Data Processing Addendum @ AcceleratorApp

This Data Processing Addendum (the “DPA”) forms part of the Client Terms of Service, unless Client has entered into a superseding written master subscription agreement with AcceleratorApp, in which case, it forms part of such written agreement (in either case, the “Agreement”).

By signing this DPA, Client enters into this DPA on behalf of itself and, to the extent required under Data Protection Laws, in the name and on behalf of its Controller Affiliates. For the purposes of this DPA only, and except where indicated otherwise, the term “Client” shall include Client and Controller Affiliates.

In the course of providing the Services under the Agreement, AcceleratorApp may process certain Personal Data on behalf of Client, and where AcceleratorApp processes such Personal Data on behalf of Client, the Parties agree to comply with the terms and conditions of this DPA in connection with such Personal Data.

How to execute this DPA:

1. This DPA consists of two parts; the main body of the DPA, and Exhibit 1 (including Appendices 1 and 2).
2. This DPA has been pre-signed on behalf of AcceleratorApp. The Standard Contractual Clauses in Exhibit 1 have been pre-signed by AcceleratorApp, as the data importer.
3. To complete this DPA, Client must:
   1. Complete the information in Section 6 of this DPA;
   2. Complete the information in the signature box and sign on page 8.
   3. Complete the information as the data exporter on page 9.
   4. Complete the information in the signature box and sign on pages 19 and 17.
   5. Send the completed and signed DPA to AcceleratorApp by email to:legal@acceleratorapp.co

Data Processing Addendum

NOW, THEREFORE, the Parties agree as follows:

1. Precedence. In case of a contradiction between this DPA and the Agreement, this DPA shall supersede the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.
2. Definitions.In this DPA, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
   1. “Affiliates” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with Company, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
   2. “Applicable Laws” means any applicable laws and regulations to a given situation, regardless of the jurisdiction or subject of the law or regulation;
   3. “Controller Affiliate" means any of Client’s Affiliate(s) (a) (i) that are subject to applicable Data Protection Laws, and (ii) permitted to use the Services pursuant to the Agreement between Client and Acceleratorapp, and are not a “Client” as defined under the Agreement, (b) to the extent AcceleratorApp processes Personal Data for which such Affiliate(s) qualify as the Controller.
   4. “Data Protection Laws" means all laws and regulations, including laws and regulations of the European Union, the European Economic Area, their member states, Switzerland and/or the United Kingdom, and including specifically the GDPR, applicable to the Processing of Personal Data under the Agreement;
   5. “Deletion” shall mean to remove or obliterate Personal Data such that it cannot be recovered or reconstructed, and therefore, excludes encryption and similar techniques.
   6. “EU Applicable Laws" means any applicable laws and regulations to a given situation, to the extent that these are recognized in the European Union;
   7. “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation);
   8. “Personal Data" means any information that AcceleratorApp Processes on behalf of the Client in connection with the Agreement or the documented instructions of the Client that qualify as Personal Data as per Art. 4 of the GDPR. Personal Data under this DPA shall refer to Personal Data subject to the Data Protection Laws.
   9. “Process” or “Processing” means any operation or set of operations that are performed upon Personal Data or on sets of Personal Data, whether or not by automatic means, such as access, collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclose by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
   10. “Data Subject”, “Member State”, “Controller”, “Processor”, “Supervisory Authority”, “Recipients” and “Personal Data Breach” shall have the meaning set forth in the GDPR;
   11. “Restricted Transfer" means (i) a transfer of Personal Data from AcceleratorApp to a Subprocessor, or another establishment of AcceleratorApp; (ii) an onward transfer of Personal Data from a Subprocessor to another Subprocessor or another establishment, in each case, where such transfers would be prohibited by Data Protection Laws, such as in the absence of a proper mechanism pursuant to Art. 44 and seq. GDPR. For avoidance of doubt and without limitation to the generality of the foregoing, the Parties to this DPA intend that transfers of Personal Data to or from the United Kingdom, following any exit by the United Kingdom from the European Union, shall be considered Restricted Transfers, unless and until an Adequacy Decision or another agreement of the sort has been established.
   12. "Subprocessor” means any legal or natural person (excluding an employee of AcceleratorApp) appointed pursuant to Section 11 to Process Personal Data.
3. Details of the Processing
   1. Subject Matter, Nature and Purposes of the Processing.

      The Nature and Purposes of the Processing are generally described in the Agreement. Additional comments:

      AcceleratopApp Processes Personal Data to deliver the services described in the Agreement. These services support accelerators and incubators in their handling of startups, and include tracking applications and simplifying the logistic around portfolio selection, recording communications and decisions over time, updating applicants on progress, connecting applicants with mentors for coaching sessions, recording feedback on coaching sessions, and generally speaking, tracking startups and their progress.

      The processing occurs through an online web application which provides various functionalities. AcceleratorApp may make available to clients other electronic means to access the platform in the future, such as mobile applications. AcceleratopApp may use various means of processing to provide the services in the future, including, without limitation, artificial intelligence and other types of data manipulation which will be described in the Privacy Policy available on the website. Changes to the Privacy Policy will be communicated by e-mails to Client.

   2. Duration of the Processing. The Processing shall continue for the duration of the Agreement, and until all Personal Data is securely deleted in accordance with this DPA.
   3. Category of Data Subjects. The Personal Data Processed concerns the following categories of Data Subjects:
      • Employees of incubators, startups, accelerators (including founders, executives, interns and directors)
      • Users of the web application (end users)
   4. Types of Personal Data.The Personal Data Processed pursuant to the Agreement shall include:
      • Electronic data (identifiers, e-mails, passwords, cookies, etc.)
      • Identification data (including government IDs)
      • Employment and performance data
4. Processing of Personal Data
   1. AcceleratorApp shall (i) comply with all Applicable Laws in the Processing of Personal Data, including, without limitation, the GDPR, the e-Privacy directive (as amended or replaced), and all other applicable anti-spam laws; (ii) not Process Personal Data other than on the documented instructions of Client, unless Processing is required by EU Applicable Laws to which AcceleratorApp is subject, in which case, to the extent permitted by EU Applicable Laws, AcceleratorApp shall inform the Client of such legal requirements before the relevant Processing of that Personal Data.
   2. The Client instructs AcceleratorApp to Process Personal Data as required to perform its responsibilities under the Agreement, and follow all information security, confidential and privacy requirements as required under this DPA.
   3. If AcceleratorApp believes that the instructions of the Client infringe Data Protection Laws, it shall immediately inform the Client.
5. Restricted Transfers
   1. Client acknowledges and agrees that, in connection with the performance of the services under the Agreement, Personal Data will be transferred outside of the EEA. AcceleratorApp may access and perform Processing of Personal Data on a global basis as necessary to provide the services in accordance with the Agreement.
   2. The Standard Contractual Clauses at Exhibit 1 will apply with respect to Personal Data that is transferred outside the EEA, either directly or via onward transfer, to any country not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the Data Protection Laws).
6. Notices All notices pursuant to this DPA shall be sent to:

   Client	AcceleratorApp
   Att:	Att: Privacy Officer
   E-mail:	E-mail: privacy@acceleratorapp.co

7. Personal Data Breach
   1. AcceleratorApp shall notify the Client without undue delay upon AcceleratorApp becoming aware of a Personal Data Breach affecting Personal Data, providing the Client with sufficient information to allow the Client to meet its obligations to report or inform Data Subjects or a Supervisory Authority or any authority of the Personal Data Breach under Data Protection Laws. For greater precision, the notification shall minimally include (i) a description of the nature of the Personal Data Breach, including where possible, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned; (ii) a description of the likely consequences of the Personal Data Breach; (iii) a description of the measures taken or proposed to be taken by AcceleratorApp to address the Personal Data Breach, including, where appropriate, measures to mitigate possible adverse effects.
   2. If the information referred to in Section 7.1 is not available at the time of disclosure, AcceleratorApp shall follow up as the information is available, to complete its disclosure to AcceleratorApp.
   3. AcceleratorApp shall cooperate with the Client and take such commercially reasonable steps as to assist in any investigation, mitigation and remediation pursuant to each such Personal Data Breach.
   4. In the event of a Personal Data Breach, AcceleratorApp shall not notify any third party without first obtaining the Client’s prior written consent, unless notification is required by Applicable Laws to which AcceleratorApp is subject, in which case, AcceleratorApp shall, to the extent permitted by Applicable Laws, inform the Client of that legal requirement prior to notify, provide a copy of the proposed notification, and attempt to consider any comments made by the Clients before notifying the Personal Data Breach (where possible given the timeline).
8. Data Subjects Rights
   1. Taking into account the nature of the Processing, AcceleratorApp shall assist the Client by implementing appropriate technical and organizational measures, as reasonably required to respond to requests to exercise Data Subject Rights under the Data Protection Laws, including sections 12-23 GDPR.
   2. Such technical and organizational measures as referred to in Section 8.1 and shall minimally include:
      1. The capacity to erase Personal Data from IT systems within thirty (30) days of the receipt of a request, subject to normal backup retention periods.
      2. The capacity to cease immediately the Processing of Personal Data except as it relates to the storage when the right to restriction is exercised;
      3. The capacity to effectively and efficiently contact all third parties to inform them that a right to erasure and/or objection has been exercised (e.g. distribution lists);
      4. The capacity to respond to questions regarding the Processing, such as the retention periods, the location of the data, the list of recipients, and any risks associated with the Personal Data.
   3. AcceleratorApp shall:
      1. Promptly notify the Client if AcceleratorApp receives a request from a Data Subject under Data Protection Laws in respect of any the Personal Data; and
      2. Ensure that it does not respond to that request except on the documented instructions of the Client, or as required by Data Protection Laws to which AcceleratorApp is subject, in which case, AcceleratorApp shall, to the extent permitted by Data Protection Laws, inform the Client of that legal requirement before responding to the request.
9. Obligation to Cooperate
   1. Each Party shall make commercially reasonable efforts to support the other Party’s efforts to comply with Data Protection Laws, including answering promptly and diligently any requests for information.
10. Audit Rights
    1. AcceleratorApp shall make available to the Client all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits conducted by the Client or another auditor mandated by the Client as set forth in this Section 10.
    2. The Client shall give a reasonable notice of at least thirty (30) days prior to proceed with an audit. The Client will ensure that such audit is only carried out to the extent necessary so as not to inappropriately disturb AcceleratorApp’s operations.
    3. AcceleratorApp shall be obliged to provide information to the Client to the extent necessary for auditing pursuant to Section 10.1.
    4. The audit pursuant to Section 10.1 shall be conducted no more than once every calendar year, except for any additional audits which:
       1. Client reasonably considers necessary due to genuine concerns as to AcceleratorApp’s compliance with this DPA and any documented instructions regarding the Processing of Personal Data;
       2. Client is required to carry out by Supervisory Authority or Applicable Laws;
       3. Client decides to conduct after an audit performed pursuant to paragraph 10.1 revealed some concerns.
    5. Audits pursuant to this section shall be conducted at the Client’s expense.
11. Subprocessors
    1. The Client acknowledges and agrees that AcceleratorApp may use the Subprocessors listed on AcceleratorApp’s website, and that AcceleratorApp and its Affiliates respectively may engage third-party subprocessors in connection with the provision of the services described in the Agreement. For the avoidance of doubt, the above authorization constitutes Client’s prior written consent to the subprocessing for purposes of Clause 11 of the Standard Contractual Clauses, Exhibit 1.
    2. Prior to allow a Subprocessor to process the Personal Data, AcceleratorApp will select the Subprocessor by conducting reasonable third-party risk management activities, including verifying that the Subprocessor can meet the requirements set forth in this DPA.
    3. In the event of the change of Subprocessor or appointment of a new Subprocessor, AcceleratorApp will inform in writing the Client at least two (2) weeks before the change or appointment ("Subprocessor Notice"). The Client is entitled to object to such change or appointment of a Subprocessor, stating reasonable rounds in writing within one (1) week of receipt of the "Subprocessor Notice". Such objection may be withdrawn by the Client at any time by writing. The Subprocessor Notice shall include a description of the third-party risk management activities that have been performed to ensure that the Subprocessor is adequate.
    4. Prior to allow a Subprocessor to process the Personal Data, AcceleratorApp will conclude a data processing agreement with the Subprocessor which corresponds to the requirements of Art. 28 GDPR and contains terms and conditions similar to those set forth in this DPA.
12. Confidentiality Obligation
    1. AcceleratorApp shall take reasonable steps to ensure the reliability of any employee, agent, Subprocessor or any third party who may have access to the Personal Data, ensuring in each case that access is limited to those individuals who need to know / access the relevant the Personal Data, as necessary for the purposes of the Agreement. All such individuals must be subject to confidentiality undertakings or professional or statutory obligations of confidentiality which must survive to the term of their employment, mandate or engagement with AcceleratorApp.
13. Data Protection Impact Assessment
    1. AcceleratorApp shall provide reasonable assistance to the Client with any data protection impact assessments and prior consultations with a Supervisory Authority, which the Client reasonably considers to be required by article 35 or 36 GDPR or equivalent provisions of any other Data Protection Laws, in each case solely in relation to Processing of Personal Data by AcceleratorApp and taking into account the nature of the Processing and information available to AcceleratorApp. Unless agreed otherwise, such reasonable assistance shall be conducted without any additional fees to the Client and shall include at a minimum all necessary information on the applicable security measures, the processing, the features, and technologies involved in the processing (including any solutions and software).
14. Technical and organizational measures regarding data security
    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, AcceleratorApp shall in relation to the Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, and substantially as described under Appendix 2 to the Standard Contractual Clauses.
    2. AcceleratorApp will agree in advance with the Client on material changes to its security posture which can adversely affect the integrity, confidentiality or availability of the Personal Data. Measures which only lead to slight technical or organizational changes and/or which do not adversely affect the integrity, confidentiality and availability of Personal Data can be implemented by AcceleratorApp without the Client’s prior approval. The Client may demand a current version of the technical and organizational measures implemented by the AcceleratorApp once a year or at suitable junctures.
15. Deletion or Return of Personal Data
    1. Subject to paragraphs (2) and (3), Client will have thirty (30) days after the end of the Term or the termination of the Agreement to export all the Personal Data on the Platform. After this delay, AcceleratorApp will delete all Personal Data within thirty (30) days, subject to backup retention periods.
    2. AcceleratorApp may retain Personal Data to the extent required by EU Applicable Laws, always provided that AcceleratorApp continues to ensure the confidentiality of all such Personal Data until complete Deletion. Such further Processing shall be strictly as required by EU Applicable Laws, and limited to storage, unless indicated otherwise by EU Applicable Laws.
    3. AcceleratorApp shall certify in writing to the Client that AcceleratorApp, and if applicable, any and all Subprocessors, has fully complied with this section within thirty (30) days of the Deletion of the Personal Data pursuant to 15.1., upon the request of the Client.
16. Liability and Indemnity
    1. Nothing in this DPA shall be interpreted as relieving the Client of its own direct responsibilities and liabilities under Data Protection Laws.
17. Changes in Applicable Laws
    1. The AcceleratorApp may:
       1. By at least thirty (30) calendar days’ written notice to the Client from time to time make any variations to this DPA which are required as a result of Data Protection Laws;
       2. Propose any other variations to this DPA which AcceleratorApp considers to be necessary to address the requirements of any Applicable Laws.

IN WITNESS WHEREOF, the Parties have executed this Data Processing Agreement as of the date first written below by their respective duly authorized officers.

Exhibit 1 - Standard Contractual Clauses

STANDARD CONTRACTUAL CLAUSES (PROCESSORS)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection

(the dataexporter)

And

(the dataimporter)

each a ‘party’; together ‘the parties’,

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Clause 1

Definitions

For the purposes of the Clauses:

1. personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data(1)
2. the data exporter’ means the controller who transfers the personal data;
3. ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
4. ‘the sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
5. ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
6. technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3. The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4

Obligations of the data exporter

The data exporter agrees and warrants:

1. that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
2. that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
3. that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
4. that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
5. that it will ensure compliance with the security measures;
6. that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
7. to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
8. to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
9. that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
10. that it will ensure compliance with Clause 4(a) to (i).

Clause 5

Obligations of the data importer(2)

The data importer agrees and warrants:

1. to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
2. that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
3. that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
4. that it will promptly notify the data exporter about:
   1. any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
   2. any accidental or unauthorised access; and
   3. any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
5. to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
6. at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
7. to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
8. that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;
9. that the processing services by the sub-processor will be carried out in accordance with Clause 11;
10. to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.

Clause 6

Liability

1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.

2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.

   The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.

3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.

Clause 7

Mediation and jurisdiction

1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
1. to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
2. to refer the dispute to the courts in the Member State in which the data exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).

Clause 9

Governing law

The Clauses shall be governed by the law of the Member State in which the data exporter is established, namely …

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11

Sub-processing

1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses(3). Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.
2. The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established, namely …
4. The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

Clause 12

Obligation after the termination of personal data-processing services

1. The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2. The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.

Appendix 1

to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix

Data exporter

The data exporter is an accelerator, an incubator or a similar organization which operates in the start-up industry or similar industry. The data exporter is required to manage a portfolio of various entities and the objective of the standard contractual clauses is to allow AcceleratorApp to provide such services through a web application.

Data importer

The data importer is a software development company which makes available to clients a web application to manage a portfolio of start-ups, as further described in Section 3 of the DPA and pursuant to the Agreement.

Data subjects

The personal data transferred concern the following categories of data subjects (please specify):

• Employees of incubators, start-ups, accelerators (including founders, executives, interns and directors);
• Users of AcceleratorApp’s web application (end users)

Categories of data

The personal data transferred concern the following categories of data (please specify):

• Electronic data (identifiers, e-mails, passwords, cookies, etc.)
• Identification data (including government ID)
• Employment and performance data

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify):

The Parties do not intend on processing special categories of data.

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):

Processing occurs through the web application to deliver the functionalities indicated, included through subprocessors as set forth in the DPA.

Appendix 2

to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

• Penetration testing is performed on an annual basis by an independent third party.
• Techniques of secure coding are applied, such as peer reviews, automated testing and manual testing.
• Personal data is accessed on a need-to-know basis only based on access controls.
• All employees are subject to a confidentiality agreement.
• Personal data is encrypted at rest and in-transit.
• Personal data is hosted on Amazon Web Services, which is designed and managed in full compliance with security best practices and a wide range of IT security standards, including SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70 Type II), SOC2, SOC3, FISMA, DIACAP, FedRAMP, PCI DSS Level 1, ISO 27001, ITAR, HIPPA, and Cloud Security Alliance.
• Data is backed up twice daily on 2 different continents for each server. There are 3 running servers for each geo-location.

These technical and organizational measures are improved on a continuous basis. An updated list of technical and organizational security measures can be obtained atprivacy@acceleratorapp.co.