Effective as of August 8, 2023
For transfers of Referral Personal Data from the Data Discloser to the other party outside the EEA, UK and Switzerland in a country that does not ensure an adequate level of protection within the meaning of European Data Protection Laws, the EU SCCs and/or UK Addendum and/or Swiss Addendum, as applicable, shall govern such transfers.
The EU SCCs will apply to any Processing of Referral Personal Data that is subject to the GDPR and any optional clauses not expressly selected are not incorporated. For the purposes of the EU SCCs:
1.1 Module One will apply.
1.2 in Clause 7, the optional docking Clause will apply.
1.3 in Clause 11, the optional language will not apply.
1.4 in Clause 17 Option 1 will apply and the governing law will be as set out in clause 16.6 of the Agreement.
1.5 in Clause 18(b),the jurisdiction shall be as set out in clause 16.6 of the Agreement.
1.6 in Annex I, for purposes of Annex I, Parts B and C, Annex I of this Schedule contains the specifications regarding the Processing and the competent supervisory authority and the following shall apply for the purposes of Annex I, Part A with respect to the parties:
Data Exporter: Contentful or Partner.
Contact Details: As set out in the Agreement.
Data Exporter Role: Controller.
Signature & Date: By entering into the Agreement, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
Data importer: As above.
Contact Details: As above.
Data Importer Role: As above.
Signature & Date: By entering into the Agreement, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the DPA.
1.7 Annex II: with the technical and organizational security measures as set out in Annex II.
The UK Addendum will apply to any Processing of Referral Personal Data that is subject to the UK GDPR or to both the UK GDPR and the GDPR. For purposes of the UK Addendum:
2.1 Table 1: The parties are Contentful and Partner, with contact details as set forth in the Agreement.
2.2 Table 2: The Approved Standard Contractual Clauses are the EU SCCs as set forth in Section 1 (EU SCCs) of this Schedule 1.
2.3 Table 3: (a) Annex 1A: as set forth in Annex I; (b) Annex 1B: as set forth in Annex I; and (c) Annex II: as set forth in Annex II.
2.4 Table 4: Either party may terminate the UK Addendum in accordance with Section 19 of the UK Addendum if the parties are unable to come to a mutual agreement after a good faith effort to amend this Agreement to account for changes arising from a revised Approved Addendum issued by the ICO.
2.5 Part 2 Mandatory Clauses. The Mandatory Clauses of the Approved Addendum, (being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as revised under Section 18 of those Mandatory Clauses) shall apply.
For transfers of Referral Personal Data that are subject to the Swiss Federal Act on Data Protection of 19 June 1992 and the Swiss Ordinance to the Swiss Federal Act on Data Protection of 14 June 1993 (Swiss Data Protection Laws), the EU SCCs form part of this Swiss Addendum, but with the following differences to the extent required by the Swiss Data Protection Laws.
3.1 References to the GDPR in the EU SCCs shall be references to Swiss Data Protection Laws to the extent the data transfers are subject exclusively to Swiss Data Protection Laws and not to the GDPR.
3.2 References to the “European Union”, “Union”, “EU” and “EU Member State” are all replaced with “Switzerland”.
3.3 The “competent supervisory authority” is the Federal Data Protection and Information Commissioner insofar as the transfers are governed by Swiss Data Protection Laws.
3.4 References to “personal data” in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions of Swiss Data Protection Laws that eliminate this broader scope.
3.5 Clause 18 of the EU SCCs is replaced to state: “Any dispute arising from these Clauses relating exclusively to Swiss Data Protection Laws will be resolved by the courts in Switzerland. A Data Subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland in which he/she has his/her habitual residence.”
For purposes of the Standard Contractual Clauses in Schedule 1, this Annex I serves as Annex I, Parts B & C.
| Categories of Referral Personal Data | Contact information such as name, email address, telephone number and business address; and other background information related to potential customers of Contentful or Partner to the extent it includes Personal Data. |
| Categories of Data Subjects | Potential customers of Contentful or Partner (where those customers are individuals) or employees or representatives of customers (where those customers are organizations). |
| Duration of Processing | Duration of the Agreement as described in section 15. |
| Frequency of Processing | Continuous basis for the duration of the Agreement. |
| Nature of Processing | Any operation necessary for the performance of the Agreement and the Agreed Purposes set out in section 8.4. |
| Purposes of Processing | The Agreed Purposes as set out in section 8.4. |
| Competent Supervisory Authority | The competent supervisory authority of the applicable Member State of the Data Discloser (the data exporter for purposes of Schedule 1). |
Technical and Organizational Security Measures
For purposes of the Standard Contractual Clauses in Schedule 1, this Annex II serves as Annex II of the Standard Contractual Clauses.
Where Contentful is the Data Importer, Contentful shall comply with the security measures set out in the Contentful security standards available on the following page: https://www.contentful.com/legal/security-standards/
Where Partner is the Data Importer, Partner shall implement and maintain the minimum technical and organizational security measures as follows:
| Technical and Organizational Security Requirement | Partner Technical and Organizational Security Measure |
|---|---|
| Measures of encryption of Contentful Data and pseudonymisation of Referral Personal Data | Partner maintains Referral Personal Data in an encrypted format at rest and in transit in line with industry best practices. Partner pseudonymizes Referral Personal Data only in accordance with Contentful’s instructions. |
| Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the Processing | Partner maintains industry standard security certifications, subject to regular audits. Examples of such certifications include, but are not limited to, ISO 27001 and SOC 2 Type II.
Partner performs regular scans and penetration tests to identify software vulnerabilities, misconfigurations or other flaws that may negatively affect the security of the Partner or Referral Personal Data. Security threats and vulnerabilities that are detected are prioritized, triaged, and remediated promptly. |
| Measures for user identification and authorization | Partner implements industry standard access controls and detection capabilities. Partner personnel are required to use unique user access credentials, passwords, and multifactor for authorization inline with industry recognized practices Partner personnel are authorized to access Referral Personal Data based on their job function, role and responsibilities, and such access requires approval prior to being provided. Actions performed must be audited and attributable to a unique user. Access is promptly changed or removed as applicable upon role change or termination. |
| Measures for the protection of Referral Personal Data during storage and transmission | Referral Personal Data is encrypted when in transit using industry standard secure encryption. Stored Referral Personal Data is encrypted using the encryption standard specified above.Â
Partner uses network and host based intrusion and malware protection tools and services. Security threats and vulnerabilities that are detected are prioritized, triaged, and remediated promptly. Partner maintains tools and processes to proactively identify security threats and intrusion attempts. Such processes include, but are not limited to, proactively enhancing systems, ensuring such systems are functioning with comprehensive coverage, and responding to suspicious events or confirmed incidents to limit damage to information systems. |
| Measures for ensuring physical security of locations at which Referral Personal Data are Processed | Partner’s servers and office spaces have a physical security program that manages visitors, building entrances, and overall office security. All employees and contractors are required to have approved access cards and visitors are required to be escorted throughout those parts of the premises where personnel can access Referral Personal Data. |
| Measures for ensuring events logging | Partner centrally stores and protects the confidentiality, availability, and integrity of security relevant logs and events for systems that Process Referral Personal Data. Security relevant logs and events include, but are not limited to, system behavior, traffic, authentication, access, and are inclusive of infrastructure and applications.
Relevant security personnel are alerted to and investigate anomalous activities that pose a threat to the health or security of the system. |
| Measures for ensuring system configuration, including default configuration | Partner aligns and monitors configuration of systems that Process Contentful Data with industry standard benchmarks. An example of such benchmark includes, but is not limited to, the Center for Internet Security (CIS) benchmarks. |
| Measures for internal IT and security governance and management | Partner maintains a risk-based security program and security team as described above. |
| Measures for certification/assurance of processes and products | Partner conducts regular third-party audits to attest to its security certifications including those certifications specified above.
Partner applies industry standard processes to perform numerous security-related activities for its systems including, without limitation, creating threat models to detect any potential security threats and vulnerabilities, and a change management process as described above. Security is managed at the highest level of the company with regular meetings by senior management to discuss and coordinate security initiatives company-wide and for processes and products. |
| Measures for ensuring data minimisation | Partner ensures data minimisation in accordance with its instructions from Contentful, data privacy policies and industry standards. |
| Measures for ensuring data quality | Partner ensures data quality in accordance with the Agreement. |
| Measures for ensuring limited data retention | Partner maintains internal policies to ensure that Referral Personal Data is not kept for longer than necessary in accordance with the Agreement. |
| Measures for ensuring accountability | Partner has adopted measures for ensuring accountability, such as implementing data privacy policies across its business. Partner has appointed an employee or contractor with primary responsibility for the business’ compliance with relevant data privacy obligations. Partner also conducts regular audits to ensure compliance with its privacy and security standards. Partner requires all personnel to complete security awareness and data privacy training at least annually. |