This Data Processing Agreement including its attached schedules (“DPA”) sets forth the terms and conditions relating to Processing of Personal Data through the Faithbase software-as-a-service platform (“Platform”) and related Services pursuant to the Terms of Service for Platform (the “Agreement” which includes this DPA and all schedules hereto, and all schedules, attachments, and addenda to the Agreement) between Servus Consulting Partners, LLC dba Servant (“Servant,” “us,” or “we”) and you as a subscribing client (“you” or “Client”). The parties agree to comply with the terms and conditions in this DPA in connection with such Processing of Personal Data. All capitalized terms not defined herein have the same meaning set forth in the Agreement. BY EXECUTING THE AGREEMENT, THE PARTIES ALSO EXECUTE THIS DPA.
Client’s agreement to this DPA via execution of the Agreement shall be deemed to constitute signature and acceptance of the main body of this DPA, Schedule 1: EU SCCs, Schedule 2: Description of Processing, and Schedule 3: International Transfer Addendum. This DPA shall not replace any comparable or additional rights relating to the Processing of Personal Data contained in the Agreement (including any existing data processing addendum to the Agreement).
Defined Terms
“Client” refers to the Client identified in the introductory paragraph of this DPA along with Client’s Authorized Affiliate(s), if any. “Authorized Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with Client and (i) is subject to Data Protection Laws and (ii) is permitted to use the Services pursuant to the Agreement but has not executed its own contract with Servant and is not “Client” as defined under the Agreement.
“Client Data” means electronic data and information submitted by or for Client to the Services.
“Controller” means the entity that determines the means and purposes of the Processing of Personal Data.
“Data Incident” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Data (including Personal Data, transmitted, stored, or otherwise) Processed by Servant or its Sub-processors.
“Data Protection Laws” means all Laws applicable to the Processing of Personal Data under the Agreement, including without limitation U.S. Data Protection Laws, European Data Protection Laws, and other consumer privacy or data protection laws applicable to Client’s use of the Services, and their respective implementing regulations, each as amended from time to time.
“Data Subject” means the identified or identifiable person to whom Personal Data relates.
“Europe” means the European Union, the European Economic Area, Switzerland, and the United Kingdom.
“European Data Protection Laws” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC together with any subordinate legislation or implementing regulation (“GDPR”), the laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including without limitation the Data Protection Act 2018 (“UK Data Protection Laws”), and other applicable data protection Laws of the European Union, the European Economic Area and their member states, Switzerland, and the United Kingdom, each as amended from time to time.
“Personal Data” means any information contained in Client Data that is protected under applicable Data Protection Laws, such as information describing or relating to: (i) an identified or identifiable natural person or household or (ii) an identified or identifiable legal entity (where such information is protected as personal data or personally identifiable information under applicable Data Protection Laws).
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means the Party which Processes Personal Data on behalf of the Controller, including as applicable any “Service Provider” as that term is defined by the CCPA.
“Security Measures” means the technical and organizational measures employed by Servant to secure Personal Data on the Services and as described in Section 9 of Schedule 2.
“Standard Contractual Clauses” or “SCCs” means the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council, approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
“Sub-processor” means a Processor engaged by Servant to Process Personal Data contained in Client Data.
“Supervisory Authority” means an independent public authority that is established pursuant to the GDPR or UK Data Protection Laws.
“U.S. Data Protection Laws” means the federal and state laws of the United States governing consumer privacy and data protection, including without limitation the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations (“CCPA”), and the consumer privacy and data protection laws of Connecticut, Colorado, Iowa, Nevada, Oregon, Tennessee, Texas, Virginia, and other states, as enacted or amended from time to time.
“U.S. Personal Information” means Personal Data that is subject to the protection of one or more U.S. Data Protection Laws.
Processing Personal Data
Roles of the Parties. This DPA applies where and to the extent that Servant Processes Personal Data contained in Client Data through Client’s use of Platform pursuant to the Agreement. The parties acknowledge and agree that (i) with regard to the Processing of Personal Data, Client is the Controller and Servant is the Processor and (ii) Servant will engage Sub-processors pursuant to the requirements of Section 4 “Sub-Processors” herein.
Duration. Servant shall process Personal Data throughout the term of the Agreement or any renewal term thereof. Upon termination of the Agreement by either Party, Servant shall cease processing Personal Data on Client’s behalf upon completion of the termination provisions described herein.
Nature, Purpose, and Subject-Matter of the Processing. The nature, purpose, and subject matter of Servant’s Processing of Personal Data as Client’s Processor is described in and governed by the Agreement and as further specified in Schedule 2 to this DPA. All Processing of Personal Data via the Services is determined solely by Client and according to Client’s privacy practices and Instructions to Servant under Section 2.5.
Processing By Client. Client shall Process Personal Data in accordance with the requirements of all applicable Data Protection Laws, including without limitation requirements to provide notice to Data Subjects of the use of Servant as Processor. Client represents and warrants that Client has established a lawful basis to Process Personal Data, Client’s use of the Services will not violate the rights of any Data Subject, and Client has the right to transfer, or provide access to, the Personal Data to Servant for Processing under the terms of the Agreement. Client shall have sole responsibility for (i) the accuracy, quality, and legality of Personal Data, (ii) the means by which Client acquired Personal Data, and (iii) the lawful basis and mechanisms of transferring Personal Data to Servant. Client shall inform Servant without undue delay if Client is not able to comply with Client’s obligations under this DPA or any applicable Data Protection Laws. For the avoidance of doubt, Servant is not responsible for compliance with any Data Protection Laws applicable to Client or Client’s industry that are not generally applicable to Servant.
Instructions. Servant shall Process, retain, use, store, or disclose Personal Data only according to written, documented, and lawful instructions issued by Client to Servant for the purpose of providing the Services to Client pursuant to the Agreement (“Instructions”). The parties agree that the Agreement, together with Client’s selections, configurations, customizations, and use of Platform constitute Client’s complete and final Instructions to Servant concerning the Processing of Personal Data. Client is solely responsible for the legality, outcome, and results of all Instructions and Servant shall have no liability whatsoever related to its performance of the Agreement according to any Client Instructions. Servant shall inform Client without delay if, in Servant’s opinion, an Instruction violates Data Protection Laws or Servant is unable to follow an Instruction, and Servant may cease all Processing without liability until Client issues new Instructions with which Servant can comply.
Processing By Servant. Client hereby appoints Servant to Process the Personal Data on Client’s behalf as necessary for Servant to provide the Services under the Agreement. Servant shall treat Personal Data as confidential. Servant shall ensure that its personnel involved in the Processing of Personal Data receive appropriate training on their responsibilities and are bound to appropriate confidentiality obligations. Servant shall ensure that access to Personal Data is limited to those personnel who are necessary to provide the Services. If Servant is required by applicable law to disclose Personal Data for a purpose unrelated to the Agreement, Servant will first inform Client of the legal requirement and give Client an opportunity to object or challenge the requirement, unless the law prohibits such notice. Notwithstanding the foregoing, Servant shall have the right to (i) collect and use Personal Data to investigate a use of the Services that is unlawful or violates the Agreement, provide, and develop the Services, respond to legal actions, or for administrative purposes such as accounting and compliance and (ii) use any data in an anonymized format for Servant’s internal purposes.
Data Subject Rights
If Servant receives a request from a Data Subject to exercise the Data Subject's right under applicable Data Protection Laws relating to Personal Data (each a “Data Subject Request”), Servant shall, to the extent legally permitted, notify Client or instruct the Data Subject to contact Client directly. Client shall be legally responsible for responding to all Data Subject Requests or communications involving Personal Data and for all costs associated with the same. Servant will reasonably assist Client to address a Data Subject Request if Client is unable to do so independently as required by applicable law.
Sub-Processors
Client generally authorizes Servant to engage Sub-Processors for the provision of the Services and Client acknowledges and agrees that Servant may engage third-party Sub-Processors in connection with the provision of the Services to Client. Servant has entered into a written agreement with each Sub-Processor containing data protection obligations not less protective than those in this DPA with respect to the protection of Personal Data to the extent applicable to the nature of the Services provided by such Sub-Processor. Servant shall be liable for the acts and omissions of its Sub-Processors to the same extent Servant would be liable if performing the Services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement. Servant shall make available to Client the current list of Sub-processors for the applicable Service(s) (“Sub-Processor List”) upon Client’s written request.
If Client is entitled to notice and an opportunity to object to new Sub-Processors under applicable Data Protection Laws, (i) upon request by Client to be so notified, Servant shall notify Client of new Sub-Processors and (ii) Client may object to Servant’s use of a new Sub-Processor by notifying Servant promptly in writing within ten (10) business days after receipt of Servant’s notice thereof. In the event Client objects to a new Sub-Processor, Servant will use reasonable efforts to make available to Client a change in the Services or recommend a commercially reasonable change to Client’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-Processor without unreasonably burdening Client. If Servant is unable to make available such change within thirty (30) days, Client may terminate the Agreement.
Data Security
Controls for the Protection of Personal Data. Servant shall maintain appropriate technical and organizational measures to protect the security, confidentiality, and integrity of Personal Data as detailed in Section 9 of Schedule 2. In doing so, Servant shall take into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Client is solely responsible for (i) reviewing and determining whether the Services meet Client’s security standards and support Client’s obligations under Data Protection Laws and (ii) the secure use of Platform and other Services by Client’s End Users.
Data Protection Impact Assessment. Upon Client’s written request, Servant shall provide Client with reasonable cooperation and assistance needed to fulfill Client’s obligations under Data Protection Laws to carry out a data protection impact assessment related to Client’s use of the Services, to the extent Client does not otherwise have access to the relevant information, and to the extent such information is available to Servant.
Audits. Upon reasonable written request from Client, Servant will make available to Client applicable reports and summaries from Servant’s most recent inspection or audit to assess compliance with this DPA, where required by applicable law (“Audit Report”). Client will treat the Audit Report as Servant’s confidential information subject to non-disclosure and non-distribution limitations. If and to the extent the Audit Report is not sufficient to meet Client’s demonstration of compliance obligations under applicable Data Protection Laws, Servant will promptly respond to Client’s additional Instructions to participate in an audit of Servant’s records and systems directly relating to Client’s receipt of the Services (“Audit”). Audits shall be conducted: (i) acting reasonably, in good faith, and in a proportional manner, taking into account the nature and complexity of the Services used by Client; (ii) up to one time per year with at least three weeks’ advance written notice and at Client’s sole expense; and (iii) during Servant’s normal business hours, under reasonable duration and shall not unreasonably interfere with Servant’s day-to-day operations. If an emergency justifies a shorter notice period, Servant will use good faith efforts to accommodate the Audit request. Before any Audit commences, Client and Servant shall mutually agree upon the scope, timing, and duration of the audit and the reimbursement rate for which Client shall be responsible.
Data Incidents
Servant shall notify Client without undue delay after becoming aware of a Data Incident occurring on Servant’s or its Sub-Processors’ information systems involving Client Data. Servant shall make reasonable efforts to identify the cause of such Data Incident and take such steps as Servant deems necessary and reasonable to remediate the cause of such a Data Incident to the extent the remediation is within Servant’s reasonable control. At Client’s reasonable request, and to the extent Servant is required to do so under applicable Data Protection Laws, Servant will promptly provide Client with commercially reasonable assistance as necessary to enable Client to meet Client’s obligations under applicable Data Protection Laws to notify authorities and/or affected Data Subjects. The obligations herein shall not apply to incidents that are caused by Client or Client’s End Users.
Government Access Requests
If Servant receives a legally binding request from a Public Authority to access Personal Data that Servant Processes on Client’s behalf, Servant shall, unless otherwise legally prohibited, promptly notify Client including a summary of the nature of the request. To the extent Servant is prohibited by law from providing such notification, Servant shall use commercially reasonable efforts to obtain a waiver of the prohibition to enable Servant to communicate as much information as possible, as soon as possible. Further, Servant shall challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful. Servant shall pursue possibilities of appeal. When challenging a request, Servant shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the Personal Data requested until required to do so under the applicable procedural rules. Servant agrees it will provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request. Servant shall promptly notify Client if Servant becomes aware of any direct access by a Public Authority to Client Data and provide information available to Servant in this respect, to the extent permitted by law. For the avoidance of doubt, this DPA shall not require Servant to pursue action or inaction that could result in civil or criminal penalty for Servant such as contempt of court. Servant shall ensure that Sub-processors involved in the Processing of Personal Data are subject to the relevant commitments regarding Government Access Requests in the Standard Contractual Clauses.
Return/Deletion of Personal Data
Servant will return, destroy, or render anonymous all Personal Data in accordance with Client’s reasonable written Instructions submitted to Servant within 30 days of termination or expiration of Client’s Subscription under the Agreement or as otherwise instructed by Client. The requirements of this Section 7 do not apply to the extent that Servant is required by applicable law to retain any Client Data, or to Client Data that is archived on backup systems, which data Servant shall securely isolate and protect from any further Processing and delete following Servant’s deletion practices.
European Provisions
European Data Protection Laws. This Section 8 shall apply only to the extent Servant Processes Personal Data subject to European Data Protection Laws as Client’s Processor. Servant will Process Personal Data in accordance with the European Data Protection Laws requirements directly applicable to Servant’s provision of its Services. For the purposes of this section and the Schedules attached hereto, the “Standard Contractual Clauses” or “SCCs” means Standard Contractual Clauses sections I, II, III, and IV (as applicable) to the extent they reference Module Two (Controller-to-Processor).
Transfer mechanisms for data transfers. If, in the provision of the Services, Personal Data that is subject to the GDPR or any other law relating to the protection or privacy of individuals that applies in Europe is transferred out of Europe to countries that do not ensure an adequate level of data protection within the meaning of the Data Protection Laws of Europe, the SCCs, subject to the additional terms in Section 2 of Schedule 1, shall apply to such transfers, provided that Client is a Controller and a data exporter of Personal Data and Servant is a Processor and data importer in respect of that Personal Data. In such case, the SCCs can be directly enforced by the Parties to the extent such transfers are subject to the European Data Protection Laws.
Impact of local laws. If Servant reasonably believes that any existing or future enacted or enforceable laws and practices in the third country of destination applicable to its Processing of the Personal Data (“Local Laws”) prevent it from fulfilling its obligations under this DPA, it shall (i) promptly notify Client and (ii) use reasonable efforts to make available to Client a change in the Services to facilitate compliance with Local Laws without unreasonably burdening Client. If Servant is unable to make available such change promptly, Client may terminate the applicable SOW and suspend the transfer of Personal Data in respect only to those Services which cannot be provided by Servant in compliance with the Local Laws by providing written notice to Servant as required under the Agreement.
United States Provisions
U.S. Data Protection Laws. This Section 9 applies only to the extent Servant Processes U.S. Personal Information on Client’s behalf. For the purposes of this section, these terms shall be defined as follows: (a) “Business”, “Service Provider”, “Sell”, and “Share” shall have the meanings given to them in the CCPA or other applicable U.S. Data Protection Laws; (b) “Controller” is replaced with “Business” wherever those terms appear in this DPA; and (c) “Processor” is replaced with “Service Provider” wherever those terms appear in this DPA.
Responsibilities. The Parties agree that Servant will Process U.S. Personal Information as Client’s Service Provider in accordance with applicable U.S. Data Protection Laws and strictly for the business purpose of performing the Service under the Agreement. Servant shall not (i) Sell U.S. Personal Information; (ii) Share U.S. Personal Information with third Parties for cross-contextual behavioral advertising purposes; (iii) retain, use, or disclose U.S. Personal Information for a commercial purpose other than for such business purpose or as otherwise permitted by U.S. Data Protection Laws; or (iv) retain, use, or disclose U.S. Personal Information outside of the direct business relationship between Client and Servant. Servant certifies that it understands and will comply with the restrictions of this Section 9.2.
No Sale Between Parties. The Parties agree that Client does not sell U.S. Personal Information to Servant because, as a Service Provider, Servant may only use U.S. Personal Information for the purposes of providing the Services to Client.
General Provisions
This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement unless otherwise required by applicable Data Protection Laws. If and to the extent language in this DPA conflicts with the Agreement, this DPA shall control concerning the subject matter herein. Except as specifically provided in the Standard Contractual Clauses applicable to this DPA, all activities under this DPA are subject to the applicable limitations of liability set forth in the Agreement. For the avoidance of doubt, Servant’s total liability for all claims from Client arising out of or related to the Agreement and all DPAs shall apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, including by Client and, in particular, shall not be understood to apply individually and severally to Client that is a contractual party to any such DPA. Additionally, Client agrees that any regulatory fines or penalties incurred by Client relating to Client Data that arise as a result of or in connection with Client's failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall count toward and reduce Servant's liability under the Agreement as a liability under the Agreement. This DPA and the schedules hereto will automatically terminate upon expiration or termination of the Agreement.
SCHEDULE 1
TRANSFER MECHANISMS FOR EUROPEAN DATA TRANSFERS
STANDARD CONTRACTUAL CLAUSES OPERATIVE PROVISIONS AND ADDITIONAL TERMS
For the purposes of the Standard Contractual Clauses, Client is the data exporter and Servant is the data importer and the Parties agree to the following. Where this Schedule 1 does not explicitly mention SCCs, it applies to them.
Reference to the Standard Contractual Clauses. The relevant provisions contained in the Standard Contractual Clauses are incorporated by reference and are an integral part of this DPA. The information required for the purposes of the Appendix to the Standard Contractual Clauses is set out in Schedule 2.
Docking clause. The option under clause 7 shall not apply.
Certification of Deletion. The parties agree that the certification of deletion of Personal Data that is described in clause 8.5 and 16(d) of the Standard Contractual Clauses shall be provided by Servant to Client only upon Client’s written request.
Instructions. This DPA and the Agreement are Client’s complete and final documented instructions at the time of signature of the Agreement to Servant for the Processing of Personal Data. Any additional or alternate instructions must be consistent with the terms of this DPA and the Agreement. For the purposes of clause 8.1(a), the instructions by Client to Process Personal Data are set out in Section 2.5 of this DPA and include onward transfers to a third party located outside Europe for the provision of the Services.
Security of Processing. For the purposes of clause 8.6(a), Client is solely responsible for making an independent determination as to whether the technical and organizational measures set forth in Section 9 of Schedule 2 meet Client’s security requirements, and Client agrees that (taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the Processing of its Personal Data as well as the risks to individuals) the security measures and policies implemented and maintained by Servant provide a level of security appropriate to the risk with respect to its Personal Data. For the purposes of clause 8.6(c), personal data breaches will be handled in accordance with Section 5.4 of this DPA.
Audits of the SCCs. The parties agree that the audits described in clause 8.9 of the Standard Contractual Clauses shall be carried out in accordance with Section 5.3 of this DPA.
General authorization for use of Sub-processors. Option 2 under clause 9 shall apply. For the purposes of clause 9(a), Servant has Client’s general authorization to engage Sub-processors in accordance with Section 4 of this DPA. Servant shall make available to Client the current list of Sub-processors in accordance with Section 4 of this DPA. Where Servant enters into the processor-to-processor transfer clauses with a Sub-Processor in connection with the provision of the Services, Client grants Servant authority to provide a general authorization on Controller's behalf for the engagement of sub-processors by Sub-processors engaged in the provision of the Services, as well as decision making and approval authority for the addition or replacement of any such Sub-Processors.
Notification of New Sub-Processors and Objection Right for new Sub-Processors. Pursuant to clause 9(a), Client acknowledges and expressly agrees that Servant may engage new Sub-Processors as described in Section 4 of the DPA. Servant shall inform Client of any changes to Sub-Processors according to the terms of Section 4 of the DPA.
Complaints - Redress. For the purposes of clause 11, Servant shall inform data subjects on its website of a contact point authorized to handle complaints. Servant shall inform Client if it receives a complaint by, or a dispute from, a Data Subject with respect to Personal Data and shall without undue delay communicate the complaint or dispute to Client. Servant shall not otherwise have any obligation to handle the request (unless otherwise agreed with Client). The option under clause 11 shall not apply.
Liability. Servant’s liability under clause 12(b) shall be limited to actual and proven damage caused by Servant’s Processing of Personal Data on Client’s behalf as a Processor where Servant has not complied with its obligations under the GDPR specifically directed to Processors, or where Servant has acted outside of or contrary to Client’s lawful Instructions, as specified in Article 82 GDPR.
Supervision. Clause 13 shall apply as follows:
Where Client is established in an EU Member State, the supervisory authority with responsibility for ensuring compliance by Client with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.
Where Client is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679, the supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as competent supervisory authority.
Where Client is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The Data Protection Commission of Ireland, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland shall act as competent supervisory authority.
Where Client is established in the United Kingdom or falls within the territorial scope of application of UK Data Protection Laws, the Information Commissioner's Office shall act as competent supervisory authority.
Where Client is established in Switzerland or falls within the territorial scope of application of Swiss Data Protection Laws, the Swiss Federal Data Protection and Information Commissioner shall act as competent supervisory authority insofar as the relevant data transfer is governed by Swiss Data Protection Laws.
Notification of Government Access Requests. For the purposes of clause 15.1(a), Servant shall notify Client only, and not the Data Subject(s), in case of government access requests. Client shall be solely responsible for promptly notifying the Data Subject as necessary.
Governing Law. The governing law for the purposes of clause 17 shall be the law that is designated in the Governing Law section of the Agreement. If the Agreement is not governed by an EU Member State law, the Standard Contractual Clauses will be governed by either (i) the laws of Ireland; or (ii) where the Agreement is governed by the laws of the United Kingdom, the laws of the United Kingdom.
Choice of forum and jurisdiction. The courts under clause 18 shall be those designated in the Governing Law section of the Agreement. If the Agreement does not designate an EU Member State court as having exclusive jurisdiction to resolve any dispute or lawsuit arising out of or in connection with this Agreement, the parties agree that the courts of either (i) Ireland; or (ii) where the Agreement designates the United Kingdom as having exclusive jurisdiction, the United Kingdom, shall have exclusive jurisdiction to resolve any dispute arising from the Standard Contractual Clauses. For Data Subjects habitually resident in Switzerland, the courts of Switzerland are an alternative place of jurisdiction in respect of disputes.
Appendix. The Appendix shall be completed as follows:
-
The contents of section 1 of Schedule 2 shall form Annex I.A to the SCCs.
-
The contents of sections 2 to 9 of Schedule 2 shall form Annex I.B to the SCCs.
-
The contents of section 10 of Schedule 2 shall form Annex I.C to the SCCs.
-
The contents of section 11 of Schedule 2 shall form Annex II to the SCCs.
-
Data Exports from the United Kingdom and Switzerland under the Standard Contractual Clauses. In case of any transfers of Personal Data from the United Kingdom and/or transfers of Personal Data from Switzerland subject exclusively to the Data Protection Laws of Switzerland (“Swiss Data Protection Laws”), (i) general and specific references in the Standard Contractual Clauses to GDPR or EU or Member State Law shall have the same meaning as the equivalent reference in the UK Data Protection Laws or Swiss Data Protection Laws, as applicable; and (ii) any other obligation in the Standard Contractual Clauses determined by the Member State in which the data exporter or Data Subject is established shall refer to an obligation under UK Data Protection Laws or Swiss Data Protection Laws, as applicable. In respect of data transfers governed by Swiss Data Protection Laws, the Standard Contractual Clauses also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as Personal Data under Swiss Data Protection Laws until such laws are amended to no longer apply to a legal entity.
-
Conflict. The Standard Contractual Clauses are subject to this DPA and the additional safeguards set out hereunder. The rights and obligations afforded by the Standard Contractual Clauses will be exercised in accordance with this DPA unless stated otherwise. In the event of any conflict or inconsistency between the body of this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
-
SCHEDULE 2
DESCRIPTION OF PROCESSING/TRANSFER
- LIST OF PARTIES
Data exporter(s): Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union
-
Name: Client, as identified in Client’s registration with Servant.
-
Address: Client address is set forth in Client’s registration with Servant.
-
Contact person's name, position, and contact details: Client point of contact is set forth in Client’s registration with Servant.
-
Activities relevant to the data transferred under these clauses: Provision of the Services as described in the Agreement.
-
Client Signature: Execution of the Agreement by Client shall constitute Client’s signature to and execution of the DPA and this Schedule 2.
-
Role: Client is the Controller.
Data importer(s): Identity and contact details of the data importer(s), including any contact person with responsibility for data protection
-
Name: Servus Consulting Partners, LLC dba Servant
-
Address: 108 Fourth Ave South, Suite 207 Franklin, TN 37064
-
Contact person's name, position, and contact details: Shannon Basada, shannon@servant.io
-
Servant Signature: Execution of the Agreement by Servant shall constitute Servant’s signature to and execution of the DPA and this Schedule 2.
-
Role: Servant is the Processor.
- CATEGORIES OF DATA SUBJECTS WHOSE PERSONAL DATA IS TRANSFERRED
Client End Users (as defined in the Agreement).
- CATEGORIES OF PERSONAL DATA TRANSFERRED
Client may include, or permit its End Users to include, Personal Data in the Client Data in the categories of identifiers, internet and similar information, inferences drawn from Personal Data, or any other category of Personal Data as determined solely by Client and according to Client’s privacy practices.
- SENSITIVE DATA TRANSFERRED
Client may choose to permit End Users to include sensitive personal data in Inputs or otherwise in the Client Data, subject to Client’s privacy practices and terms and conditions for Client’s website and digital properties. If Client chooses to Process sensitive data via the Services, Client does so at Client’s own risk and with no responsibility or liability of Servant.
- FREQUENCY OF THE TRANSFER
Data is transferred on a continuous basis depending on Client’s use of the Services pursuant to the Agreement.
- NATURE OF THE PROCESSING
The nature of the Processing is the provision of the Services to Client pursuant to the Agreement.
- PURPOSE OF PROCESSING, THE DATA TRANSFER AND FURTHER PROCESSING
Servant will Process Personal Data as necessary to provide the Services under the Agreement and as Instructed by Client.
- DURATION OF PROCESSING
Subject to Section 2.2 of the DPA, Servant will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.
- SUB-PROCESSOR TRANSFERS
Sub-Processor(s) will Process Personal Data as necessary to provide the Services pursuant to the Agreement. Subject to Section 4 of the DPA, the Sub-Processor(s) will Process Personal Data for the duration of the Agreement unless otherwise agreed in writing. Identities of the Sub-Processors used for the provision of the Services and their country of location will be provided to Client upon written request.
- COMPETENT SUPERVISORY AUTHORITY
-
Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.
-
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as the competent supervisory authority.
-
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland shall act as the competent supervisory authority.
-
Where the data exporter is established in the United Kingdom or falls within the territorial scope of application of UK Data Protection Laws, the Information Commissioner's Office shall act as the competent supervisory authority.
-
Where the data exporter is established in Switzerland or falls within the territorial scope of application of Swiss Data Protection Laws, the Swiss Federal Data Protection and Information Commissioner shall act as competent supervisory authority insofar as the relevant data transfer is governed by Swiss Data Protection Laws.
- TECHNICAL AND ORGANISATIONAL MEASURES
Servant has implemented the following technical and organizational Security Measures for the Services:
1. Physical access controls: measures employed for preventing unauthorized persons from gaining access to data processing systems within which Personal Data is processed or used.
- Data center is ISO 27001, ISO 27017, and ISO 27018 certified via Vercel and Convex, which operate on AWS infrastructure holding these certifications; Vercel is independently ISO 27001 certified.
- Data center compliant with SOC 2 Type II (Vercel and Convex) and the CISPE Code of Conduct via the underlying AWS infrastructure for data protection.

2. Admission control: measures taken for preventing data processing systems from being used without authorization.
- Multi-factor authentication is available via WorkOS AuthKit and is required for administrative accounts.
- Fine-grained access to objects is enabled (only administrative-level staff can personally access data).
- Only authenticated and authorized API requests are accepted.
- Short-lived, signed session tokens are issued by WorkOS AuthKit (sealed/encrypted cookies) and scoped Convex authentication tokens are used for backend access; service-to-service credentials are rotated via Vercel environment variables.

3. Virtual access control: measures taken to ensure that persons entitled to use a data processing system have access only to Personal Data to which they have a right of access, and that Personal Data cannot be read, copied, modified or removed without authorization in the course of Processing or use and after storage.
- End User authentication is based on username and strong password.
- All transactional records contain identifiers to distinguish client records.
- Data access is based upon specific user and role.
- Data access, insert, and modification are logged.
- Cloud security and privacy standards: SOC 2 Type II, ISO 27001, ISO 27017, and ISO 27018 (inherited from Vercel, Convex, and their underlying AWS infrastructure); GDPR and CCPA aligned.

4. Transmission control: measures taken to ensure that Personal Data cannot be read, copied, modified, or removed without authorization during electronic transmission or transport, and that it is possible to check and establish to which bodies the transfer of Personal Data by means of data transmission facilities is envisaged.
- All data encrypted in transit using TLS 1.2 or higher (HTTPS) between end users, Vercel, Convex, and all third-party ef
- Access to reports is logged.
- Backup media are encrypted.
- Removable storage is not used.

5. Input control: measures taken to ensure that it is possible to check and establish whether and by whom Personal Data have been entered into data processing systems, modified or removed.
- Governance, auditing, and monitoring of stored Personal Data are tracked by (i) an in-product audit log (Convex auditLogs table …), (ii) Axiom observability, and (iii) Braintrust for LLM call logging and evaluation.
- Record entry is restricted to a defined set of roles.
- All entry is date/time stamped and includes identifiers for the entering party.
- Firewalls and intrusion prevention systems are in place to prevent unauthorized access.

6. Assignment control: measures employed to ensure that, in the case of commissioned Processing of Personal Data, the data are processed strictly in accordance with the instructions of the principal.
- Confidentiality agreements are in place for all individuals with data access.
- Regular training is conducted for personnel.
- No third parties are used for the processing of data other than as described in this Agreement.

7. Availability control: measures taken to ensure that Personal Data are protected from accidental destruction or loss.
- Nightly snapshots are taken by Convex's managed backup service and stored on encrypted AWS S3 in a region separate from the primary deployment.
- Backups are kept for 14 days.

8. Separation control: measures taken to ensure that Personal Data collected for different purposes can be processed separately.
- Physical and logical data separation.
- Discrete development, staging and production environments are maintained.
- Personal data necessary for services and support is stored separately from marketing data.

SCHEDULE 3
UK ADDENDUM TO SCCS
This UK Addendum to SCCs incorporates into the DPA the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Commissioner under S119A(1) Data Protection Act 2018, VERSION B1.0, in force 21 March 2022.
PART 1: TABLES
Table 1: Parties
Start Date: Effective Date of the Agreement
The Parties: Exporter (who sends the Restricted Transfer) / Importer (who receives the Restricted Transfer)

Parties' Details:
- Exporter: Client name and address as registered with Servant.
- Importer: Servus Consulting Partners, LLC dba Servant, 108 Fourth Ave South, Suite 207 Franklin, TN 37064

Key Contact:
- Exporter: Client point of contact as registered with Servant.
- Importer: Shannon Basada, shannon@servant.io

Signature:
- Exporter: By executing the DPA, Client also executes all Schedules thereto.
- Importer: By executing the DPA, Servant also executes all Schedules thereto.

Table 2: Selected SCCs, Modules and Selected Clauses
EU SCCs: The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information.

EU Standard Contractual Clauses sections I, II, III, and IV (as applicable) to the extent they reference Module Two (Controller-to-Processor) (the "EU SCCs").

Clause 7 (Docking clause): The docking clause shall not apply.

Clause 11 (Option): The option under clause 11 shall not apply.

Clause 9(a) (Prior Authorisation or General Authorisation): Servant has Client's general authorisation to engage Sub-processors in accordance with Section 4 of the DPA.

Clause 9(a) (Time Period): Servant shall make available to Client the current list of Sub-Processors in accordance with Section 4 of the DPA. Servant shall inform Client of changes to Sub-Processors as required by applicable Data Protection Laws.

Is Personal Data received from the Importer combined with Personal Data collected by the Exporter? Yes, as instructed by Client pursuant to the Agreement.

Table 3: Appendix Information
“Appendix Information” means the information that must be provided for the selected modules and which for this Addendum is set out in:
-
Annex 1A: List of Parties: See Table 1 to this Schedule 3.
-
Annex 1B: Description of Transfer: See Schedule 2, Sections 2 through 9.
-
Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data: See Schedule 2, Section 11.
-
Annex III: List of Sub-Processors (Modules 2 and 3 only): See Schedule 1, Sections 7 and 8.
Table 4: Ending this Addendum when the Approved Addendum Changes
Ending this Addendum when the Approved Addendum changes: Which Parties may end this Addendum as set out in Section 19? Neither Party except as provided in Section 2 of the DPA.

PART 2: MANDATORY CLAUSES
Entering into this Addendum
-
Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.
-
Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.
Interpretation of this Addendum
-
Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
-
Addendum: This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs.
-
Addendum EU SCCs: The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information.
-
Appendix Information: As set out in Table 3.
-
Appropriate Safeguards: The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR.
-
Approved Addendum: The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18.
-
Approved EU SCCs: The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
-
ICO: The Information Commissioner.
-
Restricted Transfer: A transfer which is covered by Chapter V of the UK GDPR.
-
UK: The United Kingdom of Great Britain and Northern Ireland.
-
UK Data Protection Laws: as defined in Section 1 of the DPA.
-
-
This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfills the Parties’ obligation to provide the Appropriate Safeguards.
-
If the provisions included in the Addendum EU SCCs amend the Approved EU SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.
-
If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws apply.
-
If the meaning of this Addendum is unclear or there is more than one meaning, the meaning that most closely aligns with UK Data Protection Laws applies.
-
Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
Hierarchy
-
Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.
-
Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.
-
Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.
Incorporation of and changes to the EU SCCs
-
This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
-
together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
-
Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
-
this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
-
-
Unless the Parties have agreed to alternative amendments which meet the requirements of Section 11, the provisions of Section 15 will apply.
-
No amendments to the Approved EU SCCs other than to meet the requirements of Section 11 may be made.
-
The following amendments to the Addendum EU SCCs (for the purpose of Section 11) are made:
-
References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;
-
In Clause 2, delete the words: “and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
-
Clause 6 (Description of the transfer(s)) is replaced with: "The details of the transfer(s) (and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter's processing when making that transfer.";
-
Clause 8.7(i) of Module 1 is replaced with: “it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
-
Clause 8.8(i) of Modules 2 and 3 is replaced with: “the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
-
References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
-
References to Regulation (EU) 2018/1725 are removed;
-
References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
-
The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;
-
Clause 13(a) and Part C of Annex I are not used;
-
The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
-
In Clause 16(e), subsection (i) is replaced with: “the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
-
Clause 17 is replaced with: “These Clauses are governed by the laws of England and Wales.”;
-
Clause 18 is replaced with: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
-
The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10, and 11.
-
-
Amendments to this Addendum
-
The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
-
If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
-
From time to time, the ICO may issue a revised Approved Addendum which: (i) makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or (ii) reflects changes to UK Data Protection Laws; and
-
The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
-
-
If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in: (a) its direct costs of performing its obligations under the Addendum; and/or (b) its risk under the Addendum, and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
-
The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.
-
Alternative Part 2 Mandatory Clauses
Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.