Data Processing Addendum

Last updated: January 1, 2023

This Data Processing Addendum (the “Addendum”) forms part of the terms entered into by and between FullContact, Inc. (“FullContact”) and Client pursuant to the FullContact Services Agreement (the “Agreement”) under which FullContact provides FullContact Data Services (“Services”) to Client. All capitalized terms not defined herein shall have the meaning set forth in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.

1. Effectiveness

a. Scope. This Addendum shall only apply to the extent required by Data Protection Laws with regard to the relevant Client Personal Data. In case of any conflict between the provisions of the Agreement and the provisions of this Addendum with respect to such Processing, the provisions of this Addendum shall apply.

b. Termination. This Addendum will terminate upon the earliest of: (i) termination of the Agreement (and without prejudice to the survival of accrued rights and liabilities of the parties and any obligations of the parties which either expressly or by implication survive termination); (ii) as earlier terminated pursuant to the terms of this Addendum; or (iii) as agreed by the parties in writing.

2. Definitions. As used in this Addendum:

“Client Personal Data” means Personal Data received from or on behalf of Client pursuant to or in connection with the Agreement that is covered by Data Protection Laws.

“Controller” means an entity that determines the purposes and means of the Processing of Personal Data.

“Data Protection Laws” means the data privacy and security laws and regulations of any jurisdiction applicable to the Processing of Client Personal Data under the Agreement including, in each case to the extent applicable, European Data Protection Laws and United States Data Protection Laws.

“Data Subject” means the identified or identifiable natural person who is the subject of Personal Data.

“European Data Protection Laws” means, in each case to the extent applicable: (a) the EU General Data Protection Regulation 2016/679 (“GDPR”); (b) the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”), the Data Protection Act of 2018, and all other laws relating to data protection, the processing of personal data, privacy, or electronic communications in force from time to time in the United Kingdom (collectively, “UK Data Protection Laws”); (c) the Swiss Federal Act on Data Protection (“Swiss FADP”); and (d) any other applicable law, rule, or regulation related to the protection of Client Personal Data in the European Economic Area, United Kingdom, or Switzerland that is already in force or that will come into force during the term of this Addendum.

“Personal Data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual, including, but not limited to, any information that is defined as “personally identifiable information,” “personal information,” “personal data,” or other similar term under Data Protection Laws.

“Process” means any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, alignment, combination, restriction, erasure, destruction or disclosure by transmission, dissemination or otherwise making available.

“Processor” means an entity that Processes Personal Data on behalf of a Controller.

“Security Incident” means a breach of FullContact’s security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Personal Data in FullContact’s possession, custody, or control. A Security Incident does not include unsuccessful attempts or activities that do not compromise the security of Client Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.

“Standard Contractual Clauses” means, as applicable, Module Two (Transfer controller to processor) or Module Three (Transfer processor to processor) of the standard contractual clauses approved by the European Commission’s implementing decision (C(2021)3972) of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/678 of the European Parliament and of the Council (available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en), as supplemented or modified by Appendix 3.

“Subprocessor” means any Processor appointed by FullContact in connection with the Processing of Client Personal Data by FullContact under the Agreement.

“Supervisory Authority” means an independent competent public authority established or recognized under Data Protection Laws.

“United States Data Protection Laws” means, in each case to the extent applicable: (a) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, when effective, and its implementing regulations (collectively, “CCPA”); (b) the Virginia Consumer Data Protection Act (“VCPDA”), when effective; (c) the Colorado Privacy Act and its implementing regulations (“CPA”), when effective; (d) the Utah Consumer Privacy Act (“UCPA”), when effective; (e) Connecticut SB6, An Act Concerning Personal Data Privacy and Online Monitoring (“CTDPA”); and (f) any other applicable law or regulation related to the protection of Client Personal Data in the United States that is already in force or that will come into force during the term of this Addendum.

3. Processing of Personal Data

a. Roles of the Parties. The parties acknowledge and agree that, as between the parties, with regard to the Processing of Client Personal Data under the Agreement, Client is a Controller and FullContact is a Processor. In some circumstances, the parties acknowledge that Client may be acting as a Processor to a third-party Controller in respect of Client Personal Data, in which case FullContact will remain a Processor with respect to the Client. Each party will comply with the obligations applicable to it in such role under Data Protection Laws with respect to the Processing of Client Personal Data.

b. Client Instructions. FullContact will Process Client Personal Data only in accordance with Client’s documented instructions unless otherwise required by applicable law, in which case Client will inform FullContact of such Processing unless notification is prohibited by applicable law. Client hereby instructs FullContact to Process Client Personal Data: (i) to provide the Services to FullContact; (ii) to perform its obligations and exercise its rights under the Agreement and this Addendum; and (iii) as necessary to prevent or address technical problems with the Services. FullContact will notify Client if, in its opinion, an instruction of Client infringes upon Data Protection Laws. Client’s instructions for the Processing of Client Personal Data shall comply with Data Protection Laws. Client shall be responsible for: (A) giving adequate notice and making all appropriate disclosures to Data Subjects regarding Client’s use and disclosure and FullContact’s Processing of Client Personal Data; and (B) obtaining all necessary rights, and, where applicable, all appropriate and valid consents to disclose such Client Personal Data to FullContact to permit the Processing of such Client Personal Data by FullContact for the purposes of performing FullContact’s obligations under the Agreement or as may be required by Data Protection Laws. Client shall notify FullContact of any changes in, or revocation of, the permission to use, disclose, or otherwise Process Client Personal Data that would impact FullContact’s ability to comply with the Agreement, this Addendum, or Data Protection Laws.

c. Details of Processing. The parties acknowledge and agree that the nature and purpose of the Processing of Client Personal Data, the types of Client Personal Data Processed, the categories of Data Subjects, and other details regarding the Processing of Client Personal Data are as set forth in Appendix 1.

d. Processing Subject to the CCPA. As used in this Section 3(d), the terms “Sell,” “Share,” “Business Purpose,” and “Commercial Purpose” shall have the meanings given in the CCPA and “Personal Information” shall mean any personal information (as defined in the CCPA) contained in Client Personal Data. FullContact will not: (i) Sell or Share any Personal Information; (ii) retain, use, or disclose any Personal Information (A) for any purpose other than for the Business Purposes specified in the Agreement, including for any Commercial Purpose other than the Business Purposes specified in the Agreement, or as otherwise permitted by the CCPA, or (B) outside of the direct business relationship between Client and FullContact; or (iii) combine Personal Information received from, or on behalf of, Client with Personal Data received from or on behalf of any third party, or collected from FullContact’s own interaction with Data Subjects, except to perform any Business Purpose permitted by the CCPA. FullContact hereby certifies that it understands the foregoing restrictions under this Section 3(d) and will comply with them. The parties acknowledge that the Personal Information disclosed by Client to FullContact is provided to FullContact only for the limited and specified purposes set forth in the Agreement and this Addendum. FullContact will comply with applicable obligations under the CCPA and provide the same level of privacy protection to Personal Information as is required by the CCPA. Client has the right to take reasonable and appropriate steps to help ensure that FullContact uses the Personal Information transferred in a manner consistent with Client’s obligations under the CCPA by exercising Client’s audit rights in Section 8. FullContact will notify Client if it makes a determination that FullContact can no longer meet its obligations under the CCPA. 
If FullContact notifies Client of unauthorized use of Personal Information, including under the foregoing sentence, Client will have the right to take reasonable and appropriate steps to stop and remediate such unauthorized use by limiting the Personal Information shared with FullContact, terminating the portion of the Agreement relevant to such unauthorized use, or such other steps mutually agreed between the parties in writing.

4. FullContact Personnel. FullContact restricts its personnel from Processing Client Personal Data without authorization by FullContact and will limit the Processing to that which is needed for the specific individual’s job duties in connection with FullContact’s provision of the Services under the Agreement. FullContact will impose appropriate contractual obligations on its personnel, including relevant obligations regarding confidentiality, data protection, and data security.

5. Data Subject Rights. FullContact will, taking into account the nature of the Processing of Client Personal Data and the functionality of the Services, provide reasonable assistance to Client by appropriate technical and organizational measures, insofar as this is possible, as necessary for Client to fulfill its obligations under Data Protection Laws to respond to requests by Data Subjects to exercise their rights under Data Protection Laws. FullContact reserves the right to charge Client on a time and materials basis in the event that FullContact considers that such assistance is onerous, complex, frequent, or time consuming. If FullContact receives a request from a Data Subject under any Data Protection Laws with respect to Client Personal Data, FullContact will advise the Data Subject to submit the request to Client and Client will be responsible for responding to any such request.

6. Subprocessors. FullContact may engage such Subprocessors as FullContact considers reasonably appropriate for the Processing of Client Personal Data. FullContact currently utilizes Amazon Web Services to perform the Services. A complete list of FullContact’s Subprocessors, including their functions and locations, is available upon Client’s request and may be updated by FullContact from time to time in accordance with this Addendum. FullContact shall notify Client of the addition or replacement of any Subprocessor at least 10 days prior to engagement and Client may, on reasonable grounds, object to a new or replaced Subprocessor by notifying FullContact in writing within 10 days of receipt of FullContact’s notification, giving reasons for Client’s objection. Upon receiving such objection, FullContact shall: (a) work with Client in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; and (b) where such change cannot be made within 10 days of FullContact’s receipt of Client’s notice, Client may by written notice to FullContact with immediate effect terminate the portion of the Agreement or any relevant Order Form to the extent that it relates to the Services which require the use of the proposed Subprocessor. This termination right is Client’s sole and exclusive remedy to Client’s objection of any Subprocessor appointed by FullContact. When engaging any Subprocessor, FullContact will enter into a written contract with such Subprocessor containing data protection obligations not less protective than those in this Addendum with respect to Client Personal Data. FullContact shall be liable for the acts and omissions of the Subprocessor to the extent FullContact would be liable under the Agreement and this Addendum.

7. Security.

a. Security Measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, FullContact shall implement appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, in accordance with the security standards in Appendix 2 (the “Security Measures”). Client acknowledges that the Security Measures may be updated from time to time upon reasonable notice to Client to reflect process improvements or changing practices, provided that the modifications will not materially decrease FullContact’s security obligations hereunder.

b. Security Incidents. Upon becoming aware of a confirmed Security Incident, FullContact will: (i) notify Client of the Security Incident without undue delay after becoming aware of the Security Incident; and (ii) take reasonable steps to identify the cause of such Security Incident, minimize harm, and prevent a recurrence. FullContact will take reasonable steps to provide Client with information available to FullContact that Client may reasonably require to comply with its obligations under Data Protection Laws. FullContact’s notification of or response to a Security Incident under this Section 7(b) will not be construed as an acknowledgement by FullContact of any fault or liability with respect to the Security Incident.

c. Client Responsibilities. Client agrees that, without limitation of FullContact’s obligations under this Section 7, Client is solely responsible for its use of the Services, including: (i) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Client Personal Data; and (ii) securing any account authentication credentials, systems, and devices Client uses to access or connect to the Services, where applicable. Without limiting FullContact’s obligations hereunder, Client is responsible for reviewing the information made available by FullContact relating to data security and making an independent determination as to whether the Services meet Client’s requirements and legal obligations under Data Protection Laws.

8. Assessments and Prior Consultations. In the event that Data Protection Laws require Client to conduct a data protection impact assessment, transfer impact assessment, or prior consultation with a Supervisory Authority in connection with FullContact’s Processing of Client Personal Data, following written request from Client, FullContact shall use reasonable commercial efforts to provide relevant information and assistance to Client to fulfil such request, taking into account the nature of FullContact’s Processing of Client Personal Data and the information available to FullContact. FullContact reserves the right to charge Client on a time and materials basis in the event that FullContact considers that such assistance is onerous, complex, frequent, or time consuming.

9. Return or Destruction of Client Personal Data. Following termination or expiration of the Agreement, FullContact shall, at Client’s option, delete or return Client Personal Data and all copies to Client, except as required by applicable law. If FullContact retains Client Personal Data pursuant to applicable law, FullContact agrees that all such Client Personal Data will continue to be protected in accordance with this Addendum.

10. Audit

a. Report on Compliance. At Client’s written request, FullContact will provide Client with all information reasonably necessary for Client to verify FullContact’s compliance with the security obligations under this Addendum. The information will constitute FullContact Confidential Information under the confidentiality provisions of the Agreement or a non-disclosure agreement executed by the parties. FullContact shall allow for and contribute to audits, including inspections, by Client or an auditor mandated by Client in relation to the Processing of the Client Personal Data by FullContact or any Subprocessor in accordance with the provisions of this Section 10.

b. Applicability of this Section. Client’s information and audit rights only arise under Section 10(a) hereof to the extent that the Agreement does not otherwise provide information and audit rights meeting the relevant requirements of Data Protection Laws.

c. Audit Procedure. An audit shall be conducted in accordance with and subject to the limitations of Section 6(c) (Security Audits) of the Agreement, provided however that: (i) an audit outside normal business hours shall be permitted if the audit or inspection shall be conducted on an emergency basis and where Client has given FullContact prior written notice of such emergency audit; and (ii) no limitation with respect to the frequency of audits conducted shall apply to any additional audits or inspections which Client is required or requested to carry out by a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Laws, and where Client has identified its concerns or the relevant requirement in its notice to FullContact of the audit or inspection.

11. International Transfer of Data.

a. Data Processing Facilities. FullContact may, subject to Sections 11(b) and 11(c), Process Client Personal Data in the United States or anywhere FullContact or its Subprocessors maintains facilities. Client is responsible for ensuring that its use of the Services complies with any cross-border data transfer restrictions of Data Protection Laws.

b. European Transfers. If Client transfers Client Personal Data to FullContact that is subject to European Data Protection Laws, and such transfer is not subject to an alternative adequate transfer mechanism under European Data Protection Laws or otherwise exempt from cross-border transfer restrictions, then Client (as “data exporter”) and FullContact (as “data importer”) agree that the applicable terms of the Standard Contractual Clauses shall apply to and govern such transfer and are hereby incorporated herein by reference. In furtherance of the foregoing, the parties agree that: (i) the execution of this Addendum shall constitute execution of the applicable Standard Contractual Clauses as of the Addendum Effective Date; (ii) the relevant selections, terms, and modifications set forth in Appendix 3 shall apply, as applicable; and (iii) the Standard Contractual Clauses shall automatically terminate once the Client Personal Data transfer governed thereby becomes lawful under European Data Protection Laws in the absence of such Standard Contractual Clauses on any other basis.

c. Other Jurisdictions. If Client transfers Client Personal Data to FullContact that is subject to Data Protection Laws other than European Data Protection Laws which require the parties to enter into standard contractual clauses to ensure the protection of the transferred Client Personal Data, and the transfer is not subject to an alternative adequate transfer mechanism under Data Protection Laws or otherwise exempt from cross-border transfer restrictions, then the parties agree that the applicable terms of any standard contractual clauses approved or adopted by the relevant Supervisory Authority pursuant to such Data Protection Laws shall automatically apply to such transfer and, as applicable, shall be completed on a mutatis mutandis basis to the completion of the Standard Contractual Clauses as described in Section 11(b).

12. Limitation of Liability. Each party’s liability, taken together in the aggregate, arising out of or related to this Addendum, whether in contract, tort or under any other theory of liability, is subject to the “Limitation of Liability” section of the Agreement. For the avoidance of doubt, FullContact’s total liability for all claims from the Client or any third party (other than Data Subject) arising out of or related to the Agreement and this Addendum shall apply in the aggregate for all claims under both the Agreement and this Addendum.

13. Jurisdiction and Governing Law. Except as otherwise provided in this Addendum, the parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity.

Last Modified: June 22, 2022

APPENDIX 1: DETAILS OF PROCESSING OF CLIENT PERSONAL DATA

1. Subject matter and duration of the Processing of Client Personal Data
The subject matter and duration of the Processing are as described in the Agreement and the Addendum.

2. Nature and purpose of the Processing of Client Personal Data
The nature and purpose of the Processing are those activities reasonably required to facilitate or support the provision of the Services as described in the Agreement and the Addendum.

3. The categories of Data Subjects to whom Client Personal Data relates
The categories of Data Subjects shall be as is contemplated or related to the Processing described in the Agreement.

4. The categories of Client Personal Data
The categories of Client Personal Data Processed are those categories contemplated in and permitted by the Agreement.

5. The sensitive data included in Client Personal Data
No sensitive data expected by the parties.

6. The frequency of Client’s transfer of Client Personal Data to FullContact:
On a continuous basis for the term of the Agreement.

7. The period for which Client Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:
As set forth in the Addendum or the Agreement.

8. For transfers to Subprocessors, the subject matter, nature and duration of the Processing of Client Personal Data:
As set forth in the Addendum or the Agreement.

APPENDIX 2: SECURITY MEASURES

With respect to Client Personal Data transferred to or received by FullContact under the Agreement, FullContact has implemented, and will maintain, a comprehensive written information security program (“Information Security Program”) that includes appropriate administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of Client Personal Data. In particular, the Information Security Program will include the following safeguards where appropriate or necessary to ensure the protection of Client Personal Data:

  1. Access Controls – Policies, procedures, and physical and technical controls: (a) to limit physical access to its information systems and the facility or facilities in which they are housed to properly authorized persons; (b) to ensure that all members of its workforce who require access to Client Personal Data have appropriately controlled access, and to prevent those workforce members and others who should not have access from obtaining access; (c) to authenticate and permit access only to authorized individuals and to prevent members of its workforce from providing Client Personal Data or information relating thereto to unauthorized individuals; and (d) to reasonably encrypt Client Personal Data where appropriate.
  2. Security Awareness and Training – A security awareness and training program for all relevant members of FullContact’s workforce (including management), which includes training on how to implement and comply with its Information Security Program.
  3. Security Incident Procedures – Policies and procedures to detect, respond to, and otherwise address security incidents, including procedures to monitor systems and to detect attempted attacks on or intrusions into Client Personal Data or information systems relating thereto, and procedures to identify and respond to suspected or known security incidents, mitigate harmful effects of security incidents, and document security incidents and their outcomes.
  4. Contingency Planning – Policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages Client Personal Data or systems that contain Client Personal Data, including a data backup plan and a disaster recovery plan.
  5. Device and Media Controls – Policies and procedures governing the movement of hardware and electronic media that contain Client Personal Data into and out of a FullContact facility, and the movement of these items within a FullContact facility, including policies and procedures to address the final disposition of Client Personal Data, or the hardware or electronic media on which it is stored, and procedures for removal of Client Personal Data from electronic media before the media are made available for re-use.
  6. Audit Controls – Hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate logs and reports concerning these security requirements and compliance therewith.
  7. Data Integrity – Policies and procedures to ensure the confidentiality, integrity, and availability of Client Personal Data and protect it from disclosure, improper alteration, or destruction.
  8. Storage and Transmission Security – Technical security measures to guard against unauthorized access to Client Personal Data that is being transmitted over an electronic communications network, including a mechanism to encrypt Client Personal Data in electronic form while in transit and in storage on networks or systems to which unauthorized individuals may have access.
  9. Assigned Security Responsibility – FullContact will designate a security official responsible for the development, implementation, and maintenance of its Information Security Program. FullContact will inform the Client as to the person responsible for security upon request.
  10. Storage Media – Policies and procedures to ensure that prior to any storage media containing Client Personal Data being assigned, allocated, or reallocated to another user, or prior to such storage media being permanently removed from a facility, FullContact will delete such Client Personal Data from both a physical and logical perspective, such that the media contains no residual data, or if necessary physically destroy such storage media. FullContact will maintain an auditable program implementing the disposal and destruction requirements set forth in this section for all storage media containing Client Personal Data.
  11. Testing – FullContact will regularly test the key controls, systems, and procedures of its Information Security Program to ensure that they are properly implemented and effective in addressing the threats and risks identified. FullContact will conduct an annual independent audit of its controls and their effectiveness (SOC2 or ISO 27001). FullContact will monitor the effectiveness of its technical security controls through an ongoing bug bounty program and an annual penetration test performed by an independent company.
  12. Adjust the Program – The specifications provided herein apply as of the Addendum Effective Date. FullContact will monitor, evaluate, and adjust, as appropriate, the Information Security Program in light of any relevant changes in technology or security standards, the sensitivity of the Client Personal Data, internal or external threats to FullContact or the Client Personal Data, and FullContact’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems. In light of the foregoing, the Information Security Program is subject to change; provided, however, that any such update will not materially diminish the applicable information security protections applicable to Client Personal Data.

APPENDIX 3: STANDARD CONTRACTUAL CLAUSES

  1. Application of Modules. If Client is acting as a Controller with respect to Client Personal Data, “Module Two: Transfer controller to processor” of the Standard Contractual Clauses shall apply. If Client is acting as a Processor to a third-party Controller with respect to Client Personal Data, FullContact is a sub-Processor and “Module Three: Transfer processor to processor” of the Standard Contractual Clauses shall apply.
  2. Sections I-V. The parties agree to the following selections in Sections I-IV of the Standard Contractual Clauses: (a) the parties select Option 2 in Clause 9(a) and the specified time period shall be the notification time period set forth in Section 6 of the Addendum; (b) the optional language in Clause 11(a) is omitted; (c) the parties select Option 1 in Clause 17 and the governing law of the Republic of Ireland will apply; and (d) in Clause 18(b), the parties select the courts of the Republic of Ireland.
  3. Annexes. The name, address, contact details, activities relevant to the transfer, and role of the parties set forth in the Agreement and the Addendum shall be used to complete Annex I.A. of the Standard Contractual Clauses. The information set forth in Appendix 1 to the Addendum shall be used to complete Annex I.B. of the Standard Contractual Clauses. The competent supervisory authority in Annex I.C. of the Standard Contractual Clauses shall be the relevant supervisory authority determined by Clause 13 and the GDPR, unless otherwise set forth in Sections 5 or 6 of this Appendix 3. If such determination is not clear, then the competent supervisory authority shall be the Irish Data Protection Authority. The technical and organizational measures in Annex II of the Standard Contractual Clauses shall be the measures set forth in Appendix 2 to the Addendum.
  4. Supplemental Business-Related Clauses. In accordance with Clause 2 of the Standard Contractual Clauses, the parties wish to supplement the Standard Contractual Clauses with business-related clauses, which shall neither be interpreted nor applied in such a way as to contradict the Standard Contractual Clauses (whether directly or indirectly) or to prejudice the fundamental rights and freedoms of Data Subjects. FullContact and Client therefore agree that the applicable terms of the Agreement and the Addendum shall apply if, and to the extent that, they are permitted under the Standard Contractual Clauses, including without limitation the following:
    1. Instructions. The instructions described in Clause 8.1 are set forth in Section 3(b) of the Addendum.
    2. Protection of Confidentiality. In the event a Data Subject requests a copy of the Standard Contractual Clauses or the Addendum under Clause 8.3, Client shall make all redactions reasonably necessary to protect business secrets or confidential information of FullContact.
    3. Deletion or Return. Deletion or return of Client Personal Data by FullContact under the Standard Contractual Clauses shall be governed by Section 9 of the Addendum. Certification of deletion of Client Personal Data under Clause 8.5 or Clause 16(d) will be provided by FullContact upon the written request of Client.
    4. Onward Transfers. FullContact shall be deemed in compliance with Clause 8.8 to the extent such onward transfers occur in accordance with Article 4 of the Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
    5. Audits and Certifications. Any information requests or audits provided for in Clause 8.9 shall be fulfilled in accordance with Section 10 of the Addendum.
    6. Liability. The relevant terms of the Agreement which govern indemnification or limitation of liability shall apply to FullContact’s liability under Clauses 12(a), 12(d), and 12(f).
    7. Termination. The relevant terms of the Agreement which govern termination shall apply to a termination pursuant to Clauses 14(f) or 16.
  5. Transfers from the United Kingdom. If Client transfers Client Personal Data to FullContact that is subject to UK Data Protection Laws, the parties acknowledge and agree that: (a) the template addendum issued by the Information Commissioner’s Office of the United Kingdom and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 (available at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf), as it may be revised from time to time by the Information Commissioner’s Office (the “UK Addendum”) shall be incorporated by reference herein; (b) the UK Addendum shall apply to and modify the Standard Contractual Clauses solely to the extent that UK Data Protection Laws apply to Client’s Processing when making the transfer; (c) the information required to be set forth in “Part 1: Tables” of the UK Addendum shall be completed using the information provided in this Appendix 3 and the Addendum; and (d) either party may end the UK Addendum in accordance with section 19 thereof.
  6. Transfers from Switzerland. If Client transfers Client Personal Data to FullContact that is subject to the Swiss FADP, the following modifications shall apply to the Standard Contractual Clauses to the extent that the Swiss FADP applies to Client’s Processing when making that transfer: (a) the term “member state” as used in the Standard Contractual Clauses shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from suing for their rights in their place of habitual residence in accordance with Clause 18(c) of the Standard Contractual Clauses; (b) the Standard Contractual Clauses shall also protect the data of legal entities until the entry into force of the revised Swiss FADP on or about 1 January 2023; (c) references to the GDPR or other governing law contained in the Standard Contractual Clauses shall also be interpreted to include the Swiss FADP; and (d) the parties agree that the supervisory authority as indicated in Annex I.C of the Standard Contractual Clauses shall be the Swiss Federal Data Protection and Information Commissioner.