SHAPES CUSTOMER DATA PROCESSING ADDENDUM

This Customer Data Processing Addendum (“DPA”) is incorporated by reference into the Shapes Terms of Use (or other agreement) governing the use of the services provided by DreamTeam HR Apps Ltd. d/b/a Shapes (the “Agreement”) entered into between you, the customer (as defined in the Agreement) (“Customer”) and DreamTeam HR Apps Ltd (“Shapes”), and reflects the parties’ agreement as to the Processing of Personal Data by Shapes solely on behalf of the Customer. Both parties shall be referred to as the “Parties” and each, a “Party”.

Capitalized terms not defined in this DPA shall have the meanings given to them in the Agreement.

By using the Services, Customer accepts this DPA and the person accepting this DPA on Customer’s behalf represents and warrants that they have full authority to bind the Customer. If you cannot, or do not, agree to comply with and be bound by this DPA, please do not provide Personal Data to us.

In the event of any conflict between certain provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement solely with respect to the Processing of Personal Data. In the event of any conflict between this DPA and its Schedules, the Schedules shall, in respect of the matters governed by them, prevail over the main body of this DPA.

  1. DEFINITIONS

For the purposes of this DPA, the following terms shall have the meanings set out below.

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, where “control” means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

“Authorized Affiliate” means any of Customer’s Affiliates that is permitted to use the Services pursuant to the Agreement between Customer and Shapes but has not signed its own agreement with Shapes and is not a “Customer” as defined under the Agreement.

“CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq. (as amended by the California Privacy Rights Act) and its implementing regulations, each as amended or superseded from time to time.

“Controller”, “Member State”, “Processor”, “Processing” and “Supervisory Authority” have the same meanings as in the GDPR.

“Customer Personal Data” means Personal Data Processed by Shapes solely on behalf of Customer under this DPA and the Agreement. References in this DPA to “Personal Data” shall, in context, mean Customer Personal Data.

“Data Incident” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data Processed by Shapes on behalf of the Customer.

“Data Protection Laws” means all applicable and binding privacy and data protection laws and regulations, including those of the European Union, the European Economic Area and their Member States, Switzerland, the United Kingdom, the United States of America, and Israel, as applicable to the Processing under this DPA, including (without limitation) the GDPR, the UK GDPR, CCPA, PPL, and the FADP, each as amended or superseded from time to time.

“Data Subject” means the identified or identifiable person to whom the Personal Data relates.

“Data Subject Request” means a request from a Data Subject to exercise rights under Data Protection Laws, including the rights of access, rectification, restriction of Processing, erasure, data portability, objection to Processing, and the right not to be subject to automated individual decision-making.

“FADP” means the Swiss Federal Act on Data Protection of 25 September 2020.

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation).

“Personal Data” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to or with an identified or identifiable natural person.

“PPL” means Israel’s Protection of Privacy Law, 5741-1981, together with the regulations promulgated thereunder (including Amendment 13 / “Tikun 13”, in force from 14 August 2025), as amended or superseded from time to time. 

“Security Documentation” means the technical and organizational measures applicable to the Services purchased by Customer, as further detailed in Shapes Trust Center accessible at https://trust.shapes.co.

“Services” means the services provided to Customer by Shapes in accordance with the Agreement.

“Standard Contractual Clauses” means (a) where the GDPR applies, the standard contractual clauses set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (the “EU SCCs”); and (b) where the UK GDPR applies, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, version B.1.0, issued by the UK Information Commissioner’s Office under the Data Protection Act 2018 (the “UK Addendum”).

“Sub-processor” means any third party (including any Affiliate of Shapes) that Processes Customer Personal Data under the instruction or supervision of Shapes.

“UK GDPR” means the UK Data Protection Act 2018, together with the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended.

  2. PROCESSING OF PERSONAL DATA
    1. Roles of the Parties: The Parties acknowledge and agree that, with regard to the Processing of Customer Personal Data solely on behalf of Customer: (i) Customer is the Controller of Customer Personal Data; and (ii) Shapes is the Processor of such Customer Personal Data. The terms “Controller” and “Processor” below shall, in context, signify Customer and Shapes respectively.
    2. Customer’s Processing of Personal Data: Customer, in its use of the Services and in its instructions to Shapes, shall comply with Data Protection Laws. Customer shall establish and maintain any and all required lawful bases to collect, Process and transfer to Shapes the Customer Personal Data, to authorize the Processing by Shapes and for Shapes’ Processing activities on Customer’s behalf, including providing all required notices to, and (where required) obtaining all required consents from, Data Subjects.
    3. Shapes’ Processing of Personal Data: When Processing Customer Personal Data on Customer’s behalf under the Agreement, Shapes shall Process such Personal Data only for the following purposes (the “Permitted Purposes”): (i) Processing in accordance with the Agreement and this DPA; (ii) Processing for Customer as part of Shapes’ provision of the Services; (iii) Processing to comply with Customer’s reasonable and documented instructions, where those instructions are consistent with the Agreement; (iv) rendering Customer Personal Data fully anonymous, non-identifiable and non-personal in accordance with applicable standards recognized by Data Protection Laws and guidance issued thereunder; and (v) Processing as required under laws applicable to Shapes, or as required by a court of competent jurisdiction or another competent governmental or semi-governmental authority, provided that Shapes shall (unless prohibited by such law or order on important grounds of public interest) inform Customer of the legal requirement before Processing.

Shapes shall inform Customer without undue delay if, in Shapes’ opinion, an instruction for the Processing of Customer Personal Data given by Customer infringes applicable Data Protection Laws. To the extent Shapes cannot comply with an instruction from Customer, Shapes (i) shall inform Customer with relevant details, (ii) may, without liability to Customer, temporarily cease all Processing of the affected Personal Data (other than securely storing it) and/or suspend Customer’s access to the affected part of the Services, and (iii) if the Parties cannot agree on a resolution and the costs thereof, Customer’s sole remedy shall be to terminate the Agreement and this DPA with respect to the affected Processing, paying all amounts owed up to the date of termination.

    4. Details of the Processing: The subject matter of the Processing of Customer Personal Data by Shapes is the performance of the Services pursuant to the Agreement and the Permitted Purposes. The duration, nature and purpose of the Processing, the types of Personal Data and the categories of Data Subjects Processed under this DPA are further specified in Schedule 1 (Details of the Processing).
    5. CCPA Terms: If Customer is a Business under the CCPA, and Shapes Processes Personal Data hereunder that is subject to the CCPA, the terms set forth in Schedule 3 (CCPA Terms) hereto shall apply and bind the Parties with regards to such Personal Data and the Processing thereof.
  3. DATA SUBJECT REQUESTS

Taking into account the nature of the Processing, Shapes shall (to the extent legally permitted) notify Customer or refer the Data Subject to Customer if Shapes receives a Data Subject Request relating to Customer Personal Data. Shapes shall assist Customer by appropriate technical and organizational measures, insofar as this is possible and reasonable, in fulfilling Customer’s obligation to respond to a Data Subject Request under Data Protection Laws. Where appropriate, Shapes may advise Data Subjects of the self-service features available within the Services.

  4. CONFIDENTIALITY

Shapes shall ensure that personnel, contractors and advisors engaged in the Processing of Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that access to Customer Personal Data is granted on a need-to-know basis and is logged.

  5. SUB-PROCESSORS
    1. General Authorization: Customer provides Shapes with general written authorization to engage Sub-processors for the Processing of Customer Personal Data, subject to the conditions set out in this Section 5.
    2. Current List and Notice of New Sub-processors: Shapes makes available to Customer the current list of Sub-processors used to Process Customer Personal Data, including the identities and locations of those Sub-processors and the type of service rendered (the “Sub-processor List”), at https://trust.shapes.co. The Sub-processor List as of the date of first use of the Services by Customer is hereby deemed authorized. Shapes shall notify Customer of any intended addition or replacement of a Sub-processor at least fourteen (14) days before the change takes effect, by updating the Sub-processor List page and providing email notification to Customers subscribed to sub-processor change notifications via the Shapes Trust Center.
    3. Objection to new Sub-processors: Customer may reasonably object to Shapes’ use of a new Sub-processor for reasons relating to the protection of Customer Personal Data by notifying Shapes in writing within seven (7) days after receipt of Shapes’ notice. The objection shall include the reasons for it. Failure to object within seven (7) days shall be deemed acceptance. Where Customer reasonably objects, Shapes shall use reasonable efforts to make available a change in the Services or recommend a commercially reasonable change to Customer’s configuration to avoid Processing by the objected-to Sub-processor without unreasonably burdening Customer. If Shapes cannot make such change available within thirty (30) days of Customer’s written objection, Customer may, as its sole remedy, terminate the Agreement and this DPA only with respect to those Services that cannot be provided without the objected-to Sub-processor, on written notice. All amounts due before the termination date shall be duly paid to Shapes. Until a decision is made, Shapes may temporarily suspend the Processing of the affected Personal Data and/or Customer’s access to the affected Services. Customer will have no further claims against Shapes (including refund claims) arising out of such termination.
    4. Flow-down obligations: Shapes (or a Shapes Affiliate on Shapes’ behalf) has entered into a written agreement with each Sub-processor containing, in substance, the same or materially similar data-protection obligations as those set out in this DPA. Where a Sub-processor fails to fulfil its data-protection obligations, Shapes shall remain responsible to Customer for the performance of the Sub-processor’s obligations.
  6. SECURITY AND AUDITS
    1. Technical and Organizational Measures: Shapes shall maintain appropriate technical and organizational measures to protect Customer Personal Data against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data, having regard to the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing and the risk of varying likelihood and severity to the rights and freedoms of natural persons. Such measures are described in the Security Documentation and may be updated from time to time provided that the updated measures provide a level of security no lower than described in the Security Documentation.

Upon Customer’s reasonable request and at Customer’s cost, Shapes shall reasonably assist Customer in ensuring compliance with Customer’s obligations under Articles 32-36 of the GDPR (and equivalent UK GDPR provisions), taking into account the nature of the Processing and the information available to Shapes.

    2. Audits and Inspections: Upon Customer’s fourteen (14) days’ prior written request at reasonable intervals (no more than once every twelve (12) months), and subject to strict confidentiality undertakings by Customer, Shapes shall make available to Customer (provided Customer is not a competitor of Shapes) - or to Customer’s independent, reputable, third-party auditor that is not a competitor of Shapes and is not in conflict with Shapes, subject to the auditor’s confidentiality and non-compete undertakings - information necessary to demonstrate Shapes’ compliance with this DPA, and shall allow for and contribute to audits, including inspections, conducted by them, provided that:
      1. Shapes may, in the first instance, satisfy this obligation by providing recent and relevant third-party certifications, attestations and audit reports, and shall not be required to provide on-site audit access where these certifications and audit reports reasonably demonstrate compliance;
      2. audit information, audits, inspections and the results thereof - including any documents reflecting the outcome of the audit and/or inspection - shall be used by Customer solely to assess compliance with this DPA, and shall not be used for any other purpose or disclosed to any third party without Shapes’ prior written approval;
      3. upon Shapes’ first written request, Customer shall return all records and documentation in its possession or control provided by Shapes in the context of the audit and/or inspection;
      4. if and to the extent the Standard Contractual Clauses apply, nothing in this Section 6.2 shall vary or modify the audit rights of Customer under the Standard Contractual Clauses (which prevail in that respect);
      5. in the event of an audit or inspection as set forth above, Customer shall ensure that it (and each of its mandated auditors) will not cause (or, if it cannot avoid, will minimize) any damage, injury or disruption to Shapes’ premises, equipment, personnel and business while conducting such audit or inspection; and
      6. the audit rights set forth in this Section 6 shall only apply to the extent that the Agreement does not otherwise provide Customer with audit rights that meet the relevant requirements of Data Protection Laws (including, where applicable, Article 28(3)(h) of the GDPR or the UK GDPR).
  7. DATA INCIDENT MANAGEMENT AND NOTIFICATION

Shapes maintains documented security incident management policies and procedures and, to the extent required under applicable Data Protection Laws, shall notify Customer without undue delay after becoming aware of a Data Incident. Shapes shall make reasonable efforts to identify and take such steps as Shapes deems necessary and reasonable to remediate and/or mitigate the cause of the Data Incident to the extent remediation is within Shapes’ reasonable control. The obligations herein shall not apply to incidents that are caused by acts or omissions of Customer or a user on its behalf and not by failure of Shapes.

Shapes’ Data Incident notification will include, to the extent then known and as it becomes available: (a) a description of the nature of the Data Incident, including, where possible, the categories and approximate number of Data Subjects and records concerned; (b) the likely consequences; (c) the measures taken or proposed to address the Data Incident, including measures to mitigate its possible adverse effects; and (d) a contact point for further information.

Customer shall not make, disclose, release or publish any finding, admission of liability, communication, notice, press release or report concerning a Data Incident that directly or indirectly identifies Shapes (including in any legal proceeding or in any notification to regulatory authorities or affected individuals, but excluding disclosure to third-party advisors of Customer on a need-to-know basis and subject to appropriate confidentiality undertakings) without Shapes’ prior written approval, unless and to the extent Customer is compelled to do so to comply with a mandatory regulatory requirement or Data Protection Laws. In that case (and unless prohibited by such laws), Customer shall provide Shapes with reasonable prior notice and shall limit the disclosure to the minimum scope required.

  8. RETURN AND DELETION OF PERSONAL DATA

Within sixty (60) days following termination or expiry of the Agreement (and subject thereto), Shapes shall, at Customer’s choice (indicated through the Services or by written notice to Shapes), delete or return to Customer all Customer Personal Data Processed solely on Customer’s behalf, in the manner described in the Agreement, and Shapes shall delete existing copies of such Personal Data unless applicable Data Protection Laws require otherwise. To the extent authorized or required by applicable law, Shapes may retain a copy of the Personal Data solely for evidential purposes, for the establishment, exercise or defense of legal claims, or for compliance with legal obligations. Personal Data retained on the basis of this paragraph shall continue to be subject to the protective obligations of this DPA.

  9. TRANS-BORDER DATA TRANSFERS
    1. Transfers to Countries with Adequate Protection: Personal Data may be transferred from EU Member States, the three other EEA Member Countries (Norway, Liechtenstein and Iceland) (together, the “EEA”), Switzerland and the United Kingdom (“UK”) to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data-protection authorities of the EEA, the European Union, the Member States or the European Commission, Switzerland and/or the UK as relevant (“Adequacy Decisions”), without any further safeguard being necessary.
    2. Transfers to Other Countries: Where the Processing of Personal Data by Shapes includes a transfer (either directly or via onward transfer) from the EEA (“EEA Transfer”), the UK (“UK Transfer”) and/or Switzerland (“Swiss Transfer”) to other countries that have not been subject to a relevant Adequacy Decision, and the transfer is not performed through an alternative recognized compliance mechanism for the lawful transfer of personal data, then: (i) the terms of Part 1 of Schedule 2 (EEA Trans-Border Transfers) shall apply to any EEA Transfer; (ii) the terms of Part 2 of Schedule 2 (UK Trans-Border Transfers) shall apply to any UK Transfer; (iii) the terms of Part 3 of Schedule 2 (Swiss Trans-Border Transfers) shall apply to any Swiss Transfer; and (iv) the terms of Part 4 of Schedule 2 (Additional Safeguards) shall apply to any such transfers.
  10. AUTHORIZED AFFILIATES
    1. Contractual Relationship: By executing or accepting this DPA, Customer enters into this DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, in which case each Authorized Affiliate agrees to be bound by Customer’s obligations under this DPA, if and to the extent Shapes Processes Personal Data on the behalf of such Authorized Affiliate (qualifying it as the “Controller”). All access to and use of the Services by Authorized Affiliates must comply with the terms of the Agreement and this DPA and any violation by an Authorized Affiliate shall be deemed a violation by Customer.
    2. Communication: Customer remains responsible for coordinating all communication with Shapes under the Agreement and this DPA and shall be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.
  11. OTHER PROVISIONS
    1. Data Protection Impact Assessment and Prior Consultation: Upon Customer’s reasonable request and at Customer’s cost, Shapes shall provide Customer with reasonable cooperation and assistance to fulfil Customer’s obligations under the GDPR or the UK GDPR (as applicable) to carry out a data-protection impact assessment relating to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information and to the extent that information is available to Shapes. Shapes shall provide reasonable assistance at Customer’s cost with the co-operation or prior consultation with the Supervisory Authority required by the GDPR or the UK GDPR.
    2. Modifications to this DPA: Either Party may, on at least forty-five (45) calendar days’ prior written notice, request in writing variations to this DPA where required as a result of a change in, or decision of a competent authority under, any Data Protection Laws, to enable the Processing of Customer Personal Data to be made (or continue to be made) without breach of those Data Protection Laws. The Parties shall make commercially reasonable efforts to accommodate such variations and shall negotiate in good faith with a view to agreeing and implementing those (or alternative) variations as soon as is reasonably practicable. If the Parties are unable to reach agreement within thirty (30) days of such notice, either Party may, on written notice with immediate effect, terminate the Agreement to the extent it relates to the Services affected. Customer shall pay all amounts due before the termination date and shall have no further claims against Shapes (including refund claims) arising out of such termination.

SCHEDULE 1 - DETAILS OF THE PROCESSING

Subject Matter

The subject matter of the Processing is the performance of the Services pursuant to the Agreement.

Nature and Purpose of Processing

  1. Providing the Services to Customer;
  2. Performing the Agreement, this DPA and any other contracts executed by the Parties;
  3. Acting upon Customer’s instructions, where such instructions are consistent with the Agreement;
  4. Sharing Customer Personal Data with third parties in accordance with Customer’s instructions and/or pursuant to Customer’s use of the Services (e.g. integrations between the Services and third-party services configured by or on behalf of Customer);
  5. Complying with applicable laws and regulations; and
  6. Performing all tasks related to any of the above.

Duration and Frequency

Subject to the provisions of the DPA and the Agreement governing duration and the consequences of expiry or termination, Shapes shall Process Customer Personal Data on a continuous basis for the duration of the Agreement, unless otherwise agreed in writing.

Type of Personal Data

Customer may submit Personal Data to the Services, the extent and nature of which is determined and controlled by Customer in its sole discretion. Depending on the specific Services used, the data typically includes (without limitation):

  1. contact information (including name, email address and telephone number);
  2. professional information (including certifications, training records, previous employment and work history);
  3. personal information (including hobbies, preferences and other information Customer deems relevant to managing personnel);
  4. account and authentication data;
  5. attendance, time-off and scheduling data;
  6. performance, review and engagement-survey data;
  7. compensation and payroll-related data;
  8. usage, device and log data; and
  9. any other Personal Data uploaded by Customer or its Users to the Services.

Categories of Data Subjects

Customer may submit Personal Data to the Services (the extent and nature of which is determined and controlled by Customer in its sole discretion) that primarily relates to the following categories of Data Subjects, depending on the specific Services in use:

  1. employees of Customer (current, former and prospective);
  2. contractors, freelancers, agents and advisors of Customer;
  3. managers and HR personnel of Customer (in their administrative-user capacity); and
  4. any other natural persons whose Personal Data is included in the data Customer submits to or processes through the Services.

Sensitive Categories of Personal Data

Customer may choose to submit sensitive or special categories of personal data within the meaning of applicable Data Protection Laws and is responsible for its lawful basis. Customer is responsible for the configuration of the Services, for determining whether to submit such data, and for ensuring that any submission complies with the Customer’s obligations under Data Protection Laws.

SCHEDULE 2 - TRANS-BORDER DATA TRANSFERS

Part 1 - EEA Trans-Border Transfers

The Parties agree as follows:

  1. the EU SCCs are hereby incorporated by reference and shall apply to any EEA Transfer as set out in this Part 1;
  2. Module Two (Controller to Processor) of the EU SCCs shall apply where the EEA Transfer is made by Customer as data controller and Shapes as data processor of the Personal Data;
  3. Module Three (Processor to Processor) of the EU SCCs shall apply where the EEA Transfer is made by Customer as data processor and Shapes as a sub-processor of the Personal Data;
  4. Module Four (Processor to Controller) of the EU SCCs shall apply where the EEA Transfer is made by Shapes as data processor and Customer as data controller of the Personal Data;
  5. Clause 7 (Docking Clause) of the EU SCCs shall not apply;
  6. Option 2: GENERAL WRITTEN AUTHORISATION in Clause 9 of the EU SCCs shall apply, with the time period for prior notice of Sub-processor changes being as set out in Section 5.2 of the DPA;
  7. in Clause 11 of the EU SCCs, the optional language shall not apply;
  8. in Clause 17 of the EU SCCs, Option 1 shall apply, and the Parties agree that the EU SCCs shall be governed by the laws of the Republic of Ireland;
  9. in Clause 18(b) of the EU SCCs, disputes shall be resolved before the courts of the Republic of Ireland;
  10. Annex I.A (Parties): the data exporter and data importer, their contact details, the activities relevant to the data transferred and the role of each are completed as set out in the table below; signature and date are deemed effected by entry into the Agreement and this DPA;
  11. Annex I.B (Description of Transfer): the categories of Data Subjects, the categories of Personal Data, the frequency of transfer, the nature of the Processing, the purposes of the data transfer and further Processing, and the period for which the Personal Data will be retained, are described in Schedule 1 to this DPA. In relation to transfers to Sub-processors, the subject matter, nature and duration of the Processing are described at the Sub-processor List URL set out in Section 5.2 of this DPA;
  12. Annex I.C (Competent Supervisory Authority): the supervisory authority in the Member State stipulated under Clause 17 / Clause 18 above shall be the competent supervisory authority;
  13. Annex II (Technical and Organizational Measures): the Security Documentation referred to in this DPA serves as Annex II of the EU SCCs; and
  14. to the extent of any conflict between the EU SCCs and any other terms of this DPA or the Agreement, the EU SCCs shall prevail.

EU SCCs Annex I.A - Parties:

Module Two - Data Exporter:

Name: Customer. 

Contact details: as detailed in the Agreement. 

Activities: as in Schedule 1. 

Role: data controller. 

Signature/date: deemed effected by entry into the Agreement and DPA.

Module Two - Data Importer:

Name: DreamTeam HR Apps Ltd. d/b/a Shapes.

Contact: support@shapes.co 

Activities: as in Schedule 1. 

Role: data processor. 

Signature/date: deemed effected by entry into the Agreement and DPA.

Module Three - Data Exporter:

Name: Customer. 

Role: data processor. 

Other details: as for Module Two.

Module Three - Data Importer:

Name: DreamTeam HR Apps Ltd. d/b/a Shapes. 

Role: sub-processor. 

Other details: as for Module Two.

Module Four - Data Exporter:

Name: DreamTeam HR Apps Ltd. d/b/a Shapes. 

Role: data processor. 

Other details: as for Module Two.

Module Four - Data Importer:

Name: Customer. 

Role: data controller. 

Other details: as for Module Two.

Part 2 - UK Trans-Border Transfers

The UK Addendum is hereby incorporated by reference and shall apply to UK Transfers as set out in this Part 2, together with the EU SCCs as set out in Part 1.

  1. Table 1 (Parties): as stipulated in Annex I.A of Part 1;
  2. Table 2 (Selected SCCs, Modules and Selected Clauses): as stipulated in Part 1;
  3. Table 3 (Appendix Information): Annex 1A - as stipulated in Annex I.A of Part 1; Annex 1B - as stipulated in the Annex I.B paragraph of Part 1; Annex II - as stipulated in the Annex II paragraph of Part 1; Annex III - as set forth at the Sub-processor List URL detailed in Section 5.2 of this DPA; and
  4. Table 4 (Ending the Addendum when the Approved Addendum Changes): neither Party may end the UK Addendum in the manner set out in Section 19 of the Mandatory Clauses of the UK Addendum.

Part 2 (Mandatory Clauses) of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament under section 119A of the Data Protection Act 2018 on 2 February 2022 (as it may be revised under Section 18 of those Mandatory Clauses), shall apply.

Part 3 - Swiss Trans-Border Transfers

The Parties agree that the EU SCCs in Part 1, as adjusted below, shall apply where the FADP applies to Swiss Transfers:

  1. references to the Standard Contractual Clauses mean the EU SCCs as amended by this Part 3;
  2. the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) shall be the sole Supervisory Authority for Swiss Transfers exclusively subject to the FADP;
  3. references to the GDPR or Regulation (EU) 2016/679 in the EU SCCs shall be interpreted to include the FADP with respect to Swiss Transfers;
  4. references to Regulation (EU) 2018/1725 are removed;
  5. Swiss Transfers subject to both the FADP and the GDPR shall be dealt with by the FDPIC insofar as the Swiss Transfer is governed by the FADP, and by the EU Supervisory Authority named in Part 1 insofar as it is governed by the GDPR;
  6. references to the “Union”, “EU” and “EU Member State” shall not be interpreted to exclude Data Subjects in Switzerland from the possibility of exercising their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs;
  7. where Swiss Transfers are exclusively subject to the FADP, all references to the GDPR in the EU SCCs are to be understood as references to the FADP; and
  8. where Swiss Transfers are subject to both the FADP and the GDPR, all references to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the Swiss Transfer is subject to the FADP.

Part 4 - Additional Safeguards

In the event of an EEA Transfer, UK Transfer or Swiss Transfer, the Parties supplement Parts 1–3 with the following safeguards and representations:

  1. Shapes shall maintain, in accordance with good industry practice, measures to protect the Personal Data from interception, including in transit between Customer and Shapes and between different systems and services. These measures include network protection intended to deny attackers the ability to intercept data, and encryption of Personal Data in transit and at rest intended to deny attackers the ability to read the data;
  2. Shapes shall make commercially reasonable efforts to resist, subject to applicable law, any request for bulk surveillance relating to the Personal Data protected under the GDPR or the UK GDPR, including under section 702 of the United States Foreign Intelligence Surveillance Act (“FISA”);
  3. If Shapes becomes aware that any government authority (including a law-enforcement authority) wishes to obtain access to or a copy of any Personal Data - whether on a voluntary or mandatory basis - then, unless legally prohibited or under a mandatory legal compulsion that requires otherwise, Shapes shall (i) inform the relevant authority that Shapes is a processor of the Personal Data and that the Controller has not authorized Shapes to disclose the Personal Data, and direct any request to the Controller in writing; and (ii) use commercially reasonable legal mechanisms to challenge any such demand, recognizing that challenge may not always be reasonable or possible in light of the nature, scope, context and purposes of the intended access; and
  4. No more than once every twelve (12) months and only at Customer’s written request, Shapes shall inform Customer of the types of binding legal demands for Personal Data it has received (to the extent permitted by law), including national-security orders and directives, including any process issued under section 702 of FISA.

SCHEDULE 3 – CCPA TERMS

  1. SCOPE, APPLICATION & INTERPRETATION
    1. This Schedule 3 shall apply and bind the Parties if and to the extent that (i) Customer is a Business under the CCPA, and (ii) Shapes Processes Personal Information (as defined below) that is subject to the CCPA in the course of providing the Services to Customer pursuant to the Agreement.
    2. This Schedule 3 prevails over any conflicting terms of the Agreement or the DPA but does not otherwise modify the Agreement or the DPA.
    3. This Schedule 3 shall be interpreted in favor of the Parties’ intent to comply with the CCPA, and therefore any ambiguity shall be resolved in favor of a meaning that complies and is consistent with the CCPA.
    4. Capitalized terms not specifically defined herein shall have the meanings ascribed to them in the DPA, as amended by this Schedule 3.
  2. DEFINITIONS

For the purposes of this Schedule 3:

  1. The terms “Business”, “Collects” (and “collected” and “collection”), “Consumer”, “Business Purpose”, “Sell” (and “selling”, “sale”, and “sold”), “Share” (and “shared”, or “sharing”), and “Service Provider” shall each have the same meaning as in the CCPA.
  2. "Personal Information" means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with an identified or identifiable Consumer or household of a Consumer, which is processed by Shapes solely on behalf of Customer under this Schedule 3 and the Agreement.
  3. PROCESSING OF PERSONAL INFORMATION
    1. Customer hereby appoints Shapes as a Service Provider to Process Personal Information on behalf of Customer. Customer, in its use of the Services, and Customer’s instructions to Shapes, shall comply with the CCPA. Customer represents and warrants that it has provided notice consistent with Section 1798.135 of the CCPA, and has obtained consents to the extent required under the CCPA for Shapes to lawfully Collect and Process the Personal Information in pursuit of the permitted purposes (as defined in Section 3.2 below).
    2. Shapes shall Process Personal Information solely for the purposes set forth in Section 2.3 of the DPA and as necessary to comply with this Schedule 3 and the CCPA (“Permitted Purposes”).
    3. Sections 3-8, 11.2 of the DPA shall apply to the Processing of Personal Information and the following terms shall be replaced as follows: "Data Protection Laws" shall mean the CCPA; “DPA” shall mean this Schedule 3; "Personal Data" shall mean "Personal Information"; “Data Subject” shall mean “Consumer”; "Controller" shall mean "Business"; "Processor" shall mean "Service Provider"; and "Sub-processor" shall refer to the concept of a Service Provider engaged by Shapes to Process Personal Information.
    4. Shapes shall Process Personal Information in accordance with the provisions of the CCPA, and in a manner that provides the same level of privacy protection to Personal Information as required by the CCPA. Shapes certifies that it understands the rules, requirements, and definitions of the CCPA and this Schedule 3, and shall comply with them.
    5. Shapes acknowledges and confirms that it does not receive or process any Personal Information as consideration for any services or other items that Shapes provides to Customer under the Agreement. Shapes agrees to refrain from Selling and/or Sharing any Personal Information Processed hereunder without Customer’s prior written consent, nor taking any action that would cause any transfer of Personal Information to or from Shapes under the Agreement or this Schedule 3 to qualify as Selling and/or Sharing such Personal Information. Shapes shall not have, derive, or exercise any rights or benefits regarding the Personal Information, and shall not retain, use, or disclose any Personal Information (i) for any purpose other than the Permitted Purposes, and/or (ii) outside of the direct business relationship between the Parties.
    6. Shapes shall not combine Personal Information with any other data if and to the extent that this would be inconsistent with the limitations on Service Providers under the CCPA.
    7. Shapes shall notify Customer if Shapes makes a determination that it can no longer meet its obligations under this Schedule 3 and/or the CCPA.

Last updated: 20 May 2026