Scope and Roles. Customer is Controller; Vendor is Processor. Vendor will Process Personal Data solely to provide the Service per Customer’s documented instructions (the Agreement and Orders).
Security Measures. Vendor will implement the technical and organizational measures described in Schedule 3 and Annex II.
Subprocessing. Vendor may engage Subprocessors and remains responsible for their performance.
International Transfers. For transfers from the EEA/Switzerland, the parties adopt the EU Standard Contractual Clauses (Controller-to-Processor, Module 2) (Commission Implementing Decision (EU) 2021/914) as incorporated by reference, with the UK Addendum for the UK.
Confidentiality. Vendor ensures personnel authorized to Process Personal Data are bound by confidentiality obligations.
Assistance. Taking into account the nature of Processing and information available to Vendor, Vendor will reasonably assist Customer with data subject requests, security incidents, DPIAs, and consultations with supervisory authorities.
Personal Data Breach. Vendor will notify Customer without undue delay and in any event within 72 hours after confirmation of a Personal Data Breach affecting Customer Personal Data, providing details then known and subsequent updates as information becomes available.
Return and Deletion. Upon termination or at Customer’s written request, Vendor will return or make available Customer Personal Data and then delete it from active systems; deletion from backups occurs per the retention schedule unless law requires retention.
Liability. This DPA is subject to the limitations and exclusions of liability in the Agreement; any non-waivable statutory liabilities remain unaffected.