G-P Named a Global Leader for the Fourth Time in NelsonHall’s 2024 NEAT Report. Download the report
G-P Logo
Request a proposal

MSA Privacy Language

Last update:

DATA PROTECTION ADDENDUM

This Data Protection Addendum (“Addendum”) supplements the terms and conditions in the Master Agreement and is incorporated therein. In the event of a conflict between this Addendum, and any other agreement between the parties on the issues set forth herein, this Addendum shall control.

1. DEFINITIONS

1.1. Terms not defined herein have the meanings set forth in the Master Services Agreement. The following words in this Addendum have the following meanings:

1.2. “Authorized User” means an individual permitted by Customer who may include either or a Customer’s employee and/or contractor, to access and use the Platform on behalf of the Customer, pursuant the execution of the Master Agreement.

1.3. “CCPA” means the California Consumer Privacy Act.

1.4. “Customer Data”means any Personal Data or Personal Information related to any Authorized User or identifiable natural person that is transferred, processed, or stored by Globalization Partners on behalf of Customer for the use of the Platform by the Customer.

1.5. “Data Protection Laws” means any data protection and privacy laws to which a party to this Agreement is subject and which are applicable to the Services provided, including where applicable, but not limited to, GDPR, UK GDPR, US privacy laws (including state and federal laws) and Singapore’s Personal Data Protection Act .

1.6. “GDPR” means the General Data Protection Regulation (EU) 2016/679 and/or UK GDPR.

1.7. “EEA” means the European Economic Area.

1.8. “EU SCCs” means the means Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

1.9. “EOR Services” means the employer of records services to be provided by Globalization Partners to Customer in accordance with the Master Agreement.

1.10. “Master Agreement” means the agreement executed between Customer and Globalization Partners for the provision of the EOR Services.

1.11. “Platform” means Globalization Partners’ proprietary software , including without limitation, the software, the mobile version, any software contained therein, and any data made available through the use of either Globalization Partners’ proprietary software or the third party services, including their updates, upgrades, platform as a service, documentation, a description of which is set out at https://www.globalization-partners.com/goglobal/.

1.12. “UK Addendum” means the UK international data transfer addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner and attached hereto as Annex IV.

1.13. “Controller” “Data Subject”, “Personal Data”, “Personal Information” “Data Breach”, “Processor”, “Process/Processing”, “Restricted Transfer”, “Service Provider” and/or any other similar terms and concepts shall have the meanings as defined in Data Protection Laws

2. RELATIONSHIP OF PARTIES AND ROLES

2.1. Roles of the Parties and Details of Processing. Globalization Partners shall process Personal Data as an independent Controller when Globalization Partners provides EOR Services. In no event will the Parties Process Personal Data under this Addendum as joint Controllers. Where Globalization Partners operates as an independent Controller, Globalization Partners shall comply with its Controller obligations under Data Protection Laws when Processing Personal Data and shall Process the Personal Data as described in Globalization Partners’ Privacy Policy available at https://www.globalization-partners.com/privacy-policy/. Customer shall comply with its obligations under Data Protection Laws when Processing Personal Data as a Controller. To the extent Globalization Partners acts as Processor while Processing Customer Data, such Processing shall be carried out in accordance with Section 3 (“Processing of Personal Data”) below.

2.2. Responsibilities and Acknowledgements. Each Party may process Personal Data under this Addendum with respect to Personal Data as independent data Controllers. The Parties agree to comply with their respective obligations and to process any Personal Data fairly and lawfully in compliance with this Addendum and all Data Protection Laws applicable to such Party’s Personal Data Processing operations. Each Party shall ensure that its Processing of Personal Data is limited to the purpose of the EOR Services being provided by Globalization Partners and is based on a legal ground for lawful processing. The Parties will assist each other in complying with their respective obligations under Data Protection Laws, including, but not limited to, assisting each other if a Data Breach occurs, responding to Data Subjects and/or regulators’ requests.

3. PROCESSING OF PERSONAL DATA

3.1. Scope. The use of the Platform by the Customer and the Customer management relationship may entail the Processing of Customer Data by Globalization Partners as a Processor or Service Provider on behalf of Customer.

3.2. Instructions. Globalization Partners will process Customer Data in accordance with Customer’s documented instructions. Customer agrees that this Addendum, the Master Agreement, and Annex I attached hereunder, comprise Customer’s complete instructions to Globalization Partners regarding the Processing of Customer Data. Any additional or alternate instructions must be agreed between the parties in writing, including the costs (if any) associated with complying with such instructions. Globalization Partners is not responsible for determining if Customer’s instructions are compliant with applicable law. However, if Globalization Partners is of the opinion that a Customer instruction infringes applicable Data Protection Laws, Globalization Partners shall notify Customer as soon as reasonably practicable and shall not be required to comply with such infringing instruction.

3.3. Details of Processing. Details of the subject matter of the Processing, its duration, nature and purpose, and the type of Customer Data and data subjects are as specified in Annex I attached hereto.

3.4. Compliance. Customer and Globalization Partners agree to comply with their respective obligations under Data Protection Laws applicable to the Customer Data that is Processed as specified in Annex I. Customer has sole responsibility for complying with Data Protection Laws regarding the lawfulness of the Processing of Customer Data prior to disclosing, transferring, or otherwise making available, any Customer Data to Globalization Partners. For the avoidance of doubt, in all cases, Customer shall obtain, where required, any consents from the Data Subjects for Globalization Partners to Process Customer Data as directed by Customer.

3.5. Subprocessors. Customer authorizes Globalization Partners to appoint and use Processors (“Subprocessors”) to Process the Customer Data in connection with the Services. Subprocessors may include third parties or any member of the Globalization Partners group of companies. Globalization Partners may continue to use those Subprocessors already engaged by Globalization Partners as of the date of this Addendum, and a list of such Subprocessors is available in Annex III attached hereunder. Where a Subprocessor fails to fulfil its data protection obligations as specified above, Globalization Partners shall be liable to the Customer for the performance of the Subprocessor’s obligations. Globalization Partners shall notify Customer of any changes to its list of Subprocessors. If, within 10 (ten) days of the receipt of that notice, Customer legitimately objects to the addition or removal of a Subprocessor on data protection grounds and Globalization Partners cannot reasonably accommodate Customer’s objection, the parties will discuss Customer’s concerns in good faith with a view to resolving the matter.

3.6. Technical and organizational security measures. Taking into account industry standards, the costs of implementation, the nature, scope, context and purposes of the Processing, and any other relevant circumstances relating to the Processing of the Customer Data within the Platform, Globalization Partners shall implement appropriate technical and organizational security measures to ensure security, confidentiality, integrity, availability and resilience of processing systems and services involved in the Processing of the Customer Data are commensurate with the risk in respect of such Customer Data. Globalization Partners will periodically (i) test and monitor the effectiveness of its safeguards, controls, systems and procedures and (ii) identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of the Customer Data, and ensure these risks are addressed.

3.7. Confidentiality. Globalization Partners shall ensure that persons authorized to access the Customer Data (i) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and (ii) access the Customer Data only upon documented instructions from Globalization Partners, unless required to do so by applicable law.

3.8. Personal Data Breach. Globalization Partners will notify the Customer without undue delay after becoming aware of a Data Breach in relation to the Processing of Customer Data and will use reasonable efforts to assist the Customer in mitigating, where possible, the adverse effects of any Data Breach.

3.9. International Transfers. Globalization Partners is authorized, in the normal course of business, to make worldwide transfers of Customer Data to its affiliates and/or Subprocessors. When making such transfers, Globalization Partners shall ensure appropriate protection is in place to safeguard the Customer Data transferred under or in connection with the Master Agreement, as following:

  • 3.9.1. Where Globalization transfers Customer Data to countries outside the EEA (which are not subject to an adequacy decision under Privacy Laws), Globalization Partners shall execute and comply with its obligations under the EU SCCs, which are incorporated into this Addendum by this reference and completed as follows:
    • Module 2 (Controller to Processor) will apply where Customer is a Controller of Personal Data and Globalization Partners is a Processor of Personal Data;
    • in Clause 7, the optional docking clause will apply;
    • in Clause 9, option 2 will apply with 10 days;
    • in Clause 11, the optional language will not apply;
    • in Clause 12, any claims brought under the EU SCCs shall be subject to the terms and conditions set forth in the Agreement;
    • in Clause 17, Option 1 will apply, EU SCCs will be governed by Irish Law;
    • in Clause 18(b), disputes shall be resolved before the courts of Ireland;
    • Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to this Addendum;
    • Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to this Addendum; and
    • Annex III of the EU SCCs shall be deemed completed with the information set out in Annex III to this Addendum.
  • 3.9.2. In relation to Customer Data that is protected by the UK GDPR, the Parties are lawfully permitted to rely on the EU SCCs for Restricted Transfers from the United Kingdom subject to the UK Addendum which is incorporated into this Addendum by this reference and completed as defined in Annex IV attached hereto. If this section 3.9.2 does not apply, then Globalization Partners Exporting Company and the Customer shall cooperate in good faith to implement appropriate safeguards for transfers of such Personal Data as required or permitted by the UK GDPR without undue delay.
  • 3.9.3. Nothing in the interpretations in this Section 3.9 is intended to conflict with either Party’s rights or responsibilities under the EU SCCs and/or the UK Addendum and, in the event of any such conflict, the EU SCCs and/or the UK Addendum, as applicable, shall prevail.

3.10. Deletion of Personal Data. Upon termination of the Services (for any reason) and if requested by Customer in writing, Globalization Partners shall, as soon as reasonably practicable, return or delete the Customer Data stored in the Platform unless applicable law requires storage of the Customer Data for a longer period. For such retention the provisions of this Addendum shall continue to apply to such Customer Data.

3.11. Data Subject Requests. Globalization Partners shall promptly inform Customer of any Data Subjects’ requests regarding Customer Data. Customer is responsible for responding to such requests. Globalization Partners will reasonably assist Customer to respond to such Data Subject requests to the extent that Customer is unable to access the relevant Customer Data in its use of the Platform.

3.12. Third party requests. If Globalization Partners receives any requests from third parties or an order of any court, tribunal, regulator or government agency with competent jurisdiction to which Globalization Partners is subject relating to the Processing of Customer Data under the Agreement, Globalization Partners will promptly redirect the request to the Customer. Globalization Partners will not respond to such requests without Customer’s prior authorization unless legally compelled to do so. Globalization Partners will, unless legally prohibited from doing so, inform the Customer in advance of making any disclosure of Customer Data and will reasonably co-operate with Customer to limit the scope of such disclosure to what is legally required.

3.13. Data Protection Impact Assessment and Prior Consultation. To the extent required by Data Protection Laws, Globalization Partners shall provide reasonable assistance to Customer to carry out a data protection impact assessment in relation to the Processing of Customer Data undertaken by Globalization Partners and/or any required prior consultation(s) with supervisory authorities. Globalization Partners reserves the right to charge Customer a reasonable fee for the provision of such assistance.

3.14. Demonstrating Compliance. Globalization Partners regularly conducts external audits on organization’s security, availability, processing integrity, confidentiality and privacy controls and will provide Customer with a copy of the most recent summary audit report or certification upon written request. If the Customer prefers to conduct its own audit in addition to the provided third party certifications or reports, such audit shall be conducted: i) no more than once per each 12 (twelve) months period; ii) during normal business hours and without disrupting Globalization Partners’ day-to-day business; iii) with thirty (30) days prior written notice; iv) at the Customer’s sole expense (including Globalization Partner’s time spent assisting the Customer during the audit based on the daily rate of a security manager); v) based upon mutually agreed parameters and scope, limited to the specific scope of services, systems in use and/or processing activities contemplated and be specific to the actual requirement; vi) based upon mutually agreed in advance date, subject to reasonable postponement by Customer upon Globalization Partners’ reasonable request; and vii) in accordance with all confidentiality obligations and restrictions. Notwithstanding the forgoing, no audit right is granted after termination of the Master Agreement, except for legal obligations that will have to be demonstrated by the Customer. Any third-party representative selected to perform an audit on behalf of Customer must not have an ownership interest in or affiliation with an EOR Services agency, a related organization or consultant.

3.15. No Information Selling. Globalization Partners shall not derive or exercise any rights or benefits regarding Personal Data except as provided in this Addendum . For the avoidance of doubt, Globalization Partners will not retain, use, share or disclose Customer Data for any purpose other than for the specific purpose of providing the Platform to the Customer in accordance with the Master Agreement. Globalization Partners shall not sell any Personal Data, as the term “sell” is defined in the CCPA. Globalization Partners represents and warrants that it understands the rules, requirements and definitions of the CCPA and agrees to refrain from taking any action that would cause any transfers of Personal Data to or from Globalization Partners to qualify as “selling personal information” under the CCPA.

Annex I - Data Processing Description

Parties Controller / Data Exporter: Customer entity executing the Master Agrement
Processor / Data Importer: Globalization Partners entity executing the Master Agreement.
Parties Contact Details Customer contact details as set out in the Master Agreement. Globalization Partners contact details as set out in the Master Agreement.
Activities Relevant to the Data Transferred Activities related to the Platform provided as a service.
Processing Activities Globalization Partners will process Customer Data in its provision of the Platform as a service to the Customer.
Duration of the Processing Globalization Partners will Process Customer Data for the duration of the Master Agreement and on a continuous basis.
Nature and Purpose of Processing Customer may transfer Customer Data to Globalization Partners, the extent of which is determined and controlled by the Customer in its sole discretion. Globalization Partners will Process Customer Data as necessary for the purposes of providing the Platform as a service to the Customer in accordance with the Master Agreement.
Categories of Data Subjects The Customer Data concern Authorized Users of the Platform who may include Customer’s employees and/or contractors, in addition to individuals whose Personal Data is supplied by Authorized Users of the Platform.
Types of Personal Data The Customer Data transferred may include the following categories of data:

  • Contact details (such as postal address, phone number and e-mail).
  • Employees / Contractors data (such as job title and name of the company).
  • Customer details (such as invoicing and credit related data).
  • Usage data (such as data about the Authorized User’s device and how such device interact with the Platform).
  • Location data (such as location derived from the IP address).
  • Content data (such as the content of the Customer’s files regarding the Professionals and communications).
  • Credentials (such as passwords, passwords hints and similar security information used for authentication and account access to the Platform).
  • Any Personal Data supplied by Authorized Users.
Special Categories of Data (if appropriate) N/A
Retention Customer Data will be retained at least as long as any applicable legally mandated minimum retention period, that is consistent with applicable statutes of limitations and meets good business practices.
Competent Supervisory Authority The Irish Data Protection Commission
Transfers to Subprocessors For transfers to processors, the subject matter, nature and duration of the processing are the same as above defined.
Globalization Partners Privacy contact details privacy@globalization-partners.com
Attn: Global Privacy Office.

Annex II - Technical And Organisational Measures

Globalization Partners has been certified and attested to confirm compliance with SOC 2 standards, by independent auditors. Service Organization Controls (SOC) reports demonstrate our commitment to securing Customer Data. Globalization Partners’ security program is designed to:

  • Protect the confidentiality, integrity, and availability of Customer Data in Globalization Partners’ possession or to which Globalization Partners has access;
  • Protect against any anticipated threats or hazards to the confidentiality, integrity, and availability of Customer Data;
  • Protect against unauthorized or unlawful access, use, disclosure, alteration, or destruction of Customer Data;
  • Protect against accidental loss or destruction of, or damage to, Customer Data; and
  • Safeguard information as set forth in any regulations by which Globalization Partners may be regulated.

The following describes the functions, processes, controls, systems, procedures and measures which Globalization Partners has taken to ensure the security of the Processing of Customer Data:

1) TECHNICAL MEASURES TO ENSURE DATA PRIVACY AND PROTECTION

a) Privacy by Design and Default:

Globalization Partners takes the requirements of Article 25 GDPR into account in the conception and development phase of product development. Processes and functionalities are set up in such a way that the data protection principles such as legality, transparency, purpose limitation, data minimization, etc. as well as the security of processing are considered at an early stage.

b) Encryption of Personal Data:

Ensuring that personal data are only stored in the system in a way that does not allow third parties to identify the data subject.

  • Database and storage encryption:
    On all databases used by Globalization Partners an encryption “at rest” according to the state of the art is used so that the data from the database can only be read after proper authentication on the respective database system.
  • Encryption of mobile data media:
    The use of mobile data carriers for storing customer data is not permitted.
  • Encryption of data carriers on laptops:
    Appropriate state-of-the-art hard disk encryption is installed on all employees’ laptops.
  • Encrypted exchange of information and files:
    In principle, the exchange of information and files is directly encrypted via a special application. If personal data or confidential information must be transferred to servers which cannot be sent via TLS-encrypted HTTPS uploads, these will be transferred using Secure File Transfer Protocol (SFTP), encrypted envelope service or another encrypted mechanism according to the state of the Art.
  • E-Mail Encryption:
    In principle, all e-mails sent by employees of Globalization Partners are encrypted with TLS. Exceptions may be if the receiving mail server does not support TLS. The Customer shall ensure that the corresponding mail servers used within the scope of the order support TLS encryption

c) Admission Control

Admission controls are intended and put in place in order to prevent the use and processing of data which is protected by data protection laws by unauthorized persons.

  • Use of authentication methods
    Access to personal data is always via encrypted protocols: SSH, SSL/ TLS, HTTPS or comparable protocols. Authentication procedure for IT system: Multifactor authentication log-in to IT system.
  • Automatic blocking in case of inactivity
    Laptops used by Globalization Partners employees locked with password or PIN protection when not in use by the user. In addition, an automatic screen lock with password protection is set up after 15 minutes of inactivity.
  • Use of anti-virus software
    Laptops used by Globalization Partners employees are equipped with state-of-the-art anti-virus software that is kept up to date on all operational or business IT systems. As a matter of principle, no computers may be operated without resident virus protection unless other equivalent state-of-the-art security measures have been taken or there is no risk. Default security settings must not be deactivated or circumvented.
  • “Clean Desk Policy”
    Employees of Globalization Partners are instructed not print out or locally store personal data of data subjects, not to leave work materials in a location where they may be viewed by third parties, and to store all work materials properly. Documents which Globalization Partners is required by law to hold in hard copy are stored in locked cabinets.

d) Access Controls Within the Platform

Access controls ensure that persons authorized to use a processing system have access only to the personal data covered by their access authorization.

  • Roles and Authorization
    • Roles and Authorization Platform – Customer Access Customer users can view and edit customer account information.
    • Roles and Authorization Platform – Professional Access Professional users can view and edit their own professional information.
      Professionals can also gain Customer access role upon requirement + approval
    • Roles and Authorization Platform – Internal Access
      Internal access users have varied roles. They have varied access to create, view, edit, and approve the following:

      • Customer information
      • Billing information
      • Partner information
      • Professional personnel records information

      Access to the admin system is generally limited to trained employees in the areas of customer support and product development.

e) Firewall as a Service

Globalization Partners uses use an external firewall as a service that allows it to grant or block access to websites to make sure systems can’t access malicious content and to restrict access to inappropriate content.

f) Record of Log-In to the Platform

Globalization Partners maintains a record of all login activity.

g) Separability

Ensuring that personal data collected for different purposes can be processed separately and are separated from other data and systems in such a way that unplanned use of these data for other purposes is excluded.

  • Separation of development, test and operating environments
    Data from the operating environment may only be transferred to test or development environments if it has been made completely anonymous before transfer. The transfer of the anonymized data must be encrypted or via a trustworthy network.
  • Separation in networks
    Globalization Partners separates its networks according to tasks. The following networks are used permanently: operating environment (“Production”), test environment (“Staging”, “Sandbox”), development environment (“Dev”) office IT staff. In addition to these networks, further separate networks are created as required, e.g., for restore tests and penetration tests. Depending on the technical possibilities, the networks are separated either physically or by means of virtual networks.

h) Availability control

Globalization Partners takes the following steps to ensure that personal data is protected against accidental destruction or loss.

  • Data protection procedures/ backups
    To ensure adequate availability Globalization Partners implements daily snapshots of its database with replication to a different region. Measures are also taken to ensure employees with job-based need to review data are granted access only to replica datasets.
  • Geo-redundancy with regard to server infrastructure of productive data and backups
  • IT incident management (“Incident Response Management”)
    There is a concept and documented procedures for handling incidents and safety- relevant events. This includes the planning and preparation of the response to incidents, procedures for monitoring, detecting and analyzing security- relevant events and the definition of corresponding responsibilities and reporting channels in the event of a violation of the protection of personal data within the framework of the legal requirements.
2) ORGANIZATIONAL MEASURES TO ENSURE DATA PRIVACY AND PROTECTION

Globalization Partners has put in place the following organizational measures to ensure the organization operates in a manner that meets data privacy and protection requirements.

a) Organizational Instructions

Globalization Partners has developed and is developing a data governance program including policies, procedures, and guidelines for employees to follow. Documentation includes how to identify and manage data privacy issues, best practices for ensuring privacy compliance, and policies for addressing privacy incidents.

b) Commitment to confidentiality and data protection

Globalization Partners has developed and is developing a data governance program including policies, procedures, and guidelines for employees to follow. All employees and contractors are bound in writing to confidentiality and data protection as well as other relevant laws. All employees receive privacy & security training. Internal audits on data protection and information security are conducted regularly. Audits are carried out on the basis of common test criteria/schemes. The employees and contractors of Globalization Partners are instructed to process personal data for lawful reasons only, pursuant to applicable contracts with the customer and professional, with due consideration to any express consent given or withheld by the data subject, and in keeping with any lawful duty of the organization.

c) Data protection training

All employees receive privacy & security training which remains available for review at any time in Globalization Partners training platform.

d) Physical Access Controls

Globalization Partners has the following physical controls in place to deny unauthorized persons access to IT systems equipment used for processing.

  • Electronic door protection
    The entrance doors to the premises of Globalization Partners offices are always locked and electronically secured. The doors are opened via a personal electronic transponder.
  • Controlled distribution of keys
    A central, documented allocation of keys to the employees of Globalization Partners takes place. These electronic transponders/keys could be deactivated centrally by each office manager or the People Resources department.
  • Supervision and accompaniment of external persons
    External service providers and other third parties may only be granted access to the premises via prior authorization or when accompanied by an employee of Globalization Partners. Globalization Partners applies its written Visitor’s Policy when visitors are invited to the premises.
  • Securing of premises with increased need for protection
    Premises or cabinets with increased protection requirements, such as legal offices and certain Operations locations, are equipped with locking cabinets and drawers. Cabinets and drawers where legal documents, contracts, and confidential documentation are held are to be locked at all times except when they are in use.
  • Closed doors and windows
    Employees are organizationally instructed to keep windows and doors closed or locked outside office hours.

e) Recoverability

Globalization Partners ensures that systems in use can be restored in the event of physical or technical failure.

  • Regular tests of the data recovery (“Restore-Tests”)
    Regular full restore tests are carried out to ensure recoverability in the event of an emergency/disaster.
  • Emergency plan (“Disaster Recovery Concept”)
    There is a concept for the treatment of emergencies/disasters and a corresponding emergency plan. Globalization Partners ensures the recovery of all systems on the basis of the data backups / backups, usually within 48 hours.
  • Review and evaluation measures
    Presentation of the procedures for regular review, assessment and evaluation of the effectiveness of the technical and organizational measures.

f) Privacy Team

The organization has a Global Data Privacy Office tasked with planning, implementing, evaluating and adapt measures in the field of data protection.

g) Risk Management

There is a process for analyzing, evaluating, and allocating risks and for deriving measures on the basis of these risks.

3) INDEPENDENT REVIEW OF INFORMATION SECURITY

a) Performance of audits

Internal audits on data protection and information security are conducted regularly. Audits are carried out on the basis of common test criteria/schemes.

b) Review of compliance with security policies and standards

Compliance with the applicable security guidelines, standards and other security requirements for the processing of personal data is checked regularly. Where possible, these checks are carried out on a random and unexpected basis.

c) Verification of compliance with technical specifications

Regular automated and manual vulnerability scans are performed by the IT department or other qualified personnel to verify the security of the applications and infrastructure, as well as the regular development of the product. Detailed penetration tests are carried out by an external service provider to specifically examine the applications and infrastructure for vulnerabilities.

d) Processing on instruction

The employees of Globalization Partners are instructed to process personal data for lawful reasons only, pursuant to applicable contracts with the customer and professional, with due consideration to any express consent given or withheld by the data subject, and in keeping with any lawful duty of the organization.

e) Careful supplier selection

Globalization Partners adheres to its Supplier Prequalification Process when selecting vendors and suppliers who may encounter protected data. This process includes feedback from the Finance and Legal/Privacy Departments and incorporates risk assessment, security prequalification and documentation certification steps. Suppliers who will process protected data will be required to demonstrate their adherence to applicable data privacy laws, including Article 28 GDPR for covered data.

Annex III - List of Subprocessors

Subprocessor Contact Information Description of Processing Location
Globalization Partners subsidiaries https://www.globalization- partners.com/contact-us/ Providing the Platform and Customer relationship management US
Acumatica 3933 Lake Washington Blvd NE #350, Kirkland, WA 98033, USA Financial Services US
Amazon Web Service P.O. Box 81226 Seattle, WA 98108-1226, USA
https://aws.amazon.com/contact-us/
Hosting – Cloud Services Provider US
Microsoft One Microsoft Way Redmond, Washington 98052 USA

Telephone: (+1) 425-882-8080.
Business Process Support communications (email); services management US
Atlassian 350 Bush Street Floor 13 San Francisco, CA 94104, USA
+1 415 701 1110
Business Process Support for services management US
Conga https://conga.com/contact-us
62 Margaret St, 3rd floor London W1W 8TF United Kingdom
Contracts Management UK
DocuSign DocuSign International (EMEA) Ltd, Attention: Privacy Team, 5 Hanover Quay, Ground Floor, Dublin 2, Republic of Ireland Document Management Ireland
Gong 265 Cambridge Ave, Suite 60717 Palo Alto, CA 94306, USA Telecommunications Services US
iCertis 2 Kingdom Street Paddington London W2 6BD United Kingdom Contracts Management UK
Salesforce.com Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA

1-800-387-3285
Business Process Support for Customer Relationship management (CRM) US
Zendesk 989 Market St San Francisco, CA 94103, USA
zendesk.com
888-670-4887
Helpdesk inquiries for customer support US

Annex IV - UK Addendum to EU Standard Contractual Clauses

PART 1: TABLES

Table 1: Parties

Start date Effective Date of this Addendum
The Parties Exporter (who sends the Restricted Transfer) Importer (who receives the Restricted Transfer)
Parties’ Details Customer entity details as set out in the Master Agreement. Globalization Partners entity details as set out in the Master Agreement.
Key Contacts Customer contact details as set out in the Master Agreement. Globalization Partners contact details as set out in the Master Agreement and Globalization Partners Privacy contact details as defined in Annex I above.

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs The version of the Approved EU SCCs incorporated at Section 3.9 of the Addendum, including the Annex information attached to this Addendum.

Table 3: Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

  • Annex 1A: List of Parties: Annex I
  • Annex 1B: Description of Transfer: Annex I
  • Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: Annex II
  • Annex III: List of Sub processors: Annex III

Table 4: Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum changes Which Parties may end this Addendum as set out in Section ‎19:
☐ Importer
☒ Exporter
☐ neither Party
PART 2: MANDATORY CLAUSES
Mandatory Clauses Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.