SUB-PROCESSORS AND THIRD COUNTRY TRANSFERS. 4.1. Subject to clause 4.2, Data Processor may engage additional or replacement sub-processors to process the personal data on behalf of Data Processor without obtaining any further written, specific authorisation from Data Controller. Prior to Data Processor engaging any new sub-processor to carry out processing activities of the personal data on behalf of Data Controller, Data Processor will notify Data Controller of such change ("Initial Notice"). If Data Controller initially objects to an additional or replacement sub-processor:
a) Data Processor shall provide Data Controller with any additional information reasonably requested by Data Controller to enable Data Controller to assess whether the use of the proposed sub-processor will ensure Data Controller's compliance with this Data Processing Agreement and the data protection laws; and
b) subsequently, if Data Controller (acting reasonably) can demonstrate to Data Processor that such compliance will not be maintained through the proposed sub-processor, Data Controller shall be entitled to terminate the Agreement on 28 days' written notice provided such notice is given within 14 days of the Initial Notice. For clarity, this shall represent Data Controller's sole and exclusive remedy in connection with the change to Data Processor's sub-processing arrangements and Data Processor shall not be entitled to any other refund in respect of other amounts paid pursuant to the Agreement.
4.2. Where Data Processor authorises any sub-processor as described in clause 4.1, Data Processor shall:
a) restrict the sub-processor's access to Data Controller's personal data only to what is necessary to maintain the Services or to provide the Services to Data Controller in accordance with Appendix 1A and Data Processor will prohibit the sub-processor from accessing the personal data for any other purpose;
b) enter into a written contract with the sub-processor that requires it to comply with the same data processing obligations to those contained in this Data Processing Agreement, and, upon Data Controller's written request, provide Data Controller with copies of such contracts; and
c) be accountable to Data Controller for the acts or omissions of any sub-processor as if such acts or omissions were acts or omissions of Data Processor.
4.3. Appendix 1B contains a list of pre-approved sub-processors as of the date of entry into force of the Data Processing Agreement. All Affiliates of Data Processor shall be deemed to be included in that list of pre-approved sub-processors and, as a result, Data Controller hereby authorises the Data Processor to engage such Affiliates of Data Processor to carry out any such sub-processing activities as Data Processor considers reasonably necessary in order to provide the Service and Solutions to Data Controller provided that Data Processor ensures that any transfers of personal data to such Affiliates of Data Processor are made in accordance with all applicable data protection laws.
4.4. Data Controller recognises and accepts that Data Processor, in accordance with what is stated in Appendix 1B, is engaging Amazon Web Services (“Amazon”) as an Approved Sub-Processor, and that Data Processor has entered into a data processing agreement with Amazon based on Amazon’s standards for data processing agreements. Provided that and to the extent it does not cause Data Controller or Data Processor to be in breach of any applicable data protection laws, Data Processor shall not be obligated to enforce on Amazon other obligations regarding the processing of personal data other than what is contained in the Amazon standard data processing agreement that has been entered into between Amazon and Data Processor.
4.5. Data Processor (or any relevant sub-processor) shall not transfer any personal data outside of the EEA/UK without Data Controller's prior written approval. If any personal data is transferred outside of the EEA/UK the Data Processor shall ensure that:
a) the personal data is processed in a territory which the European Commission has found to have adequate protection for the privacy rights of individuals (pursuant to data protection laws); or
b) there is a valid cross-border transfer mechanism in place in accordance with applicable data protection laws. Such transfer mechanism can consist of, e.g., the standard contractual clauses for the transfer of personal data to third countries pursuant to GDPR, which grant a legal basis for data controllers and/or data processors within the EEA to transfer personal data to data controllers or data processors outside of the EEA.
Sources: Data Processing Agreement
SUB-PROCESSORS AND THIRD COUNTRY TRANSFERS. 4.1. Subject to clause 4.2, Data Processor may engage additional or replacement sub-processors to process the personal data on behalf of Data Processor without obtaining any further written, specific authorisation from Data Controller. Prior to Data Processor engaging any new sub-processor to carry out processing activities of the personal data on behalf of Data Controller, Data Processor will notify Data Controller of such change ("Initial Notice"). If Data Controller initially objects to an additional or replacement sub-processor:
a) Data Processor shall provide Data Controller with any additional information reasonably requested by Data Controller to enable Data Controller to assess whether the use of the proposed sub-processor will ensure Data Controller's compliance with this Data Processing Agreement and the data protection laws; and
b) subsequently, if Data Controller (acting reasonably) can demonstrate to Data Processor that such compliance will not be maintained through the proposed sub-processor, Data Controller shall be entitled to terminate the Agreement on 28 days' written notice provided such notice is given within 14 days of the Initial Notice. For clarity, this shall represent Data Controller's sole and exclusive remedy in connection with the change to Data Processor's sub-processing arrangements and Data Processor shall not be entitled to any other refund in respect of other amounts paid pursuant to the Agreement.
4.2. Where Data Processor authorises any sub-processor as described in clause 4.1, Data Processor shall:
a) restrict the sub-processor's access to Data Controller's personal data only to what is necessary to maintain the Services or to provide the Services to Data Controller in accordance with Appendix 1A and Data Processor will prohibit the sub-processor from accessing the personal data for any other purpose;
b) enter into a written contract with the sub-processor that requires it to comply with the same data processing obligations to those contained in this Data Processing Agreement, and, upon Data Controller's written request, provide Data Controller with copies of such contracts; and
c) be accountable to Data Controller for the acts or omissions of any sub-processor as if such acts or omissions were acts or omissions of Data Processor.
4.3. Appendix 1B contains a list of pre-approved sub-processors as of the date of entry into force of the Data Processing Agreement. All Affiliates of Data Processor shall be deemed to be included in that list of pre-approved sub-processors and, as a result, Data Controller hereby authorises the Data Processor to engage such Affiliates of Data Processor to carry out any such sub-processing activities as Data Processor considers reasonably necessary in order to provide the Service and Solutions to Data Controller provided that Data Processor ensures that any transfers of personal data to such Affiliates of Data Processor are made in accordance with all applicable data protection laws.
4.4. Data Controller recognises and accepts that Data Processor, in accordance with what is stated in Appendix 1B, is engaging Amazon Web Services (“Amazon”) as an Approved Sub-Processor, and that Data Processor has entered into a data processing agreement with Amazon based on Amazon’s standards for data processing agreements. Provided that and to the extent it does not cause Data Controller or Data Processor to be in breach of any applicable data protection laws, Data Processor shall not be obligated to enforce on Amazon other obligations regarding the processing of personal data other than what is contained in the Amazon standard data processing agreement that has been entered into between Amazon and Data Processor.
4.5. Data Processor (or any relevant sub-processor) shall not transfer any personal data outside of the EEA without Data Controller's prior written approval. If any personal data is transferred outside of the EEA the Data Processor shall ensure that:
a) the personal data is processed in a territory which the European Commission has found to have adequate protection for the privacy rights of individuals (pursuant to data protection laws); or
b) there is a valid cross-border transfer mechanism in place in accordance with applicable data protection laws. Such transfer mechanism can consist of, e.g., the standard contractual clauses for the transfer of personal data to third countries pursuant to GDPR, which grant a legal basis for data controllers and/or data processors within the EEA to transfer personal data to data controllers or data processors outside of the EEA.
Sources: Data Processing Agreement
SUB-PROCESSORS AND THIRD COUNTRY TRANSFERS. 4.1. Subject to clause 4.2, Data Processor may engage additional or replacement sub-processors to process the Personal Data on behalf of Data Controller without obtaining any further written, specific authorisation from Data Controller.
4.2. Prior to Data Processor will inform Data Controller in an appropriate manner (typically via publication in a release note) at least 30 days prior to engaging any new sub-processor to carry out processing activities of the personal data on behalf of Data Controller, Data Processor will notify Data Controller of such change under this DPA (an "Initial Notice"). If , and shall on Data Controller initially objects to an additional or replacement sub-processor:
a) Data Processor shall Processor’s request provide Data Controller with any additional information reasonably requested by Data Controller to enable Data Controller to assess whether the use of the proposed sub-processor will ensure Data Controller's compliance with this Data Processing Agreement and the data protection laws; and
b) subsequently, if processor. Data Controller may object to such engagement to the extent it (acting reasonably) can demonstrate to Data Processor that such compliance with this DPA and the data protection laws will not be maintained through the proposed sub-processor. In such an event, and where the parties cannot find a mutually acceptable solution, Data Controller shall as sole consequence be entitled to suspend or terminate the Agreement with immediate effect on 28 days' written notice and without liability provided such notice is given within 14 30 days of the Initial Notice. For clarity, this shall represent If Data Controller's sole and exclusive remedy in connection with Controller has not objected to the change to Data Processor's new sub-processing arrangements and Data Processor processor within 30 days from the Initial Notice, the new sub-processor shall not be entitled to any other refund in respect of other amounts paid pursuant to the Agreementconsidered approved.
4.3. Where Data Processor authorises any sub-processor as described in clauses 4.1 and 4.2, Data Processor shall:
a) restrict the sub-processor's access to Data Controller's Personal Data only to what is necessary to maintain the Services or to provide the Services to Data Controller in accordance with Appendix 1A and Data Processor will prohibit the sub-processor from accessing the Personal Data for any other purpose;
b) enter into a written contract with the sub-processor that requires it to comply with data processing obligations that are equivalent to those contained in this DPA, and, upon Data Controller's written request, provide Data Controller with copies of the material provisions of such contracts; and
c) be accountable to Data Controller for the acts or omissions of any sub-processor as if such acts or omissions were acts or omissions of Data Processor.
4.4. Appendix 1B contains a list of pre-approved sub-processors as of the date of entry into force of the DPA. All Affiliates of Data Processor from time to time shall be deemed to be included in that list of pre-approved sub-processors and, as a result, Data Controller hereby authorises the Data Processor to engage such Affiliates of Data Processor to carry out any such sub-processing activities as Data Processor considers reasonably necessary in order to provide the Service and Solutions to Data Controller provided that Data Processor ensures that any transfers of Personal Data to such Affiliates of Data Processor are made in accordance with all applicable data protection laws. The parties agree that Appendix 1B may be updated by Data Processor from time to time, in accordance with clauses 4.1 and 4.2.
4.5. Notwithstanding clause 4.3 b) and clause 7.1, Data Controller recognises and accepts that Data Processor, in accordance with what is stated in Appendix 1B, is engaging Amazon Web Services (“Amazon”) as an Approved Sub-Processor, and that Data Processor has entered into a data processing agreement with Amazon based on Amazon’s standards for data processing agreements. Provided that and to the extent it does not cause Data Controller or Data Processor to be in breach of any applicable data protection laws, Data Processor shall not be obligated to enforce on Amazon other obligations regarding the processing of Personal Data other than what is contained in the Amazon standard data processing agreement and terms of service that has been entered into between Amazon and Data Processor.
4.54.6. Data Processor (or any relevant sub-processor) shall not transfer any personal data Personal Data outside of the EEA/EEA or UK without Data Controller's prior written approval. If any personal data is transferred outside of the EEA/UK the Data Processor shall ensure thatunless:
a) the Personal Data is processed in a territory which the European Commission or the UK's Information Commissioner's Office (as appropriate), has determined as having adequate protection for the data protection and privacy rights of individuals; or
b) there is a valid cross-border transfer mechanism in place provided by applicable data protection laws. Such transfer mechanism can consist of, e.g., the standard contractual clauses, binding corporate rules or approved codes of conduct or certification methods for the transfer of Personal Data to third countries pursuant to GDPR, which grant a legal basis for data controllers and/or data processors within the EEA to transfer personal data to data controllers or data processors outside of the EEA.
Sources: Data Processing Agreement
SUB-PROCESSORS AND THIRD COUNTRY TRANSFERS. 4.1 Subject to clause 4.2, the Data Processor may engage additional or replacement sub-processors to process the personal data on behalf of the Data Processor without obtaining any further written, specific authorisation from the Data Controller. Prior to Data Processor engaging any new sub-processor to carry out processing activities of the personal data on behalf of the Data Controller, the Data Processor will notify the Data Controller of such change ("Initial Notice"). If the Data Controller initially objects to an additional or replacement sub-processor:
a) the Data Processor shall provide the Data Controller with any additional information reasonably requested by the Data Controller to enable the Data Controller to assess whether the use of the proposed sub-processor will ensure the Data Controller's compliance with this Data Processor Agreement and the data protection laws; and;
b) subsequently, if the Data Controller (acting reasonably) can demonstrate to Data Processor that such compliance will not be maintained through the proposed sub-processor, the Data Controller shall be entitled to terminate the Agreement on 28 days' written notice provided such notice is given within 14 days of the Initial Notice. For clarity, this shall represent Data Controller's sole and exclusive remedy in connection with the change to Data Processor's sub-processing arrangements and Data Processor shall not be entitled to any other refund in respect of other amounts paid pursuant to the Agreement.
4.2 Where Data Processor authorises any sub-processor as described in clause 4.1, the Data Processor shall:
a) restrict the sub-processor's access to Data Controller's data (including any personal data) only to what is necessary to maintain the Services or to provide the Services to Data Controller in accordance with Appendix 1A and Data Processor will prohibit the sub-processor from accessing the data (including any personal data) for any other purpose;
b) enter into a written contract with the sub-processor that requires it to comply with the same data processing obligations to those contained in this Data Processor Agreement, and, upon the Data Controller's written request, provide the Data Controller with copies of such contracts; and
c) be accountable to the Data Controller for the acts or omissions of any sub-processor as if such acts or omissions were acts or omissions of the Data Processor.
4.3. Appendix 1B contains a list of pre-approved sub-processors as of the date of entry into force of the Data Processing Agreement. All Affiliates of Data Processor shall be deemed to be included in that list of pre-approved sub-processors and, as a result, Data Controller hereby authorises the Data Processor to engage such Affiliates of Data Processor to carry out any such sub-processing activities as Data Processor considers reasonably necessary in order to provide the Service and Solutions to Data Controller provided that Data Processor ensures that any transfers of personal data to such Affiliates of Data Processor are made in accordance with all applicable data protection laws.
4.4. Data Controller recognises and accepts that Data Processor, in accordance with what is stated in Appendix 1B, is engaging Amazon Web Services (“Amazon”) as an Approved Sub-Processor, and that Data Processor has entered into a data processing agreement with Amazon based on Amazon’s standards for data processing agreements. Provided that and to the extent it does not cause Data Controller or Data Processor to be in breach of any applicable data protection laws, Data Processor shall not be obligated to enforce on Amazon other obligations regarding the processing of personal data other than what is contained in the Amazon standard data processing agreement that has been entered into between Amazon and Data Processor.
4.5. Data Processor (or any relevant sub-processor) shall not transfer any personal data outside of the EEA/UK without Data Controller's prior written approval. If any personal data is transferred outside of the EEA/UK the Data Processor shall ensure that:
a) the personal data is processed in a territory which the European Commission has found to have adequate protection for the privacy rights of individuals (pursuant to data protection laws); or
b) there is a valid cross-border transfer mechanism in place in accordance with applicable data protection laws. Such transfer mechanism can consist of, e.g., the standard contractual clauses for the transfer of personal data to third countries pursuant to GDPR, which grant a legal basis for data controllers and/or data processors within the EEA to transfer personal data to data controllers or data processors outside of the EEA.
Sources: Data Processor Agreement