Data Processing Agreement

This Agreement embodies the entire understanding of the Parties with respect to the subject matter thereof. This Agreement supersedes previous agreements or understandings relating to this subject matter between the Parties, both in writing and oral, including correspondence.

This DPA is supplemental to, and forms an integral part of, the Agreement and is effective upon its incorporation into the Agreement, which may be specified in the Agreement, an Order or an executed amendment to the Agreement. In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency.

We update these terms from time to time. If you have an active Edge Factor account, we will let you know when we do via email (if you have subscribed to receive email notifications via the link in our Terms) or via an in-Service notification.

The term of this DPA will follow the term of the Agreement. Terms not otherwise defined in this DPA will have the meaning as set forth in the Agreement.

Last modified on July 15, 2025.

1. Definitions

“California Personal Information” means any Personal Data that is subject to the protections of the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the “CCPA”), including but not limited to information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California consumer or household.

“CCPA” means the California Consumer Privacy Act of 2018, California Civil Code §§ 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 and any implementing regulations issued by the California Privacy Protection Agency.

“Consumer”, “Business”, “Sell”, and “Service Provider” will have the meanings given to them in the CCPA.

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Data Protection Laws” means all applicable laws, statutes, regulations, and binding guidance relating to data protection, privacy, and the processing of Personal Data, to the extent applicable to a Party in its role under the Agreement. This includes, without limitation:

• the General Data Protection Regulation (EU) 2016/679 (GDPR);
• the General Data Protection Regulation (EU) 2016/679 (GDPR);
• the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA);
• the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) (Ontario);
• the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA);
• the Children’s Online Privacy Protection Act (COPPA); and
• any other similar or equivalent laws or regulations in force from time to time in any jurisdiction, including relevant U.S. state-level privacy laws.

“Data Subject” means the individual to whom Personal Data relates.

“Europe” means, collectively, the European Union (EU), the European Economic Area (EEA), and their member states, as well as Switzerland and the United Kingdom.

“European Data” means Personal Data that is subject to the protection of European Data Protection Laws.

“European Data Protection Laws” means data protection laws applicable in Europe, including:

• Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, or “GDPR”);
• Directive 2002/58/EC (ePrivacy Directive), as implemented by member states, concerning the processing of personal data and the protection of privacy in the electronic communications sector;
• any national laws implementing or supplementing (i) or (ii);
• in the United Kingdom, the UK GDPR, the Data Protection Act 2018, and any successor legislation relating to personal data protection following the UK's exit from the EU; and
• the Swiss Federal Act on Data Protection (FADP) and its implementing ordinances, as amended, replaced, or superseded from time to time.

“EU-U.S. Data Privacy Framework (DPF)” means the self-certification program operated by the U.S. Department of Commerce and approved by the European Commission (Decision of July 10, 2023), which provides a legal basis for transatlantic transfers of personal data under European Data Protection Laws.

“FERPA” (United States Compliance) To the extent Edge Factor qualifies as a “school official” under the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g, and its implementing regulations, it will comply with all applicable obligations, including confidentiality, security, data access restrictions, and limitations on the re-disclosure of student education records without prior written consent, unless an applicable statutory exception applies.

“Instructions” means the written, documented instructions issued by a Controller to a Processor, and directing the same to perform a specific or general action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).

“MFIPPA” (Ontario Compliance): Edge Factor acknowledges that some customers are subject to the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), R.S.O. 1990, c. M.56, which governs access to and protection of personal information held by Ontario's municipal institutions, including school boards. Where applicable, Edge Factor will assist Customer in meeting its MFIPPA obligations in respect of personal information processed on its behalf, in accordance with this DPA.

“Permitted Affiliates” means any of your Affiliates that:

• is authorized to use the Services under the Agreement but has not entered into a separate agreement with Edge Factor and is not independently a “Customer” under the Agreement;
• qualifies as a Controller of the Personal Data processed by Edge Factor under the Agreement; and
• is subject to European Data Protection Laws, as defined above.

“Personal Data” means any information relating to an identified or identifiable individual where such information is contained within User Data and is protected similarly as personal data, personal information or personally identifiable information under applicable Data Protection Laws.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by us and/or our Sub-Processors in connection with the provision of the Subscription Services. For clarity, “Personal Data Breach” does not include unsuccessful attempts or activities that do not compromise the security of Personal Data, such as unsuccessful login attempts, pings, port scans, denial of service attacks, or similar network attacks that do not result in unauthorized access or exposure.

“Processing” means any operation or set of operations that is performed on Personal Data, whether or not by automated means. This includes the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of Personal Data. The terms “Process”, “Processes”, and “Processed” shall be interpreted accordingly.

“Privacy Shield Principles” means the Privacy Shield Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision of July, 12 2016; as may be amended, superseded or replaced.

“Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms “Process”, “Processes”, and “Processed” will be construed accordingly.

“Processor” means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller.

“Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in its Implementing Decision (EU) 2021/914 of 4 June 2021 under the General Data Protection Regulation (GDPR), as amended, updated, or replaced from time to time. These clauses are incorporated by reference in Annex 4 of this DPA.

“Sub-Processor” means any Processor engaged by us or our Affiliates to assist in fulfilling our obligations with respect to the provision of the Subscription Services under the Agreement. Sub-Processors may include third parties or our Affiliates but will exclude any Edge Factor employee or consultant.

2. Customer Responsibilities

2.1 Compliance with Laws

You, as the Controller of Personal Data, are solely responsible for ensuring that your Processing of Personal Data, and all requirements provided to Edge Factor under the Agreement (including this DPA), comply with applicable Data Protection Laws.

Without limiting the foregoing, you acknowledge and agree that you are solely responsible for:

• Lawful Basis and Transparency: Ensuring that all Personal Data you collect, use, or disclose through the Services is obtained lawfully, including providing all required notices, disclosures, and obtaining valid consents where necessary (e.g., for marketing, profiling, or collection from minors under applicable laws such as FERPA, COPPA, or PIPEDA);
• Data Accuracy and Legitimacy: The accuracy, quality, integrity, and legality of the Personal Data and the means by which it was acquired, including compliance with applicable laws regarding the use of service providers;
• Authority to Share Data: Ensuring that you have a valid legal basis and all necessary authorizations, permissions, or consents to transfer or otherwise provide Edge Factor with access to the Personal Data for Processing under the Agreement;
• Instructions Compliance: Ensuring that any instructions you issue to Edge Factor in relation to the Processing of Personal Data are lawful, documented, and consistent with applicable Data Protection Laws;
• Notification Obligations: Promptly notifying Edge Factor without undue delay if you determine or become aware that you are unable to comply with your responsibilities under this Section or applicable Data Protection Laws.

2.2 Indemnities and Liability

You agree to indemnify, defend, and hold harmless Edge Factor, its affiliates, and their respective directors, officers, employees, and agents from and against any and all direct damages, losses, liabilities, costs, and expenses (including reasonable legal fees) arising from or in connection with:

• your breach of this DPA, the Agreement, or applicable Data Protection Laws;
• your failure to obtain lawful authority or valid consents for the Processing of Personal Data; or
• any instructions provided by you to Edge Factor that violate applicable laws or infringe third-party rights.

This indemnity shall not apply to the extent that such damages arise from Edge Factor’s breach of its obligations under this DPA or applicable Data Protection Laws.

2.3 Controller Instructions

The parties acknowledge and agree that the Agreement, including this DPA and your documented use of the Services in accordance with the Agreement, constitute your complete and final instructions to Edge Factor for the Processing of Personal Data (“Instructions”).

Any additional or alternative instructions outside the scope of these documented Instructions shall require prior written agreement between the parties and may be subject to additional fees or terms. Edge Factor shall not be required to comply with any instruction that it reasonably believes would violate applicable Data Protection Laws or the terms of this DPA.

3. Edge Factor Obligations

3.1 Compliance with Instructions

We shall Process Personal Data solely as necessary to provide the Services in accordance with this DPA and the documented, lawful Instructions provided by you, unless otherwise required by applicable law. In such cases, Edge Factor shall, where legally permitted, inform you of that legal requirement before Processing.We are not responsible for compliance with Data Protection Laws that apply specifically to your organization, industry, or Processing activities that are outside of Edge Factor’s role as a Processor under this DPA.

Edge Factor shall not retain, use, or disclose Personal Data for any purpose other than to perform the Services under the Agreement or as permitted by this DPA. Personal Data shall remain the property of the Controller or the relevant Data Subjects, as applicable.

Edge Factor shall not sell, share, or otherwise Process Personal Data for its own commercial benefit or for any purpose not expressly permitted by this DPA or applicable law.

3.2 Rights of the Data Subjects

Edge Factor shall, to the extent required by applicable Data Protection Laws and in a manner proportionate to the nature of the Processing, provide reasonable assistance to you in fulfilling your obligations to respond to requests from Data Subjects to exercise their legal rights, including access, rectification, restriction, objection, erasure, data portability, or the right not to be subject to automated decision-making.

3.3 Conflict of Laws

If, in Edge Factor’s reasonable opinion, an instruction from you infringes applicable Data Protection Laws (“Relevant Legislation”), Edge Factor shall promptly inform you without delay.

Where necessary, Edge Factor will suspend the affected Processing (other than storing the Personal Data and maintaining its security) until you provide revised, lawful instructions that Edge Factor can comply with. During such suspension, Edge Factor shall not be considered in breach of this Agreement or otherwise liable for failure to perform the applicable Services, to the extent such non-performance results from your unlawful or non-compliant instruction.

Nothing in this Section shall require Edge Factor to perform or permit any Processing that it reasonably believes would violate applicable law.

3.4 Security Measures

Edge Factor shall implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed under this DPA (“Security Measures”).

Edge Factor shall at a minimum apply the following security controls:

3.4.1 Governance & Accountability

• Responsibility for information security is formally assigned to relevant management personnel.
• A written information security policy is maintained, approved by management, and communicated to all staff.
• Staff receive regular privacy and security awareness training appropriate to their roles.

3.4.2 Access Controls

• All access to Personal Data is password-protected and authenticated.
• Access rights follow a need-to-know and least privilege model, based on job function.
• Access to Personal Data is logged and regularly reviewed.

3.4.3 Data Transmission & Network Security

• Personal Data in transit over public networks is encrypted using Transport Layer Security (TLS) or equivalent encryption standards.
• Network services handling Personal Data are protected by firewalls with default-deny configurations.

3.4.4 Physical Security

• Access to systems or environments containing Personal Data is restricted through appropriate physical safeguards, including secure entry, alarm systems, or locked server cabinets.

Additional details on Edge Factor’s security program and protections against Personal Data Breaches are described in Annex 2 (Technical and Organizational Measures) of this DPA.

Edge Factor may update or modify these Security Measures at its discretion, provided that such updates do not result in a material reduction in the level of protection afforded to Personal Data.

3.5 Confidentiality

Edge Factor shall treat all Personal Data as strictly confidential and shall ensure that access to such data is limited to those employees, agents, or contractors who have a legitimate need to access the data for the purposes of delivering the Services under the Agreement.

Edge Factor shall ensure that all individuals authorized to Process Personal Data are subject to an enforceable duty of confidentiality, whether by contract or statutory obligation, and are appropriately trained in data protection and privacy compliance.

Edge Factor shall take reasonable steps to ensure that such individuals comply with applicable Data Protection Laws and handle Personal Data in accordance with the terms of this DPA.

3.6 Personal Data Breach

In the event of a Personal Data Breach involving Personal Data Processed by Edge Factor on your behalf, Edge Factor shall, without undue delay after becoming aware of the breach:

3.6.1 Contain and Mitigate

Take appropriate and prompt remedial measures to contain the breach and mitigate any potential adverse effects;

3.6.2 Notify the Customer

Notify you of the breach without undue delay, using the contact details of your designated account administrator. Notification shall include, to the extent reasonably available:

• The date and time of discovery and, if known, the approximate time of the breach;
• A description of the nature of the breach, including (where possible) the categories and approximate number of Data Subjects and records affected;
• The likely consequences of the breach;
• The measures taken or proposed by Edge Factor to address the breach and mitigate its effects;
• Contact details for further information;
• Any additional information reasonably requested by the Customer to comply with its own legal obligations.

Edge Factor shall continue to provide relevant updates as new information becomes available.

You are responsible for ensuring that Edge Factor has current and accurate contact details for your account administrator(s) or other designated personnel for breach notification purposes.

Edge Factor shall not be deemed in breach of this DPA if the failure to notify is caused by your failure to maintain accurate contact information.

3.7 Deletion or Return of Personal Data

Edge Factor retains Personal Data only for as long as necessary to provide the Services in accordance with this DPA, or as required by applicable law. If a user account remains inactive for a continuous period of 24 months, Edge Factor will notify the user of pending data deletion. If the user does not log in within 30 days of the notice, Edge Factor will securely erase the associated Personal Data using industry-standard methods designed to make the data unrecoverable.

We may maintain anonymized or aggregated data, including usage and performance analytics, for internal purposes. Such data does not identify individuals and may be used by Edge Factor for any lawful purpose, including disclosure to third parties, at our sole discretion.

Upon termination or expiration of the Agreement, or upon written request from the Customer, Edge Factor shall:

• Cease Processing the Personal Data; and
• Permanently erase, destroy, and render unreadable such Personal Data in its entirety, in a manner that prevents its physical reconstruction through commonly available file restoration tools.

This deletion requirement does not apply to the extent that Edge Factor is required to retain Personal Data under applicable law, in which case Edge Factor will protect the retained data from further Processing (except as required by law) and delete it in accordance with its internal retention and deletion policies.

Notwithstanding the above, anonymized or aggregated data, and Personal Data that is incidentally included in backup, audit, or disaster recovery systems may be retained until deleted in the ordinary course of business, provided that it remains subject to all applicable confidentiality and security requirements under this DPA.

If you have questions about data retention, deletion, or your rights under this Agreement, please contact us via our Contact Us page.

4. Personal Data

The Platform includes a variety of self-service tools and administrative controls that enable you to retrieve, correct, restrict, or delete Personal Data in accordance with your obligations under applicable Data Protection Laws. You are responsible for managing these controls and using them appropriately to meet your compliance requirements.

You acknowledge and agree that you will be solely responsible for:

• The accuracy, quality, and legality of the Personal Data you or your Users submit to the Platform;
• Ensuring that all Personal Data is collected and Processed lawfully, including providing any necessary notices and obtaining all required consents, authorizations, or other valid legal bases under applicable Data Protection Laws;
• Ensuring that your use of the Platform and your instructions to Edge Factor in relation to the Processing of Personal Data comply with all applicable laws and regulations.

Edge Factor does not independently verify the content, origin, or accuracy of the Personal Data provided by you or your Users, and shall not be held responsible for any obligations or liabilities arising from your failure to comply with applicable transparency, consent, or lawfulness requirements.

You are solely responsible for configuring the Platform settings and permissions that determine what data is collected, retained, or shared. Edge Factor shall have no obligation to notify you of configuration changes you make via the Platform unless such notification is required by law.

5. Sub-Processors

You acknowledge and agree that Edge Factor may engage third-party subcontractors, including its Affiliates, as Sub-Processors to support the delivery of Services under the Agreement. The current list of authorized Sub-Processors is available in Annex III. By entering into this DPA, you provide general written authorization for Edge Factor to engage and use such Sub-Processors.

Edge Factor shall ensure that any Sub-Processor it engages is subject to a written agreement that imposes obligations no less protective of Personal Data than those set out in this DPA, including (where applicable) the Standard Contractual Clauses. Edge Factor will remain fully responsible for the acts and omissions of any Sub-Processor it appoints in connection with the performance of this DPA.

Edge Factor may add or remove Sub-Processors at its discretion without separate customer consent, provided that such changes do not materially diminish the protection of Personal Data. Upon request, Edge Factor will provide an updated list of Sub-Processors. If you reasonably object to a new Sub-Processor on documented data protection grounds, you may notify Edge Factor in writing, and the parties will work in good faith to address the concern. If the concern cannot be resolved, your exclusive remedy will be to terminate the affected Services.

6. Data Transfers

You acknowledge and agree that Edge Factor may access and Process Personal Data globally as necessary to provide the Services in accordance with the Agreement. This includes transfers of Personal Data to Edge Factor, Inc. in Canada, as well as to other jurisdictions where Edge Factor’s Affiliates and authorized Sub-Processors maintain operations.

Edge Factor shall ensure that all such transfers are conducted in compliance with applicable Data Protection Laws, including by relying on adequacy decisions, Standard Contractual Clauses (SCCs), or other valid data transfer mechanisms approved by relevant authorities.

You authorize Edge Factor to make such transfers without further notice or consent, provided that they do not result in a material reduction of the level of protection applicable to Personal Data under this DPA.

7. Additional Provisions for European Data

7.1. Scope

This Section applies exclusively to the Processing of European Data governed by European Data Protection Laws.

7.2 Roles of the Parties

When Processing European Data, the parties acknowledge that you act as the Controller and Edge Factor acts as the Processor. Details of the Processing are outlined in Annex I.

7.3 Instructions

If Edge Factor reasonably believes that any instruction from you violates European Data Protection Laws, we will inform you without undue delay. Until resolved, we may suspend the execution of such instructions without liability.

7.4. Sub-Processors

You grant general authorization for Edge Factor to engage Sub-Processors listed in Annex II and to appoint or replace Sub-Processors in the future. Edge Factor will impose data protection obligations on all Sub-Processors equivalent to those in this DPA.

Upon written request, we will provide an updated list of Sub-Processors. If you object on reasonable, documented data protection grounds within 30 days of receiving the list, the parties will work in good faith to resolve the concern. If no resolution is reached, your sole and exclusive remedy will be to suspend or terminate the affected Services.

7.5 Data Protection Impact Assessment

To the extent you are required to conduct a DPIA or prior consultation under European Data Protection Laws, Edge Factor will reasonably assist you upon written request, but only if the required information is not otherwise available to you through the Platform or documentation.

7.6 International Data Transfers

Edge Factor may transfer European Data to Canada and other jurisdictions where it or its Sub-Processors operate. You acknowledge that:

• Canada is recognized by the European Commission as providing an adequate level of data protection;
• For other jurisdictions, Edge Factor shall use appropriate safeguards, such as the 2021 Standard Contractual Clauses (SCCs) issued by the European Commission (Decision (EU) 2021/914), or other valid legal transfer mechanisms.
• Where SCCs are used, Edge Factor, Inc. will act as the data importer, and you as the data exporter, as further described in Annex IV. If Edge Factor, Inc. is not your contracting party, you authorize your local Edge Factor entity to enter into SCCs with Edge Factor, Inc. on your behalf.

7.6 Demonstration of Compliance

Upon written request and no more than once annually, Edge Factor will provide information reasonably necessary to demonstrate compliance with this DPA. Responses may include confidential written summaries, certifications, or documentation of relevant internal controls.

8. Additional Provisions for California Personal Information

8.1 Scope

This Section applies solely to the Processing of California Personal Information, as defined under the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020) (“CCPA”).

8.2 Roles of the Parties

For the purposes of the CCPA, you are the “Business” and Edge Factor is acting as your “Service Provider” with respect to California Personal Information Processed pursuant to the Agreement.

8.3 Restrictions on Use

Edge Factor shall not:

• Sell or Share California Personal Information;
• Retain, use, or disclose California Personal Information for any purpose other than for the specific Business Purpose of performing the Services under the Agreement or as otherwise permitted by the CCPA;
• Retain, use, or disclose California Personal Information outside the direct business relationship between you and Edge Factor;
• Combine California Personal Information received from you with personal information received from another source, except as permitted under the CCPA (e.g., for fraud prevention or security purposes).

8.4 Compliance Certification

Edge Factor certifies that it understands and will comply with the restrictions and obligations set forth in this Section and under the CCPA as a Service Provider.

8.5 Consumer Requests

To the extent required by the CCPA, Edge Factor shall reasonably cooperate with you in responding to verifiable consumer requests to access, correct, or delete California Personal Information, where such requests pertain to data processed by Edge Factor on your behalf.

9. General Provisions

9.1 Amendments

Edge Factor may update or modify this DPA from time to time, as required to reflect changes in applicable law, best practices, or the functionality of the Services. Any such updates will become effective as set out in the ‘Amendment; No Waiver’ section of the Terms of Use. Updates will not materially reduce the level of protection afforded to Personal Data without your consent, unless required by law.

9.2 Severability

If any provision of this DPA is determined to be invalid, unlawful, or unenforceable, the remainder shall remain in full force and effect. Any invalid provision will be interpreted to fulfill its intended purpose to the maximum extent permitted by law or, if necessary, deemed replaced with a valid and enforceable provision that most closely reflects the original intent.

9.3 Limitation of Liability

Each party’s and its Affiliates’ aggregate liability arising out of or relating to this DPA (including any related data processing agreements and the Standard Contractual Clauses, where applicable) is subject to the limitations and exclusions of liability set forth in the ‘Limitation of Liability’ section of the Terms of Use. Where Edge Factor, Inc. is not a direct party to the Agreement, these limitations will apply as between you and Edge Factor, Inc. as though Edge Factor, Inc. were a named party to the Agreement.

9.4 Governing Law

This DPA shall be governed by and construed in accordance with the governing law provisions stated in the ‘Contacting Entity; Applicable Law; Notice’ section of the Terms of Use, except as otherwise required by applicable Data Protection Laws.

9.5 Order of Precedence

In the event of any conflict or inconsistency between the provisions of this DPA, the Agreement, or any prior data protection terms agreed between the parties, the provisions of this DPA shall prevail unless explicitly stated otherwise.

10. Parties to this DPA

10.1 Permitted Affiliates

By entering into the Agreement, you agree to this DPA both on your own behalf and, where applicable under relevant Data Protection Laws, on behalf of your Permitted Affiliates. This establishes a separate agreement between Edge Factor and each Permitted Affiliate, subject to the terms of the Agreement and this DPA, particularly the ‘General Provisions’ and this ‘Parties to this DPA’ section. For clarity, references to “Customer”, “you”, and “your” throughout this DPA will be deemed to include your Permitted Affiliates, unless otherwise specified.

10.2 Authority and Representation

The Customer entity agreeing to this DPA confirms that it is duly authorized to bind itself and its Permitted Affiliates to the terms of this DPA. Edge Factor will not be required to verify such authorization independently.

10.3 Centralized Communications and Remedies

Unless otherwise required by applicable Data Protection Laws, all rights and remedies under this DPA shall be exercised solely by the Customer entity that is party to the Agreement, on behalf of itself and its Permitted Affiliates. All communications regarding this DPA will be coordinated through that entity, and Edge Factor will not be required to interact with Permitted Affiliates separately unless legally mandated.

10.4 Audit Coordination

You agree to take all reasonable steps to minimize disruption to Edge Factor and its Affiliates when exercising audit or compliance rights under this DPA, including (where appropriate) consolidating audit requests from multiple Permitted Affiliates into a single coordinated audit process.

11. Governing Law

This Data Processing Agreement is governed exclusively by the laws of Canada, without regard to its conflict of law principles. Any dispute, claim, or controversy arising out of or relating to this DPA shall be subject to the exclusive jurisdiction of the courts located in Ontario, Canada.

Nothing in this section shall limit the rights of either party to seek injunctive or equitable relief in any jurisdiction where such relief is necessary to prevent immediate and irreparable harm or where required by applicable Data Protection Laws.

Annex 1: Description of the Processing

This Annex sets out the details of the processing of personal data by Edge Factor on behalf of the data controller, as required by Clause 8.1 of the 2021 EU Standard Contractual Clauses (Module 2: Controller to Processor), and in alignment with Canada’s PIPEDA, relevant provincial privacy statutes, and applicable U.S. federal and state data privacy laws. It outlines the nature, purpose, duration, categories of data subjects, and types of personal data processed under the Agreement, ensuring transparency and compliance with cross-border data protection obligations. For U.S.-based educational institutions, Edge Factor processes student information in accordance with FERPA requirements, treating all education records and personally identifiable information as confidential and subject to appropriate access controls.

A. List of Parties

Data Exporter
‍You/your organization.
Role: Controller

Data Importer
Edge Factor Inc.
3860 Quarry Road, Lincoln ON, Canada
privacy@edgefactor.com
Role: Processor

B. Description of Transfer

B.1 Nature and Purpose of Processing

Edge Factor will process Personal Data solely to provide the Services as defined in the Agreement, including platform access, customization, analytics, support, reporting, content delivery, and platform improvements. Processing is limited to what is necessary to perform these services, as further instructed by the data exporter via the platform configuration and usage.

B.2 Duration of Processing

Processing will continue for the duration of the Agreement or as otherwise directed in writing by the data exporter, subject to return or deletion obligations as outlined in this DPA.

B.3 Frequency of Transfer

Continuous – data is transferred and accessed on a rolling basis as part of ongoing service delivery.

B.4 Categories of Data Subjects

The personal data processed may include, but is not limited to:

1. Contact Information: Names, email addresses, usernames (and, where relevant, profile information).
2. Authentication Data: Login method, user ID, and session management information.
3. User Profile Configuration: Grade, subjects taught/enrolled in, assigned classes, and interests.
4. Interaction Data: Answers to quizzes or learning objects, watched content, earned badges, and other engagement signals.
5. Professional Data (for educators/community members): Titles, departments, and submitted feedback or resource contributions.
6. System Metadata: Timestamps, device/browser type, and IP addresses (only for security/logging purposes).

The exact scope of data is determined by the data exporter through the Privacy Settings and platform configuration tools.

B.5 Special Categories of Data

Edge Factor does not require special category data (as defined in Article 9 of GDPR). However, if the data exporter or its users choose to submit special category data (e.g., information revealing health, ethnicity, or beliefs), it is the exporter's responsibility to ensure that such processing complies with applicable legal requirements and is configured appropriately via platform settings.

Edge Factor will apply appropriate safeguards, including role-based access restrictions, pseudonymization (where feasible), and encryption.

B.6 Purpose of the Transfer

To allow Edge Factor to deliver services as described in the Agreement, including platform operation, analytics, account management, educator engagement tracking, and content personalization.

B.7 Onward Transfers

Edge Factor may transfer personal data to authorized sub-processors (listed in Annex III) for purposes strictly required to operate the platform. All sub-processors are contractually bound to equivalent safeguards under the SCCs and DPA.

C. Competent Supervisory Authority

The competent supervisory authority shall be the authority of the EU Member State in which the data exporter is established.

If the data exporter is not established in the EU, but falls under GDPR via Article 3(2), the supervisory authority shall be that of the Member State in which the exporter's GDPR representative is located.

Annex 2: Technical and Organizational Measures

This Annex sets out the technical and organizational measures implemented by Edge Factor, as the data processor, to ensure the protection of personal data processed on behalf of the data controller. Edge Factor adheres to applicable data protection laws in all regions where data is processed, including the GDPR, PIPEDA, MFIPPA (in Ontario), and U.S. privacy frameworks such as the CCPA/CPRA. Our security measures are designed to meet or exceed the standards required by these laws. These measures are designed to ensure a level of security appropriate to the risk and are aligned with the requirements of:

1. Article 32 of the General Data Protection Regulation (GDPR),
2. Decision (EU) 2021/914 on Standard Contractual Clauses (Module 2: Controller to Processor),
3. Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA),
4. Applicable Canadian provincial laws, including but not limited to:
5. Ontario’s Municipal Freedom of Information and Protection of Privacy Act (MFIPPA)
6. British Columbia’s Personal Information Protection Act (BC PIPA)
7. Alberta’s Personal Information Protection Act (AB PIPA)
8. Applicable U.S. federal and state privacy laws, including but not limited to:
9. Children’s Online Privacy Protection Act (COPPA)
10. Family Educational Rights and Privacy Act (FERPA)
11. California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
12. Virginia Consumer Data Protection Act (VCDPA)
13. Other applicable U.S. state laws with enforceable personal data protections

These measures aim to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Edge Factor reviews and updates these measures regularly to ensure ongoing effectiveness and compliance with all applicable privacy and data protection laws across jurisdictions where data is collected, processed, or accessed.

A. Organizational Security

We host our Service with outsourced cloud infrastructure providers. Additionally, we maintain contractual relationships with vendors in order to provide the Service in accordance with our DPA. We rely on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.

1. Privacy Governance: Edge Factor maintains a written internal data protection policy, designates a privacy officer, and trains all employees on data privacy responsibilities.
2. Access Control Policies: Access to personal data is granted on a strict need-to-know basis through role-based access controls (RBAC). All access is logged and regularly reviewed.
3. Employee Confidentiality: All employees and contractors sign confidentiality agreements and are subject to background checks (where appropriate and lawful).
4. Vendor Management: Sub-processors are carefully selected and contractually bound by equivalent data protection obligations. Reviews of vendor compliance are conducted periodically.

B. Physical and Environmental Security

We implement industry standard access controls and detection capabilities for the internal networks that support its products.

1. Data Centers: Hosting is performed using secure data centers with industry certifications (e.g., ISO 27001, SOC 2) located in jurisdictions with appropriate safeguards.
2. Access Controls: Physical access is restricted by badge, biometric, and/or security escort controls. Logs are maintained.
3. Disaster Recovery: Disaster recovery and business continuity plans are in place and tested at least annually.

We implement industry standard access controls and detection capabilities for the internal networks that support its products.

C. Logical Access Controls and User Management

1. Authentication: Platform access is secured by username and password or via SSO (Single Sign-On) integrations. Strong password policies and brute-force protections are enforced.
2. Least Privilege: Employees only receive access to systems and data strictly necessary for their duties.
3. Account Deactivation: Inactive or former employee accounts are automatically or promptly disabled.

D. Data Encryption

1. In Transit: All data in transit is encrypted using TLS 1.2 or higher.
2. At Rest: Data at rest is encrypted using strong encryption algorithms (e.g., AES-256).
3. Key Management: Encryption keys are managed using secure key management practices and systems.

E. Data Integrity and Availability

1. Backups: Regular, automated backups are performed and stored securely. Restoration processes are tested regularly.
2. Redundancy: Infrastructure includes redundancy and failover mechanisms to ensure service continuity.
3. Monitoring: 24/7 monitoring is in place for system performance, uptime, and potential security incidents.

F. Incident Detection and Response

1. Breach Notification: Incident response procedures are in place. Customers and regulators will be notified without undue delay in the event of a data breach, in accordance with applicable laws.
2. Logging and Auditing: Security logs are collected and reviewed for suspicious activity.
3. Investigation & Remediation: Any identified vulnerability or breach is subject to root cause analysis and mitigation.

G. Data Minimization and Retention

1. Customization: Customers can configure what personal data is collected and retained through Privacy Settings.
2. Retention Limits: Data is retained only as long as necessary for the purposes specified, and securely deleted or anonymized when no longer needed.

Annex 3: Sub-Processors

Edge Factor remains fully responsible for each sub-processor’s compliance with such obligations.

In accordance with Clause 9 of the 2021 EU Standard Contractual Clauses (Module 2: Controller to Processor), this Annex identifies the sub-processors engaged by Edge Factor for the processing of personal data. The sub-processors listed below are authorized to process personal data only to the extent necessary to support the provision of the Services under the Agreement, and are bound by written agreements that impose data protection obligations no less protective than those set forth in this DPA.

The controller will be notified of changes to sub-processors in accordance with the DPA and shall have the opportunity to reasonably object, in compliance with applicable data protection laws, including GDPR Article 28, PIPEDA, and relevant U.S. state privacy legislation.

List of Approved Sub-Processors

Sub-Processor: Microsoft Azure
Service Provided: Hosting Provider
Location of Sub-Processor: USA and Canada
Transfer Mechanism: EU-US and Swiss-US Privacy Shield Framework

Sub-Processor: HubSpot
Service Provided: CRM and marketing communications
Location of Sub-Processor: USA and Canada
Safeguards Implemented: SCCs, CCPA & GDPR-compliant platform

‍Sub-Processor: Google LLC
Service Provided: Analytics and support tooling
‍Location of Sub-Processor: Global (data residency varies by service)
‍Safeguards Implemented: SCCs, robust security certifications, privacy controls

Note: This list may be updated in accordance with the Notification of Sub-Processor Changes section of the main DPA.

Procedure for Adding or Replacing Sub-Processors

Edge Factor maintains general authorization to engage sub-processors necessary for delivering the Services, subject to providing the data controller with prior notice of any intended changes. The controller may raise reasonable objections based on data protection concerns within ten (10) business days. If no objection is raised, the sub-processor will be deemed approved.

Annex 4: EU Standard Contractual Clauses – Controller to Processor

To the extent Edge Factor processes or transfers European Personal Data to a country outside of the EEA not recognized as providing an adequate level of data protection (as defined under GDPR), the parties agree to enter into and incorporate by reference the applicable 2021 EU Standard Contractual Clauses (“SCCs”) adopted under Commission Implementing Decision (EU) 2021/914.

The following Standard Contractual Clauses (SCCs) apply pursuant to the European Commission Decision (EU) 2021/914 of 4 June 2021. These clauses are incorporated into the Agreement and apply where the data exporter is a controller and the data importer is a processor, and personal data is transferred outside the EEA.

Section 1

Clause 1 - Purpose and Scope

The purpose of these Clauses is to ensure appropriate data protection safeguards for personal data transferred from the European Economic Area (EEA) to third countries outside the scope of GDPR, in accordance with Article 46(2)(c) of the Regulation.

These Clauses apply to the transfer of personal data between identified parties, depending on the module(s) selected, whether controller-to-controller, controller-to-processor, processor-to-processor, or processor-to-controller.

They are designed to ensure that data subjects' fundamental rights and freedoms are protected throughout the data transfer process, even when the receiving party is located in a country without an adequacy decision from the European Commission.

Clause 2 - Effect and invariability of the Clauses

The parties agree that the Clauses are legally binding and must not be modified except to select the appropriate modules, options, and to complete the annexes.

Any additional clauses or safeguards may be included in the overarching agreement or DPA, provided they do not contradict or reduce the protections offered by the Clauses or the rights of data subjects under EU data protection law.

This ensures that the core safeguards of the SCCs remain intact and fully enforceable, regardless of the parties’ broader contractual arrangements.

The limitations of liability in Section 13.4 of these Terms are part of the basis of the bargain between you and Edge Factor and shall apply to all claims of liability (e.g., warranty, tort, negligence, contract and law) even if Edge Factor or its affiliates has been told of the possibility of any such damage, and even if these remedies fail their essential purpose.

We shall not be liable for any failure to perform our obligations under this Agreement where such failure results from any cause beyond our reasonable control, including, without limitation, mechanical, electronic or communications failure or degradation (including “line-noise” interference).

Clause 3 - Third-Party Beneficiaries

The parties acknowledge that data subjects (i.e., individuals whose personal data is transferred under these Clauses) are granted third-party beneficiary rights.

This means that data subjects may enforce certain provisions of the Clauses directly against either the data exporter or data importer—including rights related to transparency, data access, rectification, erasure, redress, and safeguards in case of onward transfers or personal data breaches.

These enforceable rights exist even if the data subject is not a formal party to the contract, ensuring that individuals retain control over their personal data in accordance with GDPR principles.

Clause 4 - Interpretation

The parties agree that terms used in these Clauses shall be interpreted in light of the provisions of the General Data Protection Regulation (GDPR).

Where terms are not defined in the Clauses, they shall have the same meaning as in the GDPR. This ensures consistency of interpretation across legal instruments and aligns data processing and transfer activities with the principles and obligations set out in applicable European data protection laws.

Clause 5 - Hierarchy

The parties agree that in the event of any conflict between the terms of these Clauses and any other agreement between the parties (including this DPA, the Terms of Use, or other contractual arrangements), the Clauses shall prevail.

This ensures that the rights and safeguards established by the Clauses for cross-border transfers of personal data take precedence and remain enforceable, even if they conflict with broader commercial or contractual terms.

Clause 6 - Description of the transfer(s)

The parties agree that the specific details of the data transfer (including the categories of data subjects, the types of personal data, the purposes of processing, and the duration of the processing) are set out in Annex I of this Data Processing Agreement.

This Annex forms an integral part of the Clauses and must include:

1. Identification of the data exporter and data importer;
2. A clear description of the nature, scope, and purpose of the transfer;
3. The categories of data subjects involved (e.g., students, educators, workforce partners);
4. The categories of personal data transferred;
5. The frequency and duration of the processing activities;
6. Any sensitive data involved, along with the applied safeguards.

The parties acknowledge that the information in Annex I must be accurate and complete to ensure transparency and lawful processing under the GDPR. Any changes to the described processing must be reflected in a revised version of Annex I.

Clause 7 - Docking Clause

The parties agree that additional entities may become parties to these Clauses throughout the term of the Agreement. Specifically:

1. A third party controller or processor may accede to the Standard Contractual Clauses as either a data exporter or data importer, as applicable;
2. Accession shall occur by that entity executing a docking agreement or written declaration of accession to these Clauses with the existing parties;
3. Once the declaration is executed, the new party will assume the rights and obligations of the role they take under the applicable Module(s) of the SCCs.

Edge Factor and the Customer hereby authorize such docking without requiring separate execution of the full Clauses by each new party, provided that all parties comply with the terms of the Agreement and DPA.

Section 2 - Obligations of the Parties

Edge Factor reserves the right to limit your use of the Services, including the number of your posts and your ability to upload User Content or view Content. Edge Factor reserves the right to restrict, suspend, or terminate your account if you breach these Terms or the law or misuse the Services (i.e., violating any of the Do’s and Don’ts). We also have the right, in our sole discretion, to change or cancel your username and password without notice to you.

Clause 8 - Data Protection Safeguards

The following safeguards shall apply to all transfers of personal data from the EEA to a third country:

Clause 8.1 - Instructions and Purpose Limitation

The data importer (Edge Factor or its sub-processors) shall process personal data solely on documented instructions from the data exporter (Customer), and only for the specific purposes outlined in Annex I.B of this DPA. Any further processing shall require explicit consent from the data subject or be legally justified (e.g., for vital interests or legal claims).

Clause 8.2 - Transparency to Data Subjects

Data subjects may request a copy of these Clauses, including completed annexes. Where redactions are necessary to protect confidential information or personal data, a meaningful summary must be provided. The data importer may not use lack of effort or burden as a basis to avoid providing required information.

Clause 8.3 - Accuracy and Data Minimization

Both parties must ensure that personal data is accurate, relevant, and limited to what is necessary. Inaccurate or outdated data must be rectified or erased without undue delay. Parties are obligated to notify each other if they discover inaccuracies.

Clause 8.4 - Storage Limitation

Personal data shall be retained no longer than necessary for the purposes specified, and the data importer shall enforce erasure or anonymization policies (including for backups) in accordance with the retention periods.

Clause 8.5 - Security of Processing

The data importer agrees to implement and maintain the following technical and organizational security measures to ensure an appropriate level of protection:

1. Information Security Program
2. A documented, company-wide Information Security Policy based on industry best practices such as ISO/IEC 27001 or NIST SP 800-53.
   
3. Regular updates and annual reviews of security controls and procedures.
4. Access Control
5. Role-based access with least privilege enforcement.
6. Multi-factor authentication (MFA) for administrative access whenever possible.
7. Automatic session timeouts and account lockouts for suspicious behavior.
8. Data Encryption
9. Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
10. Cryptographic key management policies with limited access.
11. System and Network Security
12. Firewalls, intrusion detection and prevention systems.
13. Regular vulnerability scanning and patch management.
14. Segmentation of environments (e.g., production vs. test).
15. Operational Resilience
16. Daily backups and offsite storage with regular restoration tests.
17. Business continuity and disaster recovery plans, reviewed annually.
18. Incident Detection and Response
19. 24/7 monitoring for security events.
20. Incident response plan with clear roles and timelines.
21. Breach notification protocols aligned with Clause 8.5(e–g).
22. Staff and Confidentiality
23. Mandatory privacy and security training for all personnel.
24. Confidentiality agreements with all employees and contractors.
25. Vendor and Sub-processor Controls
26. Risk assessments and security due diligence for all third-party vendors.
27. Flow-down of security obligations via DPA and SCCs with sub-processors.

Clause 8.6 - Sensitive Data Handling

Where the transfer or processing of personal data involves special categories of data as defined in Article 9(1) of the GDPR (including, but not limited to, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, data concerning health, or data relating to sex life or sexual orientation) the data importer agrees to implement specific restrictions and additional safeguards, including but not limited to:

1. Limiting access strictly to personnel with a legitimate business need;
2. Applying pseudonymisation or encryption wherever feasible;
3. Ensuring that any onward transfers of sensitive data comply with the requirements of the Standard Contractual Clauses;
4. Implementing enhanced security controls such as multi-factor authentication and audit logging when processing such data;
5. Retaining such data only for the minimum duration necessary for the specified processing purposes.

The data importer shall assess the nature and sensitivity of the data and apply appropriate protections to mitigate the risk to data subjects.

Clause 8.7 - Onward Transfer Safeguards

The data importer shall not disclose or transfer any personal data received under this Agreement to a third party located outside the European Economic Area (EEA), unless:

1. The third party is contractually bound by the Standard Contractual Clauses (SCCs) applicable to the relevant transfer module;
2. The onward transfer is made to a country with an adequacy decision under Article 45 of the GDPR;
3. The third party provides appropriate safeguards in accordance with Articles 46 or 47 of the GDPR (e.g., binding corporate rules);
4. The third party has entered into a binding instrument with the data importer guaranteeing an equivalent level of protection as under the SCCs;
5. The transfer is necessary to establish, exercise, or defend legal claims, or to protect the vital interests of a data subject; or
6. The data subject has provided explicit, informed consent to the specific transfer, after being notified of the purpose, identity of the recipient, and associated risks.

In all cases, the data importer agrees to inform the data exporter of any intended onward transfers and ensure that such transfers remain subject to the same level of protection as required under this Agreement and the SCCs, including purpose limitation.

Clause 8.8 - Documentation and Demonstration of Compliance

The data importer shall maintain comprehensive records of its processing activities and make these available to the data exporter and supervisory authorities upon request. The importer shall also allow and contribute to audits by the data exporter or their appointed representatives, subject to reasonable notice.

Clause 8.9 - Assistance and Cooperation

The data importer shall cooperate with the data exporter to support compliance with data subject rights, breach notifications, and data protection assessments, taking into account the nature of the processing and the information available.

Clause 9 - Sub-Processor Engagement and Objection Rights

Where the data importer acts as a processor or sub-processor, it may only engage sub-processors with prior specific or general written authorization from the data exporter.

1. The data importer may engage sub-processors to assist in the processing of personal data under this Agreement, provided that:
2. A written agreement is in place with each sub-processor that imposes data protection obligations equivalent to those under this DPA and the applicable Standard Contractual Clauses;
3. The list of current sub-processors is made available to the data exporter, and the data importer shall notify the data exporter in writing at least 30 days in advance of any intended changes to this list, including the addition or replacement of sub-processors.
4. The data exporter shall have the right to reasonably object to the engagement of a new sub-processor on data protection grounds within 20 days of receiving such notice.
5. If the data exporter objects, the parties will work in good faith to resolve the objection. If a mutually acceptable solution cannot be found, the data exporter may terminate the affected services without penalty
6. The data importer remains fully liable for the acts and omissions of any sub-processor it engages.

Clause 10 - Data Subject Rights and Contact Process

The parties agree that data subjects must be able to exercise their rights under the GDPR (particularly their rights of access, rectification, erasure, restriction, objection, and data portability) even after their personal data has been transferred outside the EEA. To support this:

1. The data importer shall assist the data exporter in responding to requests from data subjects exercising their rights under applicable data protection laws, including (where applicable) rights of access, rectification, erasure, restriction, objection, data portability, and the right not to be subject to automated decision-making.
2. The data importer shall:
3. Promptly inform the data exporter if it receives a request directly from a data subject related to personal data processed under this Agreement;
4. Not respond to the request directly unless authorized in writing by the data exporter, unless required by applicable law;
5. Provide all reasonable cooperation and support necessary for the data exporter to fulfill its obligations to respond to data subject requests within the timelines required by law.
6. The data importer shall make available the following contact point for data subjects to exercise their rights (privacy@edgefactor.com | subject: Data Subject Right Request).
7. If the data importer is legally obligated to process or respond independently, it shall notify the data exporter and document the legal basis for its actions.

The parties must also ensure that data subjects are provided with clear, transparent information on how to exercise these rights and who to contact for assistance.

Clause 11 - Redress

Data subjects whose personal data is transferred under these Clauses must be provided with effective redress mechanisms. Specifically:

1. Data subjects may lodge complaints with the data exporter, the data importer, or a competent supervisory authority in the EEA.
2. The data importer agrees to promptly handle any complaints received and cooperate with the supervisory authority, including during any investigations or dispute resolution processes.
3. Where the data importer is not established in the EU, it shall designate a contact point within the EU authorized to receive communications on its behalf for the purpose of handling such complaints.

Data importers must inform the data exporter without undue delay of any complaints received and must act in good faith to resolve disputes in accordance with the principles set out in the Clauses.

Clause 12 - Liability

Each party to the Clauses is liable to the other party for any breach of its obligations under the Clauses. Key points include:

1. If a data subject suffers material or non-material damage due to a breach of the Clauses, they have the right to seek compensation.
2. Both the data exporter and data importer may be held liable, either jointly or individually, depending on their role in the breach.
3. If both parties are responsible, the data subject may claim compensation from either. The party that pays full compensation may seek contribution from the other party to the extent they are responsible.
4. This clause ensures that data subjects are not left without remedy and that parties to the agreement remain accountable for compliance throughout the data transfer process.

Clause 13 - Supervision

The parties agree that a competent supervisory authority in the European Economic Area (EEA) shall oversee compliance with the Clauses. Key provisions include:

1. The supervisory authority is designated based on the location of the data exporter or, if applicable, the EU representative of the data importer;
2. This authority shall have the power to conduct investigations, issue orders, and enforce penalties in accordance with the GDPR;
3. The data importer agrees to submit to the jurisdiction of this supervisory authority and cooperate fully, including responding to inquiries and following guidance or enforcement actions;
4. Where required, the data importer must designate a point of contact in the EU to interface with the supervisory authority.

Section 3 - Local Laws and Obligations in Case of Access by Public Authorities

Clause 14 – Legal Assessment and Local Law Warranty

The data importer warrants that it has no reason to believe that local laws or practices in its jurisdiction will prevent it from fulfilling its obligations under the Clauses. To support this:

1. The data importer must conduct a thorough legal assessment of local laws, particularly those related to access by public authorities (e.g., law enforcement, national security agencies);
2. It must provide the data exporter, upon request, with documentation or analysis showing that such laws do not conflict with the Clauses or compromise data subject rights;
3. If the data importer becomes aware of any change in law or practice that could affect compliance, it must notify the data exporter without undue delay;
4. Where risks are identified, the parties shall promptly take appropriate steps (such as suspending the transfer or implementing supplementary safeguards).

Clause 15 - Notification (Government Access and Transparency)

The data importer agrees to implement strong safeguards in the event that public authorities (e.g., law enforcement or national security agencies) request access to transferred personal data.

15.1 - Notification of Government Requests

If the data importer receives a legally binding request (e.g., from law enforcement, national security, or other public authorities) for access to personal data transferred under this Agreement, it shall;

1. Promptly notify the data exporter and, where possible, the data subject, unless legally prohibited;
2. Include in such notice the nature of the request, the requesting authority, and the legal basis relied upon;
3. If prohibited from notifying, the data importer agrees to challenge the prohibition and seek permission to inform the data exporter.

15.2 - Assessment of Request Legitimacy

The data importer commits to:

1. Carefully review the legality of any government request and challenge any unlawful or disproportionate demands;
2. Document the legal assessment and provide it to the data exporter upon request.

15.3 - Minimization and Safeguards

The data importer commits to:

1. Limit the scope of data disclosed to what is strictly necessary and legally required;
2. Apply technical and organizational measures to mitigate impact (e.g., redaction, pseudonymization);
3. Maintain records of all requests and responses and make them available to the data exporter and supervisory authority upon request.

15.4 - Transparency Reports

Where permitted by law, the data importer shall publish periodic transparency reports summarizing:

1. The number and type of access requests received;
2. The legal basis cited;
3. The response provided (including any denials or redactions).

15.5 - Fallback Compliance Protocol

If the data importer becomes subject to government access laws or practices that are likely to impair the effectiveness of the SCCs, it shall:

1. Promptly notify the data exporter;
2. Suspend the data transfer;
3. Implement supplementary measures or assist the data exporter in terminating the Agreement, if necessary.

Section 4 - Final Provisions

The Parties agree that Module Two (Controller to Processor) of the Standard Contractual Clauses applies to the data transfer described in this Agreement.

Clause 16 - Non-Compliance with Clauses and Termination

The parties agree that if the data importer is unable to comply with the Clauses, it must immediately inform the data exporter. In such cases:

1. The data exporter may suspend data transfers to the data importer until compliance is restored or suitable safeguards are implemented;
2. If compliance cannot be ensured within a reasonable time, or if required by the competent supervisory authority, the data exporter must terminate the contract with respect to the processing operations affected;
3. In the event of termination, the data importer must return or delete all personal data received under the Clauses, as agreed by the parties;
4. The data exporter is also entitled to terminate the contract unilaterally if the data importer refuses to comply or notifies that it cannot comply with the Clauses.

Clause 17 - Governing Law

The Clauses are governed by the law of an EU Member State that:

1. Recognizes third-party beneficiary rights, and
2. Is explicitly designated by the parties in Annex I.C of the Clauses.

This ensures that any disputes or interpretations related to the Clauses are handled under a legal framework aligned with the GDPR, thereby preserving data subjects’ rights and ensuring enforceability.

The selected governing law must apply only to the SCCs and not to the broader commercial contract, unless otherwise agreed by the parties.

The Clauses shall be governed by the law of the Republic of Ireland, which recognizes third-party beneficiary rights under the Clauses in accordance with Article 46 of the GDPR.

Clause 18 - Choice of Forum and Jurisdiction

The parties agree that any legal disputes arising from the Clauses shall be resolved in the courts of an EU Member State, specifically:

1. The courts of the Member State designated in Annex I.C, which must also be the jurisdiction whose law governs the Clauses under Clause 17;
2. Data subjects may bring claims in the designated jurisdiction, or in the Member State where they reside.

This clause ensures that data subjects have accessible and enforceable legal remedies in the EU and that disputes are handled within a trusted legal system aligned with GDPR protections.

Any disputes arising from these Clauses shall be resolved by the courts of the Republic of Ireland. Data subjects may also bring legal proceedings in the Member State where they have their habitual residence.

Annex 5: Contact Details for Notifications

Processor
Edge Factor
3860 Quarry Road, Lincoln ON, Canada
privacy@edgefactor.com
1 (716) 805-3343

Controller
Please provide contact details that can be used for any notifications with regards to personal data protection. If your company has a Data Protection Officer, please add them as an account administrator under your Edge Factor user account.