background image

Customer Data Processing Agreement

Effective date July 5, 2023


(ElectroNeek as Supplier)

This Data Processing Agreement (“DPA”) forms part of, and is subject to, the ElectroNeek Order (the “ Agreement”) and the Terms and Conditions, the latest version of which is located at ElectroNeek reserves the right to periodically update this DPA, with revised versions posted here: 

1. Definitions. Capitalized terms that are used but not otherwise defined in this DPA, shall have the meanings given in the Terms and Conditions or Data Protection Legislation.

Agreement” means the underlying agreement(s) and/or License Order and/or Reselling Order and/or Annexes in effect between the Customers and/or End Users relating to the ElectroNeek Services, and any applicable order form signed by both parties, annexes and exhibits, or other written or electronic terms of service or subscription agreement, including without limitation this DPA upon its effectiveness, for the use of the services provided by ElectroNeek and the software required to deliver or to connect those services. 

Affiliate” shall have the meaning given in the Terms and Conditions; this means, any entity that directly or indirectly Controls, is Controlled by, or is under common Control with a Party, where “Control” means control of greater than 50 % of the voting rights or equity interests of a Party(e.g.:subsidiary, parent or sibling). 

Authorized Affiliate” shall mean an Affiliate of Customer that has not signed a separate agreement with the Company, but is either a Controller or Processor for the Personal Data processed by the Company pursuant to the Agreement, for so long as such entity remains an Affiliate of Customer.

Approved Jurisdiction” means a jurisdiction that has either been approved as having adequate legal protections for data by the European Commission or the United Kingdom Information Commissioner’s Office, or where data transfers contemplated by this Agreement are not otherwise restricted under the relevant Data Protection Legislation.

Controller” shall have the meaning attributed to it in the EU GDPR or the UK GDPR, as applicable, this means, the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Customer” shall mean the entity identified in the License Order and/or Reselling Order and/or Annex as “User” or otherwise identified in the Order as the End User. This means the End customer who has purchased the relevant the ElectroNeek Services, whether directly from the Company or through an ElectroNeek Partner, together with all Affiliates of Customer that are authorized to purchase the ElectroNeek Services for their own account pursuant to the Agreement.

Data Protection Legislation” means all data protection laws, regulations, regulatory requirements in the relevant jurisdiction applicable to the respective Party in its role in the Processing of Personal Data under the Agreement, which may include the EU GDPR, the UK GDPR, and other relevant data protection laws of the United States, the EU and its Member States, Switzerland, Iceland, Liechtenstein and Norway, in each case, applicable to the Processing of Personal Data under the Agreement, each as may be amended or updated from time to time.

Data Subject” shall mean an identified or identifiable natural person to whom Personal Data relates.

DPA Effective Date” shall be the last to occur on the effective date of the Agreement or the date of initial delivery of the ElectroNeek Services to which this DPA relates (but not later than the first date of Processing of Personal Data for such purpose).

EEA” means the European Economic Area.

EU” means the European Union.

EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

EU Standard Contractual Clauses” or “EU SCCs” means the standard data protection clauses for the transfer of Personal Data to processors established in third countries, as described in Article 46 of the EU GDPR pursuant to the European Commission’s decision (C (2010) 593) of 5 February 2010 on Standard Contractual Clauses, as approved by the European Commission in the European Commission’s Implementing Decision 2021/914/EU of 4 June 2021.

Company” means Electroneek Robotics, Inc., a Delaware corporation, and its direct and indirect subsidiaries.

ElectroNeek Services” means all the services provided by ElectroNeek through ElectroNeek RPA Platform, procured by Customer directly from the Company or through the Company Partner.

Personal Data” means any personal data as defined in the Data Protection Legislation, that the Company Processes in connection with the Company Offering.

Processing” or “Process” shall have the meaning attributed to it in the applicable Data Protection Legislation.

Security Documentation” means the documentation describing the Security Measures and any other documents and information made available by the Company.

Security Incident” means a breach of the Company’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in the Company’s possession, custody or control.

Security Measures” means technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data.

Services” means the generally available the Company Insight software-as-a-service offering described in the applicable the Company documentation and procured by Customer, and any other services provided by the Company pursuant to the Agreement, including but not limited to support and maintenance services and professional services.

Sub-processors” means third parties engaged by the Company to Process Personal Data in relation to the Company Offering.

Term” means the period from the DPA Effective Date until the end of the Company’s provision of the applicable the Company Offering pursuant to the Agreement.

Third-Party Controller” means an entity other than Customer or the Company that is a Controller with respect to Personal Data being processed hereunder.

UK GDPR” means the Retained Regulation (EU) 2016/679 (UK GDPR) and the Data Protection Act 2018 (DPA 2018).

UK Standard Contractual Clauses” or “UK SCCs” means the standard data protection clauses adopted pursuant to Article 46 of the UK GDPR for the transfer of personal data to processors established in third countries.

2. Duration and Scope of DPA. This DPA will take effect on the DPA Effective Date and, notwithstanding the expiration of the Term, will remain in effect until, and automatically expire upon termination or expiration of the Agreement, or until such time as the Company no longer Processes Personal Data. This DPA applies where and only to the extent that the Company Processes Personal Data on behalf of Customer as Data Processor in the course of providing the ElectroNeek Services.

3. Roles and Regulatory Compliance.

3.1. Processor and Controller Responsibilities. The parties acknowledge and agree that:

3.1.1. The Company is a Processor of that Personal Data under Data Protection Legislation, in each case regardless of whether Customer acts as a Controller or as a Processor on behalf of a third-Third-Party Controller. To the extent any Event/Usage Data (as defined in the Agreement) is considered Personal Data under applicable Data Protection Legislation, the Company is the Data Controller of such data and shall Process such data in accordance with the Agreement and applicable Data Protection Legislation; and

3.1.2. Customer is a Controller of that Personal Data under Data Protection Legislation; and

3.1.3. The Company will inform Customer if it believes that Customer’s instructions with respect to the Processing of Personal Data violate the EU GDPR, UK GDPR or Member State provisions; and

3.1.4. Each party will comply with the obligations applicable to it in such a role under the Data Protection Legislation with respect to that Personal Data.

3.2. Customer Responsibilities. Customer agrees that: (a) Customer has established or ensured that another party has established a legal basis for the Company’s Processing of Personal Data contemplated by this DPA; (b) to the extent required by Data Protection Legislation given the context of the Processing and unless another legal basis supports the lawfulness of Processing, all notices have been given to, and consents and rights have been obtained from, the relevant Data Subjects and any other party as may be required under applicable law (including Data Protection Legislation) for such Processing; and (c) Personal Data does not and will not contain Special Categories of Personal Data, as defined in Article 9.1 of the EU GDPR and the UK GDPR; (d) Customer will keep the amount of Personal Data provided to the Company to the minimum necessary for the provision of the relevant the ElectroNeek Services; and (e) Customer will ensure a level of security appropriate to the particular content of the Personal Data in accordance with the requirements of the applicable Data Processing Legislation, including without limitation pseudonymizing and backing-up Personal Data and securing the account authentication credentials, systems and devices Customer uses to access the ElectroNeek Services.

3.3.  Scope of Processing and Authorization.

3.3.1. Customer’s Instructions. By entering into this DPA, Customer instructs the Company to Process Personal Data: (a) to provide the ElectroNeek Services, including Processing initiated by Customer’s users in their use of Offerings; (b) as authorized by the Agreement, including this DPA; and (c) as further documented in any other written instructions given by Customer and acknowledged in writing by the Company. Where applicable, Customer shall be responsible for any communications, notifications, assistance and/or authorizations that may be required in connection with a Third-Party Controller.

3.3.2. The Company’s Compliance with Instructions. The Company will only Process Personal Data in accordance with Customer’s instructions described in Section 3.3.1 unless Data Protection Legislation requires otherwise, in which case the Company will notify Customer in writing (unless that law prohibits the Company from doing so on important grounds of public interest).

3.4. Authorized Affiliates. The Company’s obligations set forth in this DPA shall also extend to Authorized Affiliates, subject to the following conditions:

3.4.1. Customer must exclusively communicate any additional Processing instructions requested pursuant to 3.3.2 directly to the Company, including instructions from Authorized Affiliates;

3.4.2. Customer shall be responsible for Authorized Affiliates’ compliance with this DPA and all acts and/or omissions by an Authorized Affiliate with respect to Customer’s obligations in this DPA shall be considered the acts and/or omissions of Customer.

3.4.3. Authorized Affiliates may only bring a claim directly against the Company if they have acceded in writing to this DPA. Otherwise, if an Authorized Affiliate seeks to assert a legal demand, action, suit, claim, proceeding, or otherwise against the Company (“Authorized Affiliate Claim”), Customer must bring such Authorized Affiliate Claim directly against the Company on behalf of such Authorized Affiliate, unless Data Protection Legislation requires the Authorized Affiliate be a party to such claim.

4. Data Deletion and Retention.

4.1. Deletion on Termination. On termination of the Agreement or expiry or termination of the Term and at the choice of the Customer, the Company will either delete or return (in a commonly machine-readable format) the Personal Data to the Customer unless Data Protection Legislation requires or permits continued retention and Processing of the Personal Data.

4.2. Retention. Personal Data will be retained as needed to fulfill the purposes for which it was collected, such as delivery of the ElectroNeek Services, and as necessary for the Company to comply with its business requirements, legal obligations, resolve disputes, protect its assets, and enforce its rights and agreements (“Business Requirements”). The Company will use commercially reasonable efforts to implement and maintain appropriate retention periods for Personal Data in accordance with Data Protection Legislation. The Company will delete Personal Data as soon as retention of such data is no longer necessary for the purposes of Processing under this DPA, subject only to situations where a longer period is necessary for the Company’s Business Requirements or is required under Data Protection Legislation or other governing laws.

5. Data Security.

5.1. General. Taking into account the state of the art, the costs of implementation, and the nature, scope context and purposes of the Processing as well as the risk of varying likelihood and severity to the rights and freedoms of natural persons, the parties shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

5.2. The Company Security Measures. The Company will implement and maintain sufficient technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data.

5.3. Security Controls; Confidentiality of Processing. The Company may grant access to Personal Data to employees, contractors and Sub-processors under an appropriate obligation of confidentiality (whether a contractual or statutory duty) when such access is required to perform their job duties.

5.4. The Company Security Assistance. The Company will (taking into account the nature of the Processing of Personal Data and the information available to the Company) provide Customer with reasonable assistance necessary for Customer to comply with its obligations in respect of Personal Data under Data Protection Legislation, including Articles 32 to 36 (inclusive) of the EU GDPR and UK GDPR, by:

5.4.1.  implementing and maintaining the Security Measures in accordance with Section 5.2 (the Company Security Measures), and

5.4.2.  complying with the terms of Section 6 (Notice and Communication).

5.5 No Assessment of Personal Data by the Company. The Company shall have no obligation to assess the contents or accuracy of Personal Data, including to identify information subject to any specific legal, regulatory, or other requirement. Customer is responsible for reviewing the information made available by the Company relating to data security and making an independent determination as to whether the Offerings meet Customer’s requirements and legal obligations under Data Protection Legislation.

6.  Notice and Communication.

6.1. Notification of Security Incident. If the Company becomes aware of a Security Incident, the Company will (a) promptly take reasonable steps to investigate the Security Incident and (b) notify Customer of the Security Incident without undue delay, in accordance with governing law.

6.2. Communication. The Company shall provide Customer timely information about the Security Incident including, to the extent known to the Company: (a) description of the nature of the Security Incident, (b) the name and contact details for the contact point to find more information, (c) a description of likely consequences of the Security Incident, (d) a description of the measures taken or proposed to be taken to address the Security Incident including, where appropriate, measures to mitigate its possible adverse effects, and (e) such other information as is necessary for Customer to carry out Customer’s notification obligations related to the Security Incident, including, but not limited to, to assist Customer in complying with Articles 33 and 34 of EU GDPR. Notwithstanding the foregoing, Customer acknowledges that because the Company personnel may not have visibility to the content of Personal Data, it may be unlikely that the Company can provide information as to the particular nature of the Personal Data, or where applicable, the identities, number or categories of affected Data Subjects. Communications by or on behalf of the Company with Customer in connection with a Security Incident shall not be construed as an acknowledgment by the Company of any fault or liability with respect to the Security Incident.

6.3  Complaints or Notices Related to Personal Data. If the Company receives any official complaint, notice, or communication that relates to the Company's Processing of Personal Data or either Party's compliance with Data Protection Legislation in connection with Personal Data, to the extent legally permitted, the Company shall promptly notify Customer and, to the extent applicable, the Company shall provide Customer with commercially reasonable cooperation and assistance in relation to any such complaint, notice, or communication. Customer shall be responsible for any reasonable costs arising from the Company’s provision of assistance in relation to any official complaint, notice, or communication that relates to Customer’s compliance with Data Protection Legislation.

7. Reviews and Audits of Compliance.

7.1.  Audit. Customer may audit the Company’s compliance with its obligations under this DPA up to once per year and on such other occasions as may be required by Data Protection Legislation, including where mandated by Customer’s supervisory authority. The Company will contribute to such audits by providing Customer or Customer’s supervisory authority with the information and assistance reasonably necessary to conduct the audit. Customer acknowledges and agrees that any exercise of its audit rights under applicable Data Protection Legislation will be conducted in accordance with this DPA.

7.2. Third Party. If a third party is to conduct the audit, the Company may object to the auditor if the auditor is, in the Company’s reasonable opinion a competitor of the Company. Such objection by the Company will require Customer to appoint another auditor or conduct the audit itself.

7.3. Process. Subject to Section 6 (Notice and Communication) in relation to a Security Incident and aside from in the event of an investigation of a supervisory authority, to request an audit, Customer must submit a detailed proposed audit plan to the Company at least thirty (30) days in advance of the proposed audit date and any third party auditor must sign a customary non-disclosure agreement mutually acceptable to the parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. Customer shall be solely responsible for the actions or inaction of any such third party, including without limitation any breaches of confidentiality. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. The Company will review the proposed audit plan and provide the Customer with any concerns or questions (for example, any request for information that could compromise the Company security, privacy, employment or other relevant policies). The Company will work cooperatively with the Customer to agree on a final audit plan. Nothing in this Section shall require the Company to disclose any information where such disclosure would result in a breach of any duties of confidentiality.

7.4. Documents. If the controls or measures to be assessed in the requested audit are addressed in an SSAE 16/ISAE 3402 Type 2, ISO, NIST or similar audit report performed by a qualified third-party auditor within twelve (12) months of Customer’s audit request and the Company has confirmed there are no known material changes in the controls audited, Customer agrees to accept such report in lieu of requesting an audit of such controls or measures.

7.5. Timing. The audit must be conducted during regular business hours, subject to the agreed final audit plan and the Company’s safety, security or other relevant policies, and may not unreasonably interfere with the Company business activities.

7.6. Reports. Customers will promptly notify the Company of any non-compliance discovered during the course of an audit and provide the Company any audit reports generated in connection with any audit under this Section 7, unless prohibited by Data Protection Legislation or otherwise instructed by a supervisory authority. Customers may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this DPA. The reports, audit, and any information arising therefrom shall be considered the Company's Confidential Information and may only be shared with a third party (including a Third-Party Controller) with the Company's prior written agreement.

7.7. Costs. Any audits are at Customer’s expense. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit. The Company may charge a fee, to be mutually agreed by the parties in advance, for any such audit; rates shall be reasonable, taking into account the resources expended by the Company. Nothing in this DPA shall be construed to require the Company to furnish more information about its Sub-processors in a connection with such audits than such Sub-processors make available to the Company without restriction on further disclosure.

8.  Impact Assessments and Consultations. 

8.1. The Company will provide reasonably requested information regarding the ElectroNeek Services to enable Customer to carry out impact assessments or prior consultations with data protection authorities as required by applicable Data Protection Legislation, including, if applicable, Customer’s obligations pursuant to Articles 35 and 36 of the EU GDPR and UK GDPR, by (a) making available for review copies of the Security Documentation or other documentation or information describing relevant aspects of the Company’s information security program and the security measures applied in connection therewith; and (b) providing the other information contained in the Agreement including this DPA. The Company shall additionally provide such reasonable assistance to Customer, taking into consideration the nature of the Offerings provided, to the extent needed by Customer in connection with a data protection impact assessment as required to comply with applicable Data Protection Legislation.

9. Data Subject Requests.

9.1. Customer’s Responsibility for Requests. The Company shall promptly notify Customer if the Company receives a request from a Data Subject that identifies Personal Data or otherwise identifies Customer, including where the Data Subject seeks to exercise any of its rights under applicable Data Protection Legislation. During the Term or as otherwise required by applicable Data Protection Legislation, if the Company receives any request from a Data Subject in relation to the Data Subject’s Personal Data Processed in connection with the Company Offering, to the extent legally permitted the Company will advise the Data Subject to submit their request to Customer and Customer will be responsible for responding to any such request, subject to the assistance to be provided by the Company pursuant to Section 9.2 below.

9.2. The Company’s Data Subject Request Assistance. The Company will provide (taking into account the nature of the Processing of Personal Data) Customer with reasonable assistance as necessary for Customer to perform its obligation under Data Protection Legislation to respond to requests by Data Subjects, including if applicable, Customer’s obligation to respond to requests for exercising the Data Subject’s rights set out in Chapter III of the EU GDPR and in the UK GDPR.

10. Transfers of Personal Data.

10.1. Data Storage and Processing Facilities. The Company may, subject to this Section 10, store and Process Personal Data in the United States or anywhere the Company or its Sub-processors maintains facilities.

10.2. Transfer Mechanisms. For any transfers of Personal Data from the EEA and its member states, United Kingdom and/or Switzerland or other jurisdictions to a country which is not an Approved Jurisdiction, such transfers and Processing shall be governed by a valid mechanism for the lawful transfer of Personal Data recognized under applicable Data Protection Legislation, such as those below:

10.2.1. EU Standard Contractual Clauses. With respect to transfers of Personal Data protected by the EU GDPR outside an Approved Jurisdiction, such transfers shall be subject to the EU Standard Contractual Clauses, which shall be deemed incorporated into and form part of this DPA, including the election of specific terms and/or optional clauses as described in more detail in (a)-(i) below, and any optional clauses not expressly selected are not included:

a) The Module 2 terms shall apply (Controller to Processor);

b) The optional Clause 7 in Section I of the EU SCCs is incorporated, and Authorized Affiliates may accede in a signed writing to this DPA and the SCCs under the same terms and conditions as Customer, subject to Section 3.4 (Authorized Affiliates) of this DPA via mutual agreement of the parties;

c) For purposes of Clause 9 of the EU SCCs, Option 2 (“General written authorization”) is selected and the process and time period for the addition or replacement of Sub-processors shall be as described in Section 11 (Sub-processing) of this DPA;

d) For purposes of Clause 13 and Annex 1.C of the SCCs, Customer shall maintain accurate records of the applicable Member State(s) and competent supervisory authority, which shall be made available to Customer on request;

e) For purposes of Clause 17 and Clause 18 of the SCCs, the Member State for purposes of governing law and jurisdiction shall be the Federal Republic of Germany;

f) For purposes of Annex 1.A, the “data importer” shall be the Company and the “data exporter” shall be Customer and any Authorized Affiliates that have acceded to the SCCs pursuant to this DPA;

g) For purposes of Annex 1.B, the description of the transfer is as described in Section 3 (Roles and Regulatory Compliance) of this DPA;

h) For purposes of Annex II, the technical and organization measures are those measures described in Section 5.2 (the Company Security Measures) of this DPA; and

i) The Sub-processors for Annex III shall be as described in the Sub-processor Addendum to this DPA, as may be revised pursuant to Section 11 (Sub-processing) of this DPA.

10.2.2. UK Standard Contractual Clauses. With respect to transfers of Personal Data protected by the UK GDPR outside an Approved Jurisdiction, the EU SCCs will also apply in accordance with the paragraphs above, subject to the following modifications:

a) any references in the EU SCCs to “Directive 95/46/EC” or “Regulation (EU) 2016/679” shall be interpreted as references to the UK GDPR; references to specific Articles of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK GDPR;

b) references to “EU”, “Union” and “Member State law” are all replaced with “UK”;

c) Clause 13(a) and Part C of Annex I of the EU SCCs are excluded;

d) All references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the Information Commissioner and the courts of England and Wales;

e) Clause 17 of the EU SCCs is replaced to state that “The Clauses are governed by the laws of England and Wales”;

f) Clause 18 of the EU SCCs is replaced to state “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A Data Subject may bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The parties agree to submit themselves to the jurisdiction of such courts. “

g) Alternative. In the event that the EU SCCs, implemented as described above, cannot be used to lawfully transfer Personal Data in compliance with the UK GDPR, then the UK SCCs shall instead be incorporated by reference and shall apply to such transfers, provided that in such event the Annexes or Appendices of the UK SCCs shall be populated using the information contained in Appendices of this DPA (as applicable). To the extent the UK GDPR or UK SCCs are amended or replaced, the parties will use reasonable efforts to make such transfers of Personal Data in accordance with such amended or replaced laws, which will be incorporated by reference herein as applicable.

10.2.3  Notwithstanding the foregoing, if a Sub-processor has adopted Binding Corporate Rules, as defined in applicable Data Protection Legislation (“BCRs”), that cover the transfer, then such BCRs shall govern the transfer of Personal Data.

11.  Sub-Processing.

11.1.  Authorized Sub-Processors. For purposes of Clause 9 of the Standard Contractual Clauses, Customer provides the Company with a general consent to engage Sub-processors, subject to Section 11.3 (Changes to Sub-processors), as well as the Company’s current Sub-processors already engaged as of the DPA Effective Date.

11.2. Sub-Processor Obligations. The Company shall: (i) enter into a written agreement with each Sub- processor imposing data protection obligations no less protective of Personal Data as the Company’s obligations under this DPA to the extent applicable to the nature of the services provided by such Sub-processor; and (ii) remain liable for each Sub-processor’s compliance with the obligations under this DPA. Upon written request, and subject to any confidentiality restrictions, the Company shall provide Customer all relevant information it reasonably can in connection with its applicable Sub-processor agreements where required to satisfy Customer’s obligations under Data Protection Legislation.

11.3. Changes to Sub-Processors. The Company shall notify Customer of any new Sub-processor at least fourteen (14) business days in advance of allowing the new Sub-processor to Process Personal Data (the “Objection Period”). During the Objection Period, objections (if any) to the Company’s appointment of the new Sub-processor must be provided to the Company in writing and based on reasonable grounds relating to data protection. In such an event, the parties will discuss those objections in good faith with a view to achieving resolution. If it can be reasonably demonstrated to the Company that the new Sub-processor is unable to Process Personal Data in compliance with the terms of this DPA and the Company cannot provide an alternative Sub- processor, or the parties are not otherwise able to achieve resolution as provided in the preceding sentence, Customer may provide written notice to the Company terminating the purchases with respect only to those aspects of the Offerings which cannot be provided by the Company without the use of the new Sub-processor.

12. Government, Law Enforcement, and/or Third-Party Inquiries. If the Company receives a demand to retain, disclose, or otherwise Process Personal Data for any third party, including, but not limited to law enforcement or a government authority (“Third-Party Demand”), then the Company shall attempt to redirect the Third-Party Demand to Customer. Customer agrees that the Company can provide information to such third-party as reasonably necessary to redirect the Third-Party Demand. If Customer cannot redirect the Third-Party Demand to Customer, then Customer shall, to the extent legally permitted to do so, provide Customer reasonable notice of the Third-Party Demand as promptly as feasible under the circumstances to allow Customer to seek a protective order or other appropriate remedy. This section does not diminish the Company’s obligations under the EU SCCs or UK SCCs with respect to access by public authorities.

13. Miscellaneous.

13.1. Notices. Notwithstanding anything to the contrary in the Agreement, any notices required or permitted to be given by the Company to Customer under this DPA. may be given (a) in accordance with the notice clause of the Agreement; and/or (b) as described in Section 6.1 (Notification of Security Incident) of this DPA if applicable; and/or (c) to the Company’s primary points of contact with Customer.

13.2. General. The parties agree that this DPA shall replace and supersede any existing data processing addendum, attachment, exhibit or standard contractual clauses that the Company and Customer may have previously entered into in connection with the ElectroNeek Services. Except as expressly modified by the DPA, the terms of the Agreement remain in full force and effect. To the extent of any conflict or inconsistency between this DPA and the remaining terms of the Agreement regarding the subject matter herein, this DPA shall govern, provided that in the event of additional terms such term shall be read to give effect to such additional terms. To the extent of any conflict or inconsistency between the body of this DPA and its Addenda (not including the Standard Contractual Clauses) and the relevant Standard Contractual Clauses in a way that materially affects the adequacy of the transfer, the Standard Contractual Clauses shall prevail. In the event of any conflict between this DPA and the relevant Data Protection Legislation, the provisions under the Data Protection Legislation shall prevail. Notwithstanding anything to the contrary in the Agreement or this DPA, each Party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or relating to this DPA, the SCCs, and any other data protection agreements in connection with the Agreement (if any), shall be subject to any aggregate limitations on liability set out in the Agreement. Nothing in this DPA is intended to limit the parties’ direct liability towards Data Subjects or applicable supervisory data protection authorities which cannot be limited under mandatory applicable law.

13.3. No Third-Party Rights. In no event shall this DPA benefit or create any right or cause of action on behalf of a third party (including a Third-Party Controller), but without prejudice to the rights or remedies available to Data Subjects under Data Protection Legislation or this DPA (including the SCCs).

13.4. Governing Law. This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement and Terms and Conditions or in the event that the Customer Agreement is silent, in accordance with the law of the State of Texas and the United States without regard to conflicts of laws provisions.