This is Schedule 10.1 to our MEA

This Data Processing Agreement (“DPA”) is entered into in Barcelona (Spain) between TYPEFORM and the Client (as both terms are defined in the Agreement to which this DPA is appended to), and is effective as of the date of signature. For purposes of this DPA, TYPEFORM and Client shall also be jointly referred to as the “Parties” and individually as a “Party”.

Recitals

I-. Whereas the Parties have entered into a business relationship which results in TYPEFORM processing information on behalf of and under the instructions delivered from time to time by Client. For purposes of this DPA, the above-mentioned relationship shall be referred to as the “Services”. The type of data that TYPEFORM will be processing and the categories of data subject are identified, in respect of each data processing, in each Order Form signed by the Parties;

II-. Whereas, said information may include data defined under the GDPR as ‘personal’, as it may concern identified or identifiable individuals. GDPR means (i) the Regulation (EU) 2016/679, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data; (ii) the GDPR as it forms part of UK law by virtue of section 3 of the UK European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018; (iii) any future laws that may amend them or complement them in the future; and

III-. Whereas, it is in the interest of both Parties to set forth the terms and conditions under which TYPEFORM, acting as ‘data processor’, shall process personal data in respect of which Client is regarded as ‘data controller’, as further provided in this DPA.

Clauses

1. General

1.1. ‘Data controller’, ‘data processor’, ‘data subject’, ‘personal data’, ‘processing’ shall have the meaning set forth in the GDPR or in any other applicable European data protection law.

1.2. Any capitalized words not specifically defined in this DPA shall have the meaning ascribed to them in the Agreement.

2. Processing of data

2.1. TYPEFORM shall process any personal data it may have access to because of the provision of the Services in accordance with the documented instructions provided by Client from time to time. Should a Union or Member State law to which TYPEFORM is subject requires TYPEFORM to process personal data —including the international transfer of personal data—, TYPEFORM shall inform Client of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

2.2. Should TYPEFORM have reasonable grounds to believe that a documented instruction given by Client infringes the GDPR or any other applicable EU data protection law or regulation, it shall put said instruction on hold and immediately notify Client. At its sole risk and without TYPEFORM being responsible or liable to Client for any losses, Client will be entitled to order TYPEFORM to perform any such instruction despite the concerns raised by TYPEFORM, as long as it reconfirms its instruction in writing.

For purposes of this DPA, it shall be understood that a ‘documented instruction’ includes, without limitation, (i) any instruction delivered by Client by means of any durable media, such as a letter or email; (ii) any instruction electronically sent by Client when using the software provided as part of the Services (i.e. by using the interface part of the software and the features made available through it); (iii) any instructions orally transmitted by Client, as long as they are subsequently confirmed in writing; or (iv) the provisions of the DPA.

2.3. For clarification purposes and given its position of data controller, Client warrants and represents that it will timely and sufficiently perform its obligations under the applicable privacy laws, such as inform data subjects (e. g. respondents to the forms, etc.) and obtain their consent (where appropriate).

3. Confidentiality duty

3.1. TYPEFORM shall ensure that all employees authorized to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.

4. Sub-processors

4.1. TYPEFORM shall be entitled to seek the assistance of its affiliates TYPEFORM US LLC, conducting business in the US and having registered address at Spaces 95, 3rd St. 2nd Floor - San Francisco, CA 94103 (United States of America); TYPEFORM UK Limited, a company incorporated in England and Wales with registered office at 9th Floor, 107 Cheapside, London, EC2V 6DN (United Kingdom); Typeform DE GmbH, a company incorporated in Germany with registered office at EdisonStr. 63 - 12459 Berlin (Germany), and Typeform SL, a limited liability company incorporated in Spain, and with registered office at C/ Can Rabia 3-5, 4th floor, 08017 - Barcelona (Spain) . These companies are providing engineering, marketing & sales and customer success support services. For clarification purposes, TYPEFORM US LLC shall only be retained to the extent that the contracting Party to this DPA is Typeform SL, and Typeform SL shall only be retained when Typeform US LLC is the contracting Party to the DPA.

Additionally, TYPEFORM shall be entitled to engage Amazon Web Services Inc., a US entity with registered address at 2021 Seventh Ave., Seattle -- Washington 98121 (United States of America) for the provision of hosting services; Cloudflare Inc., a US entity with registered address at 101 Townsend St., San Francisco -- California 94107 (USA) for security & fraud prevention; Google Inc., a US entity with registered address at 1600 Amphitheatre Parkway Mountain View -- California 94043 (USA), for supporting the processing of tickets raised by respondents; and Zendesk Inc., a US company with registered address at 1019 Market Street San Francisco, -- California 94103 (USA), for the processing of customer success tickets.

4.2. In the event that TYPEFORM intends to replace one subprocessor by other or contract new subprocessors to provide Client with the Services, Client shall be entitled to reasonably oppose to such change in the non-extendable term of fifteen (15) calendar days and, if Client exercises any such right, TYPEFORM shall be entitled to early terminate the contractual relationship set forth in for the provision of the Services and in any applicable order form(s) by providing fifteen (15) days prior notice. ‘Reasonable oppose’ shall be interpreted as any challenge based on the potential or actual failure to meet the legal requirements set forth by the GDPR by the sub-processor to be appointed.

4.3. TYPEFORM shall enter into written agreements with any sub-processors engaged in the provision of the Services including the safeguards and guarantees required by the GDPR, particularly in respect of implementing the security measures required in the GDPR.

4.4. The Client shall subscribe to the emailing list available at https://help.typeform.com/hc/en-us/articles/360029617191-What-other-companies-do-we-share-data-with- in order to receive notifications for changes in the sub-processor list pursuant to Section 4.

5. Data subjects’ rights

5.1. Taking into account the nature of the processing, TYPEFORM shall assist Client by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Client's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR, if applicable.

5.2. For the avoidance of doubt, TYPEFORM shall convey to Client any request data subjects may address directly to TYPEFORM together with all relevant information, if any, so that Client can formally contact and answer to data subjects.

6. Security measures

6.1. TYPEFORM shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as those measures are further detailed in Annex II.

6.2. Taking into account the nature of processing and the information available to TYPEFORM, TYPEFORM shall reasonably assist Client in compliance with the security obligations set forth by Article 32 of the GDPR.

7. Assistance and data breaches

7.1. In addition to the duty set forth in Section 6 above, TYPEFORM shall also provide, subject to the nature of processing and information available to TYPEFORM, assistance in complying with obligations set forth in Articles 32 to 36 of the GDPR, if applicable.

7.2. With respect to data breaches, TYPEFORM shall notify Client without undue delay upon TYPEFORM becoming aware of a personal data breach affecting personal data and, in any event, within the deadlines set forth under the GDPR. TYPEFORM shall provide Client with sufficient information to allow it to meet any obligations to report or inform competent authorities or data subjects. TYPEFORM shall reasonably cooperate with Client and take such reasonable commercial steps as are directed by Client to assist in the investigation, mitigation and remediation of each such data breach. For the avoidance of doubt, Client shall be the only Party responsible for both filing any reports required under applicable law and notifying data subjects, and Client shall defend, indemnify and hold TYPEFORM harmless of any and all costs (including attorney’s fines), fines or sanctions, or any damages that lack of action on Client side may cause.

8. Termination

8.1. In respect of each Service contracted by Client and unless the Order Form for said Service is renewed, Client shall decide whether it wants TYPEFORM to delete or return personal data, unless Union or Member State law requires storage of the personal data.

8.2. The Client is advised that deletion of the account provided as part of the Services shall always result in deletion of personal data, and its request to delete the account shall be understood as a request to delete data under this Section 8.

9. Audit rights

9.1. TYPEFORM shall make available to Client all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by Client or another auditor mandated by Client who is not a direct or indirect competitor of TYPEFORM.

9.2. Parties agree that the obligation to provide information demonstrating compliance with this DPA may be satisfied by TYPEFORM making available to Client copies of the audit reports and/or certifications undergone by TYPEFORM, such as ISO27001 or SOC2 certificates. In the event that these documents do not reasonably address Client’s concerns, Parties agree that Client may only conduct up to one (1) audit per year, unless there are reasonable grounds to believe that TYPEFORM is not performing the obligations laid down in this DPA. Audits shall only be carried out during normal business hours, and Client shall bear all costs unless TYPEFORM is found to be in a material breach of this DPA.

10. International transfer of personal data

10.1. In the event that the Client is subject to the GDPR but the contracting TYPEFORM entity is not, Parties hereby enter into the SCCs, module 2, as a mechanism to ensure the adequate protection of personal data being transferred outside the EEA.

10.2. In the event that the Client is neither subject to the GDPR, nor located in the EEA, nor the transfer can be legally performed in accordance with the GDPR (because such transfer falls under an adequacy decision passed by the European Commission or can be otherwise performed under the GDPR on the basis of BCR, a certification mechanism or under a legally binding instrument), Client and TYPEFORM hereby enter into the SCCs, module 4, as a mechanism to ensure the adequate protection of personal data being transferred outside the EEA.

10.3. Should the Client be based in the United Kingdom,

• And Typeform SL is the contracting Party to this DPA, Parties declare that the transfer of data from the United Kingdom to Spain or from Spain to the United Kingdom shall not be construed as an international transfer of personal data, considering the adequacy decisions passed on this subject. Annex III shall apply in respect of any onward transfers.

• And Typeform US LLC is the contracting Party to this DPA, Parties declare that the transfer of data from the United Kingdom to the US shall be subject to Annex III.

10.4. Client hereby authorizes to the transfer of data to the sub-processors listed in Section 4 above, it being understood that any such transfer shall be performed to the extent that TYPEFORM enters into a written contract with the sub-processors setting forth the obligations to be implemented by the sub-processors in respect of the transfer of data (e.g. SCCs, module 3; or, should Client be an entity subject to the UK GDPR, the SCCs amended as specified in Annex III), and Client has the right to oppose any future changes or amendments of the sub-processors by following the same steps mentioned in Section 4 above. Should Client exercise any such right, TYPEFORM shall be entitled to early terminate the contractual relationship set forth for the provision of the Services and in any applicable order form(s) by providing fifteen (15) days prior notice.

10.5. For purposes of the SCCs:

• Clause 7 (Docking Clause) shall not apply;

• Option 2 in Clause 9 (general written authorization) is chosen. Option 2 shall be construed in the light of the provisions of this DPA;

• Clause 11 (Optional Language) shall not apply; and

• In Clause 13, 17 and 18, Spanish law shall be the applicable law, and the competent courts and authorities of the Kingdom of Spain shall be the ones competent to solve any disputes connected with the SCCs.

11. CCPA

11.1 In the event that Client provides TYPEFORM with Personal Information that should be processed in accordance with the CCPA, Parties agree that this DPA shall be construed in the light of said piece of legislation. In this respect, the Parties agree that Client is a ‘business’ and TYPEFORM a ‘service provider’ as those terms are defined in the CCPA. Both Parties shall comply with the provisions of the CCPA, and the SCCs. In particular, TYPEFORM will not retain, use, or disclose Personal Information for any purpose other than for the specific purpose of TYPEFORM’s performance of the Services, or as otherwise permitted by the CCPA. Personal Information means any personal information, as that term is defined in the CCPA, provided to TYPEFORM for the provision of the Services.

12. Miscellanea

12.1. Independent contractors. The DPA sets forth a commercial relationship between the Parties and, thus, it is the express intention of the Parties to perform the rights and obligations set forth herein as independent business entities, with separate legal personality and without confusion or association with their business or assets.

12.2. Applicable law and competent courts. The rights and obligations of the Parties under the contractual relationship set forth herein shall be governed and construed in accordance with Spanish law, without reference to conflict of laws principles. The Parties agree to submit all conflicts arising from or related to this contractual relationship to the courts in Barcelona (Spain), and they waive any other jurisdiction to which they may be entitled to.

**************

ANNEX I

A. LIST OF PARTIES

Data exporter(s): TYPEFORM, as identified in the relevant Order Form to which these SCCs are appended to. TYPEFORM’s Data Protection Officer can be contacted at: gdpr@typeform.com, or in the postal address mentioned at the heading of the MEA.

Data importer(s): The Client, as identified in the relevant Order Form to which these SCCs are appended to.

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred – as described in each applicable Order Form.

Categories of personal data transferred – as described in the Order Form.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures – as described in the Order Form, and subject to the security measures described in Annex II.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis) – Continuous basis.

Nature of the processing – data collection, saving, organization, hosting, deletion. Making the data available to the data importer following its requirements / petitions.

Purpose(s) of the data transfer and further processing –Provision of customer service services, as further detailed in the MEA.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: data will be retained for as long as the data importer requires the services. For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing – same as above.

C. COMPETENT SUPERVISORY AUTHORITY – the Spanish Data Protection Agency.

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Information Security Program (“ISP”)

TYPEFORM will maintain an ISP designed to (i) help secure personal data against accidental or unlawful loss, access or disclosure; (ii) identify reasonably foreseeable and internal risks to security and unauthorized access; and (iii) minimize security risks, including through risk assessment and regular testing. The ISP will include the following measures:

Network Security

TYPEFORM will maintain access and transmission controls and policies to manage access to the network, including the use of authentication controls, firewalls or intrusion detection systems to ensure that only the authorized individual have access to the systems and data is transmitted without compromise to the correct recipients. TYPEFORM will maintain security incident response plans to handle potential security incidents.

Physical Security

Physical components are housed in facilities (“Facilities”) controlled by an ISO 27001 certified company (i.e. Amazon Web Services) or in Facilities which meet or exceed all of the following physical security requirements.

Physical Access Controls and Limited Access. Access to the Facilities is granted to those employees and contractors who have a legitimate business need for such access privileges. When an employee or contractor no longer has a business need for the access privileges assigned to him/her, the access privileges are promptly revoked.

Personal Data Security. Controls for the Protection of Personal Data.

Taken care in the control “Privacy by design & by default”. TYPEFORM will maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, personal data), confidentiality and integrity of personal data appropriate to the risk, including inter alia as appropriate: (i) the pseudonymization and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing; and (v) the principles of privacy by design and by default to ensure that processes and systems are designed such that the collection and processing if data are limited to what is necessary for the identified purpose. Such principles comprises for personal data the limit of collection, processing, accuracy and quality, minimization of objectives, de-identification, deletion & disposal at the end of processing, proper management of temporary files, retention periods & processing transmission controls. TYPEFORM regularly monitors compliance with these measures, and will not materially decrease the overall security of the data processing services during the term of the relevant Order Form.

Temporary files: Temporary files training & awareness will be included in TYPEFORM training & awareness program for employees.

Business Continuity and Disaster Recovery

TYPEFORM will maintain a business continuity and disaster recovery plan based on risk. Recovery plan are tested at least annually.

Employee security

TYPEFORM will have signed confidentiality agreements with the employees and contractors. Also, all employees and contractors will have a common way to report incidents approved by the organization and they will undergo at least an annual security awareness training.

Ongoing Evaluation

TYPEFORM must reassess and update their security policies on a periodic basis. Changes must be documented.

Sub-processors

Sub-processors shall implement the same security measures described in this Annex II.

ANNEX III

International Data Transfer Addendum to the EU Commission Standard Contractual Clauses

This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

Part 1: Tables

Table 1: Parties

Table 2: Selected SCCs, Modules and Selected Clauses

As stipulated in section 10.3 of the DPA.

Table 3: Appendix Information

Appendix Information: means the information which must be provided for the selected modules as set out in the Appendix of the EU SCCs (other than the Parties), and which is set out in the DPA.

Table 4:

Neither party may end this Addendum when the approved Addendum changes.

Part 2: Mandatory Clauses

Entering into this Addendum

Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.

Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.

Interpretation of this Addendum

Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:

This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.

If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.

If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.

If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.

Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.

Hierarchy

Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section ‎10 will prevail.

Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.

Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.

Incorporation of and changes to the EU SCCs

This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:

together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;

Sections ‎9 to ‎11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and

this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.

Unless the Parties have agreed alternative amendments which meet the requirements of Section ‎12, the provisions of Section ‎15 will apply.

No amendments to the Approved EU SCCs other than to meet the requirements of Section ‎12 may be made.

The following amendments to the Addendum EU SCCs (for the purpose of Section ‎12) are made:

References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;

In Clause 2, delete the words:

“and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;

Clause 6 (Description of the transfer(s)) is replaced with:

“The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;

Clause 8.7(i) of Module 1 is replaced with:

“it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;

Clause 8.8(i) of Modules 2 and 3 is replaced with:

“the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”

References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;

References to Regulation (EU) 2018/1725 are removed;

References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;

The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;

Clause 13(a) and Part C of Annex I are not used;

The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;

In Clause 16(e), subsection (i) is replaced with:

“the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;

Clause 17 is replaced with:

“These Clauses are governed by the laws of England and Wales.”;

Clause 18 is replaced with:

“Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and

The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.

Amendments to this Addendum

The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.

If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.

From time to time, the ICO may issue a revised Approved Addendum which:

makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or

reflects changes to UK Data Protection Laws;

The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.

If the ICO issues a revised Approved Addendum under Section ‎18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:

its direct costs of performing its obligations under the Addendum; and/or

its risk under the Addendum,

and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.

The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.