Last updated: September 5, 2023
DATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”) is hereby incorporated by reference into the agreement between Walnut Ltd. and its affiliates (“Walnut”) and Customer, that governs Customer’s use of the Walnut Platform and Services (“Agreement”). This DPA sets forth the parties’ responsibilities and obligations when Processing Personal Data during the Term and under the Agreement. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
WHEREAS, Walnut provides the Customer with access to Walnut’s sales experience platform (“Platform”) which enables Customer to create interactive product demos and collect insights about the usage of such demos by Customer’s prospects (“Services”); and
WHEREAS, the parties wish to ensure the Processing of Personal Data is conducted in accordance with Data Protection Laws (as defined below);
NOW, THEREFORE THE PARTIES AGREE AS FOLLOWS:
1.1 “Adequate Country” is a country that received an adequacy decision from the European Commission.
1.2 “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq.
1.3 “CPA” means the Colorado Privacy Act C.R.S.A. § 6-1-1301 et seq. (SB 21-190), including any implementing regulations and amendments.
1.4 “CTDPA” means the Connecticut Data Privacy Act, S.B. 6 (Connecticut 2022), including any implementing regulations and amendments thereto.
1.5 “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing” (and “Process”), “Personal Data Breach”, “Special Categories of Personal Data” and “Supervisory Authority” shall have the meanings ascribed to them in the EU Data Protection Law, CPA, VCDPA, CTDPA. The terms “Business”, “Business Purpose”, “Contractor”, “Cross-contextual Advertising”, “Consumer”, “Service Provider”, “Sale”, “Sell”, “Share”, “Targeted Advertising” and “Third Party Business” shall have the meanings ascribed to them in the US Data Protection Laws CCPA. “Data Subject” shall also mean and refer to a “Consumer”. “Personal Data” shall also mean and refer to “Personal Information,” as such term is defined under the US Data Protection Laws.
1.6 “Customer Data” means any and all Personal Data uploaded to Walnut’s Platform during the engagement between the parties, as detailed in ANNEX I.
1.7 “Data Protection Law” means any and all applicable privacy and data protection laws and regulations, including, where applicable, the Israeli Privacy Protection Law, 5741-1981, the regulations promulgated pursuant thereto, including the Israeli Privacy Protection Regulations (Data Security), 5777-2017 and other related privacy regulations (“Israeli Law”), the EU Data Protection Law, Swiss Data Protection Laws, the UK Data Protection Law and the CCPA, as all may be amended or superseded from time to time.
1.8 “EEA” means the European Economic Area.
1.9 “EU Data Protection Law” means the (i) EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) Regulation 2018/1725; (iii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (iv) any national data protection laws made under, pursuant to, replacing or succeeding (i) – (iii); and (v) any legislation replacing or updating any of the foregoing.
1.10 “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data of the other party.
1.11 “Standard Contractual Clauses” means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR, as adopted by the European Commission Decision 2021/914 of June 4, 2021 which is available at: https://eur-ex.europa.eu/legalcontent/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN.
1.12 “Swiss Data Protection Laws” or “FADP” means the Swiss Federal Act on Data Protection of June 19, 1992, SR 235.1, and any other applicable data protection or privacy laws of the Swiss Confederation as amended, revised, consolidated, re-enacted or replaced from time to time, to the extent applicable to the processing of Personal Data under the Agreement.
1.13 “Swiss SCC” shall mean the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner.
1.14 “UK Data Protection Laws” means the Data Protection Act 2018 (DPA 2018), as amended, and the EU General Data Protection Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and the free movement of such data, as incorporated into UK law as the UK GDPR, and any other applicable UK data protection laws, or regulatory Codes of Conduct or other guidance that may be issued from time to time.
1.15 “UK GDPR” means the GDPR as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or a part of the United Kingdom from time to time).
1.16 “UK SCC” means the UK ‘International data transfer addendum to the European Commission’s standard contractual clauses for international data transfers’, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf as adopted, amended or updated by the UK’s Information Commissioner’s Office, Parliament or Secretary of State.
1.17 “US Data Protection Laws” means any U.S. federal and state privacy laws effective as of the Effective Date of this DPA and applicable to Walnut’s Processing of Customer Data, and any implementing regulations and amendments thereto, including without limitation, the CCPA, the CPA, the CTDPA, and the VCDPA.
1.18 “VCDPA” means the Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-575 et seq. (SB 1392), including any implementing regulations and amendments thereto.
Any other terms that are not defined herein shall have the meaning provided under the Agreement or applicable Data Protection Laws. A reference to any term or section of Data Protection Laws means the version as may be amended, modified, updated, or replaced from time to time. Any references to the GDPR in this DPA shall mean the GDPR and/or UK GDPR depending on the applicable Law.
2. RELATIONSHIP OF THE PARTIES
2.1. The parties acknowledge that in relation to all Customer Data, as between the parties, Customer is the Controller of Customer Data, and Walnut is acting as a Processor on behalf of the Customer in the course of providing the Services.
2.2. The purpose, subject matter and duration of the Processing carried out by Walnut on behalf of the Customer, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are described in ANNEX I attached hereto.
2.3. Additional US Data Protection Laws specifications are further detailed in ANNEX VII.
3. REPRESENTATIONS AND WARRANTIES
3.1. The Customer represents and warrants that: (i) its Processing instructions shall comply with applicable Data Protection Law; (ii) it will comply with Data Protection Law, specifically with regards to the lawful basis principle for Processing Personal Data; and (iii) due to the nature of the Services, Walnut does not monitor or control the Customer Data obtained by Walnut’s system and thus, the type of Personal Data or Categories of the Data Subjects processed by it is subject to the Customer’s sole discretion.
3.2. Walnut represents and warrants that it: (i) shall process Customer Data, on behalf of the Customer, solely for the purpose of providing the Services, all in accordance with Customer’s written instructions including the Agreement and this DPA; (ii) in the event Walnut is required under applicable laws, including Data Protection Law or any union or member state regulation, to Process Customer Data other than as instructed by Customer, it shall inform the Customer of such requirement prior to Processing such Customer Data, unless prohibited under applicable law; and (iii) shall provide reasonable cooperation and assistance to Customer in ensuring compliance with its obligation to carry out data protection impact assessments.
3.3. Walnut shall take reasonable steps to ensure: (i) the reliability of its personnel and any other person acting under its supervision who may come into contact with, or otherwise have access to Customer Data; (ii) that the personnel authorized to process the Customer Data (solely on a need to know basis) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4. RIGHTS OF DATA SUBJECTS AND THE PARTIES’ COOPERATION OBLIGATIONS
4.1. It is agreed that where Walnut receives a request from a Data Subject or an applicable authority in respect of Customer Data Processed by Walnut, where relevant, it will notify the Customer of such request and direct the Data Subject or the applicable authority to the Customer in order to allow the Customer to respond directly to the Data Subject’s or the applicable authority’s request, unless otherwise required under applicable laws. Both parties shall provide each other with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s or applicable authority’s request, to the extent permitted under Data Protection Law.
4.2. Where applicable, Walnut shall assist the Customer in ensuring that Customer Data Processed is accurate and up to date, by informing the Customer without delay if it becomes aware of the fact that the Customer Data it is Processing is inaccurate or has become outdated.
5.1. The Customer acknowledges that Walnut may transfer Customer Data to and otherwise interact with third party data processors (“Sub-Processor”). The Customer hereby authorizes Walnut to engage and appoint such Sub-Processors to Process Customer Data, as well as permits each Sub-Processor to appoint a Sub-Processor on its behalf. Walnut may continue to use those Sub-Processors already engaged by it, as listed in ANNEX III. Walnut may replace its existing Sub-Processors or add additional Sub-Processors provided it notifies the Customer before authorizing such Sub-Processor(s) to Process Customer Data in connection with the provision of the Services (email will suffice). Customer may reasonably object to the use of a new Sub-Processor by notifying Walnut promptly in writing within 10 days after receipt of Walnut’s notice. Customer shall explain its reasonable grounds for objection. In the event Customer objects to a new Sub-Processor, Walnut will use commercially reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Customer Data by the objected-to new Sub-Processor without unreasonably burdening Customer. If Walnut is unable to make available such change within a reasonable period of time, either party may terminate without penalty the applicable Order Form(s) with respect only to those Services which cannot be provided by Walnut without the use of the objected-to new Sub-Processor by providing written notice to the other party.
5.2. Where Walnut engages a Sub-Processor, it shall impose on the Sub-Processor data protection obligations no less onerous than those set out in this DPA, through a legally binding contract between Walnut and the Sub-Processor (“Contract”). Walnut shall ensure that the Contract will require the Sub-Processor to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of Data Protection Law.
5.3. Walnut shall remain fully responsible to the Customer for the performance of the Sub-Processor’s obligations in accordance with the Agreement. Walnut shall notify the Customer of any known failure by the Sub-Processor to fulfill its contractual obligations.
6. TECHNICAL AND ORGANIZATIONAL MEASURES
6.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context of the Customer Data available to Walnut and purposes of the Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and without prejudice to any other security standards agreed upon by the parties, Walnut shall implement appropriate physical, technical and organizational measures to protect the Customer Data as required under Data Protection Laws, without prejudice to Walnut’s right to make future replacements or updates to the measures that do not lower the level of protection of Customer Data.
6.2. For more information on Walnut’s security measures please see ANNEX II attached hereto.
7. SECURITY INCIDENT
7.1. Walnut shall notify the Customer upon becoming aware of a Security Incident involving Customer’s Data in, as determined by Walnut in its sole discretion, and where such confirmed Security Incident affects the Customer Data, Walnut shall: (i) take such steps as necessary to contain, remediate, minimize any effects of and investigate any Security Incident and to identify its cause; (ii) co-operate with the Customer and provide the Customer with such assistance and information as it may reasonably require in connection with the containment, investigation, remediation or mitigation of the Security Incident; (iii) notify the Customer in writing of any request, inspection, audit or investigation by a supervisory authority or other authority; (iv) keep the Customer informed of all material developments in connection with the Security Incident and execute a response plan to address the Security Incident; and (v) cooperate with the Customer and assist Customer with the Customer’s obligation to notify affected individuals in the case of a Security Incident.
7.2. Walnut’s notification of or response to a Security Incident under this Section 7 shall not be construed as an acknowledgment by Walnut of any fault or liability with respect to the Security Incident.
8. AUDIT RIGHTS
8.1. Walnut shall respond promptly and adequately with respect to Customer’s reasonable inquiries regarding the Processing of Customer Data in accordance with this DPA. Walnut shall make available to the Customer all information necessary to demonstrate Customer’s compliance with the obligations under the EU Data Protection Law.
8.2. Walnut shall make available, so long as the Agreement remains in effect, solely upon prior written notice and no more than once per calendar year during the Term (except for in the case of a Security Incident), information necessary to reasonably demonstrate compliance with this DPA to a reputable auditor nominated by the Customer, at Customer’s sole expense, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Customer Data (“Audit”) in accordance with the terms and conditions hereunder. The Audit shall be subject to the terms of this DPA and standard confidentiality obligations (including towards third parties). Walnut may object to an auditor appointed by the Customer in the event Walnut reasonably believes that the auditor is not suitably qualified or is a competitor of Walnut or otherwise unsuitable. Customer shall bear all expenses related to the Audit and shall (and ensure that each of its auditors shall) over the course of such Audit, avoid causing any damage, injury or disruption to Walnut’s business operations. Any and all conclusions of such Audit shall be confidential and reported back to Walnut immediately.
8.3. Nothing in this DPA will require Walnut either to disclose to Customer or its third-party auditor or to allow Customer or its third-party auditor to access: any data of any other customer; Walnut internal accounting or financial information; any trade secret of Walnut or its affiliates; any information that, in Walnut’s reasonable opinion, could compromise the security of any of Walnut’s systems or cause any breach of its obligations under applicable law or its security or privacy obligations to any third party; or any information that Customer or its third-party auditor seeks to access for any reason other than the good faith fulfillment of Customer’s obligations under the Data Protection Laws.
9. DATA TRANSFER
9.1. Where the GDPR, UK GDPR or the Swiss FADP is applicable, if the Processing of Customer Data by Walnut (or by a Sub-Processor) includes transfer of Customer Data (either directly or through an onward transfer) to a third country outside the EEA, the UK, or Switzerland that is not an Adequate Country, such transfer shall only occur if an appropriate safeguard approved by the applicable Data Protection Law (the GDPR (Article 46), UK GDPR (Article 46) or Swiss FADP (as applicable)) for the lawful transfer of Customer Data is in place.
9.2. If Walnut or its Sub-processor relies on the Standard Contractual Clauses to facilitate a transfer to a third country that is not an Adequate Country, then:
9.2.1. Transfer of Personal Data from the EEA, the terms set forth in Annex IV shall apply;
9.2.2. Transfer of Personal Data from the UK, the terms set forth in Annex V shall apply; and
9.2.3. Transfer of Personal Data from Switzerland, the terms set forth in Annex VI shall apply.
10.1. In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail. For the avoidance of doubt, in the event Standard Contractual Clauses have been executed between the parties, the terms of the Standard Contractual Clauses shall prevail over those of this DPA. Except as explicitly set forth herein, all of the terms and conditions of the Agreement shall remain in full force and effect.
11. TERM AND TERMINATION
11.1. This DPA shall be effective as of the Effective Date and shall remain in force until the Agreement terminates or as long as Walnut processes Customer Data. The Customer shall be entitled to suspend the Processing of its Customer’s Data in the event Walnut is in breach of Data Protection Laws, or the terms of this DPA, subject to a final decision of a competent court or the competent supervisory authority.
11.2. Walnut shall be entitled to terminate this DPA or cease the Processing of Customer Data if the Processing according to Customer’s instructions or this DPA infringes applicable laws and regulations. Such termination shall be subject to Walnut informing the Customer and the Customer insisting on compliance with the instructions.
11.3. Following the termination of this DPA, Walnut shall, at the choice of the Customer, delete all Customer’s Data processed on behalf of the Customer and certify to the Customer that it has done so, or otherwise, return all Customer’s Data to the Customer and delete existing copies unless applicable law or regulatory requirements requires that Walnut continue to store the Customer’s Data. Until the Customer Data is deleted or returned, Walnut shall continue to ensure compliance with this DPA.
DETAILS OF PROCESSING
This Annex I includes certain details of the Processing of the Customer Data as required under the Data Protection Laws.
Categories of Data Subjects:
Any Customer Data uploaded by Customer to Walnut’s Platform, including contact information of Customer’s employees (authorized users) and Customer’s prospects (which view the demo).
Categories of Personal Data:
Special Categories of Personal Data:
The Personal Data is transferred on a one-off basis.
Nature of the Processing:
Storage, recording, hosting, transferring and optimization.
Purpose(s) of Processing:
Providing the Services.
The duration of processing shall be for the term of the Agreement with an additional period of 30 days from the expiration of the Agreement until deletion of Personal Data by Walnut.
TECHNICAL AND ORGANISATIONAL MEASURES
Below is a summary of the security measures Walnut adheres to:
- Implement and maintain current and appropriate technical and organizational measures to protect Customer Data against accidental, unauthorized or unlawful Processing and against accidental loss, destruction, damage, alteration, disclosure or access;
- Provide third-party attestation of static or dynamic application security testing or penetration testing on all software Processing Customer Data, remediate any identified high vulnerabilities prior to delivery to Customer, provide written remediation plans for medium and low vulnerabilities, and provide evidence of its remediation of any identified security vulnerabilities at Customer’s request;
- Maintain a level of security appropriate to the harm that may result from any unauthorized or unlawful Processing or accidental loss, destruction, damage, denial of service, alteration or disclosure, and appropriate to the nature of Customer Data;
- Oblige its employees, agents or other persons to whom it provides access to Customer Data to keep it confidential; take reasonable steps to ensure the integrity of any employees who have access to Customer Data; provide annual training to staff and subcontractors on the security requirements contained herein;
- Maintain measures designed to ensure the ongoing confidentiality, integrity, availability and resilience of Walnut’s systems and services;
- Maintain a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing of Customer Data, regularly testing such measures to validate their appropriateness and effectiveness, and implementing corrective action where deficiencies are revealed by such testing;
- Log all individuals’ access to and activities on systems and at facilities containing Company Data. Upon Customer’s request, and subject to applicable laws and the Walnut retention policy, Walnut will provide a report detailing a list of authorized users, their associated privileges, status of accounts, and history of activities;
- For passwords applicable to Walnut’s access, adhere to password policies for standard and privileged accounts consistent with industry best practices; protect both Walnut’s and Customer’s user accounts with access to Customer Data using multi-factor authentication (e.g., using at least two different factors to authenticate such as a password and a security token or certificate);
- Store and transmit Customer Data using strong cryptography, consistent with industry best practices, and pseudonymize Personal Data where appropriate;
- Ensure that only those Walnut personnel who need to have access to Customer Data are granted access, such access is limited to the least amount required, and only granted for the purposes of performing obligations under this DPA. Walnut shall conduct access reviews upon each individual’s scope of responsibility change, Walnut staffing change or other change impacting Walnut’s personnel access to Customer Data;
- Maintain a physical security program that is consistent with industry best practices;
- Ensure that any storage media (whether magnetic, optical, non-volatile solid state, paper, or otherwise capable of retaining information) that captures Customer Data is securely erased or destroyed before repurposing or disposal;
Measures and assurances regarding US government surveillance (“Additional Safeguards”):
Walnut agrees and hereby represents it maintains, and will continue to maintain, the following additional safeguards in connection with any Personal Data transferred under this Annex:
A) Walnut maintains industry standard measures to protect the Personal Data from interception (including in transit from Customer to Walnut and between different systems and services). This includes maintaining encryption of Personal Data in transit and at rest.
B) In the event that section 702 of the United States Foreign Intelligence Surveillance Court (“FISA”) applies to Walnut, Walnut will make reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to the Personal Data protected under the GDPR or the UK GDPR, including (if applicable) under Section 702 of the FISA.
C) If Walnut becomes aware of any law enforcement agency or other governmental authority (“Authority”) attempt or demand to gain access to or a copy of the Personal Data (or part thereof), whether on a voluntary or a mandatory basis, then, unless legally prohibited or under a mandatory legal compulsion that requires otherwise, Walnut shall: inform the relevant Authority that Walnut is a Processor of the Personal Data and that Customer, as the Controller, has not authorized Walnut to disclose the Personal Data to the Authority; inform the relevant Authority that any and all requests or demands for access to the Personal Data should be directed to or served upon Customer in writing; and use reasonable legal mechanisms to challenge any such demand for access to Personal Data which is under Walnut’s control.
D) Notwithstanding the above, if, taking into account the nature, scope, context and purposes of the related Authority’s intended access to Personal Data, Walnut has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, these subsections shall not apply. In such event, Walnut shall notify Customer, as soon as possible, following the access by the Authority, and provide Customer with relevant details, unless and to the extent legally prohibited to do so.
Walnut will inform Customer, upon written request (and not more than once a year), of the types of binding legal demands for Personal Data Walnut has received and complied with, including demands under national security orders and directives, specifically including any process under Section 702 of FISA.
LIST OF SUB-PROCESSORS
|Name|Location of Processing|Description of the Processing|Transfer Mechanism|
|---|---|---|---|
|AWS|410 Terry Avenue North Seattle, WA 98109, United States|Hosting|https://aws.amazon.com/blogs/security/aws-gdpr-data-processing-addendum/|
|Salesforce, Inc.|Salesforce, Inc., Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, US|CRM|https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/Agreements/data-processing-addendum.pdf|
|Intercom|55 2nd Street, 4th Floor, San Francisco, CA 94105, United States|Support chatbot|https://www.intercom.com/legal/data-processing-agreement|
|Mixpanel Inc.|One Front Street, 28th Floor, San Francisco, CA 94111, US|Analytics|https://mixpanel.com/legal/dpa/|
|Fullstory, Inc.|1745 Peachtree Rd NW Suite G, Atlanta, GA 30309, United States|Analytics|https://www.fullstory.com/legal/form-of-standard-dpa/|
|Segment.io, Inc.|California Street Suite 700 San Francisco, CA 94111 United States|Data Transfer Tool|https://segment.com/docs/privacy/complying-with-the-gdpr/#opting-into-the-data-processing-agreement-and-standard-contractual-clauses|
|Catalyst Software.|235 W 23rd St Fl 8, New York City, New York, 10011, United States|Customer success software for retention and growth|Yes – Offline DPA.|
|DataDog, Inc.|225 Franklin Street 24th Floor, Boston, MA 02110, United States|IT Monitoring Service|https://www.datadoghq.com/legal/data-processing-addendum/|
|LaunchDarkly|1999 Harrison Street, Suite 1100, Oakland, CA 94612, United States|Feature Management|https://launchdarkly.com/policies/data-processing-addendum/|
|BlueSnap, Inc.|800 South Street Suite 640 Waltham, Massachusetts, United States|Payment Platform|https://home.bluesnap.com/legal/bluesnapdpa/|
|NetSuite, Inc.|2300 Oracle Way, Austin, TX 78741, United States|Payment Platform|https://www.oracle.com/a/ocom/docs/corporate/data-processing-agreement-062619.pdf|
|Green Invoice Ltd.|156th Menachem Begin St., 28th floor, Tel-Aviv, Israel|Invoice Provider|Yes – Offline DPA.|
|Gong.io Inc.|265 Cambridge Ave Suite 60717, Palo Alto, CA 94306, USA|Calls and meeting intelligence platform|Yes – Offline DPA.|
|Slack Technologies, Inc.|Sandyford Business District, Dublin 18, Ireland|Instant messaging services|https://slack.com/terms-of-service/data-processing|
|Stripe, Inc.|354 Oyster Point Blvd, South San Francisco|Payment provider|https://stripe.com/legal/ssa|
|OpenAI, LLC|OpenAI, L.L.C, 180 18th St, San Francisco, California 94110, US|Content creation features|Yes – Offline DPA.|
|EverAfter Ltd.|82 Yigal Alon St. Tel-Aviv, Israel|Client’s onboarding|Yes – Offline DPA.|
EU INTERNATIONAL TRANSFERS AND SCC
- The parties agree that the terms of the Standard Contractual Clauses are hereby incorporated by reference and shall apply to transfer of Personal Data from the EEA to other countries that are not deemed as Adequate Countries.
- Module Two (Controller to Processor) of the Standard Contractual Clauses shall apply where the transfer is effectuated by Customer as the data controller of the Personal Data and Walnut is the data processor of the Personal Data.
- The Parties agree that for the purpose of transfer of Personal Data between Customer (as Data Exporter) and Walnut (as Data Importer), the following shall apply:
- Clause 7 of the Standard Contractual Clauses shall not be applicable.
- In Clause 9, option 2 (general written authorization) shall apply and the method for appointing and time period for prior notice of Sub-processor changes shall be as set forth in the Sub-Processing Section of the DPA.
- In Clause 11, the optional language will not apply, and data subjects shall not be able to lodge a complaint with an independent dispute resolution body.
- In Clause 17, option 1 shall apply. The parties agree that the Standard Contractual Clauses shall be governed by the laws of the EU Member State in which the Customer is established (where applicable).
- In Clause 18(b) the parties choose the courts of the Republic of Ireland, as their choice of forum and jurisdiction.
- Annex I.A of the Standard Contractual Clauses shall be completed as follows:
- “Data Exporter”: Customer
- “Data Importer”: Walnut
- Roles: (A) With respect to Module Two: (i) Data Exporter is a data controller and (ii) the Data Importer is a data processor.
- Data Exporter and Data Importer Contact details: As detailed in the Agreement.
- Signature and Date: By entering into the Agreement and DPA, Data Exporter and Data Importer are deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
- Annex I.B of the Standard Contractual Clauses shall be completed as follows:
- The purpose of the processing, nature of the processing, categories of data subjects, categories of personal data and the parties’ intention with respect to the transfer of special categories are as described in Annex I (Details of Processing) of this DPA.
- The frequency of the transfer and the retention period of the personal data is as described in Annex I (Details of Processing) of this DPA.
- The sub-processors to which personal data is transferred are listed in Annex III.
- Annex I.C of the Standard Contractual Clauses shall be completed as follows: the competent supervisory authority in accordance with Clause 13 is the supervisory authority in the Member State stipulated in Section 3 above.
- Annex II of this DPA (Technical and Organizational Measures) serves as Annex II of the Standard Contractual Clauses.
- Annex III of this DPA (List of Sub-processors) serves as Annex III of the Standard Contractual Clauses.
UK INTERNATIONAL TRANSFERS AND SCC
- The parties agree that the terms of the Standard Contractual Clauses as amended by the UK Standard Contractual Clauses, and as amended in this Annex V, are hereby incorporated by reference and shall apply to transfer of Personal Data from the UK to other countries that are not deemed as Adequate Countries.
- This Annex V is intended to provide appropriate safeguards for the purposes of transfers of Personal Data to a third country in reliance on Article 46 of the UK GDPR and with respect to data transfers from controllers to processors or from the processor to its sub-processors.
- Terms used in this Annex V that are defined in the Standard Contractual Clauses, shall have the same meaning as in the Standard Contractual Clauses.
- This Annex V shall (i) be read and interpreted in the light of the provisions of UK Data Protection Laws, and so that it fulfils the intention for it to provide the appropriate safeguards as required by Article 46 of the UK GDPR, and (ii) not be interpreted in a way that conflicts with rights and obligations provided for in UK Data Protection Laws.
- Amendments to the UK Standard Contractual Clauses:
- Part 1: Tables
- Table 1 Parties: shall be completed as set forth in Section 4 within Annex IV above.
- Table 2 Selected SCCs, Modules and Selected Clauses: shall be completed as set forth in Sections 2 and 3 within Annex IV above.
- Table 3 Appendix Information:
Annex 1A: List of Parties: shall be completed as set forth in Section 2 within Annex IV above.
Annex 1B: Description of Transfer: shall be completed as set forth in Annex I above.
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: shall be completed as set forth in Annex II above.
Annex III: List of Sub processors: shall be completed as set forth in Annex III above.
- Table 4 Ending this Addendum when the Approved Addendum Changes: shall be completed as “neither party”.
SUPPLEMENTARY TERMS FOR SWISS DATA PROTECTION LAW TRANSFERS ONLY
The following terms supplement the Clauses only if and to the extent the Clauses apply with respect to data transfers subject to Swiss Data Protection Law, and specifically the FDPA:
- The term ’Member State’ will be interpreted in such a way as to allow data subjects in Switzerland to exercise their rights under the Clauses in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Clauses.
- The clauses in the DPA protect the Personal Data of legal entities until the entry into force of the Revised Swiss FDPA.
- All references in this DPA to the GDPR should be understood as references to the FDPA insofar as the data transfers are subject to the FDPA.
- References to the “competent supervisory authority”, “competent courts” and “governing law” shall be interpreted as Swiss Data Protection Laws and Swiss Information Commissioner, the competent courts in Switzerland, and the laws of Switzerland (for Restricted Transfers from Switzerland).
- In respect of data transfers governed by Swiss Data Protection Laws and Regulations, the EU SCCs will also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as Personal Data under Swiss Data Protection Laws and Regulations until such laws are amended to no longer apply to a legal entity.
- The competent supervisory authority is the Swiss Federal Data Protection Information Commissioner.
This US Privacy Law Addendum (“US Addendum”) adds specifications applicable to US Data Protection Laws. All terms used but not defined in this US Addendum shall have the meaning set forth in the DPA.
- CCPA Specifications:
- For the purpose of the CCPA, Customer is the Business and Walnut is the Service Provider.
- Walnut shall process Customer Data on behalf of the Customer as a Service Provider under the CCPA and shall not: (1) sell or share the Customer Data; (2) retain, use or disclose the Customer Data for any purpose other than for Customer purpose specified in the Agreement; or (3) combine the Customer Data with other Personal Data that it receives from, or on behalf of, another customer, or collects from its own interaction with California residents, except as otherwise permitted by the CCPA.
- If, and to the extent applicable, Walnut shall assist Customer in respect of consumer request to limit the use of its Sensitive Personal Information (“SPI”),
- Walnut certifies that it understands the rules, requirements and definitions of the CCPA and agrees to refrain from Selling any Customer Data.
- US Applicable States Specifications:
- For the purpose of this US Addendum “Applicable States” shall mean Virginia, California, Colorado, and Connecticut.
- Walnut agrees to notify the Customer if Walnut makes a determination that it can no longer meet its obligations under this US Addendum or US Data Protection Laws.
- Walnut shall provide information necessary to enable Customer to conduct and document any data protection assessments required by US Data Protection Laws. Notwithstanding the above, Walnut is responsible for only the measures allocated to it.
- Walnut shall provide assistance and procure that its subcontractors will provide assistance as Customer may reasonably request, where applicable, in connection with any obligation by Customer to respond to Consumer’s requests for exercising their rights under the US Data Protection Laws including without limitation, by taking appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer’s respective obligation.
- Walnut acknowledges and confirms that it does not receive any monetary goods, payments or discounts in exchange for processing the Customer Data.
- Each party shall, taking into account the context of processing, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. The parties are hereby establishing a clear allocation of the responsibilities between them to implement the measures. Walnut’s technical measures are detailed in the DPA and Annexes above.
- The Processing instructions, including the nature of processing, purpose of processing, the duration of processing, the type of personal data and categories of data subjects, are set forth in Annex I above.
- In addition to the Audit rights under Section 8 of the DPA, under US Data Protection Laws and subject to Customer’s consent, Walnut may alternately offer, in response to Customer’s on-premise audit request, to initiate a third-party auditor to verify Walnut’s compliance with its obligations under the US Data Protection Laws. During such an audit, Walnut will make available to the third-party auditor all information necessary to demonstrate such compliance.
- Each party will comply with the requirements set forth under US Data Protection Laws with regards to processing of de-identified data, as such term is defined under the applicable US Data Protection Law.
- When processing Customer Data or Usage Data (as defined in the Agreement) for the permitted purposes under US Data Protection Laws, Walnut shall ensure it complies with applicable laws and shall be liable for such Processing activities.