DPA
This Addendum supplements the Master Purchase and Services Agreement (the “Service Agreement”) between the Company and CERTX, outlining the terms related to the purchase and use of Products and Services. In case of any discrepancies between this Addendum and the Service Agreement, the terms of this Addendum shall prevail.
1. Purpose and Scope
1.1 This Addendum pertains to the processing of Personal Data under the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). It outlines the types of data, data subjects, and the purposes of processing (as detailed in Annex 2). 
1.2 This Addendum integrates the EU Model Clauses, addressing the transfer of Personal Data from the European Economic Area (EEA) to jurisdictions that do not provide adequate protection.
1.3 Personal Data processing will be governed by the Company’s instructions, with CERTX processing such data solely as needed to fulfill the Services.
2. Definitions
The following key terms are defined according to the GDPR, CCPA, and the Service Agreement:
- Personal Data: As defined under the GDPR and “Personal Information” under the CCPA.
- Subprocessor: Any third party engaged by CERTX to process Personal Data.
- EU Model Clauses: Standard contractual clauses approved by the European Commission.
3. Responsibilities for Data Processing
3.1 The Company is responsible for determining the purpose and scope of Personal Data processing. CERTX will only process Personal Data based on the Company’s written instructions. 
3.2 CERTX may only use Subprocessors that are specifically approved (as listed in Annex 4).
3.3 Both parties agree to implement adequate technical and organizational measures (as outlined in Annex 3) to protect Personal Data from risks.
4. Subprocessors
4.1 CERTX’s approved Subprocessors include: Amazon Web Services, Google.
 
4.2 CERTX will notify the Company of any changes or additions to the Subprocessors, and the Company will have 30 days to raise any objections.
5. Data Transfers
5.1 Transfers of Personal Data originating in the EEA are governed by the EU Model Clauses.
5.2 CERTX must notify and obtain the Company’s approval before transferring data to any jurisdiction that does not have adequate protection for Personal Data.
6. Security Measures
Both parties agree to implement security measures that include:
- Access control, encryption, pseudonymization, regular audits, and incident response plans.
- Safeguards to maintain the confidentiality, integrity, and resilience of processing systems.
7. Incident Management
7.1 CERTX must notify the Company of any data breaches or incidents that affect the security of Personal Data. 
7.2 The notification will include details about the breach, the affected data, and the steps being taken to mitigate the issue.
8. Return or Deletion of Data
Upon termination of the Service Agreement, CERTX will either return or securely delete all Personal Data unless retention is required by applicable law.
9. Support for Data Controller
CERTX will support the Company in meeting its obligations under the GDPR and CCPA, including assisting with Data Subject requests and conducting Data Protection Impact Assessments.