Data Processing Agreement

This Data Processing Agreement, including its Annexes (“DPA”), is entered into as of the last date executed below by Merge API, Inc., a Delaware corporation having its principal place of business at 353 Sacramento Street, San Francisco CA 94111 (“Merge”), and Customer. 

Merge provides its proprietary, Software-as-a-Service solution for integrating HR, payroll, recruiting, and accounting platforms (the “Service”) to Customers and End Users (as defined below). The provision of the Service involves the Processing of Personal Data subject to the Data Protection Laws, and the purpose of this DPA is to set forth the terms under which Merge Processes the Personal Data. In the provision of the Service by Merge to Customer, Customer acts as the Processor and Merge acts as a Subprocessor.  

THIS DPA APPLIES BETWEEN THE PARTIES WHERE A REPRESENTATIVE OF CUSTOMER CLICKS A BOX INDICATING ACCEPTANCE, TRANSFERS PERSONAL DATA TO MERGE FOR PROCESSING BY MEANS OF THE SERVICE, OR OTHERWISE AFFIRMATIVELY INDICATES ACCEPTANCE OF THIS DPA. BY DOING SO, YOU: (A) AGREE TO THIS DPA ON BEHALF OF THE ORGANIZATION, COMPANY, OR OTHER LEGAL ENTITY FOR WHICH YOU ACT (“CUSTOMER”); AND (B) REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND CUSTOMER AND ITS AFFILIATES TO THIS DPA. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THIS DPA, YOU MAY NOT DIRECTLY OR INDIRECTLY TRANSFER PERSONAL DATA TO MERGE. MERGE RESERVES THE RIGHT TO MODIFY OR UPDATE THE TERMS OF THIS DPA IN ITS DISCRETION, THE EFFECTIVE DATE OF WHICH WILL BE THE EARLIER OF (I) 30 DAYS FROM THE DATE OF SUCH UPDATE OR MODIFICATION AND (II) CUSTOMER’S CONTINUED TRANSFER OF PERSONAL DATA. 

If Customer and Merge have executed a written data processing agreement governing the processing of personal data by means of the Service, then the terms of such signed data processing agreement between the parties will supersede this DPA.

This DPA is incorporated into and made part of the Agreement (as defined below). 

  1. Definitions.

All capitalized terms used in this DPA will have the meanings given to them herein, in applicable Data Protection Laws, or as set forth in the applicable Agreement between Merge and the Customer.

“Agreement” means the applicable terms between Merge and Customer regarding use of or integration with the Service.

“Controller” means the entity or Business which solely or jointly with other entities determines the purposes and means of the Processing of Personal Data and for the purposes of this DPA is generally the End User.

“Data Breach” means a breach of security leading to accidental or unlawful destruction, loss, or alteration, unauthorized disclosure of, or access to, Personal Data Processed by Merge on behalf of Customer.

“Data Protection Laws” means all applicable data protection and privacy laws, their implementing regulations, regulatory guidance, and secondary legislation, each as updated or replaced from time to time, including, as they may apply: (i) the General Data Protection Regulation ((EU) 2016/679) (the “GDPR”) and any applicable national implementing laws; (ii) the UK General Data Protection Regulation (“UK GDPR”) and the UK Data Protection Act 2018; (iii) U.S. legislation (e.g., the California Consumer Privacy Act and the California Privacy Rights Act); and (iv) any other laws that may be applicable. 

“Data Subject” means the identified or identifiable person to whom the Personal Data relates, as defined in the applicable Data Protection Laws. 

“End User” means the Customer’s customer that enables the integration between the Service and Partner’s platform in order for Merge to Process End User Personal Data for the benefit of the Customer.

“EU Standard Contractual Clauses” or “SCCs” or “Clauses” means the terms available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN and promulgated pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council 4 June.

“Personal Data” means any information relating to a Data Subject that is subject to the Data Protection Laws and that Merge Processes on behalf of Customer as described in Section 4 of this DPA.

“Processing” has the meaning given to it in the Data Protection Laws and “process”, “processes” and “processed” will be construed accordingly.

“Processor” means the entity or Service Provider which Processes Personal Data on behalf of the Controller, as defined in the applicable Data Protection Laws and for the purposes of this DPA means Customer.

“Subprocessor” means an entity or Service Provider engaged by Processor to Process Personal Data on behalf of the Controller, as defined in applicable Data Protection Laws and for purposes of this DPA means Merge or its Subprocessors.

  2. Compliance With Laws.

Each party will comply with the Data Protection Laws as applicable to it.

  3. Personal Data Obligations.

Customer undertakes that all instructions for the Processing of Personal Data under the Agreement or this DPA or as otherwise agreed will comply with the Data Protection Laws, and such instructions will not cause Merge to be in breach of any Data Protection Laws. Customer, to the extent that it shares Personal Data with Merge, is responsible for the means by which the Personal Data was acquired.

  4. Data Processing.

Merge will Process the Personal Data solely for the purposes of providing the Service and in accordance with Customer’s instructions as outlined in the Agreement and this DPA, or as otherwise documented by Customer, in either event only as permitted by applicable Data Protection Laws.

Unless prohibited by applicable law, Merge will notify Customer if in its opinion, an instruction infringes any Data Protection Laws to which it is subject, in which case Merge will be entitled to suspend performance of such instruction without liability to Merge, until Customer confirms in writing that such instruction is valid under the Data Protection Laws. Any additional instructions regarding the manner in which Merge Processes the Personal Data will require prior written agreement between Merge and Customer.

Merge will not disclose Personal Data to any government, except as necessary to comply with applicable law or a valid and binding order of a law enforcement agency (such as a subpoena or court order). If Merge receives a binding order from a law enforcement agency for Personal Data, Merge will notify Customer of the request it has received so long as Merge is not legally prohibited from doing so.

Merge will ensure that individuals with access to or involved in the Processing of Personal Data are subject to appropriate confidentiality obligations and/or are bound by related obligations under Data Protection Laws or other applicable laws.

Where Merge acts as Customer’s Service Provider, Merge shall not: (i) sell or share Personal Data; (ii) collect, retain, use, or disclose Personal Data (a) for any purpose other than providing the Service specified in the Agreement and this Addendum or (b) outside of the direct business relationship between Merge and Customer; or (iii) combine this Personal Data with Personal Data that Merge obtains from other sources except as permitted by applicable Data Protection Laws. Merge certifies that it understands the prohibitions outlined in this Section and will comply with them.

The duration of the Processing, the nature and specific purposes of the Processing, the types of Personal Data Processed, and categories of Data Subjects under this Addendum are further specified in the Annexes to this Addendum and, on a more general level, in the Agreement.

  5. Transfers of Personal Data.

Merge shall transfer Personal Data between jurisdictions as a Data Processor in accordance with applicable Data Protection Laws.

  1. Transfers of Personal Data Outside the EEA.

    1. Transfers to countries that offer adequate level of data protection. Personal Data may be transferred from EEA to other jurisdictions where such jurisdictions are deemed to provide an adequate level of data protection under applicable Data Protection Laws.
    2. Transfers to other third countries. If the Processing of Personal Data includes transfers from EEA/EU Member States to countries outside the EEA/EU which have not been deemed adequate under applicable Data Protection Laws, the parties’ EU Standard Contractual Clauses are hereby incorporated into and form part of this Addendum. The Parties agree to include the optional Clause 7 (Docking clause) to the EU SCCs incorporated into this Addendum. With regards to clauses 8 to 18 of the EU SCCs, the module and options will apply as follows:

      1. Module Three shall apply. 
      2. The Option within Clause 11(a) of the EU SCCs, providing for the optional use of an independent dispute resolution body, is not selected. 
      3. The Options and information required for Clauses 17 and 18 of the EU SCCs, covering governing law and jurisdiction, are outlined in Section 12 of this Addendum.
      4. Option 2 within Clause 9(a) of the EU SCCs, covering authorization for subprocessors, is selected, as discussed within Section 11 of this Addendum.
  2. Transfers of Personal Data Outside Switzerland. If Personal Data is transferred from Switzerland in a manner that would trigger obligations under the Federal Act on Data Protection of Switzerland (“FADP”), the EU SCCs shall apply to such transfers and shall be deemed to be modified in a manner that incorporates relevant references and definitions that would render such EU SCCs an adequate tool for such transfers under the FADP.
  3. Transfers of Personal Data Outside the UK. If Personal Data is transferred in a manner that would trigger obligations under UK GDPR, the parties agree (i) that Annex IV shall apply.
  4. Annexes. This Addendum and its Annexes, together with the Agreement, including as relevant applicable Clauses, serve as a binding contract that sets out the subject matter, duration, nature, and purpose of the Processing, the type of Personal Data and categories of data subjects as well as the obligations and rights of the parties. Merge may execute relevant contractual addenda, including as relevant the EU SCCs (Module 3) with any relevant Subprocessor (as hereinafter defined, including Affiliates). Unless Merge notifies Customer to the contrary, if the European Commission subsequently amends the EU SCCs at a later date, such amended terms will supersede and replace any EU SCCs executed between the parties.
  5. Alternative Data Export Solution. The parties agree that the data export solutions identified in this Section 5 will not apply if and to the extent that Merge adopts an alternative data export solution for the lawful transfer of Personal Data (as recognized under applicable Data Protection Laws), in which event, Customer shall reasonably cooperate with Merge to implement such solution and such alternative data export solution will apply instead (but solely to the extent such alternative data export solution extends to the territories to which Personal Data is transferred under this Addendum).
  6. Technical and Organizational Measures.

Merge will implement appropriate technical and organisational measures to ensure a level of security of the Personal Data appropriate to the risk, as further described in Annex II hereto. In assessing the appropriate level of security, Merge will take into account the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.

  7. Data Subject Rights.

Merge will assist Customer in responding to Data Subjects’ requests exercising their rights under the Data Protection Laws. To that effect, Merge will (a) to the extent permitted by applicable law, promptly notify Customer of any request received directly from Data Subjects to access, correct or delete its Personal Data without responding to that request, and (b) upon written request from Customer, provide Customer with information that Merge has available to reasonably assist Customer in fulfilling its obligations to respond to Data Subjects exercising their rights under the Data Protection Laws.

  8. Data Protection Impact Assessments.

If Customer is required under the Data Protection Laws to conduct a Data Protection Impact Assessment, then upon written request from Customer, Merge will assist where reasonably possible in the fulfilment of the Customer’s obligation as related to its use of the Service, to the extent Customer does not otherwise have access to the relevant information. If required under Data Protection Laws Merge will provide reasonable assistance to Customer in the cooperation or prior consultation with Data Protection Authorities in relation to any applicable Data Protection Impact Assessment.

  9. Audit of Technical and Organizational Measures.

Merge agrees to make available all information necessary to demonstrate its compliance with data protection policies and procedures implemented as part of the Service. To this end, upon written request (not more than once annually) Customer may, at its sole cost and expense, verify Merge’s compliance with its data protection obligations as specified in this DPA by: (i) submitting a security assessment questionnaire to Merge; and (ii) if Customer is not satisfied with Merge’s responses to the questionnaire, then Customer may conduct an audit in the form of meetings with Merge’s information security experts upon a mutually agreeable date. Such interviews will be conducted with a minimum of disruption to Merge’s normal business operations and subject to Merge’s agreement on scope and timings. The Customer may perform the audit described above either by itself or through a mutually agreed upon third party auditor, provided that Customer or its authorized auditor executes a mutually agreed upon non-disclosure agreement. Customer will be responsible for any actions taken by its authorized auditor. All information disclosed by Merge under this Section 9 will be deemed Merge Confidential Information, and Customer will not disclose any audit report to any third party except as obligated by law, court order or administrative order by a government agency. Merge will remediate any mutually agreed, material deficiencies in its technical and organizational measures identified by the audit procedures described in this Section 9 within a mutually agreeable timeframe.

  10. Breach notification

If Merge becomes aware of a Data Breach that results in unlawful or unauthorized access to, or loss, disclosure, or alteration of the Personal Data, then Merge will notify the Customer without undue delay and in any event, within seventy-two hours after becoming aware of such Data Breach and will co-operate with the Customer and take such reasonable commercial steps as agreed with the Customer to assist in the investigation, mitigation and remediation of such Data Breach. Merge will provide all reasonably required support and cooperation necessary to enable Customer to comply with its legal obligations in case of a Data Breach pursuant to applicable Data Protection Laws.

  11. Sub-processing.

Customer agrees that Merge may engage either Merge affiliated companies or third party providers as Subprocessors and hereby authorizes Merge to engage such Subprocessors in the provision of the Service. Merge will restrict the Processing activities performed by Subprocessors to only what is necessary to accomplish the purposes of the Agreement and this DPA. Merge will impose appropriate contractual obligations in writing upon the Subprocessors that are no less protective than this DPA, and Merge will remain responsible for the Subprocessors’ compliance with the obligations under this DPA.

Merge maintains a list of all Subprocessors at www.merge.dev/data-subprocessors. Merge may amend the list of Subprocessors by adding or replacing Subprocessors at any time and will use commercially reasonable efforts to provide Customer with fifteen (15) days’ advance notice of any updates so long as Customer subscribes to Merge’s notification list. Customer will be entitled to object to a new Subprocessor by notifying Merge in writing of the reasons for its objection. Merge will work in good faith to address Customer’s objections. If Merge is unable or unwilling to adequately address Customer’s objections to its reasonable satisfaction, then Customer may terminate this DPA and the Agreement, as specified in the Agreement.

  12. Governing Law.

This Addendum shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws. For the purposes of Clauses 17 and 18 of the EU SCCs, where applicable, to the extent that the governing law and jurisdiction provisions in the Agreement do not meet the requirements of the EU SCCs, the parties select Option 2 of Clause 17, and agree that the EU SCCs shall be governed by the law of the EU Member State in which the data exporter is established; where such law does not allow for third-party beneficiary rights, the EU SCCs shall be governed by the laws of the country of Ireland. Pursuant to Clause 18, any dispute between the Parties arising from the EU SCCs shall be resolved by the courts of Ireland, and the Parties submit themselves to such jurisdiction. For the purposes of Clause 13 of the EU SCCs, the Supervisory Authority shall be the data exporter’s applicable Supervisory Authority. Data exporter shall notify data importer of the applicable Supervisory Authority by email at privacy@merge.dev and shall provide any necessary updates without undue delay.

  13. Return or Deletion of Personal Data.

Unless otherwise required by applicable Data Protection Laws, Merge will delete or return, in Customer’s discretion and upon Customer’s written request, Personal Data within a reasonable period of time following the termination or expiration of the Agreement.

  14. Termination.

This Addendum shall automatically terminate upon the termination or expiration of the Agreement. This Addendum cannot, in principle, be terminated separately to the Agreement, except where the Processing ends before the termination of the Agreement, in which case, this Addendum shall automatically terminate.

  15. Entire Agreement; Conflict.

Except as amended by this DPA, the Agreement will remain in full force and effect. If there is a conflict between the Agreement and this DPA, the terms of this DPA will control.

APPENDIX

ANNEX I

A. LIST OF PARTIES

Data exporter(s):

The Customer as defined above.

Role: Processor 

Activities relevant to the data transferred under these Clauses: Purchase of access to and use of the Service under the Agreement

Data importer(s):

 Merge API Inc.

Role: Subprocessor 

Activities relevant to the data transferred under these Clauses: Processing of personal data for the Service pursuant to the Agreement.

Contact person’s name, position and contact details: Shensi Ding, Chief Executive Officer, privacy@merge.dev

Address:  353 Sacramento Street, San Francisco CA 94111

B. DESCRIPTION OF TRANSFER

  • Categories of data subjects whose personal data is transferred

    • Data subjects interacting with Data Exporter and its customers (e.g., account holders, job applicants, end-customers, prospective customers, employees, contractors, suppliers and end-users of the Data Exporter and the Data Exporter’s customers, vendors and partners).
  • Categories of personal data transferred

    • Categories of personal data selected by Data Exporter and shared with Data Importer via the Service. Categories may include data typically collected by ATS, HRIS and Accounting platforms, and may more specifically include name, address, email, phone number, authentication information, work history, transactional and account information, pay rate and tax information, health plan information, gender, marital status, veteran status, and other categories.
    • Note: Data Importer does not process sensitive data except to the extent transferred via the Service by Data Exporter’s end users.
  • The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

    • On a continuous basis during the Term of the Agreement
  • Nature of the processing

    • API integration services between platforms selected by the Data Exporter and made available by the Data Importer
  • Purpose(s) of the data transfer and further processing

    • For the Data Importer to provide the API integration Service to Data Exporter Processor as required under the Agreement.
  • The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

    • For the term of the Agreement and until notified by Data Exporter, or until deletion (via Service API) by Data Exporter or its customers
  • For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

    • For the Term of the Agreement.

C. COMPETENT SUPERVISORY AUTHORITY

  • Identify the competent supervisory authority/ies in accordance with Clause 13

    • The competent supervisory authority/ies applicable to Data Exporter as notified to Data Importer in accordance with Section 12 of the Addendum.

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Merge processes all personal data received from Customer, or on its behalf, under this DPA in conformity with the following technical and organizational measures:

Information Security Organization

  • Merge’s Information Security Policy outlines roles and responsibilities for personnel with responsibility for the security, availability, and confidentiality of the Product and Service.
  • The Head of Security is responsible for the design, implementation, and management of the organization’s security policies, which are reviewed at least annually. Annual review includes assessment of internal controls used in the achievement of Merge’s Service commitments and system requirements. Following review, any deficiencies are resolved in accordance with the Risk Assessment and Management Program.
  • The Security team also performs an annual formal risk assessment, which includes the identification of relevant internal and external threats related to security, availability, confidentiality, and fraud, and an analysis of risks associated with those threats. The Security team maintains a risk register, which records the risk mitigation strategies for identified risks, and the development or modification of controls consistent with the risk mitigation strategy.
  • The Security team is responsible for identifying and tracking incidents and creating a ‘lessons learned’ document and sharing it with the engineering team. The Engineering team is responsible for Software development and deployment.

Personnel Security

  • Merge has established a Code of Conduct outlining ethical expectations, behavior standards, and ramifications of noncompliance, as well as Acceptable Use, Data Protection, and Information Security Policies. Internal personnel acknowledge all codes and procedures within 30 days of hire.
  • Background checks are performed on full-time employees within 30 days of the employee’s start date as permitted by local laws. Reference checks are performed on contractors who have access to production data.
  • Internal personnel complete annual training programs for information security to help them understand their obligations and responsibilities related to security.

Access Controls and Asset Management

  • Internal users are provisioned access to systems based on role as defined in the access matrix, which is reviewed and approved annually by the Head of Security.  Designated system owners approve any additional access required outside the access matrix.
  • The Security team conducts quarterly user access reviews of production servers, databases, and applications to validate internal user access is commensurate with job responsibilities. Identified access changes are tracked to remediation.
  • Access to production machines, network devices, and support tools requires a unique ID.
  • Internal user access to systems and applications with service data requires two-factor authentication in the form of user ID / password, one-time passcode or other industry best practice.
  • Merge has formal policies for password strength and use of authentication mechanisms. 
  • Production infrastructure is restricted to users with a valid SSH key; administrative access to production servers and databases is restricted to the Back-end Engineering team.
  • Upon termination or when internal users no longer require access, infrastructure and application access is removed within one business day.
  • Internal use of the internal admin tool is logged. These logs are reviewed monthly for appropriateness.
  • Firewall configurations help ensure available networking ports and protocols are restricted to approved business rules.
  • The Engineering team maintains a list of the company’s system components, owners, and their business function, and the Head of Security reviews this list annually.

Incident Management and Business Continuity

  • Merge’s Incident Response Plan outlines the process of identifying, prioritizing, communicating, assigning, and tracking incidents through to resolution.
  • The Security team tracks identified incidents according to the Incident Response Plan and creates a ‘lessons learned’ document after each high or critical incident. This document is shared with the Engineering team to make any required changes.
  • The Developer Operations team maintains a disaster recovery plan, which is tested at least annually. The Engineering team reviews test results and makes changes to the plan accordingly.

Change Controls

  • Merge’s Change Management Process and Standard governs the system development life cycle, including documented policies for tracking, testing, approving, and validating changes.
  • System changes are tested via automated test scripts prior to being deployed into production. 
  • Code merge requests are independently peer reviewed prior to integrating the code change into the master branch.
  • System users who make changes to the development system are unable to deploy their changes to production without independent approval.
  • The Engineering team uses a tool to enforce standard production images for production servers.
  • Configuration changes are tested (if applicable) and approved prior to being deployed into production.
  • The production and testing environments are segregated; production data is not used in the development and testing environments.

Data and Availability Controls

  • Merge’s Data Protection Policy details the security and handling protocols for service data.
  • Full backups are performed daily and retained in accordance with the Backup Policy. The Engineering team restores backed-up data at least annually to validate the integrity of backups.
  • Access to erase or destroy customer data is limited to the Chief Technology Officer and back-end engineers.
  • Data that is no longer needed is deleted from databases and other file stores in accordance with agreed-upon customer requirements. Merge further provides Customers with tools to delete certain data directly.
  • Merge’s Encryption and Key Management Policy supports the secure encryption and decryption of app secrets, and governs the use of cryptographic controls.
  • Encryption is used to protect the transmission of data over the internet; service data is encrypted at rest.
  • The Engineering team encrypts hard drives for portable devices with full disk encryption.
  • System tools monitor company load balancers and notify appropriate personnel of any events or outages based on predetermined criteria. Any identified issues are tracked through resolution in accordance with the Incident Response Plan.
  • The platform is configured to operate across availability zones to support continuous availability.

Vendor and Vulnerability Management

  • Merge’s Vendor Risk Management Policy defines a framework for the onboarding and management of the vendor relationship lifecycle. The Security team assesses new vendors according to the Vendor Risk Management Policy prior to engaging with the vendor.
  • Merge’s Vulnerability Management and Patch Program outlines the procedures to identify, assess, and remediate identified vulnerabilities.
  • Vulnerability scans are executed monthly on production systems. The Chief Technology Officer and the Engineering team track critical or high-risk vulnerabilities through resolution. Management has implemented intrusion prevention and detection tools to provide monitoring of network traffic to the production environment.
  • The Engineering team uses logging and monitoring software to collect data from servers and endpoints, and detect potential security threats and unusual system activity.
  • Malware detection software is installed on susceptible endpoints that can access the production environment and is configured to perform daily scans.
  • The Engineering team uses alerting software to notify impacted teams of potential security and availability events.

ANNEX III

LIST OF SUB-PROCESSORS

The controller has authorised the use of the Subprocessors listed at the following website:

merge.dev/data-subprocessors

ANNEX IV

UK ADDENDUM TO EU STANDARD CONTRACTUAL CLAUSES

PART 1: TABLES

Table 1: Parties

Start date | Effective the date of the execution of the Addendum
The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer)
 | As listed in Annex I | As listed in Annex I
Parties’ Details | As listed in Annex I | As listed in Annex I
Key Contacts | As listed in Annex I | As listed in Annex I

Table 2: Selected SCCs, Modules and Selected Clauses

“Addendum EU SCCs” The version of the approved EU SCCs agreed to in the Addendum to which this UK Addendum is appended to, including the Appendix Information.

Table 3: Appendix Information

"Appendix Information" means the information which must be provided for the selected modules as set out in the Appendix of the Approved SCCs (other than the Parties), and which for this UK Addendum is set out in:

Annex 1A: List of Parties: See Annex I
Annex 1B: Description of Transfer: Annex I
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: Annex II
Annex III: List of Sub processors: Annex III

Table 4: Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum changes
Which Parties may end this Addendum:
☐ Importer
☐ Exporter
☐ neither Party

PART 2: MANDATORY CLAUSES
“Mandatory Clauses” Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.

Last Updated: June 6, 2025
