Data Processing Addendum
Terms defined in the Master Agreement shall, unless otherwise defined in this DPA, have the same meanings when used in this DPA and the following capitalised terms used in this DPA shall be defined as follows:
"Adequate Jurisdiction" means the UK, EEA, or a country which ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data, as set out in:
- with respect to personal data relating to data subjects in the EEA, a decision of the European Commission;
with respect to personal data relating to data subjects in the UK, the UK Data Protection Act 2018 or regulations made by the UK Secretary of State under the UK Data Protection Act 2018;
"Customer Affiliate" has the meaning given to it in clause 2.1;
"Customer Personal Data" means the personal data processed by the Processor on behalf of the Customer in connection with the provision of the Services, as further described in Exhibit A;
"Data Protection Laws" means the GDPR and all applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Customer Personal Data;
"DPA" has the meaning given to it in the Background;
"EEA" means the European Economic Area;
"Effective Date" means the last date of signature below, except as otherwise set forth herein;
"GDPR" means Regulation (EU) 2016/679 (the "EU GDPR") or, where applicable the “UK GDPR” as defined in the UK Data Protection, Privacy and Electronic Communications (Amendment Etc.) (EU Exit) Regulations 2019;
"Instruction" means any documented instruction, submitted by Customer to Processor, directing Processor to perform a specific action with regard to personal data;
"Master Agreement" has the meaning given to it in the Background;
"Member State" means a member state of the EEA, being a member state of the European Union, Iceland, Norway, or Liechtenstein;
"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Customer Personal Data;
"Services" has the meaning given to it in the Background;
"Standard Contractual Clauses 2010" means the Standard Contractual Clauses (processors) approved by European Commission Decision C(2010)593;
"Standard Contractual Clauses 2021" means Module Two (controller to processor) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914;
"sub-processor" means a processor appointed by the Processor to process Customer Personal Data.
The terms "personal data", "controller", "processor", "data subject", "process" and "supervisory authority" shall have the same meaning as set out in the GDPR.
Interaction with Master Services Agreement
This DPA supplements the Master Agreement with respect to any processing of Customer Personal Data provided by Customer or Customer’s affiliates specified in Schedule 1, as amended from time to time by written agreement between the Parties (the "Customer Affiliates").
In the event of any conflict between this DPA and the Master Agreement, the terms of this DPA shall prevail as to such conflict only.
Standard Contractual Clauses
The Standard Contractual Clauses 2010 shall apply to any transfers of Customer Personal Data from the Customer (as data exporter) to the Processor (as data importer) to the extent that:
- the Effective Date is 27 September 2021 or earlier, and the transfer is initiated at or prior to 11:59 pm on 27 December 2022; or
the transfer relates to Customer Personal Data falling within the scope of the UK GDPR.
For the purposes of the Standard Contractual Clauses 2010:
- Annex 1 (Details of the Transfer Forming Part of the Standard Contractual Clauses) shall be deemed to incorporate the information in Schedule 2;
Annex 2 (Technical and Organisational Security Measures) shall be deemed to incorporate the information in Schedule 4.
The Standard Contractual Clauses 2021 shall apply to any transfers of Customer Personal Data falling within the scope of the EU GDPR from the Customer (as data exporter) to the Processor (as data importer) to the extent that:
- the Effective Date is 28 September 2021 or later; or
the transfer is initiated on or after 00:00 am on 28 December 2022.
For the purposes of the Standard Contractual Clauses 2021:
- Annex I.A (List of Parties) shall be deemed to incorporate the information in Schedule 1;
Annex I.B (Description of Transfer) shall be deemed to incorporate the information in Schedule 2;
Annex I.C (Competent Supervisory Authority) shall be deemed to refer to the supervisory authority identified in Schedule 1;
Annex II (Technical and Organisational Measures) shall be deemed to incorporate the information in Schedule 4.
In the event of any conflict between the Standard Contractual Clauses 2010 or Standard Contractual Clauses 2021 (as applicable) and the main body of this DPA, the provisions of the Standard Contractual Clauses 2010 or Standard Contractual Clauses 2021 (as applicable) shall prevail.
Instructions for Data Processing
The Parties agree that, for the purposes of clause 5(a) of the Standard Contractual Clauses 2010 and clause 8.1(a) of the Standard Contractual Clauses 2021 (as applicable), the Master Agreement and this DPA shall be the Customer's final instructions for the processing of Customer Personal Data
To the extent that any of the Customer's instructions require processing of Customer Personal Data in a manner that falls outside the scope of the Services or this DPA, the Processor may:
- make the performance of any such instructions subject to the payment by the Customer of any costs and expenses incurred by the Processor or such additional charges as the Processor may reasonably determine; or
terminate the Master Agreement and the Services.
Notwithstanding clause 5(a) of the Standard Contractual Clauses 2010 and clause 8.1 of the Standard Contractual Clauses 2021 (as applicable), the Processor may process Customer Personal Data to the extent required by applicable law in the UK, the EEA or a Member State, in each case to which the Processor is subject, in which case the Processor shall, to the extent permitted by such applicable law, inform the Customer of that legal requirement before processing that Customer Personal Data.
The Customer authorises the Processor to transfer Customer Personal Data to a recipient in a country or territory that is not an Adequate Jurisdiction, provided that:
- where the transfer relates to Customer Personal Data subject to the UK GDPR, the Processor ensures that such transfer is made in accordance with Chapter V of the UK GDPR;
where the transfer relates to Customer Personal Data subject to the EU GDPR, the Processor complies with Clause 8.8 of the Standard Contractual Clauses 2021.
Customer Warranties and Undertakings
The Customer represents and warrants that:
- it has provided all applicable notices to data subjects and, to the extent required, obtained consent from data subjects in each case as required for the lawful processing of Customer Personal Data in accordance with the Master Agreement and this DPA;
without prejudice to the generality of clauses 4(c) and (d) of the Standard Contractual Clauses 2010 and clause 8 of the Standard Contractual Clauses 2021 (as applicable), taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the security measures set out in Schedule 4 are:
- appropriate to ensure the security of the Customer Personal Data, including protection against a Security Incident; and
otherwise consistent with the Customer's obligations under Article 32 of the GDPR;
where the transfer of Customer Personal Data is governed by the Standard Contractual Clauses 2010, the transfer of Customer Personal Data to the Processor is lawful under applicable Data Protection Laws taking into account:
- the obligations set out in Standard Contractual Clauses 2010;
the law and practices of the jurisdiction in which the Processor is established, including those requiring the disclosure of data to public authorities or authorising access to such authorities;
the circumstances of the transfer; and
any supplementary contractual, technical or organisational safeguards agreed to in writing by the Parties, including measures applied during transmission and to the processing of the Customer Personal Data in the country of destination.
it is duly authorised to enter into this DPA for and on behalf of any Customer Affiliates, and that, upon executing this DPA or a written amendment to the Customer Affiliates listed in Exhibit A, each Customer Affiliate shall be bound by the terms of this DPA as if they were the Customer; and
it is duly mandated to enforce the terms of this DPA on behalf of any Customer Affiliates, and to act on behalf of any Customer Affiliates in the administration and conduct of any claims arising in connection with this DPA.
The Parties agree that, for the purposes of clause 9 of the Standard Contractual Clauses 2021:
- the Customer gives the Processor general authorisation to engage sub-processors from an agreed list; and
Schedule 3 sets out the list of sub-processors agreed by the Parties.
For the purposes of clause 11 of the Standard Contractual Clauses 2010, the Customer hereby consents to the Processor engaging the sub-processors set out in Schedule 3.
The Processor shall, with respect to any sub-processors engaged to process Customer Personal Data subject to the Standard Contractual Clauses 2010 enter into a written agreement with each sub-processor which provides for, in substance, the same obligations as those applicable to the Processor under this DPA.
The Processor shall provide the Customer with thirty (30) days' notice of any proposed changes to the sub-processors it uses to process Customer Personal Data (including any addition or replacement of any sub-processors), including any information reasonably necessary to enable the Customer to assess the sub-processor and exercise its right to object.
If the Customer objects to the Processor's use of a new sub-processor (including when exercising its right to object under clause 9(a) of the Standard Contractual Clauses 2021), it shall provide the Processor with:
- written notice of the objection within seven (7) days after the Processor has provided notice to the Customer as described in clause 6.2; and
documentary evidence that reasonably shows that the sub-processor does not or cannot comply with the requirements in this DPA, (an "Objection").
In the event of an Objection, the Processor will use reasonable endeavours to make available to the Customer a change in the Services, or will recommend a commercially reasonable change to the Services to prevent the applicable sub-processor from processing the Customer Personal Data.
If the Processor is unable to make available such a change in accordance with clause 6.6 within a reasonable period of time, which shall not exceed thirty (30) days, either Party may terminate the Master Agreement by providing not less than thirty (30) days' written notice to the other Party. During such notice period, the Processor may suspend the affected portion of the Services.
Security and Audits
The Processor may, by written notice to the Customer, vary the security measures set out in Schedule 4, including (where applicable) following any review by the Processor of such measures in accordance with clause 8.6 of the Standard Contractual Clauses 2021, provided that such variation does not reduce the overall level of protection afforded to the Customer Personal Data by the Processor under this DPA.
The Processor shall treat the Customer Personal Data subject to the Standard Contractual Clauses 2010 as the confidential information of the Customer, and shall ensure that:
- access to Customer Personal Data is limited to those employees or other personnel who have a business need to have access to such Customer Personal Data;
any employees or other personnel have agreed in writing to protect the confidentiality and security of Customer Personal Data.
With respect to any audits conducted under clause 5(f) of the Standard Contractual Clauses 2010 or clauses 8.9(c) and (d) of the Standard Contractual Clauses 2021 (as applicable), the Parties agree that:
all such audits shall be conducted:
on reasonable advance written notice to the Processor no more than once per calendar year;
only during the Processor's normal business hours; and
in a manner that does not disrupt the Processor's business;
the Customer (or, where applicable, a third party independent auditor appointed by the Customer) shall:
enter into a confidentiality agreement with the Processor prior to conducting the audit in such form as the Processor may request; and
ensure that its personnel comply with the Processor's and any sub-processor's policies and procedures when attending the Processor's or sub-processor's premises, as notified to the Customer by the Processor or sub-processor.
With respect to any Customer Personal Data processed by the Processor under the Standard Contractual Clauses 2010, if the Processor or any sub-processor becomes aware of a Security Incident, the Processor shall:
- notify the Customer of the Security Incident without undue delay;
investigate the Security Incident and provide such reasonable assistance to the Customer (and any law enforcement or regulatory official) as required to investigate the Security Incident and (where required) notify data subjects and applicable supervisory authorities of the Security Incident, and
take steps to remedy any non-compliance with this DPA.
Assistance and Information
With respect to any Customer Personal Data processed by the Processor under the Standard Contractual Clauses 2010, the Processor shall, taking into account the nature of the processing:
- assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under the GDPR;
implement (insofar as this is possible) appropriate technical and organisational measures for the fulfilment of the Customer's obligation to respond to requests for exercising data subject rights under the GDPR; and
make available to the Customer on request all information necessary to demonstrate compliance with this DPA.
The Processor shall provide reasonable assistance to the Customer with any data protection impact assessments and with any prior consultations to any supervisory authority of the Customer, in each case solely in relation to processing of Customer Personal Data and taking into account the information available to the Processor.
The Customer shall pay to the Processor on demand all costs and expenses incurred by the Processor in connection with:
- implementing any changes to the Services under clause 6.4;
facilitating and contributing to any audits of the Processor under clause 5(f) of the Standard Contractual Clauses 2010 or clauses 8.9(c) and (d) of the Standard Contractual Clauses 2021 (as applicable);
facilitating and contributing to any audits of the Processor conducted by a supervisory authority;
responding to queries or requests for information from the Customer relating to the processing of Customer Personal Data under clause 8.1(c) of this DPA, clause 5(e) of the Standard Contractual Clauses 2010 or clauses 8.9(a), 8.9(c) or 8.9(e) of the Standard Contractual Clauses 2021;
any assistance provided by the Processor to the Customer with its fulfilment of its obligations to respond to data subjects' requests for the exercise of their rights under the GDPR; and
any assistance provided by the Processor to the Customer with any data protection impact assessments or prior consultation with any supervisory authority of the Customer.
Duration and Termination
The Processor shall, within ninety (90) days of the date of termination or expiry of the Master Agreement:
- if requested to do so by the Customer within that period, return a copy of all Customer Personal Data Processed by the Processor by secure file transfer to the Customer; and
other than any Customer Personal Data retained by the Processor after termination of the Master Agreement in accordance with clause 12(1) of the Standard Contractual Clauses or clauses 8.5 and 16(d) of the Standard Contractual Clauses 2021, delete and use all reasonable efforts to procure the deletion of all other copies of Customer Personal Data processed by the Processor or any sub-processors.
Processor may modify or supplement these DPA, with notice to Customer, (i) if required to do so by a supervisory authority or other government or regulatory entity, (ii) if necessary to comply with Applicable Law, (iii) to implement amended standard contractual clauses laid down by the European Commission or (iv) to adhere to a code of conduct or certification mechanism approved or certified pursuant to Art. 40, 42 and 43 of the GDPR. Customer shall notify Processor if it does not agree to a modification, in which case Processor may terminate these DPA and the Master Services Agreement with two (2) weeks' prior written notice, whereby in the case of an objection not based on non-compliance of the modifications with applicable data protection law, Processor shall remain entitled to claim its agreed remuneration until the term end.
Law and Jurisdiction
Notwithstanding the provisions of the Master Agreement, this DPA and (where applicable) the Standard Contractual Clauses 2021 shall be governed by, and construed in accordance with:
- where the Customer is established in the EEA, the law of the Member State in which the Customer is established;
where the Customer is established in the UK, the law of England and Wales;
where the Customer is established other than in the UK or EEA, the law of the Member State in which the Customer has appointed its representative under Article 27 of the GDPR; or
where the Customer is not established in the UK or EEA, and has not appointed a representative under Article 27(1) of the GDPR, the law of the Federal Republic of Germany.
The governing law applicable to the Standard Contractual Clauses 2010 shall be:
- where the Customer is established in the EEA, the law of the EEA Member State in which the Customer is established;
where the Customer is established in the UK, the law of England and Wales; and
where the Customer is established other than in the UK or EEA, the law of England and Wales.
Notwithstanding the provisions of the Master Agreement, the Parties submit themselves to the jurisdiction of the following courts:
- where the Customer is established in the EEA, the courts of the Member State in which the Customer is established;
where the Customer is established in the UK, the courts of England and Wales;
where the Customer is established other than in the UK or EEA, the courts of the Member State in which the Customer has appointed its representative under Article 27 of the GDPR; or
where the Customer is not established in the UK or EEA, and has not appointed a representative under Article 27(1) of the GDPR, the courts of the Federal Republic of Germany.
Third Party Rights
Other than the right of data subjects or not-for-profit bodies, organisations or associations under the conditions set out in Article 80(1) of the GDPR to bring claims under the Standard Contractual Clauses 2010 or Standard Contractual Clauses 2021 (as applicable), a person who is not a party to this DPA may not enforce any of its terms.
Written Communications. Applicable laws may require that some of the information or communications that the Parties send to each other should be in writing. The Parties agree, for the purposes of this DPA, that communication between them will mainly be electronic and that the Parties will contact each other by e-mail. For contractual purposes, the Parties agree to this electronic means of communication and the Parties acknowledge that all contracts, notices, information and other communications provided by one Party to the other electronically comply with any legal requirement that such communications be in writing.
Notices. Any notices given by one Party to the other will be served if validly served in accordance with the Agreement, and will be deemed received in accordance with the relevant provisions in the Agreement.
Rights and remedies. Except as expressly provided in the Agreement, the rights and remedies provided under the Agreement are in addition to, and not exclusive of, any rights or remedies provided by law.
No partnership or agency. Nothing in the DPA is intended to, or shall be deemed to, establish any partnership or joint venture between any of the Parties, constitute any Party the agent of another Party, or authorise any Party to make or enter into any commitments for or on behalf of any other Party. Each Party confirms it is acting on its own behalf and not for the benefit of any other person.
Transfer of rights and obligations. Neither Party shall transfer, assign or otherwise deal in the DPA, or any of its rights and obligations under this DPA, other than to an assignee of that Party's rights and obligations under the Agreement.
Waiver. No forbearance or delay by either Party in enforcing its rights shall prejudice or restrict the rights of that Party, and no waiver of any such rights or any breach of any contractual terms shall be deemed to be a waiver of any other right or of any later breach.
Variation. No variation of this DPA shall be effective unless it is in writing and signed by the Parties (or their authorised representatives).
Severability. If any provision of the DPA is judged to be illegal or unenforceable, the continuation in full force and effect of the remainder of the provisions of the DPA shall not be prejudiced.
Relevant Information on Processor / data importer and Customer / data exporterPartyCustomer / data exporterProcessor / data importerContact personLegal Department • email@example.comUK representative (if applicable)EU representative (if applicable)Activities / services providedDesign version control and workflow management SaaS servicesCompetent supervisory authorityn/a
Relevant Information of Customer AffiliatesCustomer affiliate[***] [complete for each affiliate]Contact person[***]UK representative (if applicable)[***]EU representative (if applicable)[***]Activities / services provided[***]Competent supervisory authority[***]
Categories of data subjects
The categories of data subjects whose personal data are transferred: The Customer's Authorized Users (as defined in the Master Agreement), and any other persons authorised by the Customer to access and use the Services, including employees and independent contractors.
Categories of personal data
The transferred categories of personal data are: Names, email addresses, geographic locations, and any other personal data provided by the Customer in connection with its use of the Services.
Special categories of personal data (if applicable)
Frequency of the transfer
The frequency of the transfer is: At User registration, as often as User logs in to the application, and as frequently as necessary for the use of and provision of the Services.
Subject matter of the processing
The subject matter of the processing is: In support of the provision and use of the Services by Customer and its Authorized Users.
Nature of the processing
The nature of the processing is: Collection, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Purpose(s) of the data transfer and further processing
The purpose/s of the data transfer and further processing is/are: In support of the provision and use of the Services by Customer and its Authorized Users.
Personal data is retained until 90 days after 1) User requests data deletion, or 2) Termination of Abstract Services.
Sub-processor (if applicable)
For transfers to sub-processors, specify subject matter, nature and duration of the processing: As set out in Schedule 3.
A current list of Abstract subprocessors may be found at: https://www.abstract.com/legal/abstract-sub-processors
Description of the technical and organisational security measures implemented by the data importer / Processor (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, as well as the risks for the rights and freedoms of natural persons.
Pseudonymisation and Encryption, Art. 32 para 1 point a GDPR
Pseudonymisation contains measures that enable one to process personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is stored separately, and is subject to appropriate technical and organisational measures. Encryption contains measures that enable one to convert clearly legible information into an illegible string by means of a cryptographic process.
Stored data is encrypted where appropriate, including any backup copies of the data.
Pseudonymisation is used on documents that must be retained, after a data subject has requested deletion.
The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, Art. 32 para 1 point b GDPR
Confidentiality and integrity are ensured by the secure processing of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
2.1.1 Physical access control
Measures that prevent unauthorised persons from gaining access to data processing systems with which personal data are processed or used. Processor does not maintain any physical office space. All physical access control measures below are provided by the data centres.
Physical access control systems
Definition of authorised persons and Management and documentation of individual authorisations
Regulation of Visitors and external staff
Monitoring of all facilities housing IT systems
Logging of physical access
2.1.2 System/Electronic access control
Measures that prevent data processing systems from being used without authorisation.
User Authentication by simple authentication methods using username/password on all systems and Multi-Factor Authentication on critical systems.
Secure transmission of credentials using networks using TSL 1.2 or higher
Automatic account locking
Monitoring of Guidelines for Handling of passwords delivered to all employees at orientation and periodically after that facilities housing IT systems
Definition of authorised persons set in Access Control policies
Managing means of authentication by tool administrators
Access control to infrastructure that is hosted by cloud service provider limited by principle of Least Privilege
2.1.3 Internal Access Control
Measures that ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that personal data cannot be read, copied, modified or removed without authorisation in the course of processing or use and after storage.
Automatic locking after a period of inactivity and manual locking at termination or when there is suspicion of compromise.
implementation of access restrictions, implementation of the "need-to-know" principle, managing of individual access rights.
2.1.4 Isolation/Separation Control
Measures to ensure that data collected for different purposes can be processed (storage, amendment, deletion, transmission) separately.
Network separation of web, application, and data tiers
Segregation of responsibilities and duties among the infrastructure team
Documentation of procedures and diagrams of the separation
2.1.5 Job Control
Measures that ensure that, in the case of commissioned processing of personal data, the data are processed strictly corresponding the instructions of the principal.
Training and confidentiality agreements for internal staff and external staff
2.2.1 Data transmission control
Measures ensure that personal data cannot be read, copied, modified or removed without authorisation during electronic transmission or transport, and that it is possible to check and establish to which bodies the transfer of personal data by means of data transmission facilities is envisaged.
Secure transmission between client and server and to external systems by using industry-standard encryption of TLS 1.2 or higher
Secure network interconnections ensured by Web Application and Network Firewalls
Logging of transmissions of data from application and databases that store or process personal data
2.2.2 Data input control
Measures that ensure that it is possible to check and establish whether and by whom personal data have been input into data processing systems, modified or removed.
Logging authentication and monitored logical system access
Logging of data access including, but not limited to access, modification, entry and deletion of data
Documentation of data entry rights and partially logging security related entries.
2.3 Availability and Resilience of Processing Systems and Services
Availability includes measures that ensure that personal data is protected from accidental destruction or loss due to internal or external influences. Resilience of processing systems and services includes measures that ensure the ability to withstand attacks or to quickly restore systems to working order after an attack.
Daily full backups
Protection of stored backups in a separate geographical region, using the same level of encryption and security controls as production.
The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, Art. 32 para 1 point c GDPR
Organisational measures that ensure the possibility to quickly restore the system or data in the event of a physical or technical incident.
Continuity planning tested and updated annually.
Recovery Time Objective is 48 hours.
A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing, Art. 32 para 1 point d GDPR
Organisational measures that ensure the regular review and assessment of technical and organisational measures.
Documentation of interfaces and tools used for processing
Internal assessments of technical and organizational measures
External audits of technical and organizational measures
Additional technical and organisational measures
The following additional technical and organisational measures will be implemented:
Measures for ensuring data quality with validation processes and tools
Measures for ensuring limited data retention with scheduled disposal according to the Retention Policy and periodic data retention audits
Measures for allowing data portability and ensuring erasure with data subject access to a data export feature and an account deletion feature
Description of the specific technical and organisational measures to be taken by the to assist with the fulfilment of data subject requests (Clause 10 (b) SCC)
In order to for the data importer / Processor to assist the data exporter / Customer with fulfilling its obligations to respond to data subjects’ requests in accordance with Clause 10 (b) SCC, the Parties will set out the appropriate technical and organisational measures in the following, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required:
Data subjects can export their account data via a feature in their account settings
Data subjects can initiate account deletion via a feature in their account settings
Support staff are available to assist data subjects with finding the above features or by manually initiating the data subjects’ request
Technical and Organisational Security Measures in relation to special categories of data (where applicable) (Appendix, Annex I B. SCC; Exhibit B)
If special categories of personal data are processed as outlined in Exhibit B of the DPA, the applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures are: there are no special categories of personal data processed.
For transfers to (sub-) processors, technical and organisational measures to be taken by the (sub-) processor to assist to the data exporter
For transfers to (sub-) processors, the technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the data importer / Customer are: As set out in Schedule 3.