This Is Blythe Global Data Processing Agreement
The Client agreeing to these terms (“Customer”), and This Is Blythe Global Inc. or any other entity that directly or indirectly controls, is controlled by, or is under common control with This Is Blythe Global Inc. (as applicable, “This Is Blythe”) (each, a “party” and collectively, the “parties”), have entered into an agreement under which This Is Blythe has agreed to provide a marketplace where Clients and Freelancers can identify each other and advertise, buy, and sell Freelancer Services online, with such other services, if any, described in the agreement (the “Service”) to Customer (as amended from time to time, the “Agreement”).
Unless otherwise agreed to in writing by you and This Is Blythe, to the extent This Is Blythe processes any EU personal data for you as a controller (as defined by the General Data Protection Regulation (EU) 2016/679) in your role as a Customer as defined in this Global Data Processing Agreement (the “DPA”), this DPA applies. This DPA, including its appendices, supplements the Agreement. To the extent of any conflict or inconsistency between this DPA and the remaining terms of the Agreement, this DPA will govern.
- Introduction. This DPA reflects the parties’ agreement with respect to the processing and security of Customer Data under the Agreement.
- Definitions
- The terms “personal data”, “data subject”, “processing”, “controller”, “processor” and “supervisory authority” have the meanings given in the GDPR, and the terms “data importer” and “data exporter” have the meanings given in the Standard Contractual Clauses, in each case irrespective of whether the European Data Protection Legislation or Non-European Data Protection Legislation applies.
- Unless stated otherwise:
- “Affiliate” means any entity that controls or is under common control with a specified entity.
- “Agreed Liability Cap” means the maximum monetary or payment-based amount at which a party’s liability is capped under the Agreement.
- “Confidential Information” means any information or materials (regardless of form or manner of disclosure) that are disclosed by or on behalf of one party to the other party that (i) are marked or communicated as being confidential at or within a reasonable time following such disclosure; or (ii) should be reasonably known to be confidential due to their nature or the circumstances of their disclosure. The term “Confidential Information” does not include any information or materials that: (a) are or become generally known or available to the public through no breach of this Agreement or other wrongful act or omission by the receiving party; (b) were already known by the receiving party without any restriction; (c) are acquired by the receiving party without restriction from a third party who has the right to make such disclosure; or (d) are independently developed by or on behalf of the receiving party without reference to any Confidential Information.
- “Customer Account Data” means personal data that relates to Customer’s relationship with This Is Blythe, including the names and/or contact information of individuals authorized by Customer to access Customer’s This Is Blythe account and billing information of individuals that Customer has associated with its This Is Blythe account.
- “Customer Personal Data” means the personal data contained within the Customer Data.
- “Customer Data” means the data entered into the Service by or on behalf of any End User, but excludes Customer Account Data.
- “End User” means an authorized user of the Service under Customer’s account.
- “Data Incident” means a breach of This Is Blythe’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data on systems managed by or otherwise controlled by This Is Blythe. “Data Incidents” will not include unsuccessful attempts or activities that do not compromise the security of Customer Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
- “EEA” means the European Economic Area, Switzerland, and/or the United Kingdom.
- “European Data Protection Legislation” means, as applicable: (a) the GDPR and its respective national implementing legislations; and/or (b) the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”).
- “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
- “EU SCCs” means the EU Standard Contractual Clauses approved by the European Commission in decision 2021/914 located at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
- “Non-European Data Protection Legislation” means, as applicable, the data protection or privacy laws, regulations, and other legal requirements other than the European Data Protection Legislation.
- “Notification Email Address” means the contact email address that you provided to This Is Blythe for the purpose of receiving notices from This Is Blythe.
- “Security Measures” has the meaning given in Section 7.1.1 (This Is Blythe’s Security Measures).
- “Subprocessors” means third parties authorized under this DPA to have logical access to and process Customer Data in order to provide parts of the Service. For clarity, freelancers that clients engage via This Is Blythe are not Subprocessors under this DPA.
- “Term” means the period from the DPA’s effective date until the end of This Is Blythe’s provision of the Service, including, if applicable, any period during which provision of the Service may be suspended and any post-termination period during which This Is Blythe may continue providing the Service for transitional purposes.
- “United Kingdom International Data Transfer Agreement or Addendum” (“UK IDTA”) means either, as applicable, (a) the International Data Transfer Agreement when used under the UK GDPR, or (b) the International Data Transfer Addendum to the EU SCCs issued by the Commissioner under s119A(1) of the Data Protection Act 2018, version A1.0, in force from March 21, 2022.
- Duration of this DPA. This DPA will remain in effect until, and automatically expire upon, deletion of all Customer Data by This Is Blythe as described in this DPA.
- Data Protection Legislation
- Application of European Legislation. The parties acknowledge that the European Data Protection Legislation will apply to the processing of Customer Personal Data to the extent provided under the European Data Protection Legislation.
- Application of Non-European Legislation. The parties acknowledge that Non-European Data Protection Legislation may also apply to the processing of Customer Personal Data.
- Processing of Data
- Roles and Regulatory Compliance; Authorization.
- Processor and Controller Responsibilities. If the European Data Protection Legislation applies to the processing of Customer Personal Data, the parties acknowledge and agree that:
- Customer is a controller (or processor, as applicable), of the Customer Personal Data under European Data Protection Legislation;
- This Is Blythe is a processor (or subprocessor, as applicable) of the Customer Personal Data under the European Data Protection Legislation; and
- each party will comply with the obligations applicable to it under the European Data Protection Legislation with respect to the processing of that Customer Personal Data.
- Responsibilities under Non-European Legislation. If Non-European Data Protection Legislation applies to either party’s processing of Customer Personal Data, the parties acknowledge and agree that the relevant party will comply with any obligations applicable to it under that legislation with respect to the processing of that Customer Personal Data.
- Authorization by Third Party Controller. If Customer is a processor, Customer warrants to This Is Blythe that Customer’s instructions (defined below) and actions with respect to that Customer Personal Data, including its appointment of This Is Blythe as another processor, have been authorized by the relevant controller to the extent required by applicable law.
- Scope of Processing.
- The subject matter and details of the processing are described in Appendix 1.
- Customer’s Instructions. By entering into this DPA, Customer instructs This Is Blythe to process Customer Personal Data only in accordance with applicable law: (a) to provide the Service; (b) as further specified through Customer’s use of the Service; (c) as documented in the Agreement, including this DPA; and (d) as further documented in any other written instructions given by Customer and acknowledged by This Is Blythe as constituting instructions for purposes of this DPA (each and collectively, “Customer’s Instructions”) and only for the foregoing purposes and not for the benefit of any other third party. This Is Blythe may condition the acknowledgement described in (d) on the payment of additional fees or the acceptance of additional terms.
- This Is Blythe’s Compliance with Instructions. With respect to Customer Personal Data subject to European Data Protection Legislation, This Is Blythe will comply with the instructions described in Section 5.2.2 (Customer’s Instructions) (including with regard to data transfers) unless EU or EU Member State law to which This Is Blythe is subject requires other processing of Customer Personal Data by This Is Blythe, in which case This Is Blythe will inform Customer (unless that law prohibits This Is Blythe from doing so on important grounds of public interest) via the Notification Email Address.
- Data Deletion
- Deletion by Customer. This Is Blythe will enable Customer to delete Customer Data during the Term in a manner consistent with the functionality of the Service. If Customer uses the Service to delete any Customer Data during the Term and that Customer Data cannot be recovered by Customer, this use will constitute an instruction to This Is Blythe to delete the relevant Customer Data from This Is Blythe’s systems in accordance with applicable law. This Is Blythe will comply with this instruction as soon as reasonably practicable, unless applicable law requires storage. Nothing herein requires This Is Blythe to delete Customer Data from files created for security, backup, and business continuity purposes sooner than required by This Is Blythe’s existing data retention processes.
- Deletion on Termination. On expiry of the Term, Customer instructs This Is Blythe to delete all Customer Data (including existing copies) from This Is Blythe’s systems in accordance with applicable law. This Is Blythe will comply with this instruction as soon as reasonably practicable, unless applicable law requires storage. Without prejudice to Section 9.1 (Access; Rectification; Restricted Processing; Portability), Customer acknowledges and agrees that Customer will be responsible for exporting, before the Term expires, any Customer Data it wishes to retain afterwards. If the EU or the UK SCCs are applicable to This Is Blythe’s processing of Customer Personal Data, the parties agree that the certification of deletion referenced in Clauses 8.5 and 16(d) of the EU and the UK SCCs shall be provided only upon Customer’s written request. Nothing herein requires This Is Blythe to delete Customer Data from files created for security, backup, and business continuity purposes sooner than required by This Is Blythe’s existing data retention processes.
- Data Security
- This Is Blythe’s Security Measures, Controls and Assistance.
- This Is Blythe’s Security Measures. This Is Blythe will implement and maintain technical and organizational measures designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Appendix 2 (the “Security Measures”). As described in Appendix 2, the Security Measures include measures to encrypt personal data; to help ensure ongoing confidentiality, integrity, availability and resilience of This Is Blythe’s systems and services; to help restore timely access to personal data following an incident; and for regular testing of effectiveness. This Is Blythe may update or modify the Security Measures from time to time provided that such updates and modifications do not degrade the overall security of the Service.
- Security Compliance by This Is Blythe Staff. This Is Blythe will take appropriate steps to ensure compliance with the Security Measures by its staff to the extent applicable to their scope of performance, including ensuring that all such persons it authorizes to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- This Is Blythe’s Security Assistance. Customer agrees that This Is Blythe will (taking into account the nature of the processing of Customer Personal Data and the information available to This Is Blythe) assist Customer in ensuring compliance with any of Customer’s obligations in respect of security of personal data and personal data breaches, including if applicable Customer’s obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, by:
- implementing and maintaining the Security Measures in accordance with Section 7.1.1 (This Is Blythe’s Security Measures);
- complying with the terms of Section 7.2 (Data Incidents); and
- providing Customer with the information contained in the Agreement including this DPA.
- Data Incidents.
- Incident Notification. If This Is Blythe becomes aware of a Data Incident, This Is Blythe will: (a) notify Customer of the Data Incident promptly and without undue delay after becoming aware of the Data Incident; and (b) promptly take reasonable steps to minimize harm and secure Customer Data.
- Details of Data Incident. Notifications made pursuant to this section will describe, to the extent practicable, details of the Data Incident, including steps taken to mitigate the potential risks and any steps This Is Blythe recommends Customer take to address the Data Incident.
- Delivery of Notification. Notification(s) of any Data Incident(s) will be delivered to the Notification Email Address or, at This Is Blythe’s discretion, by direct communication (for example, by phone call or an in-person meeting). Customer is solely responsible for ensuring that the Notification Email Address is current and valid.
- No Assessment of Customer Data by This Is Blythe. This Is Blythe will not assess the contents of Customer Data in order to identify information subject to any specific legal requirements. Customer is solely responsible for complying with legal requirements for incident notification applicable to Customer and fulfilling any third party notification obligations related to any Data Incident(s).
- No Acknowledgement of Fault by This Is Blythe. This Is Blythe’s notification of or response to a Data Incident under this Section 7.2 (Data Incidents) is not an acknowledgement by This Is Blythe of any fault or liability with respect to the Data Incident.
- Customer’s Security Responsibilities and Assessment.
- Customer’s Security Responsibilities. Customer agrees that, without prejudice to This Is Blythe’s obligations under Section 7.1 (This Is Blythe’s Security Measures, Controls and Assistance) and Section 7.2 (Data Incidents):
- Customer is solely responsible for its use of the Service, including:
- making appropriate use of the Service to ensure a level of security appropriate to the risk in respect of the Customer Data;
- securing the account authentication credentials, systems and devices Customer uses to access the Service;
- backing up its Customer Data; and
- This Is Blythe has no obligation to protect Customer Data that Customer elects to store or transfer outside of the Service.
- Customer’s Security Assessment.
- Customer is solely responsible for reviewing This Is Blythe’s security processes and evaluating for itself whether the Service, the Security Measures, and This Is Blythe’s commitments under this Section 7 (Data Security) will meet Customer’s needs, including with respect to any security obligations of Customer under the European Data Protection Legislation or Non-European Data Protection Legislation, as applicable.
- Customer acknowledges and agrees that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Customer Personal Data as well as the risks to individuals) the Security Measures implemented and maintained by This Is Blythe as set out in Section 7.1.1 (This Is Blythe’s Security Measures) provide a level of security appropriate to the risk in respect of the Customer Data.
- Reviews and Audits of Compliance.
- Customer’s Audit Rights.
- If the European Data Protection Legislation applies to the processing of Customer Personal Data, This Is Blythe will allow Customer or an independent auditor appointed by Customer to conduct audits (including inspections) to verify This Is Blythe’s compliance with its obligations under this DPA in accordance with Section 7.4.2 (Additional Business Terms for Reviews and Audits). This Is Blythe will contribute to such audits as described in this Section 7.4 (Reviews and Audits of Compliance).
- If the Standard Contractual Clauses as described in Section 10 (International Data Transfers) are applicable to This Is Blythe’s processing of Customer Personal Data, without prejudice to any audit rights of a supervisory authority under such Standard Contractual Clauses, the parties agree that Customer or an independent auditor appointed by Customer may conduct audits as described in Clauses 8.9(c) and (d) of the EU and the UK SCCs in accordance with Section 7.4.2 (Additional Business Terms for Reviews and Audits).
- Additional Business Terms for Reviews and Audits.
- If the European Data Protection Legislation applies to the processing of Customer Personal Data, Customer may exercise its right to audit This Is Blythe under Sections 7.4.1(a) or 7.4.1(b): (1) where there has been a Data Incident within the previous six (6) months or there is reasonable suspicion of a Data Incident within the previous six (6) months or (2) where Customer will pay all reasonable costs and expenses incurred by This Is Blythe in making itself available for an audit. Any third party who will be involved with or have access to the audit information must be mutually agreed to by Customer and This Is Blythe and must execute a written confidentiality agreement acceptable to This Is Blythe before conducting the audit.
- To request an audit under Section 7.4.1(a) or 7.4.1(b), Customer must submit a detailed audit plan to This Is Blythe’s Privacy Contact as described in Section 12 (Privacy Contact; Processing Records) at least thirty (30) days in advance of the proposed audit date, describing the proposed scope, duration, and start time of the audit. The scope may not exceed a review of This Is Blythe’s compliance with the Standard Contractual Clauses or its compliance with the European Data Protection Legislation, in each case with respect to the Customer Data. The audit must be conducted during regular business hours at the applicable facility, subject to This Is Blythe policies, and may not interfere with This Is Blythe business activities.
- Following receipt by This Is Blythe of a request for an audit under Section 7.4.1(a) or 7.4.1(b), This Is Blythe and Customer will discuss and agree in advance on: (i) the reasonable date(s) of and security and confidentiality controls applicable to any review of documentation; and (ii) the reasonable start date, scope and duration of and security and confidentiality controls applicable to any audit under Section 7.4.1(a) or 7.4.1(b).
- Customer will be responsible for any fees it incurs, including any fees charged by any auditor appointed by Customer to execute any such audit.
- Customer will provide This Is Blythe any audit reports generated in connection with any audit under this section, unless prohibited by law. Customer may use the audit reports only to meet its regulatory audit requirements and to confirm compliance with the requirements of the Standard Contractual Clauses or European Data Protection Legislation. The audit reports, and all information and records observed or otherwise collected in the course of the audit, are Confidential Information of This Is Blythe under the terms of the Agreement.
- This Is Blythe may object in writing to an auditor appointed by Customer if the auditor is, in This Is Blythe’s reasonable opinion, not suitably qualified or independent, a competitor of This Is Blythe, or otherwise unsuitable. Any such objection by This Is Blythe will require Customer to appoint another auditor or conduct the audit itself.
- Nothing in this DPA will require This Is Blythe either to disclose to Customer or its auditor, or to allow Customer or its auditor to access:
- any data of any other customer of This Is Blythe;
- This Is Blythe’s internal accounting or financial information;
- any trade secret of This Is Blythe;
- any information that, in This Is Blythe’s reasonable opinion, could: (A) compromise the security of This Is Blythe systems or premises; or (B) cause This Is Blythe to breach its obligations under applicable law or its security and/or privacy obligations to Customer or any third party; or
- any information that Customer or its third party auditor seeks to access for any reason other than the good faith fulfilment of Customer’s obligations under the Standard Contractual Clauses or European Data Protection Legislation.
- No Modification of Standard Contractual Clauses. Nothing in this Section 7.4 (Reviews and Audits of Compliance) varies or modifies any rights or obligations of Customer or This Is Blythe under any Standard Contractual Clauses entered into as described in Section 10 (International Data Transfers).
- Impact Assessments and Consultations. Customer agrees that This Is Blythe will (taking into account the nature of the processing and the information available to This Is Blythe) assist Customer in ensuring compliance with any obligations of Customer in respect of data protection impact assessments and prior consultation, including if applicable Customer’s obligations pursuant to Articles 35 and 36 of the GDPR, by providing the information contained in the Agreement including this DPA.
- Data Subject Rights; Data Export
- Access; Rectification; Restricted Processing; Portability. During the Term, This Is Blythe will, in a manner consistent with the functionality of the Service, enable Customer to access, rectify and restrict processing of Customer Data, including via the deletion functionality provided by This Is Blythe as described in Section 6.1 (Deletion by Customer), and to export Customer Data.
- Data Subject Requests.
- Customer’s Responsibility for Requests. During the Term, if This Is Blythe receives any request from a data subject under European Data Protection Legislation in relation to Customer Personal Data, This Is Blythe will advise the data subject to submit their request to Customer, and Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Service.
- This Is Blythe’s Data Subject Request Assistance. Customer agrees that This Is Blythe will (taking into account the nature of the processing of Customer Personal Data) reasonably assist Customer in fulfilling an obligation to respond to requests by data subjects described in Section 9.2.1 (Customer’s Responsibility for Requests), including, if applicable, Customer’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR, by complying with the commitments set out in Section 9.1 (Access; Rectification; Restricted Processing; Portability) and Section 9.2.1 (Customer’s Responsibility for Requests).
- International Data Transfers
- Data Storage and Processing Facilities. This Is Blythe may, subject to this Section 10 (International Data Transfers), store and process the relevant Customer Data anywhere This Is Blythe or its Subprocessors maintain facilities.
- Data Transfers under the EU SCCs. The EU SCCs are incorporated into this DPA and apply where the application of the EU SCCs, as between the parties, is required under applicable European Data Protection Legislation for the transfer of personal data. The EU SCCs shall be deemed completed as follows:
- Where Customer acts as a controller and This Is Blythe acts as Customer’s processor with respect to Customer Personal Data subject to the EU SCCs, Module 2 applies.
- Where Customer acts as a processor and This Is Blythe acts as Customer’s Subprocessor with respect to Customer Personal Data subject to the EU SCCs, Module 3 applies.
- Clause 7 (the optional docking clause) is not included.
- Under Clause 9 (Use of sub-processors), the parties select Option 2 (General written authorization).
- Under Clause 11 (Redress), the optional language will not apply.
- Under Clause 17 (Governing law), the parties choose Option 1 and select the law of Ireland.
- Under Clause 18 (Choice of forum and jurisdiction), the parties select the courts of Ireland.
- Annexes I, II, and III of the EU SCCs are set forth in Appendix 1 below.
- Data Transfers under the IDTA. When used as an addendum to the EU SCCs and the UK IDTA is otherwise required under applicable European Data Protection Law for the transfer of Customer Personal Data, the UK IDTA addendum shall incorporate the selections above and be deemed further completed as follows:
- Table 1: the parties’ details shall be the parties and their affiliates to the extent any of them is involved in such transfer, including those set forth in Appendix 1, and the Key Contact shall be the contacts set forth in Appendix 1.
- Table 2: The referenced Approved EU SCCs shall be the EU SCCs incorporated into this DPA.
- Table 3: Annex 1A, 1B, and II shall be set forth in Appendix 1.
- Table 4: Either party may end the EU SCCs as set out in Section 19 of the EU SCCs.
- Data Transfers from Switzerland. Where the EU SCCs are required under Swiss data protection law applicable to the transfer of Customer Personal Data, the following additional provisions will apply:
- References to the GDPR in the EU SCCs are to be understood as references to the Swiss Federal Act on Data Protection (“FADP”) insofar as the data transfers are subject exclusively to the FADP and not to the GDPR.
- The term “member state” in the EU SCCs shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs.
- References to personal data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope.
- Under Annex I(C) of the EU SCCs: where the transfer is subject exclusively to the FADP and not the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner, and where the transfer is subject to both the FADP and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the FADP, and the supervisory authority is as set forth in the EU SCCs insofar as the transfer is governed by the GDPR.
- Subprocessors
- Consent to Subprocessor Engagement. Customer specifically authorizes the engagement of This Is Blythe’s Affiliates as Subprocessors. In addition, Customer generally authorizes the engagement of any other third parties as Subprocessors (“Third Party Subprocessors”). If the Standard Contractual Clauses as described in Section 10 (International Data Transfers) are applicable to This Is Blythe’s processing of Customer Personal Data, the above authorizations will constitute Customer’s prior written consent to the subcontracting by This Is Blythe of the processing of Customer Personal Data if such consent is required under the Standard Contractual Clauses.
- Information about Subprocessors.
- Information about Subprocessors is available upon request by emailing info@thisisblythe.com (as may be updated by This Is Blythe from time to time in accordance with this DPA). Subprocessor information will be provided only upon request and is the Confidential Information of This Is Blythe under this Agreement and must be treated with the level of confidentiality afforded to Confidential Information hereunder.
- Requirements for Subprocessor Engagement. When engaging any Subprocessor, This Is Blythe will:
- ensure via a written contract that:
- the Subprocessor only accesses and uses Customer Data to perform the obligations subcontracted to it, and does so in accordance with the Agreement (including this DPA) and any Standard Contractual Clauses entered into or Alternative Transfer Solution adopted by This Is Blythe as described in Section 10 (International Data Transfers); and
- if the GDPR applies to the processing of Customer Personal Data, the data protection obligations set out in Article 28(3) of the GDPR, as described in this DPA, are imposed on the Subprocessor; and
- remain liable for all obligations subcontracted to, and all related acts and omissions of, the Subprocessor.
- Opportunity to Object to Subprocessor Changes.
- This Is Blythe may add or remove Subprocessors from time to time. This Is Blythe will inform Customer of new Subprocessors via a subscription mechanism described in the list of Subprocessors as described above. If Customer objects to a change, it will provide This Is Blythe with notice of its objection to info@thisisblythe.com including reasonable detail supporting Customer’s concerns within sixty days of receiving notice of a change from This Is Blythe or, if Customer has not subscribed to receive such notice, within sixty days of This Is Blythe publishing the change. This Is Blythe will then use commercially reasonable efforts to review and respond to Customer’s objection within thirty days of receipt of Customer’s objection. If This Is Blythe does not respond to a Customer objection as described above, or cannot reasonably accommodate Customer’s objection, Customer may terminate the Agreement by providing written notice to This Is Blythe. This termination right is Customer’s sole and exclusive remedy if Customer objects to any new Subprocessor.
- Privacy Contact; Processing Records
- This Is Blythe’s Privacy Contact. Privacy inquiries related to this DPA can be submitted to privacyrequests@This Is Blythe.com (and/or via such other means as This Is Blythe may provide from time to time).
- This Is Blythe’s Processing Records. Customer acknowledges that This Is Blythe is required under the GDPR to: (a) collect and maintain records of certain information, including the name and contact details of each processor and/or controller on behalf of which This Is Blythe is acting and, where applicable, of such processor’s or controller’s local representative and data protection officer; and (b) make such information available to the supervisory authorities. Accordingly, if the GDPR applies to the processing of Customer Personal Data, Customer will, where requested, provide such information to This Is Blythe via the Service or other means provided by This Is Blythe, and will use the Service or such other means to ensure that all information provided is kept accurate and up-to-date.
- Liability
- Liability Cap. For clarity, the total combined liability of either party and its Affiliates towards the other party and its Affiliates under or in connection with the Agreement (such as under the DPA or the Standard Contractual Clauses) will be limited to the Agreed Liability Cap for the relevant party, subject to Section 13.2 (Liability Cap Exclusions).
- Liability Cap Exclusions. Nothing in Section 13.1 (Liability Cap) will affect the remaining terms of the Agreement relating to liability (including any specific exclusions from any limitation of liability).
- Miscellaneous
Notwithstanding anything to the contrary in the Agreement, where This Is Blythe Global, Inc. is not a party to the Agreement, This Is Blythe Global, Inc. will be a third-party beneficiary of Section 7.4 (Reviews and Audits of Compliance), Section 11.1 (Consent to Subprocessor Engagement) and Section 13 (Liability) of this DPA.
Appendix 1: Subject Matter and Details of the Data Processing
Subject Matter
This Is Blythe’s provision of the Service to Customer.
Duration of the Processing
The Term plus the period from the expiry of the Term until deletion of all Customer Data by This Is Blythe in accordance with the DPA.
Nature and Purpose of the Processing
This Is Blythe will process Customer Personal Data for the purposes of providing the Service to Customer in accordance with the DPA.
Categories of Data
Data relating to End Users or other individuals provided to This Is Blythe via the Service, by (or at the direction of) Customer or by End Users. The open nature of the Service does not impose a technical restriction on the categories of data Customer may provide. The personal data transferred may include: name, username, password, email address, telephone and fax number, title and other business information, general information about interest in and use of This Is Blythe services; and demographic information.
Data Subjects
Data subjects include End Users and the individuals about whom data is provided to This Is Blythe via the Service by (or at the direction of) Customer or by End Users.
Appendix 2: Security Measures
This Is Blythe will implement and maintain the Security Measures set out in this Appendix 2. This Is Blythe may update or modify such Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Service. This Is Blythe will:
- Conduct information security risk assessments at least annually and whenever there is a material change in the organization’s business or technology practices that may impact the privacy, confidentiality, security, integrity or availability of Customer Personal Data.
- Regularly and periodically train personnel who have access to Customer Personal Data or relevant This Is Blythe Systems.
- Maintain secure user authentication protocols, secure access control methods, and firewall protection for This Is Blythe Systems that Process Customer Personal Data.
- Maintain policies and procedures to detect, monitor, document and respond to actual or reasonably suspected Information Security Incidents.
- Implement and maintain tools that detect, prevent, remove and remedy malicious code designed to perform an unauthorized function on or permit unauthorized access to This Is Blythe Systems.
- Implement and maintain up-to-date firewalls.
- Implement and use cryptographic modules to protect Customer Personal Data in transit and, when commercially reasonable, at rest.
- Maintain reasonable restrictions on physical access to Customer Personal Data and relevant This Is Blythe Systems.
Appendix 3: Annex I of the EU SCCs
A. LIST OF PARTIES
Data exporter(s):
Name: Customer
Activities relevant to the data transferred under these Clauses: Obtaining the Services from Data Importer
Role (controller/processor): Controller or Processor, as applicable
Data importer(s):
Name: This Is Blythe Global Inc.
Address: 655 Montgomery St., STE 490, DPT 17022, San Francisco, CA 94111-2676
Contact person’s name, position and contact details: Privacy Counsel, info@thisisblythe.com
Activities relevant to the data transferred under these Clauses: Providing the Services to Data Exporter
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Data subjects include End Users and the individuals about whom data is provided to This Is Blythe via the Service by (or at the direction of) Customer or by End Users.
Categories of personal data transferred
Data relating to End Users or other individuals provided to This Is Blythe via the Service, by (or at the direction of) Customer or by End Users. The open nature of the Service does not impose a technical restriction on the categories of data Customer may provide. The personal data transferred may include: name, username, password, email address, telephone and fax number, title and other business information, general information about interest in and use of This Is Blythe services; and demographic information.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
None anticipated.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuously, for the length of the Agreement between the parties.
Nature of the processing
This Is Blythe will process Customer Personal Data to provide the Service to Customer in accordance with the DPA.
Purpose(s) of the data transfer and further processing
This Is Blythe will process Customer Personal Data for the purposes of providing the Service to Customer in accordance with the DPA.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
The Term plus the period from the expiry of the Term until deletion of all Customer Data by This Is Blythe in accordance with the DPA.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
This Is Blythe’s subprocessors will process personal data to assist This Is Blythe in providing the Services pursuant to the Agreement, for as long as needed for This Is Blythe to provide the Services.
C. COMPETENT SUPERVISORY AUTHORITY
The Irish Data Protection Commission.
Annex II of the EU SCCs
TECHNICAL AND ORGANIZATIONAL MEASURES
INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
See Appendix 2 to the DPA.