Secure 2024: Forrester Wave™ Q2 2022 Showcases Leading Bot Management Solutions


As of: October 18, 2023

This Human Security Subscription Agreement (“Agreement”) sets forth the provisions under which Customer (as specified on the Order Form), will use the services provided by Human Security, Inc., a Delaware corporation with an address at 111 West 33rd Street, 11th Floor, New York, NY 10001 (“HUMAN”), as such services may be defined from time to time as specified on the Order Form(s) agreed to and executed by the Parties (“Order Form”).


1.1 Platform means the Software, Services and Data provided by Human to Customer under this Agreement.

1.2 Platform Data means any information and reports generated by Human in the performance of Services provided under this Agreement.

1.3 Services means the services listed in the Order Form.

1.4 Software means the object code versions of the product, together with the updates, upgrades, modifications or enhancements owned and provided by Human to Customer pursuant to this Agreement. The Software is an application made up of individual software components, each of which was individually written and copyrighted and is, therefore, a collective work under U.S. Copyright Law.

1.5 Standard Reporting means aggregated results on internet activity from the Services provided.

1.6 Third-party Software and/or Components. Any third-party software, including any third-party's plug-in, that may be provided with the software is included for use at your option.  If Customer chooses to use such third-party software, then such use shall be governed by such third-party's license agreement. Human is not responsible for any third-party's software and shall have no liability for your use of third-party software.

1.7 Transactional Level Reporting means Standard Reporting with the addition of detailed log-level results.

1.8 Customer Data means any data provided by or on behalf of Customer to HUMAN and/or its affiliates under this Agreement, excluding IP addresses that have been identified as invalid traffic and are de-identified and aggregated.


2.1 License Grant to Customer. Upon payment of the fees applicable, HUMAN hereby grants to Customer a limited, nonexclusive, revocable, non-sublicensable right and license to access and use the Platform during the Term solely for Customer’s own internal purposes within Customer’s designated internal divisions and departments.

2.2 Customer License Grant. Customer hereby grants to HUMAN a limited, nonexclusive, revocable, right and license to access and use Customer Data solely to the extent necessary for HUMAN to perform the Services under this Agreement, and to improve service performance. HUMAN will not reproduce, modify, make derivative works of, publicly display, transfer, sell, or permit access to any Customer Data by any entity other than Customer or HUMAN (a “Third-party”).

2.3 No Modification by Customer. Customer will not: (i) reproduce, modify, or make derivative works of any portion of the Platform; (ii) reverse engineer, decompile, disassemble, or attempt to derive the source code form or internal logic of any software portion of the Platform provided by HUMAN in object code form only; or (iii) alter, obscure, or remove any HUMAN branding, proprietary notices situated within the Platform

2.4 Restriction on Transaction Level Reporting. Customer will not share any Transaction Level Reporting with any third-party under any circumstances.

2.5 Definition of Authorized Third-party. An “Authorized Third-party” is a Third-party business partner of Customer (such as an affiliate, supplier, vendor, or customer) that is subject to an obligation of nondisclosure at least as restrictive as that which exists between Customer and HUMAN, and that are not “Known Bad Actors,” which means companies or businesses (or divisions or segments of an otherwise reputable company or business) that operate websites, networks of websites, applications (apps), platforms, or other mechanisms for delivering ads, mechanisms for delivering audiences to properties that host ads, or any other identifiable and marketed online properties, channels, or segments for which the Platform has reported fraud rates in excess of 50% of total traffic volume during the previous 90 days.

2.6 Authorized Data Sharing. If “Data Sharing” is included in the Order Form, then Customer may share a portion of Standard Reporting as Summary Reporting (“Aggregated Reporting”) with Authorized Third Parties as follows: (i) the applicable Authorized Third-party must first execute an unaltered “HUMAN Third-party Data Use Agreement” attached hereto as EXHIBIT A; (ii) Authorized Third-party may access Summary Reporting through Summary Dashboard accounts or Emailed Reports; (iii) HUMAN may provision each Summary Dashboard account in any manner it sees fit to ensure that only Summary Reporting relevant to such Authorized Third-party is accessible therein; and (iv) HUMAN has the right to refuse to provide or continue to provide Summary Dashboard accounts and Emailed Reports to any Authorized Third-party it reasonably determines is or becomes a Known Bad Actor (defined above).

2.7 Unauthorized Use. Customer may not: (i) permit other individuals or companies to use the Platform other than as specified herein; (ii) modify, translate, reverse engineer, decompile, disassemble (except to the extent that this restriction is expressly prohibited by law) or create derivative works based upon the Platform; (iii) copy the Platform (except for back-up or archival purposes); (iv) publicly display, publicly perform, sell, distribute, rent, lease, sublicense, or transfer any portion of the Platform; (v) operate the Platform on behalf of any third parties; (vi) operate the Platform as a service bureau; (vii) incorporate or bundle any portion of the Platform into any other offering, product, or service; (viii) use or analyze the Platform in a manner that enables Customer or any Third-party to compete directly with HUMAN. Any such forbidden use shall immediately terminate Customer’s license to the Platform.

2.8 Passwords and Platform Access. If Customer is given passwords to access the Platform, Dashboard, or API, Customer shall require that all Authorized Third Parties thereof keep HUMAN login and password information strictly confidential. Logins are granted to individual, named persons and may not be shared. Customer shall be responsible for any and all actions taken using Customer’s logins and passwords and shall collaborate with HUMAN upon HUMAN's reasonable request to determine if any user who has access to a login is no longer employed by or affiliated with Customer.


Unless as conveyed herein, all rights, title, and interest in and to the Platform, any documentation, and corresponding intellectual property (including without limitation any images, photographs, animations, video, audio, music, and text incorporated into the Platform, the accompanying printed materials, and any copies of the Software) shall remain in Human or its suppliers or are publicly available. This Agreement does not grant Customer any rights, title, or interest in or to any trademarks, service marks, or trade secrets of Human or its suppliers. The Software and Documentation are protected by the copyright and intellectual property laws of the United States and international copyright and intellectual property laws and treaties. All title, rights, and interest in and to content, which may be accessed through the Software ("Content"), is the property of the respective Content owner, shall be retained by the applicable Content owner, and may be protected by applicable copyright or other intellectual property laws and treaties. This Agreement gives Customer no rights to such Content, including use of the same. All rights not expressly granted under this Agreement are reserved by Human, its suppliers, or third parties.

4.   TERM

The term of this Agreement (the “Term”) will be as specified on the Order Form(s).


5.1 Mutual Warranties. Each party represents and warrants to the other that: (i) it will comply with all laws including data privacy and protection laws (i.e. GDPR) to which they are subject. Neither party makes any warranties other than as expressly set forth herein, and HUMAN disclaims all implied warranties, including without limitation merchantability and fitness for a particular purpose.

5.2 HUMAN Warranties. HUMAN warrants that it: (i) will not collect any data from Customer other than that which Customer selects and sends to HUMAN in furtherance of the product process; (ii) will not collect any data from Customer’s end users other than that which is necessary to provide the Services or to improve the overall quality of the Services; (iii) the HUMAN Platform contains no code that exists for any purpose other than providing the Services; and (iv) HUMAN has all rights necessary to provide the Platform, Services, and Platform Generated Data to Customer for the purposes hereof.


6.1 Indemnification by HUMAN. HUMAN shall indemnify, defend, and hold harmless Customer and its affiliates, and the officers, directors, and employees of each, from and against any Third-party claim of infringement of a U.S. patent, U.S. copyright, or U.S. trademark asserted against Customer by a Third-party based upon Customer’s use of the Platform, Services, or Platform Generated Data. If Customer’s use of the Platform, Services, or Platform Generated Data is, or in HUMAN's opinion is likely to be, enjoined due to the type of infringement specified above, or if required by settlement, HUMAN may, in its sole discretion: (i) substitute substantially functionally similar products or services; (ii) procure for Customer the right to continue using the Platform, Services, and Platform Generated Data; or, if (i) and (ii) are commercially impracticable, (iii) terminate this Agreement and refund to Customer the fees paid by Customer for the portion of the Term pre-paid by Customer during which Customer had no access or use of the Platform, Services, or Platform Generated Data. The foregoing indemnification obligation of HUMAN shall not apply to the extent that: (1) the Platform, Services,  or Platform Generated Data are modified by any party other than HUMAN; (2) the Platform, Services, or Platform Generated Data are used in an unauthorized way or combined with other non-HUMAN products or processes not authorized by HUMAN; or (3) the applicable action arises as a result of any third-party deliverables or components contained within the Platform, Services, or Platform Generated Data.

6.2 Indemnification by Customer. Customer shall indemnify, defend and hold harmless HUMAN, its affiliates, and the officers, directors and employees of each, from and against all Third-party claims, costs, damages, losses, liabilities, and expenses (including reasonable attorneys’ fees and costs) arising out of any breach of Customer’s covenants, obligations, representations, or warranties hereunder, or any act or omission of Customer constituting gross negligence or willful misconduct.

6.3 Process. Each indemnifying party’s obligations in this Section are subject to receipt by the indemnifying party of: (i) prompt written notice of the applicable claim (but in any event notice in sufficient time for the indemnifying party to respond without prejudice); (ii) the exclusive right to control and direct the investigation, defense, and settlement of such claim; and (iii) all reasonable cooperation of the indemnified party at the indemnifying party’s expense. The indemnified party may participate in the defense of any claim by counsel of its own choosing, at its cost and expense. The indemnifying party shall not settle any claim without the indemnified party’s prior written approval.




8.1 Assignment. Neither party may assign this Agreement except upon the advance written consent of the other party, except that HUMAN may assign this Agreement in connection with a merger, reorganization, acquisition, or other transfer of all or substantially all of HUMAN's assets or voting securities upon notice to Customer.

8.2 Miscellaneous. If any provision of this Agreement is held to be unenforceable, that shall not affect the enforceability of the remaining provisions.  This Agreement shall be governed and enforced under the laws of New York and the United States without regard to conflicts of laws provisions thereof, and without regard to the United Nations Convention on the International Sale of Goods. The jurisdiction and venue for actions hereunder shall be the state and federal courts in New York, New York. 

8.3 Entire Agreement. This Agreement (including the Order Form(s)) is the complete statement of the mutual understanding of the parties and supersedes all prior or contemporaneous communications, agreements and understandings, written or oral, with respect to the subject matter hereof including without limitation the terms of any third-party EULA contained in the Software or any purchase order issued in connection with this Agreement.  This Agreement shall not be amended or modified except in a writing signed by authorized representatives of each party.

8.4 Force Majeure. Neither party shall be liable to the other for any delay in its performance of any obligation hereunder if the delay is due to unforeseen events that occur after the signing of this Agreement and that are beyond the control of such party, such as a war, terrorism, riot, natural disaster, pandemic or failure of power, telecommunications, or data networks; provided that the party whose performance is so delayed gives the other party notice thereof within 24 hours of such event and diligently resumes performance as soon as possible.

8.5 Service Availability. HUMAN does not guarantee the Service will be operable at all times or during any down time (i) caused by outages to any public Internet backbones, networks, or servers or third-party data centers or cloud service providers; (ii) caused by any failures of Customer equipment, systems, or local access services; or (iii) for previously scheduled maintenance. If for any reason HUMAN fails to provide the Services with regards to a Server Request, FraudSensor Event, MediaGuard Decision or  BotGuard Decision (if such term(s) are defined in the Order Form), such attempted Server Request, FraudSensor Event, MediaGuard Decision, or BotGuard Decision will not be counted towards Customer’s Prepaid Usage or against any obligations of HUMAN to Customer under any applicable Order, Exhibit, or SOW. Customer acknowledges that in order to provide improved customer experience, HUMAN may make changes to the Platform from time to time throughout the Term, where such changes will neither materially contradict the provisions hereof nor materially alter the level of service provided hereunder.

EXHIBIT A: Authorized Third Party Data Use Agreement

This Authorized Third Party Data Use Agreement (“Agreement”) is entered into as of                   by Human Security, Inc., a Delaware corporation having an address at 841 Broadway, 2nd Floor, New York, NY 10003 (“HUMAN”) and the person or entity signing below (“Authorized Third Party”), both of whom, for good and valuable consideration, hereby mutually agree as follows:

1. Data. The Parties acknowledge and agree that Authorized Third Party may access or has accessed from HUMAN's Customer, a certain portion of data owned by HUMAN (the “Data”).

2. License. HUMAN hereby grants to Authorized Third Party the limited, revocable right and license to access and examine the Data solely for Authorized Third Party’s internal purposes and for no other purposes whatsoever. Authorized Third Party shall not reproduce, modify, make derivative works of, publicly display, distribute, sell, sublicense, or otherwise exploit all or any portion of the Data. Authorized Third Party shall not expose or transmit the Data to any third parties. Authorized Third Party shall not use the Data to reverse engineer or otherwise derive the internal means of operation of any HUMAN product or service. Authorized Third Party shall not access or use the Data by means of any “bot” or other automated mechanism. HUMAN reserves all rights not expressly granted hereunder.

3. Passwords and Platform Access. If Authorized Third Party is given credentials to access HUMAN'S Platform or Dashboard, Authorized Third Party shall keep such credentials strictly confidential and shall not share such credentials with any other party. Authorized Third Party shall be responsible for all actions taken by its personnel using such credentials, and shall collaborate with HUMAN on at least a monthly basis to determine if any user who has access to such credentials is no longer is employed by or affiliated with Authorized Third Party.

4. Term. Either party shall have the right to terminate this Agreement immediately upon written notice to the other. Absent such notice, this Agreement and the license granted hereunder shall expire on the first anniversary hereof. Upon termination or expiration hereof for any reason, Authorized Third Party shall have no further right or license to access, examine, or use the Data, shall promptly destroy the Data and all copies thereof in Authorized Third Party’s possession or control, and shall certify such destruction to HUMAN in writing.

5. Confidentiality. To the extent that any nondisclosure agreement is in effect by and between Authorized Third Party and HUMAN, or by and between Authorized Third Party and HUMAN'S Customer, then the Data shall be deemed to be Confidential Information in accordance with such NDA. If no such NDA is in effect, Authorized Third Party shall maintain the confidentiality of the Data in perpetuity and shall not use or disclose it other than as may be permitted hereby.


7. General. This agreement:  (i) does not by itself create any relationship between the parties other than independent Authorized Third Parties and does not obligate either party to enter into any future relationship or agreement with the other; (ii) shall not be amended except in writing executed by both parties; (iii) shall not be assigned to a third party by Authorized Third Party; (iv) sets forth the entire understanding of the parties and supersedes all prior and contemporaneous understandings; and (v) may be executed by facsimile and digital scan. New York law shall govern the interpretation and enforcement hereof, and disputes arising hereunder shall be resolved in the courts of competent jurisdiction sitting in New York, New York.


“Customer” As defined in the Agreement between Customer and HUMAN

Notices to be provided Attn: Legal

Notices of Incidents to be provided: Business Contact listed in accompanying Order Form
“HUMAN” Human Security, Inc., a Delaware corporation, 841 Broadway, 2nd Floor, New York, NY 1003

Notices to be provided Attn: General Counsel

Notices of Incidents to be provided: and


This Data Processing Addendum (“DPA”) (including its appendices) is made by and between Customer and HUMAN (each a “Party”; collectively the “Parties”) and entered into as of the Effective Date of the Agreement (as defined below) for the purpose of governing the Processing by HUMAN of Personal Data (both as defined below) on behalf of Customer pursuant to the Service Agreement entered into between HUMAN and Customer (the “Agreement”). This DPA is incorporated into and made subject to the terms of the Agreement. In the event of a conflict between the terms of this DPA and the terms of the Agreement, the terms of the DPA shall prevail. In case of a conflict or inconsistency between the operative provisions in this DPA and the Standard Contractual Clauses in Appendix 3, if applicable, the Standard Contractual Clauses shall supersede and take precedence.

1.    Definitions. Definitions applicable to the DPA are as follows:

1.1    Applicable Laws” means any law or regulation concerning information privacy or security applicable to HUMAN’s Processing of the Personal Information to provide Services under the Agreement, including to the extent applicable to the Processing, (i) EU GDPR, (ii) UK GDPR, and (iii) any United States privacy laws (such as Cal. Civ. Code § 1798.100 et seq, Va. Code § 59.1-571 et seq., Colorado Rev. Stat. §§ 6-1-1301 et seq., Connecticut Public Act No. 22-15, Iowa Code §§ 715D.1 et seq., and Utah Code Ann. §§ 13-61-101 et seq.) and all implementing regulations.

1.2    Authorized Employees means HUMAN’s employees who have a need to know or otherwise access Personal Data to enable HUMAN to perform its obligations under the Agreement.

1.3    Authorized Persons means (i) Authorized Employees; and (ii) HUMAN’s contractors, agents, and auditors who have a need to know or otherwise access Personal Data to enable HUMAN to perform the Services.

1.4    Controller has the meaning given to “controller”, “data controller”, “business” or a similar term used to define the Party that, alone or jointly with others, determines the means and purpose of the Processing of Personal Data in accordance with Applicable Laws.

1.5    Customer Data means any information Processed by HUMAN (and/or its affiliates and/or Authorized Persons) in HUMAN’s role as a Processor to Customer pursuant to the Agreement, including any Personal Data.

1.6    Data Subject has the meaning given to “data subject”, “consumer” or similar term used to describe the individual who is the subject of the Personal Data in accordance with Applicable Laws.

1.7    EEA means the European Economic Area.

1.8    EU GDPR means the European Union General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), as may be amended from time to time.

1.9    GDPR means, as applicable, the EU GDPR and/or the UK GDPR.

1.10    Incident means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

1.11    Personal Data has the same meaning as personal data, “personal information,” or similar terms used in Applicable Laws to describe information that identifies or related to an individual who can be identified directly or indirectly from the data alone or in combination with other information in HUMAN’s possession or control or that HUMAN is likely to have access to, where the data is Processed by HUMAN (and/or its affiliates and/or any Authorized Persons) in HUMAN’s role as a Processor to Customer pursuant to the Agreement.

1.12    Processing or Process has the meaning given in accordance with Applicable Laws or absent such a definition, any operation or set of operations which is performed on Personal Data, such as collection, storage, alteration, retrieval, use, disclosure, or otherwise making available, or destruction.

1.13    Processor has the meaning given to “processor,” “data processor”, “service provider,” “contractor,” or other terms used to describe the Party that Processes the Personal Data on behalf of the Controller in accordance with Applicable Laws.

1.14    Regulatory Authority means any court, tribunal, or governmental or other entity that has jurisdiction, under Applicable Laws, over the Agreement, the Services, Customer or HUMAN, including any foreign data protection authority with jurisdiction or oversight over the Applicable Laws.

1.15    Share,” “Shared,” and “Sharing” have the meaning defined in the California Consumer Privacy Act (CCPA).

1.16    Sale” and “Selling” have the meaning defined in the Applicable Laws.

1.17    Service Order” means a written or online ordering document by which Customer purchases Services.

1.18    Services” means the services provided to Customer pursuant to the Agreement.

1.19    Standard Contractual Clauses” means, as applicable, the EEA Standard Contractual Clauses and/or the UK Standard Contractual Clauses as further defined in Appendix

1.20    UK GDPR” means the United Kingdom Data Protection Act of 2018 and the United Kingdom General Data Protect Act and any successor legislation thereto.

In the event of a conflict in the meanings of defined terms in the Applicable Laws, the meaning from the law applicable to the Processing of Personal Data of the relevant Data Subject applies.

2.    Standard of Care

2.1    Limited Processing and Documented Instructions. HUMAN shall comply with this DPA and be responsible for any authorized Processing of Personal Data while such Personal Data is under HUMAN’s control or in its possession. HUMAN and Customer acknowledge and agree that for the purposes of this Agreement and Applicable Laws, Customer is either a Controller or a Processor and HUMAN is a Processor of any Personal Data. HUMAN shall Process Customer Data only on documented instructions from Customer. Customer instructs HUMAN to Process Customer Data for only the following purposes: (i) Processing in accordance with the Agreement and applicable Service Orders (if any) and to the extent necessary to perform the Services; and (ii) Processing to comply with other documented instructions provided by Customer where such instructions are consistent with the terms of the Agreement. If Customer is a Data Processor, Customer represents and warrants that its instructions and actions with respect to the Personal Data, including appointing HUMAN as an additional Processor, have been and are authorized by the relevant Data Controller. HUMAN shall not (i) collect, use, retain, disclose, Sell, Share, rent, or otherwise make Personal Data available outside of the direct business relationship with Customer or for HUMAN’s own commercial purposes or for the benefit of anyone other than Customer, except with Customer’s prior written consent, (ii) Sell or Share Customer Data, (iii) retain, use, or disclose Customer Data for any purpose other than for the specific purpose of performing the services specified in Appendix 1, and (iv) combine Personal Data received from Customer with other Personal Data HUMAN received from or on behalf of another person, or collected from its own interactions with a Data Subject, to the extent prohibited by Applicable Laws. Notwithstanding the foregoing, HUMAN may use the Personal Data as follows to the extent permitted by Applicable Laws: (i) for its internal use to improve the quality of the Services provided by HUMAN, provided, however, that HUMAN does not use the Personal Data to build or modify a profile about a Data Subject or their household to use in providing services to a third-party, or cleaning or augmenting any Personal Data acquired from another source; (ii) to detect Incidents, or to protect against fraudulent or illegal activity; and (iii) as otherwise explicitly permitted under Applicable Law. The Agreement and this DPA are Customer’s complete instructions to HUMAN for the Processing of Personal Data. Where HUMAN receives an instruction from Customer that, in its reasonable opinion, infringes Applicable Laws, HUMAN shall immediately inform Customer, and shall be entitled to suspend performance of such instruction, until Customer confirms in writing that such instruction is valid under Applicable Laws. In the event HUMAN is required under Applicable Laws to Process Customer Data in excess of Customer’s documented instructions, HUMAN shall notify Customer of such a requirement, unless Applicable Laws prohibit such notification, in which case it will notify Customer as soon as the Applicable Laws permit it to do so.

2.2    Responsibilities. HUMAN shall in accordance with Customer’s written instructions: (i) implement reasonable and appropriate measures appropriate to the risk of Processing the Personal Data as required by Applicable Laws, including, as appropriate, the measures referred to in Article 32(1) of the GDPR, designed to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data Processed by HUMAN ; (ii) apply the security measures set forth in Appendix 2 to the Processing of Customer Data; (iii)  notify Customer if HUMAN is unable to comply with the obligations in this DPA or Applicable Laws, in which case Customer shall be entitled to suspend the Processing of Personal Data by HUMAN and/or terminate the Agreement upon written notice to HUMAN if HUMAN is unable to bring itself into compliance within a reasonable period of time, or otherwise take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Data; and (iv) ensure that Authorized Persons are informed of the confidential nature of the Customer Data, have executed confidentiality agreements, and are subject to a duty of confidentiality with respect to Customer Data.

3.    Mechanism for Processing

3.1    Compliance with Laws. HUMAN and Authorized Persons will (i) Process Personal Data in compliance with all Applicable Laws, (ii) comply with the obligations of the Applicable Laws, (iii) provide the same level of protection for the Personal Data as is required of Customer under Applicable Laws, (iv) provide Customer with all reasonably-requested assistance to enable Customer to fulfill its own obligations under the Applicable Laws, and (v) understand and comply with this DPA. Upon the reasonable request of Customer, HUMAN shall make available to Customer all information in HUMAN’s possession necessary to demonstrate HUMAN’s compliance with this subsection. Customer also has the right to take reasonable and appropriate steps to ensure that HUMAN uses Customer Data consistent with Customer’s obligations under Applicable Laws.

3.2    Customer’s Processing of Personal Data. Customer is responsible for Processing Personal Data in accordance with the requirements of all Applicable Laws. Customer shall comply with all Applicable Laws, and Customer’s instructions for the Processing of Personal Data shall comply with all Applicable Laws. Customer shall ensure that Customer has provided or shall provide any necessary notices to Data Subjects and has obtained or shall obtain all consents and rights necessary for HUMAN to Process Personal Data in accordance with this DPA and the Agreement. Customer represents and warrants that HUMAN’s Processing in accordance with Customer’s instructions shall not cause HUMAN to be in breach of any Applicable Laws or Customer’s policies and procedures.

3.3    Changes to Processing of Personal Data. Appendix 1, Part B to this DPA sets out the details of HUMAN’s Processing of Personal Data. Customer may amend Appendix 1, Part B on written notice to HUMAN from time to time as Customer reasonably considers necessary to meet any applicable requirements of Applicable Laws. Without limiting any rights or obligations of the Parties conferred or imposed under the Agreement, nothing in Appendix 1 (including as amended pursuant to this Section 3.3) confers any right or imposes any obligation on any Party to this DPA.

4.    Actions and Access Requests

4.1    Assistance. Each Party shall reasonably assist the other in the event of any action by any Regulatory Authority in relation to the Services, if and to the extent that such action relates to the collection, maintenance, use, Processing or transfer of Personal Data under this DPA, at the requesting Party’s cost and expense.

4.2    Third Party Requests. HUMAN shall assist Customer by appropriate technical and organizational measures for the fulfilment of Customer’s obligation to respond to third party requests, including, but not limited to, requests of Regulatory Authorities, at Customer’s cost and expense. HUMAN shall (i) promptly notify Customer if it receives a third party request related to Customer Data unless prohibited by Applicable Laws; and (ii) not respond to that third party request related to Customer Data except on the documented instructions of Customer or as required by Applicable Laws to which it is subject, in which case HUMAN shall, to the extent permitted by Applicable Laws, inform Customer of that legal requirement before it responds to the third party request. Should any Regulatory Authority to which Customer is subject require or request a security audit or review of HUMAN, HUMAN shall, with Customer’s full involvement (including Customer’s attendance at any related meetings with federal, state or other government officials), cooperate with any such requirement or request and provide to Customer, its authorized representatives, and/or an independent inspection body designated by Customer, on reasonable notice, (a) access to HUMAN’s information processing premises and records, and (b) reasonable assistance and cooperation of Authorized Persons for the purpose of auditing HUMAN’s compliance with its obligations under this DPA. For the avoidance of doubt, any additional expenses that shall arise as a result of regulatory or compliance requirements for Customer shall be covered by Customer entirely.

4.3    Data Subject Requests. Except as required by Applicable Laws, HUMAN shall not respond to a Data Subject who requests to exercise their data protection rights under Applicable Laws in connection with their Personal Data other than at the written instruction of the Customer. Customer shall use commercially reasonable efforts to provide any necessary data or identifiable information to assist HUMAN in responding to data access requests. HUMAN shall not be responsible for fulfilling a data request without such assistance from Customer. Where required by Applicable Laws, HUMAN shall provide commercially reasonable assistance to Customer for the fulfillment of Customer’s obligations to respond to Data Subject rights requests pursuant to the Applicable Laws. If, upon a Data Subject’s request for access to their Personal Data, HUMAN is unable to produce or delete the Personal Data requested as a result of an act or omission of HUMAN in violation of its obligations under this DPA, HUMAN shall be responsible for all costs associated with or arising from its inability to produce the Personal Data.

4.4    Data Protection Impact Assessment. Upon Customer’s request, HUMAN shall provide Customer with reasonable assistance needed to fulfil Customer’s obligations under Applicable Laws to carry out a data protection impact assessment related to the Processing of Personal Data, taking into account the nature of the Processing, at Customer’s cost and expense.

4.5    Prior Consultation. Upon Customer’s request, HUMAN shall provide Customer with reasonable assistance with any prior consultations to any Regulatory Authority of Customer which are required under Applicable Laws, such as Article 36 of the GDPR, at Customer’s cost and expense.

5.    Security Breach Procedures

5.1    Notice Process. HUMAN shall notify Customer without undue delay (after any appropriate internal investigations) after becoming aware of an Incident involving Personal Data to the extent required by Applicable Laws or other unlawful Processing that would require HUMAN to notify Customer under Applicable Laws. In the event of such an Incident:

5.1.1    HUMAN shall provide Customer with: (a) the nature of the Incident; (b) the types of potentially compromised Personal Data; (c) the duration and expected consequences of the Incident; (d) the date the Incident took place, and the date on which the HUMAN discovered the Incident; and (e) the mitigation or remediation measures taken or planned in response to the Incident.

5.1.2    HUMAN shall provide reasonable assistance to Customer so that Customer can comply with Customer’s obligations to notify a Regulatory Authority and/or Data Subjects of the Incident, taking into account the nature of Processing and the information available to HUMAN.

5.1.3    Customer is solely responsible for complying with data incident notification requirements applicable to Customer and fulfilling any third-party notification obligations related to any Incident.

5.1.4    HUMAN shall not publicly disclose any information regarding the Incident that identifies Customer without Customer’s prior express written consent; provided that HUMAN may disclose the occurrence of any Incident as necessary to comply with Applicable Laws.

5.2    Mitigation and Remedy. HUMAN shall, in accordance with Applicable Laws, take reasonable steps as are directed by Customer to mitigate and remedy, and to assist in the investigation of, any Incident caused by HUMAN’s violation of this DPA or Applicable Laws and prevent a recurrence thereof.

6.    Attestations or Certifications. Upon the request of Customer, no more than once per year, HUMAN shall provide a copy of its current attestation of compliance to any industry or compliance standards maintained by HUMAN.  The reports, information, attestations and certifications provided to Customer pursuant to this Section shall be HUMAN’s confidential information under the Agreement.

7.    Audit Rights.
Customer shall have the right, upon prior written notice, one time per year, to conduct audits of HUMAN’s security and technology compliance programs that involve the Processing of Personal Data and to submit data protection or security questionnaires to HUMAN for completion. Before the commencement of any onsite audit, Customer and HUMAN shall mutually agree upon the scope, timing and duration of the audit. HUMAN shall provide to Customer on request all materials, documents and other information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA.

8.    Deletion of Personal Data.
At any time during the term of the Agreement, at Customer’s written request or upon the termination or expiration of the Agreement for any reason, HUMAN shall, and shall instruct all Authorized Persons to, promptly and securely dispose of all copies of Personal Data unless the applicable law requires continued storage of all or portions of the Personal Data. Notwithstanding the foregoing, to the extent it is not commercially reasonable for HUMAN to remove Personal Data from archive or other backup media, HUMAN may retain Personal Data on such media in accordance with its backup or other disaster recovery procedures. In the event HUMAN retains Personal Data after the term of the Agreement, HUMAN shall continue to comply with the confidentiality and privacy obligations hereunder until it is no longer in possession of Personal Data. 

9.    Data Transfers.
With regard to Personal Data of a Data Subject in the EEA or United Kingdom, Customer authorizes HUMAN to transfer Personal Data from the EEA and/or the United Kingdom to the United States through the protections provided by the Standard Contractual Clauses, herein incorporated by reference in accordance with Appendix 3. HUMAN will ensure that any Sub Processor agrees to comply with the appropriate Standard Contractual Clauses. Both Parties shall ensure compliance with the Standard Contractual Clause Agreement as set out at Appendix 3. In connection with the use of the Standard Contractual Clauses, the Parties further agree and acknowledge that: (i) sections of this DPA addressing the same or similar subject matter as the Standard Contractual Clauses may be used to satisfy the applicable requirements of the Standard Contractual Clauses; and (ii) if required, the Parties shall sign a copy of the Standard Contractual Clauses and take such further action as is required by Applicable Laws to ensure that the Standard Contractual Clauses are legally valid. Where HUMAN’s Processing of Personal Data requires an onward transfer mechanism to lawfully transfer Personal Data from one jurisdiction to another, HUMAN will enter into the appropriate Standard Contractual Clauses.

10.    Sub-Processors. Subject to Section 11, HUMAN may engage third-party Sub-Processors in connection with the provision of the Services provided that, before the Sub-Processor first Processes Personal Data, HUMAN: (a) enters into a written agreement with the Sub-Processor on terms at least as protective as those set out in this DPA, and (b) carries out adequate due diligence to ensure the Sub-Processor is capable of providing the level of protection for Personal Data required by this DPA. HUMAN shall provide Customer with a current list of the Sub-Processors that HUMAN has engaged in connection with the provision of Services upon Customer’s request. HUMAN shall provide to Customer written notice of any change to the list of Sub-Processors at least thirty (30) days prior to the date the change takes effect.  HUMAN shall remain fully liable to Customer for the performance of its obligations under this DPA even where a Sub-Processor carries out the Services or any part of the Services on HUMAN’s behalf. 

11.    Right to Object.
Customer hereby grants HUMAN general written authorization to engage Sub-Processors in connection with the provision of the Services. HUMAN shall give Customer notice of the appointment of any new Sub-Processor through Customer’s account dashboard.  If Customer reasonably objects to the use of a new Sub-Processor within forty-eight (48) hours of the notice date, then the Parties shall use good faith and best efforts to find a reasonable replacement in a mutually agreeable manner.

12.    Customer Instructions.  
Customer acknowledges that HUMAN is reliant on Customer for direction concerning the extent to which HUMAN may Process Personal Data on behalf of Customer in performance of the Services.  HUMAN shall not be liable under the Agreement for any claim or complaint brought by a Data Subject, Consumer or Regulatory Authority arising from any action or omission by HUMAN, to the extent that such action or omission results from Customer’s instructions or failure to comply with its obligations under Applicable Laws.

13.    Dispute. Governing Law.
The Parties hereby submit to the choice of law and choice of venue and jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; provided, however, that with respect to any disputes under the GDPR only, the Parties agree that this DPA shall be governed by the laws of Ireland.

14.    Compelled Disclosures.  Any disclosure by HUMAN or its representatives of any of the Personal Data pursuant to applicable federal, state, or local law, regulation, or valid order issued by a court or governmental agency of competent jurisdiction (a “Legal Order”) will be subject to the terms of this paragraph. Prior to making such a disclosure, HUMAN shall, to the extent permitted under the Legal Order, provide Customer with: (a) prompt written notice of such requirement so that Customer may seek, at its sole cost and expense, a protective order or other remedy; and (b) reasonable assistance, at Customer’s sole cost and expense, in opposing such disclosure or seeking a protective order or other limitations on disclosure. If, after providing such notice and assistance as required herein, HUMAN remains subject to a Legal Order to disclose any Personal Data, HUMAN shall make reasonable efforts to disclose no more than the portion of Personal Data which such Legal Order specifically requires HUMAN to disclose.

15.    Liability. The liability of each Party under this DPA shall be subject to the exclusions and limitations of liability set out in the Agreement. Any reference to any “limitation of liability” of a Party in the Agreement shall be interpreted to mean the aggregate liability of a Party under the Agreement and this DPA.

Appendix 1 - Details of the Parties and Processing

A. List of Parties

Data exporter(s): the Customer designated in the Agreement entered into with Human Security, Inc. 

Name and Address:  As indicated in the Agreement
Activities relevant to the data transferred under the SCCs and this DPA: use of the Services in accordance with the Agreement.
Signature and Date: This Appendix 1 shall be deemed executed upon execution of the DPA.
Role: Data exporter’s role is set forth in Section 2.1 of the DPA.

Data importer(s):

Name:  Human Security, Inc. (“HUMAN”)
Address: 841 Broadway, New York, New York 10003
Contact person’s name, position, and contact details:;
Signature and Date: This Appendix 1 shall be deemed executed upon execution of the DPA.
Role: Processor

B. Description of Processing and Transfer

The categories of Data Subject to whom the Personal Data relates

Data Subjects include the identified or identifiable individuals contained in data submitted to the Services by Customer.

Categories of Personal Data Processed and transferred

HUMAN Processes the limited Personal Data HUMAN needs to perform the particular Services, as instructed and/or authorized by Customer. Dependent on the products and as advised by the Customer, HUMAN may Process device ID, IP address, mobile ID, name, email address, usernames, passwords, and other log-in credentials. 

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

HUMAN does not collect “sensitive categories” of Personal Data as such term is defined by EU GDPR.

The frequency of the Processing and transfer (e.g. whether the data is transferred on a one-off or continuous basis)

HUMAN will process Personal Data to the extent necessary to perform the Services pursuant to the Agreement and as further instructed by Customer in writing and as otherwise permitted by the Agreement and the DPA. 

The nature and purpose of the Processing

HUMAN will process Personal Data to provide the Services in accordance with the Agreement and the DPA. 

Purpose(s) of the data transfer and further processing

HUMAN will process Personal Data to provide the Services in accordance with the Agreement and the DPA.

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period

The duration of the Processing of the Personal Data is set out in the Agreement and this DPA.  Personal Data is deleted based on the terms of the Agreement and this DPA, legal requirements related to data storage and if Personal Data is no longer needed to perform the Services and there is no lawful reason to keep it. 

C. Sub-Processors 

Third Party Service/Vendor Purpose Entity Country Website
AWS Amazon Data Hosting 410 Terry Avenue North
Seattle Washington 98109-5210, USA
Fastly Inc. Content Delivery Network 475 Brannan Street
San Francisco, CA 94107, USA
GCP Google Data Hosting 1600 Amphitheatre Parkway
Mountain View, CA 94043, USA
Snowflake Data Housing/Cloud Storage 106 E Babcock St.
Bozeman, Montana 59715, USA
Equinix (formally Packet Host) Data Housing 1 Lagoon Drive, Fourth Floor
Foster City, CA 94065, USA
Salesforce/Slack Customer Support 415 Mission Street, 3rd Floor
San Francisco, CA 94105, USA
Support Advisors, LLC Security Operations Center 1 East Benton Street
Aurora, IL 60505, USA


HUMAN may update this list from time to time in accordance with the terms of the DPA; please visit for the up-to-date list of Sub-Processors.

The obligations and rights of Customer

The obligations and rights of Customer are set out in the Agreement and this DPA.

D. Competent Supervisory Authority

Identify the competent supervisory authority/ies in accordance with Clause 13

For the EEA Standard Contractual Clauses, the competent supervisory authority is determined in accordance with Clause 13 of the EEA SCCs.
For the UK Standard Contractual Clauses, the competent supervisory authority is the UK Information Commissioner’s Office.

Appendix 2 – Technical and Operational Measures


This Data Security Appendix is made a part of the attached DPA between Customer and HUMAN. The Agreement and DPA, including without limitation this Data Security Appendix, reflects the Parties’ agreement with regard to the Processing and safeguarding of Personal Data.

Implementation of the provisions of this Appendix by HUMAN shall be consistent with industry standards, where applicable. Unless otherwise stated, capitalized terms in this Appendix shall have the meanings set forth in the Agreement or DPA. 

1. Organizational Security Measures.

1.1. Point of Contact. HUMAN shall appoint a representative to act as a point of contact for the Customer with respect to this Data Security Appendix. The representative shall be responsible for ensuring HUMAN’s compliance with this Data Security Appendix.

1.2. Security Program. HUMAN has developed and implemented, and will regularly update and maintain as appropriate and needed: (a) a written and comprehensive information security program in compliance with Applicable Laws; and (b) reasonable policies and procedures designed to detect, prevent, and mitigate the risk of data security breaches or identify theft (“Security Program”). Specifically, such Security Program shall include, at a minimum and in addition to the items contained in Section 2 below: 

1.2.1. A disaster recovery/business continuity plan that addresses ongoing access, maintenance and storage of Personal Data as well as security needs for back­up sites and alternate communication networks.

1.2.2. Secure transmission and storage of Personal Data.

1.2.3. Personnel security and integrity, including background checks where consistent with applicable law.

1.2.4. Annual training to HUMAN’s employees on how to comply with the HUMAN’s physical, technical, and administrative information security safeguards and confidentiality obligations under Applicable Laws. 

1.2.5. Quarterly review of authentication and access control mechanisms over Personal Data, media, applications, operating systems and equipment.

1.2.6. Data retention and destruction procedures in accordance with Section 8 of the DPA.

1.3. Training. HUMAN shall provide training to its Authorized Persons to ensure their treatment of the Personal Data is in accordance with the DPA, including this Data Security Appendix. HUMAN shall provide such training to Authorized Persons before they are allowed access to Personal Data and no less than annually thereafter. Such training shall be consistent with industry standards. Upon reasonable notice from Customer, HUMAN will provide Customer with summaries or copies of HUMAN’s relevant training program.

1.4. Access. HUMAN shall limit disclosure of and access to Personal Data to only those Authorized Persons who have a business need to access such Personal Data in order to provide the Services to Customer and/or to fulfill the purposes of the Agreement. HUMAN shall establish, maintain, and enforce the security principles of “segregation of duties” and “least privileged access” with respect to all Personal Data. HUMAN shall reasonably update all access rights based on personnel or computer system changes, and shall periodically review all access rights at an appropriate frequency to ensure current access rights to Personal Data are appropriate and no greater than are required for an individual to perform his or her functions necessary to deliver the Services to Customer and/or to fulfill the purposes of the Agreement. HUMAN shall verify all access rights through effective authentication methods.

1.5. Background Investigations of Personnel. As permitted by law, HUMAN agrees that any employees of HUMAN or of any subcontractor who either are directly providing the Services under the Agreement and/or who have access to Personal Data shall have passed a background check. Each background check shall include the following minimum review: identity verification (utilizing Social Security numbers or other state/national ID number) and a criminal history check. Background checks must be performed by a member of the National Association of Professional Background Screeners or a competent industry recognized Customer with the same level of professionalism within HUMAN’s jurisdiction.

2. Physical and Technical Security Measures.

2.1. Server Location. During the term of the Agreement, Personal Data shall at all times be hosted on servers that are physically located in the United States, unless otherwise agreed in writing by the Parties. HUMAN shall comply with and provide Customer with commercially reasonable assistance to comply with Applicable Laws in the country to which and from which Personal Data will be transferred.

2.2. Network Configuration, Access Control and Limiting Remote Access. HUMAN shall secure its computer networks by using and maintaining appropriate firewall and security screening technology that is designed to prevent unauthorized access. HUMAN ensures that the following network security controls are in place: (a) firewall platforms are hardened and have real time logging and alerting capabilities, (b) intrusion detection and prevention systems are in place and maintained at the perimeter and critical server systems, (c) access lists are implemented on network routers to restrict access to sensitive internal networks or servers, (d) remote access requires two factor authentication and occurs over an encrypted tunnel e.g. IPSec, SSL­VPN, and (e) systems servicing Customer are segregated from other network zones logically and physically including DMZ, production databases, back office, and software development areas. HUMAN shall secure access to and from its systems by disabling remote communications at the operating system level if no business need exists and/or by tightly controlling access through management approvals, robust controls, logging, and monitoring access events and subsequent audits. HUMAN shall identify computer systems and applications that warrant security event monitoring and logging, and reasonably maintain and analyze log files. HUMAN ensures that privileged accounts (administrator, super user, etc.) will be controlled and reviewed on at least an annual basis. HUMAN enforces a process to control and manage user accounts upon termination of employment or change in role within 24 hours of such termination or change.

2.3. Encryption. HUMAN shall use best efforts to encrypt all Personal Data in its possession, custody or control while at rest and in transit. For the avoidance of doubt, “encryption” shall be deployed using PGP or other industry best practice for key based encryption protocol. HUMAN will work with Customer to test HUMAN’s ability to deliver the data in an encrypted form to Customer.

2.4. Third ­Party Data Centers. Where applicable, HUMAN using a third party data center to host the Services shall ensure that (a) all application and database servers are physically isolated within the data center and secured from unauthorized physical access, (b) physical and network access is limited to HUMAN’s Authorized Persons, and (c) Personal Data remains logically segregated from other data stored in any shared environment at all times and that use of any shared environment does not compromise the security, integrity, or confidentiality of Personal Data. 

2.5. Security Patches. HUMAN shall use commercially reasonable efforts to deploy all applicable and necessary system security patches to all software and systems that process, store, or otherwise support the Services, including operating system, application software, database software, web server software within industry best practices and in accordance with its information security policies.

2.6. Protection Against Malicious Software. HUMAN shall use commercially reasonable efforts to protect its own information technology against malicious code and ensure that its connection to the Internet and for any other platform or network running the Services is secure, and shall in accordance with industry standards and its own information security practices, acquire and implement new technology, including monitoring hardware and software, as the technology becomes available and is proven stable, in HUMAN’s reasonable discretion, to ensure a secure and stable environment.

2.7. Vulnerability Testing. Prior to providing any code, hosting services, or network connectivity to Customer, HUMAN must perform and be able to show proof that external penetration testing has been completed and that any reported vulnerabilities have been remediated. Proof includes the external pen test report or cover letter. For software, this includes tests for security vulnerabilities that are a part of the OWASP Top 10 or SANs Top 25. HUMAN will promptly address, prioritize and correct security vulnerabilities identified in a vulnerability test or report.

2.8. Life Cycle Development. HUMAN shall implement and maintain a secure software development life cycle for all applications which integrate with Customer’s environment or are developed on Customer’s behalf. HUMAN will observe all industry standard application security guidelines, such as the Open Web Application Security Project (OWASP). HUMAN will ensure that (a) regular reviews of application source code occur, (b) developers receive detailed coding and design training in application security, (c) development, testing, production and operational facilities are separated to reduce the risk of unauthorized access or changes to the production and operational systems and Personal Data, (d) software developers are restricted from accessing production environment unless a particular access request is reviewed and approved, and (e) data masking functionality is implemented in relation to software processing any financial related Personal Data (including payment card and banking information).

2.9. System Change Control. HUMAN will use commercially reasonable efforts to ensure that change control procedures are documented and maintained and detail why the change was required, how and why changes were executed and include an emergency change process. The change control process includes considering security control requirements, implementing them where necessary and testing these changes prior to implementation. HUMAN will notify the Customer of any upgrades or configuration changes which may impact the security of Personal Data.

3. Security Reviews by Customer.

3.1. Internal Audits. Upon Customer’s written request, HUMAN shall provide Customer, at HUMAN’s expense, with the results of the most recent data security compliance reports or any audit performed by or on behalf of HUMAN that assesses the effectiveness of HUMAN’s, and any relevant third parties performing services on HUMAN’s behalf, information security program, system(s), internal controls, and procedures relating to the Services (i.e., SSAE16 SOC1 or other) as relevant to the security and confidentiality of Personal Data, including any report summarizing any control issues and associated corrective action plans and any management responses. Such reports shall be of sufficient scope and in sufficient detail as may reasonably be required by Customer to provide reasonable assurance that any material inadequacies would be disclosed by such examination, and, if there are no such inadequacies, the reports shall so state.

4. Non­compliance. HUMAN will not knowingly materially lessen the security of any system used to collect, use, disclose, store, retain or otherwise Process Personal Data during the term of the Agreement.  In the event that HUMAN determines it is unable to comply with the obligations stated in the DPA or this Data Security Appendix, HUMAN shall promptly notify Customer, and Customer may take any one or more of the following actions: (a) suspend the transfer of Personal Data to HUMAN; (b) require HUMAN to cease Processing Personal Data; (c) demand the return or destruction of Personal Data; or (d) immediately terminate this Agreement.

5. External Communication of Internal Controls. HUMAN communicates its security and availability commitments regarding its products and Services to external users via its Terms of Use and Privacy Policy, which are posted on its website.  Customer usage and external roles and responsibilities are communicated via several mediums, including the Terms of Use and Privacy Policy.  Support contact information is readily available to customers through HUMAN’s website and other customer provided documentation.  Customers and users are encouraged to contact appropriate personnel if they become aware of items such as operational or security failures, Incidents, systems problems, concerns or other complaints.

Appendix 3 - Cross Border Transfer Mechanism

1.    Definitions. Capitalized terms not defined in this Appendix shall have the meaning set forth in the DPA.

1.1    “Standard Contractual Clauses” means, as applicable to a particular transfer, one of the following:

1.1.1    EEA SCCs

1.1.2    UK SCCs

1.2    “EEA SCCs” or “EEA Standard Contractual Clauses” means the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

1.3    “UK SCCs” or “UK Standard Contractual Clauses” means the “UK Addendum to the EU Standard Contractual Clauses” issued by the UK ICO under s.119(A)(1) of the Data Protection Act of 2018 (“UK Addendum”).

2.    The Standard Contractual Clauses will apply to any Processing of Personal Data by HUMAN where Personal Data is exported by Customer from the European Economic Area (“EEA”), the United Kingdom and/or Switzerland to HUMAN outside the EEA, the United Kingdom and/or Switzerland, either directly or via onward transfer, to any country:  (a)  not recognized by the European Commission, United Kingdom, or Switzerland (as applicable) as providing an adequate level of protection Personal Data (within the meaning of Applicable Laws); and (b) to the extent the transfer is not covered by an alternative mechanism of transfer (e.g., binding corporate rules) recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data.

3.    Application of the EEA Standard Contractual Clauses. If Customer exports Personal Data from the EEA or Switzerland to HUMAN, then the EEA SCCs will apply as follows:

3.1    Module 2 (Controller to Processor) will apply where Customer is a Controller of Personal Data and Vendor is a Processor of Personal Data;

3.2    Module 3 (Processor to Processor) will apply where Customer is a Processor of Personal Data and Vendor is a Processor of Personal Data;

3.3    For each Module, where applicable:

3.3.1    in Clause 7, the option docking clause will not apply.

3.3.2    in Clause 9, Option 2 will apply, and the time period for prior notice of a sub-processor will be as set forth in Section 10 of the DPA.

3.3.3    in Clause 11, the option will apply.

3.3.4    in Clause 17 (Governing Law) (Option 1), the law of Ireland will apply.

3.3.5    in Clause 18(b), disputes will be resolved before the courts of Ireland.

3.4    Annex I of the SCCs shall be deemed completed with the information in Appendix 1 of this DPA.

3.5    Annex II of the SCCs shall be deemed completed with the information in Appendix 2 of this DPA.

3.6    Annex III of the SCCs shall be deemed completed with the sub-processor information in Appendix 1 of this DPA.

3.7    If Customer exports Personal Data from Switzerland to HUMAN:

3.7.1    The supervisory authority with respect to such personal Data is the Swiss Federal Data Protection and Information Commissioner.

3.7.2    References to a “Member State” shall be interpreted to refer to Switzerland.

3.7.3    Data subjects located in Switzerland shall be able to enforce their rights in Switzerland.

3.7.4    References to the EU GDPR shall be understood to refer to the Swiss Federal Act on Data Protection (as amended or replaced).

3.7.5    In Clause 17 (Governing Law) (Option 1), the law of Ireland will apply.

3.7.6    In Clause 18(b), disputes will be resolved in the courts of Ireland.

4.    Application of the UK Standard Contractual Clauses. If Customer exports Personal Data from the UK to HUMAN, then the Parties are permitted to rely on the EEA Standard Contractual Clauses for transfers of Personal Data, as amended by and subject to completion of a UK Addendum. Accordingly: (i) the EEA SCCs shall apply as amended by the UK Addendum, as modified and specified by Sections 3.1 through 3.6 of this Appendix; and (ii) the UK Addendum shall be deemed executed between HUMAN and Customer. Table 3 of the UK Addendum shall be completed as follows:

4.1.1    Annex I shall be deemed completed with the information in Appendix 1 of this DPA.

4.1.2    Annex II shall be deemed completed with the information in Appendix 2 of this DPA.

4.1.3    Annex III shall be deemed completed with the sub-processor information in Appendix 1 of this DPA.

5.    If a Regulatory Authority issues new Standard Contractual Clauses, such new Standard Contractual Clauses will be incorporated into this DPA when in effect without any further action of the Parties. Information contained within this DPA, including the information from Appendix 1 and Appendix 2, shall be deemed incorporated into such new Standard Contractual Clauses as applicable.