Legal

Data Processing Addendum

Last updated: May 16, 2026

This Data Processing Addendum ("DPA") forms part of the Master Subscription Agreement or other written or electronic agreement between Aspect Ratio, Inc. ("Aspect") and the customer identified on the applicable Order Form ("Customer") for the provision of the Services (the "Agreement"). This DPA is incorporated into and made a part of the Agreement and reflects the parties' agreement with respect to the Processing of Customer Personal Data in connection with the Services.

1. Subject Matter and Duration

1.1 Subject Matter

This DPA governs Customer's provision of, and Aspect's Processing of, Customer Personal Data pursuant to the Agreement. All capitalized terms not expressly defined in this DPA have the meanings given to them in the Agreement. If and to the extent any language in this DPA or any of its annexes conflicts with the Agreement, this DPA controls.

1.2 Duration and Survival

This DPA becomes binding upon the effective date of the Agreement and survives until expiration or termination of the Agreement or the return or deletion of Customer Personal Data in accordance with Section 8, whichever is later.

2. Definitions

For the purposes of this DPA, the following terms (and those defined within the body of this DPA) apply: "Aspect Security Standards" means Aspect's security standards, as updated from time to time, available at https://trust.aspect.inc/security. "Biometric Data" means facial recognition embeddings, mathematical representations of facial geometry, and user-uploaded reference images Processed through the facial recognition feature of the Services. "CCPA" means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and any associated regulations and amendments, including the California Privacy Rights Act amendments. "Controller" means the person who, alone or jointly with others, determines the purposes and means of the Processing of personal data; for purposes of this DPA, "Controller" also includes "business" as such term is defined under the CCPA. "Customer Personal Data" means Service Data (as defined in the Agreement) that constitutes "personal data," "personal information," or similar term under applicable Data Protection Law. "Data Protection Law(s)" means all worldwide data protection and privacy laws and regulations applicable to Customer Personal Data, including, where applicable, EU/UK Data Protection Law, the Swiss Federal Act on Data Protection ("FADP"), and the CCPA. "EEA" means the European Economic Area. "EU/UK Data Protection Law" means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "EU GDPR"); (ii) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (collectively, the "UK GDPR"); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any and all applicable national data protection laws made under, pursuant to, or that apply in conjunction with any of (i), (ii), or (iii); in each case as may be amended or superseded from time to time. "Process" or "Processing" means any operation or set of operations performed on Customer Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction. "Processor" means the person who, alone or jointly with others, Processes personal data on behalf of the Controller; for purposes of this DPA, "Processor" also includes "service provider" as such term is defined under the CCPA. "Restricted Transfer" means: (i) where the EU GDPR applies, a transfer of personal data from the EEA to a country outside of the EEA that is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country not subject to adequacy regulations pursuant to Section 17A of the UK Data Protection Act 2018; in each case whether such transfer is direct or via onward transfer. "SCCs" means: (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 ("EU SCCs"); (ii) where the UK GDPR applies, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Information Commissioner under s.119A(1) of the UK Data Protection Act 2018 (the "UK IDTA"); and (iii) where the FADP applies, the EU SCCs as adapted by the Swiss Federal Data Protection and Information Commissioner. "Security Incident(s)" means any unauthorized or unlawful breach of security leading to, or reasonably believed to have led to, the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to any Customer Data Processed under or in connection with the Agreement, including but not limited to Customer Personal Data. "Subprocessor(s)" means a third party engaged by Aspect to Process Customer Personal Data under the Agreement. "Subprocessor List" means the current list of Aspect Subprocessors maintained at https://trust.aspect.inc/subprocessors.

3. Data Use and Processing

3.1 Data Processing Relationship

Customer is either the Controller of Customer Personal Data or else Processes Customer Personal Data as a Processor on behalf of a third-party Controller (such as an end customer to Customer). In either case, the parties acknowledge and agree that Aspect has been appointed by Customer to Process Customer Personal Data as a Processor (or sub-Processor, as applicable) on behalf of Customer. If Customer is a Processor on behalf of a third-party Controller, Customer will ensure that any Processing instructions it provides to Aspect pursuant to this DPA are consistent with the instructions the Controller has issued to Customer.

3.2 Documented Instructions

Aspect shall Process Customer Personal Data solely: (1) to fulfill its obligations to Customer under the Agreement, including this DPA; (2) on Customer's behalf; and (3) in compliance with Data Protection Laws. Aspect shall Process Customer Personal Data strictly for the business purpose(s) agreed between the parties and as provided under the Agreement, this DPA, and any instructions expressly agreed upon by the parties in writing (together, the "Business Purpose(s)"). Customer will not instruct Aspect to Process Customer Personal Data in violation of applicable law (including Data Protection Law(s)). Aspect has no obligation to monitor the compliance of Customer's use of the Services with applicable law and will have no liability for any harm or damages resulting from Aspect's compliance with unlawful instructions received from Customer. However, Aspect will, unless legally prohibited from doing so, (i) inform Customer in writing if it reasonably believes that there is a conflict between Customer's instructions and applicable law, or otherwise seek to Process Customer Personal Data in a manner that is inconsistent with Customer's instructions, and (ii) in either such event, cease all Processing of the affected Customer Personal Data (other than merely storing and maintaining the security of the affected Customer Personal Data) until such time as Customer issues new instructions with which Aspect is able to comply. If this provision is invoked, Aspect will not be liable to Customer under the Agreement for failure to perform the Services until such time as the parties agree on new instructions. Customer retains the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.

3.3 Service Provider Certification

Aspect shall not: (a) "sell" Customer Personal Data (as such term in quotation marks is defined in the CCPA); (b) "share" or Process Customer Personal Data for purposes of "cross-context behavioral advertising" or "targeted advertising" (as such terms in quotation marks are defined in the CCPA); (c) retain, use, or disclose Customer Personal Data for any purpose other than for the Business Purpose(s), including for any commercial purpose other than performing the Services under the Agreement; or (d) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Customer and Aspect. Aspect (i) will not attempt to re-identify any pseudonymized, anonymized, aggregated, or de-identified Customer Personal Data without Customer's express written permission; and (ii) will comply with any applicable restrictions under Data Protection Laws on combining Customer Personal Data with personal data Aspect receives from, or on behalf of, another person. Aspect certifies that it understands the restrictions set out in this Section 3.3 and will comply with them.

3.4 No Use of Customer Personal Data for Model Training

Aspect shall not use Customer Personal Data, including any media files, transcripts, metadata, Biometric Data, or other Customer content, to train artificial intelligence or machine learning models operated by Aspect or its Subprocessors. Customer Personal Data Processed through AI features of the Services, including transcription, automated tagging, object detection, natural language search, and facial recognition, is used solely to deliver the requested feature to Customer and is not retained by AI Subprocessors beyond the time required to process the request. Aspect's AI Subprocessors are contractually prohibited from using Customer Personal Data for model training.

3.5 Authorization to Use Subprocessors

Customer hereby authorizes Aspect to engage affiliates and other Subprocessors to Process Customer Personal Data in accordance with this DPA and Data Protection Laws. The current list of Aspect's Subprocessors is set forth in the Subprocessor List. Customer acknowledges and agrees that Aspect's use of such Subprocessors satisfies the requirements of this DPA.

3.6 Aspect and Subprocessor Compliance

Aspect agrees to (i) enter into a written agreement with each Subprocessor regarding such Subprocessor's Processing of Customer Personal Data that imposes data protection requirements consistent with this DPA; and (ii) remain responsible to Customer for its Subprocessors' failure to perform their obligations with respect to the Processing of Customer Personal Data.

3.7 Notice of New Subprocessors

Aspect will provide notice of new Subprocessors via the Subprocessor List, and, where Customer has subscribed to notifications, by email, at least thirty (30) days before authorizing such Subprocessor to Process Customer Personal Data. Customer may object to the engagement of a new Subprocessor on reasonable data protection grounds by notifying Aspect in writing within thirty (30) days of such notice. If the parties cannot resolve the objection in good faith within thirty (30) days, Customer's sole and exclusive remedy is to terminate the affected portion of the Services and receive a pro-rata refund of any prepaid Fees for the unused portion of the then-current Term.

4. Confidentiality and Personnel

4.1 Personnel

Aspect ensures that its personnel authorized to Process Customer Personal Data are bound by appropriate obligations of confidentiality (whether contractual or statutory), have received training on data protection and information security, and access Customer Personal Data only on a need-to-know basis.

5. Security

5.1 Security Measures

Aspect implements and maintains appropriate technical and organizational measures designed to protect Customer Personal Data against Security Incidents and to preserve the security, confidentiality, and integrity of Customer Personal Data. Such measures are described in the Aspect Security Standards and include, at a minimum, encryption of Customer Personal Data at rest using AES-256 and in transit using TLS 1.2 or higher, encrypted backups, role-based access controls, multi-factor authentication for personnel access to production systems, and an ongoing SOC 2 program.

5.2 Updates

Aspect may update its security measures from time to time, provided that such updates do not materially diminish the overall level of protection afforded to Customer Personal Data.

5.3 Customer Responsibility for Locally Cached Data

Aspect's security measures apply to Customer Personal Data while Processed within the Services. Once Service Data is cached on Customer or Authorized User devices via the desktop mount feature of the Services, Customer is solely responsible for securing such locally cached data, including managing access controls, device encryption, and deletion, as further described in the Agreement.

6. Security Incidents

6.1 Notice

Upon becoming aware of a Security Incident, Aspect will provide written notice to Customer without undue delay. Any such notification is not an acknowledgment of fault or responsibility. Where possible, such notice will include all details known to Aspect and required under Data Protection Law(s) for Customer to comply with Customer's own notification obligations to regulatory authorities or individuals affected by the Security Incident, which may include, as applicable and if known: how the Security Incident occurred, the categories and approximate number of data subjects concerned, the categories and approximate number of Customer Personal Data records concerned, the likely consequences of the Security Incident, and measures taken or proposed to be taken by Aspect to address the Security Incident, including, where appropriate, measures designed to mitigate its possible adverse effects.

6.2 Investigation and Mitigation

Aspect shall use commercially reasonable efforts to: (i) investigate and identify the cause of such Security Incident; (ii) remedy or mitigate the possible adverse effects of such Security Incident; and (iii) reduce the likelihood that such Security Incident recurs. Aspect will not assess the contents of Customer Personal Data in order to identify information subject to any specific legal requirements or assess the applicability of any specific privacy, data protection, or cybersecurity requirement pertaining to such information.

6.3 Customer Responsibility

Customer is solely responsible for complying with Security Incident notification requirements applicable to Customer and fulfilling any third-party notification obligations related to any Security Incident. At Customer's written request and subject to Customer paying Aspect's reasonable fees (at then-current rates) and expenses, Aspect will provide Customer with assistance reasonably necessary to enable Customer to notify relevant security breaches to the competent data protection authorities and/or affected data subjects, if Customer is required to do so under Data Protection Law(s).

7. Audits

7.1 Third-Party Audit Reports

Aspect obtains the third-party audits set forth in the Aspect Security Standards. Upon Customer's request, and subject to the confidentiality obligations set forth in the Agreement and the entry into specific non-disclosure agreements, Aspect shall make available to Customer (or Customer's independent, reputable, third-party auditor) information regarding Aspect's compliance with the obligations set forth in this DPA by providing Customer with summaries of the most recent third-party audit reports referenced in the Aspect Security Standards. All such summaries, to the extent not made generally publicly available by Aspect, constitute Aspect's Confidential Information.

7.2 Audit of Aspect

Where Data Protection Laws afford Customer an audit right, Customer (or Customer's independent, reputable, third-party auditor) may contact Aspect in accordance with the Notices section of the Agreement to request an audit of Aspect's policies, procedures, and records relevant to the Processing of Customer Personal Data necessary to confirm Aspect's compliance with this DPA, provided that the foregoing are within Aspect's control and Aspect is not precluded from disclosure by applicable law, a duty of confidentiality, or any other obligation owed to a third party. Customer shall reimburse Aspect for its costs and expenses, including any time expended in connection with any such audit at Aspect's then-current rates. Before the commencement of any such audit, Customer and Aspect shall mutually agree upon the scope, timing, and duration of the audit, in addition to the reimbursement rate. Audits shall be conducted no more than once per calendar year (except where required by a competent supervisory authority), during normal business hours, and in a manner that does not interfere with Aspect's day-to-day operations or compromise the security or confidentiality of any other Aspect customer's data.

8. Return and Deletion of Customer Personal Data

8.1 Return or Deletion

Upon termination or expiration of the Agreement, Customer shall have a sixty (60) day retrieval period (the "Retrieval Period") to export Customer Personal Data from the Services using the platform's self-service export tools or by contacting Aspect support. Upon expiration of the Retrieval Period, Aspect shall delete Customer Personal Data across all storage tiers used by the Services, including primary distributed storage, cold storage, application metadata, AI-generated metadata, and CDN edge caches, except to the extent applicable law requires storage of Customer Personal Data.

8.2 Deletion Certification

Upon Customer's written request following deletion under Section 8.1, Aspect shall provide Customer with written certification of such deletion.

8.3 Retention Exceptions

Notwithstanding Section 8.1, Aspect may retain Customer Personal Data: (i) in encrypted backups, subject to Aspect's standard backup rotation schedule, until such backups are overwritten or expire in the ordinary course; and (ii) where required by applicable law or regulatory obligation, for the period required by such law or obligation. Customer Personal Data retained pursuant to this Section 8.3 remains subject to the confidentiality and security obligations of this DPA.

9. International Data Transfers

9.1 Restricted Transfers

Where Aspect makes a Restricted Transfer, the parties agree that such Restricted Transfer shall be governed by the SCCs, which are incorporated into this DPA by reference. The EU SCCs Module Two (Controller to Processor) shall apply where Customer is a Controller and Aspect is a Processor; the EU SCCs Module Three (Processor to Processor) shall apply where Customer is a Processor and Aspect is a Sub-Processor. The UK IDTA shall apply where the UK GDPR governs the transfer. The EU SCCs as adapted by the Swiss FDPIC shall apply where the FADP governs the transfer.

9.2 Order of Precedence

In the event of any conflict between the SCCs and any other terms of this DPA or the Agreement with respect to a Restricted Transfer, the SCCs shall prevail to the extent of such conflict.

9.3 Data Residency

Customer may elect a primary storage region for media data from among the regions made available by Aspect for the Services. Cold storage and archival data residency is determined by Aspect. All storage tiers are subject to identical security controls, encryption standards, and retention policies.

10. Data Subject Rights and Assistance

10.1 Self-Service Tools

Aspect provides Customer with in-platform tools to enable Customer to fulfill its obligations under Data Protection Laws to respond to requests from data subjects to exercise their rights of access, rectification, erasure, restriction, portability, objection, and not to be subject to automated decision-making.

10.2 Direct Requests

If Aspect receives a request from a data subject directly in relation to Customer Personal Data, Aspect will, without undue delay, direct the data subject to make their request to Customer and will not respond to such request except to confirm Aspect's role as Processor on behalf of Customer.

10.3 Reasonable Assistance

Taking into account the nature of the Processing, Aspect shall provide reasonable assistance to Customer, insofar as possible, for the fulfillment of Customer's obligations to respond to requests for the exercise of data subject rights, as well as for the fulfillment of Customer's obligations under Articles 32 to 36 of the EU GDPR (security, breach notification, data protection impact assessments, and prior consultations), taking into account the nature of the Processing and the information available to Aspect.

11. Biometric Data

11.1 Customer as Controller of Biometric Data

With respect to all Biometric Data Processed through the facial recognition feature of the Services, Customer is the Controller (or Processor on behalf of a third-party Controller) and Aspect is the Processor. Aspect Processes Biometric Data solely on Customer's documented instructions and in accordance with this DPA. Customer warrants that, prior to activating or using the facial recognition feature, it has obtained all legally required consents, authorizations, and releases from individuals whose Biometric Data may be Processed through the facial recognition feature, including but not limited to consents required under the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act (CUBI), the Washington biometric privacy statute (RCW 19.375), the CCPA, the GDPR, and any other applicable biometric privacy law.

11.3 Indemnification

The indemnification obligations set forth in the Agreement with respect to Biometric Data and the facial recognition feature are reaffirmed and incorporated into this DPA by reference.

11.4 Aspect Obligations

Aspect shall: (i) Process Biometric Data only as necessary to provide the facial recognition feature to Customer; (ii) not sell, lease, trade, or otherwise profit from Biometric Data; (iii) not use Biometric Data to train artificial intelligence or machine learning models; (iv) encrypt Biometric Data using AES-256 at rest and isolate Biometric Data logically per Customer workspace; and (v) delete Biometric Data within sixty (60) days of the workspace administrator disabling the facial recognition feature or termination of the Agreement.

12. Limitation of Liability

Each party's liability under or in connection with this DPA shall be subject to the exclusions and limitations of liability set forth in the Agreement. To the extent the SCCs apply to a Restricted Transfer, nothing in this DPA shall be construed to limit either party's liability to data subjects under the SCCs.

13. General

13.1 Governing Law and Jurisdiction

This DPA is governed by, and shall be construed in accordance with, the governing law and jurisdiction provisions set forth in the Agreement, except to the extent that the SCCs or applicable Data Protection Laws require otherwise.

13.2 Notices

Notices under this DPA shall be delivered in accordance with the Notices section of the Agreement.

13.3 Amendments

Aspect may amend this DPA from time to time to reflect changes in Data Protection Laws or changes to the Services, provided that Aspect provides Customer with at least thirty (30) days' prior written notice of any such amendment and such amendment does not materially diminish the overall level of protection afforded to Customer Personal Data.

13.4 Severability

If any provision of this DPA is held by a court of competent jurisdiction to be unenforceable, such provision shall be modified by the court and interpreted so as to best accomplish the original provision to the fullest extent permitted by law, and the remaining provisions of this DPA shall remain in effect.

13.5 Entire Agreement

This DPA, together with the Agreement, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements, proposals, or representations, written or oral, concerning the subject matter hereof.

Annex I: Data Processing Description

This Annex I forms part of the DPA and describes the Processing that Aspect (as Processor or Sub-Processor, as applicable) will perform on behalf of Customer (as Controller or Processor, as applicable). This Annex I also serves as Annex I to the EU SCCs where applicable.

A. List of Parties

Controller / Data Exporter (or Processor / Data Exporter, as applicable):
  • Name: Customer as set forth in the applicable Order Form.
  • Address: As set forth in the applicable Order Form.
  • Contact person's name, position, and contact details: As set forth in the applicable Order Form.
  • Activities relevant to the data transferred under these Clauses: Processing necessary to receive the Services pursuant to the Agreement.
  • Signature and date: This Annex I shall automatically be deemed executed when Customer accepts the Agreement.
  • Role (Controller / Processor): Controller or Processor, as applicable.
Processor / Data Importer (or Sub-Processor / Data Importer, as applicable):
  • Name: Aspect Ratio, Inc.
  • Contact person's name, position, and contact details: Gurish Sharma, Chief Executive Officer, gurish@aspect.inc.
  • EU/UK Representative under Article 27 of the EU GDPR / UK GDPR: To be designated.
  • Activities relevant to the data transferred under these Clauses: Processing necessary to provide the Services pursuant to the Agreement.
  • Signature and date: This Annex I shall automatically be deemed executed when Customer accepts the Agreement.
  • Role (Processor / Sub-Processor): Processor or Sub-Processor, as applicable.

B. Description of Processing / Transfer

EU SCC Module: Module Two (Controller to Processor) or Module Three (Processor to Sub-Processor), as applicable. Categories of data subjects: The personal data Processed concerns the following categories of data subjects:
  • Customer's Authorized Users and their employees, contractors, consultants, agents, and other personnel.
  • Individuals appearing or identifiable in Customer-uploaded media (including, where Customer enables facial recognition, individuals whose facial features are processed).
  • Individuals identified in or referenced by transcripts, metadata, comments, annotations, or other Customer-generated content within the Services.
  • Customer's clients, end customers, business contacts, and other individuals whose personal data Customer chooses to Process through the Services.
Categories of personal data: The personal data Processed includes:
  • Account information (such as name, business email address, IP address, billing contact details, authentication identifiers).
  • The contents of Customer-uploaded media files (video, audio, image, and document files), which may include personal data within such media.
  • AI-generated metadata derived from Customer-uploaded content, including transcripts, automated tags, object detection labels, natural language search indexes, and related metadata.
  • Comments, annotations, and other collaboration data submitted by Authorized Users.
  • Audit logs and activity records reflecting Authorized User actions within the Services.
Sensitive data Processed (if applicable): Biometric Data (facial recognition embeddings and reference images) is Processed only where Customer enables the facial recognition feature. Customer-uploaded media may, at Customer's discretion, contain additional categories of sensitive data; Customer is responsible for determining the appropriateness of Processing such categories through the Services. Frequency of the transfer: Continuous for the duration of the Agreement. Nature of the Processing: Cloud-based storage; streaming and delivery; transcoding; AI inference (transcription, automated tagging, object detection, natural language search, facial recognition); indexing and search; review and approval workflows; sharing and permissions management; archival; and deletion. Purpose(s) of the data transfer and further Processing: The performance of the Services pursuant to the Agreement. Period for which the personal data will be retained, or, if not possible, the criteria used to determine that period: For the duration of the Agreement plus the sixty (60) day Retrieval Period, except as otherwise provided in Section 8 of this DPA or as required by applicable law. For transfers to Sub-Processors, also specify subject matter, nature, and duration of the Processing: Sub-Processor Processing is as described in the Subprocessor List, and is limited to the activities necessary to provide the Services pursuant to the Agreement.

C. Competent Supervisory Authority

In accordance with Clause 13 of the EU SCCs, the competent supervisory authority shall be determined based on the EU member state in which the Controller / Data Exporter (Customer) is established, or, where Customer is not established in the EEA, the EU member state in which Customer's designated EU representative under Article 27 of the EU GDPR is established, or, in the absence of such representative, the EU member state in which the data subjects whose personal data is transferred are located. For transfers governed by the UK GDPR, the competent supervisory authority is the United Kingdom Information Commissioner's Office (ICO). For transfers governed by the Swiss FADP, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner (FDPIC).

Annex II: Technical and Organizational Measures

The technical and organizational measures implemented by Aspect to ensure an appropriate level of security for Customer Personal Data are set forth in the Aspect Security Standards, available at https://trust.aspect.inc/security, which are incorporated into this DPA by reference and form part of Annex II to the EU SCCs. The Aspect Security Standards include, at a minimum, measures relating to:
  • Pseudonymization and encryption of personal data (AES-256 at rest; TLS 1.2 or higher in transit; encrypted backups).
  • The ongoing confidentiality, integrity, availability, and resilience of Processing systems and services.
  • The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident.
  • A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures, including an ongoing SOC 2 program and periodic vendor security reviews.
  • Logical workspace isolation, role-based access controls, and multi-factor authentication for personnel access to production systems.
  • Personnel security, including background checks where permitted by law, security and privacy training, and confidentiality obligations.
  • Asset management, change management, vulnerability management, and incident response programs.

Annex III: List of Sub-Processors

The current list of Aspect Sub-Processors is maintained and made available to Customer at https://trust.aspect.inc/subprocessors, which is incorporated into this DPA by reference and forms part of Annex III to the EU SCCs. Aspect provides notice of additions to the Sub-Processor list in accordance with Section 3.7 of this DPA.

Annex IV: UK International Data Transfer Addendum

For transfers of personal data subject to the UK GDPR, the UK IDTA is incorporated into this DPA by reference and completed as follows:
  • Table 1 (Parties): The parties identified in Annex I.A of this DPA.
  • Table 2 (Selected SCCs, Modules and Selected Clauses): The EU SCCs, as completed by this DPA, with Modules Two and Three (as applicable) and all optional clauses as completed in this DPA.
  • Table 3 (Appendix Information): As set forth in Annexes I, II, and III of this DPA.
  • Table 4 (Ending this Addendum when the Approved Addendum Changes): Either party may end the UK IDTA in accordance with Section 19 of the UK IDTA.

Annex V: Swiss FADP Adaptations

For transfers of personal data subject to the Swiss FADP, the EU SCCs apply with the following adaptations: (i) references to the EU GDPR shall be deemed to include the FADP to the extent the FADP applies; (ii) the term "member state" shall not be interpreted to exclude data subjects in Switzerland from exercising rights in their place of habitual residence; and (iii) the competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner (FDPIC).

Contact Us

If you have any questions about this Data Processing Addendum, please contact us at legal@aspect.inc.

Get started

For every aspect of the creative workflow.