Data Processing Addendum
Effective date: August 1, 2025
This Ecoflex Data Processing Addendum (this "DPA") forms part of, and is subject to the provisions of, the Agreement. This DPA will apply to the extent Client is subject to relevant Data Protection Laws.
1. Definitions
 
Capitalized terms that are used but not defined in this DPA have the meanings given to them in the Agreement.
1.1. “Affiliate” means an entity that directly or indirectly controls (e.g., subsidiary), is controlled by (e.g., parent), or is under common control with (e.g., sibling) such party; and the term “control” (including the terms “controlled by” and “under common control with”) means either: (a) ownership or control of more than 50% of the voting interests of the subject entity; or (b) the power to direct or cause the direction of the management and policies of an entity, whether through ownership, by contract, or otherwise.
1.2. “Agreement” means any subscription agreement governing Client’s access to and use of the Platform, which may mean, as applicable, Ecoflex’s online Terms of Service, a Master Subscription Agreement, or other related Platform subscription agreement between Ecoflex and Client.
1.3. “Authorized Affiliate” means Client's Affiliate(s) which (a) are subject to Data Protection Laws; (b) are permitted to use the Platform pursuant to the Agreement between Client and Ecoflex; and (c) have not signed their own Agreement with Ecoflex and are not "Clients" as defined under this DPA.
1.4. “Controller” means the entity that determines the purposes and means of the Processing of Personal Information.
1.5. “Client” means the entity and the entity’s Authorized Affiliates that agree to be bound by the Agreement and this DPA.
1.6. “Client Personal Information” means all Personal Information, excluding Client Relationship Data, made available to Ecoflex by or on behalf of Client.
1.7. “Client Relationship Data” means Personal Information that relates to Client’s relationship with Ecoflex, including the names or contact information of the business point(s) of contact between Client and Ecoflex, individuals, Client billing information, and Client relationship management information.
1.8. “Client Workforce” means any Data Subjects who are employees, contractors, representatives, or other individuals engaged by Client who have access to the Platform via a user account.
1.9. “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Personal Information transmitted, stored, or otherwise Processed.
1.10. “Data Protection Laws” means all applicable laws and regulations applicable to Ecoflex’s processing of Personal Information under the Agreement.
1.11. “Data Subject” means an individual whose Personal Information is subject to Data Protection Laws.
1.12. “EEA” means the European Economic Area.
1.13. “End User” means any Data Subject accessing or otherwise using Website Content.
1.14. “EU Standard Contractual Clauses” or “EU SCCs” means the annex found in the European Commission decision of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (available as of August 1, 2021 at data.europa.eu/eli/dec_impl/2021/914/oj) and any amendments, replacements, or updated standard contractual clauses as recognized and approved by the European Commission from time to time.
1.15. “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
1.16. “Personal Information” means any information relating to a Data Subject.
1.17. “Platform” means the access to Ecoflex’s software-as-a-service platform and the related web design technology products and services as subscribed to by Client.
1.18. “Processing” means any operation or set of operations which is performed upon Personal Information, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
1.19. “Processor” means the entity which Processes Personal Information on behalf of the Controller.
1.20. “Regulator” means any supervisory authority with authority under Data Protection Laws over all or any part of the provision or receipt of the Platform or the Processing of Personal Information.
1.21. “Sub-processor” means any Processor engaged by Ecoflex to Process Client Personal Information on behalf of Ecoflex.
1.22. “UK International Data Transfer Agreement” means the addendum Version B1.0, issued by the UK Information Commissioner’s Office (“ICO”), under section 119A (1) of the Data Protection Act 2018, in force from 21 March 2022.
1.23. “Website Content” means any content that Client submits, posts, displays, or otherwise makes available on or via the Platform.
2. Relationship of the Parties
 
2.1. Ecoflex as a Processor. The Parties hereby agree that with regard to the processing of Client Personal Information, Client may act either as a Controller or Processor and Ecoflex is a Processor for all Client Personal Information except for Client Relationship Data as set forth in Section 2.2 (Ecoflex as a Controller of Client Relationship Data). Ecoflex will process Client Personal Information in accordance with Client’s instructions as set forth in Section 3.1 (Instructions).
2.2. Ecoflex as a Controller of Client Relationship Data. The parties hereby agree that, with regard to the processing of Client Relationship Data, Ecoflex is an independent Controller, not a joint Controller with Client. Ecoflex will process Client Relationship Data as a Controller: (a) to manage the relationship with Client; (b) to carry out Ecoflex’s core business operations, such as delivering products, accounting and filing taxes; (c) to detect, prevent, or investigate Data Breaches, fraud, and other abuse or misuse of the Platform; (d) to comply with applicable law; and (e) as otherwise permitted under Data Protection Law and in accordance with this DPA, the Agreement, and Ecoflex’s Privacy Policy.
3. Client Obligations
 
3.1. Instructions. Client instructs Ecoflex, when acting as a Processor, to Process Client Personal Information to provide the Platform. Client warrants that the instructions it provides to Ecoflex pursuant to this DPA will comply with Data Protection Laws.
3.2. Data Subject and Regulator Requests. Client shall be responsible for communications and leading any efforts to comply with all requests made by Data Subjects under Data Protection Laws and all communications from Regulators that relate to Client Personal Information, in accordance with Data Protection Laws. To the extent such requests or communications require Ecoflex’s assistance, Client shall immediately notify Ecoflex in writing of the Data Subject’s or Regulator’s request.
3.3. Notice, Consent, and Other Authorizations. Client agrees that the Personal Information it collects shall be in accordance with Data Protection Laws, including all legally required consents, bases of processing, approvals, and authorizations. Upon Ecoflex’s request, Client shall provide all information necessary to demonstrate compliance with these requirements.
4. Ecoflex’s Obligations as a Processor
 
4.1. Scope of Processing and Client Instructions. Ecoflex will Process the Personal Information on documented instructions from Client in such a manner as is necessary for the provision of the Platform under the Agreement, except as may be required to comply with any legal obligation to which Ecoflex is subject.
4.2. Lawfulness of Instructions. Ecoflex shall immediately inform Client if, in its opinion, the execution of an instruction could infringe on any Data Protection Laws. In the event Ecoflex must Process or cease Processing Personal Information for the purpose of complying with a legal obligation, Ecoflex will inform the Client of that legal requirement before Processing or ceasing to Process, unless prohibited by applicable law.
4.3. Ecoflex Personnel Confidentiality Obligations. Ecoflex will grant access to Client Personal Information to its personnel only to the extent strictly necessary for implementing, managing, and monitoring the Platform. Ecoflex shall ensure that personnel authorized to Process Client Personal Information have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.4. Fulfillment of Data Subject Requests. Ecoflex shall promptly notify Client of any request it has received from a Data Subject. Ecoflex shall not respond to the request itself, unless authorized to do so by Client. Ecoflex shall provide reasonable assistance to Client in fulfilling its obligations to respond to Data Subject requests to exercise their rights under Data Protection Laws.
4.5. Security of Processing. Ecoflex shall implement appropriate technical and organizational measures to ensure the security of Personal Information including protection against a Data Breach. In complying with its obligations under this paragraph, Ecoflex shall implement the technical and organizational measures specified in Schedule 2.
4.6. Data Breach Notification. Ecoflex shall notify Client without undue delay in the event of a confirmed Data Breach.
4.7. GDPR Articles 32-36. Considering the nature of the Processing and the information available to Ecoflex, Ecoflex will provide reasonable assistance to Client in complying with its obligations under GDPR Articles 32-36, which address obligations with regard to security, breach notifications, data protection impact assessments, and prior consultation.
4.8. Deletion or Return of Personal Information. Following termination of the Agreement, Ecoflex shall, at the choice of Client, delete or return all Client Personal Information Processed on its behalf unless such continued processing is otherwise required by applicable law.
4.9. Compliance Documentation. Ecoflex shall make available to Client all information necessary to demonstrate compliance with GDPR. At Client’s request, Ecoflex shall also permit and contribute to audits in the manner prescribed in Section 6 of this DPA (Audit).
4.10. Disclosure to Third Parties. Except as expressly provided in this DPA, Ecoflex will not disclose Client Personal Information to any third party without Client’s consent. If requested or required by a competent governmental authority to disclose Client Personal Information, to the extent legally permissible and practicable, Ecoflex will provide Client with sufficient prior written notice in order to permit Client the opportunity to oppose any such disclosure.
5. Use of Sub-processors
 
5.1. New Sub-processors. Client hereby agrees and gives its general authorization for Ecoflex, when acting as a Processor, to engage new Sub-processors in connection with the processing of Client Personal Information. A list of Ecoflex’s current Sub-processors. Client must sign up at the aforementioned URL to receive email notifications concerning the addition of new Sub-processors. Client may reasonably object to the addition of any new Sub-processor within fifteen (15) calendar days of receiving such email notification, in which case Ecoflex will use reasonable efforts to make a change in the Platform or recommend a commercially reasonable change to avoid Processing by such Sub-processor. If Ecoflex is unable to provide an alternative, Client may terminate subscription to the Platform and shall pay Ecoflex any fees or expenses not yet paid for all services provided pursuant to any Agreement. If Client fails to sign up for these email notifications, Client shall be deemed to have waived its right to object to the newly added Sub-processor(s).
5.2. Responsibility for Sub-processors. Ecoflex shall impose the same material data protection obligations as set out in this DPA on its Sub-processors. Where a Sub-processor fails to fulfill its data protection obligations, Ecoflex shall be liable for the Sub-processor’s failure to fulfill its data protection obligations.
6. Audit
 
6.1. Scope. Ecoflex will maintain records of its Processing activities carried out on behalf of Client and will make available to Client the information reasonably necessary to demonstrate its compliance with the obligations set out in this DPA. Ecoflex may limit the scope of information made available to Client if Client is an Ecoflex competitor, provided that such limitation does not violate Data Protection Laws. Client’s inspection rights under this DPA do not extend to Ecoflex’s employee payroll, personnel records or any portions of its sites, books, documents, records, or other information that do not relate to the Platform or to the extent they pertain to third parties.
6.2. Process. Subject to thirty (30) days’ prior written notice from Client and at Client's additional expense (including all reasonable costs and fees for any and all time Ecoflex expends on such audit, in addition to the rates for services performed by Ecoflex), Ecoflex and Client shall mutually agree to appoint a third-party auditor to verify that Ecoflex is in compliance with the obligations under this DPA. In no event shall the Parties agree to a third-party auditor that is a competitor to Ecoflex. Audits and inspections will be carried out at mutually agreed times during regular business hours. Client shall be entitled to exercise this audit right no more than once every twelve (12) months. Client shall not be entitled to an on-site audit of Ecoflex’s premises unless legally required by a Regulator.
6.3. Confidentiality. All information obtained during any such request for information or audit will be considered Ecoflex’s Confidential Information under the Agreement and this DPA. The results of the inspection and all information reviewed during such inspection will be deemed Ecoflex’s Confidential Information. The third-party auditor may only disclose to Client specific violations of this DPA, if any, and the basis for such findings, and shall not disclose any of the records or information reviewed during the inspection.
7. Transfers Outside of EEA, UK, and Switzerland
 
To the extent Client’s use of the Platform requires an onward transfer mechanism to lawfully transfer Personal Information from the European Economic Area, the United Kingdom, or Switzerland to a country or territory which has not been formally recognized by the European Commission or applicable government(s) or Regulator(s) as affording the Personal Information an adequate level of protection, Client hereby acknowledges, agrees, and instructs Ecoflex to transfer Client Personal Information as set forth in Schedule 3 (Cross Border Transfers) of this DPA.
If Schedule 3 applies to Client’s use of the Platform, then, if applicable, under the order of precedence, by entering into this DPA, the Parties are deemed to be signing such EU Standard Contractual Clauses, including each of its applicable Annexes, or the UK International Data Transfer Agreement, as applicable.
8. Jurisdiction Specific Terms
 
To the extent Ecoflex processes Client Personal Information originating from and protected by Data Protection Laws in one of the jurisdictions listed in Schedule 5 (Jurisdiction Specific Terms), the terms specified in Schedule 5, with respect to the applicable jurisdiction(s), will also apply.
9. Obligations Post-Termination
 
Termination or expiration of this DPA shall not discharge the Parties from their obligations that by their nature may reasonably be deemed to survive the termination or expiration of this DPA.
10. Limitation of Liability
 
This DPA shall be subject to the limitations of liability agreed between Client and Ecoflex in the Agreement and such limitations shall apply in aggregate for all claims under the Agreement and DPA.
11. Severability
 
Any provision of this DPA that is prohibited or unenforceable in any jurisdiction shall, as to such jurisdiction, be ineffective to the extent of such prohibition or unenforceability without invalidating the remaining provisions hereof, and any such prohibition or unenforceability in any jurisdiction shall not invalidate or render unenforceable such provision in any other jurisdiction. The Parties will attempt in good faith to agree upon a valid and enforceable provision that is a reasonable substitute and shall incorporate such substitute provision into this DPA.
12. Updates
 
Ecoflex reserves the right to modify, update, or change this DPA from time to time in the usual course of business, so we encourage you to review this page periodically. Notwithstanding, when we change this DPA in a material manner, we will update the effective date at the top of this page and provide you with reasonable advance notice before the updates to this DPA become effective. Ecoflex may provide such notifications to you via email notice, written or hard copy notice, and/or through posting of such notice on the Platform. We reserve the right to determine the form and means of providing notifications to you. You may be required to click-to-accept or otherwise agree to the updated DPA, but in any event your continued use or access of the Platform after the effective date of the updated DPA shall constitute your agreement to the updated DPA. The DPA will be effective as of the date specified in the effective date at the top of this page and will apply to your use of the Platform from that point forward. If we update this DPA in a non-material manner after the effective date, we will update the last modified date at the top of this page. Ecoflex is not responsible for any automatic filtering you or your network provider may apply to email notifications we send to the email address you provide us.
SCHEDULE 1
Description of Transfer and Processing
- List of Parties
 
Data exporter:
Name: Client, user of the Platform.
Contact Details: Specified in the signature block above.
Activities relevant to the data transfer: Use of the Platform.
Role: Controller and/or Processor depending on the type of processing as set forth below.
Data importer:
Name: Ecoflex, Inc., provider of the Platform.
Contact Details: Box 107-626, 2201 Long Prairie Road, Flower Mound, Texas 75022 USA.
Activities relevant to the data transfer: Provisioning of the Platform.
Role: Controller and/or Processor depending on the type of processing as set forth below.
- Description of Transfer
 
Categories of data subjects whose personal data is transferred:
Module One (Controller to Controller):
- Data Subjects whose Personal Information constitutes Client Relationship Data.
 
Module Two (Controller to Processor) and Module Three (Processor to Processor):
- End Users; and
 - Client Workforce
 
Categories of personal data transferred:
Module One (Controller to Controller):
- Client Relationship Data including business points of contact: name, email address, phone number, credit card and/or other billing information.
 
Module Two (Controller to Processor) and Module Three (Processor to Processor):
- Personal Information about End Users and Client Workforce that Client provides to the Platform or through an End User’s interaction with the Platform including, but not limited to, name, email addresses, and other Personal Information as determined by Client;
 - Personal Information from add-ons and other third-party services Client uses in conjunction with the Platform; and
 - Data about Client, Client’s Workforce, and End Users' use of the Platform, including, but not limited to, interactions with the user interface to the Platform, web browser or operating system details, and the internet protocol address for the computers with which Client, Client’s Workforce, and End Users use to connect to the Platform.
 
Sensitive data transferred (if applicable):
Module One (Controller to Controller):
- None.
 
Module Two (Controller to Processor) and Module Three (Processor to Processor):
- End Users may submit special categories of Personal Information to the Client via the Platform, the extent of which is determined and controlled by the Client. For clarity, these special categories of Personal Information may include information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, biometric data, health data, or data concerning a natural person’s sex life or sexual orientation.
 - Any sensitive data that Client may submit to Ecoflex is stored in a single database location with heavily restricted access.
 
Frequency of the transfer:
Module One (Controller to Controller), Module Two (Controller to Processor), and Module Three (Processor to Processor):
- Continuous.
 
Purposes of the data transfer and further processing:
Module One (Controller to Controller), Module Two (Controller to Processor), and Module Three (Processor to Processor):
- Ecoflex will process Client Relationship Data and Client Personal Information for the purpose of providing the Platform described in the Agreement. Client determines the specific processing activities using the Platform but these activities are anticipated to include receiving, storing, displaying, and erasing Personal Information.
 
The period for which the personal data will be retained:
Module One (Controller to Controller):
- Ecoflex will retain Client Relationship Data during the term of the Agreement and thereafter in accordance with the principles of ‘purpose limitation’ and ‘storage limitation.’ Ecoflex may retain Client Relationship Data as required by applicable law and regulations to comply with its legal obligations.
 
Module Two (Controller to Processor), and Module Three (Processor to Processor):
- Client Personal Information will be retained during the term of the Agreement. Upon the termination of the Agreement, Ecoflex will delete all Personal Information processed on behalf of Client unless local laws, regulations, or other requirements applicable to Ecoflex prohibit the deletion of the Personal Information.
 
Subject matter, nature, and duration of the processing by sub-processors:
Module One (Controller to Controller), Module Two (Controller to Processor), and Module Three (Processor to Processor):
- A list of Ecoflex’s current Sub-processors and the subject matter of the sub-processing can be found at Ecoflex.com/legal/sub-processors. Ecoflex’s Sub-processors process Personal Information for the term of the agreement between the Sub-processor and Ecoflex.
 
- Competent Supervisory Authority
 
Module One (Controller to Controller), Module Two (Controller to Processor), and Module Three (Processor to Processor):
- Ireland’s Data Protection Commissioner.
 
SCHEDULE 2
Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data
Ecoflex has a SOC 2 Type II certification and is dedicated to the continued validation of its security program. Specifically, Ecoflex implements the following security measures with respect to Personal Information:
Data Center Security
- Ecoflex infrastructure is managed via GoDaddy’s ISO 27001 certified data centers and hosted in multiple regions and availability zones.
 - All database servers are isolated inside virtual private networks, and accessible only by key personnel via multi-factor authentication.
 - All access to production environments is logged, and access can be immediately revoked.
 
Protection from Data Loss and Corruption
- All data operations are mirrored to a redundant secondary database.
 - All data is backed up on a daily basis and stored on highly redundant storage media in multiple availability zones.
 - All data is encrypted at rest using GoDaddy’s EBS encryption functionality.
 
Application-Level Security
- User account passwords are hashed using a secure low-entropy key derivation function, which protects against brute-force attacks.
 - All applications are served exclusively via TLS with a modern configuration.
 - All login pages have brute-force logging and protection.
 - Two-factor authentication is supported and is mandatory for all internal administrator functions of the application.
 - All code changes to our applications require code reviews via an enforced code review process.
 - Automated code and dependency analysis tools are in place to identify emergent security issues.
 - Different vendors conduct regular application security penetration tests. These tests include high-level server penetration tests across various parts of our platform (i.e. Dashboard, Designer, Editor, Hosted Sites), as well as security-focused source code reviews.
 
Internal Protocol & Training
- All new employees are given security and data privacy training, tailored to their job functions.
 - All employees undergo regular security best practices and data privacy training.
 - All developers undergo advanced application security and privacy training.
 - All new product changes and improvements undergo a data privacy assessment before any projects proceed to implementation.
 
Sub-processor Controls
- Ecoflex only uses cloud providers that have confirmed they have implemented and maintain Security Measures in compliance with Article 32 of the GDPR, in storing and keeping secure Personal Information.
 
Technical and Organizational Measures to aid the Controller
- Ecoflex has a dedicated security and privacy team to respond to Controller requests and inquiries. Considering the nature of the Processing and to the extent reasonably possible, Ecoflex will assist Controller in fulfilling its obligations in relation to Data Subject requests and compliance obligations under applicable Data Protection Laws. This team can be contacted at privacy@Ecoflex-mfg.com.
 - Ecoflex will not disclose Personal Information to any third party without Client’s consent. If requested or required by a competent governmental authority to disclose the Personal Information, to the extent legally permissible and practicable, Ecoflex will provide Client with sufficient prior written notice in order to permit Client the opportunity to oppose any such disclosure.
 
SCHEDULE 3
Cross Border Data Transfers
1.1 Order of Precedence. In the event the Platform is covered by more than one Transfer Mechanism, the transfer of Personal Information will be subject to a single Transfer Mechanism in accordance with the following order of precedence: (a) the EU-U.S. and Swiss-U.S. Data Privacy Framework as well as the UK Extension to the EU-U.S. Data Privacy Framework and any valid successors thereto, provided Ecoflex is certified under the relevant framework; (b) the EU Standard Contractual Clauses as set forth in Section 1.2 (EU Standard Contractual Clauses) of this Schedule 3; (c) the UK International Data Transfer Agreement as set forth in Section 1.3 (UK International Data Transfer Agreement) of this Schedule 3; (d) Swiss Transfers as set forth in Section 1.4 (Swiss Transfers) of this Schedule 3; and, if neither (a) nor (b) nor (c) nor (d) is applicable, then (e) other applicable data Transfer Mechanisms permitted under Data Protection Law.
1.2 EU Standard Contractual Clauses. The parties agree that the EU Standard Contractual Clauses will apply to Personal Information that is transferred via the Platform from the EEA or Switzerland, either directly or via onward transfer, to any country or recipient outside the EEA or Switzerland that is: (a) not recognized by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection for Personal Information. For data transfers from the EEA that are subject to the EU Standard Contractual Clauses, the EU Standard Contractual Clauses will be deemed entered into (and incorporated into this DPA by this reference) and completed as follows:
(a) Module One (Controller to Controller) of the EU Standard Contractual Clauses will apply where Ecoflex is processing Client Relationship Data;
(b) Module Two (Controller to Processor) of the EU Standard Contractual Clauses will apply where Client is a Controller of Client Personal Information and Ecoflex is processing Client Personal Information;
(c) Module Three (Processor to Processor) of the EU Standard Contractual Clauses will apply where Client is a Processor of Client Personal Information and Ecoflex is processing Client Personal Information;
(d) For each Module, where applicable:
- Clause 7: The optional docking clause will not apply;
 - Clause 9: Option 2 will apply and the time period for prior written notice of Sub-processor changes will be as set forth in Section 5 (Use of Sub-processors) of the DPA;
 - Clause 11: The optional language will not apply;
 - Clause 17: the EU Standard Contractual Clauses will be governed by the laws of Ireland;
 - Clause 18: the EU Standard Contractual Clauses disputes will be resolved before the courts of Ireland;
 
(e) Schedule 1 of this DPA serves as Annex I of the EU Standard Contractual Clauses;
(f) Schedule 2 (Technical and Organizational Security Measures) of this DPA serves as Annex II of the EU Standard Contractual Clauses.
1.3 UK International Data Transfer Agreement. The parties agree that the UK International Data Transfer Agreement will apply to Personal Information that is transferred via the Platform from the United Kingdom, either directly or via onward transfer, to any country or recipient outside of the United Kingdom that is: (a) not recognized by the competent United Kingdom Regulator or governmental body for the United Kingdom as providing an adequate level of protection for Personal Information. For data transfers from the United Kingdom that are subject to the UK International Data Transfer Agreement, the UK International Data Transfer Agreement will be deemed entered into (and incorporated into this DPA by this reference) and completed as set forth in Schedule 4.
1.4 Swiss Transfers. Where Personal Information that is transferred via the Platform from Switzerland, either directly or via onward transfer, to any country or recipient outside Switzerland that is not recognized by the Swiss Federal Act on Data Protection (“FADP”) as providing an adequate level of protection for Personal Information, the following applies:
The EU Standard Contractual Clauses apply as set forth in Section 1.2 (EU Standard Contractual Clauses) of this Schedule 3 with the following modifications:
- in Clause 13, the competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner;
 - in Clause 17 (Option 1), the EU Standard Contractual Clauses will be governed by the laws of Switzerland;
 - in Clause 18(b), disputes will be resolved before the courts of Switzerland;
 - the term Member State must not be interpreted in such a way as to exclude Data Subjects in Switzerland from enforcing their rights in their place of habitual residence in accordance with Clause 18(c); and
 - all references to the EU GDPR in this DPA are also deemed to refer to the FADP.
 
SCHEDULE 4
UK International Data Transfer Agreement
If applicable, this UK International Data Transfer Agreement has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1: Parties
Start date: The Effective Date of the Agreement

| The parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
| --- | --- | --- |
| Parties' details | Client | Full legal name: Ecoflex, Inc. 2201 Long Prairie Road, Flower Mound, Texas 75022 USA |
| Key contact | Attn: Client | Attn: Privacy Counsel |

Table 2: Selected SCCs, Modules and Selected Clauses
| Addendum EU SCCs | The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information: |
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
| Annex 1A: List of Parties: As set out in the Agreement |
| Annex 1B: Description of Transfer: As set out in Schedule 1 of this DPA |
| Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data: As set out in Schedule 2 of this DPA. |
| Annex III: List of Sub-processors (Modules 2 and 3 only): As set out in Schedule 1 of this DPA. |
Table 4: Ending this Addendum when the Approved Addendum Changes
| Ending this Addendum when the Approved Addendum changes | Which Parties may end this Addendum as set out in Section 19: |
Part 2: Mandatory Clauses
| Mandatory Clauses | Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses. |
SCHEDULE 5
Jurisdiction Specific Terms
- California
 
Capitalized terms used in this Section 1 of Schedule 5 (“California”) that are used but not defined in the Agreement or the DPA have the meanings given to them in the CCPA.
To the extent that the California Consumer Privacy Act of 2018 (“CCPA”) (California Civil Code sections 1798.100 - 1798.199) and its accompanying regulations apply, Ecoflex agrees that:
- Ecoflex is prohibited from Selling or Sharing Client Personal Information that it collects from Client as part of providing the Platform;
- Ecoflex shall only process Client Personal Information for the following Business Purposes:
  - for the purpose of providing the Platform to Client, specifically by providing Client access to and use of Ecoflex’s software-as-a-service platform and the related web design technology products and services subscribed to by Client; and
  - for the purpose of ensuring the security of the Platform, including but not limited to network and system integrity, fraud detection, and data loss prevention.
- Ecoflex is prohibited from retaining, using, or disclosing Client Personal Information for any purpose other than the Business Purposes specified in the Agreement or as otherwise permitted by the CCPA;
- Ecoflex is prohibited from retaining, using, or disclosing Client Personal Information for any Commercial Purpose other than the Business Purposes specified in the Agreement or as otherwise permitted by the CCPA;
- Ecoflex is prohibited from retaining, using, or disclosing Client Personal Information outside the direct business relationship between Ecoflex and Client, unless expressly permitted by the CCPA;
- Ecoflex shall comply with all applicable sections of the CCPA, including, with respect to Client Personal Information, providing the same level of privacy protection as required of Businesses by the CCPA;
- Client has the right to take reasonable and appropriate steps, as specified in Section 6 (“Audit”) of the DPA, to ensure that Ecoflex is Processing Client Personal Information pursuant to the Agreement with Client in a manner consistent with the Client’s obligations under the CCPA;
- Ecoflex shall notify Client after it makes a determination that it can no longer meet its obligations under the CCPA;
- Client has the right, upon providing notice to Ecoflex, to take reasonable and appropriate steps to stop and remediate any unauthorized use of Client Personal Information by Ecoflex; and
- Ecoflex shall enable Client to comply with consumer requests made pursuant to the CCPA in accordance with Section 4.7 of the DPA (“Fulfillment of Data Subject Requests”).
 
 
 
- Switzerland
 
The definition of “Data Protection Law” includes the Swiss Federal Act on Data Protection, as revised (“FADP”).
- United Kingdom (UK)
 
References in this DPA to GDPR will to that extent be deemed to be references to the corresponding laws of the United Kingdom (including the UK GDPR and Data Protection Act 2018).
