Last updated March 19, 2026

Data Processing Agreement

This Data Processing Agreement (the “DPA”) forms part of, and is subject to, the Master Services Agreement (“MSA”) between ServiceChannel.com, Inc. (hereinafter “ServiceChannel”) and Customer (as defined in the MSA).  Each of the Customer and ServiceChannel is referred to as a “party” and jointly as the “parties”.

WHEREAS

(i) Customer and ServiceChannel have entered into the Master Services Agreement under which ServiceChannel will provide Customer with the Services.

(ii) ServiceChannel will process Customer Data (which may contain Personal Data) in the course of providing the Services;

(iii) The parties now wish to enter into this DPA that governs ServiceChannel’s Processing of such Personal Data contained in the Customer Data.

NOW, THEREFORE, the parties agree as follows:

1. Definitions: 

In this Processing Agreement, terms defined in the MSA have the same meanings when used here. In addition, the following terms shall have the following meanings:

(a) “Administration Data” means: (i) contact details relating to, and the content of correspondence with, the Customer’s main account holder or administrator; (ii) support enquiries submitted by the Customer’s authorized users in relation to the Service;

(b) “Affiliates” means any entity which is controlled by, controls or is in common control with ServiceChannel;

(c) “Brazilian SCCs” means the standard contractual clauses annexed to the Brazilian Data Protection Agency’s (“ANPD”) Resolution No. 19/2024;

(c) “CCPA” means the California Consumer Privacy Act of 2018, Cal Civ. Code § 1798.100 et seq., including its implementing regulations and the California Privacy Rights Act of 2020;

(d) “Controller Purposes” means (a) undertaking internal research and development to develop, test, improve and alter the functionality of ServiceChannel’s products and services; (b) creating anonymized datasets for training or evaluation of ServiceChannel’s products and services; (c) administering ServiceChannel’s relationship with the Customer and its contractors under the MSA;

(e) “Customer” means the customer that has executed the Master Services Agreement;

(f) “Customer Personal Data” means, other than Ratings and Reviews, Personal Data contained in the Customer Data, as further described in Annex I to this DPA;

(g) “Data Protection Laws” means all applicable laws, rules, regulations and governmental requirements relating to the privacy, confidentiality, or security of Personal Data (as they may be amended or otherwise updated from time to time), including (without limitation) the GDPR, UK GDPR, the Brazilian Law No. 13,709/2018 (“LGPD”) and the US Data Protection Laws;

(h) “Data Subject” means: (i) a natural person to whom Personal Data relates; and (ii) an individual that is a “data subject”, “consumer” or any equivalent term under Data Protection Laws;

(i) “EU SCCs” means the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as updated or replaced from time to time;

(i) “GDPR” means Regulation (EU) 2016/679 (the “EU GDPR”) or, where applicable, the “UK GDPR” as defined in section 3(10) and section 205 of the UK Data Protection Act 2018;

(j) “Personal Data” means any information that: (i) relates, is linked or reasonably linkable to an identified or identifiable natural person; or (ii) is otherwise “personal data”, “personal information”, “personally identifiable information” or similarly defined data or information under Data Protection Laws;

(k) “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (“Process”, “Processes” and “Processed” shall have the same meaning);

(l) “Ratings and Reviews” has the meaning given to it in Section 2.1;

(m) “Sale” or “Sell” has the meaning given to it in the CCPA;

(n) “Share” has the meaning given to it in the CCPA;

(o) “Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Customer Personal Data;

(p) “Standard Contractual Clauses” means (as appropriate) the EU SCCs,  UK Addendum or the Brazilian SCCs;

(q) “Sub-processor” means any outside entity engaged by ServiceChannel (acting as a Processor) to process Personal Information on behalf of Customer or in order to provide the Services specified in the Agreement;

(r) “UK Addendum” means the template addendum, version B.1.0 issued by the UK Information Commissioner under S119A(1) of the UK Data Protection Act 2018 and laid before the UK Parliament on 2 February 2022, as it may be revised according to Section 18 of the UK Addendum;

(s) “US Data Protection Laws” means all applicable federal and state laws, rules, regulations, and governmental requirements relating to data protection, the Processing of Personal Data, privacy and/or data protection in force from time to time in the United States, including (without limitation) the CCPA;

(t) “Usage Data” means diagnostic, usage and performance information collected by ServiceChannel in relation to the Customer’s and its authorized users’ use of the Services; and

(u) The terms “Controller”, “Processor”, “Business” and “Service Provider” have the meanings given to them in the Data Protection Laws.

2. Relationship of the parties; Compliance with law

2.1 The Customer:

(a) appoints ServiceChannel to Process the Customer Personal Data as its Processor or Service Provider;

(b) acknowledges and agrees that ServiceChannel may:

(i)  use Administration Data and Usage Data for the Controller Purposes and that, for the purposes of the GDPR and LGPD, it does so as a Controller.

(ii) collect and display comments, feedback and ratings submitted to ServiceChannel by the Customer’s authorized users in relation to Contractors engaged by the Customer (“Ratings and Reviews”) and that, for the purposes of Data Protection Laws, it does so as a Controller or Business.

2.2 Each party shall comply with the obligations that apply to it under, and provide the same level of privacy protection as required by, Data Protection Laws.

2.3 Customer shall ensure that its instructions for the Processing of Customer Personal Data comply with the Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer obtained the Customer Personal Data.

2.4 ServiceChannel shall notify Customer promptly if ServiceChannel determines that it can no longer meet its obligations under Data Protection Laws.

2.5 Customer may take reasonable and appropriate steps to:

(a) ensure that ServiceChannel uses Customer Personal Data in a manner consistent with Customer’s obligations under Data Protection Laws; and

(b) upon reasonable notice, stop and remediate unauthorized use of Customer Personal Data.

3. Processing of Customer Personal Data

3.1 ServiceChannel shall only Process Customer Personal Data on behalf of and in accordance with the MSA, this DPA and (other than any Processing for the Controller Purposes) Customer’s documented instructions. Customer instructs ServiceChannel to Process Customer Personal Data for the following purposes: (i) Processing in accordance with the MSA and any applicable orders; and (ii) Processing to comply with other reasonable instructions provided by Customer where such instructions are consistent with the terms of the MSA. ServiceChannel shall immediately inform Customer if it is unable to follow those instructions or if in its opinion, an instruction from Customer infringes Data Protection Laws.

3.2 ServiceChannel shall not:

(a) Sell or Share Customer Personal Data;

(b) retain, use, or disclose Customer Personal Data for any purpose other than for the specific business purpose of performing the Services specified in the MSA or as otherwise permitted by Data Protection Laws;

(c) retain, use or disclose Customer Personal Data outside of the direct business relationship between the parties; and

(d) combine the Customer Personal Data with Personal Data that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the Data Subject, unless expressly permitted by and carried out in accordance with Data Protection Laws.

3.3 Customer warrants and undertakes that the Customer Personal Data shall not contain any of the following:

(a) Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, criminal convictions and any other special categories of Personal Data identified in Articles 9 or 10 of the GDPR or Personal Data that is otherwise sensitive Personal Data under Applicable Data Protection Laws;

(b) biometric identifiers or templates;

(c) financial information (including, without limitation, billing information and cardholder or sensitive authentication data, as those terms are defined under the Payment Card Industry Data Security Standard);

(d) personally identifiable financial information, as defined by and subject to the Gramm-Leach-Bliley Financial Modernization Act of 1999;

(e) national identification numbers (including, without limitation, Social Security Numbers, Social Insurance Numbers, driver’s license or passport numbers or other governmentally-issued identification numbers);

(f) information relating to individuals under the age of 13;

(g) education records, as defined under the Family Educational Rights and Privacy Act of 1974;

(h) protected health information as defined by, and subject to, the Health Insurance Portability and Accountability Act.

4. Confidentiality of processing/ServiceChannel personnel

4.1 ServiceChannel shall ensure that any person it authorizes to process the Customer Personal Data (an “Authorised Person“) shall protect the Customer Personal Data in accordance with ServiceChannel’s confidentiality obligations under this Agreement.

4.2 ServiceChannel shall ensure that its personnel engaged in the Processing of Customer Personal Data are informed of the confidential nature of the Customer Personal Data and are subject to obligations of confidentiality.

4.3 ServiceChannel shall ensure that access to Customer Personal Data is limited to those personnel who require such access to perform the Services.

5. Security/Breach management and notification

5.1 ServiceChannel shall implement appropriate technical and organisational measures for the protection of the confidentiality, integrity and availability of Customer Personal Data as set out in Annex II.

5.2 If ServiceChannel becomes aware of any Security Breach, ServiceChannel will promptly: (i) notify Customer of the Security Breach in accordance with the timelines required under Applicable Data Protection Laws; (ii) investigate the Security Breach and provide Customer with information about the Security Breach; and (iii) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Breach.

5.3 ServiceChannel shall, at Customer’s request, provide Customer with reasonable assistance with Customer’s fulfilment of its obligations under Data Protection Laws in relation to a Security Breach notified to Customer by ServiceChannel.

5.4 ServiceChannel shall not be under any obligation to notify Customer of any unsuccessful attempts to obtain unauthorized access to Customer Personal Data or to any of ServiceChannel’s equipment or facilities storing Customer Personal Data, including, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, or similar incidents.

5.5 Notification(s) of Security Breaches, if any, will be delivered to one or more of Customer’s business, technical or administrative contacts by any means ServiceChannel selects, including via email. It is Customer’s sole responsibility to ensure it maintains accurate contact information on ServiceChannel’s support systems at all times.

5.6 ServiceChannel’s notification of or response to a Security Breach under this Section 5 shall not be construed as an acknowledgement by ServiceChannel of any fault or liability with respect to the Security Breach.

6. Subprocessing

6.1 Customer acknowledges and agrees that (i) ServiceChannel may appoint Affiliates as its Sub-processors; and (ii) ServiceChannel may engage third-party Sub-processors in connection with the provision of the Services. Any such Sub-processors will be permitted to obtain Customer Personal Data only to deliver the services ServiceChannel has retained them to provide, and are prohibited from using Customer Personal Data for any other purpose. ServiceChannel will enter into a written agreement that imposes upon the Sub-processor data protection obligations that are substantially similar to those imposed on ServiceChannel by this Agreement. ServiceChannel shall remain fully responsible to the Customer for the performance of the Sub-processor’s obligations under its contract with ServiceChannel.

6.2 ServiceChannel may continue to use those Sub-processors already engaged by ServiceChannel or any ServiceChannel Affiliate as at the date of this Agreement, as listed at https://bit.ly/SC_Subprocessors.

6.3 ServiceChannel shall give Customer prior written notice of the appointment of any new Sub-processor, including full details of the Processing to be undertaken by the Sub-processor. If, within 10 days of receipt of that notice, Customer notifies ServiceChannel in writing of any objections (on reasonable grounds) to the proposed appointment, ServiceChannel shall not appoint that proposed Sub-processor until reasonable steps have been taken to address the objections raised by the Customer and the Customer has been provided with a reasonable written explanation of the steps taken. Customer acknowledges that in some cases it may not be able to provide all of the Services without the use of the new Sub-processor.

7. Restricted transfers 

7.1 The parties agree that when the transfer of Customer Personal Data from Customer to ServiceChannel is a Restricted Transfer it shall be subject to the appropriate Standard Contractual Clauses as follows:

(a) in relation to Customer Personal Data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:

(i)  Module Two will apply;

(ii)  in Clause 7, the optional docking clause will apply;

(iii) in Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes shall be as set out in Clause 6.3 of this Agreement;

(iv) in Clause 11, the optional language will not apply;

(v) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;

(vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland;

(vii) Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to this Agreement;

(viii)   Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to this Agreement; and

(b) in relation to Customer Personal Data that is protected by the UK GDPR, the UK Addendum will apply completed as follows:

(i) The EU SCCs, completed as set out above in clause 7.1(a) of this Agreement shall also apply to transfers of such Customer Personal Data, subject to sub-clause (ii) below;

(ii) Tables 1 to 3 of the UK Addendum shall be deemed completed with relevant information from the EU SCCs, completed as set out above, and the option “neither party” shall be deemed checked in Table 4. The start date of the UK Addendum (as set out in Table 1) shall be the date of this Agreement; and

(c) in relation to Customer Personal Data that is protected by the Brazilian LGPD, the Brazilian SCCs will apply, as detailed in Exhibit I, as the International Data Transfer Mechanism applicable to all cases where the destination country lacks a level of protection that is adequate or similar to the one provided for in the LGPD.

(d) in the event that any provision of this Agreement contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

7.2 In the event that the current UK Addendum or EU SCCs are superseded or replaced by new standard contractual clauses, the parties agree that such new standard contractual clauses shall automatically apply to the transfer of Customer Personal Data from the Customer to ServiceChannel and shall be deemed completed on a mutatis mutandis basis as described in Clause 7.1 above.

8. Cooperation and Data Subjects’ rights

8.1 ServiceChannel shall, to the extent legally permitted and required, promptly notify Customer if it receives a request from a Data Subject to exercise their rights under Data Protection Laws. ServiceChannel shall not respond to any such Data Subject request without Customer’s prior written consent except to confirm that the request relates to Customer.

8.2 To the extent Customer, in its use or receipt of the Services, does not have the ability to access, rectify, restrict, block or delete Customer Personal Data, as required by Data Protection Laws, ServiceChannel will use commercially reasonable efforts to comply with reasonable requests by Customer to facilitate such actions to the extent ServiceChannel is legally permitted to do so.

8.3 ServiceChannel shall provide reasonable cooperation to Customer (at Customer’s expense) in connection with any data protection impact assessment that may be required under Data Protection Law.  

9. Termination; deletion or return of Data

9.1 This Agreement shall terminate automatically on ServiceChannel’s deletion or anonymization of all Customer Personal Data.

9.2 Upon termination or expiry of the MSA, ServiceChannel shall:

(a) if requested to do so by Customer within thirty (30) days of expiry of the MSA (the “Retention Period“) at ServiceChannel’s option provide a copy of all Customer Personal Data in such commonly used format as requested by Customer, or provide a self-service functionality allowing Customer to download such Customer Personal Data;

(b) on expiry of the Retention Period, delete all copies of Customer Personal Data Processed by ServiceChannel or any of its Sub-processors, other than:

(i) any Administration Data or Usage Data Processed for the Controller Purposes or any Customer Personal Data which ServiceChannel is required to retain under applicable law; or

(ii) Customer Personal Data archived on back-up systems, which ServiceChannel shall securely isolate and protect from any further Processing except to the extent required by such law until deletion is possible.

10. Audit

10.1 Customer may, to the extent ServiceChannel is acting as a Processor, audit ServiceChannel’s compliance with this DPA. The parties agree that all such audits shall be conducted:

(a) not more than annually, unless more frequent audits are required to comply with Data Protection Laws or required by a supervisory authority with jurisdiction over the Processing of Customer Personal Data;

(b) upon two weeks’ written notice to ServiceChannel;

(c) only during ServiceChannel’s normal business hours; and

(d) in a manner that does not materially disrupt ServiceChannel’s business or operations.

10.2 With respect to any audits conducted under Section 10.1:

(a) Customer may engage a third-party auditor to conduct the audit on its behalf, save that ServiceChannel may reasonably object to the engagement of the third-party auditor if such third-party auditor is a competitor of ServiceChannel;

(b) ServiceChannel shall not be required to facilitate or assist with any audit unless and until the parties have agreed in writing the scope and timing of such audit and the reimbursement rates under Section 10.3.

10.3 Customer shall reimburse ServiceChannel for any time spent for any such audit at the rates agreed to by the parties. Before the commencement of any such audit, Customer and ServiceChannel shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by ServiceChannel. Customer shall promptly notify ServiceChannel with information regarding any non-compliance discovered during the course of an audit.

10.4 Customer acknowledges that ServiceChannel is regularly audited against SSAE 18 SOC 1 standard by independent third-party auditors.  ServiceChannel shall supply to Customer on request, or may supply to Customer in response to any audit request, a summary copy of its audit report(s) to Customer, which shall be subject to the confidentiality provisions of the MSA. If an audit requested by Customer is addressed in the audit report provided by ServiceChannel, Customer agrees to accept such report in place of conducting a physical audit of the controls covered by the relevant report.

11. Limitation of Liability

This DPA is subject to the limitations of liability and disclaimers in the MSA.

12. Parties to this Agreement

Save as set out in the Standard Contractual Clauses, nothing in this DPA shall confer any benefits or rights on any person or entity other than the parties to this DPA.

13. Legal effect

This DPA supplements and forms part of the MSA.

14. General

14.1 Save for the Standard Contractual Clauses incorporated into this DPA, this DPA shall be governed by and construed in all respects in accordance with the governing law and jurisdiction provisions in the MSA, provided that, in the event of a conflict between the MSA and this DPA with regards to the processing of Personal Data, this DPA shall control. 

14.2 This Agreement may be executed in any number of counterparts, each of which is an original and all of which evidence the same agreement between the parties.

14.3 Other than as set out in this DPA, the MSA shall remain in full force and effect.


ANNEX I

A.   LIST OF PARTIES

| | Name | Address | Contact person’s name, position and contact details | Activities relevant to the data transferred | Role |
|---|---|---|---|---|---|
| Data exporter | Customer (as identified in the MSA) | As identified in the MSA | As identified in the MSA | Receipt of the Services | Controller |
| Data importer | ServiceChannel.com, Inc. | 30 Patewood Dr Building 2, Suite 350, Greenville, SC 29615 | Brian Chase, General Counsel, [email protected] | Provision of the Services | Processor |

B.   DESCRIPTION OF TRANSFER

| Data subjects | Categories of personal data | Sensitive personal data | Frequency of transfer | Nature and purpose of the processing |
|---|---|---|---|---|
| Customer’s authorized users | Name, email address, business address, access credentials. | None | Continuous | Granting access to the Services to Customer’s authorized users. |
| Customer’s authorized users | Name, email address, phone number, business address. | None | Continuous | Facilitating contact between the Customer’s authorized user and persons contracted by the Customer through the Services (“Contractors”) |
| Customer’s authorized users; Contractor personnel | Facilities management services requested through the Services, date and time of request. | None | Continuous | Submission of facilities management service requests to Contractors. |
| Customer’s authorized users; Contractor personnel | Name, facilities management services provided, date and location of services provided. | None | Continuous | Maintenance of records of facility management services ordered by Customer and completed. |
| Contractor personnel | Name and contact details (phone number and email address) submitted by Customer’s authorized users. | None | Continuous | Facilitating contact between the Customer’s authorized user and their key contacts at Contractors. |
| Customer’s authorized users | Support queries | None | Continuous | Providing technical support. |
| Customer’s authorized users | Log data | None | Continuous | Providing access to the Services. |

Retention

The duration of the processing will be the same as the duration of the provision of services under the MSA.

Subprocessors

As described at https://bit.ly/SC_Subprocessors

C.   COMPETENT SUPERVISORY AUTHORITY

Irish Data Protection Commissioner

ANNEX II

Security Measures

ServiceChannel will at all times remain responsible and liable for the following commercially reasonable transfer security measures:

TRANSFER SECURITY MEASURES / IMPLEMENTED MEASURES

Measures of pseudonymisation and encryption of Personal Data

Pseudonymization
·    character masking
·    swapping
·    k-anonymity

Encryption
·    HTTPS encryption for data in transit (using TLS 1.2 or greater) on every login interface, using industry standard algorithms and certificates.
·    Encryption of data at rest using the industry standard AES-256 algorithm

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

Confidentiality
·    Virtual Private Network (VPN)
·    Multi-Factor Authentication (MFA)
·    Differentiated rights system based on security groups and access control lists.
·    Secure transmission of credentials using TLS 1.2 (or greater)
·    Passwords require a defined minimum complexity. Initial passwords must be changed after the first login.
·    Automatic account locking
·    Guidelines for handling of passwords
·    Access controls to infrastructure that is hosted by cloud service provider
·    Access right management including authorization concept, implementation of access restrictions, implementation of the “need-to-know” principle, managing of individual access rights.
·    Training and confidentiality agreements for internal staff and external staff
·    Network separation
·    Segregation of responsibilities and duties
·    Restrict access to Personal Data to the parties involved in the Processing in accordance with the “need to know” principle and according to the function behind the creation of differentiated access profiles.

Integrity
·    Secure network interconnections ensured by firewalls etc.
·    Logging of transmissions of data from IT system that stores or Processes Personal Data
·    Logging authentication and monitored logical system access
·    Logging of Personal Data access including, but not limited to access, modification, entry and deletion of Personal Data
·    Documentation of Personal Data entry rights and logging security related entries
·    Web Application Firewall (WAF)

Availability and Resilience
·    Customer Personal Data is backed up to multiple durable data stores and replicated across multiple availability zones.
·    Protection of stored backup media

Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident
·    Continuity Planning and Disaster Recovery Plan
·    Disaster recovery processes to restore data and processes
·    Recovery Time Objective (RTO)
·    Recovery Point Objective (RPO)
·    Maximum Tolerable Downtime (MTD)
·    Capacity management measures to monitor resource consumption of systems as well as planning of future resource requirements.
·    Procedures for handling and reporting incidents (incident management) including the detection and reaction to possible security incidents.
·    Productive data is backed up hourly in incremental form and daily as a full backup. All backups are kept redundant and in encrypted form (AES-256).

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the Processing
·    Testing of emergency equipment
·    Documentation of interfaces and Personal Data fields
·    Internal and external audits
·    Security checks (e.g. penetration tests) conducted by external parties
·    SOC 1 and 2 audits
·    Regular benchmarking and testing with industry standards, e.g. SANS Top 20 Controls for Internet Security, NIST guidelines, etc.

Measures for user identification and authorisation
·    Secure network interconnections ensured by VPN, MFA, firewalls etc.
·    Logging of transmissions of data from IT system that stores or processes personal data
·    Logging authentication and monitored system access
·    Access to data necessary for the performance of the particular task is ensured within the systems and applications by a corresponding role and authorization concept in accordance with the “need-to-know” principle.
·    Web Application Firewall (WAF)

Measures for the protection of Personal Data during transmission
·    Remote access to the network via VPN tunnel and end-to-end encryption
·    HTTPS encryption for data in transit (using TLS 1.2 or greater)

Measures for the protection of Personal Data during storage
·    System inputs recorded via log files
·    Access Control Lists (ACL)
·    Multi-factor Authentication (MFA)

Measures for ensuring physical security of locations at which Personal Data are Processed
·    Subdivision of the facility into individual zones with different access authorizations;
·    Physical access protection (e.g. steel doors, windowless rooms or secured windows);
·    Electronic access control system to protect security areas;
·    Monitoring of the facility by security services and access logging to the facility;
·    Video surveillance of all security-relevant security areas, such as entrances, emergency exits and server rooms;
·    Central assignment and revocation of access authorisations;
·    Identification of all visitors by verification of their identity card and registration (a log of visitors is kept);
·    Mandatory identification within the security areas for all employees and visitors;
·    Visitors must be accompanied by employees at all times.

Measures for ensuring events logging
·    Remote logging
·    Hash chaining
·    Replication
·    Central Security Event and Information Management (SIEM) system

Measures for ensuring system configuration, including default configuration
·    Access Control Policy and Procedures
·    Baseline configuration identification
·    Configuration Planning and Management
·    Configuration Change Management
·    Configuration Status Accounting
·    Configuration Verification and Audits
·    Mobile device management

Measures for internal IT and IT security governance and management
·    Dedicated and identified person to oversee the company’s information security and compliance program
·    SOC 1 and 2 audit

Measures for certification/assurance of processes and products
·    Information security or quality management certifications such as SSAE 18 Type 2 SOC 1 and SSAE 18 Type 2 SOC 2

Measures for ensuring Personal Data minimisation
·    Technological barriers to the unauthorized linking of independent sources of Personal Data.
·    Limitation to the level of detail used in Personal Data processing: for example, through techniques such as k-anonymity and obfuscation.
·    Deletion of metadata generated during certain processes that are not necessary for the pursued goal.

Measures for ensuring Personal Data quality
·    Process for the exercise of data protection rights (right to amend and update information)
·    Clear documentation of requirements for all Personal Data conditions and scenarios
·    Restrict access to Personal Data to the parties involved in the processing in accordance with the “need to know” principle and according to the function behind the creation of differentiated access profiles. Rigorous data profiling and control of incoming Personal Data
·    Data pipeline design to avoid duplicate Personal Data
·    Quality Assurance team
·    Enforcement of data integrity

Measures for ensuring limited Personal Data retention
·    The existence of clear retention schedules and policies
·    Testing of effectiveness

Measures for ensuring accountability
·    Assign responsibility to ensure end-user privacy throughout the product lifecycle and through applicable business processes.
·    Data protection impact assessments as an integral part of any new processing initiative.
·    Document all decisions that are adopted within the organisation from a “privacy design thinking” perspective.

Measures for allowing Personal Data portability and ensuring erasure
·    Documented processes in relation to the exercise by users of their privacy rights (e.g. right of erasure or right to data portability)
·    Use of open formats such as CSV, XML or JSON.

Applied restrictions or safeguards for sensitive data (if applicable)
·    Encrypting or hashing special category data, although not an explicit legal requirement, should be the norm

EXHIBIT I

STANDARD CONTRACTUAL CLAUSES

(The wording of the Standard Contractual Clauses included in this exhibit is as determined by the ANPD under Resolution No. 19/2024 and therefore cannot be adjusted, modified, or negotiated by the parties. ServiceChannel provides the SCCs only in the official versions published by the ANPD—namely, the original Portuguese text and the ANPD‑issued English translation—and, consistent with industry practice, we offer a link to the official Portuguese version while relying solely on the ANPD’s own English translation. We do not translate the SCCs into any additional languages in order to preserve their legal meaning and legislative intent as adopted by the ANPD.)

SECTION I – GENERAL INFORMATION

CLAUSE 1. PARTIES’ IDENTIFICATION

1.1. Under this contractual deed, the Parties identified in the Data Processing Agreement, acting either as Exporter or Importer, agree to adopt the standard contractual clauses (hereinafter, Clauses) approved by the Brazilian National Data Protection Authority (ANPD), to govern International Data Transfers, as described in CLAUSE 2, according to the Brazilian Legislation.

CLAUSE 2. SUBJECT

2.1. These Clauses shall apply to all International Data Transfers by the Exporter to the Importer. The main purposes of the transfer, the categories of the personal data transferred, the retention period, and other information concerning the transfer are described in the Data Processing Agreement.

CLAUSE 3. SUBSEQUENT TRANSFERS

3.1. The Importer may carry out Onward Transfers of the Personal Data subject to the International Data Transfer governed by these Clauses under the conditions described below and provided that the provisions of CLAUSE 18 are observed.

CLAUSE 4. PARTIES’ RESPONSIBILITIES

4.1. Without prejudice to the duty to provide mutual assistance or to the Parties’ general obligations, it will be incumbent upon the Designated Party as established below, in its capacity as Controller, to carry out the following obligations as set out in these Clauses:

a) Party responsible for publishing the document referenced in CLAUSE 4;

(X) Exporter ( ) Importer

b) Party responsible for responding to requests by the data subjects as referenced in CLAUSE 15:

(X) Exporter ( ) Importer

c) Party responsible for communicating a security incident as described in CLAUSE 16:

(X) Exporter ( ) Importer

4.2. For the purposes of these Clauses, if it is subsequently determined that the Designated Party, as established in item 4.1., works as a Processor, the Controller will remain responsible:

a) for the execution of the obligations established in Sections 14, 15, and 16, and in any other provisions of the Brazilian Legislation, especially if the Designated Party neglects or fails to perform its obligations;

b) for the compliance with all ANPD requirements; and

c) for the assurance of the Data Subjects’ rights and the compensation of any damages caused, subject to the terms of CLAUSE 17.

4.3. If the Exporter is deemed to be the Controller, as referenced in item 4.2, it will be incumbent upon the Exporter to carry out the obligations established in CLAUSES 14, 15, and 16.

4.4. Except as provided in items 4.2. and 4.3, the provisions of CLAUSES 14, 15, and 16 shall not apply to the Parties in their capacities as Processors.

4.5. Under any circumstance, the Parties shall furnish all the information available to them, which are seemingly necessary to allow the Third-Party Controller to adhere to ANPD requirements and to properly perform the obligations established under the Brazilian Legislation concerning transparency, the assurance of the rights of data subjects, and the communication of security incidents to the ANPD.

4.6. The Parties shall mutually assist each other in responding to any requests by the Data Subjects.

4.7. If a request is received from a Data Subject, the applicable Party shall:

a) respond to the request, when it possesses the information needed to do so;

b) inform the Data Subject of the service channel provided by the Third-Party Controller; or

c) forward the request to the Third-Party Controller as soon as possible, to enable a response within the timeframe established under the Brazilian Legislation.

4.8. The Parties shall keep a record of security incidents involving personal data, according to the terms of the Brazilian Legislation.

SECTION II – MANDATORY CLAUSES

CLAUSE 5. Purpose

5.1. These Clauses are presented as a mechanism to enable the secure international flow of personal data, establish minimum guarantees and valid conditions for carrying out the International Data Transfer and aim to guarantee the adoption of adequate safeguards for compliance with the principles, the rights of the Data Subject and the data protection regime provided for in National Legislation.

CLAUSE 6. Definitions

6.1. For the purposes of these Clauses, the definitions in art. 5 of LGPD, and art. 3 of the Regulation on the International Transfer of Personal Data shall be considered, without prejudice to other normative acts issued by ANPD. The Parties also agree to consider the terms and their respective meanings as set out below:

a) Processing agents: the controller and the processor;

b) ANPD: National Data Protection Authority;

c) Clauses: the standard contractual clauses approved by ANPD, which are part of SECTIONS I, II and III;

d) Related Contract: contractual instrument signed between the Parties or, at least, between one of them and a third-party, including a Third-Party Controller, which has a common purpose, link or dependency relationship with the contract that governs the International Data Transfer;

e) Controller: Party or third-party (“Third Controller”) responsible for decisions regarding the processing of Personal Data;

f) Personal Data: information related to an identified or identifiable natural person;

g) Sensitive Personal Data: personal data on racial or ethnic origin, religious belief, political opinion, affiliation to trade unions or to a religious, philosophical or political organization, data regarding health or sexual life, genetic or biometric data, whenever related to a natural person;

h) Erasure: exclusion of data or dataset from a database, regardless of the procedure used;

i) Exporter: processing agent, located in the national territory or in a foreign country, who transfers personal data to the Importer;

j) Importer: processing agent, located in a foreign country, who receives personal data from the Exporter;

k) National Legislation: set of Brazilian constitutional, legal and regulatory provisions regarding the protection of Personal Data, including the LGPD, the International Data Transfer Regulation and other normative acts issued by ANPD;

l) Arbitration Law: Law No. 9,307, of September 23, 1996;

m) Security Measures: technical and administrative measures able to protect Personal Data from unauthorized access and from accidental or unlawful events of destruction, loss, alteration, communication or dissemination;

n) Research Body: body or entity of the government bodies or associated entities or a non-profit private legal entity legally established under Brazilian laws, having their headquarter and jurisdiction in the Brazilian territory, which includes basic or applied research of historical, scientific, technological or statistical nature in its institutional mission or in its corporate or statutory purposes;

o) Processor: Party or third-party, including a Sub-processor, which processes Personal Data on behalf of the Controller;

p) Designated Party: Party or a Third-Party Controller, under the terms of CLAUSE 4, designated to fulfill specific obligations regarding transparency, Data Subjects’ rights and notifying security incidents;

q) Parties: Exporter and Importer;

r) Access Request: request for mandatory compliance, by force of law, regulation or determination of public authority, to grant access to the Personal Data subject to the International Data Transfer governed by these Clauses;

s) Sub-processor: processing agent hired by the Importer, with no link with the Exporter, to process Personal Data after an International Data Transfer;

t) Third-Party Controller: Personal Data Controller who authorizes and provides written instructions for the carrying out of the International Data Transfer between Processors governed by these Clauses, on his behalf, pursuant to CLAUSE 4 (“Option B”);

u) Data Subject: natural person to whom the Personal Data which are subject to the International Data Transfer governed by these Clauses relate;

v) Transfer: processing modality through which a processing agent transmits, shares or provides access to Personal Data to another processing agent;

w) International Data Transfer: transfer of Personal Data to a foreign country or to an international organization which Brazil is a member of; and

x) Onward Transfer: transfer of Personal Data, within the same country or to another country, by an Importer to a third-party, including a Sub-processor, provided that it does not constitute an Access Request.

CLAUSE 7. Applicable legislation and ANPD supervision

7.1. The International Data Transfer subject to these Clauses shall be subject to the National Legislation and to the supervision of ANPD, including the power to apply preventive measures and administrative sanctions to both Parties, as appropriate, as well as the power to limit, suspend or prohibit the international transfers arising from this agreement or a Related Contract.

CLAUSE 8. Interpretation

8.1. Any application of these Clauses shall occur in accordance with the following terms:

a) these Clauses shall always be interpreted more favorably to the Data Subject and in accordance with the provisions of the National Legislation;

b) in case of doubt about the meaning of any term in these Clauses, the meaning which is most in line with the National Legislation shall apply;

c) no item in these Clauses, including a Related Agreement and the provisions set forth in SECTION IV, shall be interpreted as limiting or excluding the liability of any of the Parties in relation to obligations set forth in the National Legislation; and

d) provisions of SECTIONS I and II shall prevail in case of conflict of interpretation with additional clauses and other provisions set forth in SECTIONS III and IV of this agreement or in Related Agreements.

CLAUSE 9. Docking Clause

9.1. By mutual agreement between the Parties, it shall be possible for a processing agent to adhere to these Clauses, either as a Data Exporter or as a Data Importer, by completing and signing a written document, which shall form part of this contract.

9.2. The acceding party shall have the same rights and obligations as the originating parties, according to the position assumed of Exporter or Importer and according to the corresponding category of treatment agent.

CLAUSE 10. General obligations of the Parties

10.1. The Parties undertake to adopt and, when necessary, demonstrate the implementation of effective measures capable of demonstrating observance of and compliance with the provisions of these Clauses and the National Legislation, as well as with the effectiveness of such measures and, in particular:

a) use the Personal Data only for the specific purposes described in CLAUSE 2, with no possibility of subsequent processing incompatible with such purposes, subject to the limitations, guarantees and safeguards provided for in these Clauses;

b) guarantee the compatibility of the processing with the purposes informed to the Data Subject, according to the processing activity context;

c) limit the processing activity to the minimum required for the accomplishment of its purposes, encompassing pertinent, proportional and non-excessive data in relation to the Personal Data processing purposes;

d) guarantee to the Data Subjects, subject to the provisions of CLAUSE 4:

(d.1.) clear, accurate and easily accessible information on the processing activities and the respective processing agents, with due regard for trade and industrial secrecy;

(d.2.) facilitated and free of charge consultation on the form and duration of the processing, as well as on the integrity of their Personal Data; and

(d.3.) accuracy, clarity, relevance and updating of the Personal Data, according to the necessity and for compliance with the purpose of their processing;

e) adopt the appropriate security measures compatible with the risks involved in the International Data Transfer governed by these Clauses;

f) not to process Personal Data for abusive or unlawful discriminatory purposes;

g) ensure that any person acting under their authority, including sub-processors or any agent who collaborates with them, whether for reward or free of charge, only processes data in compliance with their instructions and with the provisions of these Clauses;

h) keep a record of the Personal Data processing operations of the International Data Transfer governed by these Clauses, and submit the relevant documentation to ANPD, when requested.

CLAUSE 11. Sensitive personal data

11.1. If the International Data Transfer involves Sensitive Personal Data, the Parties shall apply additional safeguards, including specific Security Measures which are proportional to the risks of the processing activity, to the specific nature of the data and to the interests, rights and guarantees to be protected, as described in SECTION III.

CLAUSE 12. Personal data of children and adolescents

12.1. In case the International Data Transfer governed by these Clauses involves Personal Data concerning children and adolescents, the Parties shall implement measures to ensure that the processing is carried out in their best interest, under the terms of the National Legislation and relevant instruments of international law.

CLAUSE 13. Legal use of data

13.1. The Exporter guarantees that Personal Data has been collected, processed and transferred to the Importer in accordance with the National Legislation.

CLAUSE 14. Transparency

14.1. The Designated Party shall publish, on its website, a document containing easily accessible information written in simple, clear and accurate language on the conduction of the International Data Transfer, including at least information on:

a) the form, duration and specific purpose of the international transfer;

b) the destination country of the transferred data;

c) the Designated Party’s identification and contact details;

d) the shared use of data by the Parties and its purpose;

e) the responsibilities of the agents who shall conduct the processing;

f) the Data Subject’s rights and the means for exercising them, including an easily accessible channel made available to respond to their requests, and the right to file a petition against the Exporter and the Importer before ANPD; and

g) Onward Transfers, including those relating to recipients and to the purpose of such transfer.

14.2. The document referred to in item 14.1. shall be made available on a specific website page or integrated, in a prominent and easily accessible format, to the Privacy Policy or equivalent document.

14.3. Upon request, the Parties shall make a copy of these Clauses available to the Data Subject free of charge, complying with trade and industrial secrecy.

14.4. All information made available to Data Subjects, under the terms of these Clauses, shall be written in Portuguese.

CLAUSE 15. Rights of the data subject

15.1. The Data subject shall have the right to obtain from the Designated Party, as regards the Personal Data subject to the International Data Transfer governed by these Clauses, at any time, and upon request, under the terms of the National Legislation:

a) confirmation of the existence of processing;

b) access to data;

c) correction of incomplete, inaccurate or outdated data;

d) anonymization, blocking or erasure of unnecessary or excessive data or data processed in noncompliance with these Clauses and the provisions of National Legislation;

e) portability of data to another service or product provider, upon express request, in accordance with ANPD regulations, complying with trade and industrial secrecy;

f) erasure of Personal Data processed under the Data Subject’s consent, except for the events provided in CLAUSE 20;

g) information on public and private entities with which the Parties have shared data;

h) information on the possibility of denying consent and on the consequences of the denial;

i) withdrawal of consent through a free of charge and facilitated procedure, remaining ratified the processing activities carried out before the request for elimination;

j) review of decisions taken solely on the basis of automated processing of personal data affecting their interests, including decisions aimed at defining their personal, professional, consumer and credit profile or aspects of their personality; and

k) information on the criteria and procedures adopted for the automated decision.

15.2. Data subject may oppose to the processing based on one of the events of waiver of consent, in case of noncompliance with the provisions of these Clauses or National Legislation.

15.3. The deadline for responding to the requests provided for in this Clause and in item 14.3. is 15 (fifteen) days from the date of the data subject’s request, except in the event of a different deadline established in specific ANPD regulations.

15.4. In case the Data Subject’s request is directed to the Party not designated as responsible for the obligations set forth in this Clause or in item 14.3., the referred Party shall: a) inform the Data Subject of the service channel made available by the Designated Party; or b) forward the request to the Designated Party as early as possible, to enable the response within the period provided in item 15.2.

15.5. The Parties shall immediately inform the Data Processing Agents with whom they have shared data with the correction, deletion, anonymization or blocking of the data, for them to follow the same procedure, except in cases where this communication is demonstrably impossible or involves a disproportionate effort.

15.6. The Parties shall promote mutual assistance to respond to the Data Subjects’ requests.

CLAUSE 16. Security Incident Reporting

16.1. The Designated Party shall notify ANPD and the Data Subject, within 3 (three) working days of the occurrence of a security incident that may entail a relevant risk or damage to the Data Subjects, according to the provisions of National Legislation.

16.2. The Importer must keep a record of security incidents in accordance with National Legislation.

CLAUSE 17. Liability and compensation for damages

17.1. The Party which, when performing Personal Data processing activities, causes patrimonial, moral, individual or collective damage, for violating the provisions of these Clauses and of the National Legislation, shall compensate for it.

17.2. Data Subject may claim compensation for damage caused by any of the Parties as a result of a breach of these Clauses.

17.3. The defense of Data Subjects’ interests and rights may be claimed in court, individually or collectively, in accordance with the provisions in relevant legislation regarding the instruments of individual and collective protection.

17.4. The Party acting as Processor shall be jointly and severally liable for damages caused by the processing activities when it fails to comply with these Clauses or when it has not followed the lawful instructions of the Controller, except for the provisions of item 17.6.

17.5. The Controllers directly involved in the processing activities which resulted in damage to the Data Subject shall be jointly and severally liable for these damages, except for the provisions of item 17.6.

17.6. Parties shall not be held liable if they have proven that: a) they have not carried out the processing of Personal Data attributed to them; b) although they did carry out the processing of Personal Data attributed to them, there was no violation of these Clauses or National Legislation; or c) the damage results from the sole fault of the Data Subject or of a third party which is not a recipient of the Onward Transfer or not subcontracted by the Parties.

17.7. Under the terms of the National Legislation, the judge may reverse the burden of proof in favor of the Data Subject whenever, in his judgement, the allegation is credible, there is a lack of sufficient evidence or when the Data Subject would be excessively burdened by the production of evidence.

17.8. Judicial proceedings for compensation for collective damages which intend to establish liability under the terms of this Clause may be collectively conducted in court, with due regard for the provisions in relevant legislation.

17.9. The Party which compensates the damage to the Data Subject shall have a right of recourse against the other responsible parties, to the extent of their participation in the damaging event.

CLAUSE 18. Safeguards for Onward Transfers

18.1. The Importer shall only carry out Onward Transfers of Personal Data subject to the International Data Transfer governed by these Clauses if expressly authorized, in accordance with the terms and conditions described in CLAUSE 3.

18.2. In any case, the Importer:

a) shall ensure that the purpose of the Onward Transfer is compatible with the specific purposes described in CLAUSE 2;

b) shall guarantee, by means of a written contractual instrument, that the safeguards provided in these Clauses shall be ensured by the third-party recipient of the Onward Transfer; and

c) for the purposes of these Clauses, and regarding the Personal Data transferred, shall be considered responsible for any eventual irregularities committed by the third-party recipient of the Onward Transfer.

18.3. The Onward Transfer shall also be carried out based on another valid modality of International Data Transfer provided in National Legislation, regardless of the authorization referred to in CLAUSE 3.

CLAUSE 19. Access Request Notification

19.1. The Importer shall notify the Exporter and the Data Subject of any Access Request related to the Personal Data subject to the International Data Transfer governed by these Clauses, except in the event that notification is prohibited by the law of the country in which the data is processed.

19.2. The Importer shall implement the appropriate legal measures, including legal actions, to protect the rights of the Data Subjects whenever there is adequate legal basis to question the legality of the Access Request and, if applicable, the prohibition of issuing the notification referred to in item 19.1.

19.3. To comply with both the ANPD’s and the Exporter’s requests, the Importer shall keep a record of Access Requests, including date, requester, purpose of the request, type of data requested, number of requests received, and legal measures implemented.

CLAUSE 20. Termination of processing and erasure of data

20.1. Parties shall erase the personal data subject to the International Data Transfer governed by these Clauses after the ending of their processing, being their storage authorized only for the following purposes:

a) compliance with a legal or regulatory obligation by the Controller;

b) study by a Research Body, guaranteeing, whenever possible, the anonymization of personal data;

c) transfer to a third-party, upon compliance with requirements set forth in these Clauses and in the National Legislation; and

d) exclusive use of the Controller, being the access by a third-party prohibited, and provided data have been anonymized.

20.2. For the purposes of this Clause, processing of personal data shall cease when:

a) the purpose set forth in these Clauses has been achieved;

b) Personal Data are no longer necessary or pertinent to attain the intended specific purpose set forth in these Clauses;

c) at the termination of the treatment period;

d) Data Subject’s request is met; and

e) at the order of ANPD, upon violation of the provisions of these Clauses or National Legislation.

CLAUSE 21. Data processing security

21.1. Parties shall implement Security Measures which guarantee sufficient protection of the Personal Data subject to the International Data Transfer governed by these Clauses, even after its termination.

21.2. Parties shall inform, in SECTION III, the Security Measures implemented, considering the nature of the processed information, the specific characteristics and the purpose of the processing, the technology current state and the probability and severity of the risks to the Data Subjects’ rights, especially in the case of sensitive personal data and that of children and adolescents. 

21.3. The Parties shall make the necessary efforts to implement periodic evaluation and review measures to maintain the appropriate level of data security.

CLAUSE 22. Legislation of country of destination

22.1. The Importer declares that it has not identified any laws or administrative practices of the country receiving the Personal Data that prevent it from fulfilling the obligations assumed in these Clauses.

22.2. In the event of a regulatory change which alters this situation, the Importer shall immediately notify the Exporter to assess the continuity of the contract.

CLAUSE 23. Non-compliance with the Clauses by the Importer

23.1. In the event of a breach in the safeguards and guarantees provided in these Clauses or being the Importer unable to comply with any of them, the Exporter shall be immediately notified, subject to the provisions in item 19.1.

23.2. Upon receiving the communication referred to in item 23.1 or upon verification of non-compliance with these Clauses by the Importer, the Exporter shall implement the relevant measures to ensure the protection of the Data Subjects’ rights and the compliance of the International Data Transfer with the National Legislation and these Clauses, and may, as appropriate:

a) suspend the International Data Transfer;

b) request the return of the Personal Data, its transfer to a third-party, or its erasure; and

c) terminate the contract.

CLAUSE 24. Choice of forum and jurisdiction

24.1. Brazilian legislation applies to these Clauses and any controversy between the Parties arising from these Clauses shall be resolved before the competent courts in Brazil, observing, if applicable, the forum chosen by the Parties in Section IV.

24.2. Data Subjects may file lawsuits against the Exporter or the Importer, as they choose, before the competent courts in Brazil, including those in their place of residence.

24.3. By mutual agreement, Parties may use arbitration to resolve conflicts arising from these Clauses, provided that the procedure is carried out in Brazil and in accordance with the provisions of the Arbitration Law.

SECTION III – Security Measures

The governance and internal process oversight measures, as well as the technical and administrative security measures to ensure the safety of operations such as data collection, transmission, and storage, are already described in the Data Processing Agreement.
