Data Processing Addendum

DATA PROCESSING ADDENDUM (the “DPA”) FOR ZMAGS CUSTOMERS

Zmags Corporation (“Zmags”) and Customer have entered into an agreement or agreements (the “Master Subscription Agreement”) pursuant to which Zmags may Process certain Personal Data on behalf of Customer in connection with Customer’s use of Zmags solutions and services (collectively, “Zmags Services”). This amendment (the “Amendment”) incorporates the Data Processing Amendment (DPA) into the Master Subscription Agreement (as amended by the DPA, the “Master Subscription Agreement”) and describes certain data processing and transfer obligations of the parties. This Amendment shall be effective as of May 25, 2018 (the “Effective Date”). In the event of any inconsistency between the DPA and the Master Subscription Agreement, the DPA shall control.

1. Definitions. In this DPA, the following terms shall have the meanings set out below. Other capitalized terms used but not otherwise defined herein shall have the meanings ascribed to such terms in the Service Agreement.

1.1 “Controller” means the party that determines the purposes and means of the Processing of Personal Data.

1.2 “Data Protection Laws and Regulations” means laws and regulations applicable to the Processing of Personal Data under the Service Agreement, including applicable laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, and the United Kingdom, including without limitation Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“General Data Protection Regulation” or “GDPR”) and EU Directive 2002/58/EC on Privacy and Electronic Communications (“e-Privacy Directive”) or, the superseding Regulation on Privacy and Electronic Communications (“e-Privacy Regulation”), once effective.

1.3 “Data Subject” means an identified or identifiable natural person, as defined under Data Protection Laws and Regulations, who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

1.4 “Personal Data” means any information relating to a Data Subject that is Processed by Zmags on behalf of Customer pursuant to the terms of the Service Agreement.

1.5 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

1.6 “Process,” “Processes,” “Processed” or “Processing” means any operation or set of operations performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.7 “Processor” means the party which Processes Personal Data on behalf of the Controller.

1.8 “Standard Contractual Clauses” means Appendix A, attached to and forming part of this DPA pursuant to the European Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC.

1.9 “Subprocessor” means any Processor engaged by Zmags in the provision of Zmags Services to Customer, as further described in Section 2.4 of this DPA.


2. Protection of Personal Data

2.1 Relationship of Parties: For the purposes of the Service Agreement, Customer is the Controller and appoints Zmags as a Processor to Process Personal Data on behalf of Customer in connection with Customer’s use of Zmags Services pursuant to the Service Agreement. The Processor and Controller shall each comply with their respective obligations applicable to it under the Data Protection Laws and Regulations and this DPA.

2.2 Purpose Limitation: Zmags shall Process Personal Data in order to perform Zmags’s obligations, or as otherwise permitted, under the Service Agreement as a Processor, in compliance with the applicable Data Protection Laws and Regulations. The purposes of Processing are as described in the Service Agreement, including Schedule A to this DPA, and any other exhibits, statements of work or addenda attached to or otherwise incorporated into the Service Agreement (the “Permitted Purpose”).

2.3 Cross-Border Transfers: If Personal Data is transferred under the Service Agreement from the European Economic Area or Switzerland by Customer as Controller to Zmags as Processor, or otherwise by Zmags as Processor, to a jurisdiction which the European Commission or, where relevant, the Swiss Federal Data Protection and Information Commissioner, has determined does not ensure an adequate level of protection of Personal Data, then the Standard Contractual Clauses will apply.

2.4 Subprocessing:

2.4.1 Customer acknowledges and agrees that Zmags may engage Subprocessors in connection with the provision of Zmags Services. A list of approved Subprocessors as of the Effective Date of this DPA is located at www.zmags.com/subprocessors (the “Subprocessor List”).

2.4.2 When engaging any new Subprocessor, Zmags will enter into a written agreement with each Subprocessor containing data protection obligations no less protective than those in this DPA or as may otherwise be required by applicable Data Protection Laws and Regulations. For the avoidance of doubt, Zmags may continue to use those Subprocessors already engaged by Zmags as at the date of this DPA. Zmags agrees to be responsible for the acts or omissions of each such Subprocessor to the same extent as Zmags would be liable if performing the services of such Subprocessor under the terms of the Service Agreement.

2.4.3 Zmags will inform Customer of any new Subprocessor engaged during the term of the Service Agreement by updating the Subprocessor List. If Customer reasonably believes that the appointment of a new Subprocessor will have a material adverse effect on Zmags’s ability to comply with applicable Data Protection Laws and Regulations as a Processor, then Customer must notify Zmags in writing, within 30 days following the update to the Subprocessor List, of its reasonable basis for such belief. Zmags shall not appoint (or disclose any Customer Personal Data to) that proposed Subprocessor until reasonable steps have been taken to address the objections raised by Customer and Customer has been provided with a reasonable written explanation of the steps taken.

2.5 Notices and Consents:

2.5.1 General: Customer shall comply with all applicable Data Protection Laws and Regulations, including: (a) providing all required notices and appropriate disclosures to all Data Subjects regarding Customer’s, and Zmags’s, Processing and transfer of Personal Data; and (b) obtaining all necessary rights and valid consents from Data Subjects (including Data Subjects within Customer’s Content) to permit Processing by Zmags for the purposes of fulfilling Zmags’s obligations, or as otherwise permitted, under the Service Agreement. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.

2.5.2 Children; Sensitive Data: Customer is responsible for compliance with all applicable Data Protection Laws and Regulations regarding its Content, including without limitation those that regulate content directed toward children (as defined under applicable Data Protection Laws and Regulations; for example, under 13 years old in the United States or under 16 years old in certain other countries). Customer’s use of Zmags Services in connection with the distribution of Content and/or Processing of sensitive Personal Data of a Data Subject (such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or an individual’s genetic data, biometric data, health data, or data regarding sex life or sexual orientation) must be in compliance with all applicable Data Protection Laws and Regulations, including obtaining explicit consent from Data Subjects whose Personal Data is provided to Zmags for Processing.


3. Cooperation and Data Subjects’ Rights

3.1 To the extent Customer does not have the ability to access Personal Data to correct, amend, delete it, refrain from Processing it, or provide it in portable form, upon request from a Data Subject (to the extent that such Data Subject is entitled to such rights under applicable Data Protection Laws and Regulations), Zmags will assist Customer with any reasonable request to do so. If a Data Subject contacts Zmags directly to request access to, or correction, amendment or deletion of, Personal Data in connection with services provided to Customer by Zmags, to the extent legally required, Zmags will promptly notify Customer of the request.



4. Investigations and Audits

4.1 Regulatory Audit. Zmags shall reasonably assist and support Customer in the event of an investigation by a data protection regulator or similar authority, if and to the extent that such investigation relates to Zmags’s Processing of Personal Data.

4.2 Customer Audit. Upon at least 30 days’ advance written request by Customer, at mutually agreed times and subject to Zmags’ reasonable audit guidelines, Zmags shall provide to Customer, its authorized representatives and/or independent inspection body designated by Customer: (a) reasonable access to records of Zmags’ Processing of Personal Data; and (b) reasonable assistance and cooperation of Zmags’ relevant staff for the purpose of auditing Zmags’ compliance with its obligations under this DPA. Zmags reserves the right to restrict access to its proprietary information, including but not limited to its network architecture, internal and external test procedures, test results and remediation plans. Customer will use best efforts to minimize damage, injury or disruption to Zmags Services and Zmags’ premises, equipment, personnel or business operations. Customer further agrees that: (W) personnel (or designated third parties) performing said audits will be bound by the confidentiality obligations set forth in the Service Agreement; (X) all findings will be deemed Zmags’ Confidential Information; (Y) Customer will share all findings with Zmags; and (Z) Zmags will classify and remediate all findings in accordance with Zmags’ risk management program. Zmags need not give access to its premises for the purposes of such an audit or inspection: (i) to any individual unless he or she produces reasonable evidence of identity and authority and (ii) outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and Customer has given notice to Zmags that this is the case before attendance outside those hours begins. Customer is limited to one audit in any 12-month period, except (i) if and as required by a competent data protection authority; or (ii) Customer believes a further audit is necessary as a result of a Personal Data Breach relating to Zmags Services.

4.3 Data Protection Impact Assessment. Taking into account the nature of the Processing and the information available to Zmags, Zmags shall, upon Customer’s written request, provide Customer with reasonable cooperation and assistance to fulfill Customer’s obligations under applicable Data Protection Laws and Regulations to carry out a data protection impact assessment related to Customer’s use of Zmags Services. Such cooperation and assistance is provided to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Zmags. To the extent required by applicable Data Protection Laws and Regulations, Zmags shall provide reasonable assistance to Customer in respect of Customer’s prior consultations with the Supervisory Authority.


5. Notice of Non-Compliance

5.1 If required by applicable Data Protection Laws and Regulations, in the event that Zmags is unable to comply with its obligations in this DPA, Zmags shall promptly notify Customer and, if Zmags is unable to take reasonable and appropriate steps to remediate the non-compliance within a mutually-agreed upon timeframe, Customer may take any one or more of the following actions: (a) suspend the transfer of Personal Data to Zmags; (b) require Zmags to cease Processing Personal Data to the extent technically possible; (c) demand the return or destruction of Personal Data; and/or (d) terminate this DPA in accordance with the Service Agreement.


6. Data Security

6.1 Zmags will ensure that all individuals with access to Personal Data are subject to written obligations of confidentiality and that Personal Data is Processed only for the Permitted Purpose.

6.2 Security Measures. Zmags’ technical and organizational security measures to protect Personal Data shall be as set forth in the Service Agreement, this DPA, and/or in any orders or statements of work issued pursuant to the Service Agreement. Such measures shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons. At a minimum, such measures shall include those identified in Schedule B to this DPA.

6.3 Breach Notification. If Zmags becomes aware of a Personal Data Breach involving Zmags Services, Zmags shall: (a) without undue delay following Zmags’ discovery thereof, notify Customer of such Personal Data Breach; (b) investigate, remediate and mitigate the effects of the Personal Data Breach; (c) reasonably cooperate with Customer’s investigation of the Personal Data Breach to the extent that such cooperation does not compromise Zmags’ security; (d) take any additional actions and provide any additional cooperation to Customer as may reasonably be required under applicable Data Protection Laws and Regulations; and (e) upon resolution, provide Customer with a written incident report describing the breach, actions taken during the response and plans for future actions to prevent a similar breach from occurring in the future.


7. Deletion or Return of Personal Data

7.1 Upon termination or expiration of the Service Agreement or at any time at Customer’s written request, Zmags shall return to Customer or destroy all Personal Data, except as otherwise permitted by applicable Data Protection Laws and Regulations.


8. Miscellaneous

8.1 This DPA is effective as of the effective date of the Service Agreement and will terminate automatically upon termination or expiration of the Service Agreement without further action required by either party. Provisions of this Addendum that, by their nature, should survive will survive any such termination or expiration.

8.2 This DPA shall be governed by and construed in accordance with the governing law set forth in the Service Agreement, except where otherwise required by applicable Data Protection Laws and Regulations.


Schedule A

Data Processing Description

This Schedule A forms part of the DPA and describes the Processing that Zmags will perform on behalf of Customer.

Controller

Controller (Customer) uploads Content to Zmags Services.

Processor

Processor (Zmags) is a provider of online software platforms that allow customers to create and publish digital content experiences without the need for coding.

Data subjects

Customer may submit Personal Data, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:

  • Business information (such as email addresses) of Customer’s employees who use Zmags Services (“Users”).
  • End users who view Customer’s Content (“Viewers”) via Zmags Services.
  • Natural persons whose images (or other Personal Data) are included in Customer’s Content.

Categories of data

Customer may submit Personal Data, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to, the following categories of data (some or all of which may not be considered Personal Data under applicable Data Protection Laws and Regulations):

  • Users: Names, phone numbers, email and login credentials.
  • Viewers: IP addresses, location data.
  • Images (or other Personal Data) of natural persons included in Content.

Special categories of data (if appropriate)

Customer may submit Personal Data, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following special categories of data:

  • None, unless Customer contacts Zmags at privacy@zmags.com to request a change to this section and the parties agree in writing to the special categories of data to be Processed.

Processing operations

The Personal Data will be subject to the following basic Processing activities:

  • User login credentials and contact information will be used to authenticate User access and to provide Zmags Services and support to Customer.
  • IP addresses and geolocation data are collected to operate Zmags Services and may be used to provide Customer with viewing analytics.

Schedule B

Minimum Security Measures

Zmags shall use commercially reasonable efforts to implement appropriate network security and encryption technologies, including but not limited to the following technologies or any technologies that provide comparable or enhanced protections:

1. IT Network Security. Zmags maintains appropriate IT network segmentation, including but not limited to, firewalls, to segregate its internal networks from the internet and maintains intrusion detection, monitoring, and logging systems to detect and respond to attacks.

2. Application Security. Application security refers to the features and measures that are built into the application to defend against threats, attacks and vulnerabilities. Many involve credentials requirements, encryption, limitation on sign-in attempts, and the use of roles and permissions to restrict access to certain data and documents. These application security measures apply to Zmags’ proprietary software-as-a-service products, Creator® and Publicator®.

3. Vulnerability and Patch Management. Following receipt of any update release from the manufacturer, Zmags will apply manufacturer-recommended security updates to all systems, devices, or applications Processing Personal Data within a reasonable period of time, taking into account the nature and severity of the risk. Zmags will install, within a reasonable period of time following Zmags’ receipt from the manufacturer, any software patches designated by manufacturers, vendors, or Zmags as “critical”. Zmags conducts regular vulnerability scans and penetration tests of any network storing or processing Personal Data and remediates any identified critical vulnerability in accordance with Zmags’ defined remediation schedule.

4. Access Controls.

a. Access Management. Only those Zmags personnel that reasonably need access to Personal Data to perform the services described in the Agreement are granted such access. If Zmags personnel no longer need access to Personal Data, whether because of termination or re-assignment, then access privileges are promptly disabled.

b. Usernames and Passwords. Accounts used to access systems, software, equipment, or networks must comply with Zmags’ complex password requirements.

c. Multi-Factor Authentication. Zmags shall have in place multi-factor authentication for its employees to access Personal Data. For the purposes of this requirement, the implementation and use of appropriate and commercially-reasonable identity verification systems and physical access controls that limit access to systems containing Personal Data may be considered a “factor”.

d. Training. Zmags personnel that may have access to Personal Data are required to undergo regular training on commercial best practices for data security.

5. Encryption. The Zmags Services provide encryption of Content in transit via Secure Sockets Layer (SSL). The protocol allows applications to communicate across a network in a way designed to prevent eavesdropping and tampering. It also provides endpoint authentication and communications confidentiality over the internet, so that data sent from a client workstation to the Zmags Services is secure. All data and attachments are also encrypted.

6. Auditing and Testing.

  • Zmags maintains information system audit records to enable the monitoring, analysis, investigation and reporting of unlawful, unauthorized or inappropriate information system activity.
  • Zmags’ security policies, standards and procedures are designed to monitor and protect the Zmags Services. Such policies, standards and procedures are reviewed at least annually and updated as necessary.
  • A third party conducts network, system and application vulnerability scanning, and penetration testing, on at least an annual basis, to evaluate the implementation of Zmags’ information security measures.
  • Zmags conducts regularly-scheduled internal vulnerability scans against its business and production operations networks.
  • Zmags’ cloud storage providers must provide annual SOC 2 or industry equivalent reports attesting to data center controls.

Appendix A

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection

Name of the data exporting organization: Customer (as defined in the DPA)
(the data exporter)

Name of the data importing organization: Zmags Corporation
(the data importer)

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Annex A.

1. DEFINITIONS.

For the purposes of the Clauses:
1.1.1 personal data, special categories of data, process/processing, controller, processor, data subject and supervisory authority shall have the same meanings as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
1.1.2 the data exporter means the controller who transfers the personal data;
1.1.3 the data importer means the processor who agrees to receive from the data exporter personal data intended for processing on its behalf after the transfer in accordance with its instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
1.1.4 the sub-processor means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with its instructions, the terms of the Clauses and the terms of the written subcontract;
1.1.5 the applicable data protection law means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
1.1.6 technical and organizational security measures means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

2. DETAILS OF THE TRANSFER

The details of the transfer and in particular the special categories of personal data, where applicable, are specified in Annex A, which forms an integral part of the Clauses.

3. THIRD-PARTY BENEFICIARY CLAUSE

3.1 The data subject can enforce against the data exporter this clause 3, clause 4(b) to clause 4(i), clause 5(a) to clause 5(e) and clause 5(g) to clause 5(j), clause 6.1 and clause 6.2, clause 7, clause 8.2 and clause 9 to clause 12 as third-party beneficiary.
3.2 The data subject can enforce against the data importer this clause 3.2, clause 5(a) to clause 5(e) and clause 5(g), clause 6, clause 7, clause 8.2 and clause 9 to clause 11, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3.3 The data subject can enforce against the sub-processor this clause 3.3, clause 5(a) to clause 5(e) and clause 5(g), clause 6, clause 7, clause 8.2, and clause 9 to clause 11, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
3.4 The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

4. OBLIGATIONS OF THE DATA EXPORTER

The data exporter agrees and warrants:
4.1.1 that the processing, including the transfer itself, of the personal data has been, and will continue to be, carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has notified the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
4.1.2 that it has instructed, and throughout the duration of the personal data-processing services, will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and these Clauses;
4.1.3 that, after assessment of the requirements of the applicable data protection law, the security measures that it has implemented are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular, where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
4.1.4 that it will ensure compliance with the security measures;
4.1.5 that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
4.1.6 to forward any notification received from the data importer or any sub-processor pursuant to clause 5(b) and clause 8.3 to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
4.1.7 to make available to the data subjects upon request a copy of these Clauses, with the exception of Annex B and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with these Clauses, unless these Clauses or the contract contain commercial information, in which case, it may remove such commercial information;
4.1.8 that, in the event of sub-processing, the processing activity is carried out in accordance with clause 10 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subjects as the data importer under the Clauses; and
4.1.9 that it will ensure compliance with clause 4(a) to clause 4(h).

5. OBLIGATIONS OF THE DATA IMPORTER

The data importer agrees and warrants:
5.1.1 to process the personal data only on behalf of the data exporter and in compliance with its instructions and these Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
5.1.2 that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by these Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
5.1.3 that it has implemented the technical and organizational security measures specified in Annex B before processing the personal data transferred;
5.1.4 that it will promptly notify the data exporter about:
5.1.4.1 any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
5.1.4.2 any accidental or unauthorized access; and
5.1.4.3 any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so;
5.1.5 to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
5.1.6 at the request of the data exporter, to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
5.1.7 to make available to the data subject upon request a copy of these Clauses, or any existing contract for sub-processing, unless these Clauses or the contract contain commercial information, in which case it may remove such commercial information, with the exception of Annex B which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
5.1.8 that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;
5.1.9 that the processing services by the sub-processor will be carried out in accordance with clause 10; and
5.1.10 to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.

6. LIABILITY

6.1 The parties agree that any data subject who has suffered damage as a result of any breach of the obligations referred to in clause 3 or in clause 10 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.
6.2 If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or its sub-processor of any of their obligations referred to in clause 3 or in clause 10 because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.
6.3 If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in clause 3 or in clause 10 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.

7. MEDIATION AND JURISDICTION

7.1 The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under these Clauses, the data importer will accept the decision of the data subject:
7.1.1 to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
7.1.2 to refer the dispute to the courts in the Member State in which the data exporter is established.
7.2 The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

8. COOPERATION WITH SUPERVISORY AUTHORITIES

8.1 The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
8.2 The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
8.3 The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in clause 5(b).

9. VARIATION OF THE CONTRACT

The parties undertake not to vary or modify these Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict these Clauses.

10. SUB-PROCESSING

10.1 The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under these Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.
10.2 The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
10.3 The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
10.4 The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

11. OBLIGATION AFTER THE TERMINATION OF PERSONAL DATA PROCESSING SERVICES

11.1 The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
11.2 The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.

Annex A
to the Standard Contractual Clauses

This Annex forms part of the Clauses and must be agreed to by the parties.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Annex A.

Data exporter
The data exporter is the Customer (as defined in the DPA) that uploads Content to Zmags Services.

Data importer
The data importer is Zmags Corporation, the provider of online software platforms that allow customers to create and publish digital content experiences without the need for coding.

Data subjects
The personal data transferred concern the following categories of data subjects: as defined in Schedule A to the DPA

Categories of data
The personal data transferred concern the following categories of data ()
Special categories of data (if appropriate); as defined in Schedule A to the DPA

The personal data transferred concern the following special categories of data: as defined in Schedule A to the DPA

Processing operations
The personal data transferred will be subject to the following basic processing activities: as defined in Schedule A to the DPA

Annex B
to the Standard Contractual Clauses

This Annex B forms part of the Clauses and must be agreed to by the parties.

Description of the technical and organizational security measures implemented by the data importer in accordance with clause 4(d) and clause 5(c): as set forth in Schedule B to the DPA.