Idera-Inc-Facelift-logo

Jurisdiction Specific Terms

(Customer-Facing DPA)

These Jurisdiction Specific Terms are an integral part of the Data Processing Agreement (“DPA”) entered into between the entity identified as “Customer” and Idera, Inc. or any of Idera Affiliates (collectively, “Idera”).

Capitalized terms which are used but not defined in this document shall have the meaning given to those terms in the DPA. By signing the DPA, the Parties have agreed to comply with these Jurisdiction Specific Terms which apply to the extent that the Parties Process Customer Personal Data originating from, or protected by, Applicable Data Protection Laws in one of the jurisdictions identified herein.

  1. European Economic Area –
    1. Definitions:
      1. For the purpose of interpreting the DPA, the following terms shall have the meanings set out below
        1. "Applicable Data Protection Laws" ” includes the EEA Data Protection Laws
        2. “EEA” means the European Economic Area, consisting of the EU Member States, and Iceland, Liechtenstein, and Norway.
        3. “EEA Data Protection Laws” means the EU Data Protection Directive 95/46/EC and implementing legislation, the EU GDPR and the laws implementing or supplementing the EU GDPR
        4. “EU 2021 Standard Contractual Clauses” means the contractual clauses adopted by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
        5. “EEA Restricted Transfer” includes any transfer of Personal Data subject to EEA Data Protection Laws (including data storage on foreign servers) which is undergoing Processing or is intended for Processing after transfer, to a Third Country (as defined below) or to an international organization
        6. “Standard Contractual Clauses” (as defined in the DPA) includes the EU 2021 Standard Contractual Clauses
        7. “Third Country” (as used in this Section) means a country outside of the EEA.
    2. Transfer Mechanisms:
      1. With regard to any EEA Restricted Transfer from Customer to Idera within the scope of this DPA, one of the following transfer mechanisms shall apply, in the following order of precedence:
        1. a valid adequacy decision pursuant to the requirements under the EU GDPR that provides that the third country, a territory or one or more specified sectors within that third country, or the international organization in question to which Jurisdiction Specific Terms to Idera’s Customer-Facing Data Processing Addendum Page 1 of 13 Customer Personal Data is to be transferred ensures an adequate level of data protection;
        2. Idera’s certification to any successor to the Privacy Shield Framework (only to the extent that such self-certification constitutes an “appropriate safeguard” pursuant to the EU GDPR, as the case may be), provided that the Services are covered by the self-certification, if applicable;
        3. the EU 2021 Standard Contractual Clauses (insofar as their use constitutes an “appropriate safeguard” under EEA Data Protection Laws, as the case may be); or
        4. any other lawful basis, as laid down in EEA Data Protection Laws, as the case may be.
    3. EU 2021 Standard Contractual Clauses:
      1. This DPA hereby incorporates by reference the EU 2021 Standard Contractual Clauses. The Parties are deemed to have accepted, executed, and signed the Standard Contractual Clauses where necessary in their entirety (including the annexures thereto).
      2. The content of EU 2021 Annex I and Annex II of the EU 2021 Standard Contractual Clauses is set forth in the Idera Affiliates Data Processing Terms.
      3. The text contained in Annex A to these Jurisdiction Specific Terms supplements the EU 2021 Standard Contractual Clauses.
      4. The Parties agree to apply the following modules:
        1. Module two of the EU 2021 Standard Contractual Clauses when, in accordance with Section 2(a) of the DPA, the Data Exporter is Customer and acts as a Controller and the Data Exporter is Idera and acts as a Processor; and
        2. Module three of the EU 2021 Standard Contractual Clauses when, in accordance with Section 2(a) of the DPA, the Data Exporter is Customer and acts as a Processor and the Data Exporter is Idera and acts as a sub-Processor.
      5. For the purposes of Annex I.A:
        1. The Parties have provided each other with the identity information contact details required under Annex I.A.
        2. The Parties’ controllership roles are set forth in Section 3.1 of this DPA
        3. The details of Idera’s data protection officer and data protection representative in the EU are set forth in the Idera Affiliate Processing Terms.
        4. The activities relevant to the Customer Personal Data transferred under the Standard Contractual Clauses are set forth in the Idera Affiliate Processing Terms
      6. Parties’ Choices under the EU 2021 Standard Contractual Clauses:
        1. With respect to Clause 9 of the EU 2021 Standard Contractual Clauses, the Parties select the “Option 2 General Written Authorization” and the time period set forth in Section 2(e) of the DPA.
        2. For the purpose of Annex I.C and with respect to Clause 13 (when applicable) of the EU 2021 Standard Contractual Clauses: If Customer, the data exporter, is established in an EU Member State, it elects the supervisory authority of the jurisdiction where it established as the competent supervisory authority responsible for ensuring compliance by the data exporter with the EU GDPR as regards to the data transfer. If Customer, the data exporter, is not established in an EU Member State, but falls within the territorial scope of application of Article 3(2) of the EU GDPR and it has appointed a representative established in a EU Member State, the supervisory authority of the jurisdiction where the representative is established shall act as the competent supervisory authority and be responsible for ensuring compliance by the data exporter with the EU GDPR as regards to the data transfer. If the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Article 3(2) of the EU GDPR and it has not appointed a representative according to Art. 27 EU GDPR, the competent supervisory authority shall be the Data Protection Commission (Ireland).
        3. With respect to Clause 17 of the EU 2021 Standard Contractual Clauses, the Parties select the law of the Republic of Ireland.
        4. With respect to Clause 18 of the EU 2021 Standard Contractual Clauses, the Parties agree that any dispute arising from the EU 2021 Standard Contractual Clauses shall be resolved by the courts of the Republic of Ireland
    4. In cases where the EU 2021 Standard Contractual Clauses apply and there is a conflict between the terms of the DPA and the terms of the EU 2021 Standard Contractual Clauses, the terms of the EU 2021 Standard Contractual Clauses shall prevail
    5. Agreements with Subprocessors:
      1. Idera shall ensure that the arrangement between Idera and any Subprocessor is governed by a written contract that includes data protection obligations compatible with those of Idera under the DPA (excluding its Exhibits) and this Section 1. Customer agrees that older versions of the Standard Contractual Clauses concluded between Idera and Subprocessor provide for the same level of protection for Customer Personal Data as those set out in the DPA between Customer and Idera
  2. California –
    1. Definitions:
      1. For the purpose of interpreting the DPA, the following terms shall have the meanings set out below:
        1. “Applicable Data Protection Laws” includes California Data Protection Laws, as may be amended from time to time.
        2. “California Data Protection Laws” includes the CCPA and the CCPA Regulations
        3. “CCPA” means the California Consumer Privacy Act of 2018;
        4. “CCPA Regulations” means the California Consumer Privacy Act Regulations
      2. The terms “Business Purpose”, “Commercial Purpose”, “Sale”, “Sell”, along with their cognates whether capitalized or not, shall have the same meaning as in the CCPA, and their related terms shall be construed accordingly.
      3. For the purpose of interpreting this DPA, the following terms shall be interpreted as follows:
        1. “Controller” includes “Business” as defined under the CCPA;
        2. “Data Subject” includes “Consumer” as defined under the CCPA;
        3. “Personal Data” includes “Personal Information” as defined under the CCPA;
        4. “Personal Data Breach” includes “Breach of the Security of the System” as defined in Section 1798.8 of the California Civil Code;
        5. “Processor” includes “Service Provider” as defined under the CCPA
    2. Idera as a Service Provider:
      1. Where Idera acts as a Data Processor or a sub-Processor on behalf of Customer in accordance with Section 2(a) of the DPA
        1. Customer discloses Customer Personal Data to Idera solely for: (i) valid Business Purposes; and (ii) to enable Idera to perform the Processor Services under the Main Agreement(s)
        2. Idera shall not: (i) sell Personal Data; (ii) retain, use or disclose Customer Personal Data for any purpose other than providing the Processor Services specified in the Main Agreement(s) or as otherwise permitted by the CCPA and the CCPA Regulations. Idera certifies that it understands these restrictions and will comply with them
  3. Canada –
    1. Definitions:
      1. For the purpose of interpreting this DPA, the following terms shall have the meanings set out below:
        1. “Applicable Data Protection Laws” includes PIPEDA (as defined below)
        2. “Personal Data” includes “Personal Information” defined under PIPEDA (as defined below).
        3. “Personal Data Breach” includes “Breach of the Security of the System” as defined under PIPEDA (as defined below)
        4. "PIPEDA" means the Federal Personal Information Protection and Electronic Documents Act.
        5. “Sub-Processor” includes “Third Party Organization” as defined under PIPEDA.
    2. Necessary Consent. Customer confirms that it has obtained valid consent (as defined under PIPEDA), where necessary to Process Personal Data of each Data Subject
  4. Switzerland –
    1. Definitions:
      1. For the purpose of interpreting this DPA, the following terms shall have the meanings set out below:
        1. “Applicable Data Protection Laws” (as used in the DPA) includes Swiss Data Protection Laws.
        2. “Controller” includes “Controller of the Data File” as defined under the FADP (as defined below).
        3. “Data Subject” includes the natural persons whose Personal Data is Processed
        4. “EU 2021 Standard Contractual Clauses” means the contractual clauses adopted by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
        5. “Personal Data” includes “Personal Data” as defined under the FADP
        6. “Processing” includes “Processing” as defined under the FADP.”
        7. “Standard Contractual Clauses” (as used in the DPA) includes the EU 2021 Standard Contractual Clauses.
        8. “Swiss Data Protection Laws” includes the Swiss Federal Act on Data Protection of 19 June 1992 (“FADP”) and the Ordinance to the Federal Act on Data Protection (“OFADP”), as they may be amended from time to time.
        9. “Restricted Transfer of Swiss Data” includes any transfer of Personal Data (including data storage in foreign servers) subject to the FADP to a Third Country or an international organization.
        10. “Third Country” means a country outside the Swiss Confederation.
    2. With regard to any Restricted Transfers of Swiss Data within the scope of this DPA, one of the following transfer mechanisms shall apply, in the following order of precedence:
      1. The inclusion of the Third Country, a territory, or one or more specified sectors within that Third Country, or the international organization in question to which Personal Data is to be transferred in the list published by the Swiss Federal Data Protection and Information Commissioner of states that provide an adequate level of protection for Personal Data within the meaning of Swiss Data Protection laws.
      2. Idera’s certification to any successor/replacement framework to the Swiss-U.S. Privacy Shield Framework (only to the extent that such self-certification constitutes an “appropriate safeguard” pursuant to Swiss Data Protection Laws, as the case may be), provided the Services are covered by such certification.
      3. The EU 2021 Standard Contractual Clauses (insofar as their use constitutes an “appropriate safeguard” under Swiss Data Protection Laws).
      4. Any other lawful transfer mechanism, as laid down in Swiss Data Protection Laws.
    3. EU 2021 Standard Contractual Clauses:
      1. This DPA hereby incorporates by reference the EU 2021 Standard Contractual Clauses. The Parties are deemed to have accepted, executed, and signed the Standard Contractual Clauses where necessary in their entirety (including the annexures thereto).
      2. The content of EU 2021 Annex I and Annex II of the EU 2021 Standard Contractual Clauses is set forth in the Idera Affiliate Processing Terms
      3. The text contained in Annex A to these Jurisdiction Specific Terms supplements the EU 2021 Standard Contractual Clauses.
      4. The Parties agree to apply the following modules:
        1. Module two of the EU 2021 Standard Contractual Clauses when, in accordance with Section 2(a) of the DPA, the Data Exporter is Customer and acts as a Controller and the Data Exporter is Idera and acts as a Processor; and
        2. Module three of the EU 2021 Standard Contractual Clauses when, in accordance with Section 2(a) of the DPA, the Data Exporter is Customer and acts as a Processor and the Data Exporter is Idera and acts as a sub-Processor.
      5. For the purposes of Annex I.A:
        1. The Parties have provided each other with the identity information contact details required under Annex I.A.
        2. The Parties’ controllership roles are set forth in Section 3.1 of this DPA
        3. The details of Idera’s data protection officer and data protection representative in the EU are set forth in the Idera Affiliate Processing Terms.
        4. The activities relevant to the Customer Personal Data transferred under the Standard Contractual Clauses are set forth in the Idera Affiliate Processing Terms
      6. Parties’ Choices under the EU 2021 Standard Contractual Clauses:
        1. With respect to Clause 9 of the EU 2021 Standard Contractual Clauses, the Parties select the “Option 2 General Written Authorization” and the time period set forth in Section 2(e) of the DPA.
        2. For the purpose of Annex I.C and with respect to Clause 13 of the Standard Contractual Clauses: the competent authority shall be the Swiss Federal Data Protection and Information Commissioner, insofar as the data transfer constitutes a Restricted Transfer of Swiss Data.
        3. With respect to Clause 17 of the EU 2021 Standard Contractual Clauses, the Parties select the law of the Swiss Confederation.
        4. With respect to Clause 18 of the EU 2021 Standard Contractual Clauses, the Parties agree that any dispute arising from the Standard Contractual Clauses shall be resolved by the courts of the Republic of Ireland. The Parties choose the Swiss courts are an alternative place of jurisdiction for data subjects habitually resident in Switzerland.
      7. The term “member state” included in the EU 2021 Standard Contractual Clauses must not be interpreted in such a way as to exclude data subjects in Switzerland from the Jurisdiction Specific Terms to Idera’s Customer-Facing Data Processing Addendum Page 1 of 13 possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18 (c) of the EU 2021 Standard Contractual Clauses.
    4. With respect to Restricted Transfers of Swiss Personal Data, the Parties acknowledge that the EU 2021 Standard Contractual Clauses also protect the data of legal entities until the entry into force of the revised FADP.
    5. In cases where the EU 2021 Standard Contractual Clauses apply and there is a conflict between the terms of the DPA and the terms of the Standard Contractual Clauses, the terms of the Standard Contractual Clauses shall prevail.
  5. United Kingdom –
    1. Definitions:
      1. For the purpose of interpreting this DPA, the following terms shall have the meanings set out below:
        1. “Applicable Data Protection Laws” includes UK Data Protection Law.
        2. “EU 2004 Standard Contractual Clauses” means the contractual clauses adopted by the Commission Decision of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries.
        3. “EU 2010 Standard Contractual Clauses” means the contractual clauses adopted by the Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council
        4. “EU 2021 Standard Contractual Clauses” means the contractual clauses adopted by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
        5. “Standard Contractual Clauses” (as used in the DPA) includes the EU 2010 Standard Contractual Clauses and the 2004 Standard Contractual Clauses and the EU 2021 Standard Contractual Clauses.
        6. “UK Data Protection Law” includes the UK GDPR and the UK Data Protection Act 2018
        7. “UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 “on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation)” as has been amended, adopted, and forming part of the law of England, Wales, Scotland, and Northern Ireland by virtue of Section 3 of the European Union (Withdraw) Act 2020.
        8. “Restricted Transfer of UK Data” includes any transfer of Personal Data (including data storage in foreign servers) subject to UK Data Protection Law to a Third Country or an international organization.
        9. “Third Country” (as used in this Section) means a country outside of the United Kingdom.
    2. Restricted Transfers of UK Data:
      1. With regard to any Restricted Transfer of UK Data from Customer to Idera within the scope of this DPA, one of the following transfer mechanisms shall apply, in the following order of precedence
        1. a valid adequacy decision pursuant to the requirements under the UK Data Protection Law that provides that the third country, a territory or one or more specified sectors within that third country, or the international organization in question to which Personal Data is to be transferred ensures an adequate level of data protection;
        2. Service Provider’s self-certifications to the E.U.-U.S. Privacy Shield Framework or any successor to the Privacy Shield Framework (only to the extent that such self-certification constitutes an “appropriate safeguard” pursuant to the UK Data Protection Law, as the case may be), provided that the Services are covered by the self-certification, if applicable
        3. the EU 2021 Standard Contractual Clauses (insofar as their use constitutes an “appropriate safeguard” under the UK Data Protection Law);
        4. the EU 2010 Standard Contractual Clauses (insofar as their use constitutes an “appropriate safeguard” under the UK Data Protection Law and the data importer acts as a processor) or the EU 2003 Standard Contractual Clauses (insofar as their use constitutes an “appropriate safeguard” under the UK Data Protection Law and the data importer acts as a controller)
        5. any other lawful basis, as laid down in the UK Data Protection Law , as the case may be.
      2. If the relevant UK authorities recognize the EU 2021 Standard Contractual Clauses as a valid data transfer mechanism for Restricted Transfers of UK Data, the Parties shall be deemed to have accepted the EU 2021 Standard Contractual Clauses and any necessary addenda to make them applicable to Restricted Transfers of UK Data and agree to replace the EU 2010 Standard Contractual Clauses with the EU 2021 Standard Contractual Clauses as of the day the relevant UK authorities recognize the new EU 2021 Standard Contractual Clauses as a valid data transfer mechanism for Restricted Transfers of UK Data.
    3. EU 2021 Standard Contractual Clauses:
      1. When the EU 2021 Standard Contractual Clauses are the applicable data transfer mechanism according to Section 1.2 (a) of this Exhibit, this DPA hereby incorporates by reference the EU 2021 Standard Contractual Clauses. The Parties are deemed to have accepted, executed, and signed the Standard Contractual Clauses where necessary in their entirety (including the annexures thereto)
      2. The content of EU 2021 Annex I and Annex II of the EU 2021 Standard Contractual Clauses is set forth in the Idera Affiliate Processing Terms
      3. The text contained in Annex A to these Jurisdiction Specific Terms supplements the EU 2021 Standard Contractual Clauses.
      4. The Parties agree to apply the following modules:
        1. Module two of the EU 2021 Standard Contractual Clauses when, in accordance with Section 2(a) of the DPA, the Data Exporter is Customer and acts as a Controller and the Data Exporter is Idera and acts as a Processor; and
        2. Module three of the EU 2021 Standard Contractual Clauses when, in accordance with Section 2(a) of the DPA, the Data Exporter is Customer and acts as a Processor and the Data Exporter is Idera and acts as a sub-Processor.
      5. For the purposes of Annex I.A of the EU 2021 Standard Contractual Clauses:
        1. The Parties have provided each other with the identity information contact details required under Annex I.A.
        2. The Parties’ controllership roles are set forth in Section 3.1 of this DPA
        3. The details of Idera’s data protection officer and data protection representative in the EU are set forth in the Idera Affiliate Processing Terms.
        4. The activities relevant to the Customer Personal Data transferred under the EU 2021 Standard Contractual Clauses are set forth in the Idera Affiliate Processing Terms
      6. Parties’ Choices under the EU 2021 Standard Contractual Clauses:
        1. With respect to Clause 9 of the EU 2021 Standard Contractual Clauses, the Parties select the “Option 2 General Written Authorization” and the time period set forth in Section 2(e) of the DPA.
        2. For the purpose of Annex I.C and with respect to Clause 13 of the EU 2021 Standard Contractual Clauses: the competent supervisory authority shall be the UK Information Commissioner’s Office (ICO).
        3. With respect to Clause 17 of the EU 2021 Standard Contractual Clauses, the Parties select the law of the United Kingdom.
        4. With respect to Clause 18 of the EU 2021 Standard Contractual Clauses, the Parties agree that any dispute arising from the EU 2021 Standard Contractual Clauses shall be resolved by the courts of the United Kingdom.
    4. EU 2010 Standard Contractual Clauses:
      1. When the EU 2021 Standard Contractual Clauses are the applicable data transfer mechanism according to Section 1.2(a) of this Exhibit, Customer (which will take on the obligations of the “data exporter” for the purposes of the EU 2010 Standard Contractual Clauses) and Idera (which will take on the obligations of the “data importer” for the purposes of the EU 2010 Standard Contractual Clauses) hereby enter into, as of the Effective Date, the EU 2010 Standard Contractual Clauses (including their additional constituent elements, as set out in the Idera Affiliate Processing Terms, as applicable and as updated from time to time if required by law or at the choice of Customer to reflect the latest version promulgated by the UK Authorities), which are incorporated by this reference and constitute an integral part of this DPA. The Parties are deemed to have signed, accepted, and executed the EU 2010 Standard Contractual Clauses in their Jurisdiction Specific Terms to Idera’s Customer-Facing Data Processing Addendum Page 1 of 13 entirety, including the appendices. The text contained in Annex A to these Jurisdiction Specific Terms supplements the EU 2004 Standard Contractual Clauses
      2. In cases where the EU 2010 Standard Contractual Clauses apply and there is a conflict between the terms of the DPA and the terms of the EU 2010 Standard Contractual Clauses, the terms of the EU 2010 Standard Contractual Clauses shall prevail.
    5. Agreements with Subprocessors:
      1. Idera shall ensure that the arrangement between Idera and any Subprocessor is governed by a written contract that includes data protection obligations compatible with those of Idera under the DPA (excluding its Exhibits) and this Section 5. Customer agrees that:
        1. The EU 2010 Standard Contractual Clauses concluded between Idera and Subprocessor provide data protection obligations compatible with those of Idera under the DPA and this Section 5.
        2. Idera shall ensure that the arrangement between Idera and any Subprocessor is governed by a written contract that includes data protection obligations compatible with those of Idera under the DPA and this Section. Customer agrees that the EU 2010 Standard Contractual Clauses concluded between Idera and Subprocessor provide for the same level of protection for Customer Personal Data as those set out in the DPA between Customer and Idera.

Annex A to Jurisdiction Specific Terms

Supplemental Clauses to the Standard Contractual Clauses

By this Annex A (this “Annex”), the Parties provide additional safeguards and redress to the Data Subjects whose Personal Data is transferred to Idera pursuant to Standard Contractual Clauses. This Annex supplements and is made part of, but is not in variation or modification of, the Standard Contractual Clauses that may be applicable to the Restricted Transfer

  1. Applicability of this Annex –
    1. This Annex only applies with respect to Restricted Transfers when the Standard Contractual Clauses apply to such Restricted Transfers pursuant to the DPA and its Annexes and Idera is the data importer.
  2. Definitions –
    1. For the purpose of interpreting this Annex, the following terms shall have the meanings set out below:
      1. “Disclosure Request” means any request from law enforcement authority or other governmental authority with competent authority and jurisdiction over Idera for disclosure of transferred Customer Personal Data.
      2. “EO 12333” means the U.S. Executive Order 12333.
      3. “FISA” means the U.S. Foreign Intelligence Surveillance Act.
      4. “Schrems II Judgment” means the judgment of the European Court of Justice in Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximilian Schrems.
  3. Applicability of Surveillance Laws to Idera –
    1. U.S surveillance laws
      1. Idera represents and warrants that, as of the Effective Date, it has not received any national security orders of the type described in Paragraphs 150-202 of the Schrems II judgment.
      2. Idera represents that it reasonably believes that it is not eligible to be required to provide information, facilities, or assistance of any type under FISA Section 702 because:
        1. Idera is not, (i) a telecommunications carrier, (ii) a provider of electronic communication service; (iii) a provider of processing services by means of an electronic communications system to the general public, given the nature of its business-to-business services; (iv) any other communication service provider who has access to wire or electronic communications either as such communications are transmitted or as such communications are stored; nor any other type of “electronic communications service provider” within the meaning of 50 U.S.C. § 1881(b)(4).
        2. If Idera were to be found eligible for process under FISA Section 702, which it believes it is not, it is nevertheless also not the type of provider that is eligible to be subject to UPSTREAM collection pursuant to FISA Section 702, as described in paragraphs 62 and 179 of the Schrems II judgment.
      3. EO 12333 does not provide the U.S. government the ability to order or demand that Idera provide assistance for the bulk collection of information and Idera shall take no action pursuant to U.S. Executive Order 12333
    2. General provisions about surveillance laws applicable to Idera
      1. Data Importer has no reason to believe that the laws and practices in the third country of destination of Customer Personal Data applicable to the Processing of Customer Personal Data by Idera, including any requests to disclose personal data or measures authorizing access by public authorities, prevent Idera from fulfilling its obligations under the Standard Contractual Clauses (where applicable).
      2. Data Importer commits to provide upon reasonable request information about the laws and regulations in the destination countries of the transferred Customer Personal Data applicable to Data Importer that would permit access by public authorities to the transferred Customer Personal Data, in particular in the areas of intelligence, law enforcement, administrative and regulatory supervision applicable to the transferred data. The Data Importer providing the information referred to in this subparagraph 4 may choose the means to provide the information. Data Exporter agrees to cover the costs associated with any required research.
  4. Obligations on Idera Related to Disclosure Requests –
    1. In the event Idera receives a Disclosure Request, Idera shall:
      1. Promptly (and, when possible, before disclosing the Customer Personal Data to the public authority) notify Customer of the Disclosure Request, and, where possible, the Data Subject, unless prohibited by law, or, if so prohibited from notifying Customer, use all lawful efforts to obtain the right to waive the prohibition to communicate information relating to the Disclosure Request to Customer as soon as possible. This includes, but is not limited to, informing the requesting public authority of the incompatibility of the Disclosure Request with the safeguards contained in Standard Contractual Clauses and the resulting conflict of obligations for Idera and documenting this communication.
      2. Ask the public authority that issued the Disclosure Request to redirect its request to the Customer to control conduct of the disclosure.
      3. Not disclose the requested Customer Personal Data until required to do so under the applicable procedural rules.
      4. Provide the minimum amount of information permissible when responding to the request, based on a reasonable interpretation of the request.
      5. Document all the steps taken by Idera related to the Disclosure Request.
    2. For the purposes of this Section, lawful efforts do not include actions that would result in civil or criminal penalty such as contempt of court under the laws of the relevant jurisdiction.
  5. Information on Requests for Personal Data by Public Authorities –
    1. Where allowed by law, Idera commits to provide Customer with information on all requests for Personal Data by US public authorities which Idera has received over the last five (5) years (if any), in particular in the areas of intelligence, law enforcement, administrative, and regulatory supervision applicable to the transferred data and comprising information about the requests received, the data requested, the requesting body, and the legal basis for Jurisdiction Specific Terms to Idera’s Customer-Facing Data Processing Addendum Page 1 of 13 disclosure and to what extent Idera has disclosed the requested Personal Data. Idera may choose the means to provide this information.
  6. Backdoors –
    1. Idera certifies that:
      1. It has not purposefully created backdoors or similar programming for governmental agencies that could be used to access Idera’s Systems or Customer Personal Data subject to the Standard Contractual Clauses.
      2. It has not purposefully created or changed its business processes in a manner that facilitates governmental access to Customer Personal Data or systems.
      3. National law or government policy does not require Idera to create or maintain back doors or to facilitate access to Customer Personal Data or systems.
    2. Customer will be entitled to terminate the contract on short notice in cases in which Idera does not reveal the existence of a back door or similar programming or manipulated business processes or any requirement to implement any of these or fails to promptly inform Customer once their existence comes to its knowledge.
  7. Information About Legal Prohibitions –
    1. Where allowed by law, Idera will provide Customer information about the legal prohibitions on Idera to provide information under this Annex. Idera may choose the means to provide this information
  8. Termination –
    1. This Annex shall automatically terminate with respect to the Processing of Customer Personal Data transferred in reliance of the Standard Contractual Clauses if the European Commission or a competent regulator approves a different transfer mechanism that would be applicable to the Restricted Transfers covered by the Standard Contractual Clauses (and if such mechanism applies only to some of the data transfers, this Annex will terminate only with respect to those transfers) and that does not require the additional safeguards set forth in this Annex.