1.  BACKGROUND

1.1. The Customer and Birdie SSOT Corp.  ("Birdie", "we", "us", or "our") agreed to enter into a pricing plan that incorporates our terms and conditions (together, the "Agreement").
1.2.  This Data Processing Agreement (“DPA“) is between Birdie and the Customer (each a "Party" and collectively the "Parties"), pursuant to the Agreement.
1.3.  In the event that we process any Authorized User Data and/or Customer End User of individuals located in the UK or the EEA, or of any Customer who is established in the UK or the EEA, this DPA shall be supplemental to the Agreement and apply to the processing of such Authorized User Data and/or Customer End User Data. In the event of a conflict between any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail.

2.     DATA PROCESSING

2.1.  Customer as Controller. The Customer and Birdie acknowledge that for the purpose of Data Protection Laws, the Customer is the controller, and Birdie is the processor of the data.

2.2.  Customer Compliance. The Customer retains control of the personal data and remains responsible for its compliance obligations under applicable Data Protection Laws as Controller, including providing any required notices and obtaining any required consents and for the processing instructions it gives to Birdie.

2.3.  Nature and Purpose of Processing. Annex A describes the subject matter, duration, nature, and purpose of processing and the personal data categories and data subject types in respect of which Birdie may process personal data in order to provide the Services and fulfill its obligations under the Agreement.

2.4.   Instructions for Data Processing.

(a) We will only process Authorized User Data and/or Customer End User Data in accordance with the Customer’s written instructions, unless processing is required by UK, European Union or Member State law to which we may be subject, in which case we shall, to the extent permitted by UK, European Union or Member State law, inform the Customer of that legal requirement before processing such data. The Agreement and this DPA shall be the Customer’s complete and final instructions to us in relation to the processing of such data.

(b) We will comply with the Customer's written instructions requiring us to amend, transfer, delete, or otherwise process Authorized User Data/Customer End User Data or to stop, mitigate or remedy any unauthorized processing unless legally prohibited from doing so.

(c) We will notify the Customer if, in our opinion, the Customer’s instructions would not comply with Data Protection Laws.

2.5.  Additional processing. Processing outside the scope of this DPA or the Agreement will require a prior written agreement between the Customer and us regards additional instructions for processing.

2.6.   Required consent. Where required by applicable Data Protection Laws, Customer will ensure that it has obtained or will obtain all necessary consents for the processing of Authorized User Data and/or Customer End User Data by us in accordance with the Agreement.

3.   TRANSFER OF PERSONAL DATA

3.1.  Authorized Sub-processors. The Customer agrees that we may use the Sub-processors set out in Annex B (and gives general consent for us to appoint future Sub-processors).

(a) We shall not permit, allow or otherwise facilitate Sub-processors to Process Authorized User Data and/or Customer End User Data unless we enter into a written agreement with the Sub-processor which imposes substantially similar obligations on the Sub-processor with regard to their Processing of Authorized User Data, and/or Customer End User Data as are imposed on us under this DPA.

(b) We shall notify the Customer from time to time of the identity of any changes/additions to the Sub-processors we engage, before they perform any processing of the Customer Authorized User Data and/or Customer End User Data.

(c) If the Customer (acting reasonably) does not approve of a new Sub-processor, the Customer may request that we move the Authorized User Data and/or Customer End User Data to another Sub-processor. We shall, within a reasonable period of time following receipt of such request, use all reasonable endeavors to ensure that the relevant Sub-processor does not process any further Authorized User Data and/or Customer End User Data and help identify an alternative.

3.2.  Liability of Sub-processors. We will at all times remain responsible for compliance with our obligations under the DPA and will be liable to the Customer for the acts and omissions of any Sub-processor approved by the Customer as if they were our acts and omissions (subject to the terms of the Agreement).

3.3.  Transfers of Personal Data. Where the Services involve the transfer of European Data to the Processor in a country that has not been deemed to provide an adequate level of data protection pursuant to European Data Protection Laws (“Adequacy Decision”), the following applies:

1. a) With respect to transfers outside the European Economic Area, the Parties shall comply with the terms of the Standard Contractual Clauses. If there is any conflict between the Standard Contractual Clauses and this Data Processing Addendum, the Standard Contractual Clauses shall apply.
2. b) With respect to transfers outside the UK, the Parties shall comply with the terms of the Standard Contractual Clauses as amended by the UK Addendum.
3. c) at Controller's request, the Standard Contractual Clauses shall be replaced, and the Parties shall execute new standard contractual clauses for transfers to data processors in third countries adopted pursuant to Art. 46 (2) c) or d) of the GDPR.
4. d) If an Adequacy Decision is repealed or suspended, paragraphs a) and b) above shall automatically apply.
   
   

The Parties acknowledge that following entry into this Data Processing Addendum, the UK may adopt a new set of approved standard contractual clauses that the Parties will be required to execute (“New Approved UK Clauses”) and incorporate into this Data Processing Addendum in place of the Standard Contractual Clauses as amended by the UK Addendum. In the event New Approved UK Clauses are adopted, the Parties shall work together in good faith and in a timely manner to ensure any formal deadline for implementation of the New Approved UK Clauses is met, including by taking such actions (which may include execution of documents or an addendum to this Data Processing Addendum) as may be required to give effect to the New Approved UK Clauses to ensure compliance with the UK GDPR.

4.     DATA SECURITY, AUDITS, AND SECURITY NOTIFICATIONS

4.1.   Birdie Security Obligations. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we will implement appropriate technical, human and organizational measures to ensure a level of security appropriate to the risk, including all the measures set out at Annex C.

4.2. Compliance. Upon request by the Customer, we will make available all information reasonably necessary to demonstrate compliance with this DPA and the Data Protection Laws.

4.3. Audit. Birdie will permit the Customer and its third-party representatives (not
more than once annually) to audit Birdie’s compliance with its obligations to give at least 60 days notice during the term of the Agreement. Birdie will give the Customer and its third-party representatives only such assistance as is necessary to conduct such audits.

4.4.   Security Incident Notification. If we or any Sub-processor become aware of a Security Incident, we will (a) notify the Customer of the Security Incident within 72 hours, (b) investigate the Security Incident and provide such reasonable assistance to the Customer (and any law enforcement or regulatory official) as required to investigate the Security Incident, and (c) take steps to remedy any non-compliance with this DPA.

4.5.   Birdie Employees and Personnel. We will treat the Authorized User Data and
Customer End User Data as confidential information of the Customer, and shall ensure that any employees or other personnel have agreed in writing to protect the confidentiality and security of Authorized User Data and Customer End User Data.

4.6. Assistance. We will provide reasonable assistance in meeting the Customer's compliance obligations under Data Protection Laws, taking into account the nature of our processing and the information available to us, including in relation to data subject rights, data protection impact assessments, and reporting to and consulting with relevant data protection authorities.

5.   ACCESS REQUESTS AND DATA SUBJECT RIGHTS

5.1.  Data Subject Requests. Save as required or where prohibited (as applicable) under applicable law, we will notify the Customer of any request received by us or any Sub-processor from a data subject in respect of personal data included in the Authorized User Data or Customer End User Data, and will not respond to the data subject. The Customer shall be solely responsible for responding substantively to any such data subject request or communications involving personal data.

5.2.  Changes. We will provide the Customer with the ability to correct, delete, block, access, or copy the Authorized User Data or Customer End User Data in accordance with the functionality of the Services.

5.3. Disclosure. We will maintain the confidentiality of Authorized User Data and Customer End User Data and will not disclose such data to third parties unless the Customer or the Agreement specifically authorises such disclosure or as required by domestic law, court, or regulator. If a domestic law, court or regulator requires us to process or disclose personal data to a third party, we must first inform the Customer of such legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement, unless we are legally prohibited from giving such notice.

6.     DATA RETURN AND DESTRUCTION

6.1. Return. We will, at the Customer's request, return any Customer End User Data/Authorized User Data in our standard format, ensuring secure deletion of such information.  

6.2. Deletion/Destruction. On termination of the Agreement for any reason or expiry of its term, we will immediately cease processing Authorized User Data and Customer End User Data and will, within 30 days of being instructed in writing by the Customer, either securely delete or destroy or return (and not retain, except as required for record-keeping purposes), all of the personal data related to this Agreement in our possession.

7. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION

7.1.  To the extent required under applicable Data Protection Laws, we will provide reasonable assistance to the Customer with any data protection impact assessments and with any prior consultations to any supervisory authority of the Customer, in each case solely in relation to the Processing of Authorized User Data or Customer End User Data and taking into account the nature of the processing and information available to us.

8. CUSTOMER DATA SUBJECT TO CCPA

As used in this Section 12, “Business Purpose”, “Collects”, “Consumer”, “Sell”,

“Share” and “Service Provider” have the meanings assigned to them in the CCPA.

If Customer Data comprises Personal Data subject to the CCPA (“CCPA PersonalData”), the parties agree as follows with respect to such CCPA Personal Data:

(a) CCPA Personal Data is disclosed by Customer only for limited and specified purposes of providing Services to Customers pursuant to the terms of theAgreement. Each party agrees to comply with applicable obligations under CCPA and shall provide the same level of privacy protection to CCPA Personal Data as required by CCPA.

(b) Birdie will not Sell or Share any CCPA Personal Data it Collects pursuant to the Agreement.

(c) Birdie agrees not to retain, use or disclose CCPA Personal Data Collected pursuant to the Agreement for any commercial purpose other than for the Business Purposes specified in the Agreement or as otherwise permitted by the CCPA.

(d) Birdie will not retain, use or disclose CCPA Personal Data Collected pursuant to the Agreement outside of the direct business relationship between Birdie andCustomer, unless expressly permitted by CCPA.

(e) Customer shall have the right to take reasonable and appropriate steps to help ensure that Birdie uses the CCPA Personal Data Collected pursuant to the Agreement in a manner consistent with its obligations under CCPA.

(f) Birdie shall notify Customer if it makes a determination that it can no longer meet its obligations under CCPA. Upon such notice, the Customer may take reasonable and appropriate steps to stop and remediate unauthorized use of CCPA Personal Data.

(g) Birdie will enable Customer to comply with Consumer requests made pursuant to the CCPA. The customer will inform Birdie of any Consumer request pursuant to theCCPA that Birdie must comply with and provide information necessary for Birdie to comply with the request. If Birdie receives a request to know or a request to delete from a consumer with respect to CCPA Personal Data, Birdie shall either act on behalf of the Customer in responding to the request or inform the the consumer that the request cannot be acted upon because the request has been sent to a service provider.

(h) Notwithstanding the foregoing, as permitted under the CCPA, Birdie may retain, use or disclose CCPA Personal Data Collected pursuant to the Agreement: (i) for the specific Business Purpose(s) set forth in the Agreement that is required by CCPA, (ii) to retain and employ another service provider or contractor as a subcontractor, where the subcontractor meets the requirements for a Service Provider under the CCPA, (iii) for internal use by Birdie to build or improve the quality of the services it is providing to Customers, even if this Business Purpose is not specified in the Agreement, provided that Birdie does not use the CCPA Personal Data to perform services on behalf of another person, (iv) to prevent, detect or investigate data security incidents or protect against malicious, deceptive, fraudulent or illegal activity, even if this Business Purpose is not specified in the Agreement or (v) for the purposes enumerated in the California Civil Code section 1798.145, subdivisions (a)(1) through (a)(7).

9. CUSTOMER DATA SUBJECT TO LGPD

If Customer Data comprises Personal Data subject to the LGPD (“LGPD Covered Data”), then Customer Personal Data, as the term is used in any Section of this DPA above shall be deemed to include LGPD Covered Data.

10. CUSTOMER RESPONSIBILITIES

Without limiting its responsibilities under the Agreement, Customer is solely responsible for: (a) Account Data, Customer Credentials (including activities conducted with login credentials), and Customer Data, subject to Birdie’s Processing obligations under the Agreement and this DPA; (b) providing any notices required by Applicable Laws to, and receiving any required consents and authorizations required by Applicable Laws from, persons whose Personal Data may be included in Account Data, Customer Credentials, and Customer Data; and (c) ensuring no Personal Data relating to criminal convictions and offenses (GDPR Article 10) are submitted for Processing by the Services. Further, no provision of this DPA includes the right to, and Customer shall not, directly or indirectly enable any person or entity other than its authorized users to access and use the Services or use (or permit others to use) the Services other than as described in the applicable Order, the Agreement, and this DPA, or for any unlawful purpose.

11. LIABILITY

Each Party’s (and each of its Affiliate’s) liability taken together in the aggregate, arising out of or related to this DPA, including without limitation under the Standard Contractual Clauses, whether in contract, tort or under any other theory of liability, is subject to the limitation of liability provisions of the Agreement, except to the extent such liability cannot be limited under Applicable Law.

12.   TERMINATION

This DPA will remain in full force and effect so long as the Agreement remains in effect and will terminate immediately upon termination of the Agreement.

13. DEFINITIONS

Capitalized terms not otherwise defined in this Agreement shall have the respective meanings assigned to them in this Section 9 unless otherwise set out below:

“Applicable Laws” means any and all governmental laws, rules, directives, regulations, or orders that are applicable to a particular Party’s performance under this DPA, which may include, as applicable, EU Data Protection Law, the California Consumer Privacy Act of 2018, the CCPA, the Brazilian Federal Law 13.709 (“LGPD”) and the Colombian Data Protection Law 1581, 2012 and Law 1266, 2008. 

"Authorized User" means the Customer's employees; any contract staff who are working for the Customer; and any other person working with, or on behalf of, the Customer who is granted access to the Services exclusively on the Customer's behalf and with the Customer's prior authorization.

"Authorized User Data" means the "personal data" relating to each Authorized User.

"CCPA" means Section 1798.100 et seq. of the California Civil Code and any attendant regulations issued there under as may be amended from time to time, including but not limited to the California Privacy Rights Act of 2020 (the“CPRA”) and its implementing regulations.

"Controller" shall have  the meaning given in the UK GDPR or the applicable Data Protection Law that may be applicable to a Party.

"Customer End User" means an end user of the Customer.

"Customer End User Data" means the "personal data" relating to each Customer End User.

"Data Protection Laws" means the UK Data Protection Legislation and any other European Union legislation (including the EU GDPR) relating to personal data and all other legislation and regulatory requirements in force from time to time that apply to a Party relating to the use of personal data (including, without limitation, the privacy of electronic communications).

"EEA" means the Member States of the European Union together with Iceland, Norway, and Liechtenstein.

"EU GDPR" means the General Data Protection Regulation ((EU) 2016/679), as it has an effect on EU law.

"Ex EEA Transfer" is the export of personal data to a country or territory outside the EEA other than a country or territory, ensuring an adequate level of protection of personal data as determined by the European Commission.

"Ex UK Transfer" is the export of personal data to a country or territory outside the UK and such transfer is not governed by an adequacy decision made by the Secretary of State in the UK in accordance with the relevant provisions of the UK GDPR and the Data Protection Act 2018.

"Security Incident" means any accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, any Authorized User Data and/or Customer End User Data.

"Services" has the same meaning given in the Agreement.

"Software" has the same meaning given in the Agreement.

"Sub-processor" means any sub-processor engaged by us who agrees to receive from us Authorized User Data and/or Customer End User Data.

"UK Data Protection Legislation" means all applicable data protection and privacy legislation in force from time to time in the UK, including the UK GDPR; the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.

"UK GDPR" has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.

"UK SCCs" means the Standard Contractual Clauses (Processors) approved by European Commission Decision 2010/87/EU.

“personal data”, “data subject”, “processing”, “data controller”, “processor”, “data processor” and “supervisory authority” should have the respective meaning given to them in the UK GDPR,  EU GDPR or the applicable Data Protection Law that may be applicable to a Party.

California Personal Data

For the purposes of this “California Personal Data” section the Data Processing Addendum, “Business Purpose,” “Sell” (and its derivatives), “Share” (and its derivatives), and “Service Provider” have the meaning ascribed to them in the CCPA.

When pursuant to the Agreement, Client discloses Personal Data to VLC that is directly subject to the CCPA (“California Personal Data”), the Parties acknowledge and agree that Client is a “Business” and VLC is a “Service Provider” for the purposes of the CCPA. Business and Service Provider agrees that Service Provider shall Process California Personal Data for the purpose of performing the Services under the Agreement between the parties (which the parties acknowledge and agree are for Client’s “Business Purpose”) or as otherwise may be permitted by the CCPA or applicable law. Except where permitted by applicable law or the Data Processing Addendum, Service Provider shall not (1) Sell California Personal Data, (2) retain, use, or disclose California Personal Data (i) for any purpose other than for the Business Purposes specified in the Agreement. For the avoidance of doubt, this “California Personal Data” section of the Data Processing Addendum shall only apply to California Personal Data.

Canada Addendum (PIPEDA & Provincial Privacy Laws)

This Canada Addendum (“Addendum”) supplements the DPA and applies where Customer or its End Users are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) or substantially similar provincial laws, including but not limited to the Act respecting the protection of personal information in the private sector (Quebec), as amended by Law 25.

1. Definitions
   For the purposes of this Addendum:

• “Canadian Data Protection Laws” means PIPEDA and any substantially similar provincial privacy legislation (including but not limited to Alberta’s Personal Information Protection Act, British Columbia’s Personal Information Protection Act, and Quebec’s Act respecting the protection of personal information in the private sector, as amended by Law 25).
• Terms not defined in this Addendum shall have the meaning set out in the DPA.

2. Cross-Border Transfers

• 2.1. Customer acknowledges and agrees that Personal Data may be transferred to, accessed from, or otherwise processed in the United States and other jurisdictions in which Processor or its Sub-processors operate.
• 2.2. Processor shall ensure that such transfers are subject to contractual, organizational, and technical safeguards that provide a comparable level of protection to that required under Canadian Data Protection Laws.
• 2.3. Processor shall, upon request, provide information about its safeguards for cross-border transfers.

3. Privacy Impact Assessments (Quebec Law 25)

• 3.1. Processor acknowledges that under certain Canadian Data Protection Laws, notably Quebec's Law 25, Customer may be required to conduct a Privacy Impact Assessment (PIA) before transferring Personal Data outside of Quebec.
• 3.2. To assist Customer in meeting this obligation, Processor shall, upon reasonable request, provide Customer with the necessary documentation to support a PIA (sometimes referred to as a Data Protection Impact Assessment (DPIA) under other legal frameworks) and information regarding its data processing activities, security measures, data storage locations, and the legal framework applicable in the jurisdictions where Personal Data will be processed.

4. Government and Law Enforcement Requests

• 4.1. Processor shall promptly notify Customer of any legally binding request for the disclosure of Personal Data by a law enforcement or government authority, unless such notification is prohibited by law.
• 4.2. Processor agrees to review the legality of each request and will make commercially reasonable efforts to challenge any request it deems to be overly broad or unlawful. In any event, Processor shall only disclose the minimum amount of Personal Data necessary to satisfy the request.

5. Notice of Transfers

• 5.1. Processor shall assist Customer in meeting its obligation to inform individuals that their Personal Data may be transferred outside of Canada for processing, as required under Canadian Data Protection Laws.

6. Data Subject Rights

• 6.1. Processor shall provide reasonable assistance to Customer in fulfilling data subject rights requests under Canadian Data Protection Laws, including access, correction, withdrawal of consent, and deletion, to the extent applicable to Processor’s role.

7. Data Breach Notification

• 7.1. In the event of a Personal Data breach affecting Personal Data subject to this Addendum, and in addition to its obligations under the DPA, Processor shall provide Customer with prompt and sufficient information to allow Customer to assess whether the breach creates a "real risk of significant harm" (RROSH) to an individual, as defined under Canadian Data Protection Laws.
• 7.2. Such information shall include, to the extent known, the circumstances of the breach, the number of individuals affected, the Personal Data elements involved, and the steps Processor has taken to mitigate the harm and prevent a recurrence.

8. Conflict

• 8.1. In the event of a conflict between this Addendum and the DPA, this Addendum shall prevail with respect to Personal Data subject to Canadian Data Protection Laws.

9. Questions and Complaint Resolution

• 9.1 If you have any questions, concerns, or complaints about our privacy practices or how your personal information is being managed, we encourage you to contact our Privacy Officer first so that we may attempt to resolve the issue directly. You can contact us at: security@birdie.ai
• 9.2 If you are not satisfied with our response or believe that we are processing your personal information in a way that is not compliant with the law, you have the right to file a formal complaint with the appropriate data protection authority.

For matters under the jurisdiction of Canada's federal law (PIPEDA), the supervisory authority is the Office of the Privacy Commissioner of Canada (OPC).

Their contact information is as follows:

• Website: www.priv.gc.ca
• Address: 30 Victoria Street, Gatineau, Quebec, K1A 1H3, Canada
• Toll-free: 1-800-282-1376

Note on Provincial Laws: For residents of Quebec, British Columbia, or Alberta, provincial private-sector privacy laws may apply. In such cases, a complaint may be directed to the respective provincial privacy authority. We recommend consulting the OPC's website for guidance on which commissioner to contact based on your location and circumstances.

Colombia Addendum (Law 1581, 2012 and Law 1266, 2008)

1. Legal Basis for Processing: Consent by the data subject is the legal basis for processing personal data of Authorized Users and End Users. Accordingly, no other basis for processing shall be relied on.
2. Data Subject Rights: Processor shall provide reasonable assistance to Customer in fulfilling data subject rights requests under Colombian Data Protection Laws, including access, correction, withdrawal of consent, deletion, and to file claims before the data protection authority to the extent applicable to Processor’s role.
3. Data Breach Notification: Data breach notification shall include details regarding number of data subjects affected, type of personal data, causes and remedies applied in response to the data breach and date of the data breach and its detection.  Data breaches shall be notified to Customer no later than twenty-four (24) hours from detection.
4. Sensitive Personal Data: any and all personal data relating to health, gender, political views, race or ethnic origin, biometrics (voice), intimate of the data subject. Sensitive Personal Data is subject to higher compliance standards regarding security measures. 
5. Cross-Border Transfers: End User and Authorized User shall only be transferred to jurisdictions which provide adequate level of personal data protection. Territories agreed upon are the European Union and the United States. When transfer to different jurisdictions is required Parties will undertake to ensure such transfer is performed in compliance with Colombian Data Protection Laws.
6. Processing of personal data in artificial intelligence systems and models: Processing of personal data in artificial intelligence models shall be informed to Customer prior to any processing. Such processing shall be limited to specific data, limited for the specific purpose, and in the specific systems priorly and expressly approved by Customer. End User and Authorized User personal data shall only be used for the procurement of the Services to Customer, limited to the instructions of Customer. Parties shall conduct Privacy Impact Assessment when high risk for data subjects is encompassed in such processing. Processor shall comply with UNESCO ethical principles.

UK and Switzerland Data Transfer Addendum

This UK and Switzerland Data Transfer Addendum (“Addendum”) is made part of the DPA between the Customer (“Data Exporter”) and Birdie (“Data Importer”).

1. Scope and Application

1.1. This Addendum applies to the processing of Personal Data where such data is protected by UK Data Protection Laws or Swiss Data Protection Laws (as defined below).

1.2. This Addendum supplements the DPA. In the event of a conflict between this Addendum and the DPA, this Addendum shall prevail with respect to Personal Data subject to UK or Swiss Data Protection Laws.

2. Definitions

2.1. "UK Data Protection Laws" means the UK General Data Protection Regulation (UK GDPR), as tailored by the Data Protection Act 2018.

2.2. "Swiss Data Protection Laws" means the Swiss Federal Act on Data Protection of 25 September 2020 (FADP) and its implementing ordinances.

2.3. "UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK Information Commissioner’s Office.

2.4. Terms not defined herein shall have the meaning set forth in the DPA.

3. Data Transfers from the United Kingdom

3.1. The parties agree that when the transfer of Personal Data is subject to UK Data Protection Laws, the UK Addendum is hereby incorporated by reference and shall be deemed executed between the parties.

3.2. The Standard Contractual Clauses (SCCs) as referenced in the DPA shall be interpreted as amended by the UK Addendum.

3.3. For the purposes of the UK Addendum, the information required for its Tables is as follows: * Table 1: The parties’ names and contact details are as set out in the DPA and this Addendum. * Table 2: The version of the Approved EU SCCs that the UK Addendum is appended to is Module 2 (Controller to Processor), as specified in the DPA. * Table 3: The list of parties, description of transfer, and technical and organizational measures are as described in the Annexes of the DPA. * Table 4: Both the Data Importer and the Data Exporter can end the UK Addendum in accordance with its terms.

4. Data Transfers from Switzerland

4.1. When the transfer of Personal Data is subject to Swiss Data Protection Laws, the Standard Contractual Clauses referenced in the DPA shall apply with the following modifications: a) References to "Regulation (EU) 2016/679" shall be interpreted as references to the Swiss FADP. b) References to "EU", "Union", and "Member State" shall be interpreted as references to Switzerland. c) The term "supervisory authority" shall be interpreted as the Swiss Federal Data Protection and Information Commissioner (FDPIC). d) The governing law for the Standard Contractual Clauses shall be the law of Switzerland, and the place of jurisdiction shall be Zurique, Suíça.

5. Transfers to the United States under the Data Privacy Framework

5.1. Data Importer (Birdie) represents and warrants that it is certified under the UK Extension to the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework (collectively, the “DPF Program”), as declared in its Privacy Policy. A cópia de sua certificação pode ser visualizada em https://www.dataprivacyframework.gov/.

5.2. To the extent that Birdie is certified under the applicable part of the DPF Program, transfers of Personal Data from the Data Exporter to Birdie in the United States shall be made in reliance on Birdie’s DPF certification.

5.3. Birdie shall: a) Maintain its certification under the applicable DPF Program for the duration of the data processing. b) Notify the Data Exporter without undue delay if it can no longer meet its obligations under the DPF Program or if its certification is revoked, suspended, or no longer valid.

5.4. In the event Birdie cannot rely on its DPF certification for any reason, or if the DPF Program is invalidated, the transfers shall automatically be subject to the safeguards provided by the Standard Contractual Clauses as modified by this Addendum in Sections 3 and 4, without the need for further action from either party.

ANNEX A

PERSONAL DATA PROCESSING PURPOSES AND DETAILS

Data Exporter: Customer

Data importer: Birdie

Subject matter of processing: The processing is needed in order to enable the provision of Services pursuant to the Agreement.

Duration of processing: For the duration of the Agreement, unless otherwise agreed in writing.

Nature of processing: Storage, transmission, and use in order to provide the Services.

Business purpose: For the provision of Services pursuant to the Agreement.

Personal data categories:
(i)Name, email address, and online identifiers (such as IP address) of each Authorized User.

(ii) Information contained in feedback, chat transcripts, or other format collected by the Customer and provided to Birdie relating to each Customer End User.

(iii) Metadata associated with the feedback collected by the Customer and provided to Birdie relating to each Customer End User.

(iv) Credentials and API keys for access to feedback platforms.

Data subjects: Authorized User and Customer End User.

ANNEX B

SUB-PROCESSORS
Authorized User Data:

ANNEX C

TECHNICAL POLICIES AND PROCEDURES

Introduction

We maintain internal policies and procedures, or procure that our Sub-processors do so, which are designed to:

(i) secure any personal data processed by us against accidental or unlawful loss, access, or disclosure;

(ii) identify reasonably foreseeable internal risks to secure any unauthorized access to the personal data processed by us;

(iii) minimize security risks, including through risk assessment and regular testing.

We will conduct periodic reviews of the security of our network and the adequacy of our information security program as measured against industry security standards and our policies and procedures (including our security policy) and will use all practical efforts to procure that our Sub-processors do so as well.

We will periodically evaluate the security of our network and associated services to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews and will use reasonable efforts to procure that our Sub-processors do so as well.

Access controls

We limit access to personal data by implementing appropriate access controls.

Availability and backup of personal data

We regularly back-up data. Back-ups are stored separately and are encrypted at rest.

Encryption

We use encryption technology where appropriate to protect personal data held electronically.

Transmission or transport of personal data

We will implement appropriate controls to secure personal data during transmission or transit.

Team training

We periodically train our team on data security and privacy issues relevant to their job role and ensure that new starters receive appropriate training before they start their role. Employees are subject to disciplinary measures for breaches of our policies and procedures relating to data privacy and security.