Web 2 Market DATA PROCESSING ADDENDUM

(WITH EU STANDARD CONTRACTUAL CLAUSES)

This Data Processing Addendum (together with Exhibit 1 and its Appendices, the “Addendum”) is between

(i) Web 2 Market, Inc. has entered into an agreement with the customer signing below to provide IT hosting and/or related services including support services and the detection, prevention, and resolution of security and technical issues (respectively “Web 2 Market”, the “Agreement”, the “Customer”, and the “Services”)

(ii) the Customer. This Addendum is to address the Customer’s compliance obligations under Applicable Data Protection Law and is applicable only if and to the extent that Applicable Data Protection Law applies to the Processing of any Personal Data by Web 2 Market for Customer in relation to the Services (“Customer Personal Data”). If the entity signing this Addendum is not the Customer under the Agreement, this Addendum is not valid and is not legally binding. End-users are not a party to this Addendum.

HOW TO EXECUTE THIS ADDENDUM. The main body of this Addendum has been pre-signed on behalf of Web 2 Market and Exhibit 1 has been pre-signed by Web 2 Market. The customer must complete and sign the Addendum. Upon the effective date, the Agreement shall be amended to incorporate this supplementary Addendum and (if applicable) Exhibit 1 shall take effect.

1. DEFINED TERMS.

For the purposes of this Addendum, the following definitions apply and shall prevail as to any conflict with definitions under the Agreement:

“Affiliate” means any legal entity that a party owns, that owns a party, or that is under its common ownership.

“Ownership” means, for the purposes of this definition, control of more than fifty percent interest in an entity.

“Applicable Data Protection Law” means the EU General Data Protection Regulation (EU) 2016/679
(“Regulation”), in each case together with any transposing, implementing, or supplemental legislation; and “Personal Data”,
“Process/Processing”, “Controller”, “Processor”, and “Data Subjects” shall have the meanings given to them in Applicable Data Protection Law.

“Customer Configuration” means an information technology system that is the subject of the Services or to which the Services relate.

“End-users” means the Customer’s own customers and Affiliates whose Personal Data is Processed by Web 2 Market through the provision to, or use by, the Customer of the Services.

“Model Clauses” means the standard contractual clauses (processors) for the transfer of personal data set out in the EU Commission Decision of 5 February 2010 (2010/87/EC); and “Subprocessor”, “Data Importer”, and “Data Exporter” shall have the meanings given to them in the Model Clauses.

“Security Incident” means a breach of Web 2 Market security leading to (i) accidental or unlawful destruction of Customer Personal Data or (ii) loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
“Transfer Protections” means, in relation to a transfer of Customer Personal Data outside the EEA (including any such transfers to Web 2 Market and/or to subprocessors of Web 2 Market), measures to enable the transfer to be made in compliance with Applicable Data Protection Law, including without limitation where the recipient of such data: (i) receives such data in a country that the European Commission has decided provides adequate protection for Personal Data, (ii) has achieved binding corporate rules authorization in accordance with Applicable Data Protection Law, (iii) has executed standard contractual clauses adopted or approved by the European Commission (including Model Clauses under this Addendum), or (iv) has in place an alternative mechanism that complies with Applicable Data Protection Law for the transfer of Personal Data outside the European Union.

2. PROCESSING OF PERSONAL DATA AND PARTIES’ OBLIGATIONS.

Each party agrees to comply with the obligations that apply to it under Applicable Data Protection Law.

2.1. Processing of Customer’s Personal Data. The parties agree that with respect to any Processing of Customer Personal Data through the provision or use of the Services:

(A) Customer may be either of the following (a) a Controller of Customer Personal Data, or (b) a Processor when it Processes Customer Personal Data on behalf of its End-users. Consequently, Web 2 Market is a Processor where the Customer is the Controller or Processor, or a subprocessor when the Customer is acting as a Processor on behalf of its End-users;

(B) The subject matter of the Processing is Web 2 Market’s provision and Customer’s use of the Services and the detection, prevention, and resolution of security and technical issues as provided for in the applicable Agreement;

(C) The duration of the Processing shall be from the date of this Addendum (or, if later, from the date Customer Personal Data is first Processed through the provision or use of the Services) until the Agreement expires or terminates in accordance with its terms;

(D) The purpose of the Processing is to provide Services to Customer under the Agreement and the detection, prevention, and resolution of security and technical issues as provided for in the applicable Agreement and any purposes compatible therewith;

(E) The type of Personal Data Processed is any Personal Data provided or made available to Web 2 Market by or on behalf of Customer or any End-user through the use or provision of the Services; and

(F) The categories of Data Subjects are those whose Personal Data are provided or made available to Web 2 Market by or on behalf of Customer or any End-user through the use or provision of the Services, including staff, contractors, partners of Customer or End-users and any End-users who are individuals.

2.2. Web 2 Market’s Responsibilities. This Section 2.2 shall apply with effect on and from December 30, 2020.
Where Web 2 Market is Processing Customer Personal Data:
(A) Web 2 Market shall Process Customer Personal Data only on Customer’s documented instructions, including with regard to transfers of personal data to a third country or an international organization (instructions on which are set out in Section 2.2(D)) unless required to do so by the applicable law to which
Web 2 Market is subject; in such a case, Web 2 Market shall inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. The parties agree that this Addendum, the Agreement, and Customer’s configuration and use of the Services together constitute Customer’s complete and final documented instructions to Web 2 Market on the Processing of Customer Personal Data;

(B) Web 2 Market shall ensure that all Web 2 Market personnel (including staff, agents, and subcontractors) who Web 2 Market authorizes to Process Personal Data are subject to a duty of confidentiality (whether contractual or statutory); and

(C) Web 2 Market shall maintain and implement technical and organizational measures appropriate (having regard to the state of technological development and cost of implementation) to the risk of, and to seek to protect Customer Personal Data against, any Security Incident. Such measures shall include, as appropriate: (a) the pseudonymization and encryption of Personal Data; (b) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of Processing systems and services; (c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing. At a minimum, such measures shall include those set out in the Agreement. In relation to the security of Customer Configurations, the Customer agrees that those security practices and security Services otherwise detailed in the Agreement are appropriate for Customer Personal Data (and satisfies Web 2 Market’s obligation under this sub-section), in conjunction with the Customer’s obligations regarding security measures set out in the Agreement;

(D) Web 2 Market shall not transfer any Customer Personal Data outside of the European Economic Area unless it has taken steps to ensure Transfer Protections, but subject to such Transfer Protections Customer agrees that Customer Personal Data may be Processed in countries where the Web 2 Market or its subprocessors maintain facilities or personnel as necessary so that Web 2 Market may fulfill its obligations under the Agreement;

(E) Web 2 Market shall respond to any Data Subject request to exercise their rights, or any other Data Subject query, regarding Customer Personal Data, by either asking the Data Subject to make their request to Customer or notifying the Customer of the same. Web 2 Market shall assist the Customer in respect of the rights of Data Subjects as follows (and the Customer agrees that this Section 2.2(E) only applies to the extent Customer does not itself hold or otherwise have access to the Customer Personal Data, and to the extent to which it is possible for Web 2 Market to provide such assistance taking into account the nature of the Processing):

(i) assist the Customer to respond to any request from a Data Subject to exercise any of her or his rights under Applicable Data Protection Law (including rights of access, correction, objection, erasure, and data portability, as applicable) by providing technical measures to provide Customer, in a manner and to the extent consistent with the functionality of the Services and Web 2 Market’s role as Processor, with the ability itself to access, correct, erase, restrict or export Customer Personal Data. In respect of Customer Personal Data which the Customer receives, stores, or transmits on or using the Customer Configuration, the parties agree that the sole assistance Web 2 Market shall provide is to permit the Customer, in a manner and to the extent consistent with the functionality of the Services and Web 2 Market’s role as Processor, with the ability itself to access, correct, erase, restrict or export Customer Personal Data. In respect of other Customer Personal Data, at Customer’s reasonable request and expense, Web 2 Market shall provide reasonable and timely further assistance to Customer to respond to any such Data Subject requests.

(ii) provide reasonable and timely assistance to Customer, at Customer’s reasonable request and expense, to respond to any other correspondence, inquiry, or complaint received from a Data Subject, regulator, or other third parties in connection with the processing of Customer Personal Data.

(F) if Web 2 Market becomes aware of a confirmed Security Incident, inform Customer without undue delay and provide reasonable information (to the extent that such information is known or available to Web 2 Market) and cooperation with Customer so that Customer can fulfill any data breach reporting obligations it may have under (and in accordance with the timescales required by) Applicable Data Protection Law. Web 2 Market shall further take any reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and shall keep Customer informed of material developments in connection with the Security Incident. In respect of Customer Personal Data which the Customer receives, stores, or transmits on or using the Customer Configuration, the parties agree that (i) Web 2 Market’s obligations under this Section 2.2(F) shall be limited to the extent consistent with the functionality of the Services and Web 2 Market’s role as Processor, the monitoring and security Services purchased by the Customer, and the parties’ respective security obligations under the Agreement; (ii) Web 2 Market shall be under no obligation to notify routine security alerts in respect of the Customer Configuration (including without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing or other unauthorized access to traffic data that does not result in access beyond IP addresses or headers, or similar incidents) save as otherwise specifically set out in the Agreement; (iii) Web 2 Market’s remediation and mitigation obligations shall be limited to Security Incidents arising out of breach by Web 2 Market of its security obligations set out in the Agreement and (iv) Web 2 Market’s assistance shall be at the Customer’s expense save where the confirmed Security Incident is caused by breach of Web 2 Market of its security obligations set out in the Agreement;

(G) the Customer acknowledges that Web 2 Market has no knowledge of the Customer Personal Data received, stored, or transmitted on or using the Customer Configuration. Accordingly, taking into account the nature of the Processing and the information available to Web 2 Market, Web 2 Market shall assist Customer in ensuring compliance with Customer’s obligations pursuant to data protection impact assessments and prior consultation under Applicable Data Protection Law by providing (at Customer’s expense) the audit reports specified in the Agreement and the security tools included in the Services. If however Web 2 Market believes or becomes aware that it’s Processing of Customer Personal Data is likely to result in a high risk to the data protection rights and freedoms of Data Subjects, it shall inform Customer and provide reasonable cooperation to Customer (at Customer’s expense) in connection with any data protection impact assessment that may be required under Applicable Data Protection Law;

(H) Web 2 Market shall enable Customer to retrieve and/or delete Customer Personal Data before any termination of the Agreement. Customer instructs Web 2 Market, after the end of the provision of the Services, to delete all Customer Personal Data in Web 2 Market’s possession or control, including existing copies thereof, but this requirement shall not apply to the extent Web 2 Market is required by the applicable law to retain all or some of the Customer Personal Data or to Customer, Personal Data Web 2 Market has archived on backup systems, which data Web 2 Market shall securely isolate and protect from any further processing except to the extent required by such law until such time as the relevant back-up is destroyed in accordance with Web 2 Market’s standard backup destruction policies; and

(I) Web 2 Market shall maintain records required by Applicable Data Protection Law and information to demonstrate its compliance with Applicable Data Protection Law in relation to its Processing of Customer Personal Data, and provide to the Customer audit reports as otherwise specified in the Agreement to demonstrate compliance.

2.3. Subprocessing. The following provisions shall apply in relation to any subprocess.

(A) Customer authorizes Web 2 Market to engage any third-party subcontractors and/ or resellers (including but not limited to, Amazon, Microsoft, Adobe, AbleCommerce, and Google) as subprocessors in connection with the provision of the Services to Customer. The parties agree that: (i) Web 2 Market shall maintain and make available to the Customer an up-to-date list of its subprocessors, giving the Customer notice of any change in subprocessors prior to any new subprocessor being authorized to Process any Customer Personal Data by updating the list accordingly; (ii) Web 2 Market shall impose written data protection terms on any subprocessor it appoints that require it to Process any Customer Personal Data only to the extent necessary to provide the services for which it has been engaged by Web 2 Market (and for no other purpose) and to protect the Customer Personal Data to at least the standard required by this Addendum and Applicable Data Protection Law; and (iii) Web 2 Market shall remain liable for any breach of this Addendum that is caused by an act, error or omission of its subprocessor. Customer may object to Web 2 Market’s appointment or replacement of a subprocessor by terminating its use of the affected Services for convenience on giving written notice in the manner provided in the Agreement (save that the period of notice given by Customer shall be 7 days, and notice must be given by Customer within 7 days of Web 2 Market’s notice of appointment or replacement) as its sole and exclusive remedy, without prejudice to any fees incurred by Customer for those Services before any such notice of termination takes effect; and such notice of termination shall be ineffective if Web 2 Market notifies Customer that the proposed appointment or replacement shall not be effective to the Customer prior to the expiry of the Customer’s notice of termination.

(B) Customer agrees to Web 2 Market giving any such subprocessors access to Customer’s Customer Configuration so that Web 2 Market or the Applicable Web 2 Market Entity can deliver the Services under the Agreement. Customer further agrees that those subprocessors may be based outside of the state, province, country, or other jurisdiction in which Customer has chosen to store Customer Personal Data, subject to Web 2 Market taking steps to ensure Transfer Protections if transfers are made to those subprocessors. Web 2 Market requires that its subprocessors maintain security and data protection practices that are consistent with the Agreement.

2.4. Customer Responsibilities. The customer undertakes that its instructions to Web 2 Market as its Processor and its use of the Services for processing Customer Personal Data will each (i) comply with privacy laws or regulations applicable to its Processing of Customer Personal Data, including Applicable Data Protection Law, and (ii) not cause Web 2 Market to infringe Applicable Data Protection Law. The Customer will ensure that it has all necessary consents, notices, and other requirements in place to enable lawful Processing of the Customer’s Personal Data by Web 2 Market for the duration and purposes of this Agreement.

3. APPLICATION OF AND CLARIFICATION TO EXHIBIT 1.

The parties agree that the Model Clauses set out in Exhibit 1 apply only if (i) Customer Personal Data to which Applicable Data Protection Law applies is transferred to Web 2 Market and its subprocessors located in a country that is outside of the EEA, and (ii) no Transfer Protections other than Model Clauses have been provided.

3.1. Relationship. The parties acknowledge that for the purposes of the Model Clauses (where applicable under this Addendum), the Applicable Web 2 Market Entity is acting in the capacity of either (i) a Data Importer when Customer is established in the EEA or (ii) a Subprocessor of Customer when Customer is located outside the EEA and is acting in its capacity as a Data Importer to its End-users. The Applicable Web 2 Market Entity will comply with the obligations of the Data Importer or Subprocessor in the Model Clauses as applicable.

3.2. For the purposes of Processing and the transfer of Customer Personal Data from the EEA to other Web 2 Market locations, the applicable Clauses in Exhibit 1 shall be supplemented with the following Sections 3.2(A) and 3.2(B). Such supplementary language addresses practical and operational issues and does not modify the Model Clauses:

(A) Clause 5(f) and 12(2) of the Model Clauses – Audit Rights. Customer agrees that the audit described in Clauses 5(f) and 12(2) shall be carried out in accordance with the following provision: Web 2 Market shall engage qualified third-party auditors to perform examinations of its systems and services in accordance with: the best practice recommendations of ISO 27002, for the purpose of auditing Web 2 Market’s compliance with ISO 27001; SSAE 16 and ISAE 3402 compliance frameworks, and the AT 101 compliance framework (based upon select Trust Services Principles); and/or equivalent industry standards (the resulting output of such audit activities referred to as “Third Party Audit Reports”). Web 2 Market’s annual Service Organization Control (“SOC”) report(s) or suitable equivalent standard(s) as specified by Web 2 Market are available to Customer upon Customer’s request subject to Web 2 Market’s SOC distribution requirements. Subject to the terms of the Agreement and upon Customer’s request with not less than 30 days’ notice, Web 2 Market agrees (at Customer’s expense) to permit Customer to perform reviews of the security of the Services or evaluate and monitor Web 2 Market compliance with its security obligations set forth under the Addendum (the “Customer Audits”). Customer Audits may be conducted by the internal or external auditors or personnel of Customer who has entered into a nondisclosure agreement with Web 2 Market (collectively, “Auditors”). Such Customer Audits shall be conducted strictly in accordance with Web 2 Market’s security policies and procedures and consistent with industry best practices and shall be limited to the security aspects of those Web 2 Market-operated data centers in which the server(s) on which Customer Personal Data is located which are not covered by the Third Party Audit Reports or SOC reports. Customer Audits are limited to viewing those Services that the Customer is using under the Agreement. Such scope does not include (i) viewing any documentation, data, or other information that is related to other customers of Web 2 Market or the Applicable Web 2 Market Entity, or (ii) interacting with a data center or power equipment in any way that may interfere with the performance of or could otherwise pose a risk to the Services, as determined by Web 2 Market or the Applicable Web 2 Market Entity in its sole discretion. Web 2 Market agrees to cooperate in a commercially reasonable manner with the Auditors and provide the Auditors with commercially reasonable assistance as they may reasonably request in connection with the Customer Audit provided that the Auditors avoid disrupting the Web 2 Market’s operations during the Customer Audits. In the event that Customer requests a Customer Audit more than once in a twelve (12) month period, any additional Customer Audits will be performed at Customer’s sole cost and Customer will reimburse Web 2 Market for its reasonable costs associated with such additional Customer Audits. In addition, if any Customer Audit will have a duration of more than three (3) hours or exceed the agreed upon scope (including a request to audit any control that has already been covered in an independent audit report), the Customer agrees to tender to the Web 2 Market an amount equal to Web 2 Market’s projected costs associated with the Customer Audit as a condition precedent to permitting Customer to conduct such Customer Audit.

(B) Clause 5(h) and 11 of the Model Clauses – Subprocessing. In accordance with Clause 5(h) and Clause 11, Customer acknowledges and agrees that the Web 2 Market may engage subprocessors as provided in Section 2.3.

3.3. Where the Model Clauses contain any obligation to notify the Data Exporter, the Web 2 Market shall make such notification to the Customer. When Customer acts in the capacity of Data Importer, Customer agrees to make any required notifications to the Data Exporter.

4. GENERAL PROVISIONS.

4.1. Conflicting Terms. To the extent the Model Clauses are applicable, the Model Clauses in Exhibit 1 supersede any conflicting terms in the Agreement and this Addendum as to the specific subject matter of Exhibit 1. To the extent that any provision of the Addendum conflicts with any provision of any other document(s) comprising the Agreement, the terms of the Addendum shall, as to the specific subject matter of the Addendum, take precedence over the conflicting term(s) of such other document(s).

4.2. Governing Law. To the extent, any claim arises under Model Clauses in relation to the processing by the Web 2 Market of Personal Data that Customer stores or otherwise processes using the Services (including any claims by a Data Subject pursuant to Clause 3 of Model Clauses), the Model Clauses shall be governed by and construed in accordance with Clause 9 (Governing Law) of the Model Clauses. The parties agree that, save as provided above, nothing in this Addendum shall affect the application of the governing law Section of the Agreement, which applies to all other claims brought under the Agreement and this Addendum.

4.3. Limitation of Liability. Customer agrees to exercise its remedies, including those of its Affiliates, arising out of or related to this Addendum and the Model Clauses solely against Web 2 Market. Customer’s remedies, including those of its Affiliates, arising out of or related to this Addendum and the Model Clauses will be subject to those limitations of liability which apply to Customer under the Agreement and the aggregate liability to Customer of Web 2 Market, this Addendum and the Model Clauses in relation to the Processing of Customer Personal Data shall not exceed the lesser of (i) the maximum liability of Web 2 Market to Customer under the Agreement or (ii) one million dollars (US$1,000,000).
Web 2 Market is not liable for any claim brought by Customer or any third party (including without limitation any Data Subject, or regulatory or supervisory authority) arising from their compliance with Customer’s instructions.

4.4. Third-Party Beneficiaries. Notwithstanding anything to the contrary in the Agreement, where the Web 2 Market receiving a transfer of Customer Personal Data is not a party to the Agreement, the Web 2 Market will be a third party beneficiary of the Agreement and of this Addendum (including without limitation Section 4.3).
Web 2 Market and Customer further agree that, with the exception of (a) Exhibit 1 to which the Data Subjects are third-party beneficiaries, and (b) those provisions of the Agreement that are relevant to the services provided by the Web 2 Market and to which the Web 2 Market is a beneficiary, the Agreement does not confer any rights to any End-users, Data Subjects, or any other third party. This Addendum does not establish any direct rights of Customer’s respective End-Users against Web 2 Market or the Web 2 Market regarding the delivery of the Services.

4.5. No further amendment. All terms and conditions in the Agreement save as amended herein remain in full force and effect and are binding upon the parties.

4.6. Modification. Web 2 Market may amend or supplement this Addendum, after giving prior notice to the Customer, if and to the extent necessary to comply with applicable law or requirement of any supervisory, regulatory or governmental authority; to implement any standard contractual clauses adopted by the European Commission or a supervisory authority under the Regulation; to comply with any certification granted to Web 2 Market under the Regulation; or to adhere to a code of conduct approved under the Regulation.

5. TERM AND TERMINATION.

5.1. This Addendum and the Model Clauses will terminate contemporaneously and automatically with the termination or expiration of the Agreement.

5.2. Web 2 Market may terminate the Model Clauses (where applicable under Section 3) if Web 2 Market offers alternative mechanisms to Customer that comply with Applicable Data Protection Law regarding the transfer of Customer Personal Data outside the EEA.

EXHIBIT 1
STANDARD CONTRACTUAL CLAUSES
(PROCESSORS)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection the Customer that is a party to the Addendum to which these Standard Contractual Clauses are attached AND the Web 2 Market, as described in the Addendum to which these Standard Clauses are attached, each a “party”; together “the parties”, HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

1. CLAUSE 1.

1.1. Definitions. For the purposes of the Clauses:
“Personal data”, “special categories of data”, “process/processing”, “controller”, “processor”, “data subject” and “supervisory authority” shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
“The data exporter” means the controller who transfers the personal data;
“The data importer” means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article
25(1) of Directive 95/46/EC;
“The subprocessor” means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
“The applicable data protection law” means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
“Technical and organizational security measures” means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

2. CLAUSE 2.

2.1. Details of the Transfer. The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

3. CLAUSE 3.

3.1. Third-Party Beneficiary Clause.
(A) The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to
(e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
(B) The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause
6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
(C) The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
(D) The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

4. CLAUSE 4.

4.1. Obligations of the Data Exporter. The data exporter agrees and warrants:

(A) that the processing, including the transfer itself, of the personal data, has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(B) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;

(C) that the data importer will provide sufficient guarantees in respect of the technical and organizational security measures specified in Appendix 2 to this contract;

(D) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(E) that it will ensure compliance with the security measures;

(F) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

(G) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(H) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(I) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of the data subject as the data importer under the Clauses; and

(J) that it will ensure compliance with Clause 4(a) to (i).

5. CLAUSE 5.

5.1. Obligations of the Data Importer. The data importer agrees and warrants:

(A) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(B) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(C) that it has implemented the technical and organizational security measures specified in Appendix 2 before processing the personal data transferred;

(D) that it will promptly notify the data exporter about:

(i) any legally binding request for disclosure of personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,

(ii) any accidental or unauthorized access, and

(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so;

(E) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(F) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

(G) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(H) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;

(I) that the processing services by the subprocessor will be carried out in accordance with Clause 11;

(J) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

6. CLAUSE 6.

6.1. Liability.

(A) The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.

(B) If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter unless any successor entity has assumed the entire legal obligations of the data exporter by the contract of by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.

(C) If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

7. CLAUSE 7.

7.1. Mediation and Jurisdiction.

(A) The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(i) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(ii) to refer the dispute to the courts in the Member State in which the data exporter is established.

(B) The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

8. CLAUSE 8.

8.1. Cooperation with Supervisory Authorities.

(A) The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

(B) The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

(C) The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).

9. CLAUSE 9.

9.1. Governing Law. The Clauses shall be governed by the law of the Member State in which the data exporter is established.

10. CLAUSE 10.

10.1. Variation of the Contract. The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business-related issues where required as long as they do not contradict the Clause.

11. CLAUSE 11.

11.1. Subprocessing.

(A) The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfill its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.

(B) The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

(C) The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.

(D) The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

12. CLAUSE 12.

12.1. Obligation After the Termination of Personal Data Processing Services.

(A) The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

(B) The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES
Attached as Exhibit 1 to the addendum
This appendix forms part of the clauses.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
Terms used in this Appendix 1 have the meaning given to them in the Data Processing Addendum to which these Standard Contractual Clauses have been appended.
DATA EXPORTER: means Customer or its End-users located in the EEA.
DATA IMPORTER: Where Customer transfers to Web 2 Market any Customer Personal Data to which Applicable Data Protection Law applies, the term “data importer” means the Web 2 Market. Where a non-EEA Customer imports Personal Data on behalf of its End-users located in the EEA, the term “data importer” means Customer.
The DATA SUBJECTS, CATEGORIES OF DATA, and PROCESSING OPERATIONS are as set out in Section 2.1 of the Addendum.

Appendix 2 TO THE STANDARD CONTRACTUAL CLAUSES
Attached as Exhibit 1 to the Addendum
This Appendix forms part of the Clauses
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
The Web 2 Market shall implement security measures at least equivalent to those described in the underlying Agreement between Web 2 Market and Customer.