DATA PROCESSING Addendum

This Data Processing Addendum (“DPA”) is part of the Terms agreed between DressX, referenced herein as (“Processor”), and its Customer, referenced herein as (“Controller”). This DPA supplements the Terms and forms part of the entire agreement entered between the Parties (“Agreement”) and will be effective from the date the Agreement has been validly entered.

DEFINITIONS
1. Capitalized terms used but not defined within this DPA will have the meaning set forth in the Agreement. The following capitalized terms used in this DPA will be defined as follows:

"Applicable Data Protection Laws" means all applicable laws, rules, regulations, and governmental requirements relating to the privacy, confidentiality, or security of Personal Data, as they may be amended or otherwise updated from time to time, including (without limitation): the GDPR, Swiss Data Protection Laws and the US Data Protection Laws.

"Controller Purposes" means the processing purposes solely pursued by the Controller.

"Covered Data" means Personal Data that is: (a) provided by or on behalf of Controller to Processor in connection with the Services; or (b) obtained, developed, produced or otherwise Processed by Processor, or its agents or subcontractors, for the purposes of providing the Services, in each case as further described in Schedule 1.

"Data Subject" means a natural person whose Personal Data is Processed.

"EEA" means the European Economic Area including the European Union ("EU").

"GDPR" means Regulation (EU) 2016/679 (the "EU GDPR") or, where applicable, the "UK GDPR", as defined in section 3 of the Data Protection Act 2018.

"Member State" means a member state of the EEA, being a member state of the European Union, Iceland, Norway, or Liechtenstein.

"Personal Data" means any data or information that: (a) is linked or reasonably linkable to an identified or identifiable natural person; or (b) is otherwise "personal data", "personal information", "personally identifiable information", or similarly defined data or information under Applicable Data Protection Laws.

"Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means. "Process", "Processes" and "Processed" will be interpreted accordingly.

"Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorized access to, Covered Data.

"Services" means the services to be provided by Processor to Controller under the Agreement.

"Standard Contractual Clauses" or "SCCs" means the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914.

"Sub-processor" means, with respect to any Processing performed by Processor as a processor or service provider, an entity appointed by Processor to Process Covered Data on its behalf.

"Swiss Data Protection Laws" means the Swiss Federal Act on Data Protection of 25 September 2020 ("FADP") and the Swiss Data Protection Ordinance of 31 August 2022 (the "Ordinance"), and any new or revised version of these laws that may enter into force for time to time.

“UK” means the United Kingdom.

"US Data Protection Laws" means all applicable federal and state laws rules, regulations, and governmental requirements relating to data protection, the Processing of Personal Data, privacy and/or data protection in force from time to time in the United States.

"Usage and Administration Data" means:

diagnostic, usage and performance information collected by Processor in relation to the Controller's and its authorised users' use of the Services, including metadata relating to content and information uploaded by the Controller to the Services;
contact details relating to, and the content of correspondence with the Controller's main account holder or administrator;
support enquiries submitted by the Controller's authorised users in relation to the Services.

The terms "controller", "processor", "business" and "service provider" have the meanings given to them in the Applicable Data Protection Laws.

INTERACTION WITH THE AGREEMENT

This DPA is incorporated into and forms an integral part of the Agreement. This DPA supplements and (in case of contradictions) supersedes the Agreement with respect to any Processing of Covered Data.

ROLE OF THE PARTIES

3.1 The Parties acknowledge and agree that:

save as set out in paragraph 3(b), Processor acts as a processor or service provider in the performance of its obligations under the Agreement and this DPA and Controller acts as a controller or business; and
for the purposes of the GDPR and Swiss Data Protection Laws, Processor acts as a controller with respect to the Processing of Usage and Administration Data for the Controller Purposes.

DETAILS OF DATA PROCESSING
1. The details of the Processing of Personal Data under the Agreement and this DPA (including subject matter, nature and purpose of the Processing, categories of Personal Data and Data Subjects) are described in the Agreement and in Schedule 1 to this DPA.
2. Processor shall comply with its obligations under Applicable Data Protection Laws. Save with respect to any Processing of Usage and Administration Data for the Controller Purposes, Processor will only Process Covered Data on behalf of and under the instructions of Controller and in accordance with Applicable Data Protection Laws.
3. The Agreement and this DPA shall constitute Controller’s instructions for the Processing of Covered Data. Controller may issue further written instructions in accordance with this DPA.
4. Processor will:
  1. provide Controller with information to enable Controller to conduct and document any data protection assessments required under Applicable Data Protection Laws; and
  2. promptly inform Controller if, in its opinion, an instruction from Controller infringes the Applicable Data Protection Laws.
COMPLIANCE

Controller shall comply with its obligations as a controller, business or equivalent term under the Applicable Data Protection Laws, and shall provide any notices and obtain any consents required for the lawful Processing of Covered Data (other than Processor's Processing of Usage and Administration Data for the Controller Purposes) under this DPA or, where necessary, obtain consents on behalf of Processor in accordance with Applicable Data Protection Laws.

CONFIDENTIALITY AND DISCLOSURE
1. Processor shall:
  1. limit access to Covered Data to personnel who have a business need to have access to such Covered Data; and
  2. ensure that such personnel are subject to obligations at least as protective of the Covered Data as the terms of this DPA and the Agreement, including duties of confidentiality with respect to any Covered Data to which they have access.
SUB-PROCESSORS
1. Processor may Process Covered Data anywhere that Processor or its Sub-processors maintain facilities, subject to the remainder of this clause 7.
2. Controller grants Processor general authorisation to engage any of the Sub-processors listed in Schedule 3, as amended in accordance with clause 7.4 (the "Authorised Sub-processors"), to Process Covered Data.
3. Processor shall:
  1. enter into a written agreement with each Authorised Sub-processor imposing data protection obligations that, in substance, are no less protective of Covered Data than Processor's obligations under this DPA; and
  2. remain liable for each Authorised Sub-processor’s compliance with the obligations under this DPA.
4. Processor will provide Controller with at least thirty (30) days’ notice of any proposed changes to the Authorised Sub-processors. Controller shall notify Processor if it objects to the proposed change to the Authorised Sub-processors (including, where applicable, when exercising its right to object under clause 9(a) of the SCCs) by providing Processor with written notice of the objection within thirty (30) days after Processor has provided notice to Controller of such proposed change (an "Objection").
5. In the event Controller submits an Objection to Processor, Processor and Controller shall work together in good faith to find a mutually acceptable resolution to address such Objection. If Processor and Controller are unable to reach a mutually acceptable resolution within a reasonable timeframe, which shall not exceed thirty (30) days, Controller may terminate the portion of the Agreement relating to the Services affected by such change by providing written notice to Processor.
6. Processor shall notify the Controller of any failure by the sub-processor to fulfil its obligations under that contract.
DATA SUBJECT RIGHTS REQUESTS
1. Processor will notify Controller of any request received by Processor or any Authorised Sub-processor from a Data Subject to assert their rights in relation to Covered Data under Applicable Data Protection Laws (a "Data Subject Request").
2. Processor shall not respond to the Data Subject Request, save that Processor may advise the Data Subject that their request has been forwarded to Controller.
3. Taking into account the nature of the Processing and the information available to Processor, Processor will provide Controller with reasonable assistance as necessary for Controller to fulfil its obligation under Applicable Data Protection Laws to respond to Data Subject Requests.
SECURITY
1. Processor will implement and maintain appropriate technical and organisational data protection and security measures designed to ensure security of Covered Data, including, without limitation, protection against unauthorised or unlawful Processing and against accidental loss, destruction, or damage of or to Covered Data.
2. When assessing the appropriate level of security, Processor shall take into account the nature, scope, context and purpose of the Processing as well as the risks that are presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Covered Data.
3. Processor will implement and maintain as a minimum standard the measures set out in Schedule 2.
INFORMATION AND AUDITS
1. Processor shall notify Controller promptly if Processor determines that it can no longer meet its obligations under Applicable Data Protection Laws.
2. Controller may take reasonable and appropriate steps to:
  1. ensure that Processor uses Covered Data in a manner consistent with Controller’s obligations under Applicable Data Protection Laws; and
  2. upon reasonable notice, stop and remediate unauthorized use of Covered Data.
3. Controller may audit Processor's compliance with this DPA at least annually. The Parties agree that all such audits will be conducted:
  1. upon reasonable written notice to Processor;
  2. only during Processor's normal business hours; and
  3. in a manner that does not materially disrupt Processor's business or operations.
4. With respect to any audits conducted in accordance with clause 10.3:
  1. Controller may engage a third-party auditor to conduct the audit on its behalf;
  2. Processor shall not be required to facilitate any such audit unless and until the Parties have agreed in writing the scope and timing of such audit.
5. Controller shall promptly notify Processor of any non-compliance discovered during an audit.
6. The results of the audit shall be Processor's confidential information.
7. Processor shall provide to Controller upon request, or may provide to Controller in response to any audit request submitted by Controller to Processor, either of the following:
  1. data protection compliance certifications issued by a commonly accepted certification issuer which has been audited by a data security expert, or by a publicly certified auditing company; or
  2. such other documentation reasonably evidencing the implementation of the technical and organisational data security measures in accordance with industry standards.
8. If an audit requested by Controller is addressed in the documents or certification provided by Processor in accordance with paragraph 10.7, and:
  1. the certification or documentation is dated within twelve (12) months of Controller’s audit request; and
  2. Processor confirms that there are no known material changes in the controls audited,

Controller agrees to accept that certification or documentation in lieu of conducting a physical audit of the controls covered by the relevant certification or documentation.

SECURITY INCIDENTS
1. Processor shall notify Controller in writing without undue delay, and in any event within forty-eight (48) hours, after becoming aware of any Security Incident.
2. Processor shall take reasonable steps to contain, investigate, and mitigate any Security Incident, and shall send Controller timely information about the Security Incident, to the extent known to Processor or as the information becomes available to Processor, including, but not limited to, the nature of the Security Incident, the measures taken to mitigate or contain the Security Incident, and the status of the investigation.
3. Processor shall provide reasonable assistance with Controller’s investigation of any Security Incidents and any of Controller’s obligations in relation to the Security Incident under Applicable Data Protection Laws, including any notification to Data Subjects or supervisory authorities.
4. Processor's notification of or response to a Security Incident under this paragraph 11 shall not be construed as an acknowledgement by Processor of any fault or liability with respect to the Security Incident.
TERM, DELETION AND RETURN
1. This DPA shall commence on the effective date of the Agreement and, notwithstanding any termination of the Agreement, will remain in effect until, and automatically expire upon, Processor's deletion of all Covered Data as described in this DPA.
2. Unless otherwise required by applicable law, Processor shall:
  1. if requested to do so by Controller within thirty (30) days of expiry of the Agreement (the "Retention Period"), provide a copy of all Covered Data in such commonly used format as requested by Controller, or provide a self-service functionality allowing Controller to download such Covered Data; and
  2. on expiry of the Retention Period, delete all copies of Covered Data Processed by Processor or any Authorised Sub-processors, other than any Covered Data Processed for the Controller Purposes.
STANDARD CONTRACTUAL CLAUSES
1. The Standard Contractual Clauses shall, as further set out in Schedule 4, apply to the transfer of any Covered Data from Controller to Processor, and form part of this DPA, to the extent that:
  1. the GDPR or Swiss Data Protection Law applies to the Controller when making that transfer; or
  2. the Applicable Data Protection Laws that apply to the Controller when making that transfer (the "Exporter Data Protection Laws") prohibit the transfer of Covered Data to Processor under this DPA in the absence of a transfer mechanism implementing adequate safeguards in respect of the Processing of that Covered Data, and any one or more of the following applies:
    1. the relevant authority with jurisdiction over the Controller’s transfer of Covered Data under this DPA has not formally adopted standard data protection clauses or another transfer mechanism under the Exporter Data Protection Laws; or
    2. such authority has issued guidance that entering into standard contractual clauses approved by the European Commission would satisfy any requirement under the Exporter Data Protection Laws to implement adequate safeguards in respect of that transfer; or
    3. entering into standard contractual clauses approved by the European Commission would reasonably satisfy any requirement under the Exporter Data Protection Laws to implement adequate safeguards in respect of that transfer; or
  3. the transfer is an "onward transfer" (as defined in the applicable module of the SCCs).
2. The Parties agree that execution of the Agreement shall have the same effect as signing the SCCs.
GENERAL
1. The Parties hereby certify that they understand the requirements in this DPA and will comply with them.
2. The Parties agree that any limitations on either Party's liability under the Agreement shall not apply to any claims, losses or damages arising in respect of a breach of the SCCs.
3. The Parties agree to negotiate in good faith any amendments to this DPA as may be required in connection with changes in Applicable Data Protection Laws.

Details of Processing

A. List of Parties

The Parties are set out in the preamble to this DPA. With regard to any transfers of Covered Data falling within the scope of the GDPR from Controller to Processor, additional information regarding the data exporter and data importer is set out below.

Data Exporter

The data exporter is: the Controller operating in the countries which comprise the European Economic Area, UK and/or Switzerland and/or – to the extent agreed by the Parties – Controller in any other country to the extent the GDPR applies.

The data exporter’s contact person’s name, position and contact details as well as (if appointed) the data protection officer’s name and contact details and (if relevant) the representative’s contact details are included in the Agreement or will be disclosed to Processor upon request.

The activities relevant to the data transfer under these Clauses are defined by the Agreement and the data exporter who decides on the scope of the Processing of Personal Data in connection with the Services further described in section B of this Schedule 1.

Data Importer

The data importer is: the Processor.

The data importer’s contact person and contact details are included in the Agreement or will be disclosed to Controller upon request.

The data importer’s activities relevant to the data transfer under these Clauses are as follows: the data importer Processes Personal Data provided by the data exporter on behalf of the data exporter in connection with providing the Services to the data exporter as further described in section B of this Schedule 1 and in the Agreement.

B. Description of Processing

Categories of Data Subjects

The categories of Data Subjects whose Personal Data are Processed:

End Users, i.e., third-party individuals who access and use the Platform through Customer Offering.
Authorized Users, i.e., Customer’s employees, consultants, contractors, and agents who are authorized to access and use the Platform under the Agreement and for whom access has been purchased.

Categories of Personal Data

The Processed categories of Personal Data are:

Images, photographs, and other content transmitted or generated through the Platform.
Data used to identify the source and destination of a communication, such as activity logs, IP addresses, device identifiers, session identifiers.
If the Order Scope includes, also: name, e-mail, phone number, timestamp of usage.

(together “Covered Data”)

Special categories of Personal Data (if applicable)

The Platform is not designed to store, process, or generate special categories of personal data (see sec. 2.5.c. of the Agreement).

Frequency of the Processing

The Processing is performed continuously during the Subscription Period (as defined in the Order), each time an End User or Authorized User accesses or uses the Platform.

Subject matter and nature of the Processing

The subject matter of the Processing is the provision of DressX proprietary AI platform to Customer for integration into the Customer Offerings.

The nature of the processing includes:

Collection of End User data through the Platform.
Processing of such data to generate the Output.
Temporary storage and caching of Input as necessary to perform the rendering.
Collection and processing of usage data, such as activity logs, communication metadata.

Purpose(s) of the data transfer and further Processing

The purpose/s of the data transfer and further Processing is:

To provide the Platform to the Customer for integration into the Customer Offerings.
To provide professional services to the Customer in the context of the provision of the Platform.

Storage Limitation

The period during which the Personal Data will be Processed, or, if that is not possible, the criteria used to determine that period:

Per Section 2.5(b) of the Agreement, the Platform may be subject to limitations on the length of time that Customer Data will be stored and Customer Data exceeding such limitations may be automatically deleted after 30 days. DressX may delete all Customer Data upon termination or expiration of the Agreement.

The duration of Processing corresponds to the Subscription Period as defined in the applicable Order, unless Personal Data is deleted earlier upon request by Controller during the term of the Agreement or automatically by the Platform.

Sub-processor (if applicable)

For Processing by sub-processors, specify subject matter, nature, and duration of the Processing: As set forth in Schedule 3 below.

C. Competent Supervisory Authority

Identify the competent supervisory authority/ies in accordance with clause 13 of the SCC:

Where the data exporter is established in an EU Member State: The supervisory authority of the country in which the data exporter established is the competent authority.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with Article 3(2) and has appointed a representative pursuant to Article 27(1) of the GDPR: The competent supervisory authority is the one of the Member State in which the representative is established.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) without, however, having to appoint a representative pursuant to Article 27(2) of the GDPR: The competent supervisory authority is the supervisory authority of Ireland.

Technical and Organizational Measures

Processor maintains and operates an information security program aligned with its internal Security Policy, including the following measures:1) Organizational management and dedicated staff responsible for the development, implementation, and maintenance of Processor’s information security program.

2) Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Processor’s organization, monitoring and maintaining compliance with Processor’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.

3) Utilization of industry-standard encryption technologies:

a) Data in transit is encrypted using secure protocols (e.g., TLS 1.2+).

b) Data at rest is encrypted within cloud infrastructure (e.g., Google Cloud default encryption).

c) Endpoint and portable media encryption is applied where technically feasible and aligned with internal policy.

4) Data security controls which include at a minimum, but may not be limited to, logical segregation of data, logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g., granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review, and revoking/changing access promptly when employment terminates or changes in job functions occur).

5) Password controls include minimum complexity requirements, secure storage, prohibition of sharing, and periodic updates in accordance with internal authentication standards.

6) System audit or event logging and related monitoring procedures to proactively record user access and system activity for routine review.

7) Physical and environmental security is primarily managed by third-party cloud infrastructure providers (e.g., Google Cloud), which maintain industry-standard controls including access restrictions, monitoring, and environmental protections.

8) Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems according to prescribed internal and adopted industry standards, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Processor’s possession.

9) Change management procedures and tracking mechanisms designed to test, approve, and monitor all changes to Processor’s technology and information assets.

10) Incident / problem management procedures design to allow Processor to investigate, respond to, mitigate, and notify of events related to Processor’s technology and information assets.

11) Network security controls that provide for the use of firewall systems, and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.

12) Vulnerability assessment, patch management and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate, and protect against identified security threats, viruses, and other malicious code.

13) Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disasters.

14) Processor’s security program is aligned with industry standards including ISO/IEC 27001 principles, NIST Cybersecurity Framework, and SOC 2 security controls.

Authorised SUB-PROCESSORS

Name of Sub-processor

Address of Sub-processor

Contact person’s name, position and contact details

Description of Processing

Amplitude

Amplitude, Inc., 201 Third Street, Suite 200, San Francisco, CA 94103

Attn:

Legal and legalnotices@amplitude.com

Analytics on the performance and usage of the services

STANDARD CONTRACTUAL CLAUSES

EU SCCS

With respect to any transfers referred to in clause 13, the Standard Contractual Clauses shall be completed as follows:

Module One (controller to controller) of the SCCs will apply with respect to Processor's Processing of Covered Data for the Controller Purposes; otherwise, Module Two (controller to processor) of the SCCs will apply.
Clause 7 of the Standard Contractual Clauses (Docking Clause) does not apply.
Option 2 of Clause 9(a) (General written authorization) shall apply, and the time period to be specified is determined in clause 7.4 of the DPA.
The option in Clause 11(a) of the Standard Contractual Clauses (Independent dispute resolution body) does not apply.
With regard to Clause 17 of the Standard Contractual Clauses (Governing law), the Parties agree that option 1 will apply and the governing law will be Irish law.
In Clause 18 of the Standard Contractual Clauses (Choice of forum and jurisdiction), the Parties submit themselves to the jurisdiction of the courts of Ireland.
For the purpose of Annex I of the Standard Contractual Clauses, Schedule 1 of the DPA contains the specifications regarding the parties, the description of transfer, and the competent supervisory authority.
For the purpose of Annex II of the Standard Contractual Clauses, Schedule 2 of the DPA contains the technical and organisational measures.

UK Addendum
1. This paragraph 2 (UK Addendum) shall apply to any transfer of Covered Data from Controller (as data exporter) to Processor (as data importer), to the extent that:
  1. the UK Data Protection Laws apply to Controller when making that transfer; or
  2. the transfer is an "onward transfer" as defined in the Approved Addendum.
2. As used in this paragraph 2:

"Approved Addendum" means the template addendum, version B.1.0 issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018 and laid before the UK Parliament on 2 February 2022, as it may be revised according to Section 18 of the Approved Addendum.

"UK Data Protection Laws" means all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.

The Approved Addendum will form part of this DPA with respect to any transfers referred to in paragraph 2.1, and execution of this DPA shall have the same effect as signing the Approved Addendum.
The Approved Addendum shall be deemed completed as follows:
1. the "Addendum EU SCCs" shall refer to the SCCs as they are incorporated into this Agreement in accordance with clause 13 and this Schedule 4;
2. Table 1 of the Approved Addendum shall be completed with the details in paragraph A of Schedule 1;
3. the "Appendix Information" shall refer to the information set out in Schedule 1 and Schedule 2;
4. for the purposes of Table 4 of the Approved Addendum, Processor (as data importer) may end this DPA, to the extent the Approved Addendum applies, in accordance with Section ‎19 of the Approved Addendum; and
5. Section 16 of the Approved Addendum does not apply.

Swiss addendum
1. This Swiss Addendum will apply to any Processing of Covered Data that is subject to Swiss Data Protection Laws or to both Swiss Data Protection Laws and the EU GDPR.
2. Interpretation of this Addendum
  1. Where this Addendum uses terms that are defined in the Standard Contractual Clauses, those terms will have the same meaning as in the Standard Contractual Clauses. In addition, the following terms have the following meanings:

"Addendum" means this addendum to the Clauses;

"Clauses" means the Standard Contractual Clauses as incorporated into this DPA in accordance with clause 13 and as further specified in this Schedule 4; and

"FDPIC" means the Federal Data Protection and Information Commissioner.

This Addendum shall be read and interpreted in a manner that is consistent with Swiss Data Protection Laws, and so that it fulfils the Parties' obligations under Article 16(2)(d) of the FADP.
This Addendum will not be interpreted in a way that conflicts with rights and obligations provided for in Swiss Data Protection Laws.
Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Swiss Addendum has been entered into.
In relation to any Processing of Personal Data subject to Swiss Data Protection Laws or to both Swiss Data Protection Laws and the GDPR, this Addendum amends and supplements the Clauses to the extent necessary so they operate:
1. for transfers made by the data exporter to the data importer, to the extent that Swiss Data Protection Laws apply to the data exporter’s Processing when making that transfer; and
2. as standard data protection clauses approved, issued or recognised by the FDPIC for the purposes of Article 16(2)(d) of the FADP.

Hierarchy

In the event of a conflict or inconsistency between this Addendum and the provisions of the Clauses or other related agreements between the Parties, existing at the time this Addendum is agreed or entered into thereafter, the provisions which provide the most protection to Data Subjects will prevail.

Changes to the Clauses for transfers exclusively subject to Swiss Data Protection Laws

To the extent that the data exporter's Processing of Personal Data is exclusively subject to Swiss Data Protection Laws, or the transfer of Personal Data from a data exporter to a data importer under the Clauses is an "onward transfer" (as defined in the Clauses, as amended by the remainder of this paragraph 3.4) the following amendments are made to the Clauses:

References to the "Clauses" or the "SCCs" mean this Swiss Addendum as it amends the SCCs.
Clause 6 Description of the transfer(s) is replaced with:

"The details of the transfer(s), and in particular the categories of Personal Data that are transferred and the purpose(s) for which they are transferred, are those specified in Schedule 1of this DPA where Swiss Data Protection Laws apply to the data exporter’s Processing when making that transfer."

References to "Regulation (EU) 2016/679" or "that Regulation" or ""GDPR" are replaced by "Swiss Data Protection Laws" and references to specific Article(s) of "Regulation (EU) 2016/679" or "GDPR" are replaced with the equivalent Article or Section of Swiss Data Protection Laws extent applicable.
References to Regulation (EU) 2018/1725 are removed.
References to the "European Union", "Union", "EU" and "EU Member State" are all replaced with "Switzerland".
Clause 13(a) and Part C of Annex I are not used; the "competent supervisory authority" is the FDPIC;
Clause 17 is replaced to state:

"These Clauses are governed by the laws of Switzerland".

Clause 18 is replaced to state:

"Any dispute arising from these Clauses relating to Swiss Data Protection Laws will be resolved by the courts of Switzerland. A Data Subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland in which he/she has his/her habitual residence. The Parties agree to submit themselves to the jurisdiction of such courts."

Supplementary provisions for transfers of Personal data subject to both the GDPR and Swiss Data Protection Laws
1. To the extent that the data exporter's Processing of Personal Data is subject to both Swiss Data Protection Laws and the GDPR, or the transfer of Personal Data from a data exporter to a data importer under the Clauses is an "onward transfer" under both the Clauses and the Clauses as amended by paragraph 3.4 of this Addendum:
  1. for the purposes of Clause 13(a) and Part C of Annex I:
    1. the FDPIC shall act as competent supervisory authority with respect to any transfers of Personal Data to the extent Swiss Data Protection Laws apply to the data exporter's Processing when making that transfer, or such transfer is an "onward transfer" as defined in the Clauses (as amended by paragraph 3.3 of this Addendum; and
    2. subject to the provisions of paragraph 2 of this Schedule 4 (UK Addendum), the supervisory authority identified in Schedule 1 shall act as competent supervisory authority with respect to any transfers of Personal Data to the extent the GDPR applies to the data exporter's processing, or such transfer is an "onward transfer" as defined in the Clauses.
2. the terms "European Union", "Union", "EU", and "EU Member State" shall not be interpreted in a way that excludes the ability of Data Subjects in Switzerland bringing a claim in their place of habitual residence in accordance with Clause 18(c) of the Clauses.

Transfers under the laws of other jurisdictions
1. With respect to any transfers of Personal Data referred to in clause 13.1(b) (each a "Global Transfer"), the SCCs shall not be interpreted in a way that conflicts with rights and obligations provided for in the Exporter Data Protection Laws.
2. For the purposes of any Global Transfers, the SCCs shall be deemed to be amended to the extent necessary so that they operate:
  1. for transfers made by the applicable data exporter to the data importer, to the extent the Exporter Data Protection Laws apply to that data exporter's Processing when making that transfer; and
  2. to provide appropriate safeguards for the transfers in accordance with the Exporter Data Protection Laws.
3. The amendments referred to in paragraph 4.2 include (without limitation) the following:
  1. references to the "GDPR" and to specific Articles of the GDPR are replaced with the equivalent provisions under the Exporter Data Protection Laws;
  2. reference to the "Union", "EU" and "EU Member State" are all replaced with reference to the jurisdiction in which the Exporter Data Protection Laws were issued (the "Exporter Jurisdiction");
  3. the "competent supervisory authority" shall be the applicable supervisory in the Exporter Jurisdiction; and
  4. Clauses 17 and 18 of the SCCs shall refer to the laws and courts of the Exporter Jurisdiction respectively.
4. Where, at any time during Processor's Processing of Covered Data under this DPA, a transfer mechanism other than the SCCs is approved under the Exporter Data Protection Laws with respect to transfers of Covered Data by Controller to Processor, the Parties shall promptly enter into a supplementary agreement that:
  1. incorporates any standard data protection clauses or another transfer mechanism formally adopted by the relevant authority in the Exporter Jurisdiction;
  2. incorporates the details of Processing set out in Schedule 1; and
  3. shall, with respect to the transfer of Personal Data subject to the Exporter Data Protection Laws, take precedence over this DPA in the event of any conflict.
5. Where required under the Exporter Data Protection Laws, the relevant data exporter shall file a copy of the agreement entered into in accordance with paragraph 4.4 with the relevant national authority.