Last updated: January 10, 2023

This Data Processing Addendum (this “Addendum”) supplements and forms part of the general Terms and Conditions (the “Agreement”) between Fern Technologies Ltd (the “Provider”) and the Customer (each a "party" and collectively the "parties").

1. Definitions

“Controller”, “Processor”, “Data Subject”, “Personal Data” and “Processing” shall have the respective meaning given to them in the “Data Protection Laws” (and related terms such as “Process”, “Processes” and “Processed” shall have corresponding meanings).

Customer Personal Data means the Personal Data Processed by the Provider as Processor on behalf of the Customer in connection to the services described in the Agreement

| Data Protection Laws | means all laws and regulations relating to data protection and privacy as applicable to the Parties and/or to the Processing of Personal Data under this Agreement, including without limitation, the EU General Data Protection Regulation 2016/679 (“GDPR”), the GDPR in such form as incorporated into the laws of the United Kingdom (“UK GDPR”), the Data Protection Act 2018, and any associated implementing legislation and regulations, in each case, as in force and applicable, and as amended, supplemented or replaced from time to time | | EU SCCs | means the https://tryfern.notion.site/e35bb9890d9949e9ad1b55ae5d9c9291 approved by European Commission Decision 2021/914 on 4 June 2021. | | UK SCCs | means the https://tryfern.notion.site/9efef9a842814c1cadb5dc05faffea2a to the EU Commission Standard Contractual Clauses, Version B1.0, in force from March 21, 2022. | | Ex EEA Transfer | means the export of personal data to a country or territory outside the EEA other than a country or territory ensuring an adequate level of protection of personal data as determined by the European Commission. | | Ex UK Transfer | means the export of personal data to a country or territory outside the UK and such transfer is not governed by an adequacy decision made by the Secretary of State in the UK in accordance with the relevant provisions of the UK GDPR and the Data Protection Act 2018. |

2. Processing of Data

  1. The parties agree and acknowledge that with respect to the Processing of Customer Personal Data, the Provider acts as a Processor on behalf of the Customer, which acts as a Controller.
  2. Customer retains control of the personal data and remains responsible for its compliance obligations under the applicable Data Protection Laws, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to us.
  3. The Provider shall process Data in accordance with the Controller’s instructions and shall not process Data for any other purpose.

3. Sub-Processors

  1. The Customer authorizes the Provider to engage Sub-Processors, as defined in Annex A (”Sub-Processor List”), to process Data on its behalf. The Provider shall notify the Controller of any intended changes concerning the addition or replacement of Sub-Processors.
  2. The Provider shall ensure that any Sub-Processor is subject to the same data protection obligations as the Provider.

4. Data Subject Rights

  1. The Provider shall assist the Controller in responding to requests from Data Subjects exercising their rights under the General Data Protection Regulation (“GDPR”).
  2. The Provider shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in the GDPR and to allow the Controller to carry out data protection impact assessments and prior consultations with supervisory authorities in accordance with Articles 36, 37 and/or 57 of the GDPR.

5. Transfers

  1. The Provider shall not transfer Customer Personal Data to any party in a country not deemed adequate for the transfer of Personal Data by the European Commission (for transfer concerning the EEA) and the equivalent UK authority (for transfers concerning the UK), including permitting access to Customer Personal Data from any party in such countries, without the prior written consent of the Customer, unless:
    1. the transfer/access is to a Sub-Processor as set out in Annex A or appointed in accordance with Clause 3 of this DPA; and
    2. the transfer/access is in compliance with Data Protection Laws (including having in place appropriate transfer safeguards as applicable).
      1. Where the transfer involves an Ex UK Transfer, such transfer shall be governed by the UK SCCs, or such other legally recognized transfer method in force
      2. Where the transfer involves an Ex EEA Transfer, such transfer shall be governed by the EU SCCs