Data Processing Addendum with EU Model Contract

KEAP DATA PROCESSING ADDENDUM

Keap Clients

This Keap Data Processing Addendum (the “Addendum”) is entered into by and between Thryv, Inc., d/b/a Keap (“Keap”) and you (the “Client”) (each, a “Party” and, collectively, the “Parties”). If you are accepting the terms of this Addendum on behalf of an entity, you represent and warrant to Keap that you have the authority to bind that entity and its affiliates (where applicable) to the terms and conditions of this Addendum. This Addendum is effective as of the date on which you agree to it (the “Effective Date”) (1) accepting Keap's Terms of Service, or (2) transferring to Keap any Client Personal Data (as defined below) pursuant to the Service Agreement (as defined below).

WHEREAS, the Parties have entered into an agreement for Keap’s provision of services to Client available at https://keap.com/legal/terms-of-service (the “Service Agreement”);

WHEREAS, the Parties now wish to amend the Service Agreement to ensure that Client Personal Data (as defined below) transferred between the Parties is Processed (as defined below) in compliance with applicable data protection principles and requirements; and

NOW, THEREFORE, in consideration of the mutual agreements set forth in this document and for other good and valuable consideration, the receipt and sufficiency of which the Parties both acknowledge, the Parties agree as follows:

1. Definitions
   1. The definitions used in this Addendum shall have the meanings set forth in this Addendum. Capitalized definitions not otherwise defined herein shall have the meaning given to them in the Service Agreement. Except as modified or supplemented below, the definitions of the Service Agreement, as well as all the other terms and conditions of the Service Agreement, shall remain in full force and effect.
   2. For the purpose of interpreting this Addendum, the following terms shall have the meanings set out below:
      1. “Applicable Data Protection Laws” means the laws and regulations specified in Exhibit B hereto that are applicable to the Processing of Client Personal Data under the Agreement;
      2. “Client” means the Party, as indicated in the opening paragraph of this Addendum, that has entered into the Service Agreement with Keap, including all affiliates of that other Party that are also bound by the Service Agreement, if any;
      3. “Controller”, “Data Subject”, “Processor”, “Processing”, and “Personal Data” shall have the meanings attributed to them under Applicable Data Protection Laws;
      4. “Client Personal Data” means any Personal Data Processed by Keap or a Subprocessor on behalf of the Client (where the client is the Controller) pursuant to or in connection with the Service Agreement;
      5. “Contracted Processor” means Keap, a Subprocessor, or both collectively;
      6. “Personal Data Breach” shall have the meaning provided in the relevant sections of Exhibit B
      7. “Services” means the “Keap Service” and the “Services”, as applicable, as defined in the Service Agreement;
      8. “Sub-processor” means any third-party entity appointed by Keap to Process Client Personal Data on behalf of the Client in connection with the Service Agreement.
2. Applicability
   1. This Addendum will apply to the Processing of all Client Personal Data which is regulated by the data protection laws and regulations specified in Exhibit B attached hereto.
3. Processing of Client Personal Data
   1. In the context of this Addendum, the Client acts as a Controller and Keap acts as a Processor with regard to the Processing of Client Personal Data.
   2. Keap warrants that it will:
      1. not Process Client Personal Data other than on the Client’s relevant documented instructions to the extent that this is required for the provision of the Services, including with regard to international transfers of Client Personal Data, unless such Processing is permitted by applicable laws to which Keap is subject in which case Keap shall, to the extent permitted by applicable laws, inform the Client of that legal requirement before the respective act of Processing of that Client Personal Data; and
      2. only conduct transfers of Client Personal Data, in compliance with all applicable conditions, as laid down in Applicable Data Protection Laws.
   3. The Client agrees to provide Keap at [email protected] the identity and contact information of its Data Protection Officer and the identity and contact information of its EU and UK representative (if applicable). The Client warrants that it will promptly update Keap, when there is a change in the information provided.
   4. The Client instructs Keap (and authorizes Keap to instruct each Sub-processor) to Process Client Personal Data, and in particular, transfer Client Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the Service Agreement and this Addendum. In the event that, in Keap’s opinion, a Processing instruction given by the Client infringes Applicable Data Protection Laws, Keap shall immediately inform the Client.
   5. The Client represents and warrants that it has all necessary rights to provide the Client Personal Data to Keap for the purposes of Processing such data within the scope of this Addendum and the Service Agreement. Within the scope of the Service Agreement and in its use of the Services, the Client shall be solely responsible for complying with the statutory requirements relating to data protection and privacy, in particular regarding the disclosure and transfer of Client Personal Data to Keap and the Processing of Client Personal Data.
4. Keap Personnel
   1. Keap shall take reasonable steps to ensure that Keap employees, agents and contractors who have access to the Client Personal Data have committed themselves to confidentiality or are under professional or statutory obligations of confidentiality.
5. Security of Processing
   1. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity to the rights and freedoms of natural persons, Keap shall, with regard to Client Personal Data, implement and maintain appropriate technical and organizational security measures to ensure a level of security appropriate to that risk, as well as assist the Client with regard to ensuring compliance with the Client’s security obligations pursuant to Applicable Data Protection Laws, insofar as those obligations relate to Keap.
   2. In assessing the appropriate level of security, Keap shall take account the risks that are presented by the nature of such Processing activities, and particularly those related to possible Personal Data Breaches.
   3. The Client is responsible for reviewing the information made available by Keap relating to data security and making an independent determination as to whether the Services meet the Client’s requirements and legal obligations under Applicable Data Protection Laws. The Client acknowledges that the security measures are subject to technical progress and development and that Keap may update or modify the security measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Client.
   4. Notwithstanding the above, the Client agrees that, except as provided by this Addendum, the Client is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Client Personal Data when in transit to and from the Services, and taking any appropriate steps to securely encrypt or backup any Client Personal Data uploaded to the Services.
6. Sub-processing
   1. The Client authorizes Keap to appoint (and to permit each Sub-processor appointed in accordance with this Section 6 to appoint) Sub-processors in accordance with this Section 6 and any possible further restrictions, as set out in the Service Agreement, as the case may be.
   2. Keap may continue to use those Sub-processors already engaged by Keap as of the Effective Date, subject to Keap meeting the obligations set out in Section 6.4 of this Addendum. The list of Keap Sub-processors is located at: https://keap.com/legal/subprocessors. Keap provides the Client with a mechanism to subscribe to notifications about changes to the list of Keap Sub-processors.
   3. Keap shall give the Client written notice of the appointment of any new Sub-processor, by way of updating the list of Keap Sub-processors, as indicated in Section 6.2. If within seven (7) days of posting of each such update, the Client does not explicitly notify Keap in writing of any objections (on reasonable grounds) to the proposed appointment, it shall be deemed that the Client has consented to the proposed appointment.
   4. With respect to each Sub-processor, Keap shall:
      1. before the Sub-processor first Processes Client Personal Data (or, where relevant, in accordance with Section 6.2), carry out adequate due diligence to ensure that the Sub-processor is capable of providing the level of protection for Client Personal Data required by this Addendum, the Service Agreement, and Applicable Data Protection Laws; and
      2. where required under the terms of Exhibit B, ensure that the arrangement between Keap and any prospective Sub-processor is governed by a written contract that includes data protection obligations compatible with those of Keap under this Addendum (excluding its Exhibits) to the extent specified by the applicable terms of Exhibit B
   5. If the Client elects to enable, access or use certain non-Keap services which may be integrated directly into the Client’s account, the Client’s access and use of such non-Keap services is governed solely by the terms and conditions and privacy policies of such non-Keap services (to the extent the non-Keap services are offered separately from, and not as a part of, the Services). Keap does not endorse and is not responsible or liable for, and make no representation as to any aspect of, such non-Keap services, including, without limitation, their content or the manner in which they handle Client Personal Data or any interaction between the Client and the provider of such non-Keap services. The providers of non-Keap services shall not be deemed Sub-processors for any purpose under this Addendum.
7. Rights of the Data Subjects
   1. Taking into account the nature of the Processing, Keap shall assist the Client by implementing appropriate technical and organizational measures, insofar as reasonably possible, for the fulfilment of the Client’s obligations, as reasonably understood by the Client, to respond to requests to exercise Rights of the Data Subjects under the Applicable Data Protection Laws.
   2. With regard to Rights of the Data Subjects within the scope of this Section 7, and only to the extent that a Data Subject can reasonably be identified as Client Personal Data, Keap shall:
      1. promptly notify the Client if any Contracted Processor receives a request from a Data Subject under any Data Protection Law in respect of Client Personal Data; and
      2. ensure that the Contracted Processor does not respond to that request except on the documented instructions of the Client, or as required or permitted by Applicable Data Protection Laws to which the Contracted Processor is subject, in which case Keap shall, to the extent permitted by Applicable Data Protection Laws, inform the Client of that legal requirement before the Contracted Processor responds to the request.
8. Personal Data Breach
   1. When required by applicable laws governing Client Personal Data, Keap shall notify the Client without undue delay upon Keap becoming aware of a confirmed Personal Data Breach that has a material impact on Client Personal Data. Keap shall provide the Client with sufficient information to allow the Client to meet its obligations under Applicable Data Protection Laws, and reasonably cooperate with the Client in the investigation of the Personal Data Breach.
   2. Keap’s notification of or response to a Personal Data Breach under this Section 8 will not be construed as an acknowledgement by Keap of any fault or liability with respect to the Personal Data Breach.
9. Deletion or Return of Client Personal Data
   1. Keap shall provide the Client with the technical means, consistent with the manner in which the applicable Services are provided, to request the deletion of Client Personal Data within the term of this Addendum and the Service Agreement, unless Applicable Data Protection Laws require storage of any such Client Personal Data.
   2. Following the date of cessation of Services involving the Processing of Client Personal Data, at the choice of the Client, Keap shall delete or return all Client Personal Data to the Client, as well as delete existing copies, unless Applicable Data Protection Laws permit storage of any such Client Personal Data.
10. Audit Rights
    1. Where the Client is entitled to and desires to review Keap’s compliance with the Applicable Data Protection Laws, the Client may request, and Keap will provide (subject to obligations of confidentiality) reasonable documentation to demonstrate the measures it has taken to comply with this Addendum.
11. Jurisdiction Specific Terms
    1. To the extent Keap processes Client Personal Data originating from, or protected by, Applicable Data Protection Laws in one of the jurisdictions listed in Exhibit B, then the terms and definitions specified in Exhibit B with respect to the applicable jurisdiction(s) (“Jurisdiction Specific Terms”) shall apply in addition to the terms of this Addendum.
    2. Keap may update Exhibit B from time to time to reflect changes in or additions to Applicable Data Protection Laws to which Keap is subject. If Keap updates Exhibit B, it will provide the updated Exhibit B to the Client by means of posting an updated version to the Keap website. If the Client does not object to the updated Exhibit B within fourteen (14) days of receipt, the Client will be deemed to have consented to the updated Exhibit B.
    3. In case of any conflict or ambiguity between the Jurisdiction Specific Terms and any other terms of this Addendum or the Service Agreement, the applicable Jurisdiction Specific Terms will prevail.
12. No Selling of Client Personal Data
    1. Keap acknowledges and confirms that it does not receive any Client Personal Data as consideration for any Services or other items that Keap provides to the Client. The Client retains all right and interest in Client Personal Data. The Client agrees to refrain from taking any action that would cause any transfers of Client Personal Data to or from Keap to quality as selling Client Personal Data under Applicable Data Protection Laws.
13. Indemnification
    1. The Client agrees to indemnify and hold harmless Keap and its officers, directors, employees, agents, affiliates, successors, and permitted assigns against any and all losses, damages, liabilities, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs, or expenses of whatever kind which Keap may sustain as a consequence of the breach by the Client of its obligations pursuant to Applicable Data Protection Laws and under this Addendum.
    2. The Client agrees that any liability for breach of any terms and conditions under the Addendum shall be subject to the liability clause agreed in the Service Agreement.
14. General Terms
    1. This Addendum supersedes and replaces all prior and contemporaneous proposals, statements, sales material or presentations, and agreements, oral and written, with regard to the subject matter of this Addendum, including any prior data processing addenda entered into between Keap and the Client.
    2. All clauses of the Service Agreement, that are not explicitly amended or supplemented by the clauses of this Addendum, and as long as this does not contradict with compulsory requirements of Applicable Data Protection Laws under this Addendum, remain in full force and effect and shall apply.
    3. In the event of any conflict between the Service Agreement (including any annexes and appendices thereto) and this Addendum, the provisions of this Addendum shall prevail, except where the applicable Jurisdiction Specific Terms apply and prevail as discussed in Section 11.3 above.
    4. Keap may amend the Addendum, including its Exhibits, in the event changes to this Addendum are necessary to meet the requirements of Applicable Data Protection Laws, and Customer agrees to revised terms for this Addendum with Keap. If Client does not agree to the revised terms, Client shall initiate negotiations with Keap. Keap agrees to negotiate the revised terms and, if such negotiations are unsuccessful, Keap may terminate the Service Agreement at its election, and Customer shall pay the applicable fees until the subscription is terminated. Upon termination of the subscription term, all fees then due and payable to Keap must be paid in full even if they have not yet been invoiced.
    5. Should any provision of this Addendum be found invalid or unenforceable pursuant to any applicable law, then the invalid or unenforceable provision will be deemed superseded by a valid, enforceable provision that most closely matches the intent of the original provision and the remainder of the Addendum will continue in effect.
    6. If Keap makes a determination that it can no longer meet its obligations in accordance with this Addendum, it shall promptly notify the Client of that determination, and cease the Processing or take other reasonable and appropriate steps to remediate.

Exhibit A

1. Further details of the Processing, in addition to the ones laid down in the Service Agreement and this Addendum, include:

Exhibit B

Jurisdiction Specific Terms

1. United States of America
   1. Definitions
      1. “Applicable Data Protection Laws” (as used in the Addendum) includes “Applicable United States Data Privacy Laws” (as defined below).
      2. “Applicable United States Data Privacy Laws” includes all the enacted state and federal laws, acts, and regulations of the United States of America that apply to the Processing of Personal Data that is Company Data, as they may be amended from time to time. Such laws include, without limitation:
         1. the California Consumer Privacy Act of 2018, Assembly Bill 375 of the California House of Representatives, an act to add Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, relating to privacy and approved by the California Governor on June 28, 2018 as amended by the California Privacy Rights Act.
         2. the Colorado Privacy Act;
         3. the Connecticut Data Privacy Act;
         4. the Virginia Consumer Data Protection Act;
         5. the Utah Consumer Privacy Act;
         6. the state data breach notification laws of each state of the United States of America.
      3. “Business Purpose” and “Commercial Purpose” (as both are used in this Section) shall have the meanings given to those terms by the Applicable United States Data Privacy Laws that define those terms.
      4. “Controller” (as used in the Addendum) includes “Business” as defined under the Applicable United States Data Privacy Laws that define that term.
      5. “Data Subject” (as used in the Addendum) includes “Consumer” as defined under the Applicable United States Data Privacy Laws that define that term.
      6. “Personal Data” (as used in the Addendum) includes “Personal Information” as defined under the Applicable United States Data Privacy Laws that define that term.
      7. “Personal Data Breach” (as used in the Addendum) includes “Breach of the Security of the System” as defined under the Applicable United States Data Privacy Laws that define that term.
      8. “Processor” (as used in the Addendum) includes “Service Provider” as defined under the Applicable United States Data Privacy Laws that define that term.
      9. The terms “Sell” (as used in this Section) and “Share” shall have the meanings given to those terms by the Applicable United States Data Privacy Laws that define those terms.
   2. The Client discloses Personal Data to Keap solely for: (i) valid Business Purposes; and (ii) to enable Keap to perform the Services.
   3. Keap shall not: (i) Sell or Share Client Personal Data; (ii) retain, use or disclose Client Personal Data for a Commercial Purpose other than providing the Services specified in the Agreement or as otherwise required by Applicable United States Data Privacy Laws; (iii) retain, use, or disclose Client Personal Data except where permitted under the Service Agreement between Client and Keap; nor (iv) combine Client Personal Data with other information that Keap Processes on behalf of other persons or that Keap collects directly from the Data Subject, with the exception of Processing for Business Purposes. Keap certifies that it understands these prohibitions and agrees to comply with them.
   4. Keap shall ensure that the arrangement between Keap and any prospective Sub-processor is governed by a written contract that includes data protection obligations compatible with those of Keap under this Section 1. Client agrees that agreements between Keap Sub-processors and Keap that do not specifically include Personal Data governed by Applicable United States Data Privacy Laws provide data protection obligations compatible with those of Keap under the Addendum and this Section.
2. European Economic Area (EEA)
   1. Definitions
      1. “EEA” means the European Economic Area, consisting of the EU Member States, and Iceland, Liechtenstein, and Norway.
      2. “EU 2021 Standard Contractual Clauses” means the contractual clauses adopted by the Commission Implementing Decision (EU) 2021/914 of June 4, 2021, on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
      3. “EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC.
      4. “Personal Data Breach” (as used in the Addendum) shall have the same meaning as under the EU GDPR.
      5. “Restricted Transfer of EEA Personal Data” (as used in this Section) means any transfer of Personal Data subject to the EU GDPR which is undergoing processing or is intended for processing after transfer to Third Country (as defined below) or an international organization Third Country (including data storage on foreign servers).
      6. “Third Country” (as used in this Section) means a country outside of the EEA.
   2. Restricted Transfers of EEA Personal Data
      1. With regard to any Restricted Transfer of EEA Personal Data from the Client to Keap within the scope of this Addendum, one of the following transfer mechanisms shall apply, in the following order of precedence:
         1. a valid adequacy decision adopted by the European Commission on the basis of Article 45 of the EU GDPR that provides that the Third Country, a territory or one or more specified sectors within that Third Country, or the international organization in question to which Personal Data is to be transferred ensures an adequate level of data protection. This includes, if applicable, Keap’s certification to any successor/replacement framework to the EU-U.S. Privacy Shield Framework, to the extent that the Services are lawfully covered by such certification;
         2. the EU 2021 Standard Contractual Clauses (insofar as their use constitutes an “appropriate safeguard” under Article 46 of the GDPR). The text contained in Exhibit C of this Addendum serves to supplement the 2021 Standard Contractual;
         3. any other lawful data transfer mechanism, as laid down in chapter 5 of the EU GDPR, as the case may be.

      2. EU 2021 Standard Contractual Clauses

         1. This Addendum incorporates by reference the EU 2021 Standard Contractual Clauses provided that the Parties’ choices under the EU 2021 Standard Contractual Clauses and the content of Annex I.B and Annex II is set forth in Exhibit A and Appendix A to Exhibit B to the Addendum.
         2. In cases where the EU 2021 Standard Contractual Clauses apply, and there is a conflict between the terms of the Addendum and the terms of the EU 2021 Standard Contractual Clauses, the terms of EU 2021 Standard Contractual Clauses shall prevail.
   3. Data Protection Impact Assessments and Prior Consultations
      1. Keap shall provide the Client with commercially reasonable information with regard to any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, when the Client reasonably considers that such data protection impact assessments or prior consultations are required pursuant to Applicable Data Protection Laws, but in each such case solely with regard to Processing of Client Personal Data by, and taking into account the nature of the Processing and information available to, the respective Contracted Processors.
      2. The Client agrees to pay Keap, upon receipt of invoice, a reasonable fee based on the time spent, as well as to account for the materials expended, in relation to the Client exercising its rights under this Section 2.3.
   4. Audit Rights
      1. If the Client, after having reviewed Keap’s documentation that demonstrates the measures it has taken to comply with this Addendum (as requested under Section 10.1 of the Addendum), still reasonably deems that it requires additional information in order to comply with EU GDPR, Keap shall allow for and contribute to audits, including remote inspections of the Services, by the Client or an auditor mandated by the Client with regard to the Processing of the Client Personal Data.
      2. Keap shall provide the assistance described in this Section 2.4, insofar as in Keap’s reasonable opinion such audits, and the specific requests of the Client, do not interfere with Keap’s business operations or cause Keap to breach any legal or contractual obligation to which it is subject.
      3. The Client agrees to pay Keap, upon receipt of invoice, a reasonable fee based on the time spent, as well as to account for the materials expended, in relation to the Client exercising its rights under this Section 2.4 or the EU 2021 Standard Contractual Clauses.
   5. Agreements with Subprocessors
      1. Keap shall ensure that the arrangement between Keap and any prospective Sub-processor is governed by a written contract that includes data protection obligations compatible with those of Keap under the Addendum (excluding its Exhibits) and this Section 2. Client agrees that older versions of the EU 2021 Standard Contractual Clauses concluded between Keap Sub-processor and Keap provide data protection obligations compatible with those of Keap under the Addendum and this Section.
3. United Kingdom
   1. Definitions
      1. “Applicable Data Protection Laws” (as used in the Addendum) includes the Data Protection Act 2018, and the UK GDPR.
      2. “EU 2021 Standard Contractual Clauses” means the contractual clauses adopted by the Commission Implementing Decision (EU) 2021/914 of June 4, 2021, on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
      3. “Personal Data Breach” (as used in the Addendum) shall have the same meaning as under the UK GDPR.
      4. “Restricted Transfer of UK Personal Data” (as used in this Section) means any transfer of Personal Data Subject to the UK GDPR which is undergoing Processing or is intended for Processing after transfer to Third Country (as defined below) or an international organization (including data storage on foreign servers).
      5. “Third Country” (as used in this Section) means a country outside of the United Kingdom.
      6. “UK Transfer Addendum” (as used in this Section) means the agreement available at https://ico.org.uk/media/for-organisations/documents/4019483/international-data-transfer-addendum.pdf.
      7. “UK GDPR” (as used in this Section) means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) as has been amended, adopted, and forming part of the law of England, Wales, Scotland, and Northern Ireland by virtue of Section 3 of the European Union Withdrawal Agreement Act of 2020.
   2. Audit Rights
      1. If the Client, after having reviewed Keap’s documentation that demonstrates the measures it has taken to comply with this Addendum (as requested under Section 10.1 of the Addendum), still reasonably deems that it requires additional information in order to comply with Data Protection Act 2018 and the UK GDPR, Keap shall allow for and contribute to audits, including remote inspections of the Services, by the Client or an auditor mandated by the Client with regard to the Processing of the Client Personal Data.
      2. Keap shall provide the assistance described in this Section 3.2, insofar as in Keap’s reasonable opinion such audits, and the specific requests of the Client, do not interfere with Keap’s business operations or cause Keap to breach any legal or contractual obligation to which it is subject.
      3. The Client agrees to pay Keap, upon receipt of invoice, a reasonable fee based on the time spent, as well as to account for the materials expended, in relation to the Client exercising its rights under this Section 3.2 or the EU 2021 Standard Contractual Clauses.
   3. Agreements with Sub-processors
      1. Keap shall ensure that the arrangement between Keap and any prospective Sub-processor is governed by a written contract that includes data protection obligations compatible with those of Keap under the Addendum (excluding its Exhibits) and this Section 3.
   4. Restricted Transfers of UK Personal Data
      1. With regard to any Restricted Transfer of UK Personal Data from the Client to Keap within the scope of this Addendum, one of the following transfer mechanisms shall apply, in the following order of precedence:
         1. a valid adequacy decision adopted pursuant to Article 45 of the UK GDPR that provides that the Third Country, a territory or one or more specified sectors within that Third Country, or the international organization in question to which Personal Data is to be transferred ensures an adequate level of data protection. This includes, if applicable, Keap’s certification to any successor/replacement framework to the EU-U.S. Privacy Shield Framework, to the extent that the Services are covered by the such certification and to the extent that the United Kingdom recognizes the EU-U.S. Privacy Shield Framework or its successor/replacement as a valid transfer mechanism;
         2. the EU 2021 Standard Contractual Clauses (insofar as their use constitutes an “appropriate safeguard” under the UK GDPR) along with any necessary modifications and addenda to make the SCCs applicable to transfers of UK Personal Data (including the adoption and incorporation by reference of the UK Transfer Addendum);
         3. any other lawful data transfer mechanism, as laid down in Chapter 5 of the UK GDPR, as the case may be.
      2. EU 2021 Standard Contractual Clauses:
         1. This Addendum incorporates by reference the EU 2021 Standard Contractual Clauses provided that the content of Annex I.B and Annex II of the EU 2021 Standard Contractual Clauses, the Parties’ choices under the EU 2021 Standard Contractual Clauses, and the tables of the UK Transfer Addendum is set forth in Exhibit A and Appendix A to Exhibit B. The Parties are deemed to have accepted, executed, and signed the EU 2021 Standard Contractual Clauses where necessary, in their entirety (including the Appendices thereto) and the UK Transfer Addendum.
         2. In cases where the EU 2021 Standard Contractual Clauses apply, and there is a conflict between the terms of the Addendum and the terms of the EU 2021 Standard Contractual Clauses, the terms of EU 2021 Standard Contractual Clauses shall prevail.
4. Brazil
   1. Definitions
      1. “Applicable Data Protection Laws” (as used in the Addendum) includes the Lei Geral de Proteção de Dados (“LGPD”).
      2. “Personal Data Breach” (as used in the Addendum) includes a security incident impacting Client Personal Data that may result in any relevant risk or damage to the Data Subjects.
      3. “Processor” (as used in the Addendum) includes “Operador” as defined under the LGPD.

Appendix A to Exhibit B

Choices and Contents of the 2021 Standard Contractual Clauses and the UK Addendum to the EU 2021 Standard Contractual Clauses

Exhibit B

Supplemental Clauses to the EU 2021 Standard Contractual Clauses

By this Exhibit C (this “Exhibit”), Keap provides additional safeguards to Client and additional redress to the Data Subjects to whom Client Personal Data relates. This Exhibit supplements and is made part of, but is not in variation or modification of EU 2021 Standard Contractual Clauses as defined in Exhibit B.

1. Applicability of this Exhibit
   1. This Exhibit applies where Keap processes Client Personal Data subject the EU 2021 Standard Contractual Clauses as described in Exhibit B.
2. Definitions
   1. For the purpose of interpreting this Exhibit, the following terms shall have the meanings set out below:
      1. “EO 12333” means U.S. Executive Order 12333.
      2. “FISA” means the U.S. Foreign Intelligence Surveillance Act.
      3. “Schrems II Judgment” means the judgment of the European Court of Justice in Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximilian Schrems.
3. Applicability of Surveillance Laws to Keap
   1. U.S Surveillance Laws
      1. Keap represents and warrants that, as of the date of this Agreement, it has not received any national security orders of the type described in Paragraphs 150-202 of the judgment of the European Court of Justice in Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximilian Schrems.
      2. Keap represents that it reasonably believes that it is not eligible to be required to provide information, facilities, or assistance of any type under FISA Section 702 because:
         1. It does not believe that it qualifies as an “electronic communication service provider” within the meaning of 50 U.S.C. § 1881(b)(4) and is therefore ineligible to receive any process issued under Section 702 of the Foreign Intelligence Surveillance Act for Services it provides to its customers.
         2. No court has found Keap to be an entity eligible to receive process issued under FISA Section 702: (i) an “electronic communication service provider” within the meaning of 50 U.S.C. § 1881(b)(4) or (ii) a member of any of the categories of entities described within that definition.
      3. If Keap were to be found eligible for FISA Section 702, which it believes it is not, it is nevertheless also not the type of provider that is eligible to be subject to UPSTREAM collection pursuant to FISA Section 702, as described in paragraphs 62 and 179 of the Schrems II judgment.
      4. EO 12333 does not provide the U.S. government the ability to order or demand that Keap provide assistance for the bulk collection of information and Keap shall take no action pursuant to U.S. Executive Order 12333.
4. Redirection of the Request to Client
   1. If the Keap is prohibited from notifying Client and/or the data subject under the laws of the country of destination of the request for disclosure of Client Personal Data, Keap agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. Keap agrees to document its best efforts to be able to demonstrate them upon. This includes but it is not limited to informing requesting public authority of the incompatibility of the order with the safeguards contained in the EU 2021 Standard Contractual Clauses and the resulting conflict of obligations for Keap.
   2. Unless prohibited under the law applicable to the requesting third party, Keap shall use every reasonable effort to redirect the third party requesting the disclosure of any Client Personal Data that has been transferred to Keap request data directly from Client.
5. Backdoors
   1. Keap certifies that:
      1. it has not purposefully created back doors or similar programming for governmental agencies to access Keap’s systems and/or Client Personal Data;
      2. it has not purposefully created or changed its business processes in a manner that facilitates governmental access to personal data or systems, and
      3. that national law or government policy does not require Keap to create or maintain back doors or to facilitate access to personal data or systems or for Keap to be in possession or to hand over the encryption key.
6. Additional Measures to Prevent Authorities from Accessing Personal Data
   1. Keap will implement, and Client approves, the following technical, organizational, administrative and physical measures designed to protect any the transferred Client Personal Data from unauthorized disclosure and access:
      1. Encryption of the Transferred Personal Data in transit using the Transport Layer Security (TLS) protocol version 1.2 or higher with a minimum of 128-bit encryption;
      2. Encryption within the Keap-authored software application product offerings within the Keap-authored software application product offerings are encrypted at rest using a minimum of AES-256;
      3. Active monitoring and logging of network and database activity for potential security events including intrusion;
      4. Regular scanning and monitoring of Keap-authored software applications and IT systems for vulnerabilities;
      5. Restriction of physical and logical access to IT systems that process Client Personal Data to those officially authorized persons with an identified need for such access.
      6. Firewall protection of external points of connectivity in the Keap network architecture; and
      7. Expedited patching of known exploitable vulnerabilities in Keap-authored software applications and IT systems.
      8. Internal policies establishing that:
         1. (i) where Keap is prohibited by law from notifying the affected Client or the Data Subject of an order from a public authority for Client Personal Data subject to the EU 2021 Standard Contractual Clauses, Keap will use best efforts to request that any confidentiality requirements be waived to enable it to notify Client, the Data Subject or competent data protection authorities in the EEA;
         2. Keap requires an official, signed document issued pursuant to the Applicable Data Protection Laws of the requesting third party before it will consider a request for access to Client Personal Data;
         3. Keap’s legal team shall scrutinize every request for legal validity and, as part of that procedure, will reject any request Keap considers to be invalid;
         4. where the scope of the request is unclear or disproportional, Keap will clarify the scope of every request with the requesting party and attempt to narrow it to the strict minimum; and
         5. if Keap is legally required to comply with an order, it will respond as narrowly as possible to the specific request.
7. Updates to this Exhibit and the Transfer Adequacy Assessment Memorandum
   1. From time to time, Keap may update this Exhibit and the Transfer Adequacy Assessment Memorandum, which also outlines Keap’s supplemental measures, and is available to Client upon request) to add or modify supplemental measures described in this Exhibit.
   2. If Keap updates this Exhibit, it will provide the updated Exhibit to the Client. If the Client does not object to the updated Exhibit within fourteen (14) days of receipt, the Client will be deemed to have consented to the updated Exhibit.
8. Termination
   1. This Exhibit shall automatically terminate if the European Commission, a competent Member State supervisory authority, or an EEA or competent Member State court approves a different lawful transfer mechanism that would be applicable to the data transfers covered by the EU 2021 Standard Contractual Clauses (and if such mechanism applies only to some of the data transfers, this Addendum will terminate only with respect to those transfers) and that does not require the additional safeguards set forth in this Addendum.