Data Processing Addendum

DATA PROCESSING ADDENDUM

1. DATA PROCESSING ADDENDUM
   
   1. Order of Precedence | To the extent the Parties have agreed any variation, amendment or replacement of these data protection terms in a Master Subscription Agreement or other principal agreement executed between the Parties, such variation, amendment or replacement shall prevail over this Data Processing Addendum to the extent of any conflict or inconsistency.
   2. Data Protection Law | The Parties acknowledge and agree that with respect to the processing of Customer’s Users’ Personal Data for the provision of Services, Customer is a Controller and Cutover is a Processor. The terms of this Schedule apply to such processing. In relation to the processing by each Party of the business contact information (Personal Data) of the other Party’s representatives in the ordinary course of business (including in relation to the negotiation and execution of the Agreement and each Order Form and account management purposes) (the “Excluded Processing Activities”), Cutover and Customer are independent Controllers and each Party will comply with its own Controller obligations. 
   3. Customer Obligations | In relation to receipt and use of the Services, Customer will ensure: (a) that it has all necessary appropriate safeguards, consents and notices in place to enable the lawful transfer of Personal Data to Cutover for the duration and purposes of this Agreement; and (b) its instructions to Cutover for processing of Personal Data comply with applicable Data Protection Law. Customer shall not submit any sensitive Personal Data into the Cutover Instance or any: (i) consumer reports as defined in the US Fair Credit Reporting Act, as amended (“FCRA”), (ii) protected health information as defined under the US Health Insurance Portability and Accountability Act, as amended (“HIPAA”) that has not been de-identified in compliance with HIPAA, (iii) non-public personal information as defined under the US Gramm-Leach-Bliley Act, as amended (“GLBA”), or (iv) special categories of personal data (sensitive personal data) as defined in the GDPR and/or the UK GDPR.
   4. Cutover Obligations | In the provision of Services to Customer, Cutover shall:
      
      1. process Personal Data in accordance with Customer’s documented instructions unless such instructions are contrary to applicable law and only for the performance of this Agreement, the subject matter and scope of which is set forth in the Data Processing Addendum;
      2. not transfer any Personal Data from the United Kingdom, the EEA or Switzerland to a third country which the UK Data Protection Authority, EU Commission or Swiss Data Protection Authority (as applicable) has not provided an adequacy decision as having an adequate level of protection unless Cutover has provided appropriate safeguards under Data Protection Law in relation to the transfer which may include, but not limited to, the entry into an Approved Transfer Mechanism;
      3. to the extent required by Data Protection Law, assist Customer in ensuring compliance with Customer’s Controller obligations under Data Protection Law taking into account the nature of the processing and information available to Cutover;
      4. make available to Customer all information necessary to demonstrate compliance with Cutover’s obligations under the Data Protection Law and allow for and contribute to reasonable audits, including inspections, conducted by Customer or a third party auditor mandated by Customer;
      5. ensure that its Personnel authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
      6. at the written direction of Customer, delete or return Personal Data and copies thereof to Customer on expiry or termination of the Agreement unless required by applicable law to store the Personal Data and subject to encrypted backup retention in accordance with this Agreement;
      7. maintain complete and accurate records and information to demonstrate its compliance with this clause and inform Customer if, in the opinion of Cutover, an instruction infringes the Data Protection Law;
      8. confirm receipt of any data subject rights request, promptly forward the request to Customer and, to the extent possible taking into account the nature of processing, assist the Customer in its obligations to respond to requests for the exercise of the rights of data subjects; and
      9. provide reasonable cooperation and assistance to Customer with respect to its obligations as a Controller in the carrying out of any data protection impact assessments and consultations with its supervisory authority. 
   5. Approved Sub-Processors | Customer consents to Cutover appointing each of the Sub-Processors as third-party processors of Customer Data and User Personal Data under this Agreement as required to provide the Services. Cutover confirms that either it or its Affiliates has entered into and will maintain written agreements with each Sub-Processor which reflect the requirements under Data Protection Law. As between Customer and Cutover, Cutover shall remain fully liable for all acts or omissions of all Sub-Processors appointed by it or its Affiliates pursuant to this clause.
   6. New Sub-Processors | Cutover will provide Customer with thirty (30) days advance written notice of any proposed additional or replacement Sub-Processors (“Notification Period”). Customer may object to such change on reasonable grounds, such as where it has concerns regarding the security of Personal Data, within the Notification Period by sending a notification to contract.notices@cutover.com and agrees to set out an explanation for the objection within the notification. In the event of such an objection, Cutover will not use the applicable Sub-Processor(s) in the provision of Services to Customer and the Parties agree to discuss commercially reasonable alternative solutions in good faith. If the Parties cannot reach a resolution within ninety (90) days of the end of the Notification Period, Customer may request not to have access to the affected feature or component of the Services. 
   7. Security Policy | During the Subscription Term, Cutover will maintain a written security policy that includes policies, procedures and controls aligned to ISO27001, or a substantially equivalent standard, that includes Good Industry Practices designed to protect Customer Data from a Security Incident (“Security Policy”).
   8. Security Measures | In providing the Services, Cutover shall:
      
      1. comply with the measures and standards set out in its Security Policy and test the effectiveness of such security measures (at least once annually); and
      2. ensure that it has in place appropriate technical and organisational measures designed to protect against a Security Incident, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Customer Data and Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it).
   9. Testing & Audit Reports | During the Term, Cutover will conduct annual penetration testing or other regular security testing and assessments of the Cutover Instance. Upon written request from Customer (not more than once annually), Cutover will provide Customer a copy of or online viewing access to reports summarizing such testing and assessments. If Cutover engages an independent third-party to conduct audits, upon request by Customer, Cutover will provide to Customer a copy of or online viewing access to a summary of the audit reports or certifications issued as a result of such audits. If Cutover conducts its own risk assessment, then Cutover will provide Customer with a copy of or online viewing access to a summary of its report of such assessment. Any such reports are Cutover’s Confidential Information. Cutover shall remedy material issues (classified as critical or high-risk) identified from the testing and audits in a timely manner.
   10. Security Incident Notification | Cutover will notify Customer without undue delay (and, in any event, within seventy-two (72) hours) upon becoming aware of any Security Incident in accordance with the requirements of Clause 16 (Notices). Cutover will keep records of its investigation of the Security Incident including identifying the impact of the Security Incident and the steps Cutover takes to mitigate the effects of any such Security Incident. Where a Security Incident includes the unauthorised disclosure of the Personal Data of Customer’s Users or other representatives, Cutover shall include in the notification all available information described in Article 33(3) of the GDPR or UK GDPR. However, where it is not possible to provide all information referred to in Article 33(3) in the initial notification, the information shall be provided in phases without undue delay and Cutover shall ensure Customer is kept apprised of material updates as more information becomes available during the course of the investigation. Customer may request a copy of Cutover’s incident report in writing (by email to infosec@cutover.com) that Cutover will provide following resolution of the Security Incident and completion of all required notification and related requirements.  
   11. Disaster Recovery | In the event that the Customer provides a written request that Cutover circumvent any agreed security protocols and notice requirements in order to facilitate the Customer’s disaster recovery process, Cutover shall bear no liability in connection with the same to the extent it complies with the written instructions of the Customer.
   12. Deletion of Customer Data | Unless Customer requests otherwise in writing and subject to any requirements to the contrary under applicable law, Customer Data within the Cutover Instance will be deleted within thirty (30) days of the termination of this Agreement.  
   13. California Consumer Privacy Act (CCPA) | To the extent applicable in relation to California User Data, Cutover represents and warrants to Customer that (i) it is acting as a service provider in connection with this Agreement under the CCPA, and (ii) it receives such California User Data from Customer pursuant to and solely for the provision of Services and its legitimate business purposes. To the extent applicable, Customer represents and warrants to Cutover that it is (i) acting as a business in connection with this Agreement with respect to any California User Data, and (ii) sharing and making available to Cutover the California User Data pursuant to and solely for a legitimate business purpose and in accordance with the CCPA. Cutover shall not sell, retain, use or disclose California User Data (x) for any purpose (commercial or otherwise) other than for the specific purpose of providing the Services and performing its obligations and exercise of rights under this Agreement, or (y) outside of the direct business relationship between Cutover and Customer. Cutover certifies that it understands and will comply with the restrictions in the foregoing sentence. Additionally, Cutover confirms that its Sub-Processors are acting as service providers and have entered into written contracts with Cutover containing terms with substantially similar effect to those in this clause restricting Sub-Processor’s use of California User Data. As used in this clause, “California User Data" means the personal information of consumers (whether the Users or other representatives) of Customer or its Affiliates provided or made available by Customer to Cutover in connection with this Agreement and the provision of Services. The terms “business", “business purpose", “consumer", “personal information", “sell" and “service provider have the meaning given to each term in the CCPA.
2. Definitions
   

Capitalised terms used but not defined in these Data Processing Terms shall have the meanings given to them in the Master Subscription Agreement and any applicable Order Form executed between the Parties (together, the "Agreement").

In these Data Processing Terms:

Approved Transfer Mechanism means either (as applicable):

1. the European Commission’s Standard Contractual Clauses under Commission Implementing Decision (EU) 2021/914 (“EU SCCs”); or 
2. the UK Information Commissioner’s Office’s International Data Transfer Addendum to the EU Commission Standard Contractual Clauses Version B1.0, in force 21 March 2022 (“IDTA Addendum”).

Controller has the meaning given in the Data Protection Law.

Data Protection Law means all applicable data protection and privacy laws, including the UK Data Protection Act 2018 (as amended), the GDPR, the UK GDPR, and any other applicable data protection or privacy legislation or regulation relating to the provision of the Services to Customer.

GDPR means the EU General Data Protection Regulation (2016/679), as amended.

UK GDPR means the GDPR as transposed into United Kingdom national law by operation of Section 3 of the European Union (Withdrawal) Act 2018 as amended.

EEA means the European Economic Area.

Processor has the meaning given in the Data Protection Law.

SCHEDULE 1 - DETAILS OF PROCESSING

1. NATURE AND PURPOSE OF PROCESSING

1.1 Cutover is a provider of a cloud-hosted collaborative automation Platform and associated services. Cutover provides a single Platform for planning, orchestration, observability and analysis, updated in real time and visible to all within an organisation or its company group. Cutover integrates machine activity, leverages automation, and replaces multiple spreadsheets, outdated toolsets, fragmented communications, and manual reporting. Customers may purchase one or more Platform Products depending on their use case needs. Cutover also provides a number of associated Services in connection with the Platform, including CSIT Services, Professional Services and Additional Services. Personal Data will be processed for the provision of Services to Customer.

2. CATEGORIES OF DATA SUBJECTS

2.1 The Personal Data transferred concerns the following data subjects:

• (a) Individuals authorised by Customer or its Affiliates to access, use or receive Services.

3. CATEGORIES OF PERSONAL DATA

3.1 The Personal Data processed concerns the following categories of data determined, controlled and submitted by Customer, its Affiliates or the Users to the Platform or otherwise provided to Cutover or its Affiliates in connection with the provision of Services:

• (a) First and last name
• (b) Contact information (email, phone, business address)
• (c) Professional details (company/employer, job title, position)
• (d) Location data
• (e) Personal life data (in the form of a memorable word and other security questions, if applicable based on User input)
• (f) IP Addresses

4. SENSITIVE DATA / SPECIAL CATEGORIES OF PERSONAL DATA

4.1 Customer, its Affiliates and Users will not submit any special categories of Personal Data in connection with the Services.

5. DURATION OF PROCESSING

5.1 The Personal Data will be processed for the Term of the Agreement, subject to longer processing pursuant to the Backup Data Retention clause of the applicable service terms, on the written instructions of Customer or as otherwise required by applicable law.

6. TECHNICAL & ORGANISATIONAL SECURITY MEASURES

6.1 As set out in Cutover's Security Policy.

APPROVED SUB-PROCESSORS

|| {{ name: cms-large-table, colwidths: 1/5, 1/5, 1/5, 1/5, 1/5 }} ||

|| SUB‑PROCESSOR || REGISTERED COMPANY LOCATION || TECHNOLOGY TOOL / SUBJECT MATTER / NATURE OF PROCESSING || SUB‑PROCESSOR PRIMARY DATA PROCESSING/HOSTING LOCATION (SPECIFICS) || PERSONAL DATA (PD) TRANSFERRED TO AND/OR PROCESSED ||

|| CUTOVER – AFFILIATE SUB‑PROCESSORS {{ colspan: 5 }} ||

|| If Cutover Entity is Godesic Limited – Cutover Inc. || United States || Affiliate Service Provider / Sub‑Processor – Cutover Service provision || United States (Hosting via AWS below) || PD Processed: As per the list of Cutover Users’ Personal Data set out in the DPA with Customer. Refer to Schedule 2 of Cutover’s MSA for the DPA ||

|| If Cutover Entity is Cutover Inc. – Godesic Limited || United Kingdom || Affiliate Service Provider / Sub‑Processor – Cutover Service provision || United Kingdom (Hosting via AWS below) || ||

|| EXTERNAL THIRD‑PARTY SUB‑PROCESSORS {{ colspan: 5 }} ||

|| Amazon Web Services, Inc. {{rowspan:2 }} || United States and European Union || AWS – Application hosting and cloud processing || UK/EEA/ROW Customers: Ireland and Frankfurt (EU) US Customers: US‑East and US‑West || PD Processed: As per the list of Cutover Users’ Personal Data set out in the DPA at Schedule 2 ||

|| United States || AWS (AI Features) – Artificial Intelligence (AI), data model and application‑related functionalities || US ‑ US‑East and US‑West || PD Processed: As per the list of Cutover Users’ Personal Data set out in the DPA at Schedule 2 ||

|| Google LLC / Google Cloud EMEA Ltd. / Looker Data Sciences, Inc. {{rowspan:2 }} || United States and European Union {{rowspan:2 }} || GCP – Application hosting and cloud processing || EU & US ‑ United States and European Union || PD Processed (GCP): As per the list of Cutover Users’ Personal Data set out in the DPA at Schedule 2 ||

|| Looker – Application analytics and usage reporting || EU ‑ Ireland (Dublin) || PD Processed (Looker): As per the list of Cutover Users’ Personal Data set out in the DPA at Schedule 2 ||

|| Twilio Ireland Limited. || United States || Twilio – Communication provider || US ‑ Virginia || PD Processed: Cutover Users’ Phone numbers ||

|| Datadog, Inc. || United States || DataDog – Application alerting and monitoring || EU ‑ Germany (Frankfurt) || PD Processed: Cutover Users’ First and Last Names (or Usernames if different), Email Addresses ||

|| Intercom R&D Limited Company. || United States || Intercom – Application Customer Support & Customer Experience Management || US ‑ Virginia EU ‑ Ireland (Dublin) || PD Processed: Cutover Users’ First and Last Names (or Usernames if different), Email Addresses, Company, Role and Title, Locations (City/Country) ||

‍

SCHEDULE 2 - APPROVED TRANSFER MECHANISM

Cutover and Customer hereby agree that if Customer’s use of the Services involves:

• (a) a transfer of Personal Data from the EEA or Switzerland to Cutover Inc., then the EU SCCs Module 2 will apply; or
• (b) a transfer of Personal Data from the UK to Cutover Inc., then the IDTA Addendum will apply.

Accordingly, each Party agrees that it shall be deemed that they have executed the applicable Approved Transfer Mechanism as if the clauses were set out here in full with the following particulars specified (to the extent required for the EU SCCs and IDTA Addendum):

|| {{ name: cms-large-table, colwidths: 1/3, 1/3, 1/3 }} ||

|| GENERAL {{ colspan: 3 }} ||

|| List Of Parties {{rowspan: 3}} || Data Exporter / Exporter: Customer (on behalf of itself and its Affiliates located within the UK, EEA and Switzerland). Contact information as set out in the Subscription Order Form. Customer processes Personal Data in the ordinary course of its business, and desires to obtain the processing services of Cutover in connection with its use of the Services.{{ colspan: 2 }} ||

|| Data Importer / Importer: Cutover Inc. (a Delaware Corporation), principal place of business at 27 E, 28th Street, NY 10016, USA. Cutover Inc. enables organisations to orchestrate work across teams and technologies in dynamic, automated runbooks with real-time visibility and control, and provides data processing services to the Customer in accordance with the terms of this Agreement. {{ colspan: 2 }} ||

|| Representative Contact Details: The Data Exporter / Exporter and Data Importer / Importer representatives are the authorised signatories of each Party to the Subscription Order Form and their contact details are the Legal Notice Emails set forth therein. {{ colspan: 2 }} ||

|| Description of Transfer {{ rowspan: 5 }} || EU SCCs Module: Module Two – Transfer Controller to Processor {{ colspan: 2 }} ||

|| Processing Particulars || The nature and purpose of processing, categories of data subject, categories of data, duration of processing and period for which Personal Data will be retained shall be as set out in the Data Processing Addendum. ||

|| Frequency of Transfer: || Continuous based on Customer's use of the Services. ||

|| Subject Matter, Nature and Duration of Transfer to Sub-Processors || As set out in the Data Processing Addendum. ||

|| OPTIONAL CLAUSES || Clause 7 of the EU SCCs: Does not apply.
Clause 11 of the EU SCCs: The optional language does not apply. ||

|| COMPETENT SUPERVISORY AUTHORITY || EU SCCs || For Annex I.C: The competent supervisory authority shall be the applicable supervisory authority for the Data Exporter. ||

|| TECHNICAL AND ORGANISATIONAL MEASURES {{ colspan: 3}} ||

|| Security Measures || The technical and organisational security measures implemented by the Data Importer are as set out in the Data Processing Addendum and serves as Annex II of the EU SCCs and Annex II of Table 2 of the IDTA Addendum. {{ colspan: 2 }} ||

|| SUB-PROCESSORS {{ colspan: 3 }} ||

|| Approved Sub-Processors || As per the list of Approved Sub-Processors.  {{ colspan: 2 }} ||

|| New Sub-Processor Notification || Clause 9(a) of the EU SCCs: Option 2: General Written Authorisation applies with the time period for notice of intended changes as set out at Clause 8.5 of the Service Terms.  {{ colspan: 2 }} ||

|| ADDITIONAL PARTICULARS {{ colspan: 3 }} ||

|| Governing Law & Forum || EU SCCs || Clause 17: Option 1 – the laws of the Republic of Ireland will apply.
Clause 18(b): the courts of the Republic of Ireland will apply. ||

|| Termination || Table 4 of the IDTA Addendum || Both the Importer and Exporter may terminate the IDTA Addendum in accordance with the Service Terms. ||