Data Processing Agreement
This Data Processing Addendum (“Addendum”) to the Master Subscription Agreement (“Agreement”) sets out the data privacy, data protection, and data security obligations applicable to Loop Now Technologies, Inc. and its affiliates’ (collectively “Service Provider”) Processing (defined below) of Personal Data (defined below) on behalf of Customer as well as any of its Affiliates (collectively, “Data Controller”) that receive Processing Services (defined below) under the Agreement.
1. Processing of Personal Data
- Data Controller is and shall remain the controller of all information provided by Data Controller to Service Provider or collected by Service Provider under the Agreement that identifies or can be used to directly or indirectly identify, describe, contact, locate, or otherwise be related to or associated with an individual or household (“Personal Data”) under applicable data privacy, data protection, and data security laws and regulations governing the Processing of Personal Data (collectively, “Applicable Data Protection Law(s)”). Personal Data does not include Personal Data Processed by Service Provider in Service Provider’s capacity as a controller. Data Controller maintains the rights and obligations to determine the purposes for which Personal Data is processed (which includes but is not limited to, collection, recording, storage, use, access, transmission, and the means by which Personal Data may be transferred to a third country or international organization) (“Process” or “Processing”). Nothing in this Addendum shall restrict or limit in any way Data Controller’s rights or obligations as controller of Personal Data for such purposes.
- Service Provider shall only Process Personal Data in accordance with the instructions of and on behalf of Data Controller, as necessary to carry out the purposes of the Agreement in accordance with Annex A, or as otherwise authorized by Data Controller in writing (“Processing Services”), and for no other purpose. Service Provider shall not engage in the sale of Personal Data. Where an Applicable Data Protection Law requires Service Provider to Process Personal Data under terms other than those of this Addendum, or other written instructions of Data Controller, Service Provider shall notify Data Controller of such legal requirement before Processing in accordance with the legal requirement, unless applicable law prohibits disclosure. In addition, Service Provider shall notify Data Controller if, in Service Provider’s assessment, any of Data Controller’s instructions infringe Applicable Data Protection Laws, unless applicable law prohibits disclosure.
- Service Provider shall promptly notify Data Controller in writing of any request, complaint, claim, or other communication received by Service Provider as well as authorized agents, subcontractors, or other third parties authorized by Data Controller to Process Personal Data (“Subprocessor(s)”) regarding Personal Data: (i) from an individual who is (or claims to be) the data subject of the Personal Data; (ii) from any data protection authority, law enforcement agency, or other government authority; and/or (iii) from Data Controller’s employees or other third parties, other than those set forth in this Addendum. Unless prohibited by applicable law, Service Provider shall notify Data Controller of any such request and shall obtain Data Controller’s express written consent before disclosing or sharing any Personal Data in response to such requests, and Service Provider shall respond to such requests only when authorized by Data Controller to do so. Subject to applicable law, in the event Service Provider receives any request from a governmental authority in any jurisdiction that requires the disclosure of Personal Data to such governmental authority, Service Provider shall attempt to redirect the governmental authority to request such Personal Data directly from Data Controller. Notwithstanding anything to the contrary, however, Service Provider shall also reasonably cooperate with and provide reasonable assistance to Data Controller and its affiliates, agents, Subprocessors, and representatives in responding to requests, inquiries, claims, and complaints regarding the Processing of Personal Data.
- Service Provider warrants that any persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Upon request, Service Provider shall provide reasonable cooperation and assistance to Data Controller in ensuring compliance with data security obligations, as well as in carrying out any data protection impact assessment or similar activity, including but not limited to providing a systemic description of the envisaged Processing operations, reasonable assistance with an assessment of the risks to the rights and freedoms of the data subjects to whom the Personal Data relates, and/or reasonable assistance with an assessment of the necessity and proportionality of the Processing operations in relation to the underlying purpose. Service Provider shall also reasonably cooperate and provide any assistance or information reasonably requested and needed for Data Controller to engage in consultations with regulatory authorities or otherwise respond to requests for information from such authorities.
2. Technical and Organizational Security Measures
Service Provider shall implement and maintain a written information security program (“Information Security Program”) that includes appropriate administrative, technical, organizational, and physical safeguards to protect Personal Data, including, as appropriate: (i) the pseudonymization and encryption of electronic Personal Data in transit and the hashing of electronic Personal Data at rest; (ii) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services, including against unauthorized access, use, disclosure, alteration, or destruction of Personal Data; (iii) the ability to timely restore the availability and access to the Personal Data in the event of a physical or technical incident; and (iv) a process for regularly assessing, and evaluating the effectiveness of the administrative, technical, organizational, and physical measures for ensuring the security of the Processing.
3. Security Incident
- Notwithstanding any provisions in this Addendum or the Agreement to the contrary, Service Provider shall notify Data Controller promptly in writing, but no later than forty-eight (48) hours after discovery (unless a shorter time period is required by Applicable Data Protection Law) in the event: (i) Service Provider becomes aware that any Personal Data is Processed by Service Provider (including its Subprocessors) in violation of this Addendum or Applicable Data Protection Law; (ii) Service Provider (including its Subprocessors) discovers, is notified of, or reasonably suspects a breach of security leading to, or that may potentially lead to, the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data; or (iii) Service Provider becomes aware that there have been any formal complaints about the Service Provider’s (including its Subprocessors’) data privacy, data protection, or data security practices (collectively, “Security Incident”).
- Service Provider shall reasonably cooperate in the investigation and remediation of the Security Incident, and take reasonable measures to limit further unauthorized disclosure or Processing of Personal Data in connection with the Security Incident.
4. Subprocessors
The parties agree that Service Provider has general authorization to utilize Subprocessors and for those Subprocessors to use Subprocessors. Annex C to this Addendum includes a current list of Subprocessors used by Service Provider. Service Provider shall inform Data Controller if there are any changes concerning the addition or replacement of such Subprocessors. Service Provider shall remain at all times responsible for and fully liable to Data Controller for the Subprocessors’ performance of its obligations. Service Provider shall also ensure that each Subprocessor is capable of providing the level of protection for Personal Data as is required by this Addendum and enter into a binding written agreement with each Subprocessor that imposes the same or greater obligations as Service Provider’s obligations as set forth under this Addendum.
5. Data Subject Rights
Service Provider shall promptly notify Data Controller if Service Provider receives a request from a data subject with respect to their Personal Data and Service Provider shall reasonably assist Data Controller by implementing appropriate administrative, technical, and organizational measures for responding to such requests. Data Controller shall determine whether or not a data subject has a right to exercise any data subject rights referenced above or under Applicable Data Protection Law with respect to their Personal Data, and give instructions to Service Provider to the extent reasonable assistance is required.
6. Audit Rights
Service Provider shall keep full and accurate records relating to all Processing of Personal Data on behalf of Data Controller as part of the Processing Services, and Data Controller may request, upon ten (10) days written notice to Service Provider, an audit, through itself or through an independent third-party auditor. The audit may be carried out once in any calendar year. Audits shall be subject to all applicable confidentiality obligations agreed to by Data Controller and Service Provider, and any independent auditor shall be required to enter into a non-disclosure agreement with Service Provider, containing confidentiality provisions substantially similar to those set forth in the Agreement to protect Service Provider’s confidential and proprietary information. Audits shall be conducted in a manner that minimizes any disruption of Service Provider’s performance of services and other normal operations. For the avoidance of doubt, any information disclosed by Service Provider in connection with this Addendum will be subject to the confidentiality (including non-use) provisions in the Agreement.
7. Cross-Border Transfers from EEA
- EU Standard Contractual Clauses. To the extent required by Applicable Data Protection Laws, the parties agree that the clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”) will apply to Personal Data that is transferred under the Agreement from the European Economic Area or Switzerland, either directly or via onward transfer, to any country or recipient outside the European Economic Area or Switzerland that is not recognized by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection for Personal Data ("Restricted Transfer"). For data transfers from the European Economic Area that are subject to the EU SCCs, the EU SCCs, Module 2 (Controller to Processor), will be deemed entered into (and incorporated into this Addendum by this reference) and completed as follows:
- In Clause 7, the optional docking clause will apply;
- In Clause 9, Option 2 will apply and the time period for notice of Subprocessor changes will be as set forth in Section 4 (Subprocessors) of this Addendum;
- In Clause 11, the optional redress language will not apply;
- In Clause 13(a), all three options may be retained and apply, depending on the circumstances, and as relevant where the transfer falls within the territorial scope of the Regulation (EU) 2016/679;
- In Clause 17, the EU SCCs will be governed by Irish law;
- In Clause 18(b), disputes will be resolved before the courts of Ireland; and
- Annex A (Description of Processing) of this Addendum serves as Annex I of the EU SCCs; Annex B (Technical and Organizational Security Measures Implemented by the Service Provider) of this Addendum serves as Annex II of the EU SCCs and Annex C (List of Subprocessors) serves as Annex III of the EU SCCs.
Additionally, signature to this Addendum shall constitute all necessary and required signatures to the EU SCCs.
- UK Addendum. In relation to Personal Data that is protected by Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of the European Union (Withdrawal) Act 2018 (the "UK GDPR"), the "UK Addendum to the EU Standard Contractual Clauses" ("UK Addendum") shall apply. To the extent that the UK Addendum applies, Annexes A, B, and C of this Addendum shall also apply. For data transfers from the United Kingdom that are subject to the UK Addendum, the UK Addendum will be deemed entered into (and incorporated into this Addendum by this reference) and completed as follows:
- For Table One, the details as set out in Annex A of this Addendum shall apply;
- For Table Two, the check-box referring to the following shall apply:
- “The Approved EU SCCs, including the Appendix Information and with only the modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of the UK Addendum.”
- Within the table, Module 2 shall apply and shall be filled out in the same way as the EU SCCs as filled out in Section 6(a) (EU Standard Contractual Clauses) above.
- For Table Three, the following shall apply to the referenced columns: Annex A (Description of Processing) of this Addendum shall apply to the columns entitled Annex IA and Annex IB; Annex B (Technical and Organizational Security Measures Implemented by the Service Provider) of this Addendum shall apply to the column entitled Annex II; and Annex C (List of Subprocessors) shall apply to the column entitled Annex III.
- For Table Four, only the exporter shall have the right to terminate this Addendum.
Additionally, signature to this Addendum shall constitute all necessary and required signatures to the UK Addendum.
8. Post-Termination
Notwithstanding any other provision of the Agreement or this Addendum to the contrary, when Service Provider (including its Subprocessors) ceases to perform Processing Services for Data Controller upon termination of the Agreement or otherwise (e.g. per the request or explicit instruction of Data Controller), Service Provider shall, if requested by Data Controller and within sixty (60) days of the request: (i) return Personal Data (and all media containing copies of Personal Data) to Data Controller; and/or (ii) securely purge, delete, and destroy Personal Data to the extent practicable, unless legislation imposed upon Service Provider prevents it from returning or destroying all or part of Personal Data transferred. Electronic media containing Personal Data shall be disposed of in a manner that renders Personal Data unrecoverable.
9. Entry into Addendum
Each Data Controller entity that will receive Processing Services under the Agreement shall be entitled to and bound by the rights and obligations of this Addendum and shall have the right to be added as a signatory to this Addendum, and Data Controller shall have the authority to sign this Addendum on its affiliates’ behalves. Notwithstanding anything to the contrary, however, each Data Controller entity shall exercise its rights under this Addendum through the Data Controller entity that is an original signatory to this Addendum, unless otherwise required by Applicable Data Protection Law. Regardless, Service Provider is bound by and required to observe any and all obligations of this Addendum towards each Data Controller entity added to this Addendum.
10. Counterparts
This Addendum may be executed in one or more counterparts, each of which will be deemed an original, but all of which taken together will constitute one and the same agreement.