Data Processing Agreement (DPA)
Parties
This Data Processing Agreement (“DPA”) is entered into between:
- Unendlich UG (haftungsbeschränkt), Rotherstraße 24, 10245 Berlin, Germany, registered with the Handelsregister of the Amtsgericht Charlottenburg under HRB 253965 B, operator of the justsayin service (“justsayin”, “Processor”, “we”); and
- the customer that accepts this DPA (“Customer”, “Controller”, “you”).
This DPA forms part of, and is incorporated into, the agreement between the parties for Customer’s use of the Services (the “Agreement”). It is pre-signed by justsayin and becomes binding on Customer upon Customer’s acceptance of the Agreement (including by creating an account at sign-up, where notice of this DPA is given, or by using the Services). Where the Agreement and this DPA conflict on the subject matter of data protection, this DPA prevails.
1. Definitions
Capitalised terms not defined here have the meaning given in the GDPR or the Agreement. The following terms apply throughout this DPA.
1.1 “GDPR” means Regulation (EU) 2016/679 (General Data Protection Regulation).
1.2 “Applicable Data Protection Laws” means the GDPR, the German Federal Data Protection Act (Bundesdatenschutzgesetz, “BDSG”), and any other data protection or privacy laws applicable to a party’s Processing under this DPA, including, to the extent applicable, US State Privacy Laws (addressed in the addendum at Annex G).
1.3 “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, and “Personal Data Breach” have the meanings given in Article 4 GDPR.
1.4 “Customer Personal Data” means Personal Data that justsayin Processes on behalf of Customer in connection with the Services, as described in Annex A. This is the data submitted by, or collected from, Customer’s end users through the feedback widget and public board (e.g. voice recordings, transcripts, typed feedback, screenshots, page context, and the AI-derived data generated from them).
1.5 “Service Data” means data that justsayin Processes as an independent Controller for its own legitimate business operations — including account administration, providing and securing the Services, billing, fraud prevention, product improvement, and legal compliance — independent of Customer’s instructions. Service Data includes Customer’s team-member account and contact details, authentication data, usage and telemetry data, and operational logs. Service Data is governed by justsayin’s Privacy Policy and is not subject to this DPA.
1.6 “Aggregated and Anonymised Data” means data derived from Customer Personal Data that has been irreversibly anonymised so that it can no longer identify, and cannot be used to re-identify, Customer or any Data Subject, within the meaning of Recital 26 GDPR. Aggregated and Anonymised Data is not Personal Data and is not Customer Personal Data.
1.7 “Sub-processor” means any third party engaged by justsayin to Process Customer Personal Data on justsayin’s behalf in connection with the Services. Sub-processors that are artificial-intelligence or machine-learning services (“AI Sub-processors”) are a subset of Sub-processors; justsayin’s engagement of AI Sub-processors is additionally governed by Section 11.
1.8 “Standard Contractual Clauses”, “EU SCCs”, or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021.
1.9 “US State Privacy Laws” means the California Consumer Privacy Act as amended by the CPRA (“CCPA”) and other comparable US state comprehensive privacy laws, in each case where applicable to the relevant Processing.
1.10 “Services” means the justsayin platform and related services provided to Customer under the Agreement.
2. Roles; Scope; Instructions
2.1 Roles of the parties
The parties acknowledge that, in connection with the Services, Personal Data falls into three distinct categories, each with its own allocation of roles:
(a) Customer Personal Data — justsayin acts as Processor. With respect to Customer Personal Data, Customer is the Controller (or, where Customer is itself a Processor acting for one or more third-party Controllers, Customer warrants it has the authority and instructions to engage justsayin as a Sub-processor), and justsayin acts as Processor. justsayin Processes Customer Personal Data only on Customer’s documented instructions, as set out in Section 2.3.
(b) Service Data — justsayin acts as an independent Controller. With respect to Service Data, justsayin determines the purposes and means of Processing and acts as an independent Controller for its own legitimate business operations. Such Processing is governed by justsayin’s Privacy Policy and is outside the scope of this DPA. Each party is independently responsible for its own compliance with Applicable Data Protection Laws in respect of Service Data.
(c) Aggregated and Anonymised Data — outside the Processor relationship. justsayin may create Aggregated and Anonymised Data from Customer Personal Data and use it for any lawful purpose, including analytics, benchmarking, and improving the Services, provided that such data is and remains irreversibly anonymised in accordance with Section 1.6. justsayin will not attempt to re-identify any Data Subject from Aggregated and Anonymised Data. For the avoidance of doubt, raw audio recordings, transcripts, screenshots, and free-text feedback are never treated as Aggregated and Anonymised Data.
2.2 No secondary use; no model training
Except as strictly necessary to provide the Services in accordance with Customer’s instructions, justsayin will not:
(a) sell, rent, or otherwise disclose Customer Personal Data for value;
(b) Process Customer Personal Data for its own purposes or for the benefit of any party other than Customer; or
(c) use Customer Personal Data to train, fine-tune, or otherwise improve any artificial-intelligence or machine-learning model, whether justsayin’s own or a third party’s.
Provisions specific to justsayin’s use of third-party AI services appear in Section 11.
2.3 Customer instructions
This DPA, the Agreement, and Customer’s use and configuration of the Services (for example, the data-retention period and feature settings Customer selects per project) constitute Customer’s complete and final documented instructions to justsayin for the Processing of Customer Personal Data. justsayin will Process Customer Personal Data only on these instructions, including with regard to transfers to a third country, unless required to do otherwise by Union or Member State law to which justsayin is subject; in such a case, justsayin will inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
Any additional or out-of-scope instructions require agreement of the parties and may be subject to additional fees.
2.4 justsayin’s duty to flag unlawful instructions
justsayin will inform Customer without undue delay if, in its opinion, an instruction infringes Applicable Data Protection Laws. justsayin is not obliged to perform a legal review of the lawfulness of Customer’s instructions and may suspend performance of an instruction it reasonably believes to be unlawful until Customer confirms or modifies it.
2.5 Effect of exceeding instructions
If justsayin Processes Customer Personal Data to determine the purposes and means of Processing other than on Customer’s instructions, justsayin will be considered a Controller in respect of that Processing under Article 28(10) GDPR and will assume the corresponding responsibilities. justsayin commits not to do so.
2.6 Customer responsibilities and warranties
Customer is responsible for, and warrants that:
(a) it has a valid legal basis under Article 6 GDPR (and, where relevant, Article 9) for the Processing it instructs, and has provided all notices and obtained all consents required to disclose Customer Personal Data to justsayin and to have it Processed as described in this DPA and Annex A;
(b) the Customer Personal Data, and the means by which Customer acquired it, comply with Applicable Data Protection Laws;
(c) it will not use the Services as a means to Process, as an intended purpose, special categories of Personal Data (Article 9 GDPR) or Personal Data relating to criminal convictions and offences (Article 10 GDPR), and acknowledges that free-form feedback may nonetheless incidentally contain such data, the handling of which is addressed in Annex A.9; and
(d) its instructions to justsayin will not cause justsayin to violate Applicable Data Protection Laws.
2.7 Scope and details of Processing
The subject matter, duration, nature and purpose of the Processing, the categories of Customer Personal Data, and the categories of Data Subjects are described in Annex A. justsayin’s technical and organisational security measures are described in Annex B. The list of authorised Sub-processors is maintained as described in Annex C and Section 9.
3. Compliance; Confidentiality; Personnel
3.1 Compliance
justsayin will comply with the obligations applicable to it as a Processor under Applicable Data Protection Laws in connection with its Processing of Customer Personal Data, and will provide the assistance set out in this DPA to support Customer’s own compliance.
3.2 Confidentiality of Customer Personal Data
justsayin will treat Customer Personal Data as Customer’s confidential information. justsayin will not disclose Customer Personal Data to any third party except: (a) to Sub-processors in accordance with Section 9; (b) as necessary to provide the Services on Customer’s documented instructions; or (c) where required by law, in accordance with Section 12 (Government Requests). These confidentiality obligations survive termination of the Agreement for as long as justsayin retains Customer Personal Data.
3.3 Personnel and authorised persons
justsayin limits access to Customer Personal Data to personnel who require such access to provide the Services, and ensures that persons authorised to Process Customer Personal Data:
(a) are bound by appropriate confidentiality obligations, whether contractual or statutory; and
(b) Process Customer Personal Data only on justsayin’s instructions (which reflect Customer’s documented instructions), unless required to act otherwise by Union or Member State law.
3.4 Reliability and awareness
justsayin takes reasonable steps to ensure that personnel with access to Customer Personal Data are reliable and are made aware of their confidentiality and data-protection responsibilities. Further detail on the technical and organisational measures, including measures relating to personnel, is set out in Annex B.
4. Security; Audits; Certifications
4.1 Security measures
justsayin will implement and maintain appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR, as described in Annex B. These include, as applicable, encryption of Customer Personal Data in transit and at rest, access controls, vulnerability management, logging and monitoring, and measures to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and to restore availability and access to Customer Personal Data after an incident.
4.2 Regular testing
justsayin regularly tests and evaluates the effectiveness of its technical and organisational measures. This includes automated static application security testing and automated scanning of software dependencies for known vulnerabilities within its development and deployment pipeline.
4.3 No degradation
justsayin will not materially decrease the overall security of the Services during the term of the Agreement.
4.4 Demonstrating compliance
On Customer’s written request, and no more than once per 12-month period, justsayin will make available the information reasonably necessary to demonstrate compliance with this DPA, which may include: (a) the technical and organisational measures described in Annex B; (b) justsayin’s responses to a reasonable security questionnaire; (c) the security certifications and audit reports held by justsayin’s relevant Sub-processors; and (d) summaries of justsayin’s most recent vulnerability scans or, where available, third-party assessments.
4.5 Audits
justsayin operates remotely and all Customer Personal Data is Processed within Sub-processor data centres that are not accessible to justsayin or Customer for physical inspection; audits are therefore conducted remotely. Where the information made available under Section 4.4 does not reasonably enable Customer to meet its own audit obligations under Applicable Data Protection Laws, justsayin will, on at least 30 days’ prior written notice and no more than once per 12-month period, contribute to a remote audit conducted by Customer or an independent third-party auditor mandated by Customer. Any such auditor must not be a competitor of justsayin and must be bound by obligations of confidentiality. The scope of any audit is limited to justsayin’s Processing of that Customer’s Customer Personal Data and must not unreasonably interfere with justsayin’s business operations. Customer may conduct audits more frequently than once per 12 months only where required by a supervisory authority or following a confirmed Personal Data Breach affecting that Customer’s Customer Personal Data.
4.6 Costs
Audits are conducted at Customer’s expense. justsayin may charge a reasonable fee for the time and resources it expends in supporting audit activity that goes beyond the provision of information under Section 4.4.
4.7 Certifications
justsayin may hold or obtain third-party security certifications or audit reports (such as SOC 2 or ISO/IEC 27001). Where justsayin holds a certification or report relevant to the Services, it will make it available to Customer in accordance with Section 4.4.
5. Assistance; Data Subject Requests; DPIA; Records
5.1 Assistance with Data Subject requests
Customer, as Controller, is responsible for responding to requests from Data Subjects who exercise their rights under Applicable Data Protection Laws (including the rights of access, rectification, erasure, restriction of Processing, data portability, and objection). Taking into account the nature of the Processing, justsayin will assist Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling that responsibility, including by:
(a) making available functionality within the Services through which Customer’s authorised users can locate, access, view, and permanently delete individual items of Customer Personal Data, with deletion extending to the associated audio recordings, screenshots, transcripts, and AI-derived data;
(b) offering the optional end-user self-service mechanism described in Section 5.2; and
(c) where the functionality of the Services does not already enable Customer to do so itself, providing reasonable assistance, on Customer’s documented instruction, in retrieving, correcting, restricting, or making available a copy of the Customer Personal Data relating to a given Data Subject.
5.2 End-user self-service for widget feedback
The Services include a per-project setting through which Customer may enable an end-user self-service mechanism for feedback submitted through the feedback widget. Where Customer enables this setting, each submitter is provided, at the time of submission, with a private link that allows that submitter to view and to permanently delete their own feedback without further involvement of Customer or justsayin. This mechanism is a technical measure that supports Data Subjects’ rights of access (Article 15 GDPR) and erasure (Article 17 GDPR), and is particularly significant for widget feedback because such feedback is typically submitted anonymously (see Section 5.3).
Where Customer enables this setting, Customer thereby instructs justsayin to action self-service access and deletion requests made through that link directly, on Customer’s behalf. Customer may disable the setting at any time, in which case justsayin will cease to provide new self-service links and existing links will no longer operate, and requests will instead be handled in accordance with Sections 5.1 and 5.4. Customer is responsible for determining whether self-service is appropriate for its own legal obligations (for example, where Customer is subject to a retention duty or legal hold that should override an erasure).
5.3 Limits arising from anonymous and pseudonymous data (Article 11 GDPR)
Feedback submitted through the widget is typically submitted without information that identifies the Data Subject: it is associated with a randomly generated, session-scoped identifier, and carries a user identifier only where Customer has chosen to supply one (which Customer is instructed to keep opaque). justsayin does not maintain any index that resolves such data to an identified individual. Where justsayin Processes Customer Personal Data that does not, or no longer does, permit justsayin to identify a Data Subject, Article 11 GDPR applies: justsayin is not obliged to acquire, maintain, or process additional information in order to identify a Data Subject for the sole purpose of responding to a request, and may be unable to locate the relevant data without additional identifying information. The self-service link described in Section 5.2 constitutes such additional information, enabling the submitter to exercise their rights in respect of their own feedback. justsayin does not systematically extract identifiers from free-form feedback content; any incidental identifiers a Data Subject includes within such content are deleted together with the feedback record upon erasure or at the expiry of the applicable retention period. justsayin will inform Customer where it is not in a position to identify a Data Subject.
5.4 Requests received directly by justsayin
If justsayin receives a request or communication directly from a Data Subject (or from a supervisory authority, representative, or other third party acting on a Data Subject’s behalf) that relates to Customer Personal Data, justsayin will not respond to the substance of the request except on Customer’s documented instructions (including the standing instruction in Section 5.2, where enabled) or as required by law. justsayin will, without undue delay, forward the request to Customer and/or advise the Data Subject to direct the request to Customer or to use the self-service link where one is available, and will not otherwise disclose Customer Personal Data in response other than as instructed by Customer.
5.5 Assistance with security, breach notification, DPIAs, and prior consultation
Taking into account the nature of the Processing and the information available to justsayin, justsayin will provide reasonable assistance to Customer in ensuring compliance with Customer’s obligations under Articles 32 to 36 GDPR, namely: (a) the security of Processing; (b) the notification of a Personal Data Breach to the supervisory authority and to affected Data Subjects (further addressed in Section 6); (c) carrying out data protection impact assessments; and (d) prior consultation with a supervisory authority. This assistance is limited to Processing carried out by justsayin on Customer’s behalf and to information within justsayin’s possession or reasonable control.
5.6 Records of Processing
justsayin maintains the records of the categories of Processing activities carried out on behalf of Customer that are required of a processor under Article 30(2) GDPR. justsayin will make these records available to Customer on reasonable request to the extent necessary to demonstrate compliance with this DPA, and will retain them for the duration of the Agreement and for a reasonable period thereafter consistent with applicable statutory retention and limitation periods.
5.7 Costs of assistance
justsayin provides the assistance described in this Section at no additional charge to the extent (a) it is required of a processor under Applicable Data Protection Laws and (b) it can be satisfied through the standard functionality of the Services or with reasonable effort. Where the assistance Customer requests requires effort materially beyond that — for example, repeated, voluminous, or manifestly unfounded requests, or bespoke engineering or investigative work — justsayin may charge a reasonable fee, notified to Customer in advance.
6. Security Incidents
6.1 Notification of Personal Data Breaches
This Section 6 governs Personal Data Breaches affecting Customer Personal Data. Following its becoming aware of such a Personal Data Breach, justsayin will notify Customer without undue delay and, where feasible, not later than 72 hours after having become aware. Where, despite reasonable efforts, justsayin is unable to provide complete information within that period, justsayin will provide an initial notification within that period containing the information then available, and will supplement that notification with further information without further undue delay as it becomes available.
6.2 Content of the notification
To the extent known at the time of notification (and consistent with the phased-notification approach in Section 6.1), justsayin’s notification will contain:
(a) a description of the nature of the Personal Data Breach;
(b) the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Customer Personal Data records concerned;
(c) the likely consequences of the Personal Data Breach;
(d) the measures justsayin has taken or proposes to take to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects;
(e) a point of contact at justsayin from whom further information can be obtained;
(f) whether Customer Personal Data of categories referred to in Article 9 GDPR is, or may be, implicated; and
(g) whether the Personal Data Breach originated with, or appears to have originated with, a Sub-processor, and any information relevant to that origin received from the Sub-processor concerned.
On Customer’s reasonable written request, justsayin will provide reasonable forensic evidence relating to the Personal Data Breach (including relevant log extracts), subject to obligations of confidentiality and any applicable legal privilege.
6.3 Containment, investigation, and remediation
justsayin will take appropriate steps to contain, investigate, and remediate any Personal Data Breach affecting Customer Personal Data, and will provide Customer with a written root-cause analysis within 30 days of containment, or such longer period as the parties may reasonably agree.
6.4 Cooperation, costs, confidentiality, and effect of notification
Customer will cooperate with justsayin’s investigation of any Personal Data Breach affecting Customer Personal Data, including by providing information reasonably requested by justsayin relating to Customer’s configuration of the Services, Customer’s handling of project keys or other credentials, or events on Customer’s own systems that may be relevant to the Personal Data Breach.
Where the Personal Data Breach is attributable to justsayin or any of its Sub-processors, the assistance described in this Section 6 is provided at no additional charge. Where the Personal Data Breach is attributable to acts or omissions of Customer — including, for example, the disclosure or misuse of project keys or other credentials, misconfiguration of the Services, or a compromise of Customer’s own systems propagating into the Services — justsayin may, on the same basis as Section 5.7, charge a reasonable fee notified to Customer in advance for the time and resources it expends in providing assistance under this Section.
Customer will treat information received under this Section 6 (including the nature, scope, technical details, forensic findings, and the identity of any Sub-processor concerned) as confidential information of justsayin, except to the extent that disclosure is required to comply with Customer’s own obligations under Articles 33 and 34 GDPR or other Applicable Data Protection Laws, or under a binding order of a supervisory or judicial authority.
The provision by justsayin of a notification or other information under this Section 6 is not, and shall not be construed as, an acknowledgement by justsayin of any fault or liability in respect of the Personal Data Breach.
7. Deletion, Return & Retention
7.1 Customer’s choice on termination
Where Customer initiates deletion of a workspace, project, or other portion of Customer Personal Data through the Services, that action constitutes Customer’s instruction under Article 28(3)(g) GDPR to delete the corresponding Customer Personal Data, and justsayin will delete such data in accordance with Section 7.2 without further action by Customer.
Where the Agreement terminates or expires for any reason other than Customer’s deletion instruction through the Services — including without limitation termination by either party on notice, lapse of Customer’s paid subscription, or termination by justsayin under the Agreement — justsayin will retain Customer Personal Data for a period of 30 days following the effective date of termination (the “Grace Period”). During the Grace Period, Customer may instruct justsayin in writing to return Customer Personal Data to Customer rather than delete it. On any such written request received within the Grace Period, justsayin and Customer will agree, in good faith, a commercially reasonable format for the return, taking into account the volume and categories of Customer Personal Data concerned and the Services’ then-current capabilities. In the absence of a written return request received within the Grace Period, justsayin will delete Customer Personal Data in accordance with Section 7.2 at the end of the Grace Period.
Customer’s exercise of either choice (return or delete) under this Section satisfies the choice contemplated by Article 28(3)(g) GDPR. Once deletion of Customer Personal Data has been initiated under this Section, return is no longer available.
7.2 Deletion timelines
Where Customer Personal Data is to be deleted under this Section 7, justsayin will:
(a) delete the Customer Personal Data from its active production systems within 30 days of the relevant trigger (Customer’s instruction through the Services under Section 7.1, the end of the Grace Period, or any other trigger contemplated by this Section); and
(b) delete the Customer Personal Data from its encrypted backup snapshots within a further 90 days thereafter.
The periods in this Section 7.2 are contractual maxima. In practice, justsayin’s active-system deletion under (a) is performed by automated processes that operate substantially faster than the stated maximum, and the rolling backup-retention window of justsayin’s database Sub-processor referenced in (b) operates substantially faster than the stated maximum (as described in Annex B). The longer ceiling in (b) reflects intentional headroom for future evolution of justsayin’s backup architecture without amendment of this DPA.
7.3 Scope, Sub-processor caches, legal hold, and backup carve-out
The deletion obligations in this Section 7 apply to all Customer Personal Data, as defined in Section 1.4 and further described in Annex A.
Sub-processor caches. Where Customer Personal Data has been Processed by a Sub-processor and persists at that Sub-processor beyond justsayin’s deletion of the corresponding records from its own active systems, deletion at the Sub-processor proceeds in accordance with that Sub-processor’s published retention policy, as referenced in Annex C. justsayin does not force-delete at Sub-processors whose published retention windows exceed those in Section 7.2.
Legal hold. Notwithstanding the deletion obligations in this Section 7, justsayin may retain Customer Personal Data to the extent and for so long as required by Union or Member State law to which justsayin is subject, or as necessary to establish, exercise, or defend legal claims. During any such retention, justsayin will Process the retained Customer Personal Data only for the purpose justifying the retention, and will continue to apply the security measures described in Annex B.
Backup carve-out. For the avoidance of doubt, Customer Personal Data deleted under this Section 7 may persist temporarily in justsayin’s encrypted backup snapshots until the rolling backup-retention window described in Section 7.2(b) expires.
7.4 In-life retention controls and costs
Per-project retention. Customer may configure a maximum retention period for individual feedback records on a per-project basis through the Services. justsayin will delete feedback records that exceed the period so configured in accordance with that setting.
Costs. Any assistance with return, deletion verification, or extended retention that goes beyond the standard functionality of the Services is provided on the cost basis set out in Section 5.7.
8. International Transfers; Data Location
8.1 Data location
justsayin is established in Germany and Processes Customer Personal Data within the European Economic Area (the “EEA”), except where Processing by a Sub-processor involves a transfer of Customer Personal Data outside the EEA as identified in Annex C. Any such transfer is made only under the appropriate safeguards described in Section 8.2 and the measures described in Section 8.3.
8.2 Transfer safeguards
Where any Sub-processor engaged by justsayin provides for onward transfer of Customer Personal Data to non-EEA jurisdictions within that Sub-processor’s corporate structure, such transfers are governed by appropriate safeguards under Articles 45 or 46 GDPR — which may include the Standard Contractual Clauses, an adequacy decision, or other recognised safeguards — as identified per Sub-processor in Annex C.
Where Customer Personal Data is subject to the United Kingdom General Data Protection Regulation, the UK Addendum (Annex E) applies correspondingly. Where Customer Personal Data is subject to the Swiss Federal Act on Data Protection, the Swiss adaptations (Annex F) apply correspondingly. The SCCs themselves are incorporated by reference as set out in Annex D.
8.3 Supplementary measures
In addition to the safeguards described in Section 8.2, justsayin applies the following measures to Customer Personal Data:
(a) Encryption in transit. Customer Personal Data is transmitted to and between Sub-processors over TLS 1.2 or higher.
(b) Data minimisation at the transfer boundary. justsayin transmits to each Sub-processor only the Customer Personal Data necessary for that Sub-processor to perform its function on justsayin’s behalf.
(c) Government access transparency. justsayin will, where lawful, inform Customer of any legally binding request received by justsayin, or notified to justsayin by a Sub-processor, for the disclosure of Customer Personal Data by a public authority, in accordance with Section 12 (Government Requests).
9. Sub-processors
9.1 General authorisation
Customer provides a general written authorisation, under Article 28(2) GDPR, for justsayin to engage the Sub-processors identified in Annex C to Process Customer Personal Data in connection with the Services.
9.2 Notification of changes
justsayin will notify Customer’s designated workspace owner by email of any addition or replacement of a Sub-processor, and will publish the updated list at the public location identified in Annex C, in each case at least fourteen (14) calendar days before the change takes effect.
Where an urgent change is required to maintain the availability, security, or integrity of the Services (for example, a Sub-processor’s failure, security incident, cessation of operations, or other event materially affecting service continuity), justsayin may make the change effective immediately, provided that the replacement Sub-processor satisfies the requirements of Sections 8 and 9.4. In such a case, justsayin will notify Customer as soon as reasonably practicable, and the objection period under Section 9.3 will run from the date of that notification.
9.3 Objection
Customer may object to a new Sub-processor, on reasonable data-protection grounds, by written notice to justsayin within fourteen (14) calendar days of receiving the notification under Section 9.2. The parties will attempt to resolve the objection in good faith. If the parties cannot resolve the objection, Customer may either suspend the Services affected by the Sub-processor change or terminate the Agreement, in each case on written notice, with a pro-rata refund of any prepaid, unused fees for the terminated portion.
9.4 Onward obligations and liability
justsayin will impose on each Sub-processor, by binding written contract, data-protection obligations comparable to those imposed on justsayin under this DPA. Subject to the limitations of liability in Section 14 and the Agreement, justsayin remains liable to Customer for the acts and omissions of its Sub-processors in respect of Customer Personal Data to the same extent as if justsayin had performed those acts or omissions itself.
10. US State Privacy Laws (Service Provider / Processor)
10.1 Application and role
This Section applies to Customer Personal Data that constitutes “personal information” subject to US State Privacy Laws (“Personal Information”), and applies in addition to the remainder of this DPA. With respect to such Personal Information, justsayin acts as a “service provider,” “processor,” or “contractor” (as such or equivalent terms are defined under the applicable US State Privacy Law), and Customer acts as a “business,” “controller,” or equivalent. This Section does not apply to Service Data (Section 1.5) or to Aggregated and Anonymised Data (Sections 1.6 and 2.1(c)), neither of which is Personal Information Processed by justsayin on Customer’s behalf. For the avoidance of doubt, US State Privacy Laws do not apply to justsayin by reason of its own activities; this Section is provided to support Customer’s compliance where Customer is subject to such laws.
10.2 Service-provider commitments
With respect to Personal Information subject to US State Privacy Laws, justsayin will:
(a) not “sell” or “share” such Personal Information (as those terms are defined under the applicable US State Privacy Law);
(b) not retain, use, or disclose such Personal Information for any purpose other than the business purposes of providing and securing the Services as set out in this DPA and the Agreement, including not retaining, using, or disclosing it outside the direct business relationship between the parties, except as permitted by the applicable US State Privacy Law;
(c) not combine such Personal Information with personal information that justsayin receives from, or on behalf of, another person, or collects from its own interaction with a consumer, except as permitted by the applicable US State Privacy Law or as necessary to provide the Services;
(d) require any Sub-processor that Processes such Personal Information to be bound by obligations substantially equivalent to those in this Section, consistent with Section 9.4;
(e) provide Customer with reasonable assistance, in the manner and on the cost basis set out in Sections 5 and 5.7, to enable Customer to respond to verifiable consumer requests to exercise rights under the applicable US State Privacy Law;
(f) comply with its applicable obligations as a service provider, processor, or contractor under the applicable US State Privacy Law, provide the same level of privacy protection for such Personal Information as is required by that law, and notify Customer without undue delay if justsayin determines that it can no longer meet those obligations; and
(g) on Customer’s reasonable written request, and no more than once in any 12-month period, provide a written certification of its compliance with this Section.
10.3 Customer’s right to confirm and remediate
Customer may take reasonable and appropriate steps to confirm that justsayin uses such Personal Information in a manner consistent with Customer’s obligations under the applicable US State Privacy Law, including by means of the information and audit mechanisms in Section 4. On notice of any unauthorised use of such Personal Information, justsayin will cooperate with Customer to stop and remediate the unauthorised use.
11. AI Processing & Third-Party AI Services
11.1 Scope of this Section
This Section governs justsayin’s engagement of AI Sub-processors (as defined in Section 1.7) to Process Customer Personal Data in connection with the Services. It applies to any AI Sub-processor justsayin engages for that purpose, whether identified in Annex C as at the date of this DPA or engaged subsequently in accordance with Section 9. This Section does not name a specific provider; the AI Sub-processors then engaged are identified in Annex C, and a change of AI Sub-processor is governed by Section 9.
This Section applies only to AI Processing of Customer Personal Data carried out by justsayin as Processor to provide the Services. It does not apply to: (a) justsayin’s use of artificial intelligence for its own internal or operational purposes that does not involve Customer Personal Data, which concerns Service Data and is governed by justsayin’s Privacy Policy as described in Sections 1.5 and 2.1(b); or (b) any Processing of Aggregated and Anonymised Data, which is not Customer Personal Data and is governed by Sections 1.6 and 2.1(c).
11.2 AI Processing is part of the Services
AI Processing is inherent to, and necessary for, the provision of the Services. The Services use AI to transcribe voice feedback into text and to derive analytical metadata from that feedback; the transcription of voice feedback in particular cannot be delivered without AI Processing of the relevant Customer Personal Data. Such Processing is carried out only to provide the Services, on Customer’s documented instructions as constituted by Customer’s use and configuration of the Services (Section 2.3). On Customer’s reasonable written request, justsayin will confirm the AI Sub-processors then engaged in connection with Customer’s workspace.
11.3 No training; no secondary use
Consistent with Section 2.2, justsayin will not use Customer Personal Data to train, fine-tune, or otherwise improve any artificial-intelligence or machine-learning model, whether justsayin’s own or an AI Sub-processor’s, and will not authorise, enable, or instruct any AI Sub-processor to do so. justsayin Processes Customer Personal Data through AI Sub-processors solely to provide the Services and for no other purpose.
11.4 Engagement of AI Sub-processors
justsayin engages AI Sub-processors only through their programmatic application-programming-interface (API) services, and not through consumer-facing endpoints. justsayin engages AI Sub-processors under data-processing terms and published data-usage policies which provide that Customer Personal Data submitted through the API is not used to train or improve the provider’s models, that retention of such data is limited to what is necessary to provide the service and for the provider’s abuse-monitoring, safety, or legal-compliance purposes, and that access to such data is restricted to authorised personnel. The data-usage and retention posture of each AI Sub-processor is described in Annex C. Deletion of Customer Personal Data persisting at an AI Sub-processor is governed by Section 7.3.
11.5 Nature of AI output; no automated decisions concerning Data Subjects
The AI Processing performed by justsayin produces transcripts and analytical metadata about feedback — such as classification and summary metadata — to support Customer’s own review of, and decisions about, that feedback. justsayin does not use this output to take decisions in respect of Data Subjects, and the output is not intended to produce legal effects concerning Data Subjects or to similarly significantly affect them. Any decision taken on the basis of feedback is made by Customer.
11.6 Documentation
AI Sub-processors are identified in Annex C with their purpose, processing locations, transfer safeguards, and data-usage and retention posture, and are subject to the change-notification process in Section 9.
12. Government Requests
12.1 Requests received by justsayin
If justsayin receives a legally binding request from a public authority, or other legally compelled demand or legal process (such as a court order or subpoena), for the disclosure of Customer Personal Data, justsayin will:
(a) promptly notify Customer of the request, so as to enable Customer to seek protective relief, unless justsayin is legally prohibited from doing so; where justsayin is so prohibited, justsayin will use reasonable and lawful efforts to obtain a waiver of the prohibition in order to notify Customer, and will notify Customer as soon as it is legally permitted to do so;
(b) take reasonable steps to challenge, where it has a lawful basis to do so, any request that appears overbroad, unlawful, or inconsistent with Applicable Data Protection Laws;
(c) disclose only the minimum amount of Customer Personal Data necessary to comply with the request;
(d) where lawful and practicable, inform the requesting authority that justsayin acts as a Processor on Customer’s behalf and seek to redirect the request to Customer as the Controller; and
(e) not disclose Customer Personal Data to a public authority of a third country except where required to do so by Union or Member State law, or on the basis of an international agreement (such as a mutual legal assistance treaty) in force between the requesting third country and the Union or a Member State, consistent with Article 48 GDPR.
12.2 Requests received by a Sub-processor
Where a request described in Section 12.1 is received by a Sub-processor rather than by justsayin, the request is handled under that Sub-processor’s own obligations, including, where applicable, Clause 15 of the SCCs and the obligations imposed under Section 9.4. justsayin will inform Customer of any such request notified to it by a Sub-processor, in accordance with Section 8.3(c) and on the basis set out in Section 12.1.
13. Aggregated & Anonymised Data
The treatment of Aggregated and Anonymised Data — data derived from Customer Personal Data that has been irreversibly anonymised within the meaning of Recital 26 GDPR — is governed by the definition in Section 1.6 and the operative provisions in Section 2.1(c), which place it outside the Processor relationship under this DPA. To avoid divergence, those terms are stated once, in Sections 1.6 and 2.1(c), and are not restated here; they are the single source.
14. Liability; Indemnity; Order of Precedence
14.1 Limitation of liability
justsayin’s liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement. The limitations and exclusions of liability applicable under the Agreement and this Section 14 apply once, in the aggregate, to justsayin’s total combined liability towards Customer arising out of or in connection with the Agreement, this DPA, and the Standard Contractual Clauses, and not cumulatively.
Where, for any reason, the Agreement does not contain a limitation of liability applicable to a claim under this DPA, the following applies to that claim, subject to the third paragraph of this Section 14.1:
(a) for a breach, caused by simple negligence, of an essential contractual obligation — that is, an obligation whose fulfilment makes the proper performance of the Agreement possible in the first place and on whose observance the other party regularly relies and may rely (a “cardinal duty”) — justsayin’s liability is limited to the damage foreseeable and typical for an agreement of this kind; where Customer pays fees under the Agreement, such liability will not in any event exceed, in the aggregate, the total fees paid or payable by Customer in the twelve (12) months preceding the event giving rise to the claim; and
(b) any other liability of justsayin for simple negligence is excluded.
Nothing in this Section 14.1 limits or excludes liability that cannot be limited or excluded under mandatory applicable law, including liability for intent (Vorsatz) or gross negligence (grobe Fahrlässigkeit), for injury to life, body, or health, or any other liability that mandatory law does not permit to be limited. The limitations in this Section 14.1 apply only as between the parties and do not limit, and do not purport to limit, any liability of either party to a Data Subject, including any liability under Article 82 GDPR or under the Standard Contractual Clauses.
14.2 Indemnity
Customer will indemnify justsayin against third-party claims relating to Customer Personal Data (including claims brought by Data Subjects, supervisory authorities, or other public authorities), and the reasonable costs of defending them, to the extent arising from: (a) Customer’s breach of its responsibilities and warranties under Section 2.6; (b) an instruction of the kind described in Section 2.4; or (c) Customer’s material violation of Applicable Data Protection Laws, or material breach of the Standard Contractual Clauses or the UK or Swiss instruments (Annexes E and F), with respect to Customer Personal Data — in each case irrespective of which party carried out the operative Processing. This indemnity is conditional on justsayin: (i) promptly notifying Customer in writing of the claim; (ii) permitting Customer to control the defence and settlement of the claim; and (iii) providing reasonable cooperation, at Customer’s expense. Customer may not settle any claim in a manner that imposes any non-monetary obligation or admission of fault on, or requires any payment by, justsayin without justsayin’s prior written consent (not to be unreasonably withheld or delayed). This indemnity does not extend to any administrative fine or penalty imposed on justsayin to the extent that its assumption by Customer is not permitted under mandatory applicable law.
14.3 Statutory rights of recourse
Nothing in this Section 14 limits any statutory right of recourse that either party may have against the other, including the right of recourse between a Controller and a Processor under Article 82(5) GDPR for the share of any compensation paid to a Data Subject that corresponds to the other party’s part of the responsibility for the damage. This Section 14.3 preserves such rights of recourse only, and does not otherwise affect the limitations and exclusions of liability in Section 14.1.
14.4 Order of precedence
(a) Where Customer Personal Data is transferred under the Standard Contractual Clauses or the UK or Swiss instruments, those instruments prevail, in respect of that transfer and to the extent of any conflict, as set out in Section 15.3.
(b) Subject to paragraph (a), if there is any conflict between this DPA and the Agreement with respect to the Processing of Customer Personal Data, this DPA prevails.
(c) Paragraph (b) does not displace the limitations and exclusions of liability applicable under Section 14.1. Those limitations and exclusions — whether contained in the Agreement or, failing that, in Section 14.1 — govern justsayin’s liability under both the Agreement and this DPA, notwithstanding any other provision of this DPA.
15. Miscellaneous
15.1 Duration and survival
This DPA takes effect on Customer’s acceptance of the Agreement and remains in effect for as long as justsayin Processes Customer Personal Data on Customer’s behalf under the Agreement, notwithstanding any expiry or termination of the Agreement. Provisions that by their nature should survive termination — including Sections 3.2 (Confidentiality), 6 (Security Incidents), 7 (Deletion, Return & Retention), 12 (Government Requests), 14 (Liability), and this Section 15 — survive for as long as necessary to give them effect.
15.2 Governing law and jurisdiction
This DPA is governed by, and construed in accordance with, the laws of the Federal Republic of Germany, excluding its conflict-of-laws rules and the United Nations Convention on Contracts for the International Sale of Goods. Where Customer is a merchant (Kaufmann), a legal person under public law, or a special fund under public law, or has no general place of jurisdiction in Germany, the courts of Berlin, Germany have exclusive jurisdiction over any dispute arising out of or in connection with this DPA; in all other cases, the statutory rules on jurisdiction apply. The governing law and jurisdiction applicable to the SCCs are as set out in Annex D.
15.3 Order of precedence for transfer mechanisms
Where Customer Personal Data is transferred under the Standard Contractual Clauses (Annex D), the UK Addendum (Annex E), or the Swiss adaptations (Annex F), and a conflict arises between any such instrument and the remainder of this DPA or the Agreement in respect of that transfer, the relevant transfer instrument prevails to the extent of the conflict. The general order of precedence between this DPA and the Agreement is set out in Section 14.
15.4 Amendments
justsayin may amend this DPA from time to time, as follows:
(a) Material amendments — amendments that materially reduce Customer’s rights or justsayin’s obligations, expand the scope or change the location of Processing, or reduce justsayin’s security commitments: justsayin will give Customer at least 30 days’ prior notice. During the notice period, Customer may object on reasonable grounds and, failing resolution in good faith, terminate the affected Services or the Agreement on written notice, with a pro-rata refund of any prepaid, unused fees for the terminated portion. The addition or replacement of a Sub-processor is governed by the separate notice and objection mechanism in Section 9, and not by this Section 15.4(a).
(b) Non-material amendments — amendments that do not materially affect Customer’s rights (including clarifications, corrections, formatting changes, and Sub-processor removals): justsayin may make these effective without prior notice and will record them in the changelog maintained for this DPA.
(c) Legally-required amendments — amendments required to comply with Applicable Data Protection Laws, binding regulatory guidance, or a court or supervisory-authority decision: justsayin may make these effective on the date required and will inform Customer; no opt-out applies to the extent the change is legally mandated.
15.5 Notices
Notices under this DPA must be in writing. Notices to Customer are given by email to Customer’s designated workspace owner (or as otherwise specified in the Agreement) and are effective when sent. Notices to justsayin are given to privacy@justsayin.io and are effective when received. Either party may update its address for notices by notifying the other.
15.6 Severability
If any provision of this DPA is or becomes invalid or unenforceable in whole or in part, the validity of the remaining provisions is not affected. The invalid or unenforceable provision is replaced by the applicable statutory provisions (§ 306(2) BGB).
15.7 Third-party rights
This DPA does not confer any rights on, and is not enforceable by, any third party, except that Data Subjects may enforce the rights expressly conferred on them under the SCCs (Annex D) and the corresponding UK and Swiss instruments (Annexes E and F).
15.8 Relationship of the parties
The parties are independent contractors. This DPA does not create any partnership, joint venture, agency, or fiduciary relationship between them.
15.9 Data-protection contact
Data-protection inquiries relating to this DPA may be directed to justsayin at privacy@justsayin.io.
15.10 Language
This DPA is drafted and concluded in the English language, and the English version governs. justsayin may make available a translation for convenience only; in the event of any conflict between the English version and a translation, the English version prevails.
Annex A — Description of Processing
This Annex sets out the information required by Article 28(3) GDPR and, where the SCCs apply (Annex D), by Annex I of the SCCs. The obligations and rights of the Customer as Controller are set out in the body of this DPA, in particular Sections 2 (Roles; Scope; Instructions), 5 (Assistance; Data Subject Requests), 7 (Deletion, Return & Retention), and 9 (Sub-processors).
A.1 Parties and roles
The data exporter / Controller is the Customer. The data importer / Processor is Unendlich UG (haftungsbeschränkt), operator of justsayin, as identified in the Parties section of this DPA. justsayin Processes Customer Personal Data solely as Processor, on Customer’s documented instructions (Section 2).
A.2 Subject matter
The provision of the Services: a voice-first feedback platform through which Customer collects, reviews, and manages feedback submitted by its end users via Customer’s feedback widget and, where Customer enables it, Customer’s public feedback board.
A.3 Nature of the Processing
Collection; storage; transcription of voice recordings into text; AI-based analysis and classification of feedback; generation of AI-derived analytical metadata; grouping of related feedback; display to Customer’s authorised users and, where Customer enables the public board, to the public; transmission to the Sub-processors listed in Annex C to the extent necessary to perform these functions; and deletion.
A.4 Purpose of the Processing
To enable Customer to collect and understand end-user feedback, namely: capturing voice and text feedback on Customer’s behalf; transcribing audio to text; analysing feedback for triage and discovery; grouping related feedback; presenting feedback to Customer and, where Customer enables it, on Customer’s public board; notifying Customer’s team of new or changed feedback; and enabling end users to access or delete their own feedback (Sections 5.2–5.3).
A.5 Duration of the Processing
For the term of the Agreement, and thereafter as set out in Section 7 (Deletion, Return & Retention). Live retention follows the per-project retention period configured by Customer; on termination, the Grace Period and deletion timelines in Section 7 apply. Section 7 is the single source for retention and deletion periods.
A.6 Frequency of the Processing
Continuous, on an ongoing basis, determined by end users’ submission of, and interaction with, feedback through the Services.
A.7 Categories of Data Subjects
(a) End users of Customer’s website or application who submit feedback through the feedback widget; and
(b) where Customer enables the public feedback board, end users who interact with that board, including those who upvote, comment, or create a board profile.
Customer’s own team members and account users are not Data Subjects under this DPA; data relating to them is Service Data (Section 1.5), for which justsayin acts as an independent Controller.
A.8 Categories of Customer Personal Data
(a) Feedback content — voice recordings, the text transcripts derived from them, typed feedback, and any user-initiated screenshots;
(b) Page and session context — the page on which feedback is submitted and related session and interaction context, together with a randomly generated, browser-tab-scoped session identifier that is not, by itself, linkable to an identified individual;
(c) Device and technical information — basic information about the end user’s browser and device;
(d) Optional end-user identifiers — a user identifier and/or email address, Processed only where Customer’s integration chooses to supply them (Customer is instructed to keep any user identifier opaque; see Section 5.3);
(e) AI-derived data — analytical metadata generated from feedback and used to classify, organise, and group related feedback;
(f) Public-board interaction data (only where Customer enables the public feedback board) — a public display name, an optional notification email, and the content end users post to the board (such as comments and upvotes); and
(g) Consent records. justsayin does not persist a consent record for widget feedback. Where the widget shows a voice-recording notice, only the fact that it has been shown is stored on the end user’s own device (on the Customer’s website); justsayin neither receives nor stores that marker or any identifier associated with it.
A.9 Special categories of Personal Data (Article 9 GDPR)
justsayin does not intend to Process special categories of Personal Data, and the Services are not designed or marketed for that purpose. Because feedback is free-form, an end user may nonetheless incidentally disclose such data (for example, health information) within a voice recording or free-text feedback. Customer’s responsibilities in respect of such data are set out in Section 2.6(c). justsayin applies the security measures described in Annex B to all Customer Personal Data, including any special-category or criminal-offence data so disclosed.
justsayin transcribes voice recordings into text and does not perform speaker identification, voiceprinting, or any biometric matching. Voice recordings are therefore not Processed as biometric data “for the purpose of uniquely identifying a natural person” within the meaning of Article 9(1) GDPR.
A.10 Competent supervisory authority
Where the SCCs apply, the competent supervisory authority is that of the Customer as data exporter, determined in accordance with Clause 13 of the SCCs and Annex I.C thereto.
Annex B — Technical and Organisational Measures
This Annex describes the technical and organisational measures justsayin implements to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR and, where the SCCs apply (Annex D), Annex II of the SCCs. The measures are described at the level of principle and capability; justsayin may update individual measures from time to time provided the overall level of security of the Services is not materially decreased (Section 4.3). The operative commitments behind several of these measures are set out in the body of this DPA, as cross-referenced below.
B.1 Encryption
Customer Personal Data is encrypted in transit between end users, justsayin, and its Sub-processors using TLS 1.2 or higher (Section 8.3(a)), and is encrypted at rest in justsayin’s database and object storage.
B.2 Access control and authentication
Access to Customer Personal Data within the Services is governed by role-based authorisation enforced in the application layer, applying least-privilege and tenant-isolation principles so that each Customer’s authorised users can access only that Customer’s data. Access is authenticated through justsayin’s authentication system, which supports single sign-on through established identity providers, including any multi-factor authentication those providers enforce.
B.3 Personnel and confidentiality
Access to Customer Personal Data is limited to authorised persons who require it to provide the Services, each bound by appropriate confidentiality obligations and acting only on justsayin’s instructions, as set out in Section 3.
B.4 Pseudonymisation and data minimisation
Feedback submitted through the widget is, by design, associated with a randomly generated, session-scoped identifier and carries a Customer-supplied identifier only where the Customer chooses to provide one (Sections 5.3 and A.8). justsayin transmits to each Sub-processor only the Customer Personal Data necessary for that Sub-processor to perform its function (Section 8.3(b)), and minimises personal data in its operational and observability logs before those logs leave justsayin’s systems.
B.5 Confidentiality, integrity, availability, and resilience
justsayin’s production systems run on managed infrastructure that provides redundancy and resilience, including a database configuration with a standby replica and automatic failover, and object storage with high durability. Service health and security-relevant events are monitored on an ongoing basis (Section 6).
B.6 Restoration and backups
justsayin’s database Sub-processor maintains continuous archiving of changes and supports point-in-time restoration, enabling justsayin to restore the availability of, and access to, Customer Personal Data in a timely manner appropriate to the risk in the event of a physical or technical incident (Article 32(1)(c) GDPR). Deletion of Customer Personal Data from backups follows the timelines in Section 7.2.
B.7 Regular testing and secure development
justsayin tests and evaluates the effectiveness of its measures on an ongoing basis, including automated static application security testing and automated scanning of software dependencies for known vulnerabilities within its development and deployment pipeline (Section 4.2). Changes are released through an automated, repeatable deployment process.
B.8 Logging and incident detection
justsayin maintains operational and security logging, with personal data minimised at the point of collection (Section B.4), and operates automated monitoring to detect security-relevant anomalies. justsayin’s procedures for responding to Personal Data Breaches are set out in Section 6.
B.9 Sub-processor management
justsayin engages Sub-processors only under binding written contracts imposing data-protection obligations comparable to those in this DPA, and maintains the list and change-notification process described in Section 9 and Annex C.
B.10 Physical security
justsayin operates remotely and maintains no data-centre infrastructure of its own; the physical and environmental security of the facilities in which Customer Personal Data is Processed is provided by justsayin’s infrastructure Sub-processors, whose locations and applicable safeguards are identified in Annex C.
B.11 Deletion and retention
Customer Personal Data is retained and deleted in accordance with the retention controls and deletion timelines set out in Section 7.
Annex C — Sub-processors
The current list of Sub-processors engaged by justsayin to Process Customer Personal Data is maintained at app.justsayin.io/dpa/subprocessors. The list is incorporated into this DPA by reference and, in accordance with Annex III of the SCCs, identifies for each Sub-processor: (a) the contracting entity and its place of establishment; (b) the purpose of, and a general description of, the Processing; (c) the jurisdiction(s) in which Processing occurs; and (d) the applicable transfer safeguard under Section 8.2 where Processing involves a non-EEA jurisdiction. The categories of Customer Personal Data are those set out in Annex A.8. Sub-processor changes are governed by Section 9.
Annex D — Incorporation of Standard Contractual Clauses
Where the Standard Contractual Clauses adopted by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021 apply to a transfer of Customer Personal Data described in Section 8, the SCCs are incorporated into this DPA by reference, with the following selections and completions:
(a) The optional docking clause in Clause 7 does not apply.
(b) In Clause 9, Option 2 (general written authorisation) applies; the prior-notice period for Sub-processor changes is as set out in Section 9 of this DPA.
(c) The optional redress mechanism in Clause 11 does not apply.
(d) In Clause 17, the SCCs are governed by the laws of Germany.
(e) In Clause 18(b), disputes arising under the SCCs are resolved before the competent courts of Berlin, Germany.
(f) The information required by Annex I, Annex II, and Annex III of the SCCs is set out in Annexes A, B, and C of this DPA respectively.
Where the obligations of the SCCs for a given transfer are carried by a Sub-processor’s own contractual arrangements (as identified in Annex C), this Annex D operates as a defensive incorporation for any direct transfer by justsayin to a non-EEA Sub-processor not covered by such Sub-processor arrangements.
Annex E — United Kingdom International Data Transfer Addendum
Where Customer Personal Data is subject to the United Kingdom General Data Protection Regulation (“UK GDPR”) and is transferred outside the United Kingdom to a third country not covered by a UK adequacy regulation, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the United Kingdom Information Commissioner under section 119A of the Data Protection Act 2018 (the “UK Addendum”), is incorporated into this DPA by reference. The UK Addendum supplements and amends the SCCs incorporated under Annex D for the UK dimension of the relevant transfer.
The information required by Tables 1, 2, and 3 of the UK Addendum is provided by Annexes A, C, and D of this DPA respectively. In Table 4 of the UK Addendum, the parties agree that either party may end the UK Addendum in the circumstances permitted by Section 19 of the UK Addendum.
Annex F — Swiss Adaptations
Where Customer Personal Data is subject to the Swiss Federal Act on Data Protection (the “FADP”) and is transferred outside Switzerland to a third country not covered by a Swiss adequacy decision, the SCCs incorporated under Annex D apply with the following adaptations, in accordance with the guidance of the Swiss Federal Data Protection and Information Commissioner (the “FDPIC”):
(a) References in the SCCs to “the Regulation” or “the GDPR” are read to include the FADP as applicable.
(b) References to a “Member State” or “EU Member State” are read to include Switzerland.
(c) References to a “supervisory authority” are read to include the FDPIC for transfers governed by the FADP.
(d) For FADP-only matters, the governing law of the SCCs is Swiss law, and disputes are resolved before the competent courts of Switzerland.
Annex G — US State-Specific Terms
This Annex is the addendum referenced in Section 1.2 for Customer Personal Data that is subject to US State Privacy Laws (as defined in Section 1.9). The operative service-provider / processor / contractor terms are set out in Section 10 of this DPA and apply only to such Personal Information. To avoid divergence, those commitments are stated once, in Section 10, and are not restated here; Section 10 is the single source of the US-state terms.