Data Processing Agreement

Last update: 10th December 2024

This Data Processing Agreement (the “DPA”) is made by and between Google LLC (“Company”) and the entity identified as Customer (“Customer”) in the Spectacles SaaS Agreement or other agreement between Customer and Company for the purchase of Services (in each case, the “Agreement”) that was assigned from Specs, Inc. to Company. This DPA is incorporated into the Agreement between Company and Customer. Regardless of whether the Agreement has terminated or expired, this DPA will remain in effect until, and automatically expire when, Company deletes all Customer Personal Data as described in this DPA.

1.          DEFINITIONS

1.1       “Customer Personal Data” means the Personal Data provided to Company in connection with Company’s provision of Services under the Agreement.

1.2       “Data Protection Legislation” means all applicable legislation relating to data protection and privacy together with any national implementing laws in any Member State of the European Union or, to the extent applicable, in any other country, as amended, repealed, consolidated or replaced from time to time.

1.3       “Personal Data”, “Data Subject”, “Process”, “Processor”, “Controller”, and “Supervisory Authority” will each have the meaning given to them or similar terms in applicable Data Protection Legislation.

1.4       “Personal Data Breach” means a breach of Company’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored or otherwise Processed by Company that compromises the confidentiality, integrity, or availability of such Customer Personal Data.

1.5       “Standard Contractual Clauses” or “SCC” means the Standard Contractual Clauses annexed to European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

1.6       “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, version B1.0 in force March 21, 2022, as may be amended or replaced from time to time by the UK Information Commissioner (as currently available at https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-data-transfer-agreement-and-guidance/).

1.7       Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.

2.          DETAILS OF THE PROCESSING

2.1       Categories of Data Subjects. Categories of Data Subjects whose Personal Data may be included in Customer Personal Data include Customer’s employees, contractors, and other personnel whom Customer authorizes to use the Services, and other Data Subjects about whom Customer receives or collects, and thereafter provides to Customer, Personal Data in the form of Customer Personal Data.

2.2       Types of Personal Data. Customer Personal Data may include Personal Data, the extent of which is determined and controlled by Customer in its sole discretion, such as names and email addresses.

2.3       Subject-Matter and Nature of the Processing. The subject-matter of Company’s Processing of Customer Personal Data is the provision of the Services to Customer, which include the Processing of Customer Personal Data. Customer Personal Data will be subject to those Processing activities that Company must perform to provide the Services pursuant to the Agreement and any applicable statement of work or other ordering document.

2.4       Purpose of the Processing. Company will process Customer Personal Data for purposes of providing the Services described in the Agreement and any applicable Order Form or other ordering document.

2.5       Duration of the Processing. Customer Personal Data will be Processed for the duration of the Agreement, subject to Section 11 of this DPA.

3.          PROCESSING OF CUSTOMER PERSONAL DATA

3.1       This DPA applies to the Processing of Customer Personal Data by Company as set forth in the Agreement and this DPA. If applicable Data Protection Legislation recognizes the roles of Controller and Processor as applied to Customer Personal Data, then as between Company and Customer, Customer acts as Controller and Company acts as a Processor (or Subprocessor, as the case may be) of Customer Personal Data. Company will only Process Customer Personal Data as a Processor on behalf of and in accordance with Customer’s prior written instructions, including with respect to transfers of Customer Personal Data, unless Processing is required by applicable Data Protection Legislation to which Company is subject. The Parties agree that such instructions are contained in the Agreement (including this DPA) and that Company may Process Customer Personal Data as necessary to enable Company to provide the Services according to the Agreement. Any additional or different instructions require a signed agreement between Company and Customer and may be subject to additional fees. For the avoidance of doubt, Customer’s instructions for the Processing of Customer Personal Data shall comply with Data Protection Legislation. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Personal Data. Company will inform Customer if, in its opinion, an instruction from Customer infringes the Data Protection Legislation, provided, however, Company is not responsible for performing legal research and/or for providing legal advice to Customer.

3.2       If Company cannot process Customer Personal Data according to Customer’s instructions due to a legal requirement under any applicable Data Protection Legislation, Company will (i) promptly notify Customer of such inability (unless such notice is prohibited by Data Protection Legislation), providing a reasonable level of detail as to the instructions with which it cannot comply and the reasons why it cannot comply, to the greatest extent permitted by applicable law; and (ii) Process (or continue to Process) Customer Personal Data to the extent Company is able to comply with Customer’s instructions in order to provide the Services as set forth in the Agreement.

3.3       Each of Customer and Company will comply with their respective obligations under Data Protection Legislation. Customer shall (a) provide all required notices and appropriate disclosures to all Data Subjects regarding Customer’s, and Company’s, Processing of Customer Personal Data and (b) ensure that Customer has obtained (or will obtain) and maintain during the term of the Agreement all rights and consents (if required) which are necessary for Company to Process Customer Personal Data in accordance with this DPA and the Agreement. If Customer is not required by Data Protection Legislation to obtain and maintain valid consent from Data Subjects, Customer will otherwise obtain and maintain a valid legal basis in accordance with Data Protection Legislation to Process Customer Personal Data and for providing such data to Company for Processing under the Agreement (including this DPA).

3.4       Unless set forth in an Order Form or other document signed by the parties, Customer Personal Data may not include any sensitive or special data that imposes specific data security or data protection obligations on Company in addition to or different from those specified in any documentation or which are not provided as part of the Services.

4.          INTERNATIONAL TRANSFERS

4.1       In accordance with Customer’s instructions under Section 3, Company may Process Customer Personal Data on a global basis as necessary to provide the Services, including for IT security purposes, maintenance and provision of the Services and related infrastructure, technical support, and change management.

4.2       To the extent that the Processing of Customer Personal Data by Company involves the transfer of such Customer Personal Data from the European Economic Area (“EEA”) to a country or territory outside the EEA, other than a country or territory that has received a binding adequacy decision as determined by the European Commission (an “EEA Transfer”), such EEA Transfer shall be subject to the protections and provisions of the Standard Contractual Clauses (for which the SCC Appendix is attached to this DPA in Schedule 1) or other binding and appropriate transfer mechanisms that provide an adequate level of protection in compliance with Data Protection Legislation.

4.3       Customer shall be deemed to have signed the SCC in Schedule 1, Annex I in its capacity as “data exporter” and Company in its capacity as “data importer.” Module Two or Module Three of the SCC shall apply to the transfer depending on whether Customer is Controller of the Customer Personal Data (for Module Two) or a Processor of the Customer Personal Data on behalf of its customer (for Module Three). If Module Three applies, Customer hereby notifies Company that it is a Processor and the instructions shall be as set forth in Section 3. Clause 7 is omitted. In Clause 11(a), the optional provision shall not apply. For purposes of Clauses 17 and 18 of the SCCs, the Parties select The Netherlands. Additional provisions applicable to Customer Personal Data transferred pursuant to the SCC are set forth in Schedule 2.

4.4       The SCC will cease to apply if Company has implemented an alternative recognized compliance mechanism for the lawful transfer of personal data in accordance with applicable Data Protection Legislation.

4.5       In the event of any conflict between any terms in the SCC and DPA, the SCCs shall prevail to the extent of the conflict.

4.6       Where Customer Personal Data originating from the United Kingdom (“UK”) specifically is processed by Company outside of the UK, in a territory that has not been designated by the UK Information Commissioner (“ICO”) as ensuring an adequate level of protection pursuant to Data Protection Legislation in the UK (“UK Transfer”), and to the extent such processing and transfer would be subject to such UK Data Protection Legislation, the Parties agree that the UK Addendum shall apply to such UK Transfer and shall be completed with the information set forth in this DPA and the Agreement.

5.          CONFIDENTIALITY

Company shall implement processes designed to ensure that Customer Personal Data is only made available to those of its personnel, including its Subprocessors, who (i) need to access such Customer Personal Data in order to carry out their roles in the performance of Company’s obligations under the Agreement and this DPA and (ii) have committed themselves to protect the confidentiality of such Customer Personal Data or are otherwise under an appropriate statutory obligation of confidentiality.

6.          SECURITY MEASURES

6.1       Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company will implement appropriate technical and organizational measures designed to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data (“Security Measures”) (described under Annex II to the Standard Contractual Clauses). These Security Measures include measures to encrypt Customer Personal Data; to help ensure ongoing confidentiality, integrity, availability and resilience of Company’s systems and services; to help restore timely access to Customer Personal Data following an incident; and for regular testing of effectiveness. Company may update its security practices from time to time but will not materially decrease the overall security of the Services during the term of a statement of work or other ordering document. Such measures shall include a process for regularly testing, assessing and evaluating the effectiveness of the measures.

6.2       Taking into account the nature of the processing of Customer Personal Data and the information available to Company, Company will assist Customer in ensuring compliance with its obligations relating to security and personal data breaches under Data Protection Legislation by implementing and maintaining the Security Measures in accordance with Section 6.1, complying with the terms of Section 9 (Personal Data Breaches), and making security documentation available to Customer as described in Section 12.2.

7.          SUBPROCESSING

7.1       Customer specifically authorizes Company’s engagement as Subprocessors of those entities identified on Schedule 1, Annex III of this DPA as Subprocessors of Customer Personal Data and, without prejudice to Customer’s opportunity to object as described below, generally authorizes Company’s engagement of additional Subprocessors and Company’s replacement of any Subprocessors identified in Annex III. For the avoidance of doubt, the above authorization constitutes Customer’s prior written consent to the subprocessing of Customer Personal Data for purposes of Clause 9, Option 2 of the Standard Contractual Clauses.

7.2       When Company engages any new Subprocessor during the term of the Agreement, Company will, at least 30 days before the new Subprocessor starts processing any Customer Personal Data, notify Customer of the engagement (including the name, location, and activities of the new Subprocessor). To receive such notifications, Customer agrees to sign up for notifications as set forth on https://www.spectacles.dev/utility/subprocessors. If Customer can show on reasonable and objective grounds that a new Subprocessor does not or cannot comply with applicable Data Protection Legislation and wishes to object to Company’s use of such Subprocessor, then Customer has fifteen (15) days after Company notifies Customer of such new Subprocessor to object by immediately terminating the applicable Agreement for convenience in accordance with that Agreement’s termination provision or, if there is no such provision, by notifying Company in writing of its reasonable and objective basis, supported by documentary evidence, for objection to the use of the new Subprocessor. With regard to Customers who only order Beta Services, Customer’s sole and exclusive remedy in the event Customer objects to the use of a Subprocessor is to cease use of the Beta Services, and Company shall have no other obligations.

7.3       Company will enter into a binding written agreement with any Subprocessors that imposes on the Subprocessors the same level of restrictions that apply to Company under this DPA to the extent applicable to the nature of the services provided by such Subprocessors. Where any of its Subprocessors fails to fulfil its data protection obligations in relation to the Services provided to Customer, such that Company would be found to have violated its obligations to Customer under this DPA, Company will be responsible to Customer for the performance of its Subprocessors’ obligations.

8.          DATA SUBJECT RIGHTS; ACCESS

8.1       To the extent legally permitted, and where a Data Subject identifies Customer as the entity that collected its Personal Data, Company shall notify Customer without undue delay of receiving any request or complaint from Data Subjects regarding Customer Personal Data (“Data Subject Inquiry”). Company shall not respond to Data Subject Inquiries without Customer’s prior written consent and written instructions except to the extent that Company advises the Data Subject to submit their request to Customer. To the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Inquiry, taking into account the nature of the processing of Customer Personal Data, Company will provide Customer with reasonable assistance necessary for the fulfilment of Customer’s obligation to respond to requests for the exercise of Data Subjects’ rights in accordance with Data Protection Legislation. To the extent legally permitted, Customer shall be responsible for any costs arising from Company’s provision of such assistance.

8.2       If a Data Subject does not identify an entity that collected its Personal Data, Company will instruct the Data Subject to identify and contact the relevant entity that collected its Personal Data.

8.3       Company shall comply with Customer’s instructions regarding the handling of a Data Subject Inquiry, subject to the terms of Section 3.1.

8.4       During the term of the Agreement, Company will enable Customer, in a manner consistent with the functionality of the Services, to access, rectify and restrict processing of Customer Personal Data, including via the deletion functionality provided by Company as described in Section 11 (Return or Deletion of Customer Personal Data), and to export Customer Personal Data. If Customer becomes aware that any Customer Personal Data is inaccurate or outdated, Customer will be responsible for using such functionality to rectify or delete that data if required by Data Protection Legislation.


9.          PERSONAL DATA BREACHES

9.1       Company will notify Customer at the contact information on file promptly and without undue delay after it becomes aware of and confirms any Personal Data Breach, and promptly take reasonable steps to minimize harm and secure Customer Personal Data. As information regarding the Personal Data Breach is collected or otherwise reasonably becomes available to Company, Company will also provide Customer with information regarding (1) the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Customer Personal Data records concerned; (2) the reasonably anticipated consequence of the Personal Data Breach; (3) measures taken to mitigate any possible adverse effects; and (4) other information concerning the Personal Data Breach reasonably known or available to Company that Customer is required to disclose to a Supervisory Authority or Data Subjects under Data Protection Legislation. Company’s contact point for additional details regarding a Personal Data Breach is privacy@spectacles.dev. Company’s provision of any notification of a Personal Data Breach shall not constitute an admission of fault. Except as required by applicable Data Protection Legislation, the obligations set out in Section 9 shall not apply to Personal Data Breaches caused by Customer.

9.2       Customer is solely responsible for complying with data incident notification requirements applicable to Customer and fulfilling any third-party notification obligations related to any data incidents. Company has no obligation to assess Customer Personal Data in order to identify information subject to any specific legal requirements. Customer and Company shall work together in good faith within the timeframes for Customer to provide Personal Data Breach notifications in accordance with Data Protection Legislation to finalize the content of any notifications to Data Subjects or Supervisory Authorities, as required by Data Protection Legislation. In any event, Customer shall not disclose any confidential or proprietary information of Company in the content of any notification. Company’s prior written approval shall be required for any statements regarding, or references to, the Personal Data Breach or Company made by Customer in any such notifications.

10.       DATA PROTECTION IMPACT ASSESSMENT; PRIOR CONSULTATION

Taking into account the nature of the processing and the information available to Company, Company will provide Customer with reasonable assistance in ensuring compliance with its obligations relating to data protection impact assessments, risk assessments, and prior regulatory consultations or equivalent procedures under Data Protection Legislation, by providing Customer with information and documentation regarding Company’s Processing operations, if Customer is required to engage in such activities under applicable Data Protection Legislation and such assistance relates to the Processing by Company of Customer Personal Data.

11.       RETURN OR DELETION OF CUSTOMER PERSONAL DATA

11.1    Subject to Section 11.2 below, Company shall:

11.1.1.  Make Customer Personal Data available for retrieval to Customer for a maximum of thirty (30) days after termination or expiration of the Agreement (“Retrieval Period”); and

11.1.2.  After such Retrieval Period, delete Customer Personal Data Processed by Company or any Subprocessors, unless Data Protection Legislation requires storage, and where deletion is not possible, sufficiently de-identify Customer Personal Data such that it is no longer Personal Data, except if required or permitted by applicable law or for compliance, audit, or security purposes.

11.2    Company and its Subprocessors may retain Customer Personal Data to the extent required by applicable laws, only to the extent and for such period as required by applicable laws, and provided that Company shall protect the confidentiality of all such Customer Personal Data and Process such Customer Personal Data only as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose. Company is under no obligation to retain Customer Personal Data for Beta Services.

12.       INFORMATION

12.1    Company will provide Customer with all information reasonably necessary to enable Customer to demonstrate compliance with its obligations under Data Protection Legislation (which such information is Company Confidential Information under the Agreement), and, subject to the terms below, allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer, to the extent that such information is within Company’s control and Company is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party.

12.2    Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement and this DPA, Company shall make available to Customer that is not a competitor of Company (or Customer’s independent, third-party auditor that is not a competitor of Company) a copy of Company’s security documentation and any available and recent third-party audits or certifications, as applicable, each for the sole purposes of confirming Company’s compliance with this DPA and to assist Customer with complying with its obligations under Data Protection Legislation. If no such audit report is available at the time of Customer’s request, Company will allow and contribute to audits as set forth below.

12.3    Except with regard to Customers who only order Beta Services, Customer may, upon reasonable notice and at reasonable times, request an audit (either by itself or using independent third-party auditors) of Company’s compliance with this DPA if required under Data Protection Legislation. Company shall reasonably cooperate with Customer or its auditor and contribute to any audits conducted in accordance with this Section 12. Such audits may be carried out once per year or more often if required by Data Protection Legislation. Company may object in writing to an auditor appointed by Customer to conduct any audit under this Section 12 if the auditor is, in Company’s reasonable opinion, not suitably qualified or independent, a competitor of Company, or otherwise manifestly unsuitable. Any such objection by Company will require Customer to appoint another auditor or conduct the audit itself. With regard to Customers who only order Beta Services, the Parties agree that Sections 12.1 and 12.2 satisfy any audit requirements of Data Protection Legislation.

12.4    Company may charge a fee (based on Company’s reasonable costs) for any audit under this Section 12. Company will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such audit. Customer shall reimburse Company for any reasonable costs or expenses incurred by Company in connection with the audit.

12.5    Without prejudice to the rights granted in Section 12.3 above, if the requested audit scope is addressed in a SOC, ISO, NIST, PCI DSS, HIPAA or similar audit report or attestation letter issued by a qualified third-party auditor within the prior twelve months and Company provides such report or attestation letter to Customer confirming there are no known material changes in the controls audited, Customer agrees to accept the findings presented in the third-party audit report or attestation letter in lieu of requesting an audit of the same controls covered by the report.

13.       GENERAL PROVISIONS

13.1    Customer acknowledges that Company is reliant on Customer for direction as to the extent to which Company is entitled to Process Customer Personal Data on behalf of Customer in performance of the Services. Consequently, Company will not be liable under the Agreement or this DPA for any claim brought by a Data Subject arising from any action or omission by Company, to the extent that such action or omission resulted from Customer’s instructions or from Customer’s failure to comply with its obligations under the applicable Data Protection Legislation.

13.2    With regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail.

13.3    To the extent the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (“CCPA”) applies to any Customer Personal Data, Company confirms that it understands its restrictions set forth in Section 1798.140(ag)(1) of the CCPA as to such Customer Personal Data regarding residents of California and will comply with the same to the extent no CCPA exemptions apply.

13.4    Company may share and disclose Customer Personal Data in connection with, or during the negotiation of, any merger, sale of company assets, consolidation or restructuring, financing, or acquisition of all or a portion of Company’s business by or to another company, including the transfer of contact information and data of Customer’s customers, partners and end users, and Customer Personal Data Processed in connection with the Services.

13.5    The parties agree that the bundling of Customer’s data exporters, for example, if Customer consists of multiple global affiliates, as controllers within this single DPA is undertaken for efficiency purposes (i.e., to avoid a multitude of different contract documents) and (i) shall result in legally separate Addenda between the respective Customer entity and Company solely for purposes of addressing any such obligations under Data Protection Legislation; (ii) shall not create any new or different legal or other relationship whatsoever between the “bundled” Customer entities; (iii) does not create any additional rights or remedies for such bundled Customer entities; (iv) all processing instructions must be provided by the Customer entity that is signatory to the Agreement and Company is not responsible for consolidating or evaluating the validity of instructions received from other Customer entities; (v) any commercial terms not provided by the DPA are provided by the Agreement regardless of whether the bundled Customer entities signed or were consulted regarding the terms of the Agreement or are aware of the Agreement; and (vi) any audits conducted in accordance with the DPA shall be conducted only by and through the Customer entity that is signatory to the Agreement.

13.6    To the extent that additional country-specific (or state-specific, or regional, provincial, or other geographic area specific) provisions are required under Data Protection Legislation, the parties agree to incorporate such provisions solely to the extent they are required and solely to the extent they are applicable to particular Customer Personal Data processed by Company. Company may, from time to time, update this DPA as required by Data Protection Legislation.

13.7    To the extent the Israeli Privacy Protection Law, 1981, and any regulations promulgated thereunder (“Israeli Privacy Protection Law”), applies, Company will allow Customer or an independent auditor appointed by Customer to conduct audits (including inspections) as described in Section 12 (Information).

13.8    To the extent the Turkish Law on the Protection of Personal Data No. 6698 dated April 7, 2016 (“Turkish Data Protection Law”) applies, the following terms apply: (i) if Customer enters into standard contract clauses under Turkish Data Protection Law (“Turkish SCCs”) and Turkish Data Protection Law requires notification to the Kişisel Verileri Koruma Kurumu (“Turkish Personal Data Protection”) of use of the Turkish SCCs, Customer will be responsible for providing such notice within five (5) business days of signature of the Turkish SCCs; (ii) if Customer enters into Turkish SCCs, Company will allow Customer (or an independent auditor appointed by Customer) to conduct audits as described in those SCCs and, during an audit, make available all information required by those SCCs, both in accordance with Section 12 (Information); (iii) if Customer concludes, based on its current or intended use of the Services, that appropriate safeguards are not provided for transferred Customer Personal Data, then Customer may immediately terminate the applicable Agreement in accordance with that Agreement’s termination for convenience provision or, if there is no such provision, by notifying Company; (iv) nothing in the Agreement (including this DPA) is intended to modify or contradict the Turkish SCCs or prejudice the fundamental rights or freedoms of data subjects under Turkish Data Protection Law; and (v) to the extent of any conflict or inconsistency between the Turkish SCCs (which will be incorporated by reference into this DPA if entered into by Customer) and the remainder of the Agreement (including this DPA), the Turkish SCCs will prevail.


Schedule 1

Appendix to the Standard Contractual Clauses

ANNEX 1

    A.   LIST OF PARTIES:

Data exporter

Name: The data exporter is the entity identified as “Customer” in the DPA.

Address: as set forth in the Agreement.

Contact person: as set forth in the Agreement.

Activities relevant to the data transferred under these Clauses: as set forth in the Agreement.

Signature and date: refer to DPA.

Role: Controller, except when processing data on behalf of another entity, in which case data exporter is a processor.

Data importer

Name: The data importer is the entity identified as “Company” in the DPA.

Address: as set forth in the Agreement.

Contact person: as set forth in the Agreement.

Activities relevant to the data transferred under these Clauses: as set forth in the Agreement.

Signature and date: refer to DPA.

Role: processor, or sub-processor if data exporter is a processor.

    B.     DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred: Data subjects are defined in the DPA.

Categories of personal data transferred: Categories of personal data are defined in the DPA.

Sensitive categories of data (if appropriate): As set forth in the DPA.

The frequency of the transfer: As set forth in the Agreement.

Nature of the processing: The nature of the processing defined in the DPA and the Agreement.

Purposes of the data transfer and further processing: The purposes of data transfers and further processing are defined in the DPA and the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: As set forth in the DPA and the Agreement.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: As set forth in the DPA and the Agreement.

C. COMPETENT SUPERVISORY AUTHORITY

If Customer is established in an EU Member State, the competent supervisory authority shall be the supervisory authority applicable to the establishment location of Customer. If Customer is not established in an EU Member State, the competent supervisory authority shall be the supervisory authority located where Customer has appointed its EU Representative. If Customer is not established in an EU Member State and is not required to appoint an EU Representative, the competent supervisory authority shall be the supervisory authority applicable to the location of the Data Subject whose data is at issue.

ANNEX II

Technical and organizational measures including technical and organizational measures to ensure the security of the data: Please reference the webpage https://www.spectacles.dev/security

ANNEX III

List of Subprocessors

Subprocessor Name    Nature of Processing
Stripe               Billing
Sendgrid             Customer Communication
Intercom             Customer Communication
dbt Cloud            Business Analytics
Slack                Internal Communication

Schedule 2 - Additional SCC Provisions

Based on European Data Protection Board Recommendations 01/2020

  1. Company shall, unless otherwise prohibited by law or a legally binding order of an applicable body or agency, promptly notify Customer of any request for the disclosure of Customer Personal Data by a governmental or regulatory body or law enforcement authority (including any Supervisory Authority) (“Disclosure Request”) without responding to such request, unless otherwise required by applicable law (including to provide acknowledgement of receipt of the request). Company will review applicable law to evaluate any Disclosure Request, for example the ability of the requesting authority to make the Disclosure Request, and to challenge the Disclosure Request if, after a careful assessment, it concludes that there are grounds under applicable law to do so. When challenging a Disclosure Request, Company shall seek interim measures to suspend the effects of the Disclosure Request until an applicable court or other authority has decided on the merits. Company shall not disclose Customer Personal Data requested until required to do so under applicable law. Company shall only provide the minimum amount of Customer Personal Data permissible when responding to the Disclosure Request, based on a reasonable interpretation of the Disclosure Request. If the Disclosure Request is incompatible with the SCCs or other data transfer mechanism utilized in accordance with Section 3 of this DPA, Company will so notify the requesting authority and, if permitted by applicable law, notify the competent EEA government authority with jurisdiction over the Customer Personal Data subject to the Disclosure Request. Company will maintain a record of Disclosure Requests and its evaluation, response, and handling of the requests. Company will provide Customer with such records relevant to Customer Personal Data except as prohibited by applicable law or legal process or in the interest of protecting Company’s legal rights in connection with threatened, pending, or current litigation.
  2. Company has not purposefully created “back doors” or similar programming in its systems that provide Services that could be used to access the systems and/or Customer Personal Data, nor has Company purposefully created or changed its business processes in a manner that facilitates access to Customer Personal Data or its systems that provide the Services. To the best of Company’s knowledge, United States Data Protection Legislation does not require Company to create or maintain “back doors” or to facilitate access to Customer Personal Data or systems that provide Services or for Company to possess or provide the encryption key in connection with a United States Disclosure Request.
  3. Company shall use reasonable efforts to assist Customer and its Data Subjects, as instructed by Customer (in accordance with Section 8 of the DPA), regarding Disclosure Requests, unless prohibited by applicable law, for example to provide information to Customer in connection with the Data Subject’s efforts to exercise its rights and obtain legally available redress, provided Company shall not be required to provide Customer or Data Subjects with legal advice.
  4. Customer may request to audit Company information regarding access to Customer Personal Data, subject to the terms of Section 12 of the DPA.
  5. Company has established an internal procedure regarding handling of Disclosure Requests and applicable transfers of Personal Data of customers. Company has procedures for applicable personnel to receive information, as appropriate, regarding applicable transfers of Customer Personal Data, where such information may include an explanation of the necessity of the transfer and any data protection safeguards in scope.
  6. In the event Company receives a request to voluntarily disclose unencrypted Customer Personal Data to a government authority, Company will use reasonable efforts to first obtain Customer’s consent, either on its behalf or on behalf of the relevant Data Subject.