Idera-Inc-Facelift-logo

Jurisdiction Specific Terms

  1. European Economic Area –
    1. Definitions:
      1. "Applicable Data Protection Laws" (as used in the Addendum) includes EEA Data Protection Laws (as defined below).
      2. “EEA” (as used in this Section) means the European Economic Area, consisting of the EU Member States, and Iceland, Liechtenstein, and Norway.
      3. “EEA Data Protection Laws” means the GDPR and all laws and regulations of the EEA (as defined below), applicable to the Processing of Idera Personal Data.
      4. “EU 2021 Standard Contractual Clauses” (as used in this Section) means the contractual clauses adopted by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
      5. “Restricted International Transfer of EEA Personal Data” (as used in this Section) means any transfer of Idera Personal Data subject to the GDPR which is undergoing Processing or is intended for Processing after transfer to Third Country (as defined below) or an international organization in a Third Country (including data storage on foreign servers).
      6. “Standard Contractual Clauses” (as used in the Addendum) includes the EU 2021 Standard Contractual Clauses.
      7. “Third Country” (as used in this Section) means a country outside of the EEA.
    2. With regard to any Restricted International Transfer of EEA Personal Data from Idera to Service Provider within the scope of the Addendum, one of the following transfer mechanisms shall apply, in the following order of precedence:
      1. A valid adequacy decision adopted by the European Commission on the basis of Article 45 of the GDPR that provides that the Third Country, a territory, or one or more specified sectors within that Third Country, or the international organization in question to which EEA Idera Personal Data is to be transferred ensures an adequate level of data protection.
      2. Service Provider’s certification to any successor/replacement framework to the EU-U.S. Privacy Shield Framework (only to the extent that such self-certification constitutes an “appropriate safeguard” pursuant to EEA Data Protection Laws, as the case may be), provided that the Services are covered by such certification.
      3. The EU 2021 Standard Contractual Clauses (insofar as their use constitutes an “appropriate safeguard” under Article 46 of the GDPR).
      4. Any other lawful data transfer mechanism, as laid down in EEA Data Protection Laws, as the case may be.
    3. EU 2021 Standard Contractual Clauses:
      1. The Addendum hereby incorporates by reference the EU 2021 Standard Contractual Clauses. The Parties are deemed to have accepted, executed, and signed the Standard Contractual Clauses where necessary in their entirety (including the annexures thereto).
      2. The content of EU 2021 Annex I and Annex II of the EU 2021 Standard Contractual Clauses is set forth in Exhibit A to the Addendum, and the contents of Annex III of the EU 2021 Standard Contractual Clauses, if applicable, is set out in Exhibit B to the Addendum.
      3. The text contained in Exhibit C to the Addendum supplements the EU 2021 Standard Contractual Clauses.
      4. The Parties agree to apply the following modules:
        1. Module two of the EU 2021 Standard Contractual Clauses when, in accordance with Section 3.1 of the Addendum, the Data Exporter is Idera and acts as a Controller and the Data Importer is Service Provider and acts as a Processor.
        2. Module three of the EU 2021 Standard Contractual Clauses when, in accordance with Section 3.1 of the Addendum, the Data Exporter is Idera and acts as a Processor and the Data Importer is Service Provider and acts as a sub-Processor.
        3. Module four of the EU 2021 Standard Contractual Clauses when, in accordance with Section 3.1 of the Addendum, the Data Exporter is Service Provider and acts as a Processor and the Data Importer is Idera and acts as a Controller.
      5. For the purposes of Annex I.A:
        1. The Parties have provided each other with the identity information contact details required under Annex I.A.
        2. The Parties’ controllership roles are set forth in Section 3.1 of the Addendum.
        3. The details of the Parties’ data protection officer and data protection representative in the EU are set forth in Exhibit A and Sections 19 and 20 of the Addendum.
        4. The activities relevant to Idera Personal Data transferred under the Standard Contractual Clauses are set forth in Exhibit A to the Addendum.
      6. Parties’ Choices under the EU 2021 Standard Contractual Clauses:
        1. With respect to Clause 9 of the EU 2021 Standard Contractual Clauses, the Parties select the “Option 2 General Written Authorization” and the time period set forth in Section 6.3 of the Addendum.
        2. For the purpose of Annex I.C and with respect to Clause 13 of the EU 2021 Standard Contractual Clauses, the competent supervisory authority is set forth in Exhibit A of the Addendum.
        3. With respect to Clause 17 of the EU 2021 Standard Contractual Clauses, the Parties select the laws of the Republic of Ireland.
        4. With respect to Clause 18 of the EU 2021 Standard Contractual Clauses, the Parties agree that any dispute arising from the EU 2021 Standard Contractual Clauses shall be resolved by the courts of the Republic of Ireland.
    4. In cases where the EU 2021 Standard Contractual Clauses apply and there is a conflict between the terms of the Addendum and the terms of the Standard Contractual Clauses, the terms of the Standard Contractual Clauses shall prevail.
  2. Brazil –
    1. Definitions:
      1. "Applicable Data Protection Laws” (as used in the Addendum) includes “Brazilian Data Protection Laws” (as defined below).
      2. "Brazilian Data Protection Laws” (as used in this Section) includes the Lei Geral de Proteção de Dados, Law No. 13.709 of 14 August 2018 (“LGPD”).
      3. “Controller” (as used in the Addendum) includes “Controlador” as defined under the LGPD.
      4. “Personal Data Breach” (as used in the Addendum) includes “Security Incident” as defined under the LGPD.
      5. “Processor” includes “Operador” as defined under the LGPD.
  3. California –
    1. Definitions:
      1. “Applicable Data Protection Laws” (as used in the Addendum) includes California Data Protection Laws, as they may be amended from time to time.
      2. “Business Purpose” (as used in this Section) shall have the meaning ascribed to it by California Data Protection Laws.
      3. “CCPA” means the California Consumer Privacy Act of 2018;
      4. “California Data Protection Laws” includes the California Consumer Privacy Act of 2018, Assembly Bill 375 of the California House of Representatives, an act to add Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, relating to privacy and approved by the California Governor on 28 June 2018 (“CCPA”), and the California Consumer Privacy Act Regulations (“CCPA Regulations”), and the California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the 3 November 2020, state-wide general election, amended, added to, and re-enacted the CCPA (“CPRA”).
      5. “Commercial Purpose” (as used in this Section) shall have the meaning ascribed to it in the CPRA.
      6. Controller (as used in the Addendum) includes “Business” as defined under the CPRA.
      7. “Data Subject” (as used in the Addendum) includes “Consumer” as defined under the CPRA.
      8. “Idera Personal Data” (as used in the Addendum) includes “Personal Information” as defined under the CPRA.
      9. “Personal Data Breach” (as used in the Addendum) includes “Breach of the Security of the System” as defined under paragraph (g) of Section 1798.82. of the California Civil Code.
      10. “Processor” (as used in the Addendum) includes “Service Provider” as defined under the CCPA.
      11. “Sell” (as used in this Section) shall have the meaning ascribed to it in the CPRA.
      12. “Share” (as used in this Section) shall have the meaning ascribed to it in the CPRA
    2. Idera discloses Idera Personal Data to Service Provider solely for: (i) valid Business Purposes; and (ii) to enable Service Provider to perform the Services under the Agreement.
    3. Service Provider shall not: (i) Sell or Share Idera Personal Data; (ii) retain, use, or disclose Idera Personal Data for a Commercial Purpose other than providing the Services specified in the Agreement or as otherwise permitted by the California Data Protection Laws; nor (iii) retain, use, or disclose Idera Personal Data except where permitted under the Agreement between Idera and Service Provider. Service Provider certifies that it understands these restrictions and will comply with them.
  4. Canada –
    1. Definitions:
    2. “Applicable Data Protection Laws” (as used in the Addendum) includes Canadian Data Protection Laws.
    3. “Canadian Data Protection Laws” includes the Canadian Federal Personal Information Protection and Electronic Documents Act (“PIPEDA”).
    4. “Idera Personal Data” (as used in the Addendum) includes “Personal Information” as defined under PIPEDA.
    5. "Personal Data Breach" (as used in the Addendum) includes “Breach of Security Safeguards” as defined under PIPEDA.
    6. “Subprocessor” (as used in the Addendum) includes “Third Party Organization” as defined under PIPEDA.
  5. Switzerland –
    1. Definitions:
      1. “Applicable Data Protection Laws” (as used in the Addendum) includes Swiss Data Protection Laws, as they may be amended from time to time.
      2. “Controller” (as used in the Addendum) includes “Controller of the Data File” as defined under the FADP.
      3. “Data Subject” (as used in the Addendum) includes the natural persons whose Idera Personal Data is Processed.
      4. “Idera Personal Data” (as used in the Addendum) includes “Personal Data” as defined under the FADP.
      5. “Processing” (as used in the Addendum) includes “Processing” as defined under the FADP.
      6. “Restricted International Transfer of Swiss Personal Data” (as used in this Section) means any transfer of Idera Personal Data (including data storage in foreign servers) subject to the FADP to a Third Country (as defined below) or an international organization.
      7. “Standard Contractual Clauses” (as used in the Addendum) includes the EU 2021 Standard Contractual Clauses (as defined under Section 2.1(d) of this Exhibit).
      8. “Swiss Data Protection Laws” includes the Federal Act on Data Protection of 19 June 1992 (“FADP”) and the Ordinance to the Federal Act on Data Protection (“OFADP”).
      9. “Third Country” (as used in this Section) means a country outside of the Swiss Confederation.
    2. With regard to any Restricted International Transfer of Swiss Personal Data from Idera to Service Provider within the scope of the Addendum, one of the following transfer mechanisms shall apply, in the following order of precedence:
      1. The inclusion of the Third Country, a territory, or one or more specified sectors within that Third Country, or the international organization in question to which Idera Personal Data is to be transferred in the list published by the Swiss Federal Data Protection and Information Commissioner of states that provide an adequate level of protection for Idera Personal Data within the meaning of the FADP.
      2. Service Provider’s certification to any successor/replacement framework to the Swiss-U.S. Privacy Shield Framework (only to the extent that such self-certification constitutes an “appropriate safeguard” pursuant to Swiss Data Protection Laws, as the case may be), provided the Services are covered by such certification.
      3. The EU 2021 Standard Contractual Clauses (as defined under Section 2.1(d) of this Exhibit) (insofar as their use constitutes an “appropriate safeguard” under Swiss Data Protection Laws).
      4. Any other lawful transfer mechanism, as laid down in Swiss Data Protection Laws.
    3. EU 2021 Standard Contractual Clauses:
      1. The Addendum hereby incorporates by reference the EU 2021 Standard Contractual Clauses. The Parties are deemed to have accepted, executed, and signed the Standard Contractual Clauses where necessary in their entirety (including the annexures thereto).
      2. The content of EU 2021 Annex I and Annex II of the EU 2021 Standard Contractual Clauses is set forth in Exhibit A to the Addendum, and the contents of Annex III of the EU 2021 Standard Contractual Clauses, if applicable, is set out in Exhibit B to the Addendum.
      3. The text contained in Exhibit C to the Addendum supplements the EU 2021 Standard Contractual Clauses.
      4. The Parties agree to apply the following modules:
        1. Module two of the EU 2021 Standard Contractual Clauses when, in accordance with Section 3.1 of the Addendum, the Data Exporter is Idera and acts as a Controller and the Data Importer is Service Provider and acts as a Processor.
        2. Module three of the EU 2021 Standard Contractual Clauses when, in accordance with Section 3.1 of the Addendum, the Data Exporter is Idera and acts as a Processor and the Data Importer is Service Provider and acts as a sub-Processor.
        3. Module four of the EU 2021 Standard Contractual Clauses when, in accordance with Section 3.1 of the Addendum, the Data Exporter is Service Provider and acts as a Processor and the Data Importer is Idera and acts as a Controller.
      5. For the purposes of Annex I.A:
        1. The Parties have provided each other with the identity information contact details required under Annex I.A.
        2. The Parties’ controllership roles are set forth in Section 3.1 of this Addendum.
        3. The details of the Parties’ data protection officer are set forth in Exhibit A and Sections 19 and 20 of the Addendum.
        4. The activities relevant to Idera Personal Data transferred under the EU 2021 Standard Contractual Clauses are set forth in Exhibit A to the Addendum.
      6. Parties’ Choices under the EU 2021 Standard Contractual Clauses:
        1. With respect to Clause 9 of the EU 2021 Standard Contractual Clauses, the Parties select the “Option 2 General Written Authorization” and the time period set forth in Section 6.3 of the Addendum.
        2. For the purpose of Annex I.C and with respect to Clause 13 of the Standard Contractual Clauses, the competent authority shall be the Swiss Federal Data Protection and Information Commissioner, insofar as the data transfer constitutes a Restricted International Transfer of Swiss Personal Data.
        3. With respect to Clause 17 of the EU 2021 Standard Contractual Clauses, the Parties select the laws of the Republic of Ireland.
        4. With respect to Clause 18 of the EU 2021 Standard Contractual Clauses, the Parties agree that any dispute arising from the Standard Contractual Clauses shall be resolved by the courts of the Republic of Ireland. The Parties choose the Swiss courts as an alternative place of jurisdiction for Data Subjects habitually resident in Switzerland.
      7. The term “member state” included in the EU 2021 Standard Contractual Clauses must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU 2021 Standard Contractual Clauses.
      8. The EU 2021 Standard Contractual Clauses also protect the data of legal entities until the entry into force of the revised FADP.
    4. In cases where the EU 2021 Standard Contractual Clauses apply and there is a conflict between the terms of the Addendum and the terms of the Standard Contractual Clauses, the terms of the Standard Contractual Clauses shall prevail.
  6. United Kingdom –
    1. Definitions:
      1. “Applicable Data Protection Laws” (as used in the Addendum) includes UK Data Protection Laws (as defined below).
      2. “EU 2010 Standard Contractual Clauses” (as used in this Section) means the contractual clauses adopted by the European Commission Decision 2010/87/EU, Standard Contractual Clauses for the transfer of personal data to processors established in third countries (controller to non-EU or EEA Processor).
      3. “Restricted International Transfer of UK Personal Data” (as used in this Section) means any transfer of Idera Personal Data subject to the UK GDPR to a Third Country (as defined below) or an international organization (including data storage on foreign servers).
      4. “Standard Contractual Clauses” (as used in the Addendum) includes the EU 2021 Standard Contractual Clauses (as defined under Section 2.1(d) of this Exhibit) and the EU 2010 Standard Contractual Clauses.
      5. “Third Country” (as used in this Section) means a country outside of the United Kingdom.
      6. “UK Data Protection Law” (as used in this Section) includes the Data Protection Act 2018 and the UK GDPR (as defined below).
      7. “UK GDPR” (as used in this Section) means the United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018
    2. With regard to any Restricted Transfer of UK Data from Customer to Idera within the scope of this DPA, one of the following transfer mechanisms shall apply, in the following order of precedence
      1. A valid adequacy decision adopted pursuant to Article 45 of the UK GDPR that provides that the Third Country, a territory, or one or more specified sectors within that Third Country or the international organization in question to which Idera Personal Data is to be transferred ensures an adequate level of data protection.
      2. Service Provider’s certification to any successor/replacement framework to the EU-U.S. Privacy Shield Framework (only to the extent that such self-certification constitutes an “appropriate safeguard” pursuant to the UK GDPR, as the case may be), provided that the Services are covered by such certification.
      3. The EU 2021 Standard Contractual Clauses (as defined in Section 1.1(d) of this Exhibit) (insofar as their use constitutes an “appropriate safeguard” under UK Data Protection Laws).
      4. The EU 2010 Standard Contractual Clauses (insofar as their use constitutes an “appropriate safeguard” under UK Data Protection Laws).
      5. Any other lawful data transfer mechanism, as laid down in the UK Data Protection Laws, as the case may be.
      6. If the relevant UK authorities recognize the EU 2021 Standard Contractual Clauses as a valid data transfer mechanism for Restricted International Transfers of UK Personal Data, the Parties shall be deemed to have accepted the EU 2021 Standard Contractual Clauses and any necessary addenda to make them applicable to Restricted International Transfers of UK Personal Data and agree to replace the EU 2010 Standard Contractual Clauses with the EU 2021 Standard Contractual Clauses as of the day the relevant UK authorities recognize the new EU 2021 Standard Contractual Clauses as a valid data transfer mechanism for Restricted International Transfers of UK Personal Data.
    3. EU 2021 Standard Contractual Clauses:
      1. The Addendum hereby incorporates by reference the EU 2021 Standard Contractual Clauses. The Parties are deemed to have accepted, executed, and signed the Standard Contractual Clauses where necessary in their entirety (including the annexures thereto).
      2. The content of EU 2021 Annex I and Annex II of the EU 2021 Standard Contractual Clauses is set forth in Exhibit A to the Addendum, and the contents of Annex III of the EU 2021 Standard Contractual Clauses, if applicable, is set out in Exhibit B to the Addendum.
      3. The text contained in Exhibit C to the Addendum supplements the EU 2021 Standard Contractual Clauses.
      4. The Parties agree to apply the following modules:
        1. Module two of the EU 2021 Standard Contractual Clauses when, in accordance with Section 3.1 of the Addendum, the Data Exporter is Idera and acts as a Controller and the Data Importer is Service Provider and acts as a Processor.
        2. Module three of the EU 2021 Standard Contractual Clauses when, in accordance with Section 3.1 of the Addendum, the Data Exporter is Idera and acts as a Processor and the Data Importer is Service Provider and acts as a sub-Processor.
        3. Module four of the EU 2021 Standard Contractual Clauses when, in accordance with Section 3.1 of the Addendum, the Data Exporter is Service Provider and acts as a Processor and the Data Importer is Idera and acts as a Controller.
      5. For the purposes of Annex I.A:
        1. The Parties have provided each other with the identity information contact details required under Annex I.A.
        2. The Parties’ controllership roles are set forth in Section 3.1 of the Addendum.
        3. The details of the Parties’ data protection officer and data protection representative in the UK are set forth in Exhibit A and Sections 19 and 20 of the Addendum.
        4. The activities relevant to Idera Personal Data transferred under the Standard Contractual Clauses are set forth in Exhibit A to the Addendum.
      6. Parties’ Choices under the EU 2021 Standard Contractual Clauses:
        1. With respect to Clause 9 of the EU 2021 Standard Contractual Clauses, the Parties select the “Option 2 General Written Authorization” and the time period set forth in Section 2(e) of the Addendum.
        2. For the purpose of Annex I.C and with respect to Clause 13 of the EU 2021 Standard Contractual Clauses: the competent supervisory authority shall be the UK Information Commissioner’s Office (ICO).
        3. With respect to Clause 17 of the EU 2021 Standard Contractual Clauses, the Parties select the law of the United Kingdom.
        4. With respect to Clause 18 of the EU 2021 Standard Contractual Clauses, the Parties agree that any dispute arising from the EU 2021 Standard Contractual Clauses shall be resolved by the courts of the United Kingdom.
    4. EU 2010 Standard Contractual Clauses:
      1. Idera (which will take on the obligations of the “Data Exporter” for the purposes of the EU 2010 Standard Contractual Clauses) and Service Provider (which will take on the obligations of the “Data Importer” for the purposes of the EU 2010 Standard Contractual Clauses) hereby enter into, as of the Effective Date, the EU 2010 Standard Contractual Clauses (including their additional constituent elements, as set out in Exhibit A to the Addendum, as applicable and as updated from time to time if required by law or at the choice of Idera to reflect the latest version promulgated by the UK Authorities), which are incorporated by this reference and constitute an integral part of the Addendum. The Parties are deemed to have signed, accepted, and executed the UK Standard Contractual Clauses in their entirety, including the appendices. The text contained in Exhibit C to the Addendum serves to supplement the EU 2010 Standard Contractual Clauses.
      2. In cases where the EU 2010 Standard Contractual Clauses apply and there is a conflict between the terms of the DPA and the terms of the EU 2010 Standard Contractual Clauses, the terms of the EU 2010 Standard Contractual Clauses shall prevail.