DATA PROCESSING AGREEMENT
[Last Updated August XX, 2024]
This Data Processing Agreement (“DPA”) supplements the Master Service Agreement, Terms of Service, or
any other agreement (“Agreement”) executed by and between Wand Synthesis AI, Inc. (“Wand”), and you, a
customer, user or individual (“Customer”) using the Wand.ai Platform and data processing platform services
(“Services”). All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
WHEREAS, the Services may require Wand to Process Personal Data (as such terms are defined below) on
the Customer’s behalf subject to the terms and conditions of this DPA; and
WHEREAS, the parties desire to supplement this DPA to achieve compliance with the UK, EU, Swiss, United
States and other data protection laws and agree on the following:
1. APPLICATION OF THE DPA
1.1. This DPA reflects the parties’ agreement on the processing of Personal Data in connection with the
Services and the Agreement and in accordance with Data Protection Laws to the extent applicable.
1.2. In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA
shall prevail. For the avoidance of doubt, in the event Standard Contractual Clauses have been
executed between the parties, the terms of the Standard Contractual Clauses shall prevail over those
of this DPA.
2. DEFINITIONS
2.1. “Adequate Country” is a country that received an adequacy decision from the European Commission.
2.2. “CCPA” means the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 – 1798.199) of 2018,
including as modified by the California Privacy Rights Act (“CPRA”) as well as all regulations
promulgated thereunder from time to time.
2.3. “Customer Data” means any and all Personal Data provided by the Customer to Wand during its use
of the Service, as detailed in Annex I attached herein.
2.4. The terms “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing” (and
“Process”), “Processor”, , “Special Categories of Personal Data” and “Supervisory Authority”, shall all
have the same meanings as ascribed to them in the EU Data Protection Law, the CPA, the VCDPA and
the CTDPA. The terms “Business”, “Business Purpose”, “Consumer”, “Contractor”, “Cross-contextual
Advertising”, “Service Provider”, “Sale”, “Sell” and “Share”, “Targeted Advertising”, “Third Party
Business”, shall have the same meaning as ascribed to them in the US Data Protection Laws. “Data
Subject” shall also mean and refer to (under this DPA) a “Consumer”, as such term defined in the US
Data Protection Laws, and “Personal Data” shall include “Personal Information” under this DPA.
2.5. “Data Protection Law” means any and all applicable privacy and data protection laws and regulations
(including, where applicable, EU Data Protection Law, UK Data Protection Laws, Swiss Data Protection
Laws, Israeli Law and the US Data Protection Laws) as may be amended or superseded from time to
time.
2.6. “EEA” means the European Economic Area.
2.7. “EU Data Protection Law” means the (i) EU General Data Protection Regulation (Regulation 2016/679)
(“GDPR”); (ii) Regulation 2018/1725; (iii) the EU e-Privacy Directive (Directive 2002/58/EC), as
amended (e-Privacy Law); (iv) any national data protection laws made under, pursuant to, replacing or
succeeding (i) and (ii); (v) any legislation replacing or updating any of the foregoing; and (vi) any
judicial or administrative interpretation of any of the above, including any binding guidance,
guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued
by any relevant Supervisory Authority.
2.8. “Israeli Law” means Israeli Privacy Protection Law, 5741-1981, the regulations promulgated pursuant
thereto, including the Israeli Privacy Protection Regulations (Data Security), 5777-2017 and other
related privacy regulations.
2.9. “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized
disclosure of, or access to Customer Data. Any Personal Data Breach will comprise a Security Incident.
2.10. “Standard Contractual Clauses” or “SCC” mean the standard contractual clauses for the transfer of
Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament
and of the Council adopted by the European Commission Decision 2021/914 of 4 June 2021, which
may be found here: Standard Contractual Clauses.
2.11. “Swiss Data Protection Laws” or “FADP” shall mean (i) Swiss Federal Data Protection Act (dated
June 19, 1992, as of March 1, 2019) (“FDPA”); (ii) The Ordinance on the Federal Act on Data
Protection ("FODP"); and (iii) any national data protection laws made under, pursuant to, replacing or
succeeding and any legislation replacing or updating any of the foregoing.
2.12. “Swiss SCC” shall mean the applicable standard data protection clauses issued, approved or
recognized by the Swiss Federal Data Protection and Information Commissioner.
2.13. "US Data Protection Laws" means any U.S. federal and state privacy laws effective as of the Effective
Date of this DPA that apply to Wand’s Processing of Customer Data, and any implementing regulations
and amendments thereto, including without limitation, the CCPA.
2.14. “UK Data Protection Laws” shall mean the Data Protection Act 2018 (DPA 2018), as amended, and
EU General Data Protection Regulation (EU) 2016/679 on the protection of natural persons with
regard to the processing of personal data and on the free movement of such data, as incorporated
into UK law as the UK GDPR, as amended, and any other applicable UK data protection laws, or
regulatory Codes of Conduct or other guidance that may be issued from time to time.
2.15. “UK GDPR” shall mean the GDPR as it forms part of domestic law in the United Kingdom by virtue of
section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by
the laws of the United Kingdom or a part of the United Kingdom from time to time).
2.16. “UK Standard Contractual Clauses” or “UK SCC” means the UK “International Data Transfer
Addendum to The European Commission Standard Contractual Clauses” available at
https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf
as adopted, amended or updated by the UK Information Commissioner Office (“ICO”),
Parliament or Secretary of State.
Any other terms that are not defined herein shall have the meaning provided under the Agreement or
applicable Data Protection Laws. A reference to any term or section of the Data Protection Laws means
the version as amended. Any references to the GDPR in this DPA shall mean the GDPR or UK GDPR
depending on the applicable Law.
3. ROLES AND DETAILS OF PROCESSING
3.1. The parties agree and acknowledge that under the performance of their obligations set forth in the
Agreement, and with respect to the Processing of Customer Data, and according to the applicable
Data Protection Laws, Wand is acting as a Data Processor, or Service Provider and Customer is acting
as a Data Controller or Business.
3.2. Each party shall be individually and separately responsible for complying with the obligations that
apply to such party under applicable Data Protection Law.
3.3. The subject matter and duration of the Processing carried out by the Processor on behalf of the
Controller, the nature and purpose of the Processing, the type of Personal Data and categories of Data
Subjects are described in Annex I attached hereto.
3.4. Additional US Data Protection Laws specifications are further detailed in Annex VII.
4. REPRESENTATIONS AND WARRANTIES
4.1. The Customer represents and warrants that: (i) its Processing instructions shall comply with applicable
Data Protection Law, and the Customer acknowledges that, taking into account the nature of the
Processing, Wand is not in a position to determine whether the Customer’s instructions infringe
applicable Data Protection Law; and (ii) due to the nature of the Services, Wand does not monitor or
control the Customer Data uploaded or hosted by the Wand Platform and thus, the type of Personal
Data or Categories of the Data Subjects processed by it is subject to the Customer’s sole discretion.
4.2. Wand represents and warrants that it shall Process Customer Data, on behalf of the Customer, solely
for the purpose of providing the Service, all in accordance with Customer’s written instructions under
the Agreement and this DPA. Notwithstanding the above, in the event Wand is required under
applicable laws, including Data Protection Law or any union or member state regulation, to Process
Customer Data other than as instructed by Customer, Wand shall make its best efforts to inform the
Customer of such requirement prior to Processing such Customer Data, unless prohibited under
applicable law.
4.3. Wand shall provide reasonable cooperation and assistance to the Customer in ensuring compliance
with its obligation to carry out data protection impact assessments with respect to the Processing of
its Customer Data and to consult with the Supervisory Authority (as applicable).
4.4. Where applicable, Wand shall assist the Customer in ensuring that Customer Data Processed is
accurate and up to date, by informing the Customer without delay if it becomes aware of the fact that
the Customer Data it is processing is inaccurate or has become outdated.
4.5. Wand shall ensure: (i) the reliability of its staff and any other person acting under its supervision who
may come into contact with, or otherwise have access to and Process Customer Data; and (ii) that
persons authorized to Process the Customer Data have committed themselves to confidentiality or are
under an appropriate statutory obligation of confidentiality.
4.6. Notwithstanding the above, in any event that the Israeli Law applies, the parties hereby undertake
that they comply with the aforesaid regulations as well as comply with the DPA.
4.7. Wand acknowledges and confirms that it does not receive or process any Personal Data as
consideration for any services or other items that Wand provides to Customer under the Agreement.
5. DATA SUBJECTS REQUESTS
5.1. It is agreed that where Wand receives a request from a Data Subject or an applicable authority in
respect of Customer Data, where applicable, Wand will notify the Customer of such request promptly
and direct the Data Subject or the applicable authority to the Customer in order to enable the
Customer to respond directly to the Data Subject’s or the applicable authority’s request, unless
otherwise required under applicable laws.
Parties shall provide each other with commercially reasonable cooperation and assistance in relation
to the handling of a Data Subject’s or applicable authority’s request, to the extent permitted under
Data Protection Law.
6. SUB-PROCESSING
6.1. The Customer acknowledges that Wand may transfer Customer Data to and otherwise interact with
third party data Processors (“Sub-Processor”). The Customer hereby authorizes Wand to engage
and appoint such Sub-Processors as listed in Annex III, to Process Customer Data, as well as permits
each Sub-Processor to appoint a Sub-Processor on its behalf. Wand may continue to use those
Sub-Processors already engaged by Wand, as listed in Annex III, or engage an additional or replace an
existing Sub-Processor to Process Customer Data, subject to the provision of thirty (30) days’ prior
notice of its intention to do so to the Customer. In case the Customer has not objected to the
adding or replacing of a Sub-Processor within such notice period, such Sub-Processor shall be
deemed approved by the Customer. In the event the Customer objects to the adding or replacing of
a Sub-Processor, within such notice period, Wand may, under Wand's sole discretion, suggest the
engagement of a different Sub-Processor for the same course of services, or otherwise terminate
the Agreement.
6.2. Wand shall, where it engages any Sub-Processor, impose, through a legally binding contract
between Wand and the Sub-Processor, data protection obligations that are no less onerous than,
and provide at least the same level of protection as, those set out in this DPA. Wand shall ensure
that such contract will require the Sub-Processor to provide sufficient guarantees to implement
appropriate technical and organizational measures in such a manner that the Processing will meet
the requirements of Data Protection Laws.
6.3. Wand shall remain responsible to the Customer for the performance of the Sub-Processor’s
obligations in accordance with this DPA. Wand shall notify the Customer of any failure by the
Sub-Processor to fulfill its contractual obligations.
7. TECHNICAL AND ORGANIZATIONAL MEASURES
7.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context,
and purposes of Processing as well as the risk of varying likelihood and severity for the rights and
freedoms of natural persons, and without prejudice to any other security standards agreed upon by
the parties, Wand hereby confirms that it has implemented and will maintain appropriate physical,
technical and organizational measures to protect the Customer Data as required under Data
Protection Laws to ensure lawful Processing of Customer Data and safeguard Customer Data from
unauthorized, unlawful or accidental processing, access, disclosure, loss, alteration or destruction.
7.2. The parties acknowledge that security requirements are constantly changing and that effective
security requires the frequent evaluation and regular improvement of outdated security measures.
7.3. The security measures implemented and maintained by Wand are further detailed in Annex II.
8. SECURITY INCIDENT
8.1. Wand will notify the Customer without undue delay (and in any event within 24 hours) upon
becoming aware of any Security Incident involving the Customer Data. Wand's notification
regarding or response to a Security Incident under this Section 8 shall not be construed as an
acknowledgment by Wand of any fault or liability with respect to the Security Incident.
8.2. Wand will: (i) take necessary steps to remediate, minimize any effects of and investigate any
Security Incident and to identify its cause; (ii) co-operate with the Customer and provide the
Customer with such assistance and information as it may reasonably require in connection with the
containment, investigation, remediation or mitigation of the Security Incident; (iii) notify the
Customer in writing of any request, inspection, audit or investigation by a Supervisory Authority or
other authority; (iv) keep the Customer informed of all material developments in connection with
the Security Incident and execute a response plan to address the Security Incident; and (v)
co-operate with the Customer and assist Customer with its obligation to notify the affected individuals
in the case of a Security Incident.
9. AUDIT RIGHTS
9.1. Wand shall maintain accurate written records of any and all the Processing activities of any
Customer Data carried out under this DPA and shall make such records available to the Customer
and applicable Supervisory Authorities upon written request. Such records provided shall be
considered Wand’s Confidential Information and shall be subject to confidentiality obligations.
9.2. In the event the records and documentation provided subject to Section 9.1 above are not sufficient,
Wand shall make available, solely upon prior reasonable written notice and no more than once per
year, to a reputable auditor nominated by the Customer, information necessary to reasonably
demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such
reputable auditor solely in relation to the Processing of the Customer Data (“Audit”) in accordance
with the terms and conditions hereunder. The auditor shall be subject to the terms of this DPA and
standard confidentiality obligations (including towards third parties). Wand may object to an
auditor appointed by the Customer in the event Wand reasonably believes the auditor is not
suitably qualified or independent, is a competitor of Wand or otherwise unsuitable (“Objection
Notice”). The Customer will appoint a different auditor or conduct the Audit itself upon its receipt
of an Objection Notice from Wand. Customer shall bear all expenses related to the Audit and shall
(and ensure that each of its auditors shall) over the course of such Audit, avoid causing any damage,
injury or disruption to Wand’s premises, equipment, personnel and business while its personnel are
on those premises in the course of such Audit. Any and all conclusions of such Audit shall be
confidential and reported back to Wand immediately.
10. CROSS BORDER PERSONAL DATA TRANSFERS
10.1. Where the GDPR, UK GDPR or the Swiss FADP is applicable, and the Processing of Customer
Data by Wand (or by a Sub-Processor) includes transfer of Customer Data (either directly or through
an onward transfer) to a third country outside the EEA, the UK and Switzerland that is not an
Adequate Country, such transfer shall only occur if an appropriate safeguard approved by the
applicable Data Protection Law (the GDPR (Article 46), UK GDPR (Article 46) or Swiss FADP (as
applicable)) for the lawful transfer of Customer Data is in place.
10.2. When Customer and Wand, or Wand and its Sub-Processor, rely on the Standard
Contractual Clauses to facilitate a transfer to a third country that is not an Adequate Country, then:
10.2.1. transfer of Customer Data from the EEA, the terms set forth in Annex IV shall apply;
10.2.2. transfer of Customer Data from the UK, the terms set forth in Annex V shall apply; and
10.2.3. transfer of Customer Data from Switzerland, the terms set forth in Annex VI shall apply.
11. TERM & TERMINATION
1.1. This DPA shall be effective as of the Effective Date (as defined in the Agreement) and shall remain in
force until the Agreement terminates.
11.1. Wand shall be entitled to terminate this DPA or terminate the Processing of Customer Data
in the event that Processing of Customer Data under the Customer’s instructions or this DPA
infringes applicable legal requirements.
11.2. Following the termination of this DPA, Wand shall, at the choice of the Customer, delete all
Customer Data Processed on behalf of the Customer and certify to the Customer that it has done
so, or, return all Customer Data to the Customer and delete existing copies, unless applicable law or
regulatory requirements require that Wand continue to store Customer Data. Until the Customer
Data is deleted or returned, the parties shall continue to ensure compliance with this DPA.
Customer’s choice shall be provided in writing to Wand, following effect of termination.
ANNEX I
DETAILS OF PROCESSING
This Annex includes certain details of the Processing of Personal Data as required by Article 28(3) GDPR.
Categories of Data Subjects:
Data subjects such as individuals whose Personal Data the Customer provided to Wand during the use of the
Services (by or at the direction of Customer). Data subjects include, depending on the Customer, individual
contacts, prospects, customers, business partners and vendors of Customer (who are natural persons); or
employees or contact persons of Customer or Customer’s prospects, customers, business partners and
vendors, including without limitation Customer’s Authorized Users, or any other individuals whose personal
data is included in Customer Data.
Categories of Personal Data:
Contact details (e.g., name, email address, telephone number); account data (e.g., user name, email address,
password); as well as any content, communications, messages, data, IP addresses, cookies data, location
data; and any other Personal Data processed in the course of the Services as Customer Data.
Special Categories of Personal Data:
The personal data that is processed through the Services is determined and controlled by Customers in their
sole discretion and may include the following sensitive data: personal data revealing racial or ethnic origin,
political opinions, religious or philosophical beliefs, trade-union membership, data concerning health or sex
life, or data relating to offences, criminal convictions or security measures. Wand does not require this data
to operate the Services.
Nature of the processing:
Collection, storage, organization, analysis, modification, retrieval, disclosure, communication and other uses
in performance of the Services as set out in the Agreement.
Purpose(s) of Processing:
Processing activities in performance of the Services as set out in the Agreement, including providing access
to the Wand Platform and Services.
Retention Period:
Personal data will be retained for the term of the Agreement, unless agreed otherwise in the Agreement
and/or the DPA.
Process Frequency:
Continuous basis
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES
1. Wand shall implement and maintain current and appropriate technical and organizational measures to
protect Customer Data against accidental, unauthorized or unlawful Processing and against accidental
loss, destruction, damage, alteration, disclosure or access;
2. Provide third-party attestation of static or dynamic application security testing or penetration testing on
all software or systems Processing Customer Data, remediate any identified high vulnerabilities, provide
written remediation plans for medium and low vulnerabilities, and provide evidence of its remediation of
any identified security vulnerabilities at Customer’s request;
3. Maintain a level of security appropriate to the harm that may result from any unauthorized or unlawful
Processing or accidental loss, destruction, damage, denial of service, alteration or disclosure, and
appropriate to the nature of Customer Data;
4. Oblige its employees, agents or other persons to whom it provides access to Customer Data to keep it
confidential; take reasonable steps to ensure the integrity of any employees who have access to
Customer Data; provide annual training to staff and subcontractors on the security requirements
contained herein;
5. Maintain measures designed to ensure the ongoing confidentiality, integrity, availability and resilience of
Wand’s systems and services;
6. Maintain a process for regularly testing, assessing and evaluating the effectiveness of technical and
organizational measures for ensuring the security of the Processing of Customer Data, regularly testing
such measures to validate their appropriateness and effectiveness, and implementing corrective action
where deficiencies are revealed by such testing;
7. Log all individuals’ access to and activities on systems and at facilities containing Customer Data;
8. Adhere to password policies for standard and privileged accounts consistent with industry best practices;
protect both Wand’s and Customer’s user accounts by using multi-factor authentication;
9. Store and transmit Customer Data using strong cryptography, consistent with industry best practices, and
pseudonymize Personal Data where appropriate;
10. If applicable, any connection to Customer’s networks shall be via Virtual Private Network (VPN), without
split tunneling, and utilizing strong cryptography consistent with industry best practices;
11. Ensure that only those personnel who need to have access to Customer Data are granted access, such
access is limited to the least amount required, and only granted for the purposes of performing the
Services and the obligations under this DPA. Wand shall conduct access reviews upon each individual’s
scope of responsibility change, staffing change or other change impacting the access to Customer Data;
12. Maintain a physical security program that is consistent with industry best practices;
13. Ensure that any storage media (whether magnetic, optical, non-volatile solid state, paper, or otherwise
capable of retaining information) that captures Customer Data, if applicable, is securely erased or
destroyed before repurposing or disposal;
Additional Safeguards:
Measures and assurances regarding U.S. government surveillance have been implemented by Wand, and
Wand agrees and hereby represents it maintains the following additional safeguards:
a) Wand maintains industry standard measures to protect the Customer Data from interception
(including in transit from Customer to Wand and between different systems and services). This
includes maintaining encryption in transit and at rest. In addition, the fragment key enabling the
decryption of Customer Data is held independently by Customer, locally within Customer’s
environment, and is the only feasible way to decrypt Customer Data.
b) As of the Agreement signature date stated above, Wand has not received any national security
orders.
c) Wand will make reasonable efforts to resist, subject to applicable laws, any request for bulk
surveillance relating to the Personal Data protected under the GDPR or the UK GDPR, including (if
applicable) under section 702 of the United States Foreign Intelligence Surveillance Court (“FISA”).
d) If Wand becomes aware of any law enforcement agency or other governmental authority
(“Authority”) attempt or demand to gain access to or receive a copy of the Customer Data (or part
thereof), whether on a voluntary or a mandatory basis, then, unless legally prohibited or under a
mandatory legal compulsion that requires otherwise, Wand shall: (i) inform the relevant Authority
that Wand is a Processor of the Customer Data and that Customer, as the Controller, has not
authorized Wand to disclose the Customer Data to the Authority; (ii) inform the relevant Authority
that any and all requests or demands for access to Customer Data should be directed to or served
upon Customer in writing; and (iii) use reasonable legal mechanisms to challenge any such demand
for access to Customer Data.
e) Notwithstanding the above, if, taking into account the nature, scope, context and purposes of the
related Authority’s intended access to Customer Data, Wand has a reasonable and good-faith belief
that urgent access is necessary to prevent an imminent risk of serious harm to any individual or
entity, these subsections shall not apply. In such event, Wand shall notify Customer, as soon as
possible, following the access by the Authority, and provide Customer with relevant details, unless
and to the extent legally prohibited to do so.
f) Wand will inform Customer, upon written request (and not more than once a year), of the types of
binding legal demands for Customer Data Wand has received and complied with, including
demands under national security orders and directives, specifically including any process under
Section 702 of FISA.
ANNEX III
LIST OF SUB-PROCESSORS
Name | Location | Description of the processing | DPA/SCC Executed
Google | EU, US | Hosting, storing | https://cloud.google.com/terms/data-processing-addendum
Snowflake | EU, US | Hosting, storing | https://www.snowflake.com/legal/data-processing-addendum/
Pendo | EU, US | Usage data, analytics. | https://www.pendo.io/legal/data-processing-addendum/
ANNEX IV
EU INTERNATIONAL TRANSFERS AND SCC
2. The parties agree that the terms of the Standard Contractual Clauses are hereby incorporated by reference
and shall apply to transfer of Customer Data from the EEA to other countries that are not deemed as
Adequate Countries.
3. Module Two (Controller to Processor) of the Standard Contractual Clauses shall apply where the transfer is
effectuated by Customer as the Controller of the Customer Data and Wand is the Processor of the Customer
Data.
4. The parties agree that for the purpose of transfer of Customer Data between Customer (as Data Exporter)
and Wand (as Data Importer), the following shall apply:
a) Clause 7 of the Standard Contractual Clauses shall not be applicable.
b) In Clause 9, option 2 (general written authorization) shall apply and the method for appointing and
time period for prior notice of Sub-Processor changes shall be as set forth in the Sub-Processor Section
of the DPA.
c) In Clause 11, the optional language will not apply, and Data Subjects shall not be able to lodge a
complaint with an independent dispute resolution body.
d) In Clause 17, option 1 shall apply. The parties agree that the Standard Contractual Clauses shall be
governed by the laws of the EU Member State in which the Customer is established (where
applicable).
e) In Clause 18(b) the parties choose the courts of the Republic of Ireland, as their choice of forum and
jurisdiction.
5. Annex I.A of the Standard Contractual Clauses shall be completed as follows:
5.a.1. "Data Exporter": Customer
5.a.2. "Data Importer": Wand
5.a.3. Roles: (A) With respect to Module Two: (i) Data Exporter is a Controller and (ii) the Data Importer is a
Processor.
5.a.4. Data Exporter and Data Importer Contact details: As detailed in the Agreement.
5.a.5. Signature and Date: By entering into the Agreement and DPA, Data Exporter and Data Importer are
deemed to have signed these Standard Contractual Clauses incorporated herein, including their
Annexes, as of the Effective Date of the Agreement.
6. Annex I.B of the Standard Contractual Clauses shall be completed as follows:
a) The purpose of the Processing, nature of the Processing, categories of Data Subjects, categories of
Personal Data and the parties’ intention with respect to the transfer of special categories are as
described in Annex I (Details of Processing) of this DPA.
b) The frequency of the transfer and the retention period of the Personal Data is as described in
Annex I (Details of Processing) of this DPA.
c) The Sub-Processors which Personal Data is transferred to are listed in Annex III.
7. Annex I.C of the Standard Contractual Clauses shall be completed as follows: the competent supervisory
authority in accordance with Clause 13 is the supervisory authority in the Member State stipulated in Section
3 above.
8. Annex II of this DPA (Technical and Organizational Measures) serves as Annex II of the Standard Contractual
Clauses.
9. Annex III of this DPA (List of Sub-Processors) serves as Annex III of the Standard Contractual Clauses.
10. Transfers to the US: Measures and assurances regarding US government surveillance (“Additional
Safeguards”) are further detailed in Annex II.
ANNEX V
UK INTERNATIONAL TRANSFERS AND SCC
1. The parties agree that the terms of the Standard Contractual Clauses as amended by the UK Standard
Contractual Clauses, and as amended in this Annex V, are hereby incorporated by reference and shall
apply to transfer of Customer Data from the UK to other countries that are not deemed as Adequate
Countries.
2. This Annex V is intended to provide appropriate safeguards for the purposes of transfers of Customer
Data to a third country in reliance on Article 46 of the UK GDPR and with respect to data transfers from
Controller to Processor or from a Processor to its Sub-Processors.
3. Terms used in this Annex V that are defined in the Standard Contractual Clauses, shall have the same
meaning as in the Standard Contractual Clauses.
4. This Annex V shall (i) be read and interpreted in the light of the provisions of UK Data Protection Laws,
and so that it fulfils the intention for it to provide the appropriate safeguards as required by Article 46 of
the UK GDPR, and (ii) not be interpreted in a way that conflicts with rights and obligations provided for in
UK Data Protection Laws.
5. Amendments to the UK Standard Contractual Clauses:
5.1. Part 1: Tables
5.1.1. Table 1 Parties: shall be completed as set forth in Section 4 within Annex IV above.
5.1.2. Table 2 Selected SCCs, Modules and Selected Clauses: shall be completed as set forth in
Section 2 and 3 within Annex IV above.
5.1.3. Table 3 Appendix Information:
Annex 1A: List of Parties: shall be completed as set forth in Section 2 within Annex IV above.
Annex 1B: Description of Transfer: shall be completed as set forth in Annex I above.
Annex II: Technical and organizational measures including technical and organizational
measures to ensure the security of the data: shall be completed as set forth in Annex II above.
Annex III: List of Sub Processors: shall be completed as set forth in Annex III above.
5.1.4. Table 4 Ending this Addendum when the Approved Addendum Changes: shall be completed as
“neither party”.
ANNEX VI
SUPPLEMENTARY TERMS FOR SWISS DATA PROTECTION LAW TRANSFERS ONLY
The following terms supplement the Clauses only if and to the extent the Clauses apply with respect to data
transfers subject to Swiss Data Protection Law, and specifically the FDPA:
The term ‘Member State’ will be interpreted in such a way as to allow Data Subjects in Switzerland to
exercise their rights under the Clauses in their place of habitual residence (Switzerland) in accordance
with Clause 18(c) of the Clauses.
The clauses in the DPA protect the Customer Data of legal entities until the entry into force of the
upcoming revised FDPA.
All references in this DPA to the GDPR should be understood as references to the FDPA insofar as the
data transfers are subject to the FDPA.
References to the “competent supervisory authority”, “competent courts” and “governing law” shall be
interpreted as Swiss Data Protection Laws and Swiss Information Commissioner, the competent courts in
Switzerland, and the laws of Switzerland (for Restricted Transfers from Switzerland).
In respect of data transfers governed by Swiss Data Protection Laws, the EU SCCs will also apply to the
transfer of information relating to an identified or identifiable legal entity where such information is
protected similarly as Personal Data under Swiss Data Protection Laws until such laws are amended to
no longer apply to a legal entity.
The competent supervisory authority is the Swiss Federal Data Protection Information Commissioner.
ANNEX VII
US DATA PROTECTION LAWS ADDENDUM
This US Privacy Law Addendum (“US Addendum”) adds specifications applicable to US Data Protection Laws.
All terms used but not defined in this US Data Protection Laws Addendum shall have the meaning set forth in
the DPA.
1. CCPA Specifications:
1.1. For the purpose of the CCPA, Customer is the Business and Wand is the Service Provider.
1.2. Wand shall Process Customer Data on behalf of the Customer as a Service Provider under the CCPA
and shall not: (i) Sell or Share the Customer Data; (ii) retain, use or disclose the Customer Data for
any purpose other than for a Business Purpose specified in the Agreement; or (iii) combine the
Customer Data with other Personal Data that it receives from, or on behalf of, another customer,
or collects from its own interaction with California residents, except as otherwise permitted by the
CCPA.
1.3. If, and to the extent applicable, Wand shall assist Customer in respect of a Consumer request to
limit the use of its Sensitive Personal Information (“SPI”) or Sensitive Data (as applicable) by Wand.
1.4. Wand certifies that it understands the rules, requirements and definitions of the CCPA and agrees
to refrain from Selling any Customer Data.
2. US Applicable States Specifications:
2.1. For the purpose of this US Addendum “Applicable States” shall mean Virginia, Connecticut,
Colorado, Utah, Texas, Oregon, Montana (effective as of October 1, 2024), and effective as of January 1,
2025 – Nebraska, New Hampshire, New Jersey, Delaware, and Iowa.
2.2. Wand agrees to notify the Customer if Wand makes a determination that it can no longer meet its
obligations under this US Addendum or US Data Protection Law.
2.3. Wand shall provide information necessary to enable Customer to conduct and document any data
protection assessments required by US Data Protection Laws. Notwithstanding the above, Wand is
responsible for only the measures allocated to it.
2.4. Wand shall provide assistance and procure that its subcontractors will provide assistance, as
Customer may reasonably request, where and to the extent applicable, in connection with any
obligation by Customer to respond to Consumer’s requests for exercising their rights under the US
Data Protection Laws, including, without limitation, by taking appropriate technical and
organizational measures, insofar as this is possible, for the fulfillment of the Customer's respective
obligation. Wand acknowledges and confirms that it does not receive any monetary goods,
payments or discounts in exchange for Processing the Customer Data.
2.5. Each party shall, taking into account the context of Processing, implement appropriate technical
and organizational measures to ensure a level of security appropriate to the risk. The parties are
hereby establishing a clear allocation of the responsibilities between them to implement these
measures. Wand’s technical measures are detailed in the DPA and Annexes above.
2.6. The Processing instructions, including the nature of Processing, purpose of Processing, the duration
of Processing, the type of Personal Data and categories of Data Subjects, are set forth in Annex I
above.
2.7. In addition to the Audit rights under Section 8 of the DPA, under US Data Protection Laws and
subject to Customer’s consent, Wand may, alternatively, provide the Customer with an applicable
third-party audit attestation to verify Wand’s compliance with its obligations under the US Data
Protection Laws. During such audit, Wand will make available to the third-party auditor all
information necessary to demonstrate such compliance.
2.8. Each party will comply with the requirements set forth under US Data Protection Laws with regards
to processing of de-identified data, as such term is defined under the applicable US Data Protection
Law.
3. When Processing Customer Data or Usage Data (as defined in the Agreement) for the permitted purposes
under US Data Protection Laws, Wand shall ensure it complies with applicable laws and shall be liable for
such Processing activities.