Data Processing Agreement

For the purposes of Article 28(3) of Regulation 2016/679 (the GDPR)

Between Supersolve AS (Norwegian registration no. 933860175) (the data processor)

And any customer of the Watchdog service that qualifies as a data controller under the GDPR (the "Data Controller")

each a 'party'; together 'the parties'

By using the Watchdog service or entering into a service agreement that incorporates this Agreement by reference, the Data Controller agrees to the following contractual clauses (the "Clauses"), in order to meet the requirements of the GDPR and to ensure the protection of the rights of data subjects.


Table of Contents

  1. Preamble
  2. The rights and obligations of the data controller
  3. The data processor acts according to instructions
  4. Confidentiality
  5. Security of processing
  6. Use of sub-processors
  7. Transfer of data to third countries or international organisations
  8. Assistance to the data controller
  9. Notification of personal data breach
  10. Erasure and return of data
  11. Audit and inspection
  12. The parties' agreement on other terms
  13. Commencement and termination
  14. Data controller and data processor contacts/contact points

Appendix A: Information about the processing

Appendix B: Authorised sub-processors

Appendix C: Instruction pertaining to the use of personal data

Appendix D: Standard Contractual Clauses (SCCs) for international transfers


Preamble

These Contractual Clauses (the Clauses) set out the rights and obligations of the data controller and the data processor, when processing personal data on behalf of the data controller.

The Clauses have been designed to ensure the parties' compliance with Article 28(3) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

In the context of the provision of "Watchdog" the data processor will process personal data on behalf of the data controller in accordance with the Clauses.

The Clauses shall take priority over any similar provisions contained in other agreements between the parties.

Four appendices are attached to the Clauses and form an integral part of the Clauses.

Appendix A contains details about the processing of personal data, including the purpose and nature of the processing, type of personal data, categories of data subject and duration of the processing.

Appendix B contains the data controller's conditions for the data processor's use of sub-processors and a list of sub-processors authorised by the data controller.

Appendix C contains the data controller's instructions with regards to the processing of personal data, the minimum security measures to be implemented by the data processor and how audits of the data processor and any sub-processors are to be performed.

Appendix D contains the data controller's conditions for the data processor's sub-processors that use valid transfer mechanisms (SCCs), for the potential exchange of data between countries in accordance with the requirements of GDPR Chapter V.

The Clauses along with appendices shall be retained in writing, including electronically, by both parties.

The Clauses shall not exempt the data processor from obligations to which the data processor is subject pursuant to the General Data Protection Regulation (the GDPR) or other legislation.


The rights and obligations of the data controller

The data controller is responsible for ensuring that the processing of personal data takes place in compliance with the GDPR (see Article 24 GDPR), the applicable EU or Member State¹ data protection provisions and the Clauses.

The data controller has the right and obligation to make decisions about the purposes and means of the processing of personal data.

The data controller shall be responsible, among other things, for ensuring that the processing of personal data, which the data processor is instructed to perform, has a legal basis.


The data processor acts according to instructions

The data processor shall process personal data only on documented instructions from the data controller, unless required to do so by Union or Member State law to which the processor is subject. Such instructions shall be specified in appendices A, C and D. Subsequent instructions can also be given by the data controller throughout the duration of the processing of personal data, but such instructions shall always be documented and kept in writing, in connection with the Clauses.

The data processor shall immediately inform the data controller if instructions given by the data controller, in the opinion of the data processor, contravene the GDPR or the applicable EU or Member State data protection provisions.


Confidentiality

The data processor shall only grant access to the personal data being processed on behalf of the data controller to persons under the data processor's authority who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and only on a need to know basis. The list of persons to whom access has been granted shall be kept under periodic review. On the basis of this review, such access to personal data can be withdrawn, if access is no longer necessary, and personal data shall consequently not be accessible anymore to those persons.

The data processor shall at the request of the data controller demonstrate that the concerned persons under the data processor's authority are subject to the abovementioned confidentiality.


Security of processing

Article 32 GDPR stipulates that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the data controller and data processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

The data controller shall evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. Depending on their relevance, the measures may include the following:

  • Pseudonymisation and encryption of personal data;
  • the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

According to Article 32 GDPR, the data processor shall also – independently from the data controller – evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. To this effect, the data controller shall provide the data processor with all information necessary to identify and evaluate such risks.

Furthermore, the data processor shall assist the data controller in ensuring compliance with the data controller's obligations pursuant to Article 32 GDPR, by inter alia providing the data controller with information concerning the technical and organisational measures already implemented by the data processor along with all other information necessary for the data controller to comply with the data controller's obligations.

If subsequently – in the assessment of the data controller – mitigation of the identified risks requires further measures to be implemented by the data processor than those already implemented by the data processor pursuant to Article 32 GDPR, the data controller shall specify these additional measures to be implemented in Appendix C.


Use of sub-processors

The data processor shall meet the requirements specified in Article 28(2) and (4) GDPR in order to engage another processor (a sub-processor).

The data processor shall therefore not engage another processor (sub-processor) for the fulfilment of the Clauses without the prior general written authorisation of the data controller.

The data processor has the data controller's general authorisation for the engagement of sub-processors. The data processor shall inform in writing the data controller of any intended changes concerning the addition or replacement of sub-processors at least 1 month in advance, thereby giving the data controller a five-day opportunity to object to such changes prior to the engagement of the concerned sub-processor(s). Longer time periods of prior notice for specific sub-processing services can be provided in Appendix B. The list of sub-processors already authorised by the data controller can be found in Appendix B.

Where the data processor engages a sub-processor for carrying out specific processing activities on behalf of the data controller, the same data protection obligations as set out in the Clauses shall be imposed on that sub-processor by way of a contract or other legal act under EU or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Clauses and the GDPR.

The data processor shall therefore be responsible for requiring that the sub-processor at least complies with the obligations to which the data processor is subject pursuant to the Clauses and the GDPR.

A copy of such a sub-processor agreement and subsequent amendments shall – at the data controller's request – be submitted to the data controller, thereby giving the data controller the opportunity to ensure that the same data protection obligations as set out in the Clauses are imposed on the sub-processor. Clauses on business related issues that do not affect the legal data protection content of the sub-processor agreement, shall not require submission to the data controller.

If the sub-processor does not fulfil his data protection obligations, the data processor shall remain fully liable to the data controller as regards the fulfilment of the obligations of the sub-processor. This does not affect the rights of the data subjects under the GDPR – in particular those foreseen in Articles 79 and 82 GDPR – against the data controller and the data processor, including the sub-processor.


Transfer of data to third countries or international organisations

Any transfer of personal data to third countries or international organisations by the data processor shall only occur on the basis of documented instructions from the data controller and shall always take place in compliance with Chapter V GDPR, using valid transfer mechanisms (SCCs).

In case transfers to third countries or international organisations, which the data processor has not been instructed to perform by the data controller, are required under EU or Member State law to which the data processor is subject, the data processor shall inform the data controller of that legal requirement prior to processing unless that law prohibits such information on important grounds of public interest.

Without documented instructions from the data controller, the data processor therefore cannot within the framework of the Clauses:

  • transfer personal data to a data controller or a data processor in a third country or in an international organization
  • transfer the processing of personal data to a sub-processor in a third country
  • have the personal data processed by the data processor in a third country

The data controller's instructions regarding the transfer of personal data to a third country including, if applicable, the transfer tool under Chapter V GDPR on which they are based, shall be set out in Appendix C.6.


Assistance to the data controller

Taking into account the nature of the processing, the data processor shall assist the data controller by appropriate technical and organisational measures, insofar as this is possible, in the fulfilment of the data controller's obligations to respond to requests for exercising the data subject's rights laid down in Chapter III GDPR.

This entails that the data processor shall, insofar as this is possible, assist the data controller in the data controller's compliance with:

  • the right to be informed when collecting personal data from the data subject
  • the right to be informed when personal data have not been obtained from the data subject
  • the right of access by the data subject
  • the right to rectification
  • the right to erasure ('the right to be forgotten')
  • the right to restriction of processing
  • notification obligation regarding rectification or erasure of personal data or restriction of processing
  • the right to data portability
  • the right to object
  • the right not to be subject to a decision based solely on automated processing, including profiling

In addition to the data processor's obligation to assist the data controller pursuant to Clause 6.3., the data processor shall furthermore, taking into account the nature of the processing and the information available to the data processor, assist the data controller in ensuring compliance with:

  • The data controller's obligation to without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, the Norwegian Data Protection Authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons;
  • the data controller's obligation to without undue delay communicate the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons;
  • the data controller's obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a data protection impact assessment);
  • the data controller's obligation to consult the competent supervisory authority, the Norwegian Data Protection Authority, prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the data controller to mitigate the risk.

The parties shall define in Appendix C the appropriate technical and organisational measures by which the data processor is required to assist the data controller as well as the scope and the extent of the assistance required. This applies to the obligations foreseen in Clause 9.1. and 9.2.


Notification of personal data breach

In case of any personal data breach, the data processor shall, without undue delay after having become aware of it, notify the data controller of the personal data breach.

The data processor's notification to the data controller shall, if possible, take place within 72 hours after the data processor has become aware of the personal data breach to enable the data controller to comply with the data controller's obligation to notify the personal data breach to the competent supervisory authority, cf. Article 33 GDPR.

In accordance with Clause 9(2)(a), the data processor shall assist the data controller in notifying the personal data breach to the competent supervisory authority, meaning that the data processor is required to assist in obtaining the information listed below which, pursuant to Article 33(3) GDPR, shall be stated in the data controller's notification to the competent supervisory authority:

  • The nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • the likely consequences of the personal data breach;
  • the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

The parties shall define in Appendix C all the elements to be provided by the data processor when assisting the data controller in the notification of a personal data breach to the competent supervisory authority.


Erasure and return of data

On termination of the provision of personal data processing services, the data processor shall without undue delay, and within 180 days, delete all personal data processed on behalf of the data controller and certify to the data controller that it has done so unless Union or Member State law requires storage of the personal data.

The data processor commits to exclusively process the personal data for the purposes and duration provided for by this law and under the strict applicable conditions.


Audit and inspection

The data processor shall make available to the data controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 and the Clauses and allow for and contribute to audits, including inspections, conducted by the data controller or another auditor mandated by the data controller.

Procedures applicable to the data controller's audits, including inspections, of the data processor and sub-processors are specified in appendices C.7. and C.8.

The data processor shall be required to provide the supervisory authorities, which pursuant to applicable legislation have access to the data controller's and data processor's facilities, or representatives acting on behalf of such supervisory authorities, with access to the data processor's physical facilities on presentation of appropriate identification.


The parties' agreement on other terms

The parties may agree other clauses concerning the provision of the personal data processing service specifying e.g. liability, as long as they do not contradict directly or indirectly the Clauses or prejudice the fundamental rights or freedoms of the data subject and the protection afforded by the GDPR.

Except for liability that cannot be disclaimed under applicable law, each party's total liability arising out of or in connection with the Clauses - whether based on contract, tort, or any other legal theory - shall be subject to the limitation of liability provisions set out in the main service agreement.


Commencement and termination

The Clauses shall become effective on the date the data controller accepts the Clauses, including by electronic acceptance or by entering into a service agreement that incorporates these Clauses by reference.

Both parties shall be entitled to require the Clauses to be renegotiated if changes to applicable law or material changes in the processing render the Clauses inappropriate or insufficient.

The Clauses shall apply for the duration of the provision of personal data processing services. For the duration of the provision of such services, the Clauses may not be terminated unless other clauses governing the provision of personal data processing services have been agreed between the parties.

If the provision of personal data processing services is terminated and the personal data has been deleted or returned to the data controller in accordance with Clause 11.1 and Appendix C.4, the Clauses may be terminated by either party upon written notice.

Any notice under this Clause may be given electronically in accordance with Clause 15.


Data controller and data processor contacts/contact points

The data processor may be contacted regarding matters relating to these Clauses and the processing of personal data at:

Name: Benjamin Bjorvatn Øien

Role: Chief Executive Officer

E-mail: hello@watchdog.no

The data controller may be contacted via the e-mail address or addresses registered by the data controller in connection with its customer account, service agreement, or other written communications with the data processor.

Each party is responsible for ensuring that its contact information is kept accurate and up to date. Electronic communication to the contact details described above shall be deemed valid written notice under these Clauses.

The parties shall not be required to execute or amend these Clauses solely to reflect changes in contact details.


Appendix A: Information about the processing

A.1. The purpose of the data processor's processing of personal data on behalf of the data controller is:

The purpose of the data processor's processing of personal data on behalf of the data controller is to enable the data controller to identify overbilling by suppliers, such as price discrepancies, missing discounts, duplicate invoices, and other irregularities, through automated and AI-assisted analysis of invoice and contract data. The processing aims to reduce costs, ensure accurate invoicing, and simplify reimbursement processes. Processing is limited to what is technically necessary to deliver the Watchdog service and does not include profiling or secondary use of personal data.

A.2. The data processor's processing of personal data on behalf of the data controller shall mainly pertain to (the nature of the processing):

Collection, storage, organization, and automated analysis of personal data found in invoices and related documents. Processing is carried out in a cloud-based software platform, where an AI model scans the content for compliance with the data controller's agreements and policies. In some cases, processing is supported by human review for accuracy.

A.3. The processing includes the following types of personal data about data subjects:

Primarily business-related personal data, including:

  • Name and contact details of employees of the data controller and suppliers (e.g., name, company email, phone number, title, department).
  • Username or user ID from the system (for internal users validating anomalies).
  • Invoice details that may identify a person (e.g., consultant names on service invoices).
  • Any other identifiable information in free-text fields or attachments within invoice and contract documents.

No special categories of personal data are processed beyond what appears in invoices and contracts.

A.4. Processing includes the following categories of data subject:

Employees of the data controller (especially procurement, finance, and signatories), suppliers, and partners.

Other individuals named in invoices or contracts, e.g., sole proprietors acting as suppliers or customers.

A.5. The data processor's processing of personal data on behalf of the data controller may be performed when the Clauses commence. Processing has the following duration:

The processing continues as long as Watchdog provides services to the data controller in accordance with the customer agreement. When the processing ends, the personal data shall be deleted or returned in accordance with the customer agreement.

The data processor has entered into data processing agreements with all sub-processors, ensuring through these that the requirements of the GDPR are met. Although primary storage is within the EU/EEA, some sub-processors assisting with support, analysis, or infrastructure may be located outside the EU/EEA. See Appendix B and C.6 for details.


Appendix B: Authorised sub-processors

B.1. Approved sub-processors

On commencement of the Clauses, the data controller authorises the engagement of the following sub-processors:

| Name | Org. Nr. | Address | Description of Processing |
| --- | --- | --- | --- |
| Supabase, Inc | - | 3500 S Dupont Hwy, Camden, DE, USA | Database and storage (Sweden) |
| Google Cloud EMEA Limited | IE3668997OH | Gordon House 4, Barrow St, Grand Canal Dock, Dublin, Ireland | Hosting (GCP); File storage (Google Drive); Artificial Intelligence (Vertex); EU region |
| Vercel UK Ltd | 15286209 (UK Company No) | 4th Floor, St. James House, St. James Square, Cheltenham, GL50 3PR, UK | Hosting (EU edge locations) |
| VeraSafe Ireland Ltd (Clerk) | - | Unit 3D North Point House, North Point Business Park, New Mallow Road, Cork, Ireland | User authentication (EU region) |
| Inngest | 86-2590642 (IRS EIN) | 1039 Iroquois Blvd, Royal Oak, MI 48067, USA | Backend queuing system (EU region) |
| Functional Software, Inc. (Sentry) | EU372050121 (VAT OSS) | 45 Fremont St, 8th Floor, San Francisco, CA 94105, USA | Error detection (EU region) |
| Pydantic Services UK Ltd | 14554427 (UK Company No) | 3.07 The Food Exchange, New Covent Garden Market, London, SW8 5EL, UK | Service monitoring (EU region) |
| Resend | - | 2261 Market Street #5039, San Francisco, CA 94114 | Email (EU region) |
| SFDC Ireland Limited | - | Salesforce Tower, 60 R801, North Dock, Dublin, Ireland | Communication platform (EU region) |

Some providers such as Supabase and Google use sub-processors that in some cases may process data outside the EU/EEA. Such transfers occur in accordance with GDPR Chapter V, based on the use of the EU's Standard Contractual Clauses (SCCs), and with sufficient technical and organizational measures in place to ensure confidentiality and integrity.

A complete and updated list of sub-processors used by Supabase, Google, and SFDC (Salesforce) is available via their websites. The data controller approves the use of these sub-processors. The data processor will notify the data controller of significant changes in accordance with section 7.2.


Appendix C: Instruction pertaining to the use of personal data

C.1. The subject of/instruction for the processing

Data Processor receives and analyzes invoices and contract documents via its cloud-based platform, using automated tools, including AI, to identify irregularities (e.g., price deviations, missing discounts, duplicates) made available via a secure interface. Processing is limited to what is necessary to deliver the Watchdog service.

C.2. Security of processing

The level of security shall reflect that the personal data being processed is limited in scope and does not include special categories of data as defined in Article 9 of the GDPR. The processing primarily concerns ordinary personal data appearing in business-related documents, within the context of large data volumes and financially sensitive information. The risk to data subjects is assessed as low to moderate.

The data is of a business-critical and confidential nature, and a breach may result in financial loss and reputational damage for the data controller; the security level is therefore high.

The processor is obliged to implement technical and organizational measures to ensure an adequate level of security. At a minimum, the following measures shall be in place:

  • Encryption: TLS 1.3+ encryption in transit and AES-256 at rest
  • Pseudonymization: Pseudonymization of personal information where possible
  • Access Control: Access to systems is strictly limited to authorized personnel, protected by multi-factor authentication, and implemented according to the "need-to-know" principle.
  • Resilience and Availability: Infrastructure is hosted on high-availability cloud platforms (Google Cloud and Supabase), with established backup routines.
  • Recovery: Encrypted backups are stored, and recovery procedures are tested regularly.
  • Testing and Evaluation: Regular security assessments of proprietary software are conducted, including vulnerability scanning and code analysis.
  • Internet Access: Access via the internet occurs only over encrypted connections and through secured APIs.
  • Transfers: All data transfers, including transfers to third countries as specified in Appendices C.6 and D, are encrypted and carried out in accordance with agreed security measures.
  • Storage: Data is stored in professional data centers within the EU/EEA (Google Cloud in Finland; Supabase in Stockholm).
  • Physical Security: All physical processing occurs in secured data centers with strict access controls.
  • Logging: Access to systems and data is logged and regularly reviewed for security purposes.

C.3. Assistance to the data controller

The data processor shall insofar as this is possible, within the scope and the extent of the assistance specified below, assist the data controller in accordance with Clause 9.1. and 9.2. by implementing the following technical and organisational measures:

  • Fulfillment of data subjects' rights: The processor will facilitate the controller's ability to respond to requests for access, rectification, erasure, and data portability through service functionality.
  • Notification of security breaches: The processor shall notify the controller without undue delay, within 72 hours of discovering a security breach, via email. The notification will include details of the breach to help the controller meet its obligations to the Norwegian Data Protection Authority. The notification shall include: time of breach, affected data categories, estimates for affected users, actions taken to remedy the breach and contact information for further updates.
  • Data Protection Impact Assessment (DPIA): The processor shall, upon request, provide necessary information to assist the controller in conducting a DPIA.

C.4. Storage period/erasure procedures

Data is retained until the customer relationship ends, after which it is automatically deleted unless otherwise agreed in writing.

Upon termination of the provision of personal data processing services, the data processor shall either delete or return the personal data in accordance with Clause 11.1., unless the data controller, after the signature of the contract, has modified the data controller's original choice. Such modification shall be documented and kept in writing, including electronically, in connection with the Clauses.

C.5. Processing location

Processing of personal data covered by the Clauses cannot, without the data controller's prior written approval, take place at locations other than those listed in the overview of sub-processors in Appendix B.

C.6. Instruction on the transfer of personal data to third countries

The controller authorizes the processor to use Sub-processors established in countries outside the EU/EEA ("third countries"), such as Supabase, Inc. in the United States, for the purpose of delivering the service.

These sub-processors may, in some cases, engage their own sub-processors who process personal data in countries outside the EU/EEA. Such transfers shall take place in accordance with Chapter V of the GDPR, based on the EU Standard Contractual Clauses (SCCs), and accompanied by appropriate technical and organizational security measures. The Sub-processors are GDPR-compliant and have entered into binding agreements with their sub-processors to ensure adequate data protection during such transfers.

Any transfer of personal data to such third countries shall only occur provided a valid legal basis for transfer has been established under Chapter V of the GDPR. For transfers to Sub-processors in countries not subject to an adequacy decision by the European Commission, the transfer shall be based on the Commission's Standard Contractual Clauses (SCCs), which are incorporated into this agreement through Appendix D.

The data processor undertakes to ensure that all Sub-processors located in third countries are bound by terms ensuring a level of protection at least equivalent to that provided under the Clauses and applicable data protection legislation.

C.7. Procedures for the data controller's audits, including inspections, of the processing of personal data being performed by the data processor

The controller, or a representative appointed by the controller, may carry out an on-site inspection of the locations where the data processor processes personal data, including physical premises, to verify that the data processor complies with GDPR.

Any on-site inspection at the data processor's premises shall be subject to a minimum of 14 days' prior written notice and shall be limited to systems and facilities relevant to the processing activities. For inspections of data centers operated by sub-processors, the Parties acknowledge that such inspections will normally be conducted through the Sub-processor's own audit reports, as direct physical access by individual customers is generally not feasible due to security considerations.

The data controller shall bear its own costs associated with audits. However, if an audit reveals material breaches of the data processor's obligations under the Clauses or under applicable data protection legislation, the data processor shall reimburse the data controller for its reasonable and documented costs incurred in connection with the audit.


Appendix D: Standard Contractual Clauses (SCCs) for international transfers

D.1 Application of SCCs:

This appendix applies to transfers of personal data to sub-processors in third countries lacking an adequacy decision. By entering into this DPA, the parties agree that the SCCs (Commission Implementing Decision (EU) 2021/914) are incorporated herein. For the transfer from the processor (Supersolve AS) to a sub-processor (e.g., Supabase, Inc.), Module 3 (Processor to Processor) of the SCCs shall apply.

D.2 Optional Clause Choices:

The parties agree to the following selections for the optional clauses in Module Three:

  • Clause 7 (Docking clause): Does not apply.
  • Clause 9(a) (Use of further sub-processors): Option 2 (General written authorisation) shall apply, with the notification period specified in clause 7.2 of the DPA.
  • Clause 11(a) (Redress): The optional independent dispute resolution body shall not be used.
  • Clause 17 (Governing Law): The agreement shall be governed by Norwegian law.
  • Clause 18 (Choice of forum and jurisdiction): Disputes shall be resolved by the courts of Norway.

D.3 SCC Annexes:

Annex I - Parties and description of the transfer:

  • Data Exporter: The processor (Supersolve AS, org. no. 933860175).
  • Data Importer: The sub-processor, as specified in Appendix B (e.g., Supabase, Inc.).
  • Description of the processing: As described in Appendix A.
  • Competent supervisory authority: Norwegian Data Protection Agency.

Annex II - Technical and Organisational Measures:

  • The data importer (sub-processor) shall, as a minimum, implement the TOMs described in Appendix C, supplemented by the measures in the sub-processor's own documentation.

Annex III - List of sub-processors:

  • The list of pre-approved sub-processors at the data importer is referenced in Appendix B.

D.4 UK and Swiss Transfers:

United Kingdom (UK): For any transfer of personal data subject to UK data protection law (UK GDPR), the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0), issued by the UK Information Commissioner's Office (ICO), shall be deemed incorporated into and completed in accordance with the provisions of this Appendix.

Switzerland: For any transfer subject to Swiss data protection law, the Standard Contractual Clauses (SCCs) shall be interpreted to provide adequate safeguards under the Swiss Federal Act on Data Protection (FADP). References to the "EU" and "Member State" shall be interpreted to include "Switzerland," and references to the "competent supervisory authority" shall include the Swiss Federal Data Protection and Information Commissioner (FDPIC).


Footnotes

  1. References to "Member States" made throughout the Clauses shall be understood as references to "EEA Member States".