This Compt Data Processing Agreement (“DPA”) is made between Customer (as defined below) and Compt Inc. (the “Company”), a Delaware corporation having its principal place of business at 8 Museum Way, Cambridge, MA 02141, collectively referred to as the “Parties”. This DPA forms part of the Compt Software Subscription Agreement (the “Service Agreement”) between Customer and Company. By using the Company’s services, the Customer agrees to the terms of this DPA.
If Customer and Compt have executed a written data processing agreement governing the processing of personal data by means of the Service, then the terms of such signed data processing agreement between the parties will supersede this DPA.
1. Definitions
For the purposes of this DPA, the following capitalized terms have the meanings set out below. Terms used but not defined in this DPA shall have the meanings given in the Applicable Data Protection Laws.
- “Customer” having the same meaning as ‘Customer’ as defined in the executed Service Agreement with Compt.
- “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”) that is Processed under this DPA. This corresponds to the definition of “personal data” in GDPR Article 4(1) and equivalent terms under other Data Protection Laws.
- “Processing” (and its grammatical variations) means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, disseminating, erasing, or destroying, as defined in GDPR Article 4(2).
- “Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. Here, the Customer is the Controller (or a “Business” under the CCPA) with respect to Customer Data.
- “Processor” means the entity which Processes Personal Data on behalf of the Controller. Here, the Company is the Processor of Customer Personal Data (and a “Service Provider” under the CCPA).
- “Customer Personal Data” means any Personal Data that the Company Processes on behalf of the Customer as part of the Company’s services or as otherwise instructed by the Customer.
- “Applicable Data Protection Laws” means all data protection and privacy laws and regulations applicable to the Processing of Personal Data under the Service Agreement, including, where applicable: (a) the EU GDPR (Regulation (EU) 2016/679) and laws implementing or supplementing it in EU member states; (b) the UK GDPR (the GDPR as incorporated into UK law by the Data Protection Act 2018 and UK European Union (Withdrawal) Act 2018) and the UK Data Protection Act 2018; (c) the Swiss Federal Data Protection Act of 19 June 1992 (as revised) (“Swiss DPA”); (d) the California Consumer Privacy Act of 2018 (“CCPA”) as amended by the California Privacy Rights Act of 2020 (“CPRA”); and (e) any other applicable privacy or data protection law (collectively, “Data Protection Laws”).
- “EU GDPR” or “GDPR” means the General Data Protection Regulation, Regulation (EU) 2016/679.
- “UK GDPR” means the GDPR as retained and amended in UK law.
- “CCPA” means the California Consumer Privacy Act of 2018, California Civil Code §1798.100 et seq., as amended by the California Privacy Rights Act (CPRA) of 2020, together with any implementing regulations. References to obligations or definitions under the CCPA include the CPRA amendments (e.g., “Share,” “Sell,” “Business Purpose,” etc.).
- “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for international transfers of personal data as adopted by the European Commission and, as applicable, their UK and Swiss adaptations. Specifically: (i) for EU personal data, the SCCs as approved by EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021[1] (the “EU SCCs”); (ii) for UK personal data, the International Data Transfer Addendum issued by the UK Information Commissioner’s Office (ICO), Version B1.0, in force 21 March 2022 (the “UK Addendum”); and (iii) for Swiss personal data, the standard clauses as recognized by the Swiss Federal Data Protection and Information Commissioner (with necessary modifications to align with Swiss law).
- “Sub-processor” means any third party (including any Company Affiliate, contractor, or service provider) appointed by or on behalf of the Company to Process Customer Personal Data.
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed. This corresponds to the definition of the term in GDPR Article 4(12).
- “Business”, “Service Provider”, “Sell”, and “Share” shall have the meanings given to them under the CCPA, to the extent applicable. For clarity under this DPA, the Customer is a “Business” and the Company is a “Service Provider” when processing California Personal Information.
- “California Personal Information” means any Personal Data about a consumer or household that is protected under the CCPA/CPRA (i.e. Personal Data that is collected about California residents and subject to CCPA).
Any other defined terms used in this DPA shall have the meanings assigned in the Service Agreement or under Data Protection Laws. Headings are for reference only and shall not affect interpretation.
2. Roles of the Parties
2.1 The Parties acknowledge that, as between the Parties, the Customer is acting as a Controller and the Company is acting as a Processor with respect to Customer Personal Data. The Customer determines the purposes and means of the Processing of Personal Data, and the Company Processes such data on behalf of and at the direction of the Customer. If the Customer is a Processor acting on behalf of an end Controller, the Company is appointed as a sub-processor to process the Personal Data on behalf of that Controller. In such case, the Customer warrants that it is authorized by the relevant Controller(s) to appoint the Company as sub-processor and to enter into this DPA on their behalf.
2.2 Each Party shall comply with its obligations under Applicable Data Protection Laws with respect to the Processing of Personal Data. The Customer shall ensure that it has obtained all consents, rights and notices required under Data Protection Laws for the Company to Process Customer Personal Data pursuant to the Service Agreement and this DPA. The Customer is responsible for the accuracy, quality, and legality of Customer Personal Data and the means by which the Customer acquired the data. The Customer shall not instruct the Company to process any Personal Data in a manner that would violate Applicable Data Protection Laws. The Company shall inform the Customer if it becomes aware that an instruction infringes applicable law (unless legally prohibited from doing so).
2.3 The Company shall not process Personal Data (i) for purposes other than those set forth in the Agreement and/or Annex 1, (ii) in a manner inconsistent with the terms and conditions set forth in this DPA or any other documented instructions provided by Customer, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by a Supervisory Authority to which the Company is subject; in such a case, the Company shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest, or (iii) in violation of Data Protection Laws.
2.4 The Customer is responsible for determining the legal basis for Processing of Personal Data and, where applicable, for documenting and communicating that basis to Data Subjects. The Customer represents that it has an appropriate legal basis for the Company’s Processing of Customer Personal Data as instructed by the Customer. The Company shall not be responsible for determining the legality of Customer’s data collection practices or whether Customer has a lawful basis for processing; however, the Company will immediately inform Customer if, in Company’s opinion, an instruction violates Data Protection Laws.
3. Confidentiality and Personnel
3.1 The Company will ensure that any person it authorizes to Process the Personal Data (including the Company’s employees, agents, and subcontractors) is subject to a duty of confidentiality (whether by contract or by law). The Company will restrict access to Customer Personal Data strictly to those personnel and Sub-processors who need such access to perform the services or to comply with applicable laws. The Company shall ensure that its personnel authorized to process Customer Personal Data have received appropriate training on their data protection responsibilities and only process Personal Data as necessary to fulfill the Company’s obligations under the Service Agreement.
4. Security Measures
4.1 The Company shall implement and maintain appropriate technical and organizational security measures to protect Customer Personal Data from unauthorized or unlawful Processing, and from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, in accordance with Article 32 of the GDPR. In determining the appropriate measures, the Company will take into account the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing, and the risks of varying likelihood and severity to the rights and freedoms of Data Subjects. The Company’s security measures shall include those listed in Annex 2 (Technical and Organizational Measures), which are incorporated herein.
4.2 The Company will regularly monitor compliance with these measures and will not materially decrease the overall security of the services during the term of the Service Agreement. Upon Customer’s reasonable request, the Company will provide summary information or documentation (e.g., security program summaries, certifications, audit reports) so the Customer can evaluate the Company’s security measures.
5. Sub-Processors
5.1 The Customer provides a general authorization for the Company to engage Sub-processors for carrying out specific Processing activities on behalf of the Customer, provided that the Company meets the requirements set forth in this Section. A list of the Company’s current Sub-processors (including the identities and purposes for each) is included in Annex 3 (List of Sub-processors), also available at https://compt.io/who-we-are/security-compliance/sub-processors/. Company will provide a mechanism to subscribe to notifications (which may include but are not limited to email notifications) of new Authorized Sub-Processors and Customer, if it wishes, will subscribe to such notifications where available. If Customer does not subscribe to such notifications, Customer waives any right it may have to receive prior notice of changes to Authorized Sub-Processors. At least ten (10) days before enabling any third party other than existing Authorized Sub-Processors to access or participate in the processing of Personal Data, Company will add such third party to the List and notify subscribers, including Customer, via the aforementioned notifications.
5.2 Customer will be entitled to object to a new Sub-processor in writing within fifteen (15) days of notice. In such event, the Parties will cooperate in good faith to address the Customer’s objection, for example by assessing mitigating controls or proposing an alternate Sub-processor. If Customer reasonably objects to an engagement, and Company cannot provide a commercially reasonable alternative within a reasonable period of time, Customer may discontinue the use of the affected Service by providing written notice to Company. Discontinuation shall not relieve Customer of any fees owed to Company under the Agreement. If Customer does not object to the engagement of a third party in accordance with Section 4.2 within ten (10) days of notice by Company, that third party will be deemed an Authorized Sub-Processor for the purposes of this DPA.
5.3 The Company shall enter into a written agreement with any Sub-processor imposing data protection obligations that are at least as protective as those set forth in this DPA. The Company shall remain fully responsible and liable to the Customer for the performance of each Sub-processor’s obligations in accordance with the DPA and Applicable Data Protection Laws. In the event a Sub-processor fails to fulfill its data protection obligations, the Company will remain liable to the Customer for such failure.
5.4 The Customer agrees that the Company’s Affiliates may be engaged as Sub-processors, and that the Company and its Affiliates respectively may engage third-party Sub-processors in the delivery of the services. All Sub-processors (including Affiliates) will be bound by written agreements as per Section 5.3.
5.5 Notwithstanding the foregoing, the Customer acknowledges that in urgent situations (e.g., an emergency replacement of a Sub-processor due to service outages or security incidents), the Company may replace a Sub-processor without advance notice to ensure continuity of service. In such cases, the Company will inform Customer as soon as practicable of the change and shall work with Customer if any objections arise as described above.
6. Data Subject Rights
6.1 The Company shall assist the Customer by appropriate technical and organizational measures, insofar as possible, to fulfill the Customer’s obligations to respond to requests from Data Subjects to exercise their rights under Data Protection Laws. These Data Subject rights may include, as applicable, the right of access, rectification, erasure (“right to be forgotten”), restriction of Processing, data portability, objection to Processing, or not being subject to automated decision-making.
6.2 If the Company receives any request from a Data Subject or an authorized agent of the Data Subject relating to Customer Personal Data, the Company will promptly notify the Customer upon receipt of the request. The Company shall not respond to any such request except: (i) on the documented instructions of the Customer; or (ii) if required by applicable law, in which case the Company shall (to the extent permitted by law) inform the Customer of that legal requirement before responding. The Parties agree that the Customer (as Controller or Business) is responsible for handling and responding to Data Subject requests. The Company will not independently take any action in response to a Data Subject’s request without Customer’s prior instruction, unless required by law.
6.3 Upon request, the Company shall provide reasonable cooperation and assistance to the Customer in responding to Data Subject requests, including by providing relevant information or implementing technical measures to enable Customer to fulfill requests. The Company may develop self-service functionality within the services (where feasible) to assist with Data Subject requests (e.g., tools to search or retrieve data). To the extent legally permitted, the Customer shall be responsible for any costs arising from the Company’s provision of such assistance beyond the standard functionality of the services.
7. Personal Data Breach Notification
7.1 The Company shall notify the Customer without undue delay (and in any event promptly) after becoming aware of a Personal Data Breach that affects Customer Personal Data. Such notice will include, to the extent reasonably available to the Company, all relevant information about the Personal Data Breach, including a description of the nature of the breach, the categories and approximate volume of Personal Data and Data Subjects concerned, the likely consequences of the breach, and the measures taken or proposed by the Company to address the breach and mitigate its possible adverse effects. Where it is not feasible to provide the information simultaneously, the Company may provide the information in phases without undue further delay.
7.2 The Company will promptly investigate the Personal Data Breach and take reasonable steps to identify, prevent and mitigate the effects of the breach. The Company will cooperate with the Customer and provide timely information relating to the breach as it becomes known, to assist the Customer in fulfilling its breach notification obligations under Data Protection Laws (e.g., any obligations to notify supervisory authorities or affected Data Subjects).
7.3 The Company will maintain records of all Personal Data Breaches and the remedial actions taken in a breach register, as required by Article 33(5) of GDPR or applicable law. Unless required by law, the Company will not disclose information about a Personal Data Breach to any third party (including Data Subjects, the media, or regulators) without first consulting with the Customer, except as necessary to inform a sub-processor or to fulfill legal obligations.
7.4 The Parties agree that any breach notification delivered by the Company to the Customer shall not be construed as an acknowledgement by the Company of any fault or liability with respect to the Personal Data Breach.
8. Assistance with Controller Obligations
8.1 Upon Customer’s request, the Company shall provide reasonable assistance to the Customer (at Customer’s expense, if significant effort is required) with respect to any data protection impact assessments (DPIAs) and prior consultations with supervisory authorities that the Customer is required to carry out under GDPR Articles 35 and 36 (or equivalent provisions of other Data Protection Laws). Such assistance shall be provided to the extent that the required information is available to the Company and the assistance is necessary and relates to the Processing of Customer Personal Data by the Company.
8.2 Compliance and Information: The Company shall make available to the Customer all information reasonably requested by the Customer to demonstrate the Company’s compliance with its obligations under this DPA and Data Protection Laws. This may include providing responses to questionnaires or reports on Company’s compliance measures. The Company will notify the Customer if, in its opinion, the Customer’s instructions or requests under this Section infringe applicable law (unless prohibited from notifying by law).
8.3 The Company shall maintain all records required by Article 30(2) of the GDPR (and any equivalent records requirements under other Data Protection Laws) of categories of Processing activities carried out on behalf of the Customer, and shall make such records available to the Customer or supervisory authority upon request, to the extent required by law.
9. Return or Deletion of Data
9.1 Within ninety (90) days of either termination or expiration of the Service Agreement, or upon Customer’s written request, the Company shall securely delete or return all Customer Personal Data (including copies) that it Processes on behalf of the Customer. Notwithstanding the foregoing, Customer understands that Company may retain Customer’s Data if required by law, and such data will remain subject to the requirements of this Addendum.
10. Audit Rights
10.1 Company shall allow for reasonable audits and inspections by the Customer (or an independent auditor mandated by the Customer) for the purpose of verifying the Company’s compliance with this DPA and Applicable Data Protection Laws. The Company will provide access to its relevant data processing facilities, personnel, and records as reasonably necessary for this purpose, subject to the confidentiality and security restrictions outlined in Section 10.3 and the Company’s reasonable policies.
10.2 Notwithstanding the foregoing, if the Company has obtained independent third-party security or privacy certifications or audit reports (e.g., ISO 27001, SOC 2 Type II, or similar) that cover the systems used to Process Customer Personal Data, the Company may provide such reports or certifications in lieu of a Customer-conducted audit. The Customer agrees to accept those findings in satisfaction of the audit request, unless material issues are reasonably indicated. In any event, the Company shall provide all information and cooperation reasonably necessary to demonstrate compliance with this DPA, as required by Article 28(3)(h) of GDPR.
10.3 Audits shall be at Customer’s sole cost and expense. The Customer shall provide the Company with a copy of any audit reports generated, which shall be treated as Company’s confidential information and used only for the purpose of ensuring compliance. Upon Company’s request, the Customer shall, and shall direct any auditor to, sign a non-disclosure agreement reasonably acceptable to the Company before proceeding with the audit. The Company may redact or withhold any information that is not relevant to the Customer’s Personal Data or that is proprietary or highly confidential (such as information related to other customers or Company’s own trade secrets).
11. International Data Transfers
11.1 The Parties acknowledge that Data Protection Laws may impose restrictions on the transfer of Personal Data to countries or international organizations outside of the jurisdiction where the data originated (each a “Restricted Transfer”). For example, the GDPR prohibits transfers of Personal Data from the European Economic Area (EEA) to a recipient in a country that has not been deemed to provide an adequate level of protection, unless appropriate safeguards (such as Standard Contractual Clauses) are in place. Similarly, UK and Swiss laws impose transfer restrictions. The Parties agree to comply with such transfer restrictions.
11.2 To the extent the Company Processes (or causes to be Processed) any Customer Personal Data originating from the EEA or that is otherwise subject to the EU GDPR, outside of the EEA (or to an international organization) in a country not recognized by the European Commission as providing an adequate level of data protection, the Parties shall be deemed to enter into and execute the EU Standard Contractual Clauses (SCCs) by signing the Service Agreement and/or this DPA. The EU SCCs (Controller-to-Processor clauses, or Processor-to-Processor as appropriate) are hereby incorporated by reference into this DPA, with the Customer as “data exporter” and the Company (and/or applicable Sub-processors) as “data importer.” The details required for the execution of the SCCs (such as categories of data subjects, transfers, etc.) are set out in Annex 1 and Annex 2 of this DPA, which shall be deemed to form Annex I and Annex II (and Annex III, if applicable) of the SCCs. For the avoidance of doubt, Module Two of the SCCs (Controller-to-Processor) shall apply where Customer is a Controller and Company is a Processor; Module Three (Processor-to-Processor) shall apply where Customer is a Processor on behalf of a third-party Controller and Company is a sub-processor. The optional Docking Clause 7 of the SCCs shall be considered enabled, allowing addition of new parties if required. The SCCs shall be governed by the law of an EU Member State as specified in Annex 1 (e.g., the law of [Specify Member State]), and the competent supervisory authority shall be determined in accordance with Clause 13 of the SCCs (generally the authority of the EU country in which the data exporter is established, or as specified in Annex 1).
11.3 To the extent Customer Personal Data subject to UK GDPR is transferred from the UK to a country not deemed adequate under UK law, the EU SCCs (as incorporated in Section 11.2) shall apply with the following modifications: (i) the SCCs shall be read and interpreted in a manner that complies with the UK GDPR and the UK Data Protection Act; (ii) the UK Addendum (International Data Transfer Addendum, version B1.0 issued 21 March 2022) is hereby incorporated into this DPA and the SCCs by reference, and shall be deemed completed as follows: Table 1 of the Addendum: Parties and signatures (referencing the Parties and Effective Date of this DPA); Table 2: the version of the Approved EU SCCs is the EU SCCs referenced in Section 11.2; Table 3: Annex 1A, 1B, II, III – use the information in Annex 1, 2, 3 of this DPA; Table 4: the Exporter (Customer) may end the Addendum when the EU SCCs are replaced by new clauses or as otherwise set out in Section 19 of the Addendum (we select “neither party” as having the right to terminate for convenience). In the event of conflict between the EU SCCs and the UK Addendum, the provisions of the UK Addendum shall prevail for data transfers from the UK.
11.4 For Personal Data subject to the Swiss DPA (Switzerland), transfers to any country not recognized by the Swiss authorities as providing adequate protection shall be governed by the EU SCCs as well, with the following modifications: (i) references to “EU GDPR” or “Regulation (EU) 2016/679” in the SCCs shall be understood to include the Swiss DPA; (ii) references to “EU”, “Member State” or “Member State law” shall be interpreted to include Switzerland and Swiss law; (iii) the terms “supervisory authority” and “competent courts” in the SCCs shall be understood to refer to the Swiss Federal Data Protection and Information Commissioner (FDPIC) and the competent courts in Switzerland, respectively; (iv) the governing law of the SCCs, insofar as it relates to Swiss transfers, shall be the law of Switzerland (to the extent permissible), and the Swiss FDPIC shall be the competent authority under Clause 13. The Parties agree to abide by the applicable Swiss-specific standard clauses or adaptations as required to legitimize transfers from Switzerland.
11.5 In the event that the EU SCCs or UK Addendum are updated, replaced, or invalidated, or if an alternative transfer mechanism (such as an adequacy decision, binding corporate rules, or another lawful transfer solution) becomes available and applicable to the transfers under this DPA, the Parties agree to cooperate in good faith to implement such alternative mechanism. The Customer may reasonably request the Company to enter into any new or additional standard contractual clauses or other data transfer agreements as required by the Data Protection Laws for continued lawful transfer of Personal Data.
11.6 In the event of any conflict or inconsistency between this DPA and the Standard Contractual Clauses (including the UK Addendum) with respect to the protection of Personal Data, the terms of the Standard Contractual Clauses (and UK Addendum, as applicable) shall prevail to the extent of such conflict. For clarity, nothing in this DPA is intended to restrict data subjects or supervisory authorities from exercising their rights under the Standard Contractual Clauses.
11.7 The Company will disclose upon Customer’s request the countries in which Customer Personal Data is stored or accessible, including where its Sub-processors process data, so that Customer can evaluate any necessary SCCs or transfer requirements. The Company agrees to notify the Customer if it can no longer comply with its obligations under the SCCs or this Section, and if so, the Customer is entitled to suspend data transfers and/or terminate the relevant Processing, as needed.
12. Additional Provisions for California Personal Information
12.1 With respect to California Personal Information, the Parties acknowledge that the Customer is a “Business” and the Company is a “Service Provider” as those terms are defined in the CCPA. The Company is Processing California Personal Information on behalf of the Customer for the purpose of providing the services under the Service Agreement (the “Business Purpose”) and for no other purposes, except as otherwise permitted by the CCPA and this DPA.
12.2 The Company certifies that it understands and will comply with the following restrictions and obligations: The Company shall not Sell or Share any California Personal Information received from the Customer. The Company shall not retain, use, or disclose California Personal Information for any purpose other than the specific purpose of performing the services for Customer under the Service Agreement, or as otherwise permitted by the CCPA and its regulations. The Company shall not retain, use, or disclose the California Personal Information outside of the direct business relationship between the Company and the Customer. In particular, the Company shall not (i) use California Personal Information for its own purposes (such as for marketing or advertising to the Data Subject, or for building profiles apart from providing the services), (ii) combine or update California Personal Information received from the Customer with personal information received from other sources (except as allowed by the CCPA, such as to perform any business purpose permitted for Service Providers, or as needed to detect data security incidents, prevent fraud, or enhance the services in a way that is still in the context of providing the services), or (iii) otherwise engage in any Processing of California Personal Information that would cause the Company to be deemed a “third party” under the CCPA. The Company shall not Share California Personal Information for cross-context behavioral advertising, nor Sell such information for monetary or other valuable consideration.
12.3 The Company will comply with all applicable sections of the CCPA and its implementing regulations in its role as a Service Provider. The Company will provide the same level of privacy protection to the California Personal Information as is required of businesses by the CCPA. The Company will notify Customer without undue delay if the Company makes a determination that it can no longer meet its obligations under the CCPA (for example, if the Company can no longer comply with the restrictions and requirements in this Section). Upon such notice, the Customer may take reasonable and appropriate steps to stop and remediate any unauthorized use of California Personal Information.
12.4 The Company acknowledges that the Customer has the right to take reasonable and appropriate steps to help ensure that the Company uses California Personal Information in a manner consistent with the Customer’s obligations under the CCPA. This includes the right for the Customer to, at its option and upon notice, monitor the Company’s Processing of California Personal Information or to request attestations or certifications from the Company regarding its compliance. If the Customer notifies the Company that it believes the Company is using California Personal Information in a manner not permitted by the CCPA or this DPA, the Company shall cooperate with the Customer to remediate and address any such concerns. The Customer shall also have the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of California Personal Information by the Company or a Sub-processor, including the right to direct the Company to stop and verify deletion of any such information.
12.5 The Customer authorizes the Company to use Sub-processors (which may qualify as “contractors” or additional “service providers” under CCPA) to process California Personal Information, consistent with Section 5 of this DPA. The Company will ensure that any Sub-processor that processes California Personal Information on Company’s behalf is a Service Provider or contractor under the CCPA, is contractually bound to the same restrictions and obligations that apply to Company under this Section (in accordance with CCPA §1798.140(w) and implementing regulations), and does not Sell or Share the California Personal Information. The Company will enter into a written agreement with each such Sub-processor that requires the Sub-processor to provide at least the same level of privacy protection as required by the CCPA. The Company remains liable for any breaches of this Section caused by its Sub-processors.
12.6 The Parties acknowledge and agree that the Customer’s transfer of Personal Data to the Company is not part of any monetary or other valuable consideration provided by the Customer to the Company. The Customer is not selling or licensing Personal Data to the Company; rather, the Company receives Personal Data solely for the purpose of providing the contracted services. The Parties agree that the disclosure of Personal Data by Customer to Company is not a Sale and not a Share of Personal Data under the CCPA, and the Company provides its certification to that effect.
12.7 The Company shall cooperate with the Customer’s handling of any consumer requests or rights exercised under the CCPA, in accordance with Section 6 of this DPA. If the Company itself receives a verifiable consumer request under CCPA related to Customer’s data, it will promptly inform the Customer and not respond directly (unless legally compelled, in which case the Company will inform Customer). The Company shall enable the Customer to comply with any requests from individuals to exercise their CCPA rights, such as deletion or access, by appropriate technical and organizational measures.
12.8 The Company shall not combine the Personal Information received from Customer with personal information from other sources (except as permitted by 11 CCR §7051(a)(5) – e.g., to perform a Business Purpose, or as required by law, or to improve the quality of services in a manner consistent with the CCPA). Any combined data that is exempt from CCPA (e.g., deidentified or aggregate information) will be handled in compliance with relevant provisions of the CCPA.
13. General Provisions
13.1 This DPA is incorporated into and forms part of the Service Agreement. In the event of any conflict between this DPA and any other agreement between the Parties (including the Service Agreement or any related terms of service) with regard to the Processing of Personal Data, the provisions of this DPA shall prevail. Notwithstanding the foregoing, if there is a conflict between the SCCs (as incorporated in Section 11) and any other part of the Service Agreement (including this DPA), the SCCs shall prevail with respect to transfers of Personal Data.
13.2 This DPA enters into force on the Effective Date and will remain in effect until the Service Agreement expires or is terminated. The obligations and rights of the Parties under this DPA extend for as long as the Company processes Customer Personal Data, or until deletion of all Personal Data as described in Section 9 (Return or Deletion of Data). Termination or expiration of this DPA shall not discharge the Parties from the confidentiality and security obligations herein, which shall survive as long as the Company or its Sub-processors retain Personal Data.
13.3 Prior to any amendment or modification of this DPA, Customer shall be provided thirty (30) days’ notice of material changes. Notwithstanding the foregoing, the Company may update Annex 3 (Sub-processors) as described in Section 5.1, or make changes to this DPA as required by changes in law or the issuance of new Standard Contractual Clauses or regulations. In such case, the Company will notify the Customer of the changes. If any provisions of Data Protection Laws are amended or interpreted in a manner such that this DPA is no longer deemed sufficient for compliance, or if any supervisory authority or regulator issues guidance requiring changes to the DPA, the Parties agree to negotiate in good faith any necessary amendments to this DPA.
13.5 Each Party’s liability under or in connection with this DPA (including liability arising from the SCCs, if applicable) is subject to the limitations and exclusions of liability set out in the Service Agreement. The Parties agree that any liability of the Company arising under this DPA or the SCCs is aggregated with, and not in addition to, any liability cap or limitation applicable under the Service Agreement, to the maximum extent permitted by Data Protection Laws. However, nothing in the Service Agreement or this DPA limits a Party’s liability to data subjects under the third-party beneficiary provisions of the SCCs or under Data Protection Laws where such limitation is prohibited.
13.7 This DPA shall be governed by and construed in accordance with the same governing law that is stipulated in the Service Agreement, unless otherwise required by applicable Data Protection Laws. Where the Standard Contractual Clauses apply, the Parties agree that the law of the specified EU Member State (as set out in Annex 1) shall govern the SCCs. In all cases, any disputes arising out of or in connection with this DPA shall be subject to the jurisdiction and dispute resolution terms (such as arbitration or courts) set forth in the Service Agreement, unless otherwise mandated by applicable law or by the SCCs (e.g., disputes under the SCCs may be resolved in the courts of an EU Member State as provided therein). Nothing in this Section shall deprive Data Subjects of the rights or remedies they have under Data Protection Laws or the SCCs.
13.8 This DPA (including its Annexes) and the Service Agreement constitute the entire agreement between the Parties with regard to the subject matter hereof and supersede all prior discussions, understandings or agreements on the same subject. In case of ambiguity or inconsistency between this DPA and any other agreements between the Parties, this DPA shall prevail in respect of the subject matter hereof.
Annex 1: Description of Processing
Annex 1(A) – List of Parties:
- Data Exporter (Controller/Customer):
  - Customer as defined above
  - Role: Controller and/or Processor as specified in the DPA
- Data Importer (Processor/Company):
  - Name: Compt Inc.
  - Address: 8 Museum Way, Apt 2404, Cambridge, MA 02141
  - Contact person’s name, position and contact details: support@compt.io
  - Role: Processor and/or Service Provider
  - Signature & Date: Company is deemed to have signed this Annex by signing the Service Agreement on the Effective Date of the Agreement.
Annex 1(B) – Description of Processing and Transfer:
This Annex describes the subject matter and details of the Processing of Personal Data as required by GDPR Article 28(3) and Annex I of the SCCs.
- Subject Matter: The subject matter of the Processing is the provision of the Company’s SaaS services (the “Services”) to the Customer, as described in the Service Agreement. Processing of Personal Data is an integral part of the Services provided.
- Duration of Processing: The Processing will last for the duration of the Service Agreement and any retention period post-termination as required by the Service Agreement or law. Personal Data will be Processed only for as long as necessary to fulfill the purposes stated herein. Specific retention and deletion timelines are outlined in Section 9 of the DPA.
- Nature and Purpose of Processing: The Company will Process Personal Data as needed to provide the Services to Customer, which may include (by way of example) the collection, storage, analysis, retrieval, correction, deletion, and transfer of data on the Customer’s behalf. The purposes of Processing are to enable the Customer to use the Company’s cloud-based software application for administrative tasks and to perform related support and technical maintenance. The Processing includes all such activities as are reasonably required to provide the Services in accordance with the Service Agreement and Customer’s instructions (including to implement Customer’s requests via the Services). The business purpose of Processing California Personal Information is strictly to provide the Services in accordance with the Agreement (and for no other commercial purpose).
- Categories of Data Subjects: The Personal Data that the Customer instructs the Company to process may relate to the following categories of Data Subjects: Customer’s employees, contractors, agents, and end-users who are authorized to use the Services (e.g., staff whose information is input into the system by Customer).
- Categories of Personal Data: The Personal Data Processed may include (but is not limited to) identifiers and contact information (e.g., names, email addresses, phone numbers); account credentials; organizational details (e.g., company name, job title); usage data (e.g., system logs, IP addresses, activity logs related to the use of the Service); and any other data that Customer chooses to import or collect via the Service. The Service is not intended to Process any Special Categories of Personal Data (sensitive data) or data relating to criminal convictions, and Customer is advised not to input such data into the Service unless permitted by an applicable Agreement and necessary with appropriate safeguards. If any sensitive data is processed, it will be only as determined and controlled by the Customer and in accordance with Data Protection Laws.
- Frequency of Processing/Transfer: Personal Data will be Processed on a continuous or routine basis throughout the term of the Service Agreement (e.g., whenever users interact with the Service or as data is uploaded, stored, or accessed via the Service). Transfers of Personal Data to the Company (and onward transfers to Sub-processors) occur as needed to provide the Services, which is typically continuous and on-demand.
- Purpose Limitation: The Company shall not process the Personal Data for any purposes other than those related to providing the Services, as described above, or as otherwise required by law or expressly authorized by the Customer.
Annex 2: Technical and Organizational Security Measures
Company has implemented and will maintain security measures, internal controls, and information security policies and procedures designed to protect Customer Data. Company shall regularly monitor compliance with these safeguards. The following Security Measures are in place to protect Customer Data Processed by Company on behalf of Customer:
| Measure | Description |
|---|---|
| Measures of pseudonymization and encryption of personal data | All Compt data is encrypted in transit with SSL/TLS 1.2 and at rest using AES-256, in accordance with our Cryptography Policy. See our Data Management Policy and our Cryptography Policy for more details. |
| Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | All Compt data is backed up daily (backups are encrypted), and a plan for business continuity and disaster recovery has been created. See our Business Continuity and Disaster Recovery Plan for more details. |
| Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident | All Compt data is backed up daily (backups are encrypted), and a plan for business continuity and disaster recovery has been created. See our Business Continuity and Disaster Recovery Plan for more details. |
| Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing | Compt runs annual disaster recovery tests that include a test of our backup restoration process, in accordance with our Business Continuity and Disaster Recovery Plan. |
| Measures for user identification and authorization | Users at Compt are identified via email and password, and authorization is implemented through Role-Based Access Control. See our Access Control Policy. |
| Measures for the protection of data during transmission | All Compt data is encrypted in transit with SSL/TLS 1.2, in accordance with our Cryptography Policy. See our Data Management Policy and our Cryptography Policy for more details. |
| Measures for the protection of data during storage | All Compt data is encrypted at rest using AES-256, in accordance with our Cryptography Policy. See our Data Management Policy and our Cryptography Policy for more details. |
| Measures for ensuring physical security of locations at which personal data are processed | Compt hosts the servers on which personal data is processed on Heroku, which strictly controls access to its data centers. |
| Measures for ensuring events logging | All actions performed through our cloud provider are logged and stored for at least 15 months. |
| Measures for ensuring system configuration, including default configuration | All changes to Compt’s system configuration are controlled by the use of formal change control procedures. This is in accordance with our Operations Security Policy and our Secure Development Policy. |
| Measures for internal IT and IT security governance and management | At Compt, we practice the principle of least privilege: access is only granted to a Compt employee when it is absolutely required to perform their job functions. Access to Compt services must be formally requested by Compt employees, and all access must be reviewed quarterly. See our Access Control Policy. |
| Measures for certification/assurance of processes and products | Compt’s processes and controls have been evaluated by an independent third party. See our SOC 2 report. |
| Measures for ensuring data minimization | Compt only stores the data the employer needs in order to run their programs. Other than our basic fields, Compt does not control how little data our customers store in Compt in order to run their programs. |
| Measures for ensuring data quality | Compt empowers customers to safely manage their data with the appropriate tools. In the event that there is a discrepancy that our customers cannot fix, they are encouraged to contact the Compt support team, who will promptly help them with their request. See our Privacy Policy. |
| Measures for ensuring limited data retention | Compt shall retain data as long as the company has a need for its use, or to meet regulatory or contractual requirements. Once data is no longer needed, it shall be securely disposed of or archived. Data owners, in consultation with legal counsel, may determine retention periods for their data. Please refer to our Data Management Policy. |
| Measures for ensuring accountability | The appropriate point of contact to whom violations of any of our policies should be reported is listed in each policy. |
| Measures for allowing data portability and ensuring erasure | Customers may send data erasure requests to Compt’s support team in accordance with our Privacy Policy. |
For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter.
| Measure | Description |
|---|---|
| Measures for ensuring third-party/sub-processor compliance | For all service providers who may access Compt Confidential data, systems, or networks, proper due diligence shall be performed prior to provisioning access or engaging in processing activities. Information shall be maintained regarding which regulatory or certification requirements are managed by or impacted by each service provider, and which are managed by Compt as required. Applicable regulatory or certification requirements may include ISO 27001, SOC 2, PCI-DSS, CCPA, GDPR or other frameworks or regulations. See our Third-Party Management Policy. |
Annex 3: List of Authorized Sub-Processors
The following link provides a list of Sub-processors that the Company is authorized to engage to assist in the Processing of Customer Personal Data. https://compt.io/who-we-are/security-compliance/sub-processors/.
Annex 4: Cross-Border Data Transfer Mechanism (where applicable)
- Definitions
  - “Standard Contractual Clauses” means the 2021 Standard Contractual Clauses approved by the European Commission in decision 2021/914.
  - “UK IDTA” means the UK international data transfer addendum (Annex 5).
- UK Standard Contractual Clauses
  - For data transfers from the UK, the UK IDTA will be deemed entered into (and incorporated into this Addendum by reference) together with the Standard Contractual Clauses as set forth in Section 3 of this Annex below.
- The 2021 Standard Contractual Clauses
  - For data transfers from the EEA, the UK, and Switzerland that are subject to the SCCs, the SCCs will apply in the following manner:
    - Module Two (Controller-to-Processor) will apply where Customer is a controller of Customer Data and Company is a processor of Customer Data;
    - Module Three (Processor-to-Processor) will apply where Customer is a processor of Customer Data and Company is a subprocessor of Customer Data.
  - For each Module, where applicable:
    - in Clause 7, the optional docking clause will not apply;
    - in Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes will be as set forth in Section 4 (Subprocessors) of this Addendum;
    - in Clause 11, the optional language will not apply;
    - in Clause 17 (Option 1), the 2021 Standard Contractual Clauses will be governed by Irish law; in Clause 18(b), disputes will be resolved before the courts of Ireland;
    - in Annex I, Part A:
      - Data Exporter: Customer and authorized Affiliates of Customer.
      - Contact Details: Customer’s account owner email address, or the email address(es) at which Customer elects to receive privacy communications.
      - Data Exporter Role: The Data Exporter’s role is outlined in Section 2 of this Addendum.
      - Signature & Date: By entering into the Agreement, Data Exporter is deemed to have signed these SCCs incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
      - Data Importer: Company
      - Contact Details: Compt’s support team: support@compt.io
      - Data Importer Role: The Data Importer’s role is outlined in Section 2 of this Addendum.
      - Signature & Date: By entering into the Agreement, Data Importer is deemed to have signed these SCCs incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
    - in Annex I, Part B:
      - The categories of data subjects are described in Annex 1, Section 4.
      - The sensitive data transferred is described in Annex 1, Section 6.
      - The frequency of the transfer is a continuous basis for the duration of the Agreement.
      - The nature of the processing is described in Annex 1, Section 1.
      - The purpose of the processing is described in Annex 1, Section 1.
      - The period of the processing is described in Annex 1, Section 3.
      - For transfers to sub-processors, the subject matter, nature, and duration of the processing is outlined in Annex 3.
    - in Annex I: The Irish Data Protection Commission will be the competent supervisory authority.
    - Annex 2 serves as Annex II of the Standard Contractual Clauses.
  - As to the specific modules, the parties agree that the following modules apply, as the circumstances of the transfer may require:
    - Controller-to-Processor – Module Two
    - Processor-to-Processor – Module Three
  - To the extent there is any conflict between the SCCs or the UK IDTA and any other terms in this Addendum, including Annex 5 (Jurisdiction Specific Terms), the provisions of the SCCs or the UK IDTA, as applicable, will prevail.
Annex 5: Jurisdiction Specific Terms
- EEA
  - The definition of “Applicable Data Protection Laws” includes the General Data Protection Regulation (EU 2016/679) (“GDPR”).
  - When Company engages a Subprocessor under Section 4 (Subprocessors), it will:
    - require any appointed Subprocessor to protect Customer Data to the standard required by Applicable Data Protection Laws, including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR; and
    - require any appointed Subprocessor to agree in writing to only process data in a country that the European Union has declared to have an “adequate” level of protection, or to only process data on terms equivalent to the SCCs.
  - Notwithstanding anything to the contrary in this Addendum or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any GDPR fines issued or levied under Article 83 of the GDPR against the other party by a regulatory authority or governmental body based on such other party’s violation of the GDPR.
- Switzerland
  - The definition of “Applicable Data Protection Laws” includes the Swiss Federal Act on Data Protection.
  - When Company engages a Subprocessor under Section 4 (Subprocessors), it will:
    - require any appointed Subprocessor to protect Customer Data to the standard required by Applicable Data Protection Laws, including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR; and
    - require any appointed Subprocessor to agree in writing to only process data in a country that the European Union has declared to have an “adequate” level of protection, or to only process data on terms equivalent to the SCCs.
- United Kingdom
  - References in this Addendum to the GDPR will to that extent be deemed to be references to the corresponding laws of the UK (including the UK GDPR and the Data Protection Act 2018).
  - When Company engages a Subprocessor under Section 4 (Subprocessors), it will:
    - require any appointed Subprocessor to protect Customer Data to the standard required by Applicable Data Protection Laws, including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR; and
    - require any appointed Subprocessor to agree in writing to only process data in a country that the European Union has declared to have an “adequate” level of protection, or to only process data on terms equivalent to the SCCs.
- California
  - The definition of “Applicable Data Protection Laws” includes the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act of 2020 (“CPRA”). All references throughout the Addendum to the CCPA are inclusive of the CCPA and the CPRA.
  - The terms “business”, “commercial purpose”, “service provider”, “consumer”, “sell”, “share”, and “personal information” have the meanings given in the CCPA.
  - With respect to Customer Data, Company is a service provider under the CCPA, with Customer as the business.
  - Company will not (a) sell or share Customer Data within the meaning of the CCPA or otherwise; (b) retain, use or disclose any Customer Data for any purpose other than the Permitted Purpose, including retaining, using or disclosing Customer Data for a commercial purpose other than providing the Services; (c) retain, use or disclose Customer Data outside of the direct business relationship between Company and Customer; or (d) combine Customer Data with other personal information that it received from or on behalf of another person/entity, or collects from its own interaction with the consumer.
  - Company certifies and warrants that it will comply with all applicable provisions of the CCPA and the terms of this Section 4 (California). Company shall promptly notify Customer if Company determines that it can no longer meet its obligations.
  - The parties acknowledge and agree that the Processing of Customer Data authorized by Customer’s instructions described in Section 3 of this Addendum (Description and Scope of Processing) is integral to and encompassed by Company’s provision of the Services and the direct business relationship between the parties.
  - Notwithstanding anything in the Agreement or any order form, order, statement of work or similar document entered into in connection therewith, the Parties acknowledge and agree that Company’s access to Customer Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement.
  - Company implements and maintains reasonable security and privacy practices appropriate to the nature of the personal information that it processes, as set forth in Section 5 of this Addendum (Security).
  - Company agrees that it will provide Customer with reasonable assistance and cooperate with Customer’s obligations under the CCPA to ensure that Company is: (i) Processing Customer Data in a manner consistent with Company’s obligations; and (ii) stopping and remediating any unauthorized use of Customer Data.
  - In the event that either party shares de-identified information with the other party, the receiving party warrants that it: (i) takes reasonable measures to ensure that the information cannot be associated with a consumer or household; (ii) commits to maintain and use the information in de-identified form and not to attempt to re-identify the information, except that the party may attempt to re-identify the information solely for the purpose of determining whether its de-identification processes satisfy the law; and (iii) contractually obligates any recipients of the information to comply with all applicable laws.
- Australia
  - As the definition of “Applicable Data Protection Laws” includes the Australian Privacy Principles and the Australian Privacy Act (1988), the following applies:
    - The definition of “Personal Data” includes “Personal Information” as defined under the Australian Privacy Principles and the Australian Privacy Act (1988).
    - The definition of “sensitive data” includes “Sensitive Information” as defined under the Australian Privacy Principles and the Australian Privacy Act (1988).
- Canada
  - As the definition of “Applicable Data Protection Laws” includes the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”), the following applies:
    - Company’s Subprocessors, as described in this Addendum, are third parties under PIPEDA with whom Company has entered into a written contract that includes terms substantially similar to this Addendum. Company has conducted appropriate due diligence on its Subprocessors.
    - Company will implement technical and organizational measures as set forth in Annex 2 (Security Measures).
Annex 6: UK IDTA
This Addendum has been issued by the Information Commissioner for parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1: Parties
| Start Date | the Effective Date of the Agreement | |
| The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
| Parties’ Details | See the Agreement | Full legal name: Compt Inc. Trading name (if different): Compt Inc. Main address (if a company registered address): 8 Museum Way, Unit 2404, Cambridge, MA 02141 Official registration number (if any) (company number or similar identifier): [ |
| Key Contact | See the Agreement | Contact details including email: Compt’s support team: support@compt.io |
| Signature (if required for the purposes of Section 2) | By entering into the Agreement, the Exporter is deemed to have signed this Addendum. | By entering into the Agreement, the Importer is deemed to have signed this Addendum. |
Table 2: Selected SCCs, Modules and Selected Clauses
| Addendum EU SCCs | The Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum: See Annex 3, Section 3. |
Personal data received from the Importer may be combined with personal data collected by the Exporter.
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
| Annex 1A: List of Parties: See Table 1 |
| Annex 1B: Description of Transfer: See Annex 1 |
| Annex II: Technical and organizational measures to ensure the security of the data: See Annex 2 |
| Annex III: List of Sub processors (Modules 2 and 3 only): See Annex 6 |
Table 4: Ending this Addendum when the Approved Addendum Changes
| Ending this Addendum when the Approved Addendum changes | Which Parties may end this Addendum as set out in Section 19: Exporter |
Part 2: Mandatory Clauses
Entering into this Addendum
1. Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.
2. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.
Interpretation of this Addendum
3. Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
| Addendum | This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs. |
| Addendum EU SCCs | The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information. |
| Appendix Information | As set out in Table 3. |
| Appropriate Safeguards | The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR. |
| Approved Addendum | The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18. |
| Approved EU SCCs | The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021. |
| ICO | The Information Commissioner. |
| Restricted Transfer | A transfer which is covered by Chapter V of the UK GDPR. |
| UK | The United Kingdom of Great Britain and Northern Ireland. |
| UK Data Protection Laws | All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018. |
| UK GDPR | As defined in section 3 of the Data Protection Act 2018. |
4. This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfills the Parties’ obligation to provide the Appropriate Safeguards.
5. If the provisions included in the Addendum EU SCCs amend the Approved EU SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.
6. If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws apply.
7. If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
8. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
Hierarchy
9. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.
10. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.
11. Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.
Incorporation of and changes to the EU SCCs
12. This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
a. together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
b. Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
c. this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
13. Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.
14. No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.
15. The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:
a. References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;
b. In Clause 2, delete the words:
“and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
c. Clause 6 (Description of the transfer(s)) is replaced with:
“The details of the transfer(s) (and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
d. Clause 8.7(i) of Module 1 is replaced with:
“it is to a country benefiting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
e. Clause 8.8(i) of Modules 2 and 3 is replaced with:
“the onward transfer is to a country benefiting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
f. References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
g. References to Regulation (EU) 2018/1725 are removed;
h. References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
i. The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;
j. Clause 13(a) and Part C of Annex I are not used;
k. The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
l. In Clause 16(e), subsection (i) is replaced with:
“the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
m. Clause 17 is replaced with:
“These Clauses are governed by the laws of England and Wales.”;
n. Clause 18 is replaced with:
“Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
o. The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.
Amendments to this Addendum
16. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
17. If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
18. From time to time, the ICO may issue a revised Approved Addendum which:
a. makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or
b. reflects changes to UK Data Protection Laws.
The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
19. If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate, and demonstrable increase in:
a. its direct costs of performing its obligations under the Addendum; and/or
b. its risk under the Addendum, and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
20. The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.
Alternative Part 2 Mandatory Clauses:
| Mandatory Clauses | Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses. |
