Transfers to Sub-Processors. The subject matter and nature of the Processing by Sub-processors are as specified in Annex C of the DPA. The duration of the Processing carried out by the Sub-processors will be until thirty (30) days following the termination or expiration of the Agreement unless otherwise agreed. Competent Supervisory Authority: Customer’s competent Supervisory Authority will be determined in accordance with the applicable Data Protection Laws. [End of Annex B] ANNEX C List of Sub-processors Entity Name Purpose of Processing Processed Data Location OpenAI, LLC Hosting of large language models Customer Personal Data United States Amazon Web Services, Inc. Servers, storage, and databases Customer Personal Data United States Google LLC (GSuite) Back-office operations Customer Personal Data, specifically emails between Company and Customer United States Google LLC (Google Analytics) Tracking users on marketing site Customer Personal Data, specifically anonymized marketing website behavior United States Stripe, Inc. Payment service provider Customer Personal Data: Email, Name, and Billing information United States [End of Annex C] ANNEX D EU Standard Contractual Clauses ANNEX
Transfers to Sub-Processors. The authorised sub-processors, and the nature of the processing performed by each one is set out in Annex III. The processing shall be for the duration of the agreement with the Partner unless GOLF notifies the Partner of a change in sub-processor pursuant to clause 1.4.6.
Transfers to Sub-Processors. The subject matter and nature of the processing by Sub-processors are as specified in Appendix C of the DPA. The duration of the processing carried out by the Sub-processors will be as set forth in the Agreement and the DPA.
Transfers to Sub-Processors. The transfer to Sub-Processors is as described at xxx.xxxxx.xxx/xxxxx Sub-Processors.
Transfers to Sub-Processors. Please refer to a list of sub-Processors made available on Company’s website . Appendix 2 to Data Processing Agreement Security Measures Company has implemented and will maintain the following security measures to safeguard security of Transferred Personal Data, which in conjunction with the obligations in this DPA, are Company’s only responsibility with respect to the security of that data. Organization of Information Security Security Roles and Responsibilities. Company’s Authorised Personnel with access to Transferred Personal Data are informed of the confidential nature of the Transferred Personal Data and are bound by confidentiality obligations. Risk Management Program. Company performed a risk assessment before processing the Transferred Personal Data or launching the Solution. Asset Management Asset Inventory. Company maintains an inventory of all media on which Transferred Personal Data is stored. Access to the inventories of such media is restricted to Authorised Personnel. Asset Handling - Company applies data classification and levelled protection on Transferred Personal Data to help identify it and to allow for access to it to be appropriately restricted. - Company’s Authorised Personnel must obtain Company authorization prior to storing Transferred Personal Data on portable devices, remotely accessing such data, or processing such data outside Company’s facilities. Human Resources Security Background Check. Company performs a background and qualification check towards Authorised Personnel, to the extent permitted by applicable law. Authorised Personnel are required to agree to the terms of the Code of Conduct and accept related security trainings. Security Training. Company informs its Authorised Personnel about relevant security procedures and their respective roles. Company also informs its Authorised Personnel of possible consequences of breaching the security rules and procedures. Physical and Environmental Security Physical and Logical Safeguards. Company employs both physical and logical safeguards to ensure data is tightly controlled and limited to Authorized Personnel only. Such controls include, but are not limited to physical access restrictions; authentication security appropriate to the system and data; monitoring and logging access to systems and applications; data loss prevention tools; enforced security policies; multi-factor authentication for remote access to corporate resources; and unique, limited duration, single-use user ...
