Data Processing Agreement

Parties and Background

(A) Partner has entered into an agreement with Gigs Wireless, LLC. (“Gigs”) (each a “Party” and collectively the “Parties”) under which Gigs has agreed to provide Services to Partner (as amended from time to time) entered into on the date of signature (the “Agreement”). 

(B) In the course of providing the Services under the Agreement, Gigs will process Partner Personal Data. This Data Processing Agreement (“DPA”) regulates the data protection obligations of the Parties when processing Partner Personal Data.

1. Definitions

1.1. Capitalized terms used but not defined within this DPA shall have the meaning set forth in the Agreement. The following capitalized terms used in this DPA shall be defined as follows:

“Applicable Law” means all laws, rules and regulations applicable to either Party’s performance under this DPA, including but not limited to those applicable to the processing of personal data. This means, in particular, the GDPR and all national laws validly amending the applicable rules for the processing of personal data as well as the CCPA.

“Approved Addendum” means the template addendum, version B.1.0 issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018 and laid before the UK Parliament on 2 February 2022, as it may be revised according to Section 18 of the Mandatory Clauses;

“CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq., including any amendments and any implementing regulations;

“EEA” means the European Economic Area including the European Union (“EU”);

“GDPR” means Regulation (EU) 2016/679 (the “EU GDPR”) or, where applicable, the “UK GDPR” as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the UK European Union (Withdrawal) Act 2018 or, where applicable, the equivalent provision under Swiss data protection law;

“Instruction” means any documented instruction, submitted by Partner to Gigs, directing Gigs to perform a specific action with regard to personal data, including but not limited to the description of the Services to be provided by Gigs under the Agreement.

“Mandatory Clauses” means “Part 2: Mandatory Clauses” of the Approved Addendum;

“Member State” means a member state of the EEA, being a member state of the European Union, Iceland, Norway, or Liechtenstein;

“Partner Affiliate” means an Affiliate of the Partner who is a beneficiary to the Agreement;

“Partner Personal Data” means Personal Data processed by Gigs (as a processor) on behalf of Partner or Partner Affiliate in connection with the provision of the services under the Agreement;

“Personal Data” means any information relating to an identified or identifiable individual or device, or is otherwise “personal data,” “personal information,” “personally identifiable information” and similar terms, and such terms shall have the same meaning as defined by Applicable Law(s);

“Processor” means a person or entity that processes Personal Data on behalf of and under the instructions of the Controller and includes the term “service provider” as defined under the CCPA;

“Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to (including unauthorized internal access to), Partner Personal Data;

“Standard Contractual Clauses” or “SCCs” means Module Two (controller to processor) and/or Module Three (processor to processor) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914;

“Sub-processor” means Gigs’ subsidiaries and affiliates and third-party processors appointed by Gigs to process Partner Personal Data;

“Supervisory Authority” means “supervisory authority” as defined by the GDPR or a regulatory authority with jurisdiction to enforce applicable laws, including data protection laws, against one of the Parties; and

“UK” means the United Kingdom of Great Britain and Northern Ireland.

2. Interaction With The Agreement

2.1. This DPA is incorporated into and forms an integral part of the Agreement and shall be effective and replace any previously applicable data processing and security terms as of the effective date of the Agreement (“Effective Date”). This DPA supplements and (in case of contradictions) supersedes the Agreement with respect to any processing of Partner Personal Data.

2.2. Any processing operation as described in clause 4 and Schedule 1 to this DPA shall be subject to this DPA.

2.3. Partner Affiliates shall be beneficiaries under this DPA and – through Partner (see clauses 2.4 and 2.5) – be entitled to enforce all rights in relation to the Partner Personal Data provided by the respective Affiliate. Partner will ensure that all obligations under this DPA will be passed on to the respective Affiliate. 

2.4. Partner warrants that it is duly mandated by any Partner Affiliates on whose behalf Gigs processes Partner Personal Data in accordance with this DPA to (a) enforce the terms of this DPA on behalf of the Partner Affiliates, and to act on behalf of the Partner Affiliates in the administration and conduct of any claims arising in connection with this DPA; and (b) receive and respond to any notices or communications under this DPA on behalf of Partner Affiliates. 

2.5. Partner shall be the only point of contact for all communication between the Partner Affiliates and Gigs.

3. Role of the Parties

The Parties acknowledge and agree that: 

(a) Partner is a controller for the Personal Data processed pursuant to the Agreement;

(b) Gigs is either a controller or a processor for the Personal Data it processes pursuant to the Agreement. Gigs acts as a processor to the extent it processes Personal Data only on behalf of and subject to the written instructions of Partner or controller.

4. Details of Data Processing

4.1. The details of the data processing (such as subject matter, nature and purpose of the processing, categories of Personal Data and Affected Individuals) are described in the Agreement and in Schedule 1 to this DPA. 

4.2. Partner Personal Data will only be processed on behalf of and under the instructions of Partner and in accordance with Applicable Law. The Agreement and this DPA shall generally constitute Instructions for the processing of Partner Personal Data unless otherwise agreed to by the Parties in writing.

4.3. To the extent that any of the Instructions require processing of Partner Personal Data in a manner that falls outside the scope of the Gigs Platform Services or the Connectivity Services, Gigs may:

(a) make the performance of any such Instructions subject to the payment by the Partner of any costs and expenses incurred by Gigs or such additional charges as Gigs may reasonably determine; or

(b) terminate the Agreement and the Services. 

4.4. Where Partner processes Personal Data in the scope of this DPA based on consent, this consent shall include the anonymization of said Personal Data for research and development purposes by Gigs. Partner shall inform Gigs if such consent has been obtained.

4.5. In case Partner anonymizes Personal Data in the scope of this DPA, Partner shall make this anonymized Personal Data available to Gigs for research and development purposes.

4.6. Gigs may (without prejudice to clause 12) store and process Partner Personal Data anywhere Gigs or its Sub-processors maintain facilities, subject to clause 5 of this DPA.

5. Sub-Processors

5.1. Partner agrees that Gigs may engage subprocessors, subcontractors and other providers who may process Personal Data on behalf of Gigs and as necessary to enable Gigs to provide the services pursuant to the Agreement.

5.2. To the extent Gigs acts as a processor (or Sub-processor), Partner grants Gigs general authorization to engage Sub-processors, subject to this Clause 5.

5.3. Gigs shall (i) enter into a written agreement with each Sub-processor imposing data protection obligations that, in substance, are no less protective of Partner Personal Data than Gigs’ obligations under this DPA to the extent applicable to the nature of the services provided by such Sub-processor; and (ii) remain liable for each Sub-processor’s compliance with the obligations under this DPA. 

5.4. Gigs shall provide Partner with at least two (2) weeks’ notice of any proposed changes to the Sub-processors it uses to process Partner Personal Data (including any addition or replacement of any Sub-processors via email including a link to the updated list of processors as referred to in clause 5.1.). Partner may object to Gigs’ use of a new Sub-processor (including when exercising its right to object under clause 9(a) of the SCCs if applicable) by providing Gigs with written notice of the objection within ten (10) days after Gigs has provided notice to Partner of such proposed change (an “Objection”). If Partner does not object to the engagement within the objection period, consent regarding the engagement shall be assumed. In the event Partner objects to Gigs’ use of a new Sub-processor, Partner and Gigs will work together in good faith to find a mutually acceptable resolution to address such Objection. If the Parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, either Party may, as its sole and exclusive remedy, terminate the portion of the Agreement relating to the Gigs Platform Service affected by such change by providing written notice to the other Party. During any such Objection period, Gigs may suspend the affected portion of the Gigs Platform Services. Partner may only request a pro-rata refund if Partner can prove that the Objection is based on justified reasons of non-compliance with Applicable Law.

6. Data Subject Rights Requests

6.1. Either Party will forward to the other Party, without undue delay, any Data Subject Request received by Gigs, in its capacity as a Processor, or by any Sub-processor from an individual in relation to their Partner Personal Data and may advise the individual to submit their request directly to Partner.

6.2. Gigs will (taking into account the nature of the processing of Partner Personal Data) provide Partner with self-service functionality through the Services or other reasonable assistance as necessary for Partner to fulfill its obligation under Applicable Law to respond to Data Subject Requests, including if applicable, Partner’s obligation to respond to requests for exercising the rights set out in the GDPR or CCPA. 

7. Security and Audits

7.1. Gigs will implement and maintain appropriate technical and organizational data protection and security measures designed to ensure security of Partner Personal Data, including, without limitation, protection against unauthorized or unlawful processing (including, without limitation, unauthorized or unlawful disclosure of, access to and/or alteration of Partner Personal Data) and against accidental loss, destruction, or damage of or to it. When assessing the appropriate level of security, account shall be taken in particular of the nature, scope, context and purpose of the processing as well as the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.

7.2. Gigs will implement and maintain as a minimum standard the measures set out in Schedule 2. Gigs may update or modify the security measures set out in Schedule 2 from time to time, including (where applicable) following any review by Gigs of such measures in accordance with clause 7.3 of the SCCs, provided that such updates and/or modifications will not reduce the overall level of protection afforded to the Partner Personal Data by Gigs under this DPA. By notifying, Gigs grants to Partner the opportunity to object to such modifications within four (4) weeks. Partner shall only be entitled to object to any modification in the case that the modification does not meet the requirements pursuant to clause 7.1. If Partner does not object to the modification within the objection period, consent regarding the modifications shall be assumed. In case of an objection, Gigs may suspend the portion of the Service which is affected by the objection of Partner. Partner shall not be entitled to a pro-rata refund of remuneration for the Services, unless Partner can prove that the obligations pursuant to clause 7.1 have not been met.

7.3. With respect to any audits the Parties agree that:

(a) all such audits shall be conducted:

(i) upon reasonable written notice to Gigs; 

(ii) only once per year, unless there are specific indications that require a more frequent audit or to the extent further audits are required by Applicable Law;

(iii) only during Gigs’ normal business hours; and

(iv) in a manner that does not disrupt Gigs’ business;

(b) the Partner shall:

(i) enter into a confidentiality agreement with Gigs prior to conducting the audit; and

(ii) ensure that its personnel comply with Gigs’ policies and procedures when attending Gigs’ premises, as notified to the Partner by Gigs.

7.4. To conduct such audit, Partner may engage a third-party auditor subject to such auditor complying with the requirements under clause 7.3 and provided that such auditor is suitably qualified, independent and not a competitor of Gigs.

7.5. To request an audit, Partner must submit a detailed proposed audit plan to Gigs at least two weeks in advance of the proposed audit date. Gigs will review the proposed audit plan and work cooperatively with Partner to agree on a final audit plan. All such audits must be conducted subject to the agreed final audit plan and Gigs’ health and safety or other relevant policies. Nothing in this clause 7.5 shall require Gigs to breach any duties of confidentiality.

7.6. Partner will promptly notify Gigs of any non-compliance discovered during the audit and provide Gigs any audit reports generated in connection with any audit, unless prohibited by applicable law or otherwise instructed by a regulatory or governmental authority. Partner may use the audit reports only for the purposes of meeting Partner’s regulatory audit requirements and/or confirming compliance with the requirements of this DPA.

7.7. Partner shall bear the costs for any audit initiated by Partner, unless the audit reveals material non-compliance with the requirements of this DPA. 

7.8. Upon request, Gigs shall provide to Partner documentation reasonably evidencing the implementation of the technical and organizational data security measures in accordance with industry standards. Gigs may, in its discretion provide data protection compliance certifications issued by a commonly accepted certification issuer which has been audited by a data security expert, or by a publicly certified auditing company. If the requested audit scope is addressed in such a certification produced by a qualified third-party auditor within twelve (12) months of Partner’s audit request and Gigs confirms there are no known material changes in the controls audited, Partner agrees to accept those findings in lieu of requesting an audit of the controls covered by the report.

7.9. Gigs shall audit its Sub-processors on a regular basis and will, upon Partner’s request, confirm their compliance with data protection law and the obligations set upon Sub-processors according to the data processing agreement concluded with them. Partner may request Gigs to conduct further audits only in the event reasonably justified, and in such cases Gigs will conduct further audits to the extent permissible.

8. Security Incidents  

Gigs shall notify Partner in writing without undue delay after becoming aware of any Security Incident, and reasonably cooperate in any obligation of Partner under Applicable Law to make any notifications, such as to individuals or supervisory authorities. Gigs shall take reasonable steps to contain, investigate, and mitigate any Security Incident, and shall send Partner timely information about the Security Incident, including, but not limited to, the nature of the Security Incident, the measures taken to mitigate or contain the Security Incident, and the status of the investigation. Gigs’ notification of or response to a Security Incident under this clause 8 will not be construed as an acknowledgement by Gigs of any fault or liability with respect to the Security Incident.

Gigs will provide reasonable assistance with Partner’s investigation of the possible Security Incident and any obligation of Partner under applicable law to make any notifications necessary under applicable data protection law, such as in relation to individuals or supervisory authorities.

9. Costs

The Partner shall pay to Gigs on demand all costs and expenses incurred by Gigs in connection with:

(a) implementing any changes to the Gigs Platform Services under clause 5.4;

(b) facilitating and contributing to any audits of Gigs under or clauses 8.9(c) and (d) of the Standard Contractual Clauses (if applicable);

(c) facilitating and contributing to any audits of Gigs conducted by a supervisory authority; and

(d) responding to queries or requests for information from the Partner relating to the processing of Partner Personal Data under clauses 8.9(a), 8.9(c) or 8.9(e) of the Standard Contractual Clauses (if applicable);

(e) any assistance provided by the Processor to the Partner with its fulfillment of its obligations to respond to data subjects’ requests that go beyond what is provided as self-service functionality through the Services for the exercise of their rights under the GDPR; and

(f) any assistance provided by the Processor to the Partner with any TIAs (as defined below), data protection impact assessments or prior consultation with any supervisory authority of the Partner.

10. Deletion and Return

Gigs shall, within sixty (60) days of the date of termination or expiry of the Agreement, unless prohibited by Applicable Law, (a) if requested to do so by Partner within that period, return a copy of all Partner Personal Data or provide a self-service functionality allowing Partner to do the same; and (b) delete all other copies of Partner Personal Data processed by Gigs or any Sub-processors.

11. Contract Period

This DPA will commence on the Effective Date and, notwithstanding any termination of the Agreement, will remain in effect until, and automatically expire upon, Gigs’ deletion of all Partner Personal Data as described in this DPA.

12. Standard Contractual Clauses

The Parties agree that the terms of the Standard Contractual Clauses Module Two (Controller to Processor) and Module Three (Processor to Processor), as further specified in Schedule 3 of this DPA, are hereby incorporated by reference and shall be deemed to have been executed by the Parties and apply to any transfers of Partner Personal Data falling within the scope of the GDPR from Partner (as data exporter) to Gigs (as data importer). 

13. Support for Cross Border Data Transfers

Gigs will provide Partner reasonable support to enable Partner’s compliance with the requirements imposed on the transfer of Personal Data to third countries with respect to data subjects located in the EEA, Switzerland, and UK. Gigs will, upon Partner’s request, provide information to Partner which is reasonably necessary for Partner to complete a transfer impact assessment (“TIA”). Gigs further agrees to implement the supplementary measures agreed upon and set forth in Schedule 4 of this DPA in order to enable Partner’s compliance with requirements imposed on the transfer of personal data to third countries under the GDPR. 

14. Partner Personal Data Subject to the UK and Swiss Data Protection Laws

To the extent that the processing of Partner Personal Data is subject to UK or Swiss data protection laws, the UK Addendum and/or Swiss Addendum (as applicable) set out in Schedule 5 shall apply.

15. Partner Personal Data Subject to the CCPA

15.1. If the CCPA applies and Partner or Partner Affiliates provide Gigs any Partner Personal Data that is “personal information” under the CCPA, Gigs will:

(a) act as a service provider with regard to such personal information;

(b) retain, use, and disclose such personal information solely for the purpose of performing the Services or as otherwise permitted under the CCPA;

(c) not sell Partner Personal Data to another business or third party. Notwithstanding the foregoing, disclosures to a third party in the context of a merger, acquisition, bankruptcy, or other transaction shall be permitted in accordance with the terms of the Agreement; and

(d) provide reasonable assistance to Partner in responding to requests from consumers pursuant to the CCPA with regard to their personal information, and in accordance with clause 6 of this DPA. 

15.2. If the CCPA applies, then Gigs certifies that it understands the foregoing obligations and shall comply with them for the duration of the Agreement and for as long as Gigs processes Partner Personal Data.

16. Schedule 1: Details of Processing

A. List of Parties

1. Data Exporter

Partner and/or the Partner Affiliates operating in the countries which comprise the European Economic Area, UK and/or Switzerland and/or – to the extent agreed by the Parties - Partner and/or the Partner Affiliates in any other country to the extent the GDPR applies. 

Partner and Partner Affiliate’s contact person’s name, position and contact details as well as (if appointed) the data protection officer’s name and contact details and (if relevant) the representative’s contact details will be notified to Gigs prior to the processing of personal data via email to support@gigs.com.

The activities relevant to the data transfer under these Clauses are defined by the Agreement and the data exporter who decides on the scope of the processing of personal data in connection with the Services further described in Section B of this Schedule 1.

2. Data Importer 

Gigs, 2261 Market Street #4288, San Francisco, CA 94114

The data importer’s contact person and contact details will be disclosed to Partner upon request. 

The data importer’s activities relevant to the data transfer under these Clauses are as follows: the data importer processes personal data provided by the data exporter on behalf of the data exporter in connection with providing the services under this Agreement to the data exporter as further described in Section B of this Schedule 1 and in the Agreement.

B. Description of Transfer

3. Categories of data subjects

The categories of data subjects whose Personal Data are transferred: the End Users of Partner.

4. Categories of personal data

The transferred categories of Personal Data are: full name, email address, residential address, payment method, payment amount.

5. Frequency of the transfer 

The transfer is performed from time to time and is determined by Partner’s configuration of the Gigs Platform Services.

6. Purpose(s) of the data transfer and further processing

The purpose/s of the data transfer and further processing is: Partner’s management of the End Users’ use of Connectivity Services and/or User Facing Platform Services.

7. Duration

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: the retention period corresponds to the duration of this DPA as defined in clause 11 of the DPA.

C. Competent Supervisory Authority

Identify the competent supervisory authority/ies in accordance with clause 13 of the SCCs

Where the data exporter is established in an EU Member State: The supervisory authority of the country in which the data exporter is established is the competent authority.

Where the data exporter is not established in an EU Member State but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of the GDPR: The competent supervisory authority is the one of the Member State in which the representative is established.

Where the data exporter is not established in an EU Member State but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) without, however, having to appoint a representative pursuant to Article 27(2) of the GDPR: The competent supervisory authority is the supervisory authority [Germany].

17. Schedule 2: Technical and Organizational Measures

1. Pseudonymisation and Encryption, Art. 32 para 1 point a GDPR

Pseudonymisation contains measures that enable one to process personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is stored separately, and is subject to appropriate technical and organizational measures. Encryption contains measures that enable one to convert clearly legible information into an illegible string by means of a cryptographic process.

  • Stored data is encrypted where appropriate, including any backup copies of the data

2. The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, Art. 32 para 1 point b GDPR

Confidentiality and integrity are ensured by the secure processing of personal data, including protection against unauthorized or unlawful processing and integrity and availability by measures to protect against accidental loss, destruction or damage.

2.1 Confidentiality

2.1.1. Physical access control

Measures that prevent unauthorized persons from gaining access to data processing systems with which personal data are processed or used.

  • Physical access control systems

  • Definition of authorized persons; management and documentation of individual authorizations

  • Regulation of visitors and external staff

  • Monitoring of all facilities housing IT systems 

  • Logging of physical access

2.1.2 System/Electronic access control

Measures that prevent data processing systems from being used without authorization.

  • User authentication by simple authentication methods (using username/password), including two-factor authentication where adequate 

  • Secure transmission of credentials (using TLS)

  • Automatic account locking 

  • Suspending inactive sessions

  • Guidelines for handling passwords and certificates

  • Definition of authorized persons

  • Managing means of authentication

  • Access control to infrastructure that is hosted by cloud service provider

  • In-time revocation of access for people who no longer need access / leave the company

  • Automated alerting on illegal attempts to log in to systems directly or indirectly connected to Personal Data

  • Unique credentials per user 

  • Use of jump server to restrict access where adequate

2.1.3 Internal Access Control

Measures that ensure that persons entitled to use a data processing system have access only to the Personal Data to which they have a right of access, and that Personal Data cannot be read, copied, modified or removed without authorization in the course of processing or use and after storage.

  • Automatic and manual locking 

  • Access right management

  • Access right management including authorization concept, implementation of access restrictions, implementation of the “need-to-know” principle, managing of individual access rights

2.1.4 Isolation/Separation Control

Measures to ensure that Personal Data collected for different purposes can be processed (storage, amendment, deletion, transmission) separately.

  • Network separation

  • Segregation of responsibilities and duties

  • Document procedures and applications for the separation

2.1.5 Job Control

Measures that ensure that, in the case of commissioned processing of Personal Data, the Personal Data is processed strictly in accordance with the instructions of the principal.

  • Training and confidentiality agreements for internal staff and external staff

  • Information security assessment for vendors/partners

2.2. Integrity

2.2.1 Data Transmission Control

Measures that ensure that personal data cannot be read, copied, modified or removed without authorization during electronic transmission or transport, and that it is possible to check and establish to which bodies the transfer of Personal Data by means of data transmission facilities is envisaged.

  • Secure transmission between client and server and to external systems by using industry-standard encryption 

  • Secure network interconnections ensured by Firewalls, anti-virus programs, routinely patching software etc.

  • Logging of transmissions of data from IT system that stores or processes Personal Data

2.2.2 Data Input Control

Measures that ensure that it is possible to check and establish whether and by whom Personal Data have been input into data processing systems, modified or removed.

  • Logging authentication and monitored logical system access

  • Logging of data access including, but not limited to access, modification, entry and deletion of Personal Data

  • Documentation of data entry rights and partially logging security related entries.

2.3 Availability and Resilience of Processing Systems and Services

Availability includes measures that ensure that Personal Data is protected from accidental destruction or loss due to internal or external influences. Resilience of processing systems and services includes measures that ensure the ability to withstand attacks or to quickly restore systems to working order after an attack.

  • Tape-media based backup solution

  • Implementation of transport policies

  • Backup concept

  • Protection of stored backup media

3. The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident, Art. 32 para 1 point c GDPR

Organizational measures that ensure the possibility to quickly restore the system or Personal Data in the event of a physical or technical incident.

  • Continuity planning (Recovery Time Objective) 

4. A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing, Art. 32 para 1 point d GDPR

Organizational measures that ensure the regular review and assessment of technical and organizational measures.

  • Testing of emergency equipment

  • Documentation of interfaces and personal data fields

  • Internal assessments

18. Schedule 3: Standard Contractual Clauses

For the purposes of the Standard Contractual Clauses:

  1. Module Two respectively Module Three shall apply in the case of the processing under clause 3.1(a)(i) of the DPA and Module Three shall apply in the case of processing under clause 3.1(a)(ii) of the DPA.

  2. Clause 7 of the Standard Contractual Clauses (Docking Clause) does not apply.

  3. Clause 9(a) option 2 (General written authorization) is selected, and the time period to be specified is determined in clause 5.3 of the DPA.

  4. The option in Clause 11(a) of the Standard Contractual Clauses (Independent dispute resolution body) does not apply.

  5. With regard to Clause 17 of the Standard Contractual Clauses (Governing law), the Parties agree that, option 1 shall apply and the governing law shall be the law of the Republic of Ireland. 

  6. In Clause 18 of the Standard Contractual Clauses (Choice of forum and jurisdiction), the Parties submit themselves to the jurisdiction of the courts of the Republic of Ireland. 

  7. For the Purpose of Annex I of the Standard Contractual Clauses, Schedule 1 of the DPA contains the specifications regarding the Parties, the description of transfer, and the competent supervisory authority.

  8. For the Purpose of Annex II of the Standard Contractual Clauses, Schedule 2 of the DPA contains the technical and organizational measures. 

  9. The specifications for Annex III of the Standard Contractual Clauses are determined by clause 5.1 of the DPA. The Sub-processor’s contact person’s name, position and contact details will be provided by Gigs upon request.

19. Schedule 4: Additional Supplementary Measures

Gigs further commits to implementing supplementary measures based on guidance provided by EU supervisory authorities in order to enhance the protection of Partner Personal Data and Personal Data in relation to the processing in a third country, as described in this Schedule 4.

1. Additional Technical Measures

1.1. Encryption

☒ The Personal Data is transmitted (between the Parties and by Processor between data centers as well as to a Sub-processor and back) using strong encryption.

Hereby, it is ensured that:

  • the encryption protocols employed are state-of-the-art and provide effective protection against active and passive attacks with resources known to be available to the public authorities of this third country,

  • the parties involved in the communication agree on a trustworthy public-key certification authority or infrastructure,

  • specific protective and state-of-the-art measures are used against active and passive attacks on the sending and receiving systems providing transport encryption, including tests for software vulnerabilities and possible backdoors,

  • in case the transport encryption does not provide appropriate security by itself due to experience with vulnerabilities of the infrastructure or the software used, personal data is also encrypted end-to-end on the application layer using state-of-the-art encryption methods,

  • the encryption algorithm and its parameterization (e.g., key length, operating mode, if applicable) conform to the state-of-the-art and can be considered robust against cryptanalysis performed by the public authorities when data is transiting to this third country taking into account the resources and technical capabilities (e.g., computing power for brute-force attacks) available to them,

  • the strength of the encryption takes into account the specific time period during which the confidentiality of the encrypted personal data must be preserved,

  • the encryption algorithm is implemented correctly and by properly maintained software without known vulnerabilities the conformity of which to the specification of the algorithm chosen has been verified, e.g., by certification,

  • the keys are reliably managed (generated, administered, stored, if relevant, linked to the identity of the intended recipient, and revoked), by Partner or by an entity trusted by Partner under a jurisdiction offering an essentially equivalent level of protection.

2. Additional Organizational Measures

2.1. Internal policies for governance of transfers especially with groups of enterprises

☒ Adoption of adequate internal policies with clear allocation of responsibilities for data transfers, reporting channels and standard operating procedures for cases of formal or informal requests from public authorities to access the data

Especially in case of transfers among groups of enterprises, these policies may include, among others, the appointment of a specific team, composed of experts on IT, data protection and privacy laws, to deal with requests that involve personal data transferred from the EEA; the notification to the senior legal and corporate management and to Partner upon receipt of such requests; the procedural steps to challenge disproportionate or unlawful requests and the provision of transparent information to data subjects.

☒ Development of specific training procedures for personnel in charge of managing requests for access to personal data from public authorities, which should be periodically updated to reflect new legislative and jurisprudential developments in the third country and in the EEA. 

The training procedures should include the requirements of EU law as to access by public authorities to personal data, in particular as following from Article 52(1) of the Charter of Fundamental Rights. Awareness of personnel should be raised in particular by means of assessment of practical examples of public authorities’ data access requests and by applying the standard following from Article 52(1) of the Charter of Fundamental Rights to such practical examples. Such training should take into account the particular situation of the Processor, e.g. legislation and regulations of the third country to which Processor is subject to, and should be developed where possible in cooperation with Partner.

2.2. Organizational methods and data minimization measures

☒ Already existing organizational requirements under the accountability principle, such as the adoption of strict and granular data access and confidentiality policies and best practices, based on a strict need-to-know principle, monitored with regular audits and enforced through disciplinary measures. Data minimization should be considered in this regard, in order to limit the exposure of personal data to unauthorized access. For example, in some cases it might not be necessary to transfer certain data (e.g. in case of remote access to EEA data, such as in support cases, when restricted access is granted instead of full access; or when the provision of a service only requires the transfer of a limited set of data, and not an entire database).

2.3. Others

☒ Adoption and regular review by Processor of internal policies to assess the suitability of the implemented complementary measures and identify and implement additional or alternative solutions when necessary, to ensure that an essentially equivalent level of protection to that guaranteed within the EEA of the personal data transferred is maintained.

3. Additional Contractual Measures 

3.1. Transparency obligations

☒ Processor declares that (1) it has not purposefully created back doors or similar programming that could be used to access the system and/or personal data, (2) it has not purposefully created or changed its business processes in a manner that facilitates access to personal data or systems, and (3) that national law or government policy does not require Processor to create or maintain back doors or to facilitate access to personal data or systems or for Processor to be in possession or to hand over the encryption key.

3.2. Obligations to take specific actions

☒ In case of any order to disclose or to grant access to the personal data, Processor commits to inform the requesting public authority of the incompatibility of the order with the safeguards contained in the Article 46 GDPR transfer tool and the resulting conflict of obligations for Processor. 

3.3. Empowering data subjects to exercise their rights

☒ The Parties commit to reasonably assist the data subject in exercising his/her rights in the third country jurisdiction through ad hoc redress mechanisms and legal counselling.

☒ The Parties commit to reasonably assist the data subject to seek information and an effective redress in the EU (e.g., by lodging a claim with a competent supervisory authority and/or judicial authority in the EU).

☒ Processor commits to fairly compensate the data subject for any material and non-material damage suffered because of the disclosure of his/her personal data transferred under the chosen transfer tool in violation of the commitments it contains.

Notwithstanding the foregoing, Gigs shall have no obligation to indemnify the data subject to the extent the data subject has already received compensation for the same damage. 

Compensation is limited to material and non-material damages as provided in the GDPR and excludes consequential damages and all other damages not resulting from Gigs' infringement of the GDPR.

20. Schedule 5

1. UK Addendum

With respect to any transfers of Customer Personal Data falling within the scope of the UK GDPR from Customer (as data exporter) to Gigs (as data importer):

1.1 the Approved Addendum as further specified in this Schedule 5 shall form part of this DPA, and the Standard Contractual Clauses shall be read and interpreted in light of the provisions of the Approved Addendum, to the extent necessary according to Clause 12 lit. 1 of the Mandatory Clauses;

1.2 In deviation to Table 1 of the Approved Addendum and in accordance with Clause 16 of the Mandatory Clauses, the parties are further specified in Schedule 1,A. of this DPA.

1.3 The selected Modules and Clauses to be determined according to Table 2 of the Approved Addendum are further specified in Schedule 3 of this DPA as amended by the Mandatory Clauses.

1.4 Annex 1 A and B of Table 3 to the Approved Addendum are specified by Schedule 1 of this DPA, Annex II of the Approved Addendum is further specified by Schedule 2 of this DPA, and Annex III of the Approved Addendum is further specified by Schedule 1,B.10 of this DPA.

1.5 Gigs (as data importer) may end this DPA, to the extent the Approved Addendum applies, in accordance with clause 19 of the Mandatory Clauses;

1.6 Clause 16 of the Mandatory Clauses shall not apply.

2. Swiss Addendum

As stipulated in clause 13 of the DPA, this Swiss Addendum shall apply to any processing of Customer Personal Data subject to Swiss data protection law or to both Swiss data protection law and the GDPR.

2.1 Interpretation of this Addendum

(a) Where this Addendum uses terms that are defined in the Standard Contractual Clauses as further specified in Schedule 3 of this DPA, those terms shall have the same meaning as in the Standard Contractual Clauses. In addition, the following terms have the following meanings:

Clauses: The Standard Contractual Clauses as further specified in Schedule 3 of this DPA

Swiss Data Protection Laws: The Swiss Federal Act on Data Protection of 19 June 1992 and the Swiss Ordinance to the Swiss Federal Act on Data Protection of 14 June 1993, and any new or revised version of these laws that may enter into force from time to time.

(b) This Addendum shall be read and interpreted in the light of the provisions of Swiss Data Protection Laws, and so that it fulfils the intention for it to provide the appropriate safeguards as required by Article 46 GDPR and/or Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be.

(c) This Addendum shall not be interpreted in a way that conflicts with rights and obligations provided for in Swiss Data Protection Laws.

(d) Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.

2.2 Hierarchy

In the event of a conflict or inconsistency between this Addendum and the provisions of the Clauses or other related agreements between the Parties, existing at the time this Addendum is agreed or entered into thereafter, the provisions which provide the most protection to data subjects shall prevail.

2.3 Incorporation of the Clauses

(a) In relation to any processing of personal data subject to Swiss Data Protection Laws or to both Swiss Data Protection Laws and the GDPR, this Addendum amends the DPA as further specified in Schedule 3 of this DPA to the extent necessary so they operate:

(i) for transfers made by the data exporter to the data importer, to the extent that Swiss Data Protection Laws or Swiss Data Protection Laws and the GDPR apply to the data exporter’s processing when making that transfer; and

(ii) to provide appropriate safeguards for the transfers in accordance with Article 46 of the GDPR and/or Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be.

(b) To the extent that any processing of personal data is exclusively subject to Swiss Data Protection Laws, the amendments to the DPA including the SCCs, as further specified in Schedule 3 of this DPA and as required by clause 2.1 of this Swiss Addendum, include (without limitation):

(i) References to the "Clauses" or the "SCCs" means this Swiss Addendum as it amends the SCCs.

(ii) Clause 6 Description of the transfer(s) is replaced with:

"The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are those specified in Schedule 1 of this DPA where Swiss Data Protection Laws apply to the data exporter’s processing when making that transfer."

(iii) References to "Regulation (EU) 2016/679" or "that Regulation" or "GDPR" are replaced by "Swiss Data Protection Laws" and references to specific Article(s) of "Regulation (EU) 2016/679" or "GDPR" are replaced with the equivalent Article or Section of Swiss Data Protection Laws to the extent applicable.

(iv) References to Regulation (EU) 2018/1725 are removed.

(v) References to the "European Union", "Union", "EU" and "EU Member State" are all replaced with "Switzerland".

(vi) Clause 13(a) and Part C of Annex I are not used; the "competent supervisory authority" is the Federal Data Protection and Information Commissioner (the "FDPIC") insofar as the transfers are governed by Swiss Data Protection Laws;

(vii) Clause 17 is replaced to state:

"These Clauses are governed by the laws of Switzerland insofar as the transfers are governed by Swiss Data Protection Laws".

(viii) Clause 18 is replaced to state:

"Any dispute arising from these Clauses relating to Swiss Data Protection Laws shall be resolved by the courts of Switzerland. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland in which he/she has his/her habitual residence. The Parties agree to submit themselves to the jurisdiction of such courts."

Until the entry into force of the revised Swiss Data Protection Laws, the Clauses shall also protect personal data of legal entities and legal entities shall receive the same protection under the Clauses as natural persons.

2.4 To the extent that any processing of personal data is subject to both Swiss Data Protection Laws and the GDPR, the DPA including the Clauses as further specified in Schedule 3 of this DPA will apply (i) as is and (ii) additionally, to the extent that a transfer is subject to Swiss Data Protection Laws, as amended by clauses 2.1 and 2.3 of this Swiss Addendum, with the sole exception that Clause 17 of the SCCs shall not be replaced as stipulated under clause 2.3(b)(vii) of this Swiss Addendum.

2.5 Customer warrants that it and/or Customer Affiliates have made any notifications to the FDPIC which are required under Swiss Data Protection Laws.