Data Processing Agreement

This AGREEMENT is made BETWEEN

PINEAPPLE TECHNOLOGY LTD, a company incorporated in England and Wales with company number 13093357 whose registered office is at 66 City Road, London, EC1Y 2AL (“incident.io”), and the Customer identified below (“Customer”);

each a “party” and together the “parties”.

INTRODUCTION

(A) The Customer is either the Controller or a Processor in respect of certain Personal Data and incident.io is a Processor.

(B) The Customer requires incident.io to provide certain services under incident.io’s Terms of Service (“Master Agreement”).

(C) In providing the Services for the Customer, incident.io will process some of that Personal Data on behalf of the Customer. In order to comply with DP Laws, the parties are entering into this Data Processing Agreement on the terms contained herein.

Schedule 1

DATA PROCESSING TERMS

NOW IT IS AGREED:

  1. Definitions
    1. In this Agreement, all terms used without definition have the meanings ascribed to them: first, in the Applicable Data Protection Law; second, as applicable in Schedule 2 (Jurisdiction Specific Terms); and third, in the Master Agreement.
    2. The following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
      1. “Applicable Data Protection Law” means all applicable laws, statutes, regulations, regulatory requirement, subordinate legislation or other law or mandatory guidance or code of practice; or (b) judgement of a relevant court of law, or sanction, directive, order or requirement of any regulatory authority, from time to time in force in any applicable jurisdiction;
      2. “Controller” (or data controller), “Processor” (or data processor), “Data Subject”, “international organisation”, “Personal Data” and “processing” all have the meanings given to them in DP Laws;
      3. “DP Laws” means any Applicable Data Protection Law relating to the processing, privacy, and use of Personal Data, that applies to the Customer, incident.io and/or the Services, including: (i) the General Data Protection Regulation (EU) 2016/679 (“GDPR”), (ii) the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (“UK GDPR”), (iii) the Data Protection Act 2018 as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, (iv) the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and (v) the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426), in each case, as in force and applicable, and as amended, supplemented or replaced from time to time;
      4. “Personal Data Breach” means a breach of security or other action or inaction leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Protected Data;
      5. “Protected Data” means Personal Data received from or on behalf of the Customer, or otherwise obtained or created in connection with the performance of incident.io’s obligations under this Agreement or the Master Agreement; and
      6. “Services” means any and all services to be provided by the Supplier under the Master Agreement.
  2. Processor/Controller

    The parties agree that, in respect of Protected Data, the Customer shall be either the Controller or a Processor and incident.io shall be a Processor.
  3. Compliance
    1. Each party shall comply with DP Laws and their respective obligations under this Agreement.
    2. Intentionally omitted.
    3. The Customer warrants that:
      1. it will be solely responsible for ensuring the lawfulness of processing the personal data of its data subjects in order for incident.io to process the personal data;
      2. incident.io will have no liability for failure to obtain any consents or authorisations prior to the processing of personal data in connection with this Agreement and/or performance of the Services;
      3. it has provided each data subject with appropriate information as to how incident.io will process the personal data; and
      4. that it has reviewed the technical and organisational security measures incident.io applies when it processes personal data and that it deems them appropriate and has taken steps to ensure that any data it or its affiliates and agents pass to incident.io are transferred securely.
  4. Processing Instructions
    1. The details of the Protected Data processing carried out by incident.io are set out in Appendix 1 to this Agreement.
    2. incident.io shall:
      1. process the Protected Data only in accordance with the Customer’s written instructions and only as required to perform its obligations under this Agreement;
      2. immediately inform the Customer:
        1. a. of any requirement under the Applicable Data Protection Law that would require incident.io to process the Protected Data other than on the Customer’s written instructions, or
        2. b. if the Customer’s written instructions are either unlawful or do not comply with the DP Laws;
      3. implement and maintain appropriate technical and organisational measures in relation to its processing of Protected Data so as to ensure a proportionate level of security in respect of the possible risk posed to the Protected Data;
      4. not engage any sub-processor for carrying out any processing activities in respect of the Protected Data without the consent of the Customer except those sub-processors set out in Appendix 1 to this Agreement which, by signature of this Agreement, the Customer authorises the appointment of. Following the Effective Date, any change to the sub-processors will be notified (email sufficient) to Customer ten (10) days in advance and during such ten (10) day period Customer may object in writing to such change. Customer’s failure to object during such period shall be deemed to be Customer’s consent;
      5. if the Customer gives its consent, incident.io shall appoint such sub-processor under a binding written contract which imposes data protection obligations which are no less onerous than those set out in this Agreement on the sub-processor;
      6. be liable for the acts and omissions of its sub-processors to the extent that incident.io would be liable if performing the services of each sub-processor directly under this Agreement;
      7. ensure that its personnel processing Protected Data have committed themselves to confidentiality obligations;
      8. at all times take reasonable steps to ensure the reliability of those of its personnel who have access to the Protected Data and shall use reasonable endeavours to ensure their compliance with the obligations set out in this Agreement;
      9. provide reasonable assistance as the Customer reasonably requires, information and cooperation to the Customer to ensure compliance with its obligations under the DP Laws, including with respect to (a) security of processing; (b) notification by the data controller of breaches to the appropriate supervisory authority or data subjects; (c) data protection impact assessments and prior consultation with the appropriate supervisory authority regarding high risk processing; and (d) handling of data subject rights requests.
      10. refer any communications, requests or queries from data subjects or a competent regulatory authority relating to the Protected Data to the Customer within 5 business days of receipt;
      11. not transfer any Protected Data to any country outside the United Kingdom or the European Economic Area unless the Customer consents to such transfer, it is on the basis of a European Commission or United Kingdom adequacy decision or appropriate safeguards are in place, in accordance with the DP Laws and shall provide details of any such transfers to the other party promptly on request;
      12. maintain, in accordance with DP Laws, written records of all categories of processing activities carried out on behalf of the Customer;
      13. make available to the Customer the information necessary to demonstrate its compliance with the DP Laws to the extent such information is not already available to the Customer.
      14. allow for and contribute to audits, including inspections, carried out by or on behalf of the Customer (subject to reasonable confidentiality undertakings) to determine incident.io’s compliance with its obligations under DP Laws insofar as such processing relates to Protected Data and provided that: (a) such audits/inspections shall be carried out no more than once per calendar year unless otherwise directed by a regulatory authority; (b) shall require reasonable advance written notice and shall be carried out during normal working hours on a business day in a manner that does not unreasonably disrupt the data controller’s operations; and (c) shall not entail access to information concerning other clients of incident.io or information that incident.io is legally prohibited from disclosing;
      15. notify the Customer of any Personal Data Breach (and provide the Customer with details of such breach) without undue delay; and
      16. at the choice of the Customer, delete or return all the Protected Data to the Customer after the termination of the Agreement, unless Applicable Data Protection Law requires continued storage of the Protected Data.
  5. Liability
    1. Nothing in this agreement limits any liability which cannot legally be limited, including but not limited to liability for:
      1. death or personal injury caused by negligence; and
      2. fraud or fraudulent misrepresentation.
    2. No party shall be liable to the other party for any losses, damages, costs (including reasonable legal costs on an indemnity basis) and expenses, in each case of any nature whatsoever, that are not reasonably foreseeable or any loss or damage of any kind that is, in either case, indirect or consequential damages, in each case, whether in contract, tort (including negligence), or otherwise, that arise under or in connection with this Agreement.
  6. Term
    1. This Agreement will commence on the last date of signature and shall continue in full force and effect until the later of:
      1. the termination or expiration of the Master Agreement; or
      2. the termination of the last of the Services to be performed pursuant to the Master Agreement.
    2. Any provision of this Agreement that expressly or by implication should come into or continue in force on or after termination of the Master Agreement in order to protect the Protected Data will remain in full force and effect.
  7. General
    1. Neither party may at any time assign, transfer, mortgage, charge, subcontract or deal in any other manner with all or any of its rights or obligations under this Agreement without the prior written consent of the other party (such consent not to be unreasonably withheld or delayed).
    2. With the exception of the Master Agreement, this Agreement constitutes the entire agreement between the parties and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter.
    3. No variation of this Agreement, including the introduction of any additional terms and conditions, shall be effective unless it is in writing and signed by the parties (or their authorised representatives).
    4. A waiver of any right or remedy is only effective if given in writing and shall not be deemed a waiver of any subsequent breach or default. A delay or failure to exercise, or the single or partial exercise of, any right or remedy shall not (i) waive that or any other right or remedy, or (ii) prevent or restrict the further exercise of that or any other right or remedy.
    5. If any provision or part-provision of this Agreement is or becomes invalid, illegal or unenforceable, it shall be deemed modified to the minimum extent necessary to make it valid, legal and enforceable. If such modification is not possible, the relevant provision or part-provision shall be deemed deleted. Any modification to or deletion of a provision or part-provision under this clause shall not affect the validity and enforceability of the rest of this Agreement.
    6. This Agreement does not confer on any person other than the parties any right to enforce or otherwise invoke any term of this Agreement under the Contracts (Rights of Third Parties) Act 1999.
    7. The parties shall pay their own costs in connection with the negotiation, preparation and execution of this Agreement.
    8. This Agreement may be executed in any number of counterparts, each of which will be deemed an original, but all of which together will constitute one and the same document.
    9. This Agreement, and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with English Law, and the parties hereby irrevocably submit to the exclusive jurisdiction of the courts of England and Wales.

Appendix 1

DATA PROCESSING DETAILS

Description of processing: Providing a product to facilitate incident management within the applicable Communications Platform.
Length of processing: Data will be held for the period in which services are provided by incident.io to the Customer. When a contract with the Customer is terminated, incident.io will remove any data within 14 days.
Purpose of processing: Providing a product to facilitate incident management within the applicable Communications Platform.
Showing user names and profile pictures in the app and enabling the functionality of the app.
Types of Personal Data being processed: Basic information, such as:
  • The name of your company, and the Communications Platform Team ID of your Communications Platform workspace. We use the installation to store an access token that grants us the permissions necessary to deliver the functionality of the app (for an up-to-date list of permissions, please see our Security FAQ).
  • The name, user ID for the applicable Communications Platform, profile pictures and avatar URL of users who interact with the web app, or the bot.
Information that enables user functionality, such as:
  • A description of an action (a task that you would like someone to do during or after an incident), the current state of that action (outstanding, or completed), and who is assigned to be the owner of that action.
  • The name of an incident, the summary description of the incident, the severity of the incident, the URL of any document that you set to be associated with an incident, and the URL of any video conferencing call you set to be associated with an incident. We cannot view this document, or the call, as they are URLs: they should be internal to your organisation.
Information regarding usage or exposure to messages related to our app, such as:
  • Who and when people joined or left incident channels (so we can determine who was involved in the incident at a particular time)
  • Who and when people sent messages in incident channels (so we can determine who is participating in the incident — we do not store the content of these messages)
  • Who and when someone pinned a message within the applicable Communications Platform; and
  • Who and when someone posted a message containing a link to a third party of interest (such as GitHub, or Sentry).
incident.io also generates auto-generated IDs that link all of the entities together. incident.io may anonymise usage data and use the anonymised data for its own purposes.
Types of Data Subjects: Current personnel / employees who have an account with the applicable Communications Platform.
Additional instructions: incident.io takes user names and profile pictures of employees from the applicable Communications Platform, and shows them in the incident.io app. incident.io stores them both in a managed database and storage buckets, in Google Cloud Platform, both of which are encrypted at rest. Access to Google Cloud Platform is limited to incident.io staff, and all accounts are password protected, and protected by 2FA (two factor authentication).

For sub-processors located outside the European Economic Area, the transfer of personal data shall be done according to the regulation on transfers to third countries in Article 45 to 47 and 49 of the GDPR or the UK GDPR (as applicable).

incident.io is hereby authorised to enter into the standard contractual clauses (Module Three - Processor to Processor) for the transfer of personal data to processors established in third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council as notified under document C/2021/3972 (“Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

LIST OF AUTHORISED SUB-PROCESSORS

| Name | Location | Description of Processing |
| --- | --- | --- |
| Google | European Regions | Cloud Infrastructure |
| Intercom | United States | Customer Support |
| Slack | United States | Customer Support |
| Fivetran | United States | Analytics Infrastructure Provider |
| Metabase | United States | Analytics Infrastructure Provider |
| OpenAI | United States | Artificial Intelligence Provider |
| Recall | United States | Transcription |
| Hex | United States | Data Analytics Tool |
| Explo | United States | Data Analytics Tool |
| Omni | United States | Data Analytics Tool |
| Twilio | United States | Text Message Delivery Service |
| WorkOS | United States | SCIM/SAML Authentication Flows |
| Sentry | United States | Exception Tracking |
| Svix | United States | Send Product Webhooks |
| Microsoft Teams (for clients using Microsoft Teams as their Communications Platform) | United Kingdom | Customer Support |

Appendix 2

TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, incident.io shall implement measures to ensure an appropriate level of security for the provision of the Services. These measures shall include but are not limited to the following:

  • Ensuring incident.io’s production systems can only be remotely accessed by authorised employees via an approved encrypted connection;

  • Encryption of data at incident.io’s datastores;

  • Logging of system activity;

  • Regular pen testing of the Services; and

  • SOC2 type II compliance.

Where applicable, this Appendix 2 will serve as Annex II to the Standard Contractual Clauses.

Appendix 3

CROSS BORDER DATA TRANSFER MECHANISMS

  1. Definitions
    • “EC” means the European Commission
    • “EEA” means the European Economic Area
    • “Standard Contractual Clauses” means, depending on the circumstances unique to Customer, any of the following:
      • a. UK International Data Transfer Agreement, and
      • b. EU Standard Contractual Clauses
    • “UK International Data Transfer Agreement” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022, and
    • “EU Standard Contractual Clauses” means the Standard Contractual Clauses approved by the European Commission in decision 2021/914.
  2. Cross Border Data Transfer Mechanisms.
    2.1 Order of Precedence. In the event the Services are covered by more than one Transfer Mechanism, the transfer of Personal Data will be subject to a single Transfer Mechanism in accordance with the following order of precedence: (a) the UK International Data Transfer Agreement as set forth in Section 2.2 (UK International Data Transfer Agreement) or Section 2.3 (EU Standard Contractual Clauses) of this Appendix 3; and, if (a) is not applicable, then (b) other applicable data Transfer Mechanisms permitted under Applicable Data Protection Law.
    2.2 UK International Data Transfer Agreement. The parties agree that the UK International Data Transfer Agreement will apply to Personal Data that is transferred via the Services from the United Kingdom, either directly or via onward transfer, to any country or recipient outside of the United Kingdom that is not recognized by the competent United Kingdom regulatory authority or governmental body for the United Kingdom as providing an adequate level of protection for Personal Data. For data transfers from the United Kingdom that are subject to the UK International Data Transfer Agreement, the UK International Data Transfer Agreement will be deemed entered into (and incorporated into this Addendum by this reference) and completed as follows:

      (a) In Table 1 of the UK International Data Transfer Agreement, the parties’ details and key contact information are located in Section 2.3 (c)(vi) of this Appendix 3.

      (b) In Table 2 of the UK International Data Transfer Agreement, information about the version of the Approved EU SCCs, modules and selected clauses which this UK International Data Transfer Agreement is appended to is located in Section 2.3 (EU Standard Contractual Clauses) of this Appendix 3.

      (c) In Table 3 of the UK International Data Transfer Agreement:
      1. The list of Parties is located in Section 2.3(c)(vi) of this Appendix 3.
      2. The description of the transfer is set forth in Appendix 1 (Data Processing Details) of this DPA.
      3. Annex II is located in Appendix 2 (Technical and Organisational Security Measures) of this DPA.
      4. The list of sub-processors is set forth in Appendix 1 (Data Processing Details) of this DPA.

      (d) In Table 4 of the UK International Data Transfer Agreement, both the Importer and the exporter may end the UK International Data Transfer Agreement in accordance with the terms of the UK International Data Transfer Agreement.
    2.3 EU Standard Contractual Clauses. The parties agree that the EU Standard Contractual Clauses will apply to Personal Data that is transferred via the Services from the European Economic Area or Switzerland, either directly or via onward transfer, to any country or recipient outside the European Economic Area or Switzerland that is not recognized by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection for Personal Data. For data transfers from the European Economic Area that are subject to the EU Standard Contractual Clauses, the EU Standard Contractual Clauses will be deemed entered into (and incorporated into this DPA by this reference) and completed as follows:

      (a) Module Two (Controller to Processor) of the EU Standard Contractual Clauses will apply where Customer is a controller of Personal Data and incident.io is processing Personal Data.

      (b) Module Three (Processor to Processor) of the EU Standard Contractual Clauses will apply where Customer is a processor of Personal Data and incident.io is processing Personal Data.

      (c) For each Module, where applicable:

      (i) in Clause 7 of the EU Standard Contractual Clauses, the optional docking clause will not apply;

      (ii) in Clause 9 of the EU Standard Contractual Clauses, Option 2 will apply and the time period for prior notice of subprocessor changes will be as set forth in Section 6 (Subprocessors) of this DPA;

      (iii) in Clause 11 of the EU Standard Contractual Clauses, the optional language will not apply;

      (iv) in Clause 17 (Option 1), the EU Standard Contractual Clauses will be governed by Irish law;

      (v) in Clause 18(b) of the EU Standard Contractual Clauses, disputes will be resolved before the courts of Ireland;

      (vi) in Annex I, Part A of the EU Standard Contractual Clauses:

      • Data Exporter: Customer.

      • Contact Details: The email address(es) designated by Customer in Customer’s account via its notification preferences.

      • Data Exporter Role: The Data Exporter’s role is set forth in Schedule 1 (Data Processing Terms) of this DPA.

      • Signature and Date: By entering into the Master Agreement, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Master Agreement.

      • Data Importer: Pineapple Technology Ltd

      • Contact details: incident.io Privacy Team – privacy@incident.io.

      • Data Importer Role: Data Processor.

      • Signature and Date: By entering into the Services Agreement, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the Services Agreement.

      (vii) in Annex I, Part B of the EU Standard Contractual Clauses:

      • The categories of data subjects are described in Appendix 1 (Data Processing Details) of this DPA.

      • The Sensitive Information transferred is described in Appendix 1 (Data Processing Details) of this DPA.

      • The frequency of the transfer is a continuous basis for the duration of the Master Agreement.

      • The nature of the processing is described in Appendix 1 (Data Processing Details) of this DPA.

      • The purpose of the processing is described in Appendix 1 (Data Processing Details) of this DPA.

      • The period for which the Personal Data will be retained is described in Appendix 1 (Data Processing Details) of this DPA.

      • For transfers to subprocessors, the subject matter, nature, and duration of the processing is set forth in Appendix 1 (Data Processing Details) of this DPA.

      (viii) in Annex I, Part C of the EU Standard Contractual Clauses: The Irish Data Protection Commission will be the competent supervisory authority.

      (ix) Appendix 2 (Technical and Organisational Security Measures) of this DPA serves as Annex II of the EU Standard Contractual Clauses.

    2.4 Conflict. To the extent there is any conflict or inconsistency between the EU Standard Contractual Clauses or UK International Data Transfer Agreement and any other terms in this Addendum, including Schedule 2 (Jurisdiction Specific Terms), or the Master Agreement, the provisions of the EU Standard Contractual Clauses or UK International Data Transfer Agreement, as applicable, will prevail.

Schedule 2

JURISDICTION SPECIFIC TERMS

1. Australia:

1.1 The definition of “Applicable Data Protection Law” includes the Australian Privacy Principles and the Australian Privacy Act (1988).

1.2 The definition of “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Law.

1.3 The definition of “Sensitive Information” includes “Sensitive Information” as defined under Applicable Data Protection Law.

2. Brazil:

2.1 The definition of “Applicable Data Protection Law” includes the Lei Geral de Proteção de Dados (LGPD).

2.2 The definition of “Security Breach” includes a security incident that may result in any relevant risk or damage to data subjects.

2.3 The definition of “processor” includes “operator” as defined under Applicable Data Protection Law.

3. California:

3.1 The definition of “Applicable Data Protection Law” includes the California Consumer Privacy Act (CCPA).

3.2 The definition of “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Law and, for clarity, includes any Personal Information contained within Customer Account Data, Personal Data, and Customer Usage Data.

3.3 The definition of “Data Subject” includes “Consumer” as defined under Applicable Data Protection Law. Any data subject rights, as described in Section 4 (Processing Instructions) of this DPA, apply to Consumer rights. In regards to data subject requests, incident.io can only verify a request from Customer and not from Customer’s end user or any third party.

3.4 The definition of “controller” includes “Business” as defined under Applicable Data Protection Law.

3.5 The definition of “processor” includes “Service Provider” as defined under Applicable Data Protection Law.

3.6 incident.io will process, retain, use, and disclose Personal Data only as necessary to provide the Services under the Master Agreement, which constitutes a business purpose. incident.io agrees not to (a) sell (as defined by the CCPA) Customer’s Personal Data or Customer end users’ Personal Data; (b) retain, use, or disclose Customer’s Personal Data for any commercial purpose (as defined by the CCPA) other than providing the Services; or (c) retain, use, or disclose Customer’s Personal Data outside of the scope of the Master Agreement. incident.io understands its obligations under Applicable Data Protection Law and will comply with them.

3.7 incident.io certifies that its subprocessors, as described in Section 4 (Processing Instructions) of this DPA, are Service Providers under Applicable Data Protection Law, with whom incident.io has entered into a written contract that includes terms substantially similar to this DPA. incident.io conducts appropriate due diligence on its subprocessors.

3.8 incident.io will implement and maintain reasonable security procedures and practices appropriate to the nature of the Personal Data it processes as set forth in Section 4 (Processing Instructions) of this DPA.

4. Canada:

4.1 The definition of “Applicable Data Protection Law” includes the Federal Personal Information Protection and Electronic Documents Act (PIPEDA).

4.2 incident.io’s subprocessors, as described in Section 4 (Processing Instructions) of this DPA, are third parties under Applicable Data Protection Law, with whom incident.io has entered into a written contract that includes terms substantially similar to this DPA. incident.io has conducted appropriate due diligence on its subprocessors.

4.3 incident.io will implement technical and organisational measures as set forth in Section 4 (Processing Instructions) of this DPA.

5. European Economic Area (EEA):

5.1 The definition of “Applicable Data Protection Law” includes the General Data Protection Regulation (EU 2016/679) (“GDPR”).

5.2 When incident.io engages a subprocessor under Section 4 (Processing Instructions) of this DPA, it will:

(a) require any appointed subprocessor to protect the Personal Data to the standard required by Applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR, and

(b) require any appointed subprocessor to (i) agree in writing to only process Personal Data in a country that the European Union has declared to have an “adequate” level of protection or (ii) only process Personal Data on terms equivalent to the Standard Contractual Clauses or pursuant to a Binding Corporate Rules approval granted by competent European Union data protection authorities.

5.3 Notwithstanding anything to the contrary in this DPA or in the Master Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any GDPR fines issued or levied under Article 83 of the GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the GDPR.

6. Israel:

6.1 The definition of “Applicable Data Protection Law” includes the Protection of Privacy Law (PPL).

6.2 The definition of “controller” includes “Database Owner” as defined under Applicable Data Protection Law.

6.3 The definition of “processor” includes “Holder” as defined under Applicable Data Protection Law.

6.4 incident.io will require that any personnel authorised to process Personal Data comply with the principle of data secrecy and have been duly instructed about Applicable Data Protection Law. Such personnel sign confidentiality agreements with incident.io in accordance with Section 4 (Processing Instructions) of this DPA.

6.5 incident.io must take sufficient steps to ensure the privacy of data subjects by implementing and maintaining the security measures as specified in Section 4 (Processing Instructions) of this DPA and complying with the terms of the Master Agreement.

6.6 incident.io must ensure that the Personal Data will not be transferred to a subprocessor unless such subprocessor has executed an agreement with incident.io pursuant to Section 4 (Processing Instructions) of this DPA.

7. Japan:

7.1 The definition of “Applicable Data Protection Law” includes the Act on the Protection of Personal Information (APPI).

7.2 The definition of “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Law.

7.3 The definition of “controller” includes “Business Operator” as defined under Applicable Data Protection Law. As a Business Operator, incident.io is responsible for the handling of Personal Data in its possession.

7.4 The definition of “processor” includes a business operator entrusted by the Business Operator with the handling of Personal Data in whole or in part (also a “trustee”), as described under Applicable Data Protection Law. As a trustee, incident.io will ensure that the use of the entrusted Personal Data is securely controlled.

8. Mexico:

8.1 The definition of “Applicable Data Protection Law” includes the Federal Law for the Protection of Personal Data Held by Private Parties and its Regulations (FLPPIPPE).

8.2 When acting as a processor, incident.io will:

(a) treat Personal Data in accordance with Customer’s instructions set forth in Section 4 (Processing Instructions) of this DPA;

(b) process Personal Data only to the extent necessary to provide the Services;

(c) implement security measures in accordance with Applicable Data Protection Law and Section 4 (Processing Instructions) of this DPA;

(d) keep confidentiality regarding the Personal Data processed in accordance with the Master Agreement;

(e) delete all Personal Data upon termination of the Master Agreement; and

(f) only transfer Personal Data to subprocessors in accordance with Appendix 1 (Data Processing Details) of this DPA.

9. Singapore:

9.1 The definition of “Applicable Data Protection Law” includes the Personal Data Protection Act 2012 (PDPA).

9.2 incident.io will process Personal Data to a standard of protection in accordance with the PDPA by implementing adequate technical and organisational measures as set forth in Section 4 (Processing Instructions) of this DPA and complying with the terms of the Master Agreement.

10. Switzerland:

10.1 The definition of “Applicable Data Protection Law” includes the Swiss Federal Act on Data Protection.

10.2 When incident.io engages a subprocessor under Section 4 (Processing Instructions) of this DPA, it will:

(a) require any appointed subprocessor to protect the Personal Data to the standard required by Applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR, and

(b) require any appointed subprocessor to (i) agree in writing to only process Personal Data in a country that the European Union has declared to have an “adequate” level of protection or (ii) only process Personal Data on terms equivalent to the Standard Contractual Clauses or pursuant to a Binding Corporate Rules approval granted by competent European Union data protection authorities.

11. United Kingdom (UK):

11.1 References in this DPA to GDPR will to that extent be deemed to be references to the corresponding laws of the United Kingdom (including the UK GDPR and Data Protection Act 2018).

11.2 When incident.io engages a subprocessor under Section 4 (Processing Instructions) of this DPA, it will:

(a) require any appointed subprocessor to protect the Personal Data to the standard required by Applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR; and

(b) require any appointed subprocessor to (i) agree in writing to only process Personal Data in a country that the United Kingdom has declared to have an “adequate” level of protection or (ii) only process Personal Data on terms equivalent to the Standard Contractual Clauses or pursuant to a Binding Corporate Rules approval granted by competent United Kingdom data protection authorities.

11.3 Notwithstanding anything to the contrary in this DPA or in the Master Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any UK GDPR fines issued or levied under Article 83 of the UK GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the UK GDPR.