound and outbound traffic to our instances.
  • Processing data in secure, isolated micro virtual machines that do not persistently store data.

Monitoring and Vulnerability Assessment. To ensure ongoing confidentiality, integrity, availability and resilience of processing systems and Services we implement:

  • AWS Threat Detection Services that monitor for malicious activity and anomalous behavior to protect our AWS account, workloads, and data.
  • Event Logging such as AWS CloudWatch and AWS CloudTrail where the review cycle and storage duration vary with log type.
  • Patch Management that includes automated security vulnerability monitoring for the open-source software deployed.
  • Security Assessments: We are committed to conducting regular security assessments, including vulnerability scanning and penetration testing, to ensure system integrity and safety.
  • Annual Evaluations: Yearly evaluations to improve these processes.

Continuous Improvement. We are committed to continuous improvement of our security practices.

  • Risk Assessments are conducted to identify and mitigate potential threats to personal data based on identified threats, or at least on an annual basis.
  • Incident Response Plan. The detailed incident response plan includes procedures for detecting, reporting, and responding to data breaches. The plan is evaluated annually for effectiveness.
  • Compliance Certifications. We are deploying Sprinto, an InfoSec platform to provide continuous compliance and security monitoring as we work toward a SOC2 Type 2 compliance audit.

Backup. Services data is backed up in a separate AWS region outside of the Services environment, and operational data is routinely backed up external to operational services with daily monitoring.

Recovery. Disaster policies and procedures are in place, with an annual plan review. With respect to disaster recovery:

  • RTO. Our target Recovery Time Objective (RTO) is 48 hours from the occurrence of a disruption. This means we aim to recover the platform and Services within 48 hours.
  • RPO. The target Recovery Point Objective (RPO), which is the maximum period that may lie between two data backups, is 24 hours. This means we aim to ensure that no more than 24 hours of data is lost in the event of a disruption.

User Identification and Authorization. Customer's Users must authenticate their identity to access confidential Customer Data via either AliveSim authentication (password-less OTA, JWT), Customer single sign-on, or a Customer LMS-SCORM API. Customer's Users can only access the Services through authorized role-based permissions controlled by the Customer through their Account interfaces.

Data Separation. AliveSim servers and Customer facing Services are logically and physically secured from our internal corporate information systems.

Data Minimization. We do not ask for more Personal Data than is needed to provide our Services.

Least Privilege Access. Access control policies and procedures are based on the principle of least privilege and the need to know, to limit the access to personal data to authorized personnel only. Access privileges are evaluated on at least an annual basis.

Staff Controls. Syandus employees, contractors, and consultants sign agreements to adhere to confidentiality and company policies. Staff are trained upon hire and annually on their GDPR obligations and responsibilities, covering data protection, data privacy, cybersecurity, incident detection and response, endpoint protection, and access control. Training includes team review meetings for feedback, and policies are evaluated and updated annually as needed.

Additional Operational Controls. Microsoft 365 is used with additional protection for email attachments and links. Syandus staff are required to adhere to the following:

  • Endpoint Protection: Antivirus and malware protection installed on all work computers.
  • Two-Factor Authentication: Required to access all sensitive systems.
  • Password Management: Use of an approved password manager to generate strong passwords and prevent reuse.

Annex 3: List of Approved Subprocessors

Syandus engages Subprocessors to assist us with our data processing activities in delivering the Services. A list of our Subprocessors and our purpose for engaging them is located on a Subprocessors webpage (available here) which is incorporated into this DPA.

Annex 4: Transfer Impact Assessment (TIA)

  1. Introduction. This Transfer Impact Assessment (TIA) evaluates the adequacy of data protection measures for transfers from the EU/UK to the US, ensuring compliance with GDPR.
  2. Data Transfer Overview
    • Nature of Data: No Sensitive Personal Data, as defined by GDPR.
    • Data Subjects: The Users of the Services as specified by the Customer.
  3. Legal Framework. The recent developments in data transfer agreements between the US and the EU/UK have established a framework of equivalency, ensuring that Personal Data transferred from the EU/UK to the US is adequately protected. Here’s a summary:
    • EU-US Data Privacy Framework: The European Commission adopted an adequacy decision for the EU-US Data Privacy Framework (DPF) in July 2023. This framework addresses concerns about US government access to EU data and provides EU individuals with a new independent Data Protection Review Court for redress.
    • UK-US Data Bridge: Similarly, the UK has agreed to a data bridge with the US, extending the principles of the EU-US DPF. This allows UK businesses to transfer personal data to US organizations certified under this framework without needing additional safeguards.
    • Standard Contractual Clauses (SCCs): As we have not yet initiated the process of obtaining certification under the DPF, we currently rely on SCCs to ensure compliance with GDPR. SCCs provide a legal mechanism for transferring personal data from the EU/UK to the US, ensuring that data protection standards are maintained.
  4. Risk Assessment. The primary risk involves potential access to data by US government authorities; three mitigation measures are set out below.
    • Legal Protections: While we are working towards certification under the EU-US DPF, we currently rely on SCCs to provide legal protections equivalent to GDPR standards. The DPF and the UK-US Data Bridge, once fully implemented, will further enhance these protections.
    • Technical Measures: Robust encryption and strict access controls are in place (details in the main DPA).
    • Organizational Measures: Regular compliance checks ensure ongoing adherence to data protection standards.
  5. Conclusion. Based on our assessment, we believe that the risks associated with transferring personal data to the US are low and effectively mitigated through the use of SCCs, the existence of the EU-US Data Privacy Framework, and the UK-US Data Bridge, as well as our robust technical and organizational measures. Additionally, since we do not process sensitive data or engage in large-scale processing, the overall risk is further reduced. We have conducted this assessment to ensure compliance and transparency, and we encourage our customers to review this TIA as part of their own due diligence process.