Data Protection Addendum

Last Updated: March 3rd 2022

Causal Data Protection Addendum

The customer agreeing to these terms (“Customer”) has entered into an agreement with Causal, Inc. (“Causal”) under which Causal has agreed to provide services to Customer (the “Agreement”). This Data Protection Addendum, including its attachment and appendices (the “DPA”) will be effective and replace any previously applicable data processing and security terms as of the DPA Effective Date (as defined below). This DPA forms part of the Agreement and consists of (a) the main body of the DPA; (b) Exhibit 1 (Details of the Data Processing); and (c) Exhibit 2 (Security Measures). To the extent of any conflict between this DPA and the Agreement, this DPA takes precedence. By signing the Agreement, the parties are deemed to be signing this DPA and its Exhibits.

1. Definitions

The following definitions apply for purposes of this DPA. Capitalized terms that are used but not otherwise defined in this DPA shall have the meanings set forth in the Agreement.

1.1 “Affiliate” means in relation to a party any entity that directly or indirectly controls, is controlled by, or is under common control with the party, where “control” refers to the power to direct or cause the direction of the subject entity, whether through ownership of voting securities, by contract or otherwise.

1.2 “Applicable Data Protection Law(s)” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”) and other data protection laws of the European Economic Area (“EEA”), Switzerland, and the United Kingdom; and the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and any amendments thereto (“CCPA”), including the California Privacy Rights Act of 2020 (“CPRA”). All such laws are included in references herein to “applicable law.”

1.3 “Customer Personal Data” means any “personal information”, “personal data” or other similar term as defined under Applicable Data Protection Laws that is contained within the data provided to or accessed by Causal by or on behalf of Customer or Customers’ employees in connection with the Services.

1.4 “DPA Effective Date” means the date on which the parties agreed to the Agreement.

1.5 “EU SCCs” means the Standard Contractual Clauses issued pursuant to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as described in the “Data Transfers” section below.

1.6 “Process” or “Processing” means any operation or set of operations which is performed on Customer Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.7 “Security Breach” means a breach of Causal’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data in Causal’s possession, custody or control, to the extent the incident constitutes a reportable “data breach,” “personal data breach,” “breach of the security of the system,” or other similar term as defined under applicable law. “Security Breach” will not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

1.8 “Services” means the services and/or products to be provided by Causal to Customer under the Agreement.

1.9 “Subprocessors” means third parties that Causal engages to Process Customer Personal Data on Causal’s behalf in relation to the Services.

1.10 “Term” means the period from the DPA Effective Date until the end of Causal’s provision of the Services.

1.11 “UK SCCs” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (available as of the Effective Date at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/), completed as set forth in “Data Transfers” below.

2. Duration of the DPA.

This DPA will take effect on the DPA Effective Date and, notwithstanding the expiration of the Term, will remain in effect until, and automatically expire upon, Causal’s deletion of all Customer Personal Data as described in this DPA.

3. Processing of Data

3.1 Roles and Regulatory Compliance; Authorization.

3.1.1 Responsibilities of the Parties.

(i) The subject matter and details of the Processing are described in Exhibit 1.

(ii) Causal is a “processor” or “service provider” as defined in Applicable Data Protection Laws, meaning that Causal Processes Customer Personal Data at the direction of and on behalf of the Customer.

(iii) Customer, or an entity for which Customer is a representative (as set out in Section 3.1.2 below), alone or with others, determines the purposes and means of the Processing of Customer Personal Data, and Customer is a “business” or “controller” under Applicable Data Protection Laws.

(iv) Each party will comply with the obligations applicable to it under applicable law with respect to the Processing of Customer Personal Data.

3.1.2 Authorization by Third Party Entity. If Customer is providing data to Causal as a representative for or on behalf of another entity, Customer warrants to Causal that Customer’s instructions and actions with respect to that Customer Personal Data, including its appointment of Causal as another processor or service provider, have been authorized by the relevant entity in accordance with Applicable Data Protection Law.

3.2 Scope of Processing.

3.2.1 Causal will Process Customer Personal Data only as described in the Agreement and under Customer’s written instructions unless applicable law obligates Causal to engage in different Processing of Customer Personal Data. In such case, Causal shall inform Customer of that applicable law as soon as practicable before commencing the different Processing, unless applicable law prohibits providing such information on important grounds of public interest. Any processing of Customer Personal Data by Causal shall be in compliance with Applicable Data Protection Laws.

3.2.2 By entering into this DPA, Customer instructs Causal to Process Customer Personal Data: (a) to provide the Services; (b) as authorized by the Agreement, including this DPA; and (c) as otherwise instructed by Customer.

3.2.3 Without limiting the foregoing, (i) Causal shall not “sell” Customer Personal Data, as such term is defined in the CCPA (regardless of whether the CCPA applies); (ii) Causal shall not share or otherwise communicate Customer Personal Data with a third party for cross-context behavioral advertising in accordance with the CPRA (regardless of whether the CPRA applies); (iii) Causal shall not retain, use, or disclose any Customer Personal Data for any purpose other than for the business purposes specified in this Agreement for Customer; (iv) Causal shall not retain, use, or disclose any such data outside of the direct business relationship between it and Customer; and (v) Causal shall comply with applicable restrictions in Applicable Data Protection Laws.

4. Data Retention; Deletion or Return

4.1 Retention. Causal will retain Customer Personal Data until instructed to delete or return such Customer Personal Data or until the purpose for Processing such data is completed, as required by Applicable Data Protection Law, unless required by applicable law to retain Customer Personal Data for longer. Notwithstanding any such instruction, Causal may retain Customer Personal Data for up to 180 days for backup purposes, unless legal obligations require storage of the Customer Personal Data for a longer period.

4.2 Deletion or Return. Causal will, at Customer’s choice and upon Customer’s instruction, return to Customer or destroy all Customer Personal Data after the termination or expiration of Customer’s use of the relevant Services except to the extent that applicable law requires Causal to retain the Customer Personal Data for longer. Nothing will oblige Causal to delete Customer Personal Data from files created for security, backup, and business continuity purposes sooner than required by Causal’s reasonable data retention processes. If you require earlier deletion of such Customer Personal Data, and such deletion is commercially feasible, you must first pay Causal’s reasonable fees for such deletion, which may include costs for business interruptions associated with such a request. Without limiting any of the foregoing, nothing will require Causal to retain Customer Personal Data following the termination or expiration of the Agreement.

5. Data Security

5.1 Causal’s Security Measures, Controls and Assistance.

5.1.1 Causal’s Security Measures. Causal maintains technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, as described in Exhibit 2 (the “Security Measures”). Causal may update or modify the Security Measures from time to time provided that such updates and modifications do not materially decrease the overall security of the Services.

5.1.2 Among other Security Measures, Causal will ensure that the persons Causal permits to Process Customer Personal Data are subject to an appropriate written confidentiality agreement covering such data or are under a statutory obligation of confidentiality.

5.1.3 Causal’s Security Assistance. Causal will (taking into account the nature of the Processing of Customer Personal Data and the information available to Causal) provide Customer with reasonable assistance necessary for Customer to comply with its obligations under Applicable Data Protection Laws, by implementing and maintaining the Security Measures, complying with the terms of Section 5.2 (Security Breaches), and cooperating with audits under Section 5.4 (Compliance Audits).

5.2 Security Breaches.

5.2.1 Security Breach Notification. If Causal becomes aware of a Security Breach, Causal will: (i) notify Customer of the Security Breach without undue delay after becoming aware of the Security Breach; and (ii) take reasonable steps to identify the cause of such Security Breach, minimize harm and prevent a recurrence.

5.2.2 Details of Security Breach. Notifications made pursuant to this Section 5.2 will describe, to the extent available, details of the Security Breach, including steps taken to mitigate the potential risks and steps Causal recommends Customer take to address the Security Breach.

5.2.3 Customer Obligations. Customer is solely responsible for complying with incident notification laws applicable to Customer and fulfilling any third party notification obligations applicable to Customer related to any Security Breaches.

5.2.4 No Acknowledgement of Fault by Causal. Causal’s notification of or response to a Security Breach under this Section 5.2 will not be construed as an acknowledgement by Causal of any fault or liability with respect to the Security Breach.

5.3 Customer’s Responsibilities.

5.3.1 Customer is solely responsible for reviewing any available security documentation and features and evaluating whether the Services and related Security Measures meet its needs, including its security obligations under Applicable Data Protection Laws. Customer may only use the Services if the security commitments in this DPA would provide a level of security appropriate to the risk in respect of Customer Personal Data. In addition, without prejudice to the rest of this Section 5.3, Customer is solely responsible for:

(i) Securing its devices, passwords, systems, and networks;

(ii) All activity occurring under its account, including by Authorized Users and unauthorized users;

(iii) Any storage of Customer Personal Data outside of the Services; and

(iv) Backing up its Customer Personal Data.

5.3.2 Customer will comply with its obligations under Applicable Data Protection Laws in its use of the Services, including by obtaining any consents and providing any notices required by Applicable Data Protection Laws.

5.3.3 Customer will not provide Causal with Customer Personal Data which, if Causal used with Customer Personal Data in accordance with the Agreement and Customer’s instruction, would result in Causal’s (i) violation of applicable law, including Applicable Data Protection Laws; (ii) defamation, invasion of privacy or publicity, or other violation or infringement of the statutory or contractual rights of any third party; (iii) involvement with illegal activity; and/or (iv) distribution or sharing of malware, viruses, Trojan horses, spyware, worms, or other malicious or harmful code.

5.4 Compliance Audits

5.4.1 Customer may audit Causal’s compliance with its obligations under this DPA up to once per year. In addition, to the extent required by Applicable Data Protection Laws, including where mandated by Customer’s regulatory or governmental authority, Customer or an auditor appointed by Customer may perform more frequent audits (including inspections). Causal will contribute to such audits by providing Customer or other mutually agreed upon auditor with the information and assistance reasonably necessary to conduct the audit, including any relevant records of Processing activities applicable to the Services.

5.4.2 Such audits are limited to Causal’s Processing of Customer Personal Data subject to Applicable Data Protection Laws, not any other aspect of Causal’s business or information systems or other customers.

5.4.3 If a third party is to conduct the audit, Causal may object to the auditor if the auditor is, in Causal’s reasonable opinion, not suitably qualified or independent, a competitor of Causal, or otherwise manifestly unsuitable. Such objection by Causal will require Customer to appoint another auditor or conduct the audit itself.

5.4.4 To request an audit, Customer must submit a detailed proposed audit plan to dataaudit@causal.app at least thirty (30) days in advance of the proposed audit date. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Causal will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Causal security, privacy, employment or other relevant policies). Causal will work cooperatively with Customer to agree on a final audit plan. The audit plan, and anything produced in response to it (including any derivative work product such as notes of interviews), will be considered Confidential Information, and will remain Confidential Information in perpetuity or the longest time allowable by applicable law after termination of the Agreement. Such materials and derivative work product will not be disclosed to anyone without the prior written permission of Causal unless such disclosure is required by applicable law. If disclosure is required by applicable law, Customer will give Causal prompt written notice of that requirement and an opportunity to obtain a protective order to prohibit or restrict such disclosure except to the extent such notice is prohibited by applicable law or order of a court or governmental agency.

5.4.5 Nothing in this Section 5.4 shall require Causal to breach any duties of confidentiality.

5.4.6 If the requested audit scope is addressed in an SSAE 16/ISAE 3402 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor (“Audit Reports”) within twelve (12) months of Customer’s audit request and Causal confirms there are no known material changes in the controls audited, Customer agrees to accept those findings in lieu of requesting an audit of the controls covered by the report.

5.4.7 The audit must be conducted during regular business hours at the applicable facility, subject to the agreed final audit plan and Causal’s health and safety or other relevant policies, and may not unreasonably interfere with Causal business activities.

5.4.8 Customer will promptly notify Causal of any non-compliance discovered during the course of an audit and provide Causal any audit reports generated in connection with any audit under this Section 5.4, unless prohibited by applicable law or otherwise instructed by a regulatory or governmental authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this DPA. The audit reports are Confidential Information of the parties under the terms of the Agreement.

5.4.9 Any audits are at Customer’s expense. Customer shall reimburse Causal for any time expended by Causal or its Third Party Subprocessors in connection with any audits or inspections under this Section 5.4 at Causal’s then-current professional services rates, which shall be made available to Customer upon request. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit.

5.4.10 The parties agree that this Section 5.4 shall satisfy Causal’s obligations under Applicable Data Protection Laws, including the audit requirements of the Standard Contractual Clauses applied to Data Importer under Clause 5(f) and to any Subprocessors under Clause 11 and Clause 12(2).

6. Impact Assessments and Consultations.

Causal will (taking into account the nature of the Processing and the information available to Causal) reasonably assist Customer in complying with its obligations under Applicable Data Protection Laws or other applicable law in respect of data protection impact assessments and prior consultation, including, if applicable, Customer’s obligations pursuant to Articles 35 and 36 of the GDPR.

7. Data Subject Rights

7.1 Customer’s Responsibility for Requests. During the Term, if Causal receives any request or complaint from a data subject in relation to Customer Personal Data, Causal will advise the data subject to submit their request or complaint to Customer and Customer will be responsible for responding to any such request. Nothing in this DPA or the Agreement obligates Causal to respond to any such requests or complaints directly. However, if Causal has an obligation under applicable law to respond directly, it shall, unless legally prohibited, notify Customer of this requirement when making the initial notification and comply with Customer’s reasonable requests in responding to such request.

7.2 Causal’s Data Subject Request Assistance. Causal will (taking into account the nature of the Processing of Customer Personal Data) provide Customer with self-service functionality through the Services or other reasonable assistance as necessary for Customer to fulfill its obligation under applicable law to respond to requests by data subjects. Customer shall reimburse Causal for any such assistance beyond providing self-service features included as part of the Services at Causal’s then-current professional services rates, which shall be made available to Customer upon request.

8. Data Transfers

8.1 Customer authorizes Causal to Process Customer Personal Data anywhere that Causal or its Subprocessors maintains facilities, and to make international transfers of Customer Personal Data in accordance with this DPA so long as applicable law for such transfers is respected.

8.2 With respect to Customer Personal Data transferred from the United Kingdom for which United Kingdom law (and not the law in any EEA jurisdiction) governs the international nature of the transfer, the UK SCCs form part of this DPA and take precedence over the rest of this DPA as set forth in the UK SCCs, unless the United Kingdom issues updates to the UK SCCs, in which case the updated UK SCCs will control. Undefined capitalized terms used in this provision shall mean the definitions in the UK SCCs. The UK SCCs are deemed completed as follows:

8.2.1 Table 1 of the UK SCCs:

(i) The Parties’ details shall be the Parties and their affiliates to the extent any of them is involved in such transfer, including those set forth in Exhibit 1.

(ii) The Key Contact shall be the contacts set forth in Exhibit 1.

8.2.2 Table 2 of the UK SCCs: The Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the Parties.

8.2.3 Table 3 of the UK SCCs: Annex 1A, 1B, II, and III shall be set forth in Exhibits 1 and 2, as applicable.

8.2.4 Table 4 of the UK SCCs: Causal may end this DPA as set out in Section 19 of the UK SCCs.

8.2.5 By entering into this DPA, the Parties are deemed to be signing the UK SCCs and its applicable Tables and Appendix Information.

8.3 To the extent otherwise legally required, the EU SCCs form part of this DPA and take precedence over the rest of this DPA to the extent of any conflict, and (except as described in Section 8.4) they will be deemed completed as follows:

8.3.1 Because Customer acts as a controller and Causal acts as a processor with respect to the Customer Personal Data subject to the EU SCCs, its Module 2 applies.

8.3.2 Clause 7 (the optional docking clause) is included.

8.3.3 Under Clause 9 (Use of sub-processors), the parties select Option 2 (General written authorization). The initial list of Subprocessors is available as provided in section 9.2 below. If Causal intends to add or replace a Subprocessor on that list, Causal will notify Customer at least thirty (30) days before the Subprocessor Processes Customer Personal Data.

8.3.4 Under Clause 11 (Redress), the optional requirement that data subjects be permitted to lodge a complaint with an independent dispute resolution body does not apply.

8.3.5 Under Clause 17 (Governing law), the parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The parties select the law of Ireland.

8.3.6 Under Clause 18 (Choice of forum and jurisdiction), the parties select the courts of Ireland.

8.3.7 Under Annex I(A) of the EU SCCs (List of parties):

(i) The exporter is Customer. The exporter’s contact information for Causal to use is as set forth in the Agreement, Order Form, or Causal account, as applicable. The exporter’s contact information for Data Subjects to use is set forth in its privacy policy, as are the identity and contact details of the exporter’s data protection officer (if any) and representative in the European Union (if any).

(ii) The exporter’s activity as relevant to the data transferred under these Clauses is its use of the relevant Services.

(iii) The importer is Causal. The importer’s contact information is set forth on Causal’s website or in the Agreement, as applicable.

(iv) The importer’s activity as relevant to the data transferred under these Clauses is its provision of the relevant Services.

(v) When the Customer purchases the Services, the parties are deemed to be signing Annex I(A) of the EU SCCs.

8.3.8 For any particular Services, the details for Annex I(B) of the EU SCCs (Description of transfer) are set forth in Exhibit 1 of the DPA.

8.3.9 Under Annex I(C) of the EU SCCs (Competent supervisory authority), the parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission.

8.3.10 Annex II of the EU SCCs (Technical and organizational measures) is set forth in Exhibit 2 of this DPA.

8.3.11 Annex III of the EU SCCs (List of subprocessors) is inapplicable.

8.4 For transfers of Customer Personal Data that are subject to the Swiss Federal Act on Data Protection (“FADP”), the EU SCCs form part of this DPA as set forth in Section 9.3 of this DPA, but with the following differences to the extent required by the FADP:

8.4.1 References to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not the GDPR.

8.4.2 The term “member state” in the EU SCCs shall not be interpreted so as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs.

8.4.3 References to personal data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope.

8.4.4 Under Annex I(C) of the EU SCCs (Competent supervisory authority):

(i) Where the transfer is subject exclusively to the FADP and not the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner.

(ii) Where the transfer is subject to both the FADP and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the FADP, and the supervisory authority is as set forth in Section 8.3.9 of this DPA insofar as the transfer is governed by the GDPR.

8.5 Disclosure of Confidential Information Containing Personal Data. Where the parties have entered into the UK SCCs and/or EU SCCs, Causal will, notwithstanding any term to the contrary in the Agreement, make any disclosure of Customer’s Confidential Information containing personal data, and any notifications relating to any such disclosures, in accordance with the UK SCCs and/or EU SCCs. For the purposes of the UK SCCs and/or EU SCCs, Customer and Causal agree that (i) Customer will act as the data exporter on Customer’s own behalf and on behalf of any of Customer’s entities and (ii) Causal or its relevant Affiliate will act on its own behalf and/or on behalf of Causal’s Affiliates as the data importers.

9. Subprocessors

9.1 Consent to Subprocessor Engagement. Customer authorizes Causal to engage its Affiliates and any third parties as Subprocessors of Customer Personal Data. If the parties have entered into UK SCCs and/or EU SCCs, the above authorizations will constitute Customer’s general written authorization and consent (to the extent required) to Causal’s provision of Customer Personal Data to the Subprocessors listed in the linked list provided in Section 9.2 below, for the purpose of performing the Services.

9.2 Information about Subprocessors. Information about Subprocessors, including their functions and locations, is available here (as may be updated by Causal from time to time in accordance with this DPA) (the “Subprocessor Webpage”).

9.3 Requirements. Causal will enter into a written contract with each Subprocessor containing data protection obligations not less protective than those in this DPA with respect to the protection of Customer Personal Data, to the extent applicable to the nature of the Services provided by such Subprocessor. Causal shall be liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor.

9.4 Opportunity to Object to Subprocessor Changes. If Customer subscribes to email updates about the Subprocessor Webpage, Causal will inform Customer of any Subprocessor additions or replacements by email at least ten (10) days prior to the addition or replacement.

(i) Customer may reasonably object to any new Subprocessor by providing written notice thereof to Causal within ten (10) days of being notified by Causal of the new Subprocessor. In its notification, Customer will explain its reasonable grounds for objection. If Customer does not provide written notice of an objection, Customer will be deemed to have consented to the Processing of Customer Personal Data by the Subprocessor and waived its right to object.

(ii) In the event of such objection, Causal may elect to not engage such Subprocessor. If Causal continues use of such Subprocessor after Customer’s reasonable objection, then Customer may elect to immediately suspend or terminate the Agreement upon notice to Causal. Customer shall not be entitled to any refund for terminating the Agreement under this Section 9.4.

(iii) Notwithstanding the foregoing, Causal may replace a Subprocessor if the need for the change is urgent and necessary to provide the Service and continuity thereof. In such instance, Causal shall notify Customer of the replacement as soon as reasonably practicable, and Customer shall retain the right to object to the replacement Subprocessor pursuant to this paragraph.

10. Processing Records.

Customer acknowledges that Causal may be required under applicable law to: (a) collect and maintain records of certain information, including the name and contact details of each Processor and/or Controller on behalf of which Causal is acting and, where applicable, of such Processor’s or Controller’s local representative and data protection officer; and (b) make such information available to regulatory or governmental authorities. Accordingly, to the extent that any such requirement applies to the Processing of Customer Personal Data, Customer will, where requested, provide such information to Causal, and will ensure that all information provided is kept accurate and up-to-date.

11. Liability

11.1 Liability Cap. The total combined liability of either party and its Affiliates towards the other party and its Affiliates, whether in contract, tort or any other theory of liability, under or in connection with the Agreement, this DPA, and the Standard Contractual Clauses if applicable (to the extent legally permitted) combined will be limited to limitations on liability or other liability caps agreed to by the parties in the Agreement, subject to Section 11.2 (Liability Cap Exclusions).

11.2 Liability Cap Exclusions. Nothing in Section 11.1 (Liability Cap) will affect any party’s liability to data subjects under the third party beneficiary provisions of the UK SCCs and/or EU SCCs to the extent limitation of such rights is prohibited by the Applicable Data Protection Laws, where applicable.

12. Third Party Beneficiary.

Notwithstanding anything to the contrary in the Agreement, where Causal is not a party to the Agreement, Causal will be a third party beneficiary of Section 5.3 (Compliance Audits), Section 9.1 (Consent to Subprocessor Engagement) and Section 11 (Liability) of this DPA.

13. Analytics.

Customer acknowledges and agrees that Causal may create and derive from Processing related to the Services anonymized and/or aggregated data that does not identify Customer or any natural person, and use, publicize or share with third parties such data to improve Causal’s products and services and for its other legitimate business purposes.

14. Notices.

Notwithstanding anything to the contrary in the Agreement, any notices required or permitted to be given by Causal to Customer may be given (a) in accordance with the notice clause of the Agreement; (b) to Causal’s primary points of contact with Customer; and/or (c) to any email provided by Customer for the purpose of providing it with Service-related communications or alerts. Customer is solely responsible for ensuring that such email addresses are valid.

Exhibit 1: Details of The Data Processing

Details relevant to Tables 1-3 (inclusive) of the UK SCCs and Annex I(B) of the EU SCCs

Subject Matter: Causal’s provision of the Services to Customer pursuant to the Agreement.

Duration of the Processing: The Term plus the period from the expiry of the Term until deletion or return of all Customer Personal Data by Causal in accordance with the DPA.

Nature and Purpose of the Processing: Causal will process Customer Personal Data for the purposes of providing the Services to Customer in accordance with the DPA.

Categories of Data: Data relating to individuals provided to Causal in connection with the Services, by (or at the direction of) Customer, including but not limited to financial records, customer names, employee names and salaries, business performance.

Categories of Data Subjects: The Customer Personal Data may concern Customer’s employees, consultants, professional service advisors, investors, and any other data subjects whose Personal Data Customer chooses to input into the Services.

Special Categories of Data: Not applicable.

Additional details relevant to Annex 1(B) of the 2021 SCCs

Applied safeguards and restrictions specific to any special categories of data: Not applicable. In any case, the same standard of protection described in Exhibit 2 to the DPA applies to this and other categories of Customer Personal Data.

The frequency of the transfer: Continuous for as long as necessary to provide the Services pursuant to the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: The lesser of as long as needed to provide the Services pursuant to the Agreement or as long as required by Applicable Law.

Exhibit 2: Security Measures

Description of the technical and organizational security measures implemented by the data importer:

Information about Causal’s security measures is available here (as may be updated by Causal from time to time in accordance with this DPA).