SHIFT DATA PROCESSING ADDENDUM

THIS DATA PROCESSING ADDENDUM (the “DPA”) is incorporated by reference into any and all operative agreements and forms a part of the Software End User License Agreement located at https://tryshift.com/app/eula or if the Parties execute a superseding written agreement for use of the Software, then this DPA forms part of that executed agreement (collectively, the “Agreement”), between the individual, company, organization, or other entity (“Customer”) entering into the Agreement with Shift Technologies Inc. (“Shift”). This DPA (a) establishes the Parties’ relationship and obligations with respect to personal data and/or personal information accessed in accordance with Customer’s use of the Software and any services provided by Shift to Customer under the Agreement; and (b) replaces and supersedes any existing data processing addendum, attachment, exhibit, or standard contractual clauses that Customer and Shift may have entered into previously in connection with the Agreement. References to the Agreement will be construed as including this DPA. Certain capitalized terms used in this DPA and not otherwise defined in the Agreement shall be defined in Section 1 below. Shift and Customer are each from time to time referred to herein as a “Party” and collectively as the “Parties”. Capitalized terms used but not defined herein have the meanings given in the Agreement.

The Parties agree as follows:

1. DEFINITIONS. For the purposes of this DPA, any terms defined by Applicable Data Law (including any capitalized terms herein) shall have the same meaning in this DPA. If Applicable Data Law does not define such terms, then definitions given in Applicable Data Law for functionally similar terms will apply. References to “Sections” in this DPA are to sections of this DPA, excluding the Standard Contractual Clauses. References to “Clauses” in this DPA will be to clauses of the Standard Contractual Clauses. All other capitalized terms used herein, but not otherwise defined, shall have the meanings assigned to them in the Agreement. In addition to terms defined elsewhere in this DPA, the following definitions will apply to capitalized words in this DPA:

i. “Applicable Data Law” means all data protection and privacy laws, regulations and self-regulatory codes applicable to the personal data in question, including, where applicable and without limitation, the CPRA, the CPA, the CTDPA, the UCPA, the VCDPA, European Data Law, the LGPD, Israeli Law, and all FTC guidelines and any other applicable laws, rules and regulations with respect to data privacy. “CPRA” as used herein means the California Privacy Rights Act (formerly, CCPA (California Consumer Privacy Act)), as amended, including without limitation any and all applicable implementing regulations. “CPA” as used herein means the Colorado Privacy Act, as amended, including without limitation any and all applicable implementing regulations. “CTDPA” as used herein means the Connecticut Data Protection Act, as amended, including without limitation any and all applicable implementing regulations. “UCPA” as used herein means the Utah Consumer Privacy Act, as amended, including without limitation any and all applicable implementing regulations. “VCDPA” as used herein means the Virginia Consumer Data Protection Act, as amended, including without limitation any and all applicable implementing regulations. “European Data Law” as used herein shall mean, without limitation, (i) the EU General Data Protection Regulation (“EU GDPR”); (ii) the EU e-Privacy Directive; (iii) the United Kingdom’s European Union (Withdrawal) Act (“UK GDPR”); (iv) the Swiss Federal Act on Data Protection (“Swiss FADP”); and (v) any and all applicable national laws made under or pursuant to (i), (ii), (iii) and (iv); in each case as may be amended or superseded from time to time. “LGPD” as used herein means the Lei Geral de Proteção de Dados, as amended, including without limitation any and all applicable implementing regulations, as may be amended or superseded from time to time. “Israeli Law” means Israeli Privacy Protection Law, the regulations promulgated pursuant thereto, including the Israeli Privacy Protection Regulations (Data Security), and other related privacy regulations, as may be amended or superseded from time to time.

ii. “Customer Data” means any personal data that Shift processes as a processor on behalf of the Customer in the course of providing the Software and any applicable services under the Agreement.

iii. “Restricted Transfer” means (i) where the EU GDPR applies, a transfer of personal data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; (iii) where the Swiss FADP applies, a transfer of personal data from Switzerland to any other country which is not determined to provide adequate protection for personal data by the Federal Data Protection and Information Commission or Federal Council (as applicable); and (iv) where another Applicable Data Law applies, a cross-border transfer of personal data from that jurisdiction to any other country which is not based on adequacy regulations pursuant to that Applicable Data Law.

iv. “Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Customer Data on systems managed or otherwise controlled by Shift.

v. “Sensitive Information” means: (a) protected health information (“PHI”), as that term is defined under the Health Insurance Portability and Accountability Act (“HIPAA”); (b) "non-public personal information" as defined under the Gramm-Leach-Bliley Financial Modernization Act of 1999 (“GLBA”); (c) data on any minor under the age of thirteen that would be subject to the Children Online Privacy Protection Act (“COPPA”); (d) card holder data under the Payment Card Industry Data Security Standard; (e) personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation (the “special categories of personal data” identified in Article 9 of GDPR); or (f) social security numbers, driver’s license or state identification number or other government related identifier, financial account numbers (i.e., credit card, checking account, savings account, etc.), medical, employment, criminal records, or insurance numbers, passport numbers, or other sensitive personally identifiable information.

vi. “Shift Data” means data related to the operation, performance, support, provisioning, and/or use of the Software, including, but not limited to information related to: (i) invoicing, billing and other business inquiries, (ii) information on usage of the Software, and (iii) contract management.

vii. “Standard Contractual Clauses” or “SCCs” means the Standard Contractual Clauses implemented by the European Commission Decision of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (as updated, amended, or superseded from time to time by the European Commission), a version which is currently available at https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en which may be amended, updated, replaced, or superseded from time to time.

viii. "Sub-processor" means any third party (including applicable Shift Affiliates) engaged directly or indirectly by Shift to process any personal data relating to this DPA and/or the Agreement.

ix. “Sub-processor DPA” means an agreement entered into by and between Shift and its Sub-processors that incorporates the Standard Contractual Clauses and defines the terms and conditions of personal data processing by the Sub-processor.

x. “Tracking Technologies” means cookies, tags, web beacons, pixels and/or other similar technologies.

xi. “business”, “consumer”, “controller”, “data subject”, “personal data”, “personal information”, “processor”, “processing” (“process”, “processes” and “processed”), “recipient”, “sale”, “service provider”, “sharing” (and “share(s)”), and “third party” shall have the meanings given in Applicable Data Law.


2. ROLES AND RESPONSIBILITIES

2.1 Each Party shall disclose or make available personal data to the other Party for the sole purpose provided in Schedule 1 to this DPA (the “Purpose”). The Parties shall be treated as separate data controllers and not as joint controllers. If Applicable Data Law applies to either Party’s processing of Customer Data, the Parties acknowledge and agree that with regard to the processing of Customer Data, Shift is a processor acting on behalf of Customer (whether itself a controller or a processor). For the avoidance of doubt, this DPA shall not apply to instances where Shift is the controller (as defined by Applicable Data Law) unless otherwise described in this DPA.

2.2 Each Party shall be individually and separately responsible for complying with the obligations that apply to it under Applicable Data Law in respect of the performance of their respective obligations under this DPA and the Agreement. Without limiting the foregoing, each Party shall (i) maintain a publicly accessible privacy policy on its website that satisfies the requirements of Applicable Data Law, and in particular advises data subjects of their rights and remedies under Applicable Data Law; (ii) conduct and document a data protection assessment that satisfies the requirement of Applicable Data Law; and (iii) implement and maintain appropriate technical and organizational measures for processing of personal data appropriate to the risk and designed to be adequate under Applicable Data Law.

2.3 Each Party (the “Discloser”) may disclose personal information of data subjects to a Sub-processor in order to fulfill the Purpose, provided the Discloser prohibits the Sub-processor from (i) selling or sharing such personal information to any third party in violation of Applicable Data Law; (ii) retaining, using, or disclosing such personal information for any reason other than for the Purpose, including without limitation, detecting data security incidents, and/or protecting against fraudulent or illegal activity; (iii) combining such personal information with other personal information unless permitted by Applicable Data Law; (iv) in the case of a contractor, accessing such personal information without first certifying that said contractor understands the restrictions and requirements of Applicable Data Law; (v) accessing such personal information unless the Parties can monitor the Sub-processor’s compliance. Without limiting the foregoing, each Party will ensure that any Sub-processor that may receive such personal information first executes a written agreement compatible with Applicable Data Law.

2.4 Shift shall process Customer Data only in accordance with this DPA and Customer’s documented lawful instructions, as necessary to comply with Laws, Applicable Data Law, or as otherwise agreed in writing: (i) to perform any services associated with the Software; (ii) to perform any steps necessary for the performance of the Agreement and this DPA; (iii) to perform any processing initiated by Customer in its use of the Software; and/or (iv) to comply with other reasonable instructions provided by Customer (e.g., via email or support tickets) provided such instructions are consistent with the terms of the Agreement and this DPA. The Parties agree that the Agreement, including this DPA, along with the Customer’s configuration of or use of any settings, features, or options in the Software (as the Customer may be able to modify from time to time) constitute the Customer’s complete and final instructions to Shift in relation to the processing of Customer Data (including for the purposes of the SCCs), and processing outside the scope of these instructions (if any) shall require prior written agreement between the Parties.

2.5 Customer understands and acknowledges that the Software and any services provided by Shift are not configured to process, receive, and/or store Sensitive Information. As such, Customer agrees not to include, request, provide Shift with access to, submit, store, and/or transmit any Sensitive Information through the Software. Customer agrees that Shift may terminate the Agreement immediately if Customer is in violation of this clause.

2.6 Customer represents and warrants that (i) it has complied, and will continue to comply (and shall cause each User to comply) with all Laws, including Applicable Data Law, in respect of its obligations as a Controller and the processing of Customer Data and any processing instructions it issues to Shift; (ii) Shift’s processing of the Customer Data in accordance with Customer’s instructions will not cause Shift to violate any Laws and/or Applicable Data Law; and (iii) it has provided, and will continue to provide, all notice and has obtained, and will continue to obtain, all consents and rights necessary under Applicable Data Law for Shift to collect and process Customer Data for the purposes of performing and providing the Software and any services as described in the Agreement. Customer shall have sole responsibility for the accuracy, quality, collection, and processing of Customer Data. Customer agrees that it shall be responsible for complying with all Laws (including Applicable Data Law) applicable to Customer’s use of the Software and any services provided by Shift, and Customer Content created, sent, or managed through the Software, including without limitation, obtaining consents where required and applicable.

2.7 Customer understands and acknowledges that the Software may use Tracking Technologies to provide certain services to Customer. Customer shall maintain appropriate notice and consent mechanisms as required by Applicable Data Law and industry best practices, or as Shift may reasonably request from time to time, to enable Shift and/or its Sub-processors to deploy such Tracking Technologies lawfully on, and collect data from, the devices of individuals whose personal data is processed via the Software by virtue of Customer’s use of the Software. Shift shall provide Customer with all details about the Tracking Technologies reasonably requested by the Customer. Customer shall promptly notify Shift if it is unable to comply with its obligations under this DPA with respect to Shift’s use of Tracking Technologies.


3. SUB-PROCESSING

3.1 Customer hereby provides its consent to the processing of Customer Data by the Sub-processors listed at https://tryshift.com/app/privacy/relationships. As permitted by Clause 9 under Section II of the Standard Contractual Clauses, Shift may engage additional Sub-processors by entering into Sub-processor agreements with such Sub-processors.

3.2 If Customer objects, on reasonable data protection grounds, to the appointment or replacement of a Sub-processor, Customer must notify Shift in writing. In such event, the Parties shall discuss in good faith commercially reasonable alternative solutions. If the Parties cannot reach resolution within thirty (30) days of Customer’s written notice of objection (the “Resolution Period”), Shift will either not appoint or replace the Sub-processor or, if this is not possible, Customer may terminate the Agreement by providing written notice to Shift within ten (10) days following the Resolution Period.

3.3 Where Customer acts as a processor on behalf of a third-party controller (or other intermediary to the ultimate controller), Customer represents and warrants that its processing instructions as set out in the Agreement and this DPA, including any authorizations granted to Shift for the processing of any Customer Data, have been authorized by the applicable third-party controller. Customer shall be responsible for forwarding any notifications received under this DPA to the applicable third-party controller, where appropriate.

3.4 All Sub-processor DPAs shall include the Standard Contractual Clauses which shall include the Docking Clause, Clause 7 (the “Docking Clause”). By signing this DPA and as permitted by the Docking Clause, Customer hereby accedes to the Standard Contractual Clauses included in such Sub-processor DPAs which incorporates by reference the terms of the Appendix and Annex I.A of any such Sub-processor DPAs.


4. SECURITY

4.1 Customer acknowledges that the Security Measures described in Annex II are subject to technical progress and development and that Shift may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Software. Notwithstanding Shift’s obligations under Annex II, Customer is responsible for its secure use of the Software, including securing its account authentication credentials (if applicable), protecting the security of Customer Data when in transit to the Software, protecting the security of Customer Data during any transit from the Software unless the Customer Data is transferred using technology developed by Shift, and taking any appropriate steps to protect account passwords and/or backup any Customer Data uploaded to the Software.

4.2 Upon becoming aware of a Security Incident, Shift shall: (i) notify Customer without undue delay; (ii) provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer; and (iii) promptly take reasonable steps to contain and investigate any Security Incident. Any notification of or response to a Security Incident shall not be construed as an acknowledgment by Shift of any fault or liability with respect to the Security Incident.


5. AUDIT

5.1 Upon Customer's request, Shift will provide Customer with copies of any relevant data protection audit report summaries and/or certifications and/or responses to questionnaires as reasonably required by Customer to verify Shift's compliance with Applicable Data Law ("Audit Information"). Customer agrees to leverage any existing documentation and certifications provided by Shift to the extent such documentation satisfies the requirements of Applicable Data Law. Shift shall further provide written responses to all reasonable written requests for information made by Customer related to data protection that Customer may have in connection with the Audit Information. If Customer determines in its reasonable discretion that the Audit Information does not provide all information necessary to demonstrate compliance with Applicable Data Law, upon prior written request by Customer, Shift shall contribute to further audits to the extent required by Applicable Data Law. Customer acknowledges that the Audit Information and any information collected or derived from any audit constitutes Shift's confidential information and it will protect such information in accordance with confidentiality provisions of the Agreement.


6. INTERNATIONAL TRANSFERS

6.1 Shift may, in the provision of the Software, process Customer Data that is protected by European Data Law. To that end, the Parties hereby enter into the Standard Contractual Clauses which are an integral part of this DPA. For the purposes of this DPA and the Standard Contractual Clauses, Shift and any Sub-processors shall be the "data importer" (notwithstanding that Shift and/or the Sub-processor may be located inside or outside the European Economic Area, Switzerland and/or the United Kingdom) and Customer (and/or the Customer Affiliates, as applicable) is the "data exporter" (notwithstanding that Customer may be located inside or outside the European Economic Area, Switzerland and/or the United Kingdom). It is not the intention of either Party, nor the effect of this DPA, to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses. Accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of this DPA, the Standard Contractual Clauses shall prevail. In no event does this DPA restrict or limit the rights of any Data Subject or of any competent supervisory authority.

6.2 Shift may transfer and process personal data to the United States and anywhere else in the world where Shift, its Affiliates, or its Sub-processors maintain data processing operations, provided that Shift complies with the terms of this DPA.

6.3 Shift and/or its Sub-processors shall not process or transfer any personal data in or to a territory other than the territory in which the personal data was first collected (nor permit such data to be so processed or transferred) unless it takes all such measures as are necessary to ensure such processing or transfer is in compliance with Applicable Data Law (including such measures as may be communicated by Customer to Shift). Shift shall inform Customer of any international transfers of personal data in advance of making the transfer and shall assist Customer in assessing the Parties' respective obligations to comply with Applicable Data Law.

6.4 The Parties agree that when the transfer of personal data under the Agreement is a Restricted Transfer, the SCCs shall be incorporated into this DPA by this reference, with each Party being deemed to have entered into the SCCs in its own name and on its own behalf as follows:

a. EU SCCs. In relation to personal data that is protected by the EU GDPR, the EU SCCs shall apply completed as follows:

(i) Module One of Section II on controller to controller transfers shall apply;
(ii) Module Two of Section II on controller to processor transfers shall apply;
(iii) Modules Three and Four shall not apply;
(iv) Shift shall ensure that the information called for by Section II, Clause 8.2(a) of the EU SCCs, as well as a copy of the EU SCCs, are supplied free of charge to all data subjects;
(v) In Section I, Clause 7, the optional docking clause shall not apply;
(vi) For the purposes of Section 2, Clause 8, Module 2, Clauses 8.9(c) and (d) of the Standard Contractual Clauses, audits will be performed in accordance with Section 5 of this DPA;
(vii) For the purposes of Section II, Clause 9 of the Standard Contractual Clauses, Customer consents to Shift appointing Sub-processors in accordance with Section 3 of this DPA;
(viii) In Section II, Clause 11, the optional redress language and clause shall not apply;
(ix) In Section IV, Clause 17, Option 1 shall apply, and the EU SCCs shall be governed by the laws of Ireland;
(x) In Section IV, Clause 18(b), disputes shall be resolved before the courts of Ireland;
(xi) Annex I of the EU SCCs shall be deemed completed with the information set out in Schedule 1 to this DPA; and
(xii) Annex II of the EU SCCs shall be deemed completed with the information set out in Schedule 2 to this DPA.

b. UK SCCs. In relation to personal data that is protected by the UK GDPR, the UK SCCs will apply completed as follows:

(i) as set out above in Section 6.5(a) of this DPA, the EU SCCs shall be deemed amended as specified by Part 2 of the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Information Commissioner’s Office under s.119A(1) of the UK Data Protection Act 2018 (“UK Addendum”) in respect of the transfer of such personal data; and
(ii) tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed with the information set out above at Section 6.5(a) (as applicable), in Schedule 1 and Schedule 2 of this DPA and table 4 in Part 1 shall be deemed completed by selecting “neither party”.

c. Swiss SCCs. In relation to personal data that is protected by the Swiss DPA, the EU SCCs shall apply as set out in Section 6.5(a) of this DPA amended as follows:

(i) references to ‘Regulation (EU) 2016/679’ in the EU SCCs shall be deemed to refer to the Swiss DPA;
(ii) references to specific articles of ‘Regulation (EU) 2016/679’ shall be deemed replaced with the equivalent article or section of the Swiss DPA;
(iii) references to ‘EU’, ‘Union’ and ‘Member State’ shall be deemed replaced with ‘Switzerland’;
(iv) references to the ‘competent supervisory authority’ shall be replaced with the ‘Swiss Federal Data Protection Information Commissioner’; and
(v) in Clause 18(b), disputes shall be resolved before the competent courts of Switzerland.

d. LGPD. In respect of data subjects whose personal data is processed in the course of providing the Software, Shift will be responsible for providing notice in accordance with the LGPD, including but not limited to notice as required under Article 18 of the LGPD. Each Party shall separately be responsible for fulfilling requests they receive from data subjects to exercise their rights under the LGPD.

e. United States. To the extent either Party collects and shares the personal information of California residents, each Party (i) shall be considered a business under the CPRA; and (ii) will only process personal information in furtherance of the Purpose, unless required by Applicable Data Law. In the event that Shift is deemed to process personal data of a data subject for the Purpose, it will be regarded as a service provider and Shift will process such personal data solely to provide the Software to Customer. Such processing does not constitute a sale under the CPRA.

f. Other jurisdictions. In relation to personal data that is protected by another Applicable Data Law, the Parties agree that such SCCs shall automatically apply to the transfer of personal data from Customer to Shift and, where applicable shall be deemed completed on a mutatis mutandis basis to the completion of the SCCs as described above.


7. CUSTOMER AFFILIATES

7.1 Customer enters into this DPA on behalf of itself and, as applicable, in the name and on behalf of its Customer Affiliates, thereby establishing a separate DPA between Shift and each such Customer Affiliate and for the purposes of such DPA, wherever the DPA references “Customer” or “data exporter” it shall mean “Customer Affiliate”. Customer represents and warrants that it has the power and authority to bind each Customer Affiliate to the terms and conditions of this DPA. Any breach by Customer Affiliate of this DPA shall be deemed a breach by Customer.

7.2 Customer shall remain responsible for coordinating all communication with Shift under this DPA and is entitled to make and receive any communication in relation to this DPA on behalf of its Customer Affiliates.

7.3 If a Customer Affiliate becomes a party to this DPA, it shall, to the extent required under Applicable Data Law, also be entitled to exercise its rights and seek remedies under this DPA, provided that: (i) solely the Customer (that is the contracting party to the Agreement entered into by the Parties) shall exercise any such right or seek any such remedy on behalf of the Customer Affiliate; and (ii) the Customer (that is the contracting party to the Agreement) shall exercise any such rights under this DPA only in the aggregate on behalf of itself and all of its Customer Affiliates. The foregoing shall not apply to the extent Applicable Data Law requires the Customer Affiliate to exercise a right or seek any remedy under this DPA against Shift directly by itself.


8. MISCELLANEOUS

8.1 Conflicts. In the event of any inconsistency between the Agreement, this DPA and/or any SCCs, the superiority of governing terms and conditions are: first, the SCCs for the relevant jurisdiction; second, this DPA; and third, the Agreement.

8.2 Regulatory Changes. If changes to Applicable Data Law, or their interpretation or implementation, arise through legislation, claim or regulator guidance or action, which in Shift’s reasonable opinion make changes to this DPA necessary or prudent, Shift may, on written notice to Customer, make such changes to this DPA, which Customer agrees will be binding on Customer.

8.3 Return/Deletion of Data Upon Termination. Return or deletion of all personal data pursuant to Section II, Module Two, Clause 8.5 shall be initiated by Shift only after receipt of Customer’s written request. In the absence of a specific written request from Customer to delete Customer Data, the Customer Data will be deleted in accordance with Shift’s established data retention policies.

8.4 Entire agreement. This Addendum is the Parties’ entire agreement as it relates to the Parties’ obligations under Applicable Data Law and supersedes all related prior and contemporaneous oral understandings, representations, prior discussions, letters of intent, or agreements (executed or otherwise).

8.5 No further amendment. Except as modified by this DPA, the Agreement remains unmodified and in full force and effect.




SCHEDULE 1
ANNEX 1

A. LIST OF PARTIES

Data exporter(s): Same as Customer (see information in the Customer’s Account or as defined in the Agreement).

Signature and date: See above. The Parties agree that execution of the Agreement by the data importer and the data exporter constitutes execution of these Clauses by both parties as follows: (a) on the effective date of the Agreement; or (b) on December 27, 2022, where the effective date of the Agreement is before December 27, 2022.

Role (controller/processor): Controller

Data importer(s): Shift

Signature and date: See above. The Parties agree that execution of the Agreement by the data importer and the data exporter constitutes execution of these Clauses by both parties as follows: (a) on the effective date of the Agreement; or (b) on December 27, 2022, where the effective date of the Agreement is before December 27, 2022.

Role (controller/processor): Controller and/or Processor

B. DESCRIPTION OF TRANSFER

i. Categories of data subjects whose personal data is transferred:

Users of data exporter: personal data transferred in relation to individual employees, contractors, agents, contacts, subscribers, customers, website visitors, or suppliers.

ii. Categories of personal data transferred:

Contact information, including without limitation, name, email address, phone number, physical address, online identifiers provided by devices, applications, tools and protocols, such as internet protocol addresses, geo-location, cookie identifiers or other identifiers such as radio frequency identification tags; and any other personal data submitted by, sent to, or received by Shift via the Software.
Other data:
Data exporter’s general marketing and transactional communications and personal data use may span broad categories of any data relevant to data exporter’s relationship with the data subject, and may vary from time to time.

iii. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

None.

iv. The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis):

Daily. Personal data is transferred on a continuous basis.

v. Nature of the processing:

For the data importer to provide the Software, any related services, and the processing of personal data of end users, Users, Contacts, and Subscribers of data exporter. Personal data will be processed in accordance with the Agreement (including this DPA).

vi. Purpose(s) of the data transfer and further processing:

For the data importer to provide the Software and any related services, including but not limited to the following:

vii. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

The greater of the Term or twelve (12) months.

viii. For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

Not applicable to the extent each party is an independent data controller. Notwithstanding the foregoing, each Party shall for all personal data exchanged as part of this Agreement and independently enter into an agreement with their respective processors specifying subject matter, nature, and duration of the processing. In the event of the use of processors and/or sub-processors, each Party shall be responsible for complying with the requirements of Article 28 of the EU GDPR. Accordingly, each Party shall, inter alia: use only processors that can provide the necessary guarantees that they implement appropriate technical and organizational measures in such a way as to ensure that processing complies with the requirements of Applicable Data Law and safeguards the rights of the data subject; ensure that a valid data processing arrangement is in place between the relevant Party and the processor; and ensure that there is a valid sub-processor arrangement between the processor and any sub-processor.




SCHEDULE 1
ANNEX 2

1. TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA:

Each Party shall be responsible for implementing appropriate technical and organisational measures to ensure and demonstrate that processing is in compliance with the EU GDPR, taking into account the nature, scope, context and purposes of the processing involved, as well as the risks of varying degrees of likelihood and severity for the rights and freedoms of natural persons. The measures shall be reviewed and updated as necessary (Article 24 of the EU GDPR). This may involve, for example, each Party establishing procedures for dealing with security breaches, access requests or compliance with the obligation to provide information. Such measures shall include but not be limited to encryption of personal data; ensuring the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data; ensuring availability of and access to personal data in a timely manner in the event of a physical or technical incident; and maintaining a process for regularly testing, assessment and evaluation of the effectiveness of technical and organisational measures for ensuring the security of processing.

2. PROTECTING DATA STORED

Personal, private, confidential, and Sensitive Information, including but not limited to user data, employee data, research and market data, and customer, vendor, and partner proprietary data, are all considered “protected data”. Each Party shall reasonably prevent unauthorized access to protected data by employing industry standard technical safeguards.

3. PROTECTING TRANSMITTED DATA

All protected data transferred past the boundaries of each Party’s infrastructure must use either authenticated and encrypted communication protocols (SCP, SFTP, and SSL) or internal private networks, point to point external networks, or a combination thereof wherever practically possible, to protect the data in transit.




SCHEDULE 2

International Data Transfer Addendum to the EU Commission Standard Contractual Clauses

VERSION B1.0, in force 21 March 2022

This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

Part 1: Tables

Table 1: Parties
As in Schedule 1, Annex I(A)

Table 2: Selected SCCs, Modules and Selected Clauses
As set forth under Section 3(a) of this Addendum. Addendum SCCs – The version of the Approved EU SCCs which this Schedule 2 is appended to, detailed below, including the Appendix Information:

Date: The parties agree that execution of the DPA by the data importer and the data exporter constitutes execution of these Clauses by both parties on the effective date of the DPA.

Reference (if any): Module One: Controller to Controller as incorporated into the Agreement. Module Two: Controller to Processor as incorporated into the Agreement.

Other identifier(s) (if any): N/A

Table 3: Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex I(A): List of Parties: Schedule 1, Annex I(A)
Annex I(B): Description of Transfer: Schedule 1, Annex I(B)
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: Schedule 1, Annex II
Annex III: List of Sub processors (Modules 2 and 3 only): N/A

Table 4: Ending this DPA when the Approved Addendum Changes

Ending this DPA when the Approved Addendum changes – Which Parties may end the Approved Addendum as set out in Section 19:

✔ Importer
✔ Exporter
▢ neither Party

Part 2: Mandatory Clauses

Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.