These Terms and Conditions incorporate by reference the IAB Standard Terms and Conditions for Internet Advertising Media Buys One Year or Less v. 3.0 available at https://www.iab.com/wp-content/uploads/2015/06/IAB_4As-tsandcs-FINAL.pdf ( the “IAB Standard Terms”), as amended below. so that references to these Terms and Conditions or Agreement shall include references to the IAB Standard Terms. If there is any conflict between the IAB Standard Terms and the terms specified in these T&Cs, the terms of these T&Cs shall prevail. Capitalised terms used but not defined herein shall have the meaning given to them in the IAB Standard Terms. If there is any conflict between these T&Cs or the IAB Standard Terms and the terms of an IO, the terms of IO shall prevail.

Personal Data shared between the Parties for the purposes of providing the services are governed by the Data Processing Addendum that constitutes Annex 1 to this Huuuge Marketing Terms and Conditions.  

For the purposes of these Terms and Conditions, the IAB Standard Terms are amended as follows:

All references to the “Agency” are hereby changed to “Advertiser”, and “Media Company” shall continue to mean the publisher listed on the applicable IO.

“Third Party Ad Server” means the Appsflyer platform for tracking and attribution of Ads, available at www.appsflyer.com.

This section is deleted in its entirety and replaced with the following:

1. Invoices. Unless stated otherwise in the IO, Media Company will invoice Advertiser monthly for Deliverables delivered in the previous calendar month. Invoices will be sent to Advertiser’s billing address as set forth on the IO and will include information reasonably specified by Advertiser, such as the IO number, brand name or campaign name, and any number or other identifiable reference stated as required for invoicing on the IO. All invoices (other than corrections of previously provided invoices) pursuant to the IO will be sent within 90 days of delivery of all Deliverables.
2. Payment Date. Advertiser will make payment 45 days from its receipt of a valid and uncontested invoice, or as otherwise stated in the IO.

This section is deleted in its entirety and replaced with the following:

Either party may terminate the IO (or any portion thereof) with 48 hours prior written notice to the other party, without penalty.

Subsections X(b.) By Advertiser and X(c.) By Agency are deleted in their entirety and replaced with the following:

b. By Advertiser. Advertiser will defend, indemnify, and hold harmless Media Company and each of its Affiliates and Representatives from Losses resulting from any Claims brought by a Third Party resulting from (i) Advertiser’s breach of Section XII or of Advertiser’s representations and warranties in Section XIV(a), or (ii) the content or subject matter of any Ad or Advertising Materials to the extent used by Media Company in accordance with these Terms or an IO.

and subsection X(d.) Procedure is renumbered as subsection X(c.). 

The parties agree that Advertiser is authorized to use Collected Data for Repurposing.

Subsection XII(h.) Agency Use of Data is deleted in its entirety and replaced with the following:

h. Market Abuse Regulation. Media Company acknowledges that Advertiser’s parent company, Huuuge, Inc., is a public company and is subject to applicable legislation  including securities law relating to insider dealing and market abuse (in particular, Regulation (EU) No 596/2014 of the European Parliament and of the Council of 16 April 2014 on market abuse (market abuse regulation) and repealing Directive 2003/6/EC of the European Parliament and of the Council and Commission Directives 2003/124/EC, 2003/125/EC and 2004/72/EC and its development legislation (“Market Abuse Regulation”)). Media Company acknowledges that it may come into possession of inside information within the meaning of the Market Abuse Regulation by external sources. Media Company acknowledges that it is aware that Market Abuse Regulation, among others, prohibits both (a) an unlawful disclosure or inside information and (b) any person who has inside information from purchasing or selling securities of a listed company to which any inside information refers (and options, warrants and rights relating thereof) or from communicating such information to any other person under circumstances in which it is reasonably foreseeable that such person is likely to purchase or sell such securities. 

Notwithstanding any other terms, the parties agree that this section XIII. is applicable, that both parties will run the Third Party Ad Server, and that the Controlling Measurement will be taken from the Third Party Ad Server.

The following subsections are deleted in their entirety and replaced with the following:

a. Warranties. Advertiser represents and warrants that Advertiser has all necessary licenses and clearances to use the content contained in the Ads and Advertising Materials as specified on the IO and subject to these Terms. Media Company represents and warrants that:

1. 1. Media Company has all necessary permits, licenses, and clearances to sell the Deliverables specified on the IO subject to these Terms;
   2. it has full legal right, power and authority to enter into this agreement and perform its obligation hereunder;
   3. neither the Media Company’s execution nor its performance of this agreement will result in a breach of any other agreement or obligation by which Media Company is bound;
   4. it will comply in the performance of this Agreement with all applicable laws, statutes, ordinances, rules and regulations in the Territory and the rules, policies and procedures of each country’s applicable game ratings organization and any other similar organization in or having jurisdiction in the Territory;
   5. during the handling of the Advertising Materials, it will not cause the Advertising Material to become subject to any virus, worm, time-bomb, Trojan horse, or other instrumentality, contamination or device that will cause any component of the Advertising Materials to be erased, corrupted or become inoperable or incapable of processing or affect operations of any other systems;
   6. all the Advertising Materials designed, modified, or provided by Media Company, as well as Media Company’s practices in distributing such materials, shall at all times be in strict conformity with all relevant advertising and developer policies, including the policies of Google, Facebook and any other relevant advertising networks;
   7. during the distribution of the Advertising Materials, Media Company shall to the best of its knowledge provide truthful information regarding the commodities and services provided to users and shall not make misleading or false claims;
   8. Media Company shall ensure the Ad statistics are acquired authentically without using any fraudulent or illegitimate means. Any action that intentionally attempts to create click-through(s) using robots, frames, iframes, scripts for the sole purpose of creating commissions, will be invalid. Once aforementioned circumstances occur, Advertiser will not be required to accept any fraudulent Ad statistics and the Advertiser reserves the right to withhold/deduct payments for twelve (12) months from the month which such services were provided. Advertiser will provide an explanation for the deducted conversions accordingly upon written request;
   9. Advertising Materials designed, modified, or provided by Media Company, as well as Media Company’s practices in distributing such materials, will not infringe any third party’s rights or violate Google’s Ads and App Promotion Policies. Advertiser’s applications will not be removed from the Google Play Store or hidden from top list placement on the Google Play Store due to the acts or omissions of Media Company or its Representatives.

b. Assignment. Neither party may resell, assign, or transfer any of its rights or obligations hereunder without the prior written approval of the other party, except that a party may assign it rights and obligations hereunder to its own Affiliate.

d. Conflicts; Governing Law; Amendment. In the event of any inconsistency between the terms of an IO and these Terms, the terms of the IO will prevail. All IOs will be governed by the laws of the Republic of Ireland. Media Company and Advertiser agree that any claims, legal proceedings, or litigation arising in connection with the IO (including these Terms) will be brought solely in the courts of Dublin, Ireland, and the parties consent to the jurisdiction of such courts. No modification of these Terms will be binding unless in writing and signed by both parties. If any provision herein is held to be unenforceable, the remaining provisions will remain in full force and effect. All rights and remedies hereunder are cumulative.

e. Notice. Any notice required to be delivered hereunder will be sent by email to the receiving party’s contact(s) as noted on the IO, and will be deemed delivered upon receipt.

and the following subsections are added to this section XIV as subsections XIV(h.) and XIV(i.):

h. Anti-Bribery. Each party hereby warrants, that to the best of its knowledge, neither the party nor any of the Party’s Representatives who provide assistance with carrying out this agreement has at any time engaged in any activity, practice or conduct that would constitute an offense under applicable anti-bribery legislation. Each party warrants that neither that party nor any Representative is currently or has been the subject of an investigation by any governmental or regulatory body regarding any offence or alleged offence under applicable anti-bribery legislation, nor is the party aware of any instance in which any Representative of the party has performed any act that would constitute an offence of foreign or domestic anti-bribery legislation. Each party shall have the right to verify compliance of the latter with the provisions set out above. Media Company hereby undertakes not to allocate any of the funds received hereunder for any corrupt purposes or any other unlawful purposes.

i. Sanction clause. Media Copmany hereby represents that neither him nor any of his affiliates (including his ultimate beneficial owner or any other person who controls the Media Company) are subject to any economic sanctions imposed by the European Union or any Member State of the EU, the United Nations, the United States Government, the United Kingdom or Israel (“Sanctions“). In the event that this situation changes, Media Company agrees to notify Advertiser immediately. Failure to notify Advertiser of a possible sanction may be grounds for termination of this Agreement or may result in liability for damages. Advertiser may terminate the Agreement without notice if the Media Company or an entity or person associated with it is subject to Sanctions or the performance of the Agreement may infringe the Sanctions.

This DPA is hereby incorporated into the Agreement which governs the Supplier’s access and/or processing to Huuuge personal data for the purposes of the Supplier providing the Services.

The term “party” or “parties” as used in this DPA refers to Huuuge and the Supplier, unless otherwise expressly stated. Defined terms used in this DPA will have the meanings given to them in Section 1 (Definitions).

This DPA enters into force on the date the provision of the Services under the Agreement commences, and is also binding for any annexes or updates of the Agreement between the parties, as long the scope of the Services is in line with the scope given in this DPA.

1. Definitions
   1. “personal data“, “processing“, “data subject“, “controller“, and “processor” have the meanings given to them by EEA Law or applicable Data Protection Laws to which the personal data may be subject to the extent that such concepts exist in such laws, where the term “personal data” also includes all information that classifies as personally identifiable information.
   2. “Affiliates” means an entity that owns or controls, is owned or controlled by or is under common control or ownership with a party, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by agreement or otherwise.
   3. “Agreement” means the existing arrangement under which the Supplier provides Services to Huuuge. 
   4. “DPA” or “Addendum” means this Data Processing Addendum and any addenda associated with this Data Processing Addendum.
   5. “Data Protection Laws” means any applicable law or regulation concerning data protection, privacy and cybersecurity that governs the processing of personal data, including EEA Law and any supervisory guidance published in respect of the same.
   6. “EEA” means the European Economic Area.
   7. “EEA Law” means Regulation (EU) 2016/679 of the European Parliament and the Council (i.e., General Data Protection Regulation, abbreviated as GDPR), any successor thereto and any other law relating to the data protection or privacy of individuals that applies in the EEA.
   8. “Huuuge” means the Huuuge entity identified in the Agreement.
   9. “Regulator” means the data protection supervisory authority which has jurisdiction over Huuuge’s and/or the Supplier’s processing of personal data pursuant to the Agreement or the Addendum.
   10. “Restricted Third Country Transfer” transfer to Third Countries that is not based on an adequacy decision of the European Commission or when no appropriate safeguards exist. 
   11. “Security Breach” any security incident, unauthorised access, misappropriation, loss, damage or other compromise of the security, confidentiality, or integrity of personal data processed by or on behalf of the Supplier or a Subprocessor for Huuuge.
   12. “Services” means the services (or products) provided pursuant to the Agreement.
   13. “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries pursuant to the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as currently available at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en, including any subsequent versions thereof released by the European Commission (the latest version shall automatically apply).
   14. “Subprocessor” means any processor engaged by the Supplier or by any other Subprocessor of the Supplier which agrees to receive from the Supplier, or from any other Subprocessor of the Supplier, personal data, exclusively with the intention for processing activities to be carried out on behalf of Huuuge and in accordance with its instructions, the terms of the Agreement, the Addendum and the terms of the written subcontract.
   15. “Supplier” means the party defined in the Agreement as such an entity that provides Services.
   16. “Third Countries” countries outside of the EEA. 
2. Obligations of the parties 
   1. The parties agree that Appendix 1 to this Addendum sets out the: 
      1. subject matter, duration, nature and purpose of the processing to be undertaken by the Supplier or Subprocessors; and
      2. the type of personal data and categories of data subjects,

      applicable to the Agreement.

   2. This Addendum applies where Huuuge and/or its Affiliate are sole or joint controllers and the Supplier and/or its Affiliate is a processor.
   3. Unless expressly specified otherwise, any reference to Huuuge shall also mean a reference to Huuuge’s Affiliates and any reference to Supplier should mean a reference to the Supplier’s Affiliate. Huuuge and the Supplier respectively are fully responsible for their Affiliates in performance of this DPA.
3. Supplier’s obligations and warranties
   The Supplier agrees and warrants that it will:
   1. process personal data only:
      1. on behalf of Huuuge and in accordance with its documented instructions, including disclosing the personal data to a third party (unless otherwise required by any Data Protection Laws to which the Supplier is subject); 
      2. for the specific purpose as set out in Appendix 1.B, unless on further instruction from Huuuge; and not for its own purposes; and
      3. in compliance with the Agreement, this Addendum and applicable Data Protection Laws;
   2. without undue delay notify Huuuge if the Supplier is unable to follow the instructions or is legally required to process the personal data otherwise (before such processing), and immediately inform Huuuge if it believes Huuuge’s instructions infringe any Data Protection Laws or issuances of any Regulator;
   3. provide assistance to Huuuge as it reasonably requires in complying with its obligations under Data Protection Laws, including obligations referred to in Articles 32-36 of the GDPR and the obligation to respond to data subjects’ requests for the exercise of their rights under the Data Protection Laws. The Supplier will without undue delay notify Huuuge of any request it has received from a data subject, but will not respond to that request itself unless it has been authorised to do so by Huuuge;
   4. grant access to the personal data to authorised members of its personnel that are subject to a confidentiality obligation and only to the extent strictly necessary for the implementation, management and monitoring of the DPA or the Agreement;
   5. it has implemented and will maintain appropriate technical and organisational measures to ensure the security of personal data ensuring a level of security adequate to the risk involved in processing of entrusted personal data and referred to in Article 32 of the GDPR or other applicable Data Protection Laws, as well as will carry out regular checks to ensure that these measures continue to provide an appropriate level of security and provide information about them on Huuuge’s request. 
   6. without undue delay and adequately cooperate with Huuuge with regard to matters concerning personal data processing under the DPA, including responding to requests received to this extent, as well as notify Huuuge about any proceedings, decision or planned or pending audits or inspections, including administrative or judicial proceedings or decisions, relating to processing carried out by the Supplier as stated in the DPA.
4. Subprocessors 
   1. Huuuge acknowledges and agrees that the Supplier may subcontract the provision of the Services, or its elements, to Subprocessors included in the list provided to Huuuge by the Supplier before commencement of the Services under the Agreement, in accordance with Appendix 3. 
   2. The Supplier will specifically inform Huuuge in electronic form of any intended changes to the list specified in point 4.1 at least 7 days in advance, thereby giving Huuuge sufficient time to be able to object to such changes prior to the engagement of the Subprocessor(s). 
   3. Any engagement of the Subprocessor(s) requires a written contract between the Supplier and the Subprocessor which provides for, in substance, the same data protection obligations as those binding the Supplier under the DPA. The Supplier is fully responsible to Huuuge for the performance of the Subprocessor’s obligations under its contract with the Supplier. 
   4. At the request of Huuuge, the Supplier will provide explanations and current lists of the Subprocessors prepared in accordance with Appendix 3, unless such information is available at the Supplier’s website/platform as provided by the Supplier.
5. Audit and Supplier’s obligation to provide information
   1. The Supplier will allow for and contribute to audits conducted upon prior notice by Huuuge or an auditor mandated by Huuuge with regard to compliance with the DPA or Data Protection Laws, based on reasonable grounds, including if:
      1. the Supplier has experienced a Security Breach; or
      2. audit is requested by a Regulator or other competent governmental organization.
   2. The Supplier will cooperate with Huuuge during the audit and will reasonably support Huuuge in the audit, in particular by: (i) ensuring access to documents required for such inspection, personal data processing areas and IT systems within which personal data are processed, as well as providing explanations thereto; (ii) allowing for inspection of procedures aimed at assessing the compliance of personal data processing with Data Protection Laws, including procedures concerning security measures; (iii) allowing for interviews with the Supplier’s personnel or contractors involved in personal data processing; (iv) responding to questions and providing all necessary information. 
   3. Each party shall bear their own costs in respect of Huuuge’s audits.
   4. The Supplier will provide Huuuge with all information necessary to demonstrate compliance with obligations under the DPA or Data Protection Laws.
6. Security Breach
   1. The Supplier will:
      1. notify Huuuge immediately after having become aware of a Security Breach; 
      2. take appropriate measures to address the Security Breach, including measures to mitigate its adverse effects; and
      3. cooperate with and assist Huuuge to enable Huuuge to comply with its obligations under Data Protection Laws, in particular to notify the Regulator and the affected data subjects, taking into account the nature of processing and the information available to the Supplier. The Supplier will not make any notification to a Regulator or data subject in respect of any Security Breach unless expressly authorised by Huuuge in electronic form to do so or unless otherwise required by law.
   2. If a Security Breach for reasons attributable to the Supplier results in an administrative penalty or obligation to pay damages being imposed on Huuuge, the Supplier undertakes to indemnify Huuuge from liability and to refund any related losses and costs incurred.
7. Third Country transfer
   1. The parties acknowledge and agree that the Supplier may process personal data in Third Countries, as well as that personal data may respectively be processed in, transferred to or accessed from Third Countries by the Affiliates and Subprocessors of the Supplier when providing the Services in accordance with the Agreement provided that the specific conditions set out in Data Protection Laws have been fulfilled.
   2. The Supplier represents and Huuuge agrees that in the event when the personal data are not to be processed exclusively on EEA territory, it will ensure that transfer to Third Countries will be based on an adequacy decision of the European Commission or appropriate safeguards will be in place in accordance with relevant Data Protection Laws. In case there are no other appropriate safeguards or an adequacy decision of the European Commission in place the transfer shall be governed by the SCCs, with respect to the provisions set out below (Restricted Third Country Transfer).
   3. By entering into the DPA, the Supplier and Huuuge conclude the SCCs by reference with the options and optional modules selected as follows:
      

      All Sections: Module TWO (Transfer controller to processor) Section II, Clause 9(a): OPTION 2, period for informing Huuuge of changes to the list of Subprocessors: at least 7 days Section IV, Clause 17: OPTION 1, governing law: the law governing the Agreement, provided that it is law of one of the EU Member States and allows for third-party beneficiary rights, if not, the law of Poland  Section IV, Clause 18(b): court jurisdiction: as specified in the Agreement, provided that it is the jurisdiction of one of the EU Member States, if not, the court jurisdiction relevant for the seat of Huuuge Games sp. z o. o.

      where Huuuge should be deemed a data exporter and the Supplier a data importer.

   4. In the event of a Restricted Third Country Transfer between Huuuge and the Supplier, Appendix 1 and Appendix 2 to the Addendum will also form part of the SCCs respectively as its Annexes I and II.
   5. In the event of a Restricted Third Country Transfer between the Supplier and Subprocessors, the Supplier warrants that conditions for such transfer are met, in particular, that SCCs were concluded with the options and optional modules selected as follows:
      

      All Sections: Module THREE (Transfer processor to processor) Section II, Clause 9(a): OPTION 2, period for informing Huuuge of changes to the list of Subprocessors: at least 7 days

   6. At Huuuge’s request the Supplier will provide explanations and current lists of the Third Countries where personal data are processed by the Supplier or Subprocessors, and the appropriate safeguards for such transfer, unless such information is available at the Supplier’s website/platform as provided by the Supplier.
8. Deletion of data and duration of the processing
   1. If this is determined by the character of the Services, Huuuge may instruct at any time that the Supplier cease processing of certain personal data on Huuuge’s behalf and delete them in order to fulfil data subject rights or to comply with its retention policies, and the Supplier undertakes to comply with it.
   2. The DPA is concluded for the duration of the Agreement, and termination or expiration of the Agreement shall result in simultaneous termination or expiration of the DPA, with no additional statements of will required to be made by the parties, unless agreed otherwise.
   3. After the end of the provision of the processing services, the Supplier and Subprocessors will within a maximum of 30 days delete all personal data processed on behalf of Huuuge’s under this DPA, unless instructed by Huuuge or agreed by the parties otherwise (e.g. when data need to be deleted within another period or returned instead). 
   4. Until the data is deleted or returned, the Supplier shall continue to ensure compliance with the DPA.
   5. The Supplier is obliged to prove the fact that it deleted the personal data in compliance with this Section and relevant Data Protection Laws at the request of Huuuge. Huuuge is entitled to terminate the DPA with immediate effect if:
      1. the Supplier processes personal data for a purpose or in a manner other than stated in the DPA;
      2. the Supplier is in failure to meet obligations under Section 4 (Subprocessors) and Section 7 (Third Country transfer), or any obligations regarding deletion of personal data under this Section 8; 
      3. the Supplier after a notice from Huuuge fails to comply with the Data Protection Laws.
   6. The parties agree that termination of the DPA in the circumstances listed in point 8.5 shall result in the simultaneous termination of the Agreement on the grounds of fault on the part of the Supplier without the need for any additional statements, unless otherwise contemplated in the Huuuge’s notice of termination.
9. Miscellaneous
   1. The persons authorized and responsible for supervising and executing the DPA are the same as under the Agreement.
   2. Huuuge states that the processing of the Supplier’s personal data and the personal data of persons appointed by the Supplier (including employees and business associates) takes place in order to conclude or perform an agreement and maintain relations with the Supplier. The full version of the privacy policy is available at https://huuugegames.com/general-privacy-policy/ and the Supplier undertakes to provide this information to its representatives.
   3. To the extent that the Agreement has been entered into by any Supplier’s Affiliate or any Huuuge’s Affiliate, the Supplier and Huuuge respectively hereby represent and warrant that they have been duly and effectively authorised by each such Supplier’s Affiliate or Huuuge’s Affiliate to bind such Supplier’s Affiliate or Huuuge’s Affiliate by entering into the DPA on its behalf, to modify the Agreement on the terms set out in the DPA, and to enforce the provisions of the DPA, including any SCCs entered pursuant to it, and the Agreement on its behalf. In the absence of such authority, the Supplier represents and warrants that it will swiftly arrange for the relevant Supplier Affiliate to become a party to the DPA and will without undue delay notify Huuuge accordingly. The Supplier agrees that Huuuge shall be entitled to enforce the provisions of the DPA, including any SCCs entered pursuant to it, and the Agreement on behalf of any relevant Huuuge Affiliate. 
   4. The Addendum and its Appendixes form an integral part of the Agreement. The appendixes to the Addendum form an integral part of the DPA.
   5. In the event of a Restricted Third Country Transfer, the Addendum governs the relationship between the parties to the extent not specified in the SCCs and provided that it does not contradict, directly or indirectly, the SCCs or prejudice the fundamental rights or freedoms of data subjects. To this extent, in the event of any contradiction between the provisions of the Addendum or the Agreement and the SCCs, the SCCs shall prevail. 
   6. In the event of any inconsistencies between the provisions of the Addendum and other arrangements between the parties, including the Agreement, the provisions of the Addendum shall prevail with regard to the parties’ data protection obligations relating to personal data. The Addendum shall prevail, in particular, where it cannot be clearly established whether a provision relates to a party’s data protection obligations. For the avoidance of any doubts, the Supplier shall be liable for any damage suffered by Huuuge, data subjects or third parties in relation to non-performance or improper performance of the DPA or breach of Data Protection Laws by the Supplier, in particular if made in violation of Data Protection Laws concerning engaging Subprocessors or transferring personal data to Third Countries.

List of appendixes to the Addendum:

1. Appendix 1 – Details of processing
2. Appendix 2 – Technical and organisational measures including technical and organisational measures to ensure the security of the data
3. Appendix 3 – List of Subprocessors

Appendix 1 to the Data Processing Addendum

and

Annex I to the Standard Contractual Clauses

1. LIST OF PARTIES
   Data exporter(s): The data exporters are entities identified as Huuuge in the Data Processing Addendum, acting as controllers or joint controllers. Data exporter(s) use the Services provided pursuant to the Agreement.Data importer(s): The data importers are entities identified as the Supplier in the Data Processing Addendum, acting as processors. They are providers of the Services pursuant to the Agreement.
2. DESCRIPTION OF PROCESSING
   Categories of data subjects whose personal data is processedHuuuge services (games) users/ players or prospectus usersCategories of personal data processed
   • Device identifiers (e.g. device ID, Advertiser ID)
   • Information about the device (e.g. operating system and version it uses)
   • Information about the internet connection (e.g. IP address)
   • Information about the app (e.g. how frequently and for how long player use the app)
   • Location-related information (e.g. location of IP address)
   • Others data from cookies or similar trackers 
   • Other data indispensable to provide the Services

   Sensitive data processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

   • n/a

   The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

   • Continuous basis.

   Nature and purpose of the processing

   • The purpose and nature of processing follows directly from and is limited to tasks or Services as specified in the Agreement, and include the operations that are necessary to perform the Services under the Agreement.

   The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

   • Processing is limited to the duration of the Services provided under the Agreement.

   For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

   • Processing by Subprocessors is limited to the extent strictly necessary as required by the scope of provided services. The subject matter, nature and duration of the processing are consistent with and do not exceed the subject matter, nature and duration of the processing carried out by the processors.
3. COMPETENT SUPERVISORY AUTHORITY
   Identify the competent supervisory authority/ies in accordance with Clause 13
   • The supervisory authority identified in accordance with Clause 13 and Huuuge’s country of establishment as specified in the Agreement, provided that it is one of the EU Member States, if not, a Member State in which it has the representative or in which the data subjects whose personal data is transferred in relation to the offering of goods or services to them, or whose behaviour is monitored, are located. 

Appendix 2 to the Data Processing Addendum

and

Annex II to the Standard Contractual Clauses

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

1. The data importer undertakes an analysis of the risks presented by its processing, and uses this to assess the appropriate level of security it needs to put in place.
2. When deciding what measures to implement, the data importer takes account of the state of the art and costs of implementation.
3. The data importer has an information security policy (or equivalent) and takes steps to make sure the policy is implemented.
4. Where necessary, the data importer has additional policies and ensures that controls are in place to enforce them.
5. The data importer makes sure that it regularly reviews its information security policies and measures and, where necessary, improves them.
6. The data importer has put in place basic technical controls such as those specified by established frameworks like Cyber Essentials (secure its Internet connection, secure its devices and software, control access to its data and services, protect from viruses and other malware, keep its devices and software up to date).
7. The data importer puts other technical measures in place depending on its circumstances and the type of personal data it process.
8. The data importer uses encryption and/or pseudonymisation where it is appropriate to do so.
9. The data importer understands and applies the requirements of confidentiality, integrity and availability for the personal data it process.
10. The data importer makes sure that it can restore access to personal data in the event of any incidents, such as by establishing an appropriate backup process.
11. The data importer conducts regular testing and reviews of its measures to ensure they remain effective, and acts on the results of those tests where they highlight areas for improvement.
12. Where appropriate, the data importer implements measures that adhere to an approved code of conduct or certification mechanism.
13. The data importer ensures that any data sub-processor it uses also implements appropriate technical and organisational measures.
14. The data importer undertakes to provide information on the access to personal data by public authorities (e.g. by enumerating the laws and regulations applicable to the importer or statistics on access by public authorities to personal data), indicate measures to prevent such access and provide information on all requests of access which the importer has received.
15. The importer certifies that it has not created back doors or similar programming that could be used to access the data and that is has not facilitated access to the personal data to any government or public authority.
16. The data exporter is authorised to conduct audits on data disclosure by the data importer to public authorities. The data importer undertakes to secure that access logs and other similar trails will be tamper proof so that they can be audited by the data exporter.
17. The data importer undertakes to inform promptly (before access is granted to the data) the data exporter of its inability to comply with the contractual commitments (e.g. due to changes in the third country’s legislation or practice).
18. The data importer undertakes to review the legality of any order to disclose data, and to challenge the order if there are grounds under the law of the country of destination to do so. The importer undertakes also to providing the minimum amount of information permissible when responding to the order. The importer further undertakes that the challenges to the orders will have a suspensive effect under the law of the third country.
19. The data importer undertakes to notify the data subjects of a request or order received from public authorities to access the personal data.
20. The data importer certifies that it has adopted adequate internal policies with clear allocation of responsibilities for data transfers, reporting channels and standard operating procedures for cases of covert or official requests from public authorities to access the data. Moreover, the data importer developed specific training procedures for personnel in charge of managing requests for access to personal data from public authorities.
21. The data importer certifies that it is documenting and recording the request for access received from public authorities and the response provided and that it will make them available to the data exporter and the data subject.
22. The data importer regularly publishes transparency reports or summaries regarding governmental requests for access to data.
23. The data importer uses already existing organisational requirements under the accountability principle, such as the adoption of strict and granular data access and confidentiality policies and best practices, based on a strict need-to-know principle, monitored with regular audits and enforced through disciplinary measures. Data minimisation measures should be accompanied with technical measures as to ensure that data are not subject to unauthorised access.
24. The data exporter developed best practices to appropriately and timely involve and provide access to information to the data protection officer, if existent, and to the legal and internal auditing team on matters related to international transfers of personal data transfers.
25. The data importer adopted strict data security and data privacy policies, based on EU certification or codes of conducts or on international standards (e.g. ISO norms) and best practices (e.g. ENISA).
26. The data exporter undertakes to regularly review internal policies to assess the suitability of the implemented complementary measures and identify and implement additional or alternative solutions when necessary.

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter

In the event of a Restricted Third Country Transfer to Subprocessors, at least all measures referred in this Appendix 2 shall be implemented.

Appendix 3 to the Data Processing Addendum

LIST OF SUBPROCESSORS