Data Processing Addendum (EMEA/UK)
Effective Date: August 2022
This Data Processing Addendum (“DPA”) is incorporated into, is a supplement to, and forms part of, the Contentstack Master Agreement or other written or electronic agreement between Contentstack Inc. (“Contentstack”) and the Customer (each such agreement, the “Agreement”) in relation to the provision of Services and in each case where Contentstack processes Customer Personal Data as part of performing Services for Customer under the Agreement.
By signing the Order Form, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Authorized Affiliates, if and to the extent Contentstack processes Customer Personal Data for which such Authorized Affiliates qualify as the Controller. For the purposes of this DPA only, and except where indicated otherwise, the term "Customer" shall include Customer and Authorized Affiliates.
As to each Agreement, this DPA is coterminous with such Agreement and shall replace and supersede in its entirety any prior data processing agreement or similar document relating to the processing of Customer Personal Data.
Capitalized words and expressions used in this DPA which are not defined in this DPA shall bear the meaning set out in the Agreement. For the purpose of this DPA, the following terms shall have these meanings:
“Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with the applicable party, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
“Authorized Affiliate” means any Customer Affiliate that is subject to Data Protection Laws and permitted to use the Services under the Agreement.
“CCPA” means the California Consumer Privacy Act of 2018 and the California Consumer Privacy Act of 2020, including all laws and regulations implementing or supplementing the CCPA and successor or modifying legislation.
“Customer Personal Data” means Personal Data agreed to be received or accessed and processed by Contentstack on behalf of Customer or an Authorized Affiliate pursuant to the Agreement and this DPA but excluding in all cases Prohibited Data.
“Data Protection Laws” means as applicable: (i) the EU GDPR; (ii) the UK GDPR; (iii) the CCPA; (iv) any other data protection and privacy laws which apply to the processing of Customer Personal Data by Contentstack, whether international, foreign, national, state and/or local; (v) any amendments or successor legislation to (i) to (iv); and (vi) any guidance and codes of practice issued by relevant data protection, supervisory or other regulatory authority(ies) (including Supervisory Authorities and the Commissioner).
“EU GDPR” means the General Data Protection Regulation ((EU) 2016/679) and all applicable laws and regulations (including implementing laws and regulations) of the EU, the EEA, and Switzerland, in each case to the extent applicable to Contentstack’s processing of Customer Personal Data.
“EU SCCs” means the European Commission’s standard contractual clauses for the transfer of Personal Data from the EU to third countries (Modules 2 and 3 only), as set out in the annex to Commission Implementing Decision 2021/914 and which are incorporated herein by reference.
“Personal Data” and “Personal Data Breach” shall have the meanings given to them under Data Protection Laws and includes similarly defined terms or concepts in Data Protection Laws, including (as applicable) “personal information” and “data breach”.
“Prohibited Data” means any Customer Data (including Customer Personal Data) transmitted to Contentstack through any Contentstack API or any third party applications not licensed by Contentstack or otherwise uploaded into the Software, comprising: (i) payment card or other payment method data or confidential financial information; (ii) health information, including “Protected Health Information” as that term is defined under the United States Health Insurance Portability and Accountability Act; (iii) “special categories” of Personal Data as defined in the EU GDPR and UK GDPR, Sensitive Personal Information as defined under the CCPA or other similar state legislation in the US; and (iv) classified information.
“SCCs” means, as applicable, the executed EU SCCs and/or the executed UK SCCs.
“Sub-processor” means any third party appointed by or on behalf of Contentstack to process Customer Personal Data on behalf of Contentstack or any Contentstack Affiliate in connection with the Services, including any other Contentstack Affiliate.
“UK GDPR” means: (i) the Data Protection Act 2018; and (ii) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act of 2018.
“UK SCCs” means the Commissioner’s International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0) (utilizing only the EU SCCs) and which is incorporated herein by reference.
“Commissioner”, Controller”, “Data Subjects”, “EEA”, “process(es)(ing)”, “Processor” and “Supervisory Authority(ies)” shall have the meanings given to them under Data Protection Laws. Controller, Data Subject and Processor shall be synonymous with “Business”, “Consumer” and “Service Provider” (respectively) under the CCPA.
2. APPLICABILITY; PROCESSING OF CUSTOMER PERSONAL DATA
2.1 Applicability. This DPA applies only to the extent and as of the time the Data Protection Laws applicable to Customer Personal Data and the processing of such Customer Personal Data by Contentstack under the Agreement and this DPA.
2.2 Authorization. Customer authorizes and requests that Contentstack processes Customer Personal Data as set forth in the Agreement and this DPA (including Annex 1) for the purposes set forth herein. This DPA and the SCCs set out: (i) the subject matter and duration of the processing; (ii) the nature and purpose of the processing; and (iii) the types of Customer Personal Data and categories of Data Subjects whose Personal Data may be processed by Contentstack under the Agreement and this DPA.
2.3 Roles of the Parties. The parties acknowledge and agree that with regard to the processing of Customer Personal Data in connection with the Agreement, this DPA and the SCCs, as between the parties:
2.3.1 Customer is either the Controller or Processor for a third-party Controller (as applicable) and (for the purposes of the SCCs) the data exporter; and
2.3.2 Contentstack is the Processor, Sub-processor (but only where the Customer is a Processor for a third-party Controller) or Service Provider (as applicable), and (for the purposes of the SCCs) the data importer.
2.4 Customer’s Obligations. Without limiting any other obligations of Customer under the Agreement, this DPA and/or the SCCs, Customer shall:
2.4.1 comply with all obligations under Data Protection Laws applicable to it, in particular with the principles relating to the processing of Customer Personal Data and the lawfulness of processing, including obtaining and maintaining any required consents or other authorizations from Data Subjects, as well as safeguarding the rights of Data Subjects in their use of the Services;
2.4.2 promptly notify Contentstack of any change in the applicability of Data Protection Laws to Customer or Customer Personal Data that may affect the Agreement, this DPA, the SCCs, and/or Contentstack's ability to perform its obligations thereunder or under this DPA, the Agreement and/or the SCCs;
2.4.3 have sole responsibility and liability for the accuracy, quality, and legality of Customer Personal Data, obtaining any necessary consents or other authorizations from Data Subjects, and the means by which Customer acquired Customer Personal Data before and after processing; and
2.4.4 serve as a single point of contact on behalf of all Customer Affiliates for Contentstack and be solely responsible for the internal coordination, review, and submission of instructions or requests of Customer Affiliates that may be permitted by Customer under the terms of the Agreement to use the Services. Contentstack is discharged from any obligation to inform or notify such Customer Affiliates when Contentstack has provided applicable information or notice to the Customer. Contentstack is entitled to refuse any requests or instructions provided directly by Customer Affiliates.
2.5 Contentstack's Obligations. Without limiting any other obligations of Contentstack under the Agreement, this DPA and/or the SCCs, Contentstack shall:
2.5.1 comply with all obligations under Data Protection Laws applicable to it. Contentstack will not be obligated to comply with Data Protection Laws that are specific to Customer or Customer’s industry that are not generally applicable to Contentstack’s provision of the Services;
2.5.2 process Customer Personal Data on behalf of and in accordance with Customer’s documented instructions: (i) as further specified in the Agreement, this DPA, and the SCCs; (ii) as otherwise required or permitted under Data Protection Laws; or (iii) as required by other applicable law or judicial process;
2.5.3 to the extent required by Data Protection Laws, provide, at Customer’s request and expense, reasonable cooperation and assistance in connection with Customer’s obligations under Data Protection Laws as they relate to Contentstack’s processing of Customer Personal Data; and
2.5.4 without undue delay, but no later than 24 hours after discovery by Contentstack, inform Customer of any Personal Data Breach relating to Contentstack’s processing of Customer Personal Data, to the extent Contentstack is legally permitted or required to do so.
2.6 Purposes of Processing. Customer instructs Contentstack to process Customer Personal Data for the following purposes: (i) processing in accordance with the Agreement, any applicable Order Form (or similar document), and this DPA; (ii) processing initiated by Users in their use of the Services in accordance with Customer’s configuration of the Services; and (iii) processing to comply with other reasonable written instructions provided by Customer via Contentstack's support service where such instructions are consistent with the terms of the Agreement, this DPA and Data Protection Laws. Where an instruction cannot be followed due to the architecture of the Services or generates disproportionate efforts, the Customer will reimburse Contentstack for the costs arising from these efforts or Contentstack may terminate all or applicable parts of the affected Services.
3. RIGHTS OF DATA SUBJECTS
3.1 Correction, Amendment, and Deletion. To the extent Customer, in its use of the Services, does not have the ability to correct, amend, transfer or delete Customer Personal Data, as may be required by Data Protection Laws, Contentstack shall (taking into account the nature of the processing and at Customer’s expense) provide reasonable assistance to facilitate such actions to the extent Contentstack is legally permitted or required to do so.
3.2 Data Subject Requests. Contentstack shall, to the extent legally permitted or required, and to the extent, Contentstack has been able to identify that the request comes from a Data Subject whose Customer Personal Data was submitted to the Services, notify the Customer if it receives a request from a Data Subject in relation to the exercise of that person’s rights under Data Protection Laws. Contentstack shall not respond to any such Data Subject request except as required under Data Protection Laws, and Contentstack shall (at Customer’s expense) provide Customer with reasonable cooperation and assistance in relation to its handling of a Data Subject’s request according to Data Protection Laws, to the extent legally permitted and to the extent Customer cannot handle the request itself through its use of the Services.
4. CONTENTSTACK PERSONNEL
Contentstack will restrict access to Customer Personal Data to those authorized persons who need such information to implement, manage and monitor this DPA and/or the Agreement. Contentstack will ensure that its personnel engaged in the processing of Customer Personal Data are informed of the confidential nature of the Customer Personal Data, have received appropriate training on their responsibilities, and are subject to confidentiality obligations that will survive termination of their employment.
5.1 Appointment of Sub-processors. Customer acknowledges, agrees, authorizes and herewith consents that: (i) Contentstack Affiliates may act as Sub-processors; and (ii) Contentstack and Contentstack Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. A current list of Sub-processors (and the subject matter/nature and location of applicable processing) is available at www.contentstack.com/legal/subprocessors. To the extent required by Data Protection Laws, the Customer will be notified of changes to this list via the Service and/or via a mechanism that the Customer must be a subscriber to in order to receive notifications of new Sub-processors for each applicable Service.
5.2 Written Agreement. To the extent required by Data Protection Laws, Contentstack will enter into written agreements with Sub-processors containing, in substance, data protection obligations no less protective than those in this DPA with respect to the protection of Customer Personal Data to the extent applicable to the nature of the services provided by such Sub-processor. Customer agrees that: (i) copies of Contentstack’s data processing agreements with Sub-processors, provided to Customer by Contentstack upon request, will have confidential information and other business secrets removed by Contentstack beforehand; and (ii) such copies will be provided by Contentstack in a manner to be determined by Contentstack and subject to the confidentiality obligations set forth in the Agreement.
5.3 Liability. To the extent required by Data Protection Laws and except as otherwise set forth in the Agreement, Contentstack shall be liable for the acts and omissions of its Sub-processors to the same extent Contentstack would be liable if performing the Services of each Sub-processor directly under the terms of this DPA.
5.4 Changes to List of Current Sub-processors. Contentstack may remove, replace or appoint further Sub-processors in its sole discretion. To the extent required by Data Protection Laws, Contentstack will inform the Customer about any changes to the list of Sub-processors in a timely fashion, which may be by announcing them to the Customer through automated notice, such as the mechanism described in paragraph 5.1 of this DPA. Within 10 business days after receipt of notification from Contentstack to remove, replace or appoint further Sub-processors, the Customer may object in writing on legitimate grounds based on data protection or security concerns. If Customer so objects, Contentstack will use reasonable efforts to make available to Customer a change in the affected Services or recommend a commercially reasonable change to Customer’s configuration or use of the affected Services to avoid the processing of Customer Personal Data by the objected-to new Sub-processor without unreasonably burdening Customer. If Contentstack is unable to make available such change within a reasonable period of time, which shall not exceed 60 days, the Customer may (upon written notice) terminate the applicable Order Form in respect only of those Services which cannot be provided by Contentstack without the use of the objected-to new Sub-processor.
6. SECURITY & AUDIT
6.1 Controls for the Protection of Customer Personal Data. Contentstack shall maintain administrative, physical, and technical safeguards for the protection of the security, confidentiality, and integrity of Customer Personal Data as set forth at www.contentstack.com/legal/security-addendum.
6.2 Third-Party Certifications and Audits. Upon Customer’s written request at reasonable intervals during the Subscription Term and subject to the confidentiality obligations set forth in the Agreement, Contentstack shall provide a copy of Contentstack's then most recent third-party audits or certifications, as applicable, or any summaries thereof or other information that Contentstack generally makes available to its customers at the time of such request evidencing Contentstack's compliance with paragraph 6.1.
6.3 Data Protection Checks by Regulators. To the extent required by Data Protection Laws, Contentstack will provide Supervisory Authorities or the Commissioner with all information and assistance reasonably necessary to investigate Personal Data Breaches relating to Customer Personal Data or otherwise to demonstrate that the Services comply with Data Protection Laws to the extent that such inspections concern the processing of Customer Personal Data under the Agreement and this DPA.
7. RETURN AND DELETION OF CUSTOMER PERSONAL DATA
Contentstack’s obligations in relation to the return or destruction of Customer Personal Data following termination or expiry of the Agreement and all Order Forms are set out in section 7.6 of the Agreement.
8. CCPA PROVISIONS
8.1 Contentstack will not Sell, collect, retain, use or disclose Customer Personal Data of Consumer, except as permitted by law, and only as necessary to perform the business purpose (as set out in paragraph 2.6 of this DPA) or for Contentstack to fulfill its obligations under the Agreement and this DPA.
8.2 Contentstack will not process Customer Personal Data for its own or any other purposes (including any Commercial Purposes (as defined in the CCPA)) except as otherwise expressly permitted by law or otherwise agreed in writing; provided, however, that processing of Customer Personal Data by Contentstack to ensure the security, operational maintenance, analysis, evaluation or development of the Services for the benefit of its customers without disclosing any Customer Personal Data and without having any adverse impact on the technical and organizational measures implemented by Contentstack to protect Customer Personal Data shall not constitute processing for Contentstack's own or any other purposes.
8.3 Contentstack certifies that it understands the restrictions set forth in this paragraph 8 and will comply with them.
9. UK GDPR AND EU GDPR
9.1 In respect of transfers of Customer Personal Data by Customer to Contentstack which are subject to the UK GDPR and/or EU GDPR, the parties shall comply with the SCCs as follows:
9.1.1 SCCs Clause 7: This optional clause shall apply.
9.1.2 SCCs Clause 8.1(b) (Module 2) / 8.1(c) (Module 3): Contentstack shall immediately inform the Customer if, in its opinion, an instruction infringes the EU GDPR and/or UK GDPR.
9.1.3 SCCs Clause 8.3: Customer agrees that it shall provide Data Subjects with a copy of the SCCs and the relevant Annexes of this DPA only. Neither the remainder of this DPA nor the Agreement shall be made available to any Data Subject. Prior to sharing the SCCs and relevant Annexes with any Data Subject, the Customer shall consult Contentstack in order to redact the SCCs and relevant Annexes to ensure that Contentstack’s Confidential Information and other business secrets are protected. The customer shall provide any required accompanying meaningful summary and reasons for any redactions to the Data Subject.
9.1.4 SCCs Clause 8.4: Customer agrees that Contentstack’s obligations under this clause shall be fully satisfied pursuant to paragraph 3.1 of this DPA.
9.1.5 SCCs Clause 8.5: Customer agrees that Contentstack’s obligations under this clause shall be fully satisfied pursuant to paragraph 7 of this DPA.
9.1.6 SCCs Clause 8.6: Customer agrees that Contentstack’s obligations under this clause shall be fully satisfied pursuant to paragraphs 2.5.4 and 6.1 of this DPA.
9.1.7 SCCs Clause 8.9: Customer agrees that Contentstack’s obligations under this clause shall be fully satisfied pursuant to paragraph 6.2 of this DPA.
9.1.8 SCCs Clause 9: Option 2 applies with respect to Clause 9(a) and the Customer agrees that Contentstack’s obligations under this clause shall be fully satisfied pursuant to paragraph 5 of this DPA. Contentstack shall, at the request of Customer pursuant to clause 9(c) of the SCCs, make a copy of the applicable standard contractual clauses with its Sub-processor available to Customer with any necessary redactions to protect business secrets, personal data, or other confidential information. In accordance with clause 9(d) of the SCCs, Contentstack shall notify the Customer of any failure by a Sub-processor to fulfill its obligations under such standard contractual clauses where such failure leads to Contentstack being in material breach of the SCCs.
9.1.9 SCCs Clause 11(a): The optional paragraph shall not apply.
9.1.10 EU SCCs Clause 13(a): The version of clause 13(a) that applies to the Customer shall be included, and if, in accordance with the provisions of such clause 13(a), the parties may select, the applicable Supervisory Authority, such Supervisory Authority shall be that of the Netherlands.
9.1.11 SCCs Clauses 14(f), 16(b), and 16(c): Where Customer exercises any of its rights to suspend the processing of Customer Personal Data within the Services or its right to terminate any applicable Order Form(s) pursuant thereto, Customer shall notify Contentstack in writing setting out in sufficient detail the material non-compliance and the basis for such determination (including identifying the provisions of the SCCs with which, in Customer's reasonable opinion, there is a material non-compliance by Contentstack and the applicable laws and practices that are not met). Within 30 days after receipt of such notice or any other timeframe agreed by the parties, if Contentstack does not: (i) demonstrate that such material non-compliance is not in breach of the SCCs or (ii) make available to Customer a change in the Services or Customer’s use or configuration of the Services that remedies such material non-compliance, then Customer may terminate the relevant Order Form(s) pursuant to the SCCs and section 7.3 of the Agreement.
9.1.12 SCCs Clause 15.1(a): To the extent legally permitted, any and all communications, instructions, notifications, inquiries, requests, correspondence, cooperation, and assistance needs between Contentstack and Data Subjects intended under the SCCs shall be made exclusively via Customer.
9.1.13 EU SCCs Clause 17: Except as otherwise expressly agreed in writing, Option 1 shall apply and the governing law shall be that of the Netherlands.
9.1.14 EU SCCs Clause 18(b): The applicable forum shall be the Netherlands; provided, however, that if Module Three applies and the Customer is headquartered in the United States, then, subject to the rights of Data Subjects under clause 18(c) of the EU SCCs), the forum shall be as set forth in the Agreement.
9.1.15 UK SCCs Clause 18(b): In respect of Module Three, if the Customer is headquartered in the United States, then, subject to the rights of Data Subjects under clause 18(c) of the UK SCCs), the forum shall be as set forth in the Agreement.
9.1.16 UK SCCs Table 4: The importer.
9.1.17 SCCs Annex I: The details for this annex are set out in Annex 1 of this DPA.
9.1.18 SCCs Annex II: The details for this annex are set out in Annex 2 of this DPA.
9.1.19 SCCs Annex III: The details for this annex are set out in paragraph 5 of this DPA.
9.2 Onwards transfers: Customer consents to Contentstack transferring Customer Personal Data outside the UK, EEA, and Switzerland provided it ensures that appropriate safeguards are in place to comply with Contentstack’s obligations under Data Protection Laws when transferring Customer Personal Data outside the UK, EEA and/or Switzerland.
9.3 Data protection impact assessments: To the extent required by the EU GDPR and/or UK GDPR, at the Customer’s request and expense, Contentstack shall provide the Customer with reasonable cooperation and assistance: (i) needed to fulfill the Customer’s obligation to carry out a data protection impact assessment relating to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information and to the extent, such information is available to Contentstack; and (ii) in connection with its obligation to consult with (as applicable) Supervisory Authorities or the Commissioner in relation to such data protection impact assessment.
9.4 Conflicts: Notwithstanding anything to the contrary in the Agreement, in the event of any conflict or inconsistencies between any provisions in this DPA and any provisions in: (i) the Agreement, the provisions of this DPA shall prevail (but only to the extent of such conflict or inconsistency); and (ii) the SCCs, the provisions in the SCCs shall prevail (but only to the extent of such conflict or inconsistency).
10. LIMITATION OF LIABILITY
10.1 The liability and limitation of liability provisions set out in the Agreement shall apply to each party’s liability (including its Affiliates) to the other party under or in connection with this DPA. To the maximum extent permitted by Data Protection Laws, any reference in such provisions to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.
10.2 Subject to paragraph 10.1 of this DPA, Contentstack acknowledges that Authorized Affiliates, as data exporters, may enforce the terms of the SCCs as set out in this DPA. Authorized Affiliates may only exercise any rights of the data exporter in respect of the SCCs as set out in this DPA, through the Customer entity which has signed the Agreement. Any communications relating to any complaint, allegation or claim arising in connection with the SCCs by Authorized Affiliates, under this DPA, may only be communicated to and discussed with Contentstack by the Customer entity that has signed the Agreement with Contentstack. This DPA does not establish direct rights of Authorized Affiliates regarding the provision of Services, or any other obligations as detailed in the Agreement.
11. GENERAL TERMS
11.2 Governing Law and Jurisdiction. Without prejudice to the SCCs: (i) the parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity, or termination or the consequences of its nullity; and (ii) this DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.
11.2 Changes in Data Protection Laws. Either party may propose variations to this DPA if and as they may apply to a particular Data Protection Law, which such party believes in good faith is required as a result of any change in, or decision of a competent authority under, that Data Protection Law. In the event of such a proposal, the parties agree to work together in good faith to implement mutually agreed changes. Customer shall not unreasonably withhold or delay agreement to any consequential variations to this DPA proposed by Contentstack to protect Contentstack, its Affiliates, and/or Sub-processors against additional risks associated with such changes.
11.3 Legal Effect. This DPA shall only become legally binding between Customer and Contentstack when the DPA has been executed via digital signature or other legally binding mechanisms such as (but not limited to) acceptance of this DPA electronically or in an Order Form.
Data Processing Activities
A. LIST OF PARTIES
Data exporters: Customer and Authorized Affiliates. The customer is located at the address provided in the Agreement.
Key contact/Contact details: [CUSTOMER TO PROVIDE]
Data importer: Contentstack which is located at the address provided in the Agreement.
Key contact/Contact details: firstname.lastname@example.org.
B. DESCRIPTION OF TRANSFER
Categories of Data Subjects whose Customer Personal Data is transferred:
Categories of Customer Personal Data transferred:
Sensitive data transferred (if applicable):
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis):
Continuous basis throughout the duration of this DPA and the Agreement.
Nature of the processing and purpose(s) of the data transfer and further processing:
As set out in this DPA and the Agreement.
The period for which Customer Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:
The Subscription Term together with any additional time period(s) applicable to comply with obligations in the Agreement and/or this DPA which survive termination or expiry of the Agreement.
For transfers to Sub-processors, also specify the subject matter, nature, and duration of the processing:
As per the data importer.
C. COMPETENT SUPERVISORY AUTHORITY
- EU SCCs - Autoriteit Persoonsgegevens (Dutch Data Protection Authority).
- UK SCCs – The Commissioner.
Technical and organizational security measures
Within Contentstack's area of responsibility, and taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, Contentstack has in relation to the Customer Personal Data implemented and will maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risks as set forth at www.contentstack.com/legal/security-addendum and as otherwise agreed in writing in the Agreement.
These include administrative, physical, and technical safeguards for protection of the security, confidentiality, and integrity of Customer Personal Data including protection intended against a Personal Data Breach relating to Customer Personal Data.