Data Processing Addendum


This Data Processing Addendum (“Addendum”) supplements the agreement in which it is linked or referenced entered into by and between Defiant, Inc. (“Defiant”) and the entity indicated on the applicable agreement (“Customer”). This Addendum is deemed accepted and incorporated into the Agreement by reference. Any terms not defined in this Addendum shall have the meaning set forth in the Agreement.

  1. Definitions

    1. “Affiliate” means (i) an entity of which a party directly or indirectly owns fifty percent (50%) or more of the stock or other equity interest, (ii) an entity that owns at least fifty percent (50%) or more of the stock or other equity interest of a party, or (iii) an entity which is under common control with a party by having at least fifty percent (50%) or more of the stock or other equity interest of such entity and a party owned by the same person, but such entity shall only be deemed to be an Affiliate so long as such ownership exists.
    2. “Applicable Laws” means any applicable laws, rules, and regulations in any relevant jurisdiction applicable to the Addendum, the Agreement, or the use or Processing of Personal Data, including those concerning privacy, data protection, confidentiality, information security, availability and integrity, or the handling of Personal Data. Applicable Laws expressly include, as applicable: the EU/UK Data Protection Laws and US Data Protection Laws.
    3. “Authorized Employee” means an employee of either Party or an employee of a Party’s Affiliate who has a need to know or otherwise access Personal Data in order to enable a Party to perform its obligations under this Addendum or the Agreement and who has committed themselves to confidentiality or is subject to confidentiality obligations, who has been apprised of the confidential nature of Personal Data before they may access such data and who has undergone appropriate background screening and training.
    4. “Authorized Persons” means those persons who are authorised or permitted to act on behalf of the relevant Party under this Agreement (and, if named, expressly set out in the Instructions).
    5. “Authorized Subcontractor” means any subcontractor who is authorised to act as a subcontractor under, in accordance with and subject to the terms of this Agreement.
    6. “Data Controller” means the Customer which alone determines the purposes and means of the Processing of Personal Data.
    7. “Data Processor” means Defiant, which Processes Personal Data on behalf of and pursuant to the instructions of Customer.
    8. “Data Subject” means a natural person who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, an online identifier, or to one or more factors specific to the identity of that natural person.
    9. “Data Subject Rights” means the rights recognized and granted to Data Subjects with respect to their Personal Data under Applicable Laws, including, when effective, the GDPR.
    10. “EU/UK Data Protection Laws” means (i) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR” or “GDPR”), (ii) the Swiss Federal Act on Data Protection, (iii) the EU GDPR as it forms part of the law of England and Wales by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”); (iv) the UK Data Protection Act 2018; (v) the Privacy and Electronic Communications (EC Directive) Regulations 2003, including any implementing regulations or directives to each EU/UK Data Protection Laws, as amended, made effective, or supplemented from time to time.
    11. “EU SCCs” means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of Personal Data to countries not otherwise recognized as offering an adequate level of protection for Personal Data by the European Commission; available at: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en (as amended and updated from time to time).
    12. “ex-EEA Transfer” means the transfer of Personal Data, which is Processed in accordance with the GDPR, outside the European Economic Area (the “EEA”), and such transfer is not governed by an adequacy decision made by the European Commission in accordance with the relevant provisions of the GDPR.
    13. “ex-UK Transfer” means the transfer of Personal Data, which is Processed in accordance with the UK GDPR and the Data Protection Act 2018, outside the United Kingdom (the “UK”), and such transfer is not governed by an adequacy decision made by the Secretary of State in accordance with the relevant provisions of the UK GDPR and the Data Protection Act 2018.
    14. “ex-Swiss Transfer” means the transfer of Personal Data outside of Switzerland.
    15. “Instructions” means those instructions, whether oral (where subsequently confirmed in writing) or in writing, which are conveyed to Defiant by Customer.
    16. “Personal Data” means any information relating to an identified or identifiable living individual that is processed by either Party as a result of, or in connection with, the provision of the Services under the Agreement. An identifiable living individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual. Personal Data includes “personal data,” “personal information,” “nonpublic personal information,” “nonpublic information,” “sensitive data,” “sensitive personal information,” “protected health information,” and other similar terms as defined in Applicable Laws.
    17. “Personal Data Breach” or “Reportable Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed that needs to be reported to a Competent Supervisory Authority or other applicable government entity.
    18. “Processing” or the equivalent term has the meaning given to it in the Applicable Laws.
    19. “Sell” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, an individual’s Personal Data by the business to another business or a third party for monetary or other valuable consideration. Without limitation, Sell includes “sell,” “selling,” “sale,” or “sold” as defined in Applicable Laws.
    20. “Services” shall have the meaning set forth in the Agreement.
    21. “Share” means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, an individual’s Personal Data to a third party, including, but not limited to, for purposes of Targeted Advertising. Without limitation, Share includes “share,” “shared,” or “sharing” as defined in Applicable Laws.
    22. “Standard Contractual Clauses” means the EU SCCs and the UK Data Transfer Addendum.
    23. “Supervisory Authority/ies” or “Competent Supervisory Authority/ies” means those supervisory authorities who are authorised to oversee, issue guidance in relation to and enforce UK GDPR or GDPR.
    24. “Targeted Advertising” means the targeting of advertising to an individual based on the individual’s Personal Data obtained from the individual’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the individual intentionally interacts. Without limitation, Targeted Advertising includes “cross-context behavioral advertising” as defined in the Applicable Laws, “targeted advertising” and other similar terms as may be defined in Applicable Laws.
    25. “UK Data Transfer Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses Version B1.0, in force 21 March 2022 issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018, available at: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-data-transfer-agreement-and-guidance/.
    26. “US Data Protection Laws” means (i) the Federal Trade Commission Act, (ii) federal and state data breach notification laws, (iii) the California Consumer Privacy Act as amended by the California Privacy Rights Act, (iv) the Virginia Consumer Data Protection Act, (v) the Colorado Privacy Act, (vi) the Utah Consumer Privacy Act and (vii) Connecticut Data Privacy Act, and other state and federal statutes relating to Processing of information, including any implementing regulations to each US Data Protection Laws, as amended, made effective, or supplemented from time to time.
  2. Processing of Data

    1. The Parties shall comply with this Addendum at all times during the term of the Agreement. Any failure by either party to comply with the obligations set forth in this Addendum, or any Personal Data Breach, will be considered a material breach of the Agreement, and the other party will have the right, without limiting any of the rights or remedies under this Addendum or the Agreement, or at law or in equity, to immediately terminate the Agreement for cause.
    2. The rights and obligations of Defiant with respect to Processing are described herein and in the Agreement. The subject matter, nature, purpose, and duration of this Processing, as well as the types of Personal Data collected and categories of Data Subjects involved, are described in Exhibit 1 to this Addendum.
    3. Defiant shall only Process Personal Data for the limited and specified purposes described in Exhibit 1, the terms and conditions set forth in this Addendum and in any Instructions, which shall include rights and obligations regarding onward transfer.
    4. Each Party will comply with its respective obligations under Applicable Laws. Customer will: (i) use the Services in a manner designed to ensure a level of security appropriate to the Personal Data Processed, such as pseudonymizing and backing-up Personal Data; and (ii) obtain all necessary consents, permissions and rights under the Applicable Laws for Defiant to lawfully Process the Personal Data provided by Customer for the purposes set forth in this Addendum and the Agreement, including, without limitation, Customer’s sharing or receiving of Personal Data with third-parties in connection with the Services.
    5. Defiant shall have no obligation to assess the contents or accuracy of Personal Data provided by Customer, including to identify information subject to any specific legal, regulatory, or other requirement. Customer is responsible for making an independent determination as to whether its use of the Service will meet Customer’s requirements and legal obligations under Applicable Laws.
    6. Defiant acknowledges and confirms that it does not receive any Personal Data from Customer as consideration for any services or other items provided to Customer. Except as expressly set forth in the Agreement, Defiant shall not have, derive or exercise any rights or benefits regarding Personal Data and Defiant shall not Sell or Share any Personal Data, or use Personal Data for Targeted Advertising. Defiant shall not retain, use or disclose any Personal Data except as necessary for the specific purpose of performing the services for Customer pursuant to the Agreement. Defiant certifies, represents, and warrants that it understands the rules, restrictions, requirements and definitions of the US Data Protection Laws and agrees to refrain from taking any action that would cause any transfers of Personal Data to or from Defiant to qualify as a sale of Personal Data under the US Data Protection Laws.
  3. Technical and Organizational Measures

    At a minimum, and without limiting the foregoing, Defiant represents and warrants that it shall maintain all Personal Data in strict confidence and provide a level of security appropriate to the particular risks of accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure or access of Personal Data presented by the processing and the Personal Data (collectively, “Risks”), including (i) limiting access to Personal Data to Authorized Persons only; (ii) ensuring that all Authorized Persons have committed themselves to confidentiality or are subject to confidentiality obligations, or are made aware of the confidential nature of Personal Data before they may access such data; (iii) securing its physical, technical, and administrative infrastructure, including all relevant business facilities, data centers, paper files, servers, networks, platforms, databases, cloud computing resources, back-up systems, passwords and credentials, hardware, and mobile devices; (iv) implementing authentication and access controls within all relevant media, applications, networks, operating systems and equipment; (v) encrypting Personal Data when transmitted over public or wireless networks or where otherwise appropriate in light of the Risks; (vi) strictly segregating Personal Data from information of Defiant or its employees or other customers; (vii) maintaining appropriate personnel security and integrity procedures and practices, as set forth in Section 3; (viii) maintaining written plans and policies for responding to Personal Data Breaches; (ix) maintaining and regularly testing processes for restoring the availability and access to Personal Data in a timely manner in the event of a Personal Data Breach; (x) regularly testing, assessing, and evaluating the effectiveness of its technical and organizational security measures; and (xi) any other measures necessary to ensure the ongoing confidentiality, integrity, and availability of Personal Data and the ongoing security and resilience of systems and services used for processing.

  4. Authorized Persons and Affiliates

    1. Customer acknowledges and agrees that Defiant may engage the Authorized Subcontractors listed in Exhibit 2(D) to this Addendum to access and process Personal Data in connection with the Services. Defiant represents, warrants, and covenants that it has not and will not permit any other third party other than Defiant and its Authorized Employees to Process Personal Data on behalf of Defiant in its provision of Services to Customer without the prior written consent of Customer. Only upon such prior written consent shall any such third party be considered an Authorized Subcontractor. Defiant shall submit the request for Customer’s prior written authorization at least ten (10) days prior to the engagement of any such third party, together with any information necessary to enable Customer to decide on such authorization.
    2. Defiant represents, warrants, and covenants that it has executed written agreements with each Authorized Subcontractor that bind them to all obligations set forth in this Addendum with respect to the Processing of the Personal Data.
    3. Defiant shall be responsible for the acts and omissions of Authorized Subcontractors and any other of its subcontractors, independent contractors, and other service providers to the same extent that Defiant would itself be liable under this Addendum had it conducted such acts or omissions.
    4. Defiant’s obligations set forth in this addendum also extend to Affiliates of Customer, subject to the following conditions:
      1. Customer must exclusively communicate any additional Processing instructions requested directly to Defiant, including instructions from Affiliates of Customer;
      2. Customer shall be responsible for Customer’s Affiliates’ compliance with this Addendum and all acts and omissions by an Affiliate with respect to Customer’s obligations in this Addendum shall be considered the acts and omissions of Customer; and
      3. Affiliates of Customer shall not bring a claim directly against Defiant. If an Affiliate of Customer seeks to assert a legal demand, action, suit, claim, proceeding or other forms of complaints or proceedings against Defiant (“Affiliate Claim”): (i) Customer must bring such Affiliate Claim directly against Defiant on behalf of such Affiliate, unless Applicable Laws require the Affiliate be a party to such claim; and (ii) all Affiliate Claims shall be considered claims made by Customer and shall be subject to any liability restrictions set forth in the Agreement, including, but not limited to, any aggregate limitation of liability.
  5. Personal Data Breach Notification

    1. Defiant shall notify Customer promptly and without undue delay, but in any event, not more than forty-eight (48) hours after becoming aware of a Personal Data Breach and shall, in a written report, provide sufficient information to enable Customer to comply with its obligations under Applicable Laws with respect to such Personal Data Breach, including any obligation to report or notify such Personal Data Breach to Supervisory Authorities and/or Data Subjects, as applicable.
    2. As soon as reasonably practicable after providing the report described in Section 5.1, Defiant shall provide Customer with a report on its initial findings regarding the Personal Data Breach, and thereafter shall provide regular updates describing subsequent findings with respect to such Personal Data Breach. As soon as reasonably practicable after Defiant has concluded its examination of the Personal Data Breach, it shall provide Customer with a final report regarding the Personal Data Breach.
    3. Defiant and/or any relevant Authorized Subcontractor shall use its best efforts to immediately mitigate and remedy any Personal Data Breach and prevent any further Personal Data Breach or recurrence thereof, in accordance with Applicable Laws.
    4. Neither Defiant nor any Authorized Subcontractor shall publicly disclose any information regarding any Personal Data Breach without Customer’s prior written consent, except that Defiant and any relevant Authorized Subcontractor may disclose any Personal Data Breach to (i) its own employees, customers, advisors, agents, or contractors, or (ii) where and to the extent explicitly compelled to do so by Applicable Laws, to applicable Supervisory Authorities and/or Data Subjects without Customer’s prior written consent. Such consent will not be unreasonably withheld.
    5. Defiant and any relevant Authorized Subcontractor shall, at Customer’s reasonable expense other than where the Personal Data Breach results from and/or arises in any way from Defiant’s and/or any Authorized Subcontractor’s breach, act, delay or commission, fully cooperate with Customer and provide any assistance necessary for Customer to comply with any obligations under Applicable Laws with respect to a Personal Data Breach, including obligations to report or notify a Personal Data Breach to Supervisory Authorities and/or Data Subjects. Such assistance may include drafting disclosures, press releases and/or other communications for Customer with respect to such Personal Data Breach.
  6. Transfers of Personal Data

    1. If Defiant transfers Personal Data protected under this Addendum to a jurisdiction for which the European Commission has not issued an adequacy decision (each, a “Restricted Transfer”), Defiant represents, warrants, and covenants that (i) Restricted Transfer by Defiant may only be made to Authorized Persons as approved by Customer in accordance with Section 4 of this Addendum; (ii) any Restricted Transfer conducted by Defiant or any Authorized Person shall be undertaken in accordance with the appropriate Standard Contractual Clauses entered into in accordance with Applicable Law; and (iii) that each Restricted Transfer will be made after appropriate safeguards have been implemented for the Restricted Transfer of Personal Data in accordance with Applicable Laws.
    2. Ex-EEA Transfers. Ex-EEA Transfers are made pursuant to the EU SCCs, which are deemed entered into and incorporated into this Addendum by reference. For the purposes of the EU SCCs, the appropriate module shall be Module Two (Controller to Processor), with the following options:
      1. The optional docking clause in Clause 7 does apply;
      2. Option 2 in Clause 9 is selected and the time period is 10 days;
      3. In Clause 11, the optional language does not apply;
      4. All square brackets in Clause 13 are hereby removed;
      5. In Clause 17 (Option 1), the EU SCCs will be governed by Irish law;
      6. In Clause 18(b), disputes will be resolved before the courts of the Republic of Ireland;
      7. Exhibit 2 to this Addendum contains the information required in Annex I of the EU SCCs;
      8. Exhibit 3 to this Addendum contains the information required in Annex II of the EU SCCs; and
      9. By entering into this Addendum, the parties are deemed to have signed the EU SCCs incorporated herein, including its Annexes.
    3. Ex-UK Transfers. Ex-UK Transfers are made pursuant to the UK Data Transfer Addendum, which is deemed entered into and incorporated into this Addendum by reference. For the UK Data Transfer Addendum, where applicable the following applies:
      1. Exhibit 4 to this Addendum contains the information required in Part 1 – Tables, of the UK Data Transfer Addendum; and
      2. By entering into this Addendum, the parties are deemed to have signed the UK Data Transfer Addendum incorporated herein.
    4. Ex-Swiss Transfers. Transfers from Switzerland are made pursuant to the EU SCCs with the following modifications:
      1. The terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as utilized in the EU SCCs shall be interpreted to include the Federal Act on Data Protection of 19 June 1992 (the “FADP,” and as revised as of 25 September 2020, the “Revised FADP”) with respect to data transfers subject to the FADP.
      2. The terms of the EU SCCs shall be interpreted to protect the data of legal entities until the effective date of the Revised FADP.
      3. Clause 13 of the EU SCCs is modified to provide that the Federal Data Protection and Information Commissioner (“FDPIC”) of Switzerland shall have authority over data transfers governed by the FADP and the appropriate EU supervisory authority shall have authority over data transfers governed by the GDPR. Subject to the foregoing, all other requirements of Clause 13 shall be observed.
      4. The term “EU Member State” as utilized in the EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the EU SCCs.
    5. People’s Republic of China. Customer will not transfer personal data or other information to Defiant that is subject to the Personal Information Protection Law of the People’s Republic of China (“PIPL”). In the event that Customer requests Defiant to process the personal data or other information of Chinese data subjects, the parties agree to negotiate separate terms and conditions, in good faith, addressing the lawful transfer of such data under PIPL and other applicable Chinese laws.
    6. Non-Defined Data Protection Law. If Customer wishes to process data under a governing jurisdiction not otherwise defined in this Addendum, Customer has the obligation to inform Defiant prior to commencing such processing activities. The parties agree to negotiate separate terms and conditions, in good faith, addressing such law on a case-by-case basis.
    7. Supplementary Measures. In respect of any ex-EEA Transfer or ex-UK Transfer, the following supplementary measures shall apply:
      1. As of the date of this Addendum, Defiant has not received any formal legal requests from any government intelligence or security service/agencies in the country to which the Personal Data is being exported, for access to (or for copies of) either Party’s Personal Data (“Government Agency Requests”).
      2. Where allowed by Applicable Law, if after the date of this Addendum, Defiant receives any Government Agency Requests, Defiant shall attempt to redirect the law enforcement or government agency to request that data directly from Customer. As part of this effort, Defiant may provide Customer’s basic contact information to the government agency. If compelled to disclose Customer’s Personal Data to a law enforcement or government agency, Defiant shall give Customer reasonable notice of the demand, where allowed by Applicable Law, and cooperate to allow Customer to seek a protective order or other appropriate remedy unless Defiant is legally prohibited from doing so. Defiant shall not voluntarily disclose Personal Data to any law enforcement or government agency. Defiant shall (as soon as reasonably practicable) discuss and determine whether all or any transfers of Personal Data pursuant to this Addendum should be suspended in the light of such Government Agency Requests.
      3. If Applicable Laws require the Parties to execute the Standard Contractual Clauses applicable to a particular transfer of Personal Data as a separate agreement, the Parties shall promptly execute such Standard Contractual Clauses incorporating such amendments as may reasonably be required to reflect the applicable appendices and annexes, the details of the transfer and the requirements of the relevant Applicable Laws.
      4. If either (i) any of the means of legitimizing transfers of Personal Data outside of the EEA or UK set forth in this Addendum cease to be valid or (ii) any supervisory authority requires transfers of Personal Data pursuant to those means to be suspended, each Party agrees to amend the means of legitimizing transfers or alternative arrangements with Customer, with effect from the date set out in such notice, amend or put in place alternative arrangements in respect of such transfers, as required by Applicable Laws.
  7. Data Governance

    1. Defiant will retain any Personal Data provided by Customer for the term of the Agreement plus one month or a term otherwise agreed between the parties in writing (the “Data Retention Period”). Upon expiration of the Data Retention Period, all Personal Data will be destroyed or anonymized. Customer is responsible for notifying Defiant if the destruction or anonymization of Personal Data pursuant to this Section 7.1 is not in compliance with Applicable Law.
    2. Where and to the extent disposal of Personal Data in accordance with Section 7.1 is explicitly prevented by Applicable Law(s) or technically infeasible, Defiant and/or Authorized Persons, as applicable, shall (i) take measures to block such Personal Data from any further Processing (except to the extent necessary for continued Processing explicitly required by Applicable Law(s)), and (ii) continue to exercise appropriate technical and organizational security measures to protect such Personal Data until it may be disposed of in accordance with Section 7.1.
    3. In addition to any indemnification set forth in the Agreement, Customer will indemnify, hold harmless, and, at Defiant’s option, defend Defiant from and against any losses resulting from any third-party Claim alleging or based on Customer’s breach of its obligations as a Data Controller under this Agreement.
  8. Rights of Data Subjects

    Defiant will provide such assistance as is reasonably required to enable Customer, including by appropriate technical and organisational measures insofar as this is possible, to comply with Data Subject Rights requests within the time limits imposed by Applicable Laws.

  9. Data Protection Impact Assessments and Consultations with Supervisory Authorities

    If applicable, Defiant will assist Customer in conducting data protection impact assessments (DPIAs) of any processing operations and consulting with Supervisory Authorities, Data Subjects and their representatives accordingly, provided such assistance is limited to no more than one request per calendar year. Defiant reserves the right to invoice Customer for reasonable fees incurred as part of any request made under this Section.

  10. Information Provision

    Upon written request from Customer, Defiant will make available to Customer information necessary to reasonably demonstrate compliance with the obligations set out in this Addendum.

  11. Miscellaneous

    1. The Parties agree that this Addendum shall replace and supersede any existing data processing addendum, attachment, exhibit or standard contractual clauses that Defiant and Customer may have previously entered into in connection with the Services.
    2. Both parties may disclose this Addendum to third parties (including other controllers, Data Subjects and regulators) for purposes of demonstrating compliance with Applicable Laws.
    3. In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) the applicable terms in the EU SCCs or UK Data Transfer Addendum (where applicable); (2) the terms of this Addendum; and (3) the Agreement.

Exhibit 1

Details of Processing

Categories of data subjects whose personal data is transferred

Data exporter’s employees, users, customers, and the personal data of any data subject the data exporter provides the data importer in connection with the services.

Categories of personal data transferred

  • Business Transactions: Defiant processes the following categories of information in connection with its business transactions with customers: contact information (e.g., phone number, address, email address), identity information (e.g., first name, last name, country), website credentials (e.g., username, password), and payment information (e.g., credit card or payment card number).
  • Wordfence Security Plugin: Defiant processes the following categories of information in connection with the Wordfence Security Plugin: website admin email address, visitor IP address, visitor proxy IP address, IP address of the device that triggered the audit log entry, customer website user username and email address, URL accessed, complete HTTP header, HTTP request body, and filename if malware detected.
  • Wordfence Care and Response Service: Defiant processes the following categories of information in connection with the Wordfence Care and Response Service: customer website credentials, customer server credentials, customer website files, customer website database, and customer server log files.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

Data importer does not collect or otherwise process personally identifiable sensitive data as defined under the GDPR.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous for the term of the services agreement between the data exporter and data importer.

Nature of the processing

The nature of processing personal data in connection with the data importer’s services is as described in the Defiant Privacy Policy, available at https://www.wordfence.com/privacy-policy.

Purpose(s) of the data transfer and further processing

The data exporter will transfer data to the data importer for the purpose of: engaging in a business transaction, the provisioning of the Wordfence Plugin services, and/or the provision of Wordfence Care and Response Services. A description of the specific services provided by the data importer to the data exporter is included in the agreement between the parties.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

The data importer will retain personal data for as long as necessary to provide the services and fulfil the transactions requested by the data exporter, or for other business purposes such as complying with our legal obligations, resolving disputes, and enforcing the data importer’s agreements.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

The data importer may share personal data with sub-processors for the subject matter and nature described in the Defiant Privacy Policy, available at https://www.wordfence.com/privacy-policy. Sub-processors retain personal data for the duration of time necessary to perform sub-processing activities under the agreement between the data importer and the sub-processor.

Exhibit 2

The following includes the information required by Annex I and Annex III of the EU SCCs.

A. LIST OF PARTIES

For transfers of EU Personal Data:

Data exporter(s):

Name:

Customer (as set forth in the Agreement referenced herein)

Address:

As set forth in the Agreement referenced herein.

Contact person’s name, position and contact details:
As set forth in the Agreement referenced herein.

Activities relevant to the data transferred under these Clauses:
The data importer provides services to the data exporter in accordance with the Agreement.

Signature and date:

The Parties agree that execution of the Agreement by the data importer and the data exporter shall constitute execution of the Addendum by both parties on the effective date of the Agreement.

Role:

Controller

 

Data importer(s):

Name:

Defiant, Inc.

Address:

Attn: Legal Department, 1700 Westlake Ave N Ste 200, Seattle, WA 98109

Contact person’s name, position and contact details:
Kerry Boyte, Chief Operating Officer, privacy@defiant.com

Activities relevant to the data transferred under these Clauses:

The data importer provides services to the data exporter in accordance with the Agreement.

Signature and date:

The Parties agree that execution of the Agreement by the data importer and the data exporter shall constitute execution of the Addendum by both parties on the effective date of the Agreement.

Role:

Processor

 

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose Personal Data is transferred

As described in Exhibit 1.

Categories of Personal Data transferred

As described in Exhibit 1.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

As described in Exhibit 1.

Nature of the processing

As described in Exhibit 1.

Purpose(s) of the data transfer and further processing

As described in Exhibit 1.

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period

As described in Exhibit 1.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

As described in Exhibit 1.

 

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13.

For transfers of EU Personal Data:

Name:

Data Protection Commission, Ireland

Address:

21 Fitzwilliam Square South Dublin 2 D02 RD28 Ireland

For transfers of UK Personal Data:

Name:

UK Information Commissioner’s Office

Address:

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

 

D. LIST OF SUB-PROCESSORS

Sub-processors utilized by Defiant and associated solutions are identified below. Customer acknowledges that the location of the server(s) is solution dependent and may vary depending on the Agreement. Customer further acknowledges that, pursuant to Section 4 of this Addendum, the list of sub-processors may be updated from time to time.

The controller has authorised the use of the following sub-processors:

Sub-processor List

 

Exhibit 3

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

As described in Section 3 of the Addendum.

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter

Data importer’s sub-processors are required by contract to implement technical and organizational controls at a minimum as strict as those controls identified in this Annex II.

 

Exhibit 4

Table 1: Parties

Start date

The Start Date shall be the Effective Date of the Agreement.

The Parties

Importer/Exporter (who sends/receives the Restricted Transfer)
Importer/Exporter (who sends/receives the Restricted Transfer)

Parties’ details

Full legal name: Defiant, Inc.
Trading name (if different):
Main address (if a company registered address): 1700 Westlake Ave N Ste 200, Seattle, WA 98109
Official registration number (if any) (company number or similar identifier):

Full legal name: Customer (as set forth in the Agreement)
Trading name (if different):
Main address (if a company registered address):
Official registration number (if any) (company number or similar identifier):

Key Contact

Full Name (optional):
Job Title: Chief Operating Officer
Contact details including email: privacy@defiant.com

Full Name (optional):
Job Title:
Contact details including email:
As set forth in the Agreement referenced herein.

Signature (if required for the purposes of Section 2)

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs

[X] The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:
Date: The Date shall be the Effective Date of the Agreement.
Reference (if any): None
Other identifier (if any): None

Or

[  ] the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum.

Module | Module in operation | Clause 7 (Docking Clause) | Clause 11 (Option) | Clause 9a (Prior Authorisation or General Authorisation) | Clause 9a (Time period) | Is personal data received from the Importer combined with personal data collected by the Exporter?
1 | No | N/A | N/A
2 | Yes | Yes | No | General | 10 days
3 | No | N/A | N/A | N/A | N/A
4 | No | N/A | N/A | N/A

 

Table 3: Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties: As set forth in Annex 1A of the EU SCCs.
Annex 1B: Description of Transfer: As set forth in Annex 1B of the EU SCCs.
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: As set forth in Annex II of the EU SCCs.
Annex III: List of Sub processors (Modules 2 and 3 only): As set forth in Annex 3 to the EU SCCs.

 

Table 4: Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum changes

Which Parties may end this Addendum as set out in Section 19 of the ICO’s Standard Data Protection Clauses

[X] Importer
[X] Exporter
[  ] neither Party