Data Processing Addendum

1. NATURE AND PURPOSE OF PROCESSING

1.1 Cutover is a provider of a cloud-hosted collaborative automation Platform and associated services. Cutover provides a single Platform for planning, orchestration, observability and analysis, updated in real time and visible to all within an organisation or its company group. Cutover integrates machine activity, leverages automation, and replaces multiple spreadsheets, outdated toolsets, fragmented communications, and manual reporting. Customers may purchase one or more Platform Products depending on their use case needs. Cutover also provides a number of associated Services in connection with the Platform, including CSIT Services, Professional Services and Additional Services. Personal Data will be processed for the provision of Services to Customer.

2. CATEGORIES OF DATA SUBJECTS

2.1 The Personal Data transferred concerns the following data subjects:

• (a) Individuals authorised by Customer or its Affiliates to access, use or receive Services.

3. CATEGORIES OF PERSONAL DATA

3.1 The Personal Data processed concerns the following categories of data determined, controlled and submitted by Customer, its Affiliates or the Users to the Platform or otherwise provided to Cutover or its Affiliates in connection with the provision of Services:

• (a) First and last name
• (b) Contact information (email, phone, business address)
• (c) Professional details (company/employer, job title, position)
• (d) Location data
• (e) Personal life data (in the form of a memorable word and other security questions, if applicable based on User input)
• (f) IP Addresses

4. SENSITIVE DATA / SPECIAL CATEGORIES OF PERSONAL DATA

4.1 Customer, its Affiliates and Users will not submit any special categories of Personal Data in connection with the Services.

5. DURATION OF PROCESSING

5.1 The Personal Data will be processed for the Term of the Agreement, subject to longer processing pursuant to the Backup Data Retention clause of the applicable service terms, on the written instructions of Customer or as otherwise required by applicable law.

6. TECHNICAL & ORGANISATIONAL SECURITY MEASURES

6.1 As set out in Cutover's Security Policy.

APPROVED SUB-PROCESSORS

|| {{ name: cms-large-table, colwidths: 1/5, 1/5, 1/5, 1/5, 1/5 }} ||

|| SUB‑PROCESSOR || REGISTERED COMPANY LOCATION || TECHNOLOGY TOOL / SUBJECT MATTER / NATURE OF PROCESSING || SUB‑PROCESSOR PRIMARY DATA PROCESSING/HOSTING LOCATION (SPECIFICS) || PERSONAL DATA (PD) TRANSFERRED TO AND/OR PROCESSED ||

|| CUTOVER – AFFILIATE SUB‑PROCESSORS {{ colspan: 5 }} ||

|| If Cutover Entity is Godesic Limited – Cutover Inc. || United States || Affiliate Service Provider / Sub‑Processor – Cutover Service provision || United States (Hosting via AWS below) || PD Processed: As per the list of Cutover Users’ Personal Data set out in the DPA with Customer. Refer to Schedule 2 of Cutover’s MSA for the DPA ||

|| If Cutover Entity is Cutover Inc. – Godesic Limited || United Kingdom || Affiliate Service Provider / Sub‑Processor – Cutover Service provision || United Kingdom (Hosting via AWS below) || ||

|| EXTERNAL THIRD‑PARTY SUB‑PROCESSORS {{ colspan: 5 }} ||

|| Amazon Web Services, Inc. {{rowspan:2 }} || United States and European Union || AWS – Application hosting and cloud processing || UK/EEA/ROW Customers: Ireland and Frankfurt (EU) US Customers: US‑East and US‑West || PD Processed: As per the list of Cutover Users’ Personal Data set out in the DPA at Schedule 2 ||

|| United States || AWS (AI Features) – Artificial Intelligence (AI), data model and application‑related functionalities || US ‑ US‑East and US‑West || PD Processed: As per the list of Cutover Users’ Personal Data set out in the DPA at Schedule 2 ||

|| Google LLC / Google Cloud EMEA Ltd. / Looker Data Sciences, Inc. {{rowspan:2 }} || United States and European Union {{rowspan:2 }} || GCP – Application hosting and cloud processing || EU & US ‑ United States and European Union || PD Processed (GCP): As per the list of Cutover Users’ Personal Data set out in the DPA at Schedule 2 ||

|| Looker – Application analytics and usage reporting || EU ‑ Ireland (Dublin) || PD Processed (Looker): As per the list of Cutover Users’ Personal Data set out in the DPA at Schedule 2 ||

|| Twilio, Inc. || United States || Twilio – Communication provider || US ‑ Virginia || PD Processed: Cutover Users’ Phone numbers ||

|| Datadog, Inc. || United States || DataDog – Application alerting and monitoring || EU ‑ Germany (Frankfurt) || PD Processed: Cutover Users’ First and Last Names (or Usernames if different), Email Addresses ||

|| Intercom, Inc. || United States || Intercom – Application Customer Support || US ‑ Virginia EU ‑ Ireland (Dublin) || PD Processed: Cutover Users’ First and Last Names (or Usernames if different), Email Addresses, Company, Role and Title, Locations (City/Country) ||

APPROVED TRANSFER MECHANISM

Cutover and Customer hereby agree that if Customer’s use of the Services involves:

• (a) a transfer of Personal Data from the EEA or Switzerland to Cutover Inc., then the EU SCCs Module 2 will apply; or
• (b) a transfer of Personal Data from the UK to Cutover Inc., then the IDTA Addendum will apply.

Accordingly, each Party agrees that it shall be deemed that they have executed the applicable Approved Transfer Mechanism as if the clauses were set out here in full with the following particulars specified (to the extent required for the EU SCCs and IDTA Addendum):

|| {{ name: cms-large-table, colwidths: 1/3, 1/3, 1/3 }} ||

|| GENERAL {{ colspan: 3 }} ||

|| List Of Parties {{rowspan: 3}} || Data Exporter / Exporter: Customer (on behalf of itself and its Affiliates located within the UK, EEA and Switzerland). Contact information as set out in the Subscription Order Form. Customer processes Personal Data in the ordinary course of its business, and desires to obtain the processing services of Cutover in connection with its use of the Services.{{ colspan: 2 }} ||

|| Data Importer / Importer: Cutover Inc. (a Delaware Corporation), principal place of business at 27 E, 28th Street, NY 10016, USA. Cutover Inc. enables organisations to orchestrate work across teams and technologies in dynamic, automated runbooks with real-time visibility and control, and provides data processing services to the Customer in accordance with the terms of this Agreement. {{ colspan: 2 }} ||

|| Representative Contact Details: The Data Exporter / Exporter and Data Importer / Importer representatives are the authorised signatories of each Party to the Subscription Order Form and their contact details are the Legal Notice Emails set forth therein. {{ colspan: 2 }} ||

|| Description of Transfer {{ rowspan: 5 }} || EU SCCs Module: Module Two – Transfer Controller to Processor {{ colspan: 2 }} ||

|| Processing Particulars || The nature and purpose of processing, categories of data subject, categories of data, duration of processing and period for which Personal Data will be retained shall be as set out in the Data Processing Addendum. ||

|| Frequency of Transfer: || Continuous based on Customer's use of the Services. ||

|| Subject Matter, Nature and Duration of Transfer to Sub-Processors || As set out in the Data Processing Addendum. ||

|| OPTIONAL CLAUSES || Clause 7 of the EU SCCs: Does not apply.
Clause 11 of the EU SCCs: The optional language does not apply. ||

|| COMPETENT SUPERVISORY AUTHORITY || EU SCCs || For Annex I.C: The competent supervisory authority shall be the applicable supervisory authority for the Data Exporter. ||

|| TECHNICAL AND ORGANISATIONAL MEASURES {{ colspan: 3}} ||

|| Security Measures || The technical and organisational security measures implemented by the Data Importer are as set out in the Data Processing Addendum and serves as Annex II of the EU SCCs and Annex II of Table 2 of the IDTA Addendum. {{ colspan: 2 }} ||

|| SUB-PROCESSORS {{ colspan: 3 }} ||

|| Approved Sub-Processors || As per the list of Approved Sub-Processors.  {{ colspan: 2 }} ||

|| New Sub-Processor Notification || Clause 9(a) of the EU SCCs: Option 2: General Written Authorisation applies with the time period for notice of intended changes as set out at Clause 8.5 of the Service Terms.  {{ colspan: 2 }} ||

|| ADDITIONAL PARTICULARS {{ colspan: 3 }} ||

|| Governing Law & Forum || EU SCCs || Clause 17: Option 1 – the laws of the Republic of Ireland will apply.
Clause 18(b): the courts of the Republic of Ireland will apply. ||

|| Termination || Table 4 of the IDTA Addendum || Both the Importer and Exporter may terminate the IDTA Addendum in accordance with the Service Terms. ||