Data Processing Agreement
This Data Processing Agreement (“DPA”) is hereby entered into by and between Wizer Feedback LTD. and the Customer (each a “party” and collectively, the “parties”).
This DPA sets forth the parties’ responsibilities and obligations regarding the Processing of Personal Data, during the course of the Agreement. This DPA forms an integral part of the binding Agreement between the parties, hence any capitalized terms used herein and not defined herein shall have the respective meanings given to them in the Master Subscription Agreement.
1. DEFINITIONS
1.1. “Adequate Country” is a country that has received an adequacy decision from the European Commission.
1.2. “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq.
1.3. “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing” (and “Process”), “Personal Data Breach” and “Special Categories of Personal Data” shall all have the meanings given to them in EU Data Protection Law. The terms “Business”, “Business Purpose”, “Consumer”, “California Consumer”, “Service Provider”, “Sale” and “Sell” shall have the same meanings as ascribed to them in the CCPA. “Data Subject” shall also mean and refer to a “Consumer,” as such term is defined in the CCPA. “Personal Data” shall also mean and refer to “Personal Information”, as such term is defined in the CCPA.
1.4. “Customer Data” means Personal Information or Personal Data which is processed by the Company solely on behalf of Customer, as detailed in ANNEX I.
1.5. “Data Protection Law” means any and all applicable privacy and data protection laws and regulations (including, where applicable, Israeli Privacy Protection Regulations (Data Security) 5777-2017, Israeli Privacy Protection Law, 5741-1981, the regulations promulgated pursuant thereto, including the Israeli Privacy Protection Regulations (Data Security), 5777-2017 and other related privacy regulations (“Israeli Law”), the EU Data Protection Law and the CCPA) as may be amended or superseded from time to time.
1.6. “EU Data Protection Law” means the (i) EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) Regulation 2018/1725; (iii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (iv) any national data protection laws made under, pursuant to, replacing or succeeding (i) – (iii); and (v) any legislation replacing or updating any of the foregoing.
1.7. “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data of the other party. For the avoidance of doubt, any Personal Data Breach of the other party’s Personal Data will comprise a Security Incident.
1.8. “Standard Contractual Clauses” mean the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR and adopted by the European Commission Decision 2021/914 of 4 June 2021 which is attached herein by linked reference: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN.
1.9. “UK GDPR” means the Data Protection Act 2018 and the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).
1.10. “UK SCC” means where the UK GDPR applies, the standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR for transferring Personal Data outside of the EEA or UK.
2. RELATIONSHIP OF THE PARTIES
2.1. The parties acknowledge that in relation to all Customer Data, as between the parties, Customer is the Controller of Customer Data, and that the Company, in providing the Services is acting as a Processor on behalf of the Customer. For the purpose of the CCPA (and to the extent applicable), Customer is the Business and the Company is the Service Provider.
2.2. The purpose, subject matter and duration of the Processing carried out by the Company on behalf of the Customer, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are described in ANNEX I attached hereto.
3. REPRESENTATIONS AND WARRANTIES
3.1. The Customer represents and warrants that: (i) its Processing instructions shall comply with applicable Data Protection Law; (ii) it will comply with Data Protection Law, specifically with regards to the lawful basis principle for Processing Personal Data and all applicable CCPA provisions; and (iii) due to the nature of the Services, the Company does not monitor or control the data uploaded to the Platform by the Customer or by the Customer’s user and thus, the type of Personal Data or Categories of the Data Subjects processed by it in such cases is subject to the Customer’s sole discretion.
3.2. The Company represents and warrants that it: (i) shall process Personal Data, as set forth under Article 28(3) of the GDPR, on behalf of the Customer, solely for the purpose of providing the Service, and for the pursuit of a Business Purpose as set forth under the CCPA, all in accordance with Company’s written instructions including the Agreement and this DPA; (ii) in the event the Company is required under applicable laws, including Data Protection Law or any union or member state regulation, to Process Personal Data other than as instructed by Customer, the Company shall make best efforts to inform the Customer of such requirement prior to Processing such Personal Data, unless prohibited under applicable law; and (iii) shall provide reasonable cooperation and assistance to Customer in ensuring compliance with its obligation to carry out data protection impact assessments with respect to the processing of Personal Data and to consult with the supervisory authority (as applicable).
3.3. Company shall take reasonable steps to ensure: (i) the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to and Process Personal Data; (ii) that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and (iii) that such personnel are aware of their responsibilities under this DPA and any applicable Data Protection Laws.
3.4. If the EU Data Protection Law or the CCPA do not apply to the Customer, then Customer must abide by any other Data Protection Law and data security laws and regulations that are applicable to it, and at a minimum Customer shall: (i) obtain and maintain any and all authorizations, permissions and informed consents, as may be necessary under applicable laws and regulations, in order to allow the Processor to lawfully collect, handle, retain, process and use the processed data within the scope of the Services; (ii) substantiate the legal basis and legitimize, pursuant to applicable law, any and all Personal Data or personally identifiable information transferred through the Services; (iii) have, properly publish and abide by an appropriate privacy policy that complies with all applicable Data Protection Law.
3.5. Notwithstanding the above, in the event the Customer is an Israeli establishment or Customer Data includes processing of Israeli data subjects, or in any event that the Israeli Law shall apply, the parties hereby undertake that they comply with the aforesaid regulations as well as comply with the DPA.
4. RIGHTS OF DATA SUBJECTS AND THE PARTIES’ COOPERATION OBLIGATIONS
4.1. It is agreed that where the Company receives a request from a Data Subject or an applicable authority in respect of Personal Data Processed by Company, where relevant, the Company will direct the Data Subject or the applicable authority to the Customer in order to allow the Customer to respond directly to the Data Subject’s or the applicable authority’s request, unless otherwise required under applicable laws. Both parties shall provide each other with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s or applicable authority’s request, to the extent permitted under Data Protection Law.
4.2. Where applicable, Company shall assist the Customer in ensuring that Personal Data Processed is accurate and up to date, by informing the Customer without delay if the Company becomes aware of the fact that the Personal Data it is Processing is inaccurate or has become outdated.
5. DO NOT SELL PERSONAL INFORMATION
5.1. It is hereby agreed that any sharing of Personal Information between the parties is made solely in order to fulfill a Business Purpose and the Company does not receive or process any Personal Information as consideration for the Services. Thus, such Processing of Personal Information shall not be considered as a Sale.
6. SUB-PROCESSOR
6.1. The Customer acknowledges that the Company may transfer Personal Data to and otherwise interact with third party data processors (“Sub-Processor”). The Customer hereby authorizes the Company to engage and appoint such Sub-Processors to Process Personal Data, as well as permits each Sub-Processor to appoint a Sub-Processor on its behalf. The Company may continue to use those Sub-Processors already engaged by the Company, as listed in ANNEX III, and the Company may engage an additional or replace an existing Sub-Processor to process Personal Data, subject to the provision of a 30-day prior notice to the Customer. In case the Customer has not objected to the adding or replacing of a Sub-Processor, such Sub-Processor shall be considered as approved by the Customer. In the event the Customer objects, its sole remedy is to terminate the Agreement.
6.2. The Company shall, where it engages any Sub-Processor, impose, through a legally binding contract between the Company and the Sub-Processor, data protection obligations no less onerous than those set out in this DPA on the Sub-Processor. The Company shall ensure that such contract will require the Sub-Processor to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of Data Protection Law.
6.3. The Company shall remain fully responsible to the Customer for the performance of the Sub-Processor’s obligations in accordance with the Agreement. The Company shall notify the Customer of any failure by the Sub-Processor to fulfil its contractual obligations.
7. TECHNICAL AND ORGANIZATIONAL MEASURES
7.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and without prejudice to any other security standards agreed upon by the parties, the Company shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and in accordance with best industry practices to protect data from a Security Incident. The parties acknowledge that security requirements are constantly changing and that effective security requires the frequent evaluation and regular improvement of outdated security measures.
7.2. The security measures implemented by Company are detailed in ANNEX II.
8. SECURITY INCIDENT
8.1. The Company will notify the Customer upon becoming aware of any confirmed Security Incident involving the Customer Data in the Company’s possession or control, as determined by the Company in its sole discretion. The Company will, in connection with any Security Incident affecting the Customer Data: (i) take such steps as are necessary to contain, remediate, minimize any effects of and investigate any Security Incident and to identify its cause; (ii) co-operate with the Customer and provide the Customer with such assistance and information as it may reasonably require in connection with the containment, investigation, remediation or mitigation of the Security Incident; (iii) notify the Customer in writing of any request, inspection, audit or investigation by a supervisory authority or other authority; (iv) keep the Customer informed of all material developments in connection with the Security Incident and execute a response plan to address the Security Incident; and (v) co-operate with the Customer and assist Customer, at the Customer’s expense, with the Customer’s obligation to notify affected individuals if required.
8.2. Company’s notification regarding or response to a Security Incident under this Section 8 shall not be construed as an acknowledgment by the Company of any fault or liability with respect to the Security Incident.
9. AUDIT RIGHTS
9.1. Company shall respond to inquiries from the Customer regarding the Processing of Personal Data in accordance with this DPA. Company shall make available to the Customer all information necessary to demonstrate compliance with the obligations under the EU Data Protection Law.
9.2. The Company shall make available, solely upon prior written notice and no more than once per year (except for in the case of a Security Incident), information necessary to reasonably demonstrate compliance with this DPA to a reputable auditor nominated by the Customer, at the Customer’s expense, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Customer Data (“Audit”) in accordance with the terms and conditions hereunder. The Audit shall be subject to the terms of this DPA and standard confidentiality obligations (including towards third parties). The Company may object to an auditor appointed by the Customer in the event the Company reasonably believes that the auditor is not suitably qualified or independent, is a competitor of the Company or otherwise unsuitable (“Objection Notice”). The Customer will appoint a different auditor or conduct the Audit itself upon its receipt of an Objection Notice from the Company. Customer shall bear all expenses related to the Audit and shall (and ensure that each of its auditors shall) over the course of such Audit, avoid causing any damage, injury or disruption to the Company’s premises, equipment, personnel and business. Any and all conclusions of such Audit shall be confidential and reported back to the Company immediately.
10. DATA TRANSFER
10.1. The Customer acknowledges and agrees that in order to be provided with the Services the Company may transfer, access and process Customer Data from countries outside the EU Member States, the three EEA member countries (Norway, Liechtenstein and Iceland) (collectively, “EEA”), Switzerland and the United Kingdom, including the US, as detailed herein, or may process the Customer Data within the EEA; however, certain Sub-Processors may transfer or process the Customer Data in the US.
10.2. The parties acknowledge that EU Data Protection Law does not require Standard Contractual Clauses or an alternative transfer solution in order for Customer Data to be processed in or transferred to an Adequate Country (“Permitted Transfers”).
10.3. In the event such Processing includes transferring of Personal Data to a country outside the EEA that has not received the adequacy decision from the European Commission or is not exempt under Article 49 of the GDPR (“Restricted Transfer”), the following shall apply:
10.3.1. In order to maintain the integrity, security and confidentiality of the Personal Data, a Restricted Transfer shall be subject, in addition to the terms of this DPA, to the terms and obligations of the Module II of the Standard Contractual Clauses in which event Company shall be deemed as the Data Importer and the Customer shall be deemed as the Data Exporter.
10.3.2. The purpose and description of the transfer shall be detailed in ANNEX I.
10.3.3. The UK SCC shall incorporate ANNEX I, II and III herein.
10.4. The Customer further agrees that where the Company engages a Sub-Processor, and those processing activities include a Restricted Transfer, Company and the Sub-Processor shall be bound by the Standard Contractual Clauses in which Company shall be deemed as the Data Exporter and the Sub-Processor shall be deemed as the Data Importer. For the purposes of such engagement, Company and the Sub-Processor will enter into Module III of the Standard Contractual Clauses.
10.5. Subject to Clause 13 of Standard Contractual Clauses, Company agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Standard Contractual Clauses. Notwithstanding the above the UK SCCs shall be governed by the laws of England and Wales.
10.6. Specifically, EU-US Transfers: Additional measures and assurances regarding US government surveillance (“Additional Safeguards”) are further detailed in ANNEX II.
11. CONFLICT
11.1. In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail. For the avoidance of doubt, in the event Standard Contractual Clauses have been executed between the parties, the terms of the Standard Contractual Clauses shall prevail over those of this DPA. Except as set forth herein, all of the terms and conditions of the Agreement shall remain in full force and effect.
12. TERM & TERMINATION
12.1. This DPA shall be effective as of the Effective Date and shall remain in force until the Agreement terminates. The Customer shall be entitled to suspend the Processing of Customer Data in the event the Company is in breach of Data Protection Laws, this DPA or a binding decision of a competent court or the competent supervisory authority.
12.2. The Company shall be entitled to terminate this DPA or terminate the Processing of Customer Data in the event the Processing of Personal Data under the Customer’s instructions or this DPA infringe applicable legal requirements. Such termination shall be subject to informing the Customer and the Customer insists on compliance with the instructions.
12.3. Following the termination of this DPA, Company shall, at the choice of the Customer, delete all Customer’s Personal Data processed on behalf of the Customer and certify to the Customer that it has done so, or, return all the Customer’s Personal Data to the Customer and delete existing copies unless applicable law or regulatory requirements require that the Company continue to store the Customer’s Personal Data. Until the Personal Data is deleted or returned, Company shall continue to ensure compliance with this DPA.
ANNEX I
DETAILS OF PROCESSING AND TRANSFERRING OF CUSTOMER DATA
This Annex I includes certain details of the Processing and transferring of Personal Data as required by Article 28(3) GDPR, the Standard Contractual Clauses and the UK SCC.
Categories of data subjects whose personal data is processed or transferred:
- Individuals responding to a survey as part of the market research (“Respondent”).
- Customer employees using the Platform.
Categories of personal data processed and transferred:
- Respondent data, including contact information (if applicable), survey information and the prize, award received for filling in the survey.
- Customer employee contact information or credentials when accessing the Platform.
Sensitive data processed or transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
NA
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis).
One-off
Nature of the processing and transferring:
Market Research
Purpose(s) for which the personal data is processed or transferred on behalf of the controller:
Hosting and providing the Services as set forth in the Agreement.
Duration of the processing:
For the duration of the Services according to the Agreement and the period from the end of the Term until deletion of all Customer Data.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
The sub-processors are detailed in ANNEX III, all of the above is applicable to the sub-processors.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES
Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons:
Physical Access Control
The measures for ensuring physical security of locations at which Personal Data are processed include security measures implemented in Company’s office (alarm system, code locks, etc.) and the physical security measures taken by Company’s hosting providers. The Company secures the physical access to its offices and maintains records of any physical access to the protected Personal Data in order to ensure that solely authorized individuals such as employees and authorized external parties (maintenance staff, visitor, etc.) can access the Company’s offices.
The Personal Data processed by the Company is stored on AWS Cloud (please see the security measures here). When the Personal Data is transferred to the applicable servers it is always done in a secure and encrypted manner, encryption by default, at rest and in transit. AWS undergoes various third-party independent audits regularly and can provide verification of compliance controls for its data centers, infrastructure, and operations. This includes, but is not limited to, SSAE 16-compliant SOC 2 certification and ISO 27001 certification.
Security Risk Analysis and Management
The Company conducts an accurate and thorough assessment of the potential risks and vulnerabilities of the Personal Data to ensure the confidentiality, integrity, and availability of electronic Personal Data processing. The Company performs annual penetration testing (as further detailed below), and scout reports (e.g., NCC scout and the like) are executed periodically to identify potential security risks; major or critical issues are handled immediately. The Company abides by the Company’s Disaster Recovery plan in order to ensure that the Company can cope with the occurrence of any disaster or emergency. The Company’s servers include an automated back-up procedure. The Company’s office is equipped with fire detectors, fire extinguishers and other applicable measures for the case of a natural disaster.
Penetration Testing
An external penetration test is performed on an annual basis. The penetration tests include, among others, procedures to prevent customers, groups of individuals, or other entities from accessing confidential information other than their own. The penetration tests and security scans are performed by a reputable third-party vendor. In addition, Wizer conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment. Actions are taken to remediate identified deficiencies on a timely basis. Vulnerability scans are performed using external tools, in order to detect potential security breaches.
System Control
Access to the Company’s systems is highly restricted in order to ensure that solely the appropriate prior approved personnel can access or use the Company’s systems. Safeguards related to remote access and wireless computing capabilities are implemented therein. Employees are required to comply with the Company’s password policy when composing a password in order to allow strict access or use related to Personal Data, all in accordance with position, and solely to the extent such access or use is required. There is constant monitoring of the access to the data and the passwords used to gain login access. In addition, the Company implements an automatic captcha and lock-out mechanism in order to prevent any unauthorised login to the Company’s servers by means of password guessing. Electronic procedures set to terminate an inactive session are also in use by the Company. Only very few employees have access to the database, which is protected by multiple passwords.
Data Access Control
There are restrictions in place to ensure that the access to the Personal Data is restricted to employees and service providers which have a permission to access it and solely on a “need to know” basis. Any permission is granted by the Company’s data protection officer. The Company uses high level security measures to ensure that Personal Data information shall not be accessed, modified, copied, used, transferred or deleted without specific authorization. The access to the Personal Data information, as well as any action performed involving the use of the Personal Data requires a password and user name, which is routinely changed, as well as blocked when applicable. The user password is fully encrypted. Each employee is able to perform actions solely according to the permissions determined by the Company. Each access is logged and monitored, and any unauthorized access is automatically reported. Further, the Company has ongoing review of which employees have authorizations to access and whether access is still required. Company revokes access immediately upon termination of employment. Authorized individuals can solely access Personal Data that is established in their individual profiles.
In addition, weekly security reports are reviewed by the Company’s security officer, the servers are monitored 24/7 and AWS audit trail (CloudTrail) tracks any changes to resources and entities.
Organizational and Operational Security
The Company invests a multitude of efforts and resources in order to ensure compliance with the Company’s security practices, as well as continuously provides employees on-going training and periodic updates regarding Company’s security procedures. The Company strives to raise awareness of the risk involved in the processing of Personal Data. In addition, the Company implemented applicable safeguards for its hardware and software, including web content filtering, firewalls and anti-virus software (“Protection Measures”) on applicable Company hardware, software or employee’s computer, in order to protect against viruses, worms, Trojan identifications or any other malicious software. The Protection Measures cannot be deactivated by any user other than the Company’s cyber security officer and according to the Company’s policies.
Transfer Control
The Company conducted a transfer impact assessment (“TIA”) identifying all transfers of Personal Data and is able to share the TIA upon Customer’s request. The purpose of transfer control is to ensure that Personal Data cannot be read, copied, modified or removed by unauthorized parties during the electronic transmission of these data or during their transport or storage in the applicable data center. All data is encrypted, both at rest and in transit. All and any transfer of Personal Data (either between the servers, from Customer side to server side and between Company’s designated partners) is protected using encryption safeguards such as L2TP, IPsec (or equivalent protection), as well as encryption of the Personal Data prior to the transfer of any Personal Data. The Company’s servers are protected by industry best standards. Furthermore, the destruction of Personal Data following termination of the engagement is included within the contract between the parties. In addition, to the extent applicable, the Company’s business partners execute an applicable Data Processing Agreement and Standard Contractual Clauses, all in accordance with applicable laws. In addition, the traffic and transfer are guarded by a WAF with IPS and IDS (Incapsula) and is encrypted by TLS.
Company has ensured all documents, including without limitation, agreements, privacy policies, online terms, etc. are compliant with the Data Protection Regulations, including by implementing Data Processing Agreement and where needed Standard Contractual Clauses (either pursuant to the GDPR and adopted by the European Commission Decision 2021/914 of 4 June 2021 which is attached herein by linked reference: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN or pursuant to the standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR for transferring Personal Data outside of the EEA or UK).
Availability Control
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident were implemented by the Company and include an automated backup procedure. The Company has a backup concept which includes automated daily backups. Periodical checks are performed to determine that the backups have occurred. The Company has also implemented Business Continuity plans and Disaster Recovery policies so that in the event of a disaster the Company will be able to continue to provide the services.
Data Retention
Personal Data is retained for as long as needed to provide the services or as required under applicable laws.
Software Security
All builds are executed on a remote and secured server in a sterile environment (CI/CD). Deployments are checked with anti-virus and vulnerability tests before being shipped for deployment, and code is tested on unit, integration and end-to-end level before being shipped via CI.
Job Control
All of the Company’s employees are required to execute an employment agreement which includes confidentiality provisions as well as applicable data protection provisions binding them to comply with the Company’s policies, in particular the computer security policy. In addition, employees undergo a screening process applicable per regional law. In the event of a breach of an employee’s obligation or non-compliance with the Company’s policies, the Company includes repercussions to ensure compliance with the policies all according to the Company’s Employee’s Manual. In addition, prior to the Company’s engagement with third party contractors, the Company reviews such third party’s security policies, specifically their information data security policies to ensure it complies with the Company’s standard for data security protection. Third party contractors may solely access the Personal Data as explicitly instructed by the Company.
Data Subject Request
The Company has an online mechanism to enable individuals to submit a data subject request (“DSR”); further, the Company has implemented internal policies to handle the DSR subject to applicable data protection laws and contractual obligations.
Additional Safeguard
Measures and assurances regarding U.S. government surveillance (“Additional Safeguards”) have been implemented due to the EU Court of Justice Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems decision (“Schrems II”); these measures include the following:
- Encryption both in transit and at rest;
- As of the date of this DPA, the Company has not received any national security orders of the type described in Paragraphs 150-202 of the Schrems II decision.
- No court has found the Company to be the type of entity eligible to receive process issued under FISA Section 702: (i) an “electronic communication service provider” within the meaning of 50 U.S.C. § 1881(b)(4) or (ii) a member of any of the categories of entities described within that definition.
- The Company shall not comply with any request under FISA for bulk surveillance, i.e., a surveillance demand whereby a targeted account identifier is not identified via a specific “targeted selector” (an identifier that is unique to the targeted endpoint of communications subject to the surveillance).
- The Company shall use all available legal mechanisms to challenge any demands for data access through national security process that Company receives, as well as any non-disclosure provisions attached thereto.
- The Company will notify Customer if the Company can no longer comply with the Standard Contractual Clauses or these Additional Safeguards, without being required to identify the specific provision with which it can no longer comply.
ANNEX III
List of Sub-Processors
Name | Address | Description of the processing |
---|---|---|
Amazon Web Services Inc. (“AWS”) | Headquarters: 410 Terry Avenue North, Seattle, WA 98109-5210, ATTN; Virginia: 21155 Smith Switch Road, Ashburn, VA, United States of America; Germany: Oskar-von-Miller-Ring 20, 80333 München; Ireland: One Burlington Plaza, Burlington Road, Dublin 4, Dublin | Hosting and storage services (the Company stores the data in Germany, Ireland or USA, as applicable) |
Rybon, inc | 6500 Chase Oaks Blvd. Suite 100 Plano, TX 75023. Texas, United States of America. | Gift services |
Alchemer, LLC (previously known as Survey Gizmo) | Security and Compliance Manager, 168 Centennial Parkway, Unit #250, Louisville, Colorado, 80027. Phone: 800 609 6480. Email: compliance@alchemer.com | Survey hosting platform |
Remesh Inc. | Headquarters: 6815 Euclid Ave. Cleveland, OH 44103 United States of America; Remesh NY Office: 60 Madison Ave, Suite 1201. New York, NY 10010 United States of America. | Panelist provider |
VoxPopme Ltd | Unit 401, The Custard Factory, Gibb Street, Digbeth, Birmingham B9 4AA, England | Video Survey software provider |
Lucid holdings LLC | 365 Canal Street Suite 3100 New Orleans, LA 70130 United States of America | Panelist provider |
Dynata LLC | 6 Research Drive Shelton, CT, United States of America | Panel provider + Gift provider |
Sermo Inc | 200 Park Ave South, New York City, New York, 10003, United States of America | Panelist provider |