Data Processing Agreement
This Data Processing Agreement (“DPA”) is incorporated into and forms part of the Agreement (as defined in the Agreement) between Cloud Card, LLC (“CloudCard”) and the Customer identified in the Agreement (“Customer”), each a “Party” and collectively the “Parties”. This DPA applies to and takes precedence over the relevant Order Form (as defined in the Agreement) and the Agreement (collectively, for purposes of this DPA, the “Agreement”), to the extent of any conflict. Capitalized terms not defined herein are defined as in applicable Data Protection Laws.
Customer and CloudCard agree as follows:
1. Definitions. For purposes of this DPA:
a. “Data Protection Laws” means all applicable laws, regulations, and other legal requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of personal data, including without limitation, to the extent applicable, the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”); the United Kingdom Data Protection Act of 2018; the Swiss Federal Act on Data Protection (“FADP”); and the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended and including its regulations (“CCPA”) and other applicable U.S. state and federal privacy and data protection laws. For the avoidance of doubt, if the Parties’ Processing activities involving Personal Data are not within the scope of a given Data Protection Law, such law is not applicable for purposes of this DPA.
b. “Data Subject” means an identified or identifiable natural person to whom Personal Data relates, and is deemed to also refer to “consumer” as defined in Data Protection Laws.
c. “EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as set forth herein.
d. “Personal Data” includes “personal data,” “personal information,” “personally identifiable information,” and analogous terms, as defined by applicable Data Protection Laws, that CloudCard Processes to provide the Services.
e. “Process” and its cognates “Processing,” “Processed,” etc. mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
f. “Security Breach” means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
g. “Services” means the services that CloudCard performs on behalf of Customer pursuant to the Agreement.
h. “Subprocessor” means any third party or CloudCard Affiliate that CloudCard engages to Process Personal Data to provide the Services.
i. “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner’s Office, located at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-tranfer-addendum.pdf and completed as set forth herein.
j. The terms “Business,” “Controller,” “Processor,” and “Service Provider” are defined as in Data Protection Laws. “Controller” is deemed to also refer to “Business,” and “Processor” is deemed to also refer to “Service Provider.”
2. Roles of the Parties; Scope and Purposes of Processing.
a. This DPA applies to all Personal Data that CloudCard Processes to provide the Services.
b. To the extent that Customer is the Controller of Personal Data, CloudCard is its Processor. To the extent that Customer is a Processor of Personal Data, CloudCard is its Subprocessor.
c. CloudCard will Process Personal Data solely in accordance with Data Protection Laws, on Customer’s behalf, and to provide the Services to Customer under the Agreement for the business purposes set forth in the Agreement and as set forth in this DPA, unless required otherwise to comply with Data Protection Laws (in which case, CloudCard shall, to the extent legally permitted, provide prior notice to Customer of such legal requirement).
d. To the extent that the CCPA applies to CloudCard’s Processing of Personal Data, Customer retains the right to take reasonable and appropriate steps to (i) ensure that CloudCard Processes Personal Data in a manner consistent with the CCPA, and (ii) upon notice, stop and remediate unauthorized Processing of Personal Data subject to the CCPA.
e. Customer is responsible for providing any notices, obtaining any consents or authorizations, and otherwise satisfying its own compliance obligations with respect to the Processing of Personal Data under this DPA. Customer will not instruct CloudCard to Process Personal Data in violation of Data Protection Laws or any third party’s legal, contractual, or other rights.
3. Personal Data Processing Requirements. CloudCard will:
a. Not retain, use, or disclose Personal Data outside of the direct business relationship between Customer and CloudCard, or for any purpose (including any commercial purpose) not set forth in this DPA.
b. Not “sell” or “share” any Personal Data, or use Personal Data for purposes of “targeted advertising,” as such terms are defined in Data Protection Laws.
c. Comply with any applicable restrictions under the CCPA on combining Personal Data with personal data that CloudCard receives from, or on behalf of, another person or persons, or that CloudCard collects from any interaction between it and any individual.
d. Ensure that the persons it authorizes to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
e. To the extent required by Data Protection Laws, assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to requests for exercising Data Subjects’ rights as set forth in Data Protection Laws, taking into account the nature of the Processing.
f. To the extent required by Data Protection Laws, provide reasonable assistance to Customer for the fulfillment of Customer’s obligation to complete a data protection impact assessment or consult with supervisory authorities regarding CloudCard’s Processing of Personal Data.
g. Promptly notify Customer if CloudCard determines that it is unable to comply with its obligations under Data Protection Laws or if, in CloudCard’s opinion, an instruction from Customer infringes Data Protection Laws (to the extent CloudCard is legally permitted to notify Customer).
4. Data Security.
CloudCard will implement appropriate administrative, technical, physical, and organizational measures to protect Personal Data, as set forth at Information Security Policy. CloudCard will provide the level of protection for Personal Data that is required under Data Protection Laws applicable to Customer.
5. Security Breach.
CloudCard will notify Customer of any Security Breach without undue delay, and in no event later than seventy-two (72) hours, after becoming aware of such Security Breach. CloudCard will comply with the Security Breach-related obligations directly applicable to it under Data Protection Laws and will assist Customer in Customer’s compliance with its Security Breach-related obligations, including by providing Customer with any information that CloudCard is required to provide under Data Protection Laws, to the extent known to CloudCard. Customer acknowledges that CloudCard may not know all of this information as of the date that CloudCard notifies Customer of a Security Breach, and that CloudCard may provide such information as it becomes available to CloudCard.
6. Subprocessors.
a. Customer acknowledges and agrees that CloudCard may use Subprocessors to Process Personal Data in accordance with this DPA and Data Protection Laws. Customer specifically authorizes CloudCard to engage any Subprocessors listed at https://trust.cloudcard.us/subprocessors.
b. CloudCard will maintain an up-to-date list of its Subprocessors. CloudCard will provide Customer with thirty (30) days’ notice of any new Subprocessor added to the list prior to providing the new Subprocessor with Personal Data or access thereto. If within that 30-day period, Customer makes a reasonable objection to a new Subprocessor on grounds relating to the protection of Personal Data, CloudCard shall have the right to cure the objection through one of the following options (to be selected at CloudCard’s sole discretion): (i) CloudCard will cancel its plans to use the Subprocessor with regard to Personal Data or will offer an alternative to provide the Services without such Subprocessor; (ii) CloudCard will take the corrective steps requested by Customer in its objection (which remove Customer’s objection) and proceed to use the Subprocessor with regard to Personal Data; or (iii) CloudCard may cease to provide or Customer may agree not to use (temporarily or permanently) the particular aspect of the Services that would involve the use of such Subprocessor with regard to Personal Data, subject to a mutual agreement of the Parties to adjust the remuneration for the Services considering the reduced scope of the Services. If the objection has not been resolved within 30 days, Customer will have the right to terminate the relevant Processing and Customer will be entitled to a pro-rata refund for prepaid fees for Services not performed as of the date of termination.
7. Data Transfers.
a. CloudCard may engage in cross-border transfers of Personal Data in compliance with Data Protection Laws. To the extent required by Data Protection Laws, CloudCard shall ensure that a lawful data transfer mechanism is in place prior to engaging in any onward transfers of Personal Data from one country to another.
b. To the extent legally required, by entering into the Agreement, Customer and CloudCard are deemed to have signed the EU SCCs, which form part of this DPA and (except as described in Sections 7(c) and (d) below) are deemed completed as follows:
i. Module 2 applies to transfers of Personal Data from Customer (as a Controller) to CloudCard (as a Processor), and Module 3 applies to transfers of Personal Data from Customer (as a Processor) to CloudCard (as a Subprocessor);
ii. Clause 7 is not included;
iii. Under Clause 9, the Parties select Option 2 (General written authorization). The initial list of Subprocessors and the process for updating that list are set forth in Section 6(b) of this DPA;
iv. Under Clause 11, the optional language requiring that data subjects be permitted to lodge a complaint with an independent dispute resolution body is not included;
v. Under Clause 17, the Parties choose Option 1 (the law of an EU Member State that allows for third-Party beneficiary rights) and select the law of Ireland;
vi. Under Clause 18, the Parties select the courts of Ireland;
vii. Annex IA (List of Parties) is deemed completed as follows:
1. Data Exporter is the Customer, and it is a Controller or Processor, as the case may be. Data Importer is CloudCard, and it is a Processor.
2. The Parties’ names, addresses, and contact person’s information are deemed to be set forth with the relevant information in the Order Form.
3. Customer’s activities relevant to the data being transferred are receiving CloudCard’s Services, and CloudCard’s activities relevant to the data being transferred are providing such Services.
4. Both Parties are deemed to have signed Annex IA by entering into the Agreement.
viii. Annex IB (Description of the transfer) is deemed completed as follows:
1. Categories of Data Subjects whose Personal Data is transferred: Individuals for whom Customer instructs CloudCard to process ID photos. Depending on the nature of Customer’s organization, this may include, but is not limited to, Customer’s employees, contractors, or students.
2. Categories of Personal Data transferred: Name, title, photograph, email address, ID number assigned by Customer (e.g., employee ID or student ID). The only data required for CloudCard to provide service is an ID number and email address.
3. Sensitive data transferred (if applicable) and applied restrictions or safeguards: N/A.
4. The frequency of the transfer: Continuous for the duration of the Agreement.
5. Nature of the processing: CloudCard’s Processing activities shall be limited to those discussed in the Agreement and the DPA.
6. Purpose(s) of the data transfer and further processing: The purpose of the transfer to and further Processing of Personal Data by CloudCard is for CloudCard to provide the Services to Customer as set forth in the Agreement.
7. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Personal Data will be retained as long as necessary for CloudCard to provide the Services to Customer and/or in accordance with applicable legal requirements.
8. For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: Same as above to the extent that Personal Data is provided to Subprocessors for purposes of providing the Services.
ix. Under Annex IC, the competent supervisory authority is, to the extent legally permissible, the Irish Data Protection Commission.
x. Annex II (Technical and organizational measures) is deemed completed by the information available at: Information Security Policy; and Trust Center.
xi. Annex III is not applicable because the Parties have chosen General Authorization under Clause 9.
c. To the extent legally required, by entering into the Agreement, the Parties are deemed to be signing the UK Addendum, which forms part of this DPA and takes precedence over the rest of this DPA as set forth in the UK Addendum. The Tables within the UK Addendum are deemed completed as follows:
i. Table 1: The Parties’ details shall be the Parties to the extent any of them is involved in such transfer, and the Key Contact shall be the contacts indicated in the Exhibit A below.
ii. Table 2: The Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the Parties and completed in Section 7(b) of this DPA.
iii. Table 3: Annexes I and II are completed as set forth above. Annex III is inapplicable.
iv. Table 4: Either Party may end this DPA as set out in Section 19 of the UK Addendum.
d. For transfers of Personal Data that are subject to the FADP, the EU SCCs form part of this DPA as set forth in Section 7(b) of this DPA, but with the following differences to the extent required by the FADP: (i) references to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR; (ii) the term “member state” in EU SCCs shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; and (iii) the relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and GDPR apply, respectively).
8. Audits.
CloudCard will make available to Customer all information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, provided that such audit shall occur not more than once every twelve (12) calendar months (unless required more frequently by Data Protection Laws), upon reasonable prior written notice, and to the extent CloudCard’s personnel are required to cooperate therewith, during CloudCard’s normal business hours.
9. Return or Destruction of Personal Data.
Except to the extent required otherwise by Data Protection Laws, CloudCard will, at the choice of Customer, return to Customer and/or securely destroy all Personal Data upon (a) written request of Customer or (b) termination of the Agreement. Except to the extent prohibited by Data Protection Laws, CloudCard will inform Customer if it is not able to return or delete Personal Data.
10. Indemnification and Limitation of Liability.
To the extent permitted by Data Protection Laws, the Parties will indemnify each other and their liability will be limited as provided in the Agreement.
11. Survival.
The provisions of this DPA survive the termination or expiration of the Agreement for so long as CloudCard or its Subprocessors Process Personal Data.

