Common use of Sub-processors Clause in Contracts

Sub-processors. The Controller acknowledges and agrees that: (a) Subsidiaries of the Processor may be used as Sub-Processors; and (b) the Processor and its Subsidiaries respectively may engage Sub-Processors in connection with the provision of the Services. All Sub-Processors who process Personal Data in the provision of the Services to the Controller shall comply with the obligations of the Processor similar to those set out in this Data Processing Agreement. Where Sub-Processors are located outside of the EEA, the Processor confirms that such Sub-Processors: (a) are located in a third country or territory recognized by the EU Commission to have an adequate level of protection; or (b) have entered into Standard Contractual Clauses with the Processor; or (c) have other legally recognized appropriate safeguards in place, such as the EU-US Privacy Shield or Binding Corporate Rules. The Processor shall make available to the Controller the current list of Sub- Processors (at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇▇▇.▇▇▇/legal/policies/subprocessors/) which shall include the identities of Sub-Processors, what they’re used for, and their location. During the term of this DPA, the Processor shall provide the Controller with at least 14 days prior notification, via email (or in-application notice), of any changes to the list of Sub-Processor(s) who may process Personal Data before authorizing any new or replacement Sub-Processor(s) to process Personal Data in connection with the provision of the Services. If the Controller objects to a new or replacement Sub-Processor the Controller may terminate the Customer Terms with respect to those Services which cannot be provided by the Processor without the use of the new or replacement Sub- Processor. The Processor will refund the Controller any prepaid fees covering the remainder of the Term of the Customer Terms following the effective date of termination with respect to such terminated Services.

Sub-processors. 6.1 The Controller acknowledges and agrees that: : (ai) Subsidiaries Affiliates of the Processor may be used as Sub-Processorsprocessors; and and (bii) the Processor and its Subsidiaries Affiliates respectively may engage Sub-Processors Sub- processors in connection with the provision of the Services. . 6.2 All Sub-Processors processors who process Personal Data in the provision of the Services to the Controller shall comply with the obligations of the Processor similar to those set out in this Data Processing Agreement. Where DPA. 6.3 The Controller authorises the Processor to use the Sub-Processors are located outside already engaged by the Processor as at the date of the EEA, Agreement and the Processor confirms that such Sub-Processors: (a) are located in a third country or territory recognized by the EU Commission to have an adequate level of protection; or (b) have entered into Standard Contractual Clauses with the Processor; or (c) have other legally recognized appropriate safeguards in place, such as the EU-US Privacy Shield or Binding Corporate Rules. The Processor shall make available to the Controller the current a list of Sub- Processors (at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇▇▇.▇▇▇/legal/policies/subprocessors/) Sub-processors authorised to process the Personal Data which shall include the identities of Sub-Processors, what they’re used for, processors and their country of location. During the term of this DPA, the Processor shall provide the Controller with at least 14 days prior notification, via email (or in-application notice)email, of any changes to the list of Sub-Processor(sprocessor(s) who may process Personal Data before authorizing authorising any new or replacement Sub-Processor(sprocessor(s) to process Personal Data Data. 6.4 The Controller may object to the use of a new or replacement Sub-processor, by notifying the Processor promptly in connection with the provision writing within ten (10) Business Days after receipt of the ServicesProcessor’s notice. If the Controller objects to a new or replacement Sub-Processor processor, the Controller may terminate the Customer Terms Agreement with respect to those Services which cannot be provided by the Processor without the use of the new or replacement Sub- ProcessorSub-processor. The Processor will refund the Controller any prepaid fees covering the remainder of the Term of the Customer Terms Agreement following the effective date of termination with respect to such terminated Services. 6.5 All Sub-Processors who process Personal Data shall comply with the obligations of the Processor set out in this DPA. The Processor shall prior to the relevant Sub-Processor carrying out any processing activities in respect of the Personal Data; (i) appoint each Sub- Processor under a written contract containing materially the same obligations to those of the Processor in this DPA enforceable by the Processor; and (ii) ensure each such Sub- Processor complies with all such obligations. 6.6 The Controller agrees that the Sub-Processors may transfer Personal Data for the purpose of providing the Services to the Controller in accordance with the Agreement to countries outside the European Economic Area (EEA). The Processor confirms that such Sub- Processors: (i) are located in a third country or territory recognised by the EU Commission to have an adequate level of protection; or (ii) have entered into Standard Contractual Clauses with the Processor; or (iii) have other legally recognised appropriate safeguards in place.

Sub-processors. The Controller acknowledges and agrees that: (ai) Subsidiaries of the Processor may be used as Sub-Processorsprocessors; and (bii) the Processor and its Subsidiaries respectively may engage Sub-Processors processors in connection with the provision of the Services. All Sub-Processors processors who process Personal Data in the provision of the Services to the Controller shall comply with the obligations of the Processor similar to those set out in this Data Processing AgreementDPA. Where Sub-Processors processors are located outside of the EEA, the Processor confirms that such Sub-ProcessorsSub- processors: (ai) are located in a third country or territory recognized by the EU Commission to have an adequate level of protection; or (bii) have entered into Standard Contractual Clauses with the Processor; or (ciii) have other legally recognized appropriate safeguards in place, such as the EU-US Privacy Shield or Binding Corporate Rules. The Processor shall make available upon request to the Controller the current list of Sub- Processors (at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇▇▇.▇▇▇/legal/policies/subprocessors/) Sub-processors which shall include the identities of Sub-Processors, what they’re used for, processors and their country of location. During the term of this DPA, the Processor shall provide the Controller with at least 14 30 days prior notification, via email (or in-application notice), of any changes to the list of Sub-Processor(sprocessor(s) who may process Personal Data before authorizing any new or replacement Sub-Processor(sprocessor(s) to process Personal Data in connection with the provision of the Services. If the Controller objects to a new or replacement Sub-Processor processor the Controller may terminate the Customer Terms Agreement with respect to those Services which cannot be provided by the Processor without the use of the new or replacement Sub- ProcessorSub-processor. The Processor will refund the Controller any prepaid fees covering the remainder of the Term of the Customer Terms Agreement following the effective date of termination with respect to such terminated Services.

Sub-processors. The Controller acknowledges and agrees that: (a) Subsidiaries of that the Processor may be used as Sub-Processors; and (b) the Processor and its Subsidiaries respectively may engage Sub-Processors processors in connection with the provision of the Services. All Sub-Processors processors who process Personal Data in the provision of the Services to the Controller shall comply with the obligations of the Processor similar to those set out in this Data Processing AgreementDPA. Where Sub-Processors processors are located outside of the EEA, the Processor confirms that such Sub-Processors: processors: (ai) are located in a third country or territory recognized recognised by the EU Commission to have an adequate level of protection; or or (bii) have entered into Standard Contractual Clauses with the Processor; or or (ciii) have other legally recognized recognised appropriate safeguards in place, such as the EU-US Privacy Shield or Binding Corporate Rules. The Processor shall make available to the Controller the current list of Sub- Sub-Processors (at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇▇▇.▇▇▇/legal/policies/subprocessors/Info Cubic LLC) which shall include the identities of Sub-Processors, what they’re used for, processors and their country of location. During the term of this DPA, the Processor shall provide the Controller with at least 14 30 days prior notification, via email (or in-application notice), of any changes to the list of Sub-Processor(sSub- processor(s) who may process Personal Data before authorizing authorising any new or replacement Sub-Processor(sprocessor(s) to process Personal Data in connection with the provision of the Services. If the Controller objects to a new or replacement Sub-Processor processor the Controller may terminate the Customer Terms with respect to those Services which cannot be provided by the Processor without the use of the new or replacement Sub- ProcessorSub-processor. The Processor will refund the Controller any prepaid fees covering the remainder of the Term of the Customer Terms following the effective date of termination with respect to such terminated Services. The Processor may from time to time be requested by the Controller to request pre employment references, education certificates, professional subscriptions, credit checks in relation to their candidates from countries outside the EEA. In these circumstances, our Sub- Processor is Info Cubic LLC who have appropriate safeguards in places, EU-US Privacy Shield. However, where information is provided by a candidate to request references or certificates from specific contact details, the Processor will do so under the terms of the express consent provided by the candidate.

Sub-processors. The Controller acknowledges and agrees that: (a) a. Subsidiaries of the Processor may be used as Sub-Processors; and (b) b. the Processor and its Subsidiaries respectively may engage Sub-Processors in connection with the provision of the Services. All Sub-Processors who process Personal Data in the provision of the Services to the Controller shall comply with the obligations of the Processor similar to those set out in this Data Processing Agreement. Where Sub-Processors are located outside of the EEA, the Processor confirms confirms that such Sub-Processors: (a) a. are located in a third country or territory recognized recognised by the EU Commission to have an adequate level of protection; or (b) b. have entered into Standard Contractual Clauses with the Processor; or (c) c. have other legally recognized recognised appropriate safeguards in place, such as the EU-US Privacy Shield or Binding Corporate Rules. The Processor shall make available to the Controller the current list of Sub- Sub-Processors (at ▇▇▇▇▇://https:/ ▇▇▇▇▇▇▇▇▇▇▇.▇▇▇/legal/policies▇▇▇▇▇/subprocessors/▇▇▇▇-▇▇▇▇▇▇▇▇▇▇▇▇▇) which shall include the identities of Sub-Processors, what they’re used for, and their location. During the term of this DPA, the Processor shall provide the Controller with at least 14 days prior notificationnotification, via email (or in-application notice), of any changes to the list of Sub-Processor(s) who may process Personal Data before authorizing authorising any new or replacement Sub-Processor(s) to process Personal Data in connection with the provision of the Services. If the Controller objects to a new or replacement Sub-Processor the Controller may terminate the Customer Terms with respect to those Services which cannot be provided by the Processor without the use of the new or replacement Sub- Sub-Processor. The Processor will refund the Controller any prepaid fees covering the remainder of the Term of the Customer Terms following the effective date of termination with respect to such terminated Services.

Sub-processors. 6.1 The Controller acknowledges and agrees that: : (ai) Subsidiaries Affiliates of the Processor may be used as Sub-Processorsprocessors; and and (bii) the Processor and its Subsidiaries Affiliates respectively may engage Sub-Processors Sub- processors in connection with the provision of the Services. . 6.2 All Sub-Processors processors who process Personal Data in the provision of the Services to the Controller shall comply with the obligations of the Processor similar to those set out in this Data Processing Agreement. Where DPA. 6.3 The Controller agrees that the Sub-Processors are located processors may transfer Personal Data for the purpose of providing the Services to the Controller in accordance with the Agreement to countries outside of the European Economic Area (EEA, the ). The Processor confirms that such Sub-Processors: Sub- processors: (ai) are located in a third country or territory recognized recognised by the EU Commission to have an adequate level of protection; or or (bii) have entered into Standard Contractual Clauses with the Processor; or or (ciii) have other legally recognized recognised appropriate safeguards in place, such . 6.4 The Controller authorises the Processor to use the Sub-processors already engaged by the Processor as at the EU-US Privacy Shield or Binding Corporate Rules. The date of the Agreement and the Processor shall make available to the Controller the current list of Sub- Processors (at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇▇▇.▇▇▇/legal/policies/subprocessors/) Sub-processors which shall include the identities of Sub-Processors, what they’re used for, processors and their country of location. During the term of this DPA, the Processor shall provide the Controller with at least 14 days prior notification, via email (or in-application notice)email, of any changes to the list of Sub-Processor(sprocessor(s) who may process Personal Data before authorizing authorising any new or replacement Sub-Processor(sprocessor(s) to process Personal Data in connection with the provision of the Services. 6.5 The Controller may object to the use of a new or replacement Sub-processor, by notifying the Processor promptly in writing within ten (10) Business Days after receipt of the Processor’s notice. If the Controller objects to a new or replacement Sub-Processor processor, the Controller may terminate the Customer Terms Agreement with respect to those Services which cannot be provided by the Processor without the use of the new or replacement Sub- ProcessorSub-processor. The Processor will refund the Controller any prepaid fees covering the remainder of the Term of the Customer Terms Agreement following the effective date of termination with respect to such terminated Services. 6.6 All Sub-processors who process Personal Data shall comply with the obligations of the Processor set out in this DPA. The Processor shall prior to the relevant Sub-processor carrying out any processing activities in respect of the Personal Data; (i) appoint each Sub-processor under a written contract containing materially the same obligations to those of the Processor in this DPA enforceable by the Processor; and (ii) ensure each such Sub-processor complies with all such obligations.

Sub-processors. 6.1 The Controller acknowledges and agrees that: : (ai) Subsidiaries Affiliates of the Processor may be used as Sub-Processorsprocessors; and and (bii) the Processor and its Subsidiaries Affiliates respectively may engage Sub-Processors Sub- processors in connection with the provision of the Services. . 6.2 All Sub-Processors processors who process Personal Data in the provision of the Services to the Controller shall comply with the obligations of the Processor similar to those set out in this Data Processing Agreement. Where DPA. 6.3 The Controller authorises the Processor to use the Sub-Processors are located outside of processors included in the EEA, the Processor confirms that such Sub-Processors: (a) are located in a third country or territory recognized by the EU Commission to have an adequate level of protection; or (b) have entered into Standard Contractual Clauses with the Processor; or (c) have other legally recognized appropriate safeguards in place, such as the EU-US Privacy Shield or Binding Corporate Rules. The Processor shall make available to the Controller the current list of Sub- Processors (processors published at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇▇▇.▇▇▇/legal/policies/subprocessors/) which shall include sub-processor-list to process the identities of Sub-Processors, what they’re used for, and their locationPersonal Data. During the term of this DPA, the Processor shall provide the Controller with at least 14 30 days prior notification, via email (or in-application notice)email, of any changes to the list of Sub-Processor(s) who may process Personal Data processors before authorizing authorising any new or replacement Sub-Processor(s) processor to process Personal Data in connection with the provision of the Services. 6.4 The Controller may object to the use of a new or replacement Sub-processor, by notifying the Processor promptly in writing within fifteen (15) calendar days after receipt of the Processor’s notice. If the Controller objects to a new or replacement Sub-Processor processor, the Controller may terminate the Customer Terms Agreement with respect to those Services which cannot be provided by the Processor without the use of the new or replacement Sub- ProcessorSub-processor. The Processor will refund the Controller any prepaid fees covering the remainder of the Term term of the Customer Terms Agreement following the effective date of termination with respect to such terminated Services. 6.5 All Sub-processors who process Personal Data shall comply with the obligations of the Processor set out in this DPA. The Processor shall prior to the relevant Sub-processor carrying out any processing activities in respect of the Personal Data: (i) appoint each Sub-processor under a written contract containing materially the same obligations to those of the processor in this DPA enforceable by the Processor; and (ii) ensure each such Sub-processor complies with all such obligations. 6.6 The Controller agrees that the Processor and its Sub-processors may make Restricted Transfers of Personal Data for the purpose of providing the Services to the Controller in accordance with the Agreement. The Processor confirms that such Sub-processors: (i) are located in a third country or territory recognised by the EU Commission or a Supervisory Authority, as applicable, to have an adequate level of protection; or (ii) have entered into the applicable SCCs with the Processor; or (iii) have other legally recognised appropriate safeguards in place.

Sub-processors. 6.1 The Controller acknowledges and agrees that: : (ai) Subsidiaries Affiliates of the Processor may be used as Sub-Processorsprocessors; and and (bii) the Processor and its Subsidiaries Affiliates respectively may engage Sub-Processors Sub- processors in connection with the provision of the Solution and Services. . 6.2 All Sub-Processors processors who process Personal Data in the provision of the Solution and Services to the Controller shall comply with the obligations of the Processor similar to those set out in this Data Processing Agreement. DPA. 6.3 Where Sub-Processors processors are located outside of the EEA, the Processor confirms that such Sub-Processors: Sub- processors: (ai) are located in a third country or territory recognized recognised by the EU Commission to have an adequate level of protection; or or (bii) have entered into Standard Contractual Clauses with the Processor; or or (ciii) have other legally recognized recognised appropriate safeguards in place, such as the EU-US Privacy Shield or Binding Corporate Rules. . 6.4 The Processor shall make available to the Controller the current list of Sub- Processors (at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇▇▇.▇▇▇/legal/policies/subprocessors/) Sub-processors which shall include the identities of Sub-Processors, what they’re used for, processors and their country of location. During the term of this DPA, the Processor shall provide the Controller with at least 14 days prior notification, via email (or in-application notice)email, of any changes to the list of Sub-Processor(sprocessor(s) who may process Personal Data before authorizing authorising any new or replacement Sub-Processor(sprocessor(s) to process Personal Data in connection with the provision of the Solution and Services. 6.5 The Controller may object to the use of a new or replacement Sub-processor, by notifying the Processor promptly in writing within ten (10) Business Days after receipt of the Processor’s notice. If the Controller objects to a new or replacement Sub-Processor processor, the Controller may terminate the Customer Terms Agreement with respect to those parts of the Solution or Services which cannot be provided by the Processor without the use of the new or replacement Sub- ProcessorSub-processor. The Processor will refund the Controller any prepaid fees covering the remainder of the Term term of the Customer Terms Agreement following the effective date of termination with respect to such terminated Solutions or Services.

Sub-processors. 6.1 The Controller acknowledges and agrees that: : (ai) Subsidiaries Affiliates of the Processor may be used as Sub-Processorsprocessors; and and (bii) the Processor and its Subsidiaries Affiliates respectively may engage Sub-Processors Sub- processors in connection with the provision of the Solution or Services. . 6.2 All Sub-Processors processors who process Personal Data in the provision of the Solution or Services to the Controller shall comply with the obligations of the Processor similar to those set out in this Data Processing Agreement. DPA. 6.3 Where Sub-Processors processors are located outside of the EEA, the Processor confirms that such Sub-Processors: Sub- processors: (ai) are located in a third country or territory recognized recognised by the EU Commission to have an adequate level of protection; or or (bii) have entered into Standard Contractual Clauses with the Processor; or or (ciii) have other legally recognized recognised appropriate safeguards in place, such as the EU-US Privacy Shield or Binding Corporate Rules. . 6.4 The Processor shall make available to the Controller the current list of Sub- Processors (Sub-processors at ▇▇▇.▇▇▇▇-▇▇▇▇▇://.▇▇▇/▇▇▇▇-▇▇▇-▇▇▇▇▇▇▇▇▇▇▇.▇▇▇/legal/policies/subprocessors/) ▇ which shall include the identities of Sub-Processors, what they’re used for, Sub- processors and their country of location. During the term of this DPA, the Processor shall provide the Controller with at least 14 days prior notification, via email (or in-application notice)email, of any changes to the list of Sub-Processor(sSub- processor(s) who may process Personal Data before authorizing authorising any new or replacement Sub-Processor(sprocessor(s) to process Personal Data in connection with the provision of the Solution or Services. 6.5 The Controller may object to the use of a new or replacement Sub-processor, by notifying the Processor promptly in writing within ten (10) Business Days after receipt of the Processor’s notice. If the Controller objects to a new or replacement Sub-Processor processor, and that objection is not unreasonable, the Controller may terminate the Customer Terms Agreement or applicable Order Form with respect to those the Solution or Services which cannot be provided by the Processor without the use of the new or replacement Sub- ProcessorSub-processor. The Processor will refund the Controller any prepaid fees covering the remainder of the Term of the Customer Terms Agreement (or applicable Order Form) following the effective date of termination with respect to such terminated Solution or Services.

Sub-processors. 6.1 The Controller acknowledges and agrees that: (ai) Subsidiaries Affiliates of the Processor may be used as Sub-Processorsprocessors; and (bii) the Processor and its Subsidiaries Affiliates respectively may engage Sub-Processors processors in connection with the provision of the Services. . 6.2 All Sub-Processors processors who process Personal Data in the provision of the Services to the Controller shall comply with the obligations of the Processor similar to those set out in this Data Processing Agreement. DPA. 6.3 Where Sub-Processors processors are located outside of the EEA, the Processor confirms that such Sub-Processorsprocessors: (ai) are located in a third country or territory recognized by the EU Commission to have an adequate level of protection; or (bii) have entered into Standard Contractual Clauses with the Processor; or (ciii) have other legally recognized appropriate safeguards in place, such as the EU-US Privacy Shield or Binding Corporate Rules. . 6.4 The Processor shall make available to the Controller you the current list of Sub- Processors (Sub-processors at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇▇▇.▇▇▇/legal/policies/subprocessors/) DPA PROCESSORS Appendix which shall include the identities of Sub-Processors, what they’re used for, processors and their country of location. During the term of this DPA, the Processor we shall provide the Controller you with prior notification of at least 14 days prior notification30 days, via email (or in-application notice)email, of any changes to the list of Sub-Processor(sprocessor(s) who may process Personal Customer Data before authorizing authorising any new or replacement Sub-Processor(sSub- processor(s) to process Personal Customer Data in connection with the provision of the Services. 6.5 The Controller may object to the use of a new or replacement Sub-processor by notifying the Processor promptly in writing within ten (10) Business Days after receipt of the Processor’s notice. If the Controller objects to a new or replacement Sub-Processor processor, and that objection is not unreasonable, the Controller may terminate the Customer Terms Agreement with respect to those Services which cannot be provided by the Processor without the use of the new or replacement Sub- ProcessorSub-processor. The Processor will refund the Controller any prepaid fees covering the remainder of the Term of the Customer Terms Agreement following the effective date of termination with respect to such terminated Services.

Sub-processors. The Controller acknowledges and agrees that: : (ai) Subsidiaries of the Processor may be used as Sub-Processorsprocessors; and and (bii) the Processor and its Subsidiaries respectively may engage Sub-Processors processors in connection with the provision of the Services. All Sub-Processors processors who process Personal Data in the provision of the Services to the Controller shall comply with the obligations of the Processor similar to those set out in this Data Processing AgreementDPA. Where Sub-Processors processors are located outside of the EEA, the Processor confirms that such Sub-Processors: processors: (ai) are located in a third country or territory recognized recognised by the EU Commission to have an adequate level of protection; or or (bii) have entered into Standard Contractual Clauses with the Processor; or or (ciii) have other legally recognized recognised appropriate safeguards in place, such as the EU-US Privacy Shield or Binding Corporate Rules. The Processor shall make available to the Controller the current list of Sub- Sub-Processors (at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇▇▇.▇▇▇/legal/policies/subprocessors/) which shall include the identities of Sub-Processors, what they’re used for, processors and their country of location. During the term of this DPA, the Processor shall provide the Controller with at least 14 30 days prior notification, via email (or in-application notice), of any changes to the list of Sub-Processor(sSub- processor(s) who may process Personal Data before authorizing authorising any new or replacement Sub-Processor(sprocessor(s) to process Personal Data in connection with the provision of the Services. The ever current list of Sub-processors can be found in our Privacy Policy. If the Controller objects to a new or replacement Sub-Processor processor the Controller may terminate the Customer Terms with respect to those Services which cannot be provided by the Processor without the use of the new or replacement Sub- ProcessorSub-processor. The Processor will refund the Controller any prepaid fees covering the remainder of the Term of the Customer Terms following the effective date of termination with respect to such terminated Services.

Sub-processors. 6.1 The Controller acknowledges and agrees that: : (ai) Subsidiaries Affiliates of the Processor may be used as Sub-Processorsprocessors; and and (bii) the Processor and its Subsidiaries Affiliates respectively may engage Sub-Processors Sub- processors in connection with the provision of the Services. . 6.2 All Sub-Processors processors who process Personal Data in the provision of the Services to the Controller shall comply with the obligations of the Processor similar to those set out in this Data Processing Agreement. Where DPA. 6.3 The Controller agrees that the Sub-Processors are located processors may transfer Personal Data for the purpose of providing the Services to the Controller in accordance with the Agreement to countries outside of the European Economic Area (EEA, the ). The Processor confirms that such Sub-Processors: Sub- processors: (ai) are located in a third country or territory recognized recognised by the EU Commission to have an adequate level of protection; or or (bii) have entered into Standard Contractual Clauses with the Processor; or or (ciii) have other legally recognized recognised appropriate safeguards in place, such . 6.4 The Controller authorizes the Processor to use the Sub-processors already engaged by the Processor as at the EU-US Privacy Shield or Binding Corporate Rules. The date of the Agreement and the Processor shall make available to the Controller the current list of Sub- Processors (at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇▇▇.▇▇▇/legal/policies/subprocessors/) Sub-processors which shall include the identities of Sub-Processors, what they’re used for, Sub- processors and their country of location. During the term of this DPA, the Processor shall provide the Controller with at least 14 days prior notification, via email (or in-application notice)email, of any changes to the list of Sub-Processor(sSub- processor(s) who may process Personal Data before authorizing authorising any new or replacement Sub-Processor(sprocessor(s) to process Personal Data in connection with the provision of the Services. 6.5 The Controller may object to the use of a new or replacement Sub-processor, by notifying the Processor promptly in writing within ten (10) Business Days after receipt of the Processor’s notice. If the Controller objects to a new or replacement Sub-Processor processor, the Controller may terminate the Customer Terms Agreement with respect to those Services which cannot be provided by the Processor without the use of the new or replacement Sub- ProcessorSub-processor. The Processor will refund the Controller any prepaid fees covering the remainder of the Term of the Customer Terms Agreement following the effective date of termination with respect to such terminated Services. 6.6 All Sub-processors who process Personal Data shall comply with the obligations of the Processor set out in this DPA. The Processor shall prior to the relevant Sub-processor carrying out any processing activities in respect of the Personal Data; (i) appoint each Sub- processor under a written contract containing materially the same obligations to those of the Processor in this DPA enforceable by the Processor; and (ii) ensure each such Sub-processor complies with all such obligations.

Sub-processors. 6.1 The Controller acknowledges and agrees that: : (ai) Subsidiaries Affiliates of the Processor may be used as Sub-Processorsprocessors; and and (bii) the Processor and its Subsidiaries Affiliates respectively may engage Sub-Processors Sub- processors in connection with the provision of the Services. . 6.2 All Sub-Processors processors who process Personal Data in the provision of the Services to the Controller shall comply with the obligations of the Processor similar to those set out in this Data Processing Agreement. DPA. 6.3 Where Sub-Processors processors are located outside of the EEA, the Processor confirms that such Sub-Processors: Sub- processors: (ai) are located in a third country or territory recognized recognised by the EU Commission to have an adequate level of protection; or or (bii) have entered into Standard Contractual Clauses with the Processor; or or (ciii) have other legally recognized recognised appropriate safeguards in place, such as the EU-US Privacy Shield or Binding Corporate Rules. . 6.4 The Processor shall make available to the Controller the current list of Sub- Processors (at ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇.▇▇▇/legal/en-gb/policies/subprocessors/) data-sub-processors which shall include the identities of Sub-Processors, what they’re used for, processors and their country of location. During the term of this DPA, the Processor shall provide the Controller with at least 14 days prior notification, via email (or in-application notice)email, of any changes to the list of Sub-Processor(sprocessor(s) who may process Personal Data before authorizing authorising any new or replacement Sub-Processor(sprocessor(s) to process Personal Data in connection with the provision of the Services. 6.5 The Controller may object to the use of a new or replacement Sub-processor, by notifying the Processor promptly in writing within ten (10) Business Days after receipt of the Processor’s notice. If the Controller objects to a new or replacement Sub-Processor processor, and that objection is not unreasonable, the Controller may terminate the Customer Terms Agreement or applicable Sales Order with respect to those Services which cannot be provided by the Processor without the use of the new or replacement Sub- ProcessorSub-processor. The Processor will refund the Controller any prepaid fees covering the remainder of the Term of the Customer Terms Agreement (or applicable Sales Order) following the effective date of termination with respect to such terminated Services.

Sub-processors. 7.1 The Data Controller acknowledges and agrees that: (a) Subsidiaries of that the Data Processor may be used as Sub-Processors; and (b) the Processor and its Subsidiaries respectively may engage Sub-Processors in connection with the provision of the Services. . 7.2 All Sub-Processors who process Personal Data in the provision of the Services to the Data Controller shall comply with the obligations of the Data Processor similar to those set out in this DPA. 7.3 The Data Processing Agreement. Where Controller authorises the Data Processor to use the Sub-Processors are located outside included in the list of the EEA, the Processor confirms that such Sub-Processors: (a) are located in a third country or territory recognized by the EU Commission to have an adequate level of protection; or (b) have entered into Standard Contractual Clauses with the Processor; or (c) have other legally recognized appropriate safeguards in place, such as the EU-US Privacy Shield or Binding Corporate Rules. The Processor shall make available to the Controller the current list of Sub- Processors (at accessible via: ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇▇▇.▇▇▇/legal/policies/subprocessors/) which shall include subprocessors/ to process the identities of Sub-Processors, what they’re used for, and their locationPersonal Data. During the term of this DPA, the Data Processor shall provide the Data Controller with at least 14 30 days prior notification, via email (or in-application notice)email, of any changes to the list of Sub-Processor(s) who may process Personal Data Sub- Processors before authorizing authorising any new or replacement Sub-Processor(s) Processor to process Personal Data in connection with the provision of the Services. 7.4 The Data Controller may object to the use of a new or replacement Sub-Processor, by notifying the Data Processor promptly in writing within 14 days after receipt of the Data Processor’s notice. If the Data Controller objects to a new or replacement Sub-Processor Processor, the Data Controller may terminate the Customer Terms Agreement with respect to those Services which cannot be provided by the Data Processor without the use of the new or replacement Sub- Sub-Processor. 7.5 All Sub-Processors who process Personal Data shall comply with the obligations of the Data Processor set out in this DPA. The Data Processor will refund shall prior to the Controller relevant Sub-Processor carrying out any prepaid fees covering the remainder processing activities in respect of the Term Personal Data: 7.5.1 Appoint each Sub-Processor under a written contract containing materially the same obligations to those of the Customer Terms following Data Processor in this DPA enforceable by the effective date Data Processor; and 7.5.2 Ensure each such Sub-Processor complies with all such obligations. 7.6 The Data Controller agrees that the Processor and its Sub-Processors may make Restricted Transfers of termination Personal Data for the purpose of providing the Services to the Data Controller in accordance with respect the Agreement. The Data Processor confirms that such Sub-Processors: 7.6.1 Are located in a third country or territory recognised by the EU Commission or a Supervisory Authority, as applicable, to such terminated Serviceshave an adequate level of protection; or 7.6.2 Have entered into the applicable SCCs with the Data Processor; or 7.6.3 Have other legally recognised appropriate safeguards in place.

Sub-processors. The Controller acknowledges and agrees that: (a) a. Subsidiaries of the Processor may be used as Sub-Processors; and (b) b. the Processor and its Subsidiaries respectively may engage Sub-Processors in connection with the provision of the Services. All Sub-Processors who process Personal Data in the provision of the Services to the Controller shall comply with the obligations of the Processor similar to those set out in this Data Processing Agreement. Where Sub-Processors are located outside of the EEA, the Processor confirms that such Sub-Processors: (a) a. are located in a third country or territory recognized recognised by the EU Commission to have an adequate level of protection; or (b) b. have entered into Standard Contractual Clauses with the Processor; or (c) c. have other legally recognized recognised appropriate safeguards in place, such as the EU-US Privacy Shield or Binding Corporate Rules. The Processor shall make available to the Controller the current list of Sub- Sub-Processors (at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇▇▇.▇▇▇/legal/policies/subprocessors/data-subprocessors) which shall include the identities of Sub-Processors, what they’re used for, and their location. During the term of this DPA, the Processor shall provide the Controller with at least 14 days prior notification, via email (or in-application notice), of any changes to the list of Sub-Processor(s) who may process Personal Data before authorizing authorising any new or replacement Sub-Processor(s) to process Personal Data in connection with the provision of the Services. If the Controller objects to a new or replacement Sub-Processor the Controller may terminate the Customer Terms with respect to those Services which cannot be provided by the Processor without the use of the new or replacement Sub- Sub-Processor. The Processor will refund the Controller any prepaid fees covering the remainder of the Term of the Customer Terms following the effective date of termination with respect to such terminated Services.

Sub-processors. 6.1 The Controller acknowledges and agrees that: (ai) Subsidiaries Affiliates of the Processor may be used as Sub-Processorsprocessors; and (bii) the Processor and its Subsidiaries Affiliates respectively may engage Sub-Processors processors in connection with the provision of the Services. . 6.2 All Sub-Processors processors who process Personal Data in the provision of the Services to the Controller shall comply with the obligations of the Processor similar to those set out in this Data Processing Agreement. DPA. 6.3 Where Sub-Processors processors are located outside of the EEA, the Processor confirms that such Sub-Processorsprocessors: (ai) are located in a third country or territory recognized by the EU Commission to have an adequate level of protection; or (bii) have entered into Standard Contractual Clauses with the Processor; or or (ciii) have other legally recognized appropriate safeguards in place, such as the EU-US Privacy Shield or Binding Corporate Rules. . 6.4 The Processor shall make available to the Controller you the current list of Sub- Processors (Sub-processors at ▇▇▇▇▇://▇▇▇▇▇▇▇.▇▇▇▇▇.▇▇▇/legal/policies/subprocessors/) /dpa-subprocessors which shall include the identities of Sub-Processors, what they’re used for, processors and their country of location. During the term of this DPA, the Processor shall provide the Controller with at least 14 days prior notification, via email (or in-application notice)email, of any changes to the list of Sub-Processor(sprocessors(s) who may process Personal Data before authorizing any new or replacement Sub-Processor(sprocessor(s) to process Personal Data in connection with the provision of the Services. 6.5 The Controller may object to the use of a new or replacement Sub-processor by notifying the Processor promptly in writing within ten (10) Business Days after receipt of the Processor’s notice. If the Controller objects to a new or replacement Sub-Processor processor, and that objection is not unreasonable, the Controller may terminate the Customer Terms Agreement with respect to those Services which cannot be provided by the Processor without the use of the new or replacement Sub- ProcessorSub-processor. The Processor will refund the Controller any prepaid fees covering the remainder of the Term of the Customer Terms Agreement following the effective date of termination with respect to such terminated Services.

Sub-processors. The Controller acknowledges and agrees that: (ai) Subsidiaries of the Processor may be used as Sub-Processorsprocessors; and (bii) the Processor and its Subsidiaries respectively may engage Sub-Processors processors in connection with the provision of the Services. All Sub-Processors processors who process Personal Data in the provision of the Services to the Controller shall comply with the obligations of the Processor similar to those set out in this Data Processing AgreementDPA. Where Sub-Processors processors are located outside of the EEA, the Processor confirms that such Sub-Processorsprocessors: (ai) are located in a third country or territory recognized recognised by the EU Commission to have an adequate level of protection; or (bii) have entered into Standard Contractual Clauses with the Processor; or (ciii) have other legally recognized recognised appropriate safeguards in place, such as the EU-US Privacy Shield or Binding Corporate Rules. The Processor shall make available to the Controller the current list of Sub- Processors (at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇▇▇.▇▇▇/legal/policies/subprocessors/) Sub-processors which shall include the identities of Sub-Processors, what they’re used for, processors and their country of location. During the term of this DPA, the Processor shall provide the Controller with at least 14 30 days prior notification, via email (or in-application notice), of any changes to the list of Sub-Processor(sprocessor(s) who may process Personal Data before authorizing authorising any new or replacement Sub-Processor(sSub- processor(s) to process Personal Data in connection with the provision of the Services. If the Controller objects to a new or replacement Sub-Processor processor the Controller may terminate the Customer Terms and Conditions with respect to those Services which cannot be provided by the Processor without the use of the new or replacement Sub- ProcessorSub-processor. The Processor will refund the Controller any prepaid fees covering the remainder of the Term of the Customer Terms and Conditions following the effective date of termination with respect to such terminated Services.

Sub-processors. 6.1 The Controller acknowledges and agrees that: : (ai) Subsidiaries Affiliates of the Processor may be used as Sub-Processorsprocessors; and and (bii) the Processor and its Subsidiaries Affiliates respectively may engage Sub-Processors Sub- processors in connection with the provision of the Services. . 6.2 All Sub-Processors processors who process Personal Data in the provision of the Services to the Controller shall comply with the obligations of the Processor similar to those set out in this Data Processing Agreement. Where DPA. 6.3 The Controller authorises the Processor to use the Sub-Processors are located outside of included in the EEA, the Processor confirms that such Sub-Processors: (a) are located in a third country or territory recognized by the EU Commission to have an adequate level of protection; or (b) have entered into Standard Contractual Clauses with the Processor; or (c) have other legally recognized appropriate safeguards in place, such as the EU-US Privacy Shield or Binding Corporate Rules. The Processor shall make available to the Controller the current list of Sub- Processors (processors published at ▇▇▇▇▇://▇▇▇▇▇.▇▇▇▇▇▇.▇▇.▇/legal/policies/subprocessors/) which shall include ▇/subprocessing-list to process the identities of Sub-Processors, what they’re used for, and their locationPersonal Data. During the term of this DPA, the Processor shall provide the Controller with at least 14 30 days prior notification, via email (or in-application notice)email, of any changes to the list of Sub-Processor(s) who may process Personal Data processors before authorizing authorising any new or replacement Sub-Processor(s) processor to process Personal Data in connection with the provision of the Services. 6.4 The Controller may object to the use of a new or replacement Sub-processor by notifying the Processor promptly in writing within ten (10) Business Days after receipt of the Processor’s notice. If the Controller objects to a new or replacement Sub-Processor processor, the Controller may terminate the Customer Terms Agreement with respect to those Services which cannot be provided by the Processor without the use of the new or replacement Sub- ProcessorSub-processor. The Processor will refund the Controller any prepaid fees covering the remainder of the Term of the Customer Terms Agreement following the effective date of termination with respect to such terminated Services. 6.5 All Sub-Processors who process Personal Data shall comply with the obligations of the Processor set out in this DPA. The Processor shall prior to the relevant Sub-Processor carrying out any processing activities in respect of the Personal Data: (i) appoint each Sub-Processor under a written contract containing materially the same obligations to those of the Processor in this DPA enforceable by the Processor; and (ii) ensure each such Sub-Processor complies with all such obligations. 6.6 The Controller agrees that the Processor and its Sub-Processors may make Restricted Transfers of Personal Data for the purpose of providing the Services to the Controller in accordance with the Agreement. The Processor confirms that such Sub-processors: (i) are located in a third country or territory recognised by the EU Commission or a Supervisory Authority, as applicable, to have an adequate level of protection; or (ii) have entered into the applicable SCCs with the Processor; or (iii) have other legally recognised appropriate safeguards in place.