Exhibit A

Data Privacy Addendum

This Data Privacy Addendum (the "DPA") sets out the additional terms, requirements, and conditions on which the Provider will handle Personal Information and is incorporated into and forms part of the SaaS Agreement (Master Terms and Conditions and applicable Order Form) (the "Agreement") entered into by ClickGo, Inc. (the "Provider") and the Customer (as defined therein).

1. Definitions

  1.1 "CCPA" means the California Consumer Privacy Act, as amended.
  1.2 "Data Protection Laws" means all applicable worldwide privacy and data protection laws and regulations, including, where applicable, the California Consumer Privacy Act, as amended (CCPA), the EU General Data Protection Regulation 2016/679 (GDPR), and the UK General Data Protection Regulation (UK GDPR).
  1.3 "Data Subject" means the identified or identifiable natural person to whom Personal Information relates.
  1.4 "GDPR" means the EU General Data Protection Regulation 2016/679.
  1.5 "Personal Information" means any information the Provider processes for the Customer that identifies or relates to an identified or identifiable natural person.
  1.6 "Security Breach" means any unauthorized access, disclosure, or loss of Personal Information.
  1.7 "UK GDPR" means the UK General Data Protection Regulation.

2. Processing Instructions & US Privacy Compliance

The Provider will only process the Personal Information to the extent necessary to provide the services under the Agreement and in accordance with the Customer's written instructions. To the extent the CCPA applies, the Provider acts as a "Service Provider" and explicitly agrees that it will not:

  1. sell or share the Personal Information for cross-context behavioral advertising;
  2. retain, use, or disclose the Personal Information for any purpose other than providing the contracted services; or
  3. retain, use, or disclose the Personal Information outside of the direct business relationship between the parties.

3. European Data & International Transfers

To the extent the Provider processes Personal Information originating from the European Economic Area (EEA), the United Kingdom, or Switzerland that is protected by the GDPR or UK GDPR, the parties agree that such transfers are subject to the Standard Contractual Clauses (as adopted by the European Commission Decision (EU) 2021/914) ("SCCs"). The SCCs are hereby incorporated by reference into this DPA as follows: Module Two (Controller to Processor) applies where Customer is a Controller, and Module Three (Processor to Processor) applies where Customer is a Processor. For the purposes of the SCCs, the Customer is the data exporter, the Provider is the data importer, and the governing law shall be the Republic of Ireland.

4. Confidentiality & Security

The Provider will ensure that all employees authorized to process Personal Information are bound by confidentiality obligations. The Provider will implement and maintain appropriate technical and organizational measures designed to safeguard Personal Information against unauthorized or unlawful processing, access, loss, or damage.

5. Data Subject Rights & Security Breaches

The Provider will reasonably assist the Customer in responding to any request from a Data Subject exercising their rights under Data Protection Laws. If the Provider becomes aware of any unauthorized access, disclosure, or loss of Personal Information (a "Security Breach"), the Provider will notify the Customer without undue delay and reasonably cooperate to investigate and mitigate the breach.

6. Subcontractors

The Customer grants the Provider general authorization to engage third-party subcontractors to process Personal Information. The Provider will enter into a written contract with any subcontractor containing privacy terms substantially similar to this DPA. The Provider remains responsible for the subcontractor's performance, subject to the limitations and exclusions of liability set forth in the Agreement.

7. Audits & Compliance

Upon reasonable notice, the Provider will permit the Customer to verify the Provider's compliance with this DPA, which may be satisfied by the Provider making recent, relevant third-party security audit reports (e.g., SOC 2) available for review.

8. Return or Destruction of Data

On termination or expiration of the Agreement, the Provider will, upon the Customer's written direction, securely destroy or return (at the Provider's election) all Personal Information in its possession, unless legally required to retain it.

9. Limitation of Liability

Any claims or disputes arising under or in connection with this DPA are subject to the disclaimers, exclusions, and limitations of liability set forth in the underlying Agreement.