Grouper GDPR Data Processing Addendum

Last Updated: February 25, 2024

This Data Processing Addendum (the "DPA") supplements Grouper's Terms of Service and Privacy Policy, as updated from time to time between Customer and Grouper, and any other agreement(s) between Customer and Grouper governing Customer's use of the Services (jointly the "Service Agreement") WHEN THE GDPR, THE UK GDPR, OR THE SWISS DPA APPLIES TO CUSTOMER'S USE OF THE SERVICES TO PROCESS CUSTOMER DATA.

This DPA is an agreement between Grouper, Inc. ("Grouper", "Company" and/or "Data Processor"), and you and/or the entity you represent ("Customer", "you", "your" and/or "Data Controller"), each a "Party" and collectively the "Parties". Unless otherwise defined in this DPA or in the Service Agreement, all capitalized terms used in this DPA will have the meanings given to them in Section 1 of this DPA.

Definitions

1. In this DPA, the following words and phrases shall have the following meanings, unless otherwise specified:

   1. "Applicable Law(s)" means all applicable laws, regulations, and other legal or regulatory requirements in any jurisdictions relating to privacy, data protection, security, or the processing of personal data, including, but not limited to, (a) the Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("GDPR"); the United Kingdom's European Union (Withdrawal) Act of 2018, which saves the GDPR into United Kingdom law ("UK GDPR"); and (c) the Swiss Federal Data Protection Act ("Swiss DPA"). For the avoidance of doubt, if Grouper's processing activities involving personal data are not within the scope of an Applicable Law, such law is not applicable for the purposes of this DPA.

   2. "Account Settings" means the controls that the Services provide, including tools made available to the Customer for the update, correction, and deletion of Customer Data, as described in the Service Agreement.

   3. "Customer Data" shall mean Customer Personal Data as defined hereunder.

   4. "Data Breach" or "Personal Data Breach" shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

   5. "Data Controller" or "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

   6. "Data Processor" or "Processor" shall mean a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

   7. "Data Subject" shall refer to an identified or identifiable natural person. For the purposes of this DPA, End-Users utilizing the Services, and for which Customer is responsible ("Customer End-Users"), are considered Data Subjects.

   8. "EEA" means the European Economic Area.

   9. "Grouper Security Standards" shall mean the security standards attached to the Service Agreement, or if none are attached to the Service Agreement, attached to this DPA as Exhibit "A".

   10. "End-User(s)" shall mean teachers and students (natural persons) using the Services through Grouper accounts.

   11. "EU Customer Data" shall mean Personal Data of Customers residing in the European Union.

   12. "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

   13. "Processing of Customer Data" or "Processing Activities" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

   14. "Pseudonymisation" means the processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the Personal Data are not attributed to an identified or identifiable natural person.

   15. "Services" shall mean services offered at https://grouper.school and any associated applications or products and services that the Company may provide now or in the future.

   16. "Security Incident" means a breach of Grouper's security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data.

   17. "Standard Contractual Clauses" shall mean (i) where the GDPR applies, the standard contractual clauses approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj) (the "EU SCC"); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (the "UK SCC); and (iii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner (the "Swiss SCC"), in the terms outlined in Exhibit "B" of this DPA.

   18. "Subprocessors" means any person appointed by or on behalf of Grouper to process Personal Data on behalf of it in connection with the Service Agreement.

   19. "Third party" means a natural or legal person, public authority, agency or body other than the Data Subject, the Controller or the Processor. The term shall therefore include, for the avoidance of doubt, Subprocessors.

2. Any other terms or concepts shall be interpreted in accordance with the provisions contained in Applicable Laws.

General Considerations

1. This DPA applies when Customer Data is processed by Grouper.

2. Customer can use the Services Account Settings to update, rectify and/or erase Customer Data subject to the procedures outlined in the Service Agreement. Considering the nature of the processing, Customer understands and agrees that it is unlikely that Grouper would become aware that Customer Data transferred under the Standard Contractual Clauses or any other legally valid mechanism is inaccurate or outdated. Nonetheless, if Grouper becomes aware that Customer Data transferred is inaccurate or outdated, it will inform Customer without undue delay. Grouper will cooperate with Customer to erase or rectify inaccurate or outdated Customer Data transferred as necessary to erase or rectify Customer Data.

3. Each Party will comply with all applicable and binding laws, rules, and regulations in the performance of this DPA.

Processing of Customer Data

1. Scope. This DPA sets the obligations of both Parties in relation to the safety and confidentiality of Customer Data.

2. Purpose and Term. The purpose of the Processing Activities under this DPA is the provision of the Services as requested by the Customer from time to time. Consequently, the duration of the Processing Activities foreseen hereunder is determined by the Customer.

3. Nature of Processing Activities. Computing, storage, and such other Services as described in the Service Agreement and initiated by the Customer from time to time.

4. Affected Customer Data. Customer Data uploaded to the Services under Customer's Grouper accounts.

5. Categories of Data Subjects. Data Subjects include Customer's End-Users.

Obligations of Grouper as the Data Processor

1. In the processing of Customer Data, Grouper shall:

   1. Not use Customer Data directly or indirectly for any purpose other than in connection with the provision of Services to the Customer.

   2. Manage and process Customer Data acquired from the Customer in accordance with the documented instructions as set out in this DPA and the obligations of Applicable Laws, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by any other Applicable Law to which Grouper is subject. In such a case, Grouper shall inform the Customer of that legal requirement before processing, unless any applicable law prohibits disclosure of such information on important grounds of public interest.

   3. Pseudonymised Personal Data may be used by Grouper for the purposes of development, research, and improvement of educational sites, services, or applications. Grouper agrees not to attempt to re-identify pseudonymised information.

2. Taking into account the nature of the processing, Grouper shall assist Customer by appropriate technical and organizational measures, insofar as it is possible, to enable Customer to fulfill its obligations to respond to requests from data subjects (including the rights of access to, rectification of and erasure of Personal Data), and shall promptly comply with any request from Customer to amend, transfer or delete such Personal Data.

3. If a data subject makes a request to Grouper, Grouper will promptly forward such request to Customer once Grouper has identified that the request is from a Data Subject for whom Customer is responsible. Customer authorizes Grouper to respond to any Data Subject who makes a request to Grouper, to refer such data subject to Customer. The Parties agree that Customer's use of Account Settings, as well as associated procedures foreseen in the Service Agreement, and Grouper forwarding Data Subjects to Customer for data requests in accordance with this DPA, represent the scope and extent of Customer's required assistance.

Confidentiality of Customer Data

1. Grouper will not access or use, or disclose to any third party, any Customer Data, except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order). If a governmental body sends Grouper a demand for Customer Data, Grouper will attempt to redirect the governmental body to request that data directly from Customer. As part of this effort, Grouper may provide Customer's basic contact information to the governmental body. If compelled to disclose Customer Data to a governmental body, then Grouper will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Grouper is legally prohibited from doing so.

2. Grouper restricts its employees from processing Customer Data without authorisation by Grouper as described in Exhibit "A" of this DPA. Grouper imposes appropriate contractual obligations upon its employees, including relevant obligations regarding confidentiality, data protection and data security.

Grouper Subprocessors

1. Customer provides general authorisation to Grouper's use of Subprocessors to provide processing activities on Customer Data on behalf of Grouper in accordance with this Section. The Grouper website lists Subprocessors that are currently engaged by Grouper (outlined in Grouper's Privacy Policy, section "Security Measures," item "Which are Grouper's third-party service providers?").

2. At least fifteen (15) days before Grouper engages a Subprocessor, Grouper will update its website and/or provide Customer with a mechanism to obtain notice of that update. To object to a Subprocessor, Customer can: (i) terminate the Service Agreement pursuant to its terms; or, to the extent applicable, (ii) cease using the Services for which Grouper has engaged the Subprocessor. For the purposes of this Section and the receipt of notifications from Grouper regarding Subprocessors, Customer hereby agrees to have its designated representative create a Grouper account and verify their email address accordingly.

3. Where Grouper authorizes a Subprocessor as described in Sections 6.1 and 6.2 above, Grouper will:

   1. restrict the Subprocessor's access to Customer Data only to what is necessary to provide or maintain the Services in accordance with the Service Agreement, and Grouper will prohibit the Subprocessor from accessing Customer Data for any other purpose;

   2. enter into a written agreement with the Subprocessor and, to the extent that the Subprocessor performs the same data processing services provided by Grouper under this DPA, Grouper will impose on the Subprocessor contractual obligations that are consistent with and not less stringent than those Grouper has under this DPA; and

   3. remain responsible for its compliance with the terms of this DPA and for any acts or omissions of engaged Subprocessors that cause Grouper to breach any of Grouper's obligations under this DPA.

Safeguarding Customer Data

1. Grouper shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

   1. the pseudonymisation and encryption of Personal Data;

   2. the implementation of measures that ensure the ongoing confidentiality, integrity, availability and resiliency of processing systems and services;

   3. the capacity to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;

   4. the design and implementation of a process to regularly test, assess, and evaluate the effectiveness of technical and organizational measures for ensuring the security of processing.

2. Grouper shall ensure the security of information stored on all fixed and mobile devices, including desktop computers, servers and mobile computer devices (laptops, notebooks, smartphones and other smart type devices) and removal storage devices (CD, DVD, portable hard drives, etc.).

Audits

1. Grouper shall make available to Customer, upon Customer's written request, all information necessary to demonstrate compliance with Grouper's obligations laid down in this DPA and applicable laws and regulations, and allow for Customer Audits as outlined below.

2. Upon written request by Customer, Grouper shall provide the Customer with copies of its policies and related procedures that pertain to the protection of Personal Data. It may be made available in a form that does not violate Contractor's own information security policies, confidentiality obligations, and applicable laws. In addition, Grouper may be required to provide Customer with a recent industry standard independent audit report on Grouper's privacy and security practices. Where such audit report is not available, Grouper will allow Customer, at Customer's expense, to audit the security and privacy measures that are in place to ensure the protection of Personal Data or any portion thereof. Grouper will cooperate fully with Customer and provide access to staff, agents, reports, and records to the extent necessary for performing the audit.

3. Any audit performed under Section 8.2. must be:

   1. conducted during Grouper's regular business hours;

   2. informed of with reasonable advance notice to Grouper;

   3. carried out in a manner that prevents unnecessary disruption to Grouper's operations; and

   4. subject to reasonable confidentiality procedures.

   5. limited to one (1) per year.

Security Incidents

1. Grouper shall implement controls reasonably necessary to prevent unauthorized use, disclosure, loss, acquisition of, or access to Customer Data as foreseen in Section 7 of this DPA.

2. Upon the discovery by Grouper of a Security Incident that results in the unauthorized release, disclosure, or acquisition of Personal Data, or the suspicion that such an incident may have occurred, Grouper shall provide notice to Customer without undue delay and, where feasible, not later than forty-eight (48) hours after having become aware of it ("Initial Notice"). Where the notification to Customer is not made within forty-eight (48) hours, it shall be accompanied by reasons for the delay.

3. The notice shall be delivered to Customer's designated representative(s) by electronic mail and shall, to the extent known at the time of notification:

   1. specify date and time of the incident;

   2. describe the nature of the Personal Data affected including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of personal data records concerned;

   3. communicate the name and contact details of the Data Protection Officer or other contact point where more information can be obtained;

   4. describe the likely consequences of the Security Incident;

   5. describe the measures taken or proposed to be taken by Grouper to address the Security Incident, including, where appropriate, measures to mitigate its possible adverse effects.

   Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

4. It is Customer's sole responsibility to ensure Customer's designated representative(s) maintain accurate contact information on their Grouper account.

5. Grouper shall assist Customer in fulfilling its obligation to notify the relevant supervisory authority and data subjects of a data breach in accordance with Applicable Laws.

6. Without prejudice to the foregoing, Customer agrees that:

   1. an unsuccessful Security Incident will not be subject to this Section 9. An unsuccessful Security Incident is one that results in no unauthorized access to Customer Data or to any Grouper's equipment or facilities storing Customer Data, and could include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents; and

   2. Grouper's obligation to report or respond to a Security Incident under this Section 9 is not and will not be construed as an acknowledgement by Grouper of any fault or liability of Grouper with respect to the Security Incident.

Transfers of Personal Data

1. Grouper will not transfer Customer Data outside the EEA except as necessary to provide the Services initiated by Customer, or as necessary to comply with the law or binding order of a governmental body.

2. Subject to section 10.3 below, the Standard Contractual Clauses will only apply to Customer Data that is transferred, either directly or via onward transfer, to a Third Country that does not offer the same degree of protection as that of the Customer's region of residence (each a "Data Transfer"), except for the transfer of EU Customer Data to the United States, which shall be subject to Customer consent as outlined in section 10.6 below.

3. The Standard Contractual Clauses will not apply to a Data Transfer if Grouper has adopted Binding Corporate Rules for Processors or an alternative recognised compliance standard for lawful Data Transfers.

4. It is not the intention of either Party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Service Agreement (including this DPA), the Standard Contractual Clauses will prevail to the extent of such conflict.

5. By entering into this DPA, the Parties are deemed to be signing the applicable Standard Contractual Clauses and its applicable Appendices and Annexes.

6. When transferring EU Customer Data to the United States, Grouper will do so on the derogations foreseen for specific situations under Article 49 of the GDPR. In particular, Grouper will collect and transfer to the United States personal data with Customer's explicit consent, to perform a contract with Customer, and/or for reasons of public interest, as outlined in Grouper's Privacy Policy, section "European Economic Area", item "Transfers of Data to the United States".

DPA Termination and Disposal of Customer Data

1. This DPA will remain in force until the Service Agreement is terminated (the "Termination Date").

2. Grouper shall ensure, upon termination or completion of the Service Agreement, that all documents, data, other records or tangible objects containing or representing Personal Data which have been disclosed by Customer to Grouper and all copies thereof which are in the possession of Grouper and its Subprocessors, shall at the written request and election of Customer, be returned and/or securely deleted.

3. In the absence of any specific disposal request from Customer, Personal Data shall be automatically deleted after End-User Accounts have been inactive for a period of eighteen (18) months, in compliance with the principle of minimum data retention.

4. Where Grouper is required for legal or regulatory compliance to retain a copy of Personal Data, Grouper shall provide Customer in writing with full details of any information they are proposing to retain and the details of the legal and regulatory obligations governing this action.

5. Without prejudice to all of the aforementioned, Grouper may keep backups of data as part of its disaster recovery storage system for an additional term of thirteen (13) months after termination of the Services, provided such data is (i) inaccessible to the public; and (ii) not used in the normal course of business by Grouper.

Entire Agreement

This DPA incorporates the Standard Contractual Clauses by reference. Except as amended by this DPA, the Service Agreement will remain in full force and effect. If there is a conflict between the Service Agreement and this DPA, the terms of this DPA will control. Nothing in this document varies or modifies the Standard Contractual Clauses.

Grouper has a comprehensive Security Program in place designed to protect the confidentiality, integrity, and availability of systems, networks and data. The following is a general overview of data security protocols in place:

1. Data in Transit. Data is transferred using HTTPS and enabling TLS v1.2 or greater.

2. Data at Rest. AES-256 is used as the data encryption technique. 256-bit encryption is a data/file encryption technique that uses a 256-bit key to encrypt and decrypt data or files.

3. Data Center Security. Grouper uses Google Cloud Platform ("GCP") Data Centers, which conform to the following:

   • GCP has extensive experience in designing, constructing, and operating large-scale data centers. GCP data centers are housed in nondescript facilities.
   • Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means.
   • Authorized staff must pass two-factor authentication a minimum of two times to access data center floors.
   • GCP only provides data center access and information to employees and contractors who have a legitimate business need.
   • GCP has certification for compliance with ISO 27001, ISO 27017, ISO 27018, and ISO 27701, as well as with the System and Organisation Controls ("SOC") 1, 2 and 3 Reports.

4. Personnel. Grouper employees with access to Personal Data:

   • Undergo criminal background checks.
   • Receive annual privacy and security training.
   • Access to Personal Data is role-based; limited to those employees who need access to perform job responsibilities.

5. Continued Evaluation. Grouper will conduct periodic reviews of the security of its systems and networks, and the adequacy of its information security program:

   • as measured against industry security standards and its policies and procedures; and
   • to determine whether additional or different security measures are required to respond to new security risks or findings generated by periodic reviews.

THIS EXHIBIT IS ATTACHED TO AND FORMS PART OF THE DATA PROCESSING ADDENDUM (THE "DPA"). UNLESS OTHERWISE DEFINED IN THIS ATTACHMENT, CAPITALISED TERMS USED HEREIN HAVE THE MEANINGS GIVEN TO THEM IN THE DPA.

Customer acknowledges and agrees that, subject to compliance with Applicable Laws, Grouper may process Customer Personal Data anywhere in the world where Grouper, its Affiliates or its Subprocessors maintain data processing operations. The Parties agree that when the transfer of Customer Personal Data from Customer (as "data exporter") to Grouper (as "data importer") requires that appropriate safeguards are put in place, the Parties will be subject to the Standard Contractual Clauses, which will be deemed incorporated into and form a part of this DPA, as follows:

1. In relation to transfers of Customer Personal Data protected by the GDPR, the EU SCCs will be completed as follows:

   • The clauses as set forth in Module Two (controller to processor) will apply only to the extent Customer is a controller and Grouper is a processor;
   • The clauses as set forth in Module Three (processor to processor) will only apply to the extent Customer is a processor and Grouper is a subprocessor;
   • The "data exporter" is the Customer, and the exporter's contact information is set forth in Exhibit C below;
   • The "data importer" is Grouper, and Grouper's contact information is set forth in Exhibit C below;
   • In Clause 7, the optional docking clause will not apply;
   • In Clause 9, Option 2 will apply, and the time period for prior notice of Subprocessor changes will be as set out in Section 6.2 of the DPA;
   • In Clause 11, the optional language will not apply;
   • In Clause 17, Option 1 will apply, and the EU SCCs will be governed by Spanish law;
   • In Clause 18(b), disputes will be resolved before the courts of Spain; and
   • Annexes I and II of the Appendix are set forth in Exhibit C below.

2. In relation to transfers of Customer Personal Data protected by the UK GDPR, the EU SCCs will also apply to such transfers in accordance with paragraph (a) above, subject to the following:

   • Any references in the EU SCCs to "Directive 95/46/EC" or "Regulation (EU)2016/679" will be interpreted as references to the UK GDPR;
   • Any references to "EU", "Union" and "Member State law" will be interpreted as references to English law; and
   • Any references to the "competent supervisory authority" and "competent courts" will be interpreted as references to the relevant data protection authority and courts in England;
   • Unless the EU SCCs as implemented above cannot be used to lawfully transfer such Customer Personal Data in compliance with the UK GDPR, in which event the UK SCCs will instead be incorporated by reference and form an integral part of this DPA and will apply to such transfers. Where this is the case, the relevant Annexes or Appendices of the UK SCCs will be populated using the information contained in Exhibit C of this DPA (as applicable).

3. In relation to transfers of Customer Personal Data protected by the Swiss DPA, the EU SCCs will also apply to such transfers in accordance with paragraph (a) above, subject to the following:

   • Any references in the EU SCCs to "Directive 95/46/EC" or "Regulation (EU)2016/679" will be interpreted as references to the Swiss DPA;
   • Any references to "EU", "Union" and "Member State law" will be interpreted as references to Swiss law; and
   • Any references to the "competent supervisory authority" and "competent courts" will be interpreted as references to the relevant data protection authority and courts in Switzerland;
   • unless the EU SCCs as implemented above cannot be used to lawfully transfer such Customer Personal Data in compliance with the Swiss DPA, in which event the Swiss SCCs will instead be incorporated by reference and form an integral part of this DPA and will apply to such transfers. Where this is the case, the relevant Annexes or Appendices of the Swiss SCCs will be populated using the information contained in Exhibit C of this DPA (as applicable).

Data Exporter(s)/Controller(s):

• Name: The entity identified as "Customer" in the DPA.
• Address: The address for Customer associated with its Grouper account or as otherwise specified in the DPA or the Service Agreement.
• Contact person's name, position and contact details: The contact details associated with Customer's Grouper account, or as otherwise specified in the DPA or the Service Agreement.
• Activities relevant to the data transferred under these Clauses: The activities specified in Section 3 of the DPA.
• Signature and date: By using the Grouper Services to transfer Customer Data to Third Countries, the Controller will be deemed to have signed this Annex I.

Data Importer(s)/Processor(s):

• Name: "Grouper" as identified in the DPA.
• Address: The address for Grouper specified in the DPA or the Service Agreement.
• Contact person's name, position and contact details: The contact details for Grouper specified in the DPA or the Service Agreement.
• Activities relevant to the data transferred under these Clauses: The activities specified in Section 3 of the DPA.
• Signature and date: By transferring Customer Data to Third Countries on Customer's instructions, the Processor will be deemed to have signed this Annex I.

1. Data subjects. The personal data transferred concerns the following categories of data subjects: Customers; Potential Customers; End-Users; Employees; Authorized Agents or Assignees.
2. Categories of data. Personal Data uploaded to the Grouper Service under End-Users' and Customers' Grouper accounts; Contact Data; Key Contract Data (Contractual/Legal Relationships, Contractual or Product Interest); Customer History; Contract Billing and Payments Data, where (and if) applicable.
3. Special categories of data (if appropriate). N/A
4. Processing operations. The personal data transferred will be subject to the following basic processing activities (please specify): As set forth in the DPA between the parties, as well as any appendices thereto.
5. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). Personal data is transferred in accordance with Customer's instructions as described in the DPA.
6. Purpose(s) of the data transfer and further processing. To provide the Services.
7. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period. Not applicable because Customer determines the duration of processing in accordance with the terms of the DPA.
8. For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing. The subject matter, nature and duration of the processing are described in the DPA.

1. Description of the technical and organizational measures implemented by the processor to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons: The technical and organizational measures, as well as the scope and the extent of the assistance required to respond to Data Subjects' requests, are described in the DPA.
2. For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter: The technical and organizational measures that the Processor will impose on Subprocessors are described in the DPA.