HUBLE DATA PROCESSING ADDENDUM

1. INTRODUCTION AND APPLICATION

1.1. This Data Processing Addendum and its Exhibits (the “DPA”) govern the use and protection of Customer Personal Data by Huble while providing Services to a Customer in terms of a Principal Agreement. 

1.2. The DPA is integral to the Services and forms part of any Principal Agreement concluded between Huble and the Customer.

2. DEFINITIONS AND INTERPRETATION

2.1. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. For purposes of this definition.

2.2. “Control,” means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

2.3. "Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Customer Personal Data. 

2.4. “Customer” means the entity procuring the Services from Huble in terms of the Principal Agreement.

2.5. “Customer Personal Data” means any Personal Data pertaining to the Customer’s Data Subjects, which is Processed by Huble in terms of the Principal Agreement. 

2.6. “Data Protection Law” means all laws and regulations applicable to the Processing of Customer Personal Data under the Principal Agreement, including but not limited to the GDPR, the PDPA, the POPIA, and the laws and regulations defined in the Jurisdiction-Specific Terms in Exhibit 3 to this DPA.

2.7. “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as may be amended from time to time.

2.8. "Huble” means the Huble entity providing the Services to the Customer in terms of the Principal Agreement. 

2.9. “Instruction” means the written, documented instruction, issued by the Customer as Controller or Processor to Huble as the Processor or Sub-processor, directing Huble to perform a specific Processing action with regard to Customer Personal Data.

2.10. "Parties” means Huble and the Customer, and “Party” shall be a reference to either Huble or the Customer, as the context may require. 

2.11. “Principal Agreement” means the written or electronic agreement between Huble and the Customer for the provision of the Services.

2.12. “Processor” means the natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of a Controller.

2.13. “Services” means the services specified in the Principal Agreement, which may include, HubSpot marketing, business, sales and services consulting, sales and services onboarding, web development and technical integration, SEO and paid media services.

2.14. The terms “Data Subject”, “Personal Data Breach”, “Processing” (or any cognate terms), and “Supervisory Authority” shall all have the same meaning as in the GDPR or the corresponding terms as provided for other Data Protection Law.

2.15. Capitalised terms which are not defined herein have the meaning ascribed to them in the Principal Agreement. 

2.16. In case of any conflict or inconsistency with the terms of the Principal Agreement, this DPA will take precedence. 

3. PROCESSING OF CUSTOMER PERSONAL DATA

3.1. In the course of providing Services under the Principal Agreement, Huble may Process certain Customer Personal Data on behalf of the Customer. Huble and the Customer agree to comply with this DPA in connection with the Processing of such Customer Personal Data. 

3.2. The subject matter and duration of the Processing, nature and purpose of the Processing and types of Customer Personal Data are set out in the Principal Agreement and/or in Exhibit 1 to this DPA.

4. CONTROLLERSHIP ROLES

4.1. In the context of this DPA, when Customer acts as a Controller, Huble acts as a Processor, and when Customer acts as a Processor, Huble acts as a sub-Processor. For the avoidance of doubt, both situations fall within the scope of this DPA.

5. CUSTOMER RESPONSIBILITIES AND UNDERTAKINGS

5.1. When acting as Controller within the scope of the Principal Agreement:

5.1.1. the Customer assumes absolute responsibility for the Instructions given to Huble where applicable  and warrants to Huble that it will always comply with its statutory obligations in terms of Data Protection Law, including, without limitation, law regarding the disclosure and transfer of Customer Personal Data to Huble and the Processing of Customer Personal Data; 

5.1.2. the Customer will ensure that any Customer Personal Data provided to Huble by, or on behalf of the Customer has been collected lawfully, fairly and in a transparent manner to enable such Customer Personal Data to be processed by Huble for all of the Purposes;

5.1.3. the Customer unconditionally acknowledges and accepts the legal duties imposed on it as a Controller in terms of Data Protection Law and indemnifies Huble for any loss or harm (whether direct or consequential) which may arise as a result of its failure to comply with its obligations as Controller; and

5.1.4. the Customer will ensure that the persons giving instructions to Huble and making decisions in relation with this DPA are authorized by the Customer and that such instructions are binding upon the Customer. Huble shall be entitled to rely on such instructions and decisions.

5.2. If the Customer is a Processor with respect to the Customer Personal Data, the Customer warrants that its Instructions and actions with respect to Processing of the Customer Personal Data, including its appointment of Huble as a sub-Processor have been authorized by the relevant Controller.

5.3. Customer’s Instructions for the Processing of Customer Personal Data shall comply with Data Protection Law and the Customer indemnifies Huble to the greatest extent permissible in law for any direct loss occasioned by Huble acting as Processor on behalf of and/or on the Instructions of the Controller with respect to the Processing of Customer Personal Data pursuant to the Principal Agreement. 

5.4. As between the Parties, the Customer will have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which the Customer acquired such Customer Personal Data.   

5.5. The Customer shall at its sole expense, indemnify and hold Huble harmless against all liability, including legal costs, claims, civil actions, damages, indirect or consequential damages, or expenses incurred by Huble or for which Huble may become liable due to any failure by the Customer or its employees or agents whether authorised or not, to comply with the obligations under the Principal Agreement or Data Protection Law.

5.6. The Customer warrants that the Principal Agreement and this DPA sets out the Customer’s complete and final Instruction to Huble in relation to the Processing of Customer Personal Data and any additional Instructions outside the scope of the Principal Agreement will require prior written agreement between the Parties. 

5.7. The Customer shall inform Huble without undue delay and comprehensively about any errors or irregularities related to Data Protection Law.

5.8. The Customer shall inform Huble, without delay, if the Processing includes special categories of Customer Personal Data as contemplated by Data Protection Law, including without limitation: financial, medical and health-related information, information regarding children, or any type of Processing of Personal Data that is afforded a higher level of protection under Data Protection Law.  

6. HUBLE'S OBLIGATIONS

6.1. Compliance with Instructions

6.1.1. In relation to the Customer Personal Data, Huble will comply (and will ensure that any of its personnel comply and use commercially reasonable efforts to ensure that its Contracted Sub-Processors comply), with Data Protection Law. 

6.1.2. Huble will collect, Process, and use Customer Personal Data only within the scope of the Customer’s written instructions and in accordance with Data Protection Law. If Huble believes that any Instruction infringes Data Protection Law, it will inform the Customer without undue delay. 

6.1.3. If Huble is unable to Process Customer Personal Data as per Customer’s Instructions due to a legal requirement, Huble will:

6.1.3.1 promptly notify the Customer of that legal requirement before continuing with the Processing; and

6.1.3.2. cease all Processing (other than merely storing and maintaining the security of the affected Customer Personal Data) until such time as the Customer issues new instructions with which we are able to comply. 

6.1.4. If section 6.1.3 of this DPA is invoked, Huble will not be liable to the Customer under the Principal Agreement for any failure to perform until such time as the Customer issues new, lawful Instructions. 

6.1.5. Huble will facilitate the Customer’s compliance obligations to implement security measures with respect to Customer Personal Data (including if applicable, the Customer’s obligations pursuant to Articles 32 to 36 (inclusive) of the GDPR) by: (i) implementing and maintaining the security measures described in terms of our Information Security Policies; (ii) complying with the terms of section 6.3 (Personal Data Breaches) of this DPA; (iii) assisting Customer in meeting its obligations in relation to a data protection impact assessment or prior consultation with a supervisory authority; and (iv) providing the Customer with information in relation to the Processing in accordance with section 7 (Audits) of this DPA.

6.2. Confidentiality

6.2.1. Huble will ensure that any personnel, whether they are employed or contracted as such, who are under Huble’s authority and who are authorised to Process Customer Personal Data are subject to confidentiality obligations with respect to Customer Personal Data.

6.2.2. The undertaking of confidentiality in section 6.2.1 shall continue after the termination of the Processing activities to which the duty of confidentiality relates. 

6.2.3. Such Confidentiality clause does not apply when information is disclosed by the Processor in compliance with a legal requirement of a government agency or otherwise where disclosure is required by force of governing law as specified under the Principal Agreement, provided always that the Processor should, to the extent reasonably possible whilst complying with the governing law as specified under the Principal Agreement, notify the Controller of such requirements prior to any such disclosure and provide the Controller with a reasonable opportunity to contest the requirement to disclose the information or to limit the extent of the disclosure.

6.3. Personal Data Breaches

6.3.1. Huble will notify the Customer as soon as possible after becoming aware of any Personal Data Breach affecting Customer Personal Data.

6.3.2. At the Customer’s request, Huble will promptly provide the Customer with all reasonable assistance to enable the Customer to notify the competent Supervisory Authority/ies and/or affected Data Subjects about any relevant Personal Data Breaches if Customer is required to do so under Data Protection Law.

Data Subject Requests 

6.4.1. Huble will provide reasonable assistance including the implementation of reasonable and appropriate technical and organisational measures, to enable Customer to respond to any Data Subjects seeking to exercise their rights under Data Protection Law (including their right to access, rectification, restriction, deletion, or portability of Customer Personal Data), to the extent permitted by the law. If such a request is made directly to Huble, Huble will promptly inform the Customer and will advise Data Subjects to submit their request to the Customer. The Customer shall be solely responsible for responding to any Data Subjects’ requests. The Customer shall reimburse Huble for any costs arising from this assistance.

6.4.2. Without prejudice to clause 6.2.3, Huble agrees to obtain the written consent from the Customer prior to any request for disclosure of Customer Personal Data by a Data Subject, and where this request is not of a legal nature to which Huble must adhere to.

6.5. Data Security  

6.5.1. Taking into account the state of the art, nature, and level of sensitivity of the Customer Personal Data, Huble shall implement appropriate measures toward achieving the required technical and organisational measures to adequately protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data. These measures are outlined in Exhibit 1.

6.6. Contracted Sub-Processors

6.6.1. The Customer authorises Huble to engage Sub-Processors to fulfil its obligations defined in the Principal Agreement (each an “Infrastructure Sub-Processor” or a “Affiliate Sub-Processor") in accordance with this Section 6.6. For these purposes, Huble may use Huble Affiliates and the third parties listed in Exhibit 2 of this DPA as Contracted Sub-Processors. 

6.6.2. If Huble intends to instruct a Contracted Sub-Processor other than the Contracted Sub-Processors listed in Exhibit 2 of this DPA, Huble will notify the Customer in writing (including by way of email to the Customer email address(es) on record) and will give the Customer the opportunity to object to the proposed engagement of the new Contracted Sub-Processor within 14 (fourteen) days of being notified, failing which Huble will be entitled to appoint the Contracted Sub-Processor. Should Customer object to the engagement of a Contracted Sub-Processor, such objection must be based on reasonable grounds (e.g., if the Customer proves that significant risks to the protection of its Customer Personal Data exist at the Contracted Sub-Processor). If Huble and Customer are unable to resolve such objections, either Party may terminate the Principal Agreement in accordance with its provisions relating to termination.  

6.6.3. Where Huble engages a Contracted Sub-Processor, Huble will enter into a contract with the Contracted Sub-Processor that imposes on the Contracted Sub-Processor the same obligations that apply to Huble and the Customer under this DPA. 

6.6.4. Where a Contracted Sub-Processor is engaged, the Customer is granted the right to monitor and inspect the Contracted Sub-Processor’s activities in accordance with this DPA and Data Protection Law, including to obtain information from Huble, upon written request, on the substance of the contract and the implementation of the data protection obligations under the contract with the Contracted Sub-Processor, where necessary, by inspecting the relevant contract documents, provided that Huble’s engagement with the Contracted Sub-Processor does not prohibit such disclosure. Huble reserves the right to redact sections in such contract documents that are of a commercially sensitive nature.

6.6.5. The provisions of this section shall mutually apply if Huble engages a Contracted Sub-Processor in a country which does not provide an adequate level of protection for Customer Personal Data as provided for in Data Protection Law. In this event, Huble will implement measures to ensure an "adequate level of protection”, including, but not limited to, the execution of standard contractual clauses issued pursuant to Data Protection Law by and between Huble and the Contracted Sub-Processor. 

6.7. Deletion or Retrieval of Customer Personal Data

6.7.1. Other than to the extent required to comply with Data Protection Law, following termination or expiry of the Principal Agreement, Huble will, at the choice of the Customer, delete or return all Customer Personal Data (including copies thereof) processed pursuant to the Principal Agreement. 

6.7.2. The Customer shall, upon termination or expiration of the Principal Agreement and by way of issuing an instruction, stipulate, within a period of time set by Huble, whether Customer Personal Data should be returned or deleted. Any additional cost arising in connection with the return or deletion of Customer Personal Data shall be borne by the Customer. 

7. AUDITS

7.1. The Customer may, subject to the confidentiality terms in the Principal Agreement, prior to the commencement of Processing, at annual intervals hereafter, or where a Personal Data Breach is reasonably suspected to have occurred, audit the technical and organisational measures taken by Huble in terms of the Data Protection Laws. For such purpose, the Customer may:

7.1.1. obtain information from Huble, demonstrating Huble’s compliance with the terms of this DPA;   

7.1.2. request an attestation or certificate by an independent professional expert with respect to Huble’s security measures, or 

7.1.3. upon reasonable and timely advance agreement, during regular business hours and without interrupting business operations, conduct an on-site inspection of the business operations or, subject to appropriate confidentiality undertakings, have the same conducted by a qualified third party which shall not be a competitor of Huble. The Controller will impose sufficient confidentiality obligations on its auditors and will be liable for this aspect. 
  
7.2. Huble shall, upon written request, and within a reasonable period of time provide the Customer with all information necessary for purposes of this section 7 of the DPA, to the extent that such information is within the Huble’s control and Huble is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party.  

7.3. The Customer must, or will request that its external auditors, send a draft version of the audit report to Huble. Huble has the right to submit its comments within a reasonable timeframe. The auditor shall take the comments of Huble into account and include these comments in its final report submitted to the Customer.

7.4. The Customer shall bear the expenses unless any serious non-compliance or breach of data protection obligations is found, in which case the party responsible for the violation shall bear the audit costs. The allocation of costs shall be determined based on the proportionate responsibility for the non-compliance or breach. Both Parties shall cooperate in good faith to minimize audit expenses while ensuring a thorough assessment of data protection practices.

8. LIABILITY

8.1. The Customer shall be liable for, and shall indemnify (and keep indemnified) Huble in respect of any and all action, fines, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and payments on a solicitor and client basis), or demand suffered or incurred by, awarded against, or agreed to be paid by, Huble, including any Contracted Sub-Processor, arising directly or in connection with:

8.1.1. any non-compliance by the Customer with Data Protection Law;

8.1.2. notwithstanding section 6.1.1, any Customer Personal Data Processing carried out by Huble or its Contracted Sub-Processor in accordance with Instructions given by the Customer that infringe Data Protection Law; or

8.1.3. any breach by the Customer of its obligations under this DPA,

except to the extent that Huble or any Contracted Sub-Processor is liable under section 8.2 below. 

8.2. Huble shall be liable for, and shall indemnify (and keep indemnified) the Customer in respect of any and all action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and payments on a solicitor and client basis), or demand suffered or incurred by, awarded against, or agreed to be paid by, the Customer, arising directly with Huble’s Customer Personal Data Processing activities that are subject to this DPA:

8.2.1. only to the extent that the same results from Huble’s breach of this DPA;

8.2.2. subject to Section 8.4 below, only to the extent that the same results from a Personal Data Breach by a Contracted Sub-Processors or a Contracted Sub-Processor’s non-compliance with Data Protection Law; and

8.2.3. not to the extent that the same is or are contributed to by any breach of this DPA by the Customer.

8.3. The Customer shall not be entitled to claim back from Huble or its Contracted Sub-Processors any sums paid in compensation by the Customer in respect of any damage to the extent that the Customer is liable to indemnify Huble under section 8.1 above.

8.4. Notwithstanding anything to the contrary in this DPA, the maximum aggregate liability of Huble, howsoever arising due to a Personal Data Breach at a Contracted Sub-Processor or a Contracted Sub-Processor’s non-compliance with Data Protection Law, shall be limited to 2 (two) times the amount paid to Huble for the Services during the 12 (twelve) month period preceding the date on which the claim arose. 

9. GENERAL PROVISIONS

9.1. Where individual provisions of this DPA are invalid or unenforceable, the validity and enforceability of the other provisions of this DPA shall not be affected.

9.2. This DPA is applicable for the duration of the Principal Agreement with surviving provisions applying as the applicable law and context dictates.

9.3. This DPA shall be governed in accordance with the governing law set out in the Principal Agreement.


 

EXHIBIT 1: DETAILS OF CUSTOMER PERSONAL DATA AND PROCESSING ACTIVITIES

1. Subject matter of Processing:

The subject matter of the Processing of Customer Personal Data pertains to the provision of Services in terms of the Principal Agreement. 

2. Nature and purpose of Processing:  

The nature and purpose of Processing pertain to the provision of the Service to Customer, pursuant to the Principal Agreement, this DPA and the Customer’s Instructions.

3. Duration of the Processing:  

Until the earliest of (i) expiry/termination of the Principal Agreement, or (ii) the date upon which Processing is no longer necessary for the purposes of either Party performing its obligations under the Principal Agreement (to the extent applicable).

4. Categories of Data Subjects: 

Customer contacts and other end users, including the Customer’s employees, contractors, collaborators, customers, prospects, suppliers, and subcontractors.   

Data Subjects also include individuals attempting to communicate with or transfer Customer Personal Data to the Customer’s end users.  

5. Categories of Customer Personal Data:  

-Contact Information, the extent of which is determined and controlled by the Customer in its sole discretion.

-Biographical data, demographic data, personal statements, personal interests, purchase history.

-Employment details & history, employee performance data.

-Details of goods or services provided to or for the benefit of individuals.

-Navigational data, browsing history and cookies (including website usage information).

-Email data, system usage data, application integration data, and other electronic data submitted, stored, sent, or received by end-users via the HubSpot subscription service.

6. Special categories of Customer Personal Data:

No special categories of Personal Data will be Processed. The Customer is obligated to inform Huble if any special categories of Customer Personal Data will be Processed in terms of Section 5.8 of the DPA. 

7. Description of the technical and organizational measures implemented by Huble:

Huble will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia:

-the pseudonymisation and encryption of personal data where possible;

-the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;

-the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and

-a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.

In addition, the following information security policies will apply to the Processing of Customer Personal Data:

- Huble Digital Group’s Acceptable Use Policy (“AUP”): The purpose of the AUP is to outline the acceptable use of computer systems at the Huble Digital Group. These rules are in place to protect the Huble Digital Group’s information against loss or theft, unauthorised access, disclosure, copying, use, modification or destruction.

-Information Classification and Handling Policy (“ICHP”): Huble Digital Group has a responsibility to protect the information it holds and processes using controls appropriate to the sensitivity of the information involved. Only by classifying information according to a documented scheme can the correct level of protection be applied. The ICHP sets out the details of the scheme to be adopted and the criteria applied in deciding which level of protection to apply to any given information asset. Employees will be responsible for Huble Digital Group’s data and information and for mitigating the risks of an information security breach. Classification of information and documents according to this ICHP will determine the way in which the document is handled, published, moved, and stored – and thereby ensuring that appropriate protections are in place.

-Information Security Policy (“ISP”): The ISP sets out the information security landscape including supporting policies, procedures, frameworks and controls both technical and administrative at Huble Digital Group such that they enable the organisation to operate smoothly and in line with the ISO/IEC:27001 standards.

-Document Management Policy: Documented information within the scope of Huble Digital Group’s established Information Security Management System (“ISMS”) must be controlled in such a way that meets both business requirements and recognised international standards which are established and maintained within this policy

-Two Factor Authentication Policy (“TFAP”): The TFAP establishes the requirements for individuals within the scope of the ISMS to make use of two factor authentication methods on all core systems as defined within the policy and all other systems used within the course of the employment or service provision to Huble Digital Group where available.

For transfers to Contracted Sub-Processors, the specific technical and organizational measures to be taken by the Contracted Sub-Processors to be able to provide assistance to the Controller and, for transfers from a Processor to Contracted Sub-Processors, to the data exporter:

When Huble engages a Contracted Sub-Processor under this DPA, Huble and the Contracted Sub-Processor must enter into an agreement with data protection terms substantially similar to those contained in this DPA. 

Huble must ensure that the agreement with each Contracted Sub-Processor allows Huble to meet its respective obligations with respect to the Customer. In addition to implementing technical and organizational measures to protect Customer Personal Data, a Contracted Sub-Processors must:

-notify Huble in the event of a Personal Data Breach;

-delete Customer Personal Data when instructed by Huble in accordance with the Customer’s Instructions to Huble;

-not engage additional Contracted Sub-Processors without Huble’s authorization; and

-not process Customer Personal Data in a manner which conflicts with the Customer’s instructions to Huble.

8. Frequency of transfers:

Personal Data is transferred in accordance with the Customer’s Instructions to the Huble to Process Customer Personal Data for the provision of the Services under the Principal Agreement.

9. Further Processing:

Huble will not carry out further Processing on Customer Personal Data. Processing is limited to what is strictly necessary for the provision of the Services.

10. Controllership Roles:

Data Exporter: Customer, acting as a Controller or Processor in terms of Section 4.1 of this DPA. 

Data Importer: Huble, acting as a Processor or sub-Processor in terms of Section 4.1 of this DPA.

EXHIBIT 2: LIST OF CONTRACTED SUB-PROCESSORS

EXHIBIT 3: JURISDICTION-SPECIFIC TERMS

1. European Economic Area

1.1. For purposes of this DPA:

1.1.1 “EU 2021 SCCs” means contractual clauses adopted by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

1.1.2. “Restricted Transfer of EEA Personal Data” means any transfer of Customer Personal Data subject to the GDPR which is undergoing Processing or is intended for Processing after transfer to an EEA Third Country or an international organization in an EEA Third Country, including data storage on foreign servers.

1.1.3. "EEA” means the European Economic Area, consisting of the European Union Member States, and Iceland, Liechtenstein, and Norway. 

1.1.4. “EEA Third Country” means a country outside of the EEA.

1.2. With regards to any Restricted Transfer of EEA Personal Data from Customer to Huble within the scope of this DPA and the Principal Agreement, the following mechanisms, in the order of precedence, shall apply:

1.2.1. an adequacy decision adopted by the European Commission in terms of Article 45 of the GDPR that provides that the EEA Third Country, a territory, or one or more specified sectors within that EEA Third Country, or the international organization in question to which Customer Personal Data is to be transferred ensures an adequate level of data protection;

1.2.2. the EU 2021 SCCs, in so far as their use constitutes an “appropriate safeguard” under Article 46 of the GDPR and Data Protection Law; or

1.2.3. any other lawful data transfer mechanism, as provided for in the GDPR.

1.3. EU 2021 SCCs:

1.3.1. This DPA incorporates by reference the EU 2021 SCCs. The Parties are deemed to have accepted, executed, and signed the EU 2021 SCCs in their entirety, including the annexes thereto. 

1.3.2. The contents of Annex I and Annex II of the EU 2021 SCCs are set out in Exhibit 1 to this DPA. The content of Annex III of the EU 2021 SCCs is set out in Exhibit 3 to this DPA. Annex 1 to this Exhibit supplements the EU 2021 SCCs as indicated therein.

1.3.3. The following modules of the EU 2021 SCCs shall apply as specified below:

1.3.3.1. Module 2 of the EU 2021 SCCs (Controller to Processor) to the extent that the Customer, acting as “data exporter”, is the Controller, and Huble, acting as “data importer”, is the Processor, in accordance with section 4.1 of this DPA. 

1.3.3.2. Module 3 of the EU 2021 SCCs (Processor to sub-Processor) to the extent that the Customer, acting as “data exporter”, is the Processor, and Huble, acting as “data importer”, is the sub-Processor, in accordance with section 4.1 of this DPA.

1.3.4. The Parties agree to make the following choices pursuant to the EU 2021 SCCs:

1.3.4.1. The Parties do not elect to include Clause 7 (Docking Clause) of the EU 2021 SCCs.

1.3.4.2. The Parties select “Option 2: General Authorization” and the time period set forth in section 6.6.2 of this DPA for purposes of Clause 9 of the EU 2021 SCCs.
 
1.3.4.3. In respect of Clause 11 of the EU 2021 SCCs, the Parties agree not to provide the right to lodge a dispute with an independent dispute resolution body. 

1.3.4.4. In respect of Clause 13 of the EU 2021 SCCs:

1.3.4.4.1. where the Customer is established in the EEA, the competent supervisory authority shall be the authority for the EEA country in which the Customer is established;

1.3.4.4.2. where the Customer is not established in the EEA, but has appointed a representative in the EEA pursuant to Article 27(1) of the GDPR, the competent supervisory authority shall be the authority for the EEA country in which such representative has been appointed; or

1.3.4.4.3. where the Customer is not established in the EEA and has not appointed a representative in an EEA country pursuant to Article 27(1) of the GDPR, the supervisory authority in one of the EEA countries in which the Data Subject whose Customer Personal Data is transferred under the EU 2021 SCCs, in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, shall act as competent supervisory authority. 

1.3.4.5. In respect of Clause 17 of the EU 2021 SCCs, the Parties select “Option 2”. Accordingly, the EU 2021 SCCs shall be governed by the law of the EU Member State in which the Customer is established. Where such law does not provide for third-party beneficiary rights, the EU 2021 SCCs shall be governed by the law of the Republic of Ireland.

1.3.4.6. In respect of Clause 18 of the EU 2021 SCCs, the Parties agree that any dispute arising from the EU 2021 SCCs shall be resolved by the courts of the Republic of Ireland.

2. Germany

2.1. For purposes of this DPA:

2.1.1. “Data Protection Law” as defined in Section 2 of this DPA includes the Federal Data Protection Act (BDSG) of 30 June 2017 Law on the Protection of Individuals with Regard to the Processing of Personal Data as amended from time to time as the case may be.

3. Belgium

3.1. For purposes of this DPA:

3.1.1. "Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. For purposes of this definition, “Control,” means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity or the power to exert decisive influence the management of such entity.

3.1.2. “Data Protection Law” as defined in Section 2 of this DPA includes the Belgian Act of 30 July 2018 Law on the Protection of Individuals with Regard to the Processing of Personal Data as amended from time to time as the case may be.

4. United Kingdom

 For purposes of this DPA:

4.1. “Data Protection Law” as defined in Section 2 of this DPA includes UK Data Protection Law.

4.1.1. “UK Addendum” means the International Data Transfer Addendum to the EU 2021 Standard Contractual Clauses, issued by the UK Information Commissioner, Version B1.0. in force as of 21 March 2022, as amended from time to time.

4.1.2. “UK Third Country” means a country outside of the United Kingdom. 

4.1.3. “Restricted Transfer of UK Personal Data” means any transfer of Customer Personal Data subject to the UK GDPR which is undergoing Processing or is intended for Processing after transfer to a UK Third Country or an international organization in a UK Third Country, including data storage on foreign servers.

4.1.4. “UK Data Protection Law” means the GDPR, as it forms part of domestic law in England and Wales, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or a part of the United Kingdom from time to time) (the “UK GDPR”) and the Data Protection Act 2018, as may be amended from time to time.

4.1.5. With regards to any Restricted Transfer of UK Personal Data from Customer to Huble within the scope of this DPA and the Principal Agreement, the following mechanisms, in the order of precedence, shall apply:

4.2.1. an adequacy decision adopted in accordance with Article 45 of the UK GDPR that provides that the UK Third Country, a territory, or one or more specified sectors within that UK Third Country, or the international organization in question to which Customer Personal Data is to be transferred ensures an adequate level of data protection;

4.2.2. the EU 2021 SCCs, using the UK Addendum, in so far as their use constitutes an “appropriate safeguard” under Article 46 of the UK GDPR and UK Data Protection Law; or

4.2.3. any other lawful data transfer mechanism, as provided for in the UK Data Protection Law.

4.3. EU 2021 SCCs:

4.3.1. This DPA incorporates by reference the EU 2021 SCCs. The Parties are deemed to have accepted, executed, and signed the EU 2021 SCCs in their entirety, including the annexes thereto. 

4.3.2. The contents of Annex I and Annex II of the EU 2021 SCCs and tables of the UK Addendum are set out in Exhibit 1 to this DPA. The content of Annex III of the EU 2021 SCCs is set out in Exhibit 3 to this DPA.  supplements the EU 2021 SCCs as indicated therein.

4.3.3. The following modules of the EU 2021 SCCs shall apply as specified below:

4.3.3.1. Module 2 of the EU 2021 SCCs (Controller to Processor) to the extent that the Customer, acting as “data exporter”, is the Controller, and Huble, acting as “data importer”, is the Processor, in accordance with section 4.1 of this DPA. 

4.3.3.2. Module 3 of the EU 2021 SCCs (Processor to sub-Processor) to the extent that the Customer, acting as “data exporter”, is the Processor, and Huble, acting as “data importer”, is the sub-Processor, in accordance with section 4.1 of this DPA.

4.4. The Parties agree to make the following choices pursuant to the EU 2021 SCCs and the UK Addendum:

4.4.1. The Parties do not elect to include Clause 7 (Docking Clause) of the EU 2021 SCCs.

4.4.2.The Parties select “Option 2: General Authorization” and the time period set forth in section 6.6.2 of this DPA for purposes of Clause 9 of the EU 2021 SCCs.

4.4.3. In respect of Clause 11 of the EU 2021 SCCs, the Parties agree not to provide the right to lodge a dispute with an independent dispute resolution body. 

5. California

5.1. For purposes of this DPA:

5.1.1. “California Data Protection Law” includes the California Consumer Privacy Act of 2018, Assembly Bill 375 of the California House of Representatives, an act to add Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, including the California Consumer Privacy Act Regulations (collectively, the “CCPA”), and the California Privacy Rights Act of 2020 (the “CPRA”).

5.1.2. “Controller” (as defined in this DPA) includes “Business” as defined in the California Data Protection Law.

5.1.3. “Data Protection Law” (as defined in this DPA) includes California Data Protection Law.

5.1.4. “Data Subject” (as defined in this DPA) includes “Consumer” as defined in the California Data Protection Law.

5.1.5. “Personal Data” (as defined in this DPA) includes “Personal Information” as defined in California Data Protection Law.

5.1.6. The terms “Business Purpose”, “Commercial Purpose”, “Sell”, and “Share”, shall have the meaning ascribed to it in California Data Protection Law.

5.2. Customer discloses Customer Personal Data to Huble only for a valid Business Purpose, and to enable Huble to perform the Services under the Principal Agreement. 

5.3. To the extent Huble Processes Customer Personal Data subject by the CCPA, Huble will comply with the obligations of the CCPA in its performance of the Principal Agreement. In this regard, Huble agrees that it will not Sell or Share Customer Personal Data, retain, use, or disclose Customer Personal Data other than providing the Services or as permitted by the CCPA, nor retain, use, or disclose Customer Personal Data except where permitted under the Principal Agreement.

5.4. Huble certifies that it will comply with the restrictions outlined in this section 3 of this Exhibit.

6. South Africa

For purposes of this DPA:

6.1.1. "Binding Corporate Rules” (for the purpose of this Section 4) shall have the meaning ascribed to it in Section 72(2)(a) of the POPIA. 

6.1.2. “Controller” (as defined in this DPA) includes a “Responsible Party” as defined in the POPIA. 

6.1.3. “Data Protection Law” (as defined in this DPA) includes the South African Protection of Personal Information Act 4 of 2012 (“POPIA”).

6.1.4. “Personal Data” (as defined in this DPA) includes “Personal Information” as defined in the POPIA.

6.1.5. “Processor” (as defined in this DPA) includes an “Operator” as defined in the POPIA.

6.1.6. “Restricted Transfer of SA Personal Data” means any transfer of Customer Personal Data subject to the POPIA which is undergoing Processing or is intended for Processing after transfer to a SA Third Country or an international organization in a SA Third Country, including data storage on foreign servers.

6.1.7. “SA Third Country” means a country outside of the Republic of South Africa.

6.2. With regards to any Restricted Transfer of SA Personal Data from Customer to Huble within the scope of this DPA and the Principal Agreement, the following mechanisms, in the order of precedence, shall apply:

6.2.1. Data Protection Law to which Huble is subject, that effectively upholds the principles for reasonable processing of Personal Data that are substantially similar to the conditions for the lawful processing of Personal Data relating to a Data Subject, and which includes provisions substantially similar to Section 72 of the POPIA, relating to any further onward transfer of Personal Data (for the purposes of this Section 4.2.1 of this Exhibit, the Parties agree that transfers to Huble entities within the EEA, which are subject to the GDPR and Huble entities within the UK, which are subject to UK Data Protection Law, comply with this mechanism);

6.2.2. if implemented by Huble, Binding Corporate Rules in line with the provisions of Section 72(1)(a) of the POPIA; 

6.2.3. the terms of this DPA, as a binding agreement between the Parties to effectively upholds the principles for reasonable processing of Personal Data that are substantially similar to the conditions for the lawful processing of Personal Data relating to a Data Subject, and which includes provisions substantially similar to Section 72 of the POPIA, relating to any further onward transfer of Personal Data; or

6.2.4. any other lawful data transfer mechanism, as provided for in the POPIA.

7. Singapore 

7.1. For purposes of this DPA:

7.1.1. "ASEAN MCCs” means the ASEAN Model Contractual Clauses, as approved on 22 January 2021 by the Association of Southeast Asian Nations. 

7.1.2. "Binding Corporate Rules” (for the purpose of this Section 5) shall have the meaning ascribed to it in Section 11(3) of the SDPR.

7.1.3. “Data Protection Law” (as defined in this DPA) includes the Singapore Data Protection Act 2012 and the Singapore Data Protection Regulations 2021 (the “SDPR”, and collectively, the “SDPA”).

7.1.4. “Processor” (as defined in this DPA) includes a “Data Intermediary” as defined in the SDPA.

7.1.5. “Restricted Transfer of Singapore Personal Data” means any transfer of Customer Personal Data subject to the SDPA which is undergoing Processing or is intended for Processing after transfer to a Singapore Third Country or an international organization in a Singapore Third Country, including data storage on foreign servers.

7.1.6. “Singapore Third Country” means a country outside of the Republic of Singapore.

7.2. With regards to any Restricted Transfer of Singapore Personal Data from Customer to Huble within the scope of this DPA and the Principal Agreement, the following mechanisms, in the order of precedence, shall apply:

7.2.1. Data Protection Law to which Huble is subject, allows for legally enforceable obligations to provide the transferred Personal Data a standard that is at least comparable to the protection under the SDPA (for the purposes of this Section 5.2.1 of this Exhibit, the Parties agree that transfers to Huble entities within the EEA, which are subject to the GDPR and Huble entities within the UK, which are subject to UK Data Protection Law, comply with this mechanism);

7.2.2. if implemented by Huble, Binding Corporate Rules in line with the provisions of Section 11(3) of the SDPA;

7.2.3. the ASEAN MCCs, incorporated by reference into this DPA, as contained in Annex 2 to this Exhibit; or

7.2.4. any other lawful data transfer mechanism, as provided for in the SDPA.

8. Canada

For purposes of this DPA:

8.1. “Data Protection Law” (as defined in this DPA) includes the Canadian Federal Personal Information Protection and Electronic Documents Act (“PIPEDA”).

8.2. “Contracted Sub-Processor” (as defined in this DPA) includes a “Third Party Organization” as defined under the PIPEDA.

8.3. “Personal Data” (as defined in this DPA) includes “Personal Information” as defined under the PIPEDA.

8.4. “Personal Data Breach” (as defined in this DPA) includes a “Breach of Security Safeguards” as defined under the PIPEDA.

9. General

In cases where the EU 2021 SCCs or ASEAN MCCs apply, and there is a conflict between the terms of this DPA and the terms of the EU 2021 SCCs or ASEAN MCCs, the terms of the EU 2021 SCCs or ASEAN MCCs shall prevail.