Scrunch Data Processing Addendum
This Data Processing Addendum (“DPA”) amends and forms part of the written agreement between Customer and the Sitecore entity which has entered into the Agreement (“Company”) (collectively, “the parties”) for the provision of the Scrunch SaaS Product (as such term is defined in the applicable Order made part of the Agreement) to Customer (the “Agreement”). This DPA prevails over any conflicting term of the Agreement but does not otherwise modify the Agreement.
- Definitions
- In this DPA:
- “Data Protection Law” means all laws that apply to the Processing of Personal Data under the Agreement, including European Data Protection Law and the laws and regulations of the United States and its states, as amended from time to time, to the extent such laws and regulations apply to the relevant party.
- “European Data Protection Law” means the General Data Protection Regulation (EU) 2016/679 ("GDPR") and all other privacy and data protection laws of the European Economic Area (“EEA”), and their respective Member States, Switzerland and the United Kingdom (“UK”) and all laws implementing or supplementing the foregoing.
- “Personal Data” means any information that reasonably relates, directly or indirectly, to an identified or identifiable natural person that Company may Process on Customer’s behalf in performing the services under the Agreement.
- “Processing” (including its cognate “Process”) means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Security Incident” means a breach of security leading to the unauthorized or unlawful access by a third party, or confirmed accidental or unlawful destruction, loss or alteration, of Personal Data.
- “Standard Contractual Clauses” means (i) Module 2 of the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj (the “EU SCCs”), and (ii) where the UK GDPR applies, the EU SCCs as supplemented by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Commissioner under S119A(1) Data Protection Act 2018 (the “UK SCCs”).
- Capitalized terms used but not defined herein have the meaning given to them in the Agreement.
- Scope and Roles
- The subject matter, nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects are set out in Annex I.
- Company agrees that it will Process Personal Data only in accordance with the Agreement and this DPA. To the extent applicable, Company will Process Personal Data as a “processor” or “service provider” as such terms are defined under applicable Data Protection Law.
- Data Protection
- When Company Processes Personal Data, it will:
- Process the Personal Data in accordance with Customer's documented instructions as described in the Agreement or this DPA. Company will notify Customer if it considers that an instruction from Customer is in breach of Data Protection Law, unless it is prohibited from doing so by law on important grounds of public interest;
- assist Customer, taking into account the nature of the Processing and the information available to Company, in complying with Customer's obligations to respond to requests concerning Personal Data from individuals under applicable Data Protection Law;
- implement and maintain appropriate physical, technical and organizational measures to ensure a level of security appropriate to the risk, which include the technical and organizational measures required by applicable Data Protection Law;
- only entrust the Processing of Personal Data to personnel who have undertaken to comply with confidentiality requirements; and
- upon termination of the Agreement, as instructed by Customer, to the extent that Company retains Personal Data, permit Customer to delete or obtain copies of such Personal Data consistent with the functionality of the Services and applicable law.
- Company certifies that it will not (a) “sell” (as defined in Data Protection Law) the Personal Data; (b) retain, use, or disclose the Personal Data for any purpose other than as permitted under this DPA and in accordance with the Agreement; or (c) retain, use, or disclose the Personal Data other than in the context of the direct relationship with Customer in accordance with the Agreement.
- Customer Responsibilities
- Customer is responsible for the lawfulness of Personal Data processing under or in connection with the services. Customer will (i) provide all required notices and obtain all required consents, permissions and rights necessary under applicable Data Protection Law for Company to lawfully Process Personal Data for the purposes contemplated by the Agreement; (ii) make appropriate use of the services to ensure a level of security appropriate to the particular content of the Personal Data; (iii) comply with all Data Protection Law applicable to the collection of Personal Data and the transfer of such Personal Data to Company; and (iv) ensure its processing instructions comply with applicable laws (including applicable Data Protection Law).
- Subprocessing
- Customer agrees that Company may use the third-party suppliers listed in Annex III to Process Personal Data on its behalf for the provision of the services under the Agreement (each a “Subprocessor”).
- Company will maintain a list of Subprocessors and, prior to authorizing any new Subprocessor to access Personal Data, Company will update the list of Subprocessors. Company will notify Customer by email prior to the appointment of a new Subprocessor. If Customer objects to the appointment of such Subprocessor within ten (10) days, it may terminate the portion of the services that cannot be provided without such Subprocessor on written notice to Company that includes Customer’s legitimate and documented grounds for non-approval.
- Company will ensure that any Subprocessors to which it transfers Personal Data enter into written agreements with Company requiring that the Subprocessor abide by terms substantially similar to those contained in this DPA.
- Company will remain liable for any breaches of this DPA caused by its Subprocessors.
- Restricted Data Transfers
- In the event that Customer is subject to European Data Protection Law and the transfer of Personal Data to Company would be restricted in the absence of the Standard Contractual Clauses, the Parties agree that the Standard Contractual Clauses shall be incorporated into this DPA with Customer as the “data exporter” and Company as the “data importer.”
- The Standard Contractual Clauses are further completed as follows: the optional docking clause in Clause 7 is implemented; Clause 9(a) option 2 is implemented and the time period therein is specified as thirty (30) days; the optional redress clause in Clause 11(a) is struck; the governing law in Clause 17 is the law of the Republic of Ireland; the courts in Clause 18(b) are the Courts of the Republic of Ireland; and Annexes 1, 2 and 3 to the Standard Contractual Clauses are Paragraphs 3, 4 and 5 of this DPA respectively. To the extent required by Data Protection Law in the UK, Part 1, Tables 1, 2 and 3 of the UK SCCs will be deemed to be completed in the same way as their equivalent provisions in the EU SCCs. For the purpose of Part 1, Table 4, the party that may end the UK SCCs in accordance with Section 19 of the UK Addendum is the importer.
- Assistance and Notifications
- Upon Customer’s request, Company will provide Customer with reasonable cooperation and assistance to the extent required to fulfil Customer’s obligation under European Data Protection Law to:
- reply to investigations and inquiries from data protection regulators; and
- carry out a data protection impact assessment related to the services, where Customer does not otherwise have access to the relevant information necessary to perform such assessment.
- Unless prohibited by Data Protection Law, Company must inform Customer without undue delay if Company:
- receives a request, complaint or other inquiry regarding the Processing of Personal Data;
- receives a binding or non-binding request to disclose Personal Data from law enforcement, courts or any government body;
- is subject to a legal obligation that requires Company to Process Personal Data in contravention of Customer’s instructions; or
- is otherwise unable to comply with Data Protection Law or this DPA.
- Upon becoming aware of a Security Incident, Company will inform Customer without undue delay and will provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer to allow Customer to fulfil its data breach reporting obligations under applicable Data Protection Law.
- Audit
- Company will make available to Customer at Customer’s request information which is necessary to demonstrate compliance with this DPA and allow for any audits, including inspections, conducted by Customer or another auditor, as requested by Customer.
- To the extent Company makes available to Customer confidential summary reports ("Audit Report") prepared by third-party security professionals, Customer agrees to accept such Audit Report, subject to confidentiality requirements, in satisfaction of its audit right; however, if Customer can demonstrate that it requires additional information, beyond the Audit Report, then Customer may request, at Customer's cost, Company to provide for an audit subject to reasonable confidentiality procedures, which will: (i) not include access to any information that could compromise confidential information relating to other Company customers or suppliers, Company's technical and organizational measures, or any trade secrets; and (ii) be performed upon not less than thirty (30) days’ notice, during regular business hours and in such a manner as not to unreasonably interfere with Company’s normal business activities.
- General
- If there is any conflict between this DPA and the Agreement, this DPA will prevail to the extent of that conflict in connection with the Processing of Personal Data.
- If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
- Notwithstanding anything to the contrary in the Agreement or this DPA, the liability of each party under this DPA is subject to the limitations of liability set out in the Agreement.
- This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement.
ANNEXES
ANNEX I
- LIST OF PARTIES
Customer is the controller and the data exporter and Company is the processor and the data importer.
- DESCRIPTION OF TRANSFER
Subject Matter: Customer employee names & email addresses
Duration of the Processing: Lifetime of customer account or customer's employee user account
Nature and Purpose of the Processing: Used to allow customer employees to log in to the app and receive related notifications
Frequency of the Processing: Continuous
Categories of Data: Email Addresses; Personal Names
Special Categories of Data Processed: None
Data Subjects: Customer user account holders
- COMPETENT SUPERVISORY AUTHORITY
The competent supervisory authority is the Irish Data Protection Commission.
ANNEX II
Company shall implement and maintain the controls listed in this Annex II in accordance with industry standards generally accepted by information security professionals as necessary to reasonably protect Personal Data during storage, processing and transmission.
Physical access control
Company relies on public cloud service providers to host processing & data storage workloads. Company shall ensure that such providers have appropriate physical security measures in place.
Virtual access control
Technical and organizational measures to prevent data Processing systems from being used by unauthorized persons include: (a) user authentication & authorization controls with strong password rules; (b) centrally managed access control; and (c) encryption.
Data access control
Technical and organizational measures to ensure that persons entitled to use a data Processing system gain access only to such Personal Data in accordance with their access rights, and that Personal Data cannot be read, copied, modified or deleted without authorization, include: (a) internal policies and procedures; (b) control authorization schemes; (c) differentiated access rights (profiles, roles, transactions and objects); (d) monitoring and logging of accesses; (e) disciplinary action against employees who access Personal Data without authorization; (f) reports of access; (g) deletion procedure; and (h) encryption.
Disclosure control
Technical and organizational measures to ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Personal Data are disclosed, include: (a) encryption/tunneling; (b) logging; and (c) transport security.
Entry control
Technical and organizational measures to monitor whether Personal Data have been entered, changed or removed (deleted), and by whom, from data Processing systems, include: (a) logging and reporting systems; and (b) audit trails and documentation.
Control of instructions
Technical and organizational measures to ensure that Personal Data are Processed solely in accordance with the instructions of the Controller include: (a) unambiguous wording of the contract; (b) formal commissioning (request form); and (c) criteria for selecting the Processor.
Availability control
Technical and organizational measures to ensure that Personal Data are protected against accidental destruction or loss (physical/logical) include: (a) secure cloud-based storage with replication; (b) backup procedures; and (c) a disaster recovery plan.
Separation control
Technical and organizational measures to ensure that Personal Data collected for different purposes can be Processed separately include: (a) separation of databases; (b) “internal Customer” concept / limitation of use; (c) segregation of functions (production/testing); and (d) procedures for storage, amendment, deletion, transmission of data for different purposes.
ANNEX III
List of Subprocessors
Customer authorizes Company to engage the list of subprocessors as defined at the following URL:
- https://trust.scrunchai.com/subprocessors (for the sake of clarity, as may be updated from time to time, including if the foregoing is relocated to Sitecore’s Legal Hub at https://www.sitecore.com/legal)