Version 20260525

This Data Processing Addendum (“DPA”) forms part of the Agreement between Uniphore Technologies Inc., having its principal place of business at 1001 Page Mill Road, Building 2, Palo Alto, CA 94304, on behalf of itself and its Affiliates (“Uniphore”) and Customer (as defined in the Agreement) and will be effective on the Effective Date. All capitalized terms not defined in this DPA have the meanings set forth in the Agreement. This DPA sets out the terms that apply to the Processing of Personal Data (as defined below) by Uniphore, on behalf of Customer, when providing the Services.

1. APPLICABILITY OF THIS DPA

This DPA applies only to the extent Uniphore processes Personal Data on behalf of Customer as a Processor in the provision of the Services under the Agreement.

2. DEFINITIONS

“Affiliate” means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity.

“Agreement” means the MSA, together with all Order Forms, Statements of Work, this DPA, and all other documents incorporated therein by reference.

“Authorized Affiliate” means any of Customer’s Affiliate(s) which is permitted to use the Services pursuant to the Agreement between Customer and Uniphore, but has not signed its own Order Form with Uniphore.

“Control” means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question. The term “Controlled” will be construed accordingly.

“Data Protection Laws” means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement, including, where applicable, European Data Protection Law.

“Controller” means an entity that determines the purposes and means of the processing of Personal Data.

“Processor” means an entity that processes Personal Data on behalf of a Controller.

“Data Subject” means the identified or identifiable person to whom Personal Data relates.

“European Data Protection Law” means all data protection and privacy laws and regulations of Europe applicable to the processing of Personal Data under the Agreement, including (as applicable) (a) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (b) the UK General Data Protection Regulation (“UK GDPR”); and (c) the Swiss Federal Act on Data Protection (“Swiss DPA”).

“Europe” means, for the purposes of this DPA, the European Union and the European Economic Area, and each of their member states, as well as UK and Switzerland.

“Model Clauses” means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679, as adopted by the European Commission in its Implementing Decision (EU) 2021/914 (also referred to in this DPA as “SCCs”), as may be amended or superseded from time to time.

“MSA” means the Main Services Agreement between Customer and Uniphore.

“Personal Data” means any information that constitutes “personal data,” “personal information,” or similar terms as defined under applicable Data Protection Laws and that is processed by Uniphore on behalf of Customer under the Agreement.

“Processing” has the meaning given to it in the GDPR (whether or not the GDPR applies) and “process”, “processes” and “processed” will be interpreted accordingly.

“Security Incident” means a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. For the avoidance of doubt, unsuccessful attempts at unauthorized access, pings, port scans, denial-of-service attacks, and other network attacks that do not result in unauthorized access to Personal Data do not constitute Security Incidents.

“Security Program” means Uniphore’s written security program that includes administrative, technical and physical safeguards.

“Subprocessor” means any Data Processor engaged by Uniphore or its Affiliates to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement (including this DPA). Subprocessors may include third parties or any Uniphore Affiliate.

“Supervisory Authority” means an independent public authority which is established by a country in Europe pursuant to applicable European Data Protection Law.

“Special Categories of Personal Data” means Personal Data that consists of special categories of data, as defined under GDPR Article 9(1), or that consists of “sensitive personal data” or “sensitive personal information”, as defined under equivalent provisions of applicable Data Protection Laws.

3. RELATIONSHIP WITH THE AGREEMENT

The parties agree that this DPA will supersede and replace any existing DPA (including the Model Clauses (as applicable)) the parties may have previously entered into in connection with the Services.

Except for the changes made by this DPA, the rest of the Agreement remains unchanged and in full force and effect. With respect to the subject matter of this DPA, in the event of any inconsistencies between the provisions of this DPA and any other part of the Agreement, the provisions of this DPA will prevail. In the event of any inconsistency between the provisions of this DPA and the Model Clauses, the Model Clauses will prevail.

Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA is subject to, and will not exceed the aggregate liability cap set forth in, the Limitation of Liability section of the MSA. For the avoidance of doubt, this DPA does not create any liability that is separate from or in addition to the liability limits in the MSA.

No one other than a party to this DPA, its successors and permitted assignees will have any right to enforce any of its terms.

This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable European Data Protection Law.

This DPA and the Model Clauses will terminate simultaneously and automatically with the termination or expiration of the Agreement.

Where Customer has executed a Business Associate Agreement (“BAA”) with Uniphore in connection with Customer’s use of the Services to process Protected Health Information (“PHI”) as defined under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the BAA will control and govern all obligations of the parties with respect to PHI. In the event of any conflict between the BAA and this DPA with respect to PHI, the BAA will prevail. This DPA will not apply to PHI except to the extent expressly incorporated by reference in the BAA. Customer will not submit PHI to the Services unless it has executed a BAA with Uniphore.

4. SCOPE AND PROCESSING

4.1 Role of the Parties.

As between Uniphore and Customer, Customer is the Controller of Personal Data, and Uniphore will Process Personal Data only as a Processor, acting on behalf of Customer.

4.2 Customer Processing of Personal Data.

Customer is responsible for its compliance with applicable Data Protection Laws in its use of the Services and its provision of Personal Data to Uniphore.

4.3 Uniphore Processing of Personal Data.

Uniphore will process Personal Data only for the purposes described in the Agreement (including this DPA) and only in accordance with Customer’s documented lawful instructions. Uniphore will, unless legally prohibited from doing so, inform Customer if it believes that an instruction from Customer conflicts with applicable Data Protection Laws.  Uniphore may suspend processing if it believes an instruction violates Data Protection Laws until the violation is cured. The parties agree that the Agreement, including this DPA, set out Customer’s complete and final instructions to Uniphore in relation to the processing of Personal Data and processing outside the scope of these instructions (if any) will require prior written agreement between the parties.

4.4 Details of Data Processing.

Subject matter: The subject matter of the data processing under this DPA is the Personal Data.

Duration: As between Uniphore and Customer, the duration of the data processing under this DPA is until the termination of processing under the Agreement in accordance with its terms.

Frequency: The processing is continuous.

Purpose: The purpose of the Personal Data processing under this DPA is the provision of the Services to the Customer and the performance of Uniphore’s obligations under the Agreement (including this DPA).

Nature of the processing: Uniphore provides AI-powered customer service transcription, analytics, virtual assistant, conversational insight, and agent verification platforms and support services for the platforms.

Categories of data subjects: Any individual whose information is uploaded to or collected via the Services.

Types of Personal Data: Personal Data provided by or on behalf of Customer in connection with Customer’s use of the Services.

Special Categories of Personal Data: Uniphore does not want to, nor does it intentionally, collect or process any Special Categories of Personal Data in connection with the provision of the Services. Customer will not submit Special Categories of Personal Data to Uniphore or through the Services without Uniphore’s prior written consent and a written amendment to this DPA. Customer’s unauthorized submission of Special Categories of Personal Data constitutes a material breach of this DPA, and Customer will indemnify Uniphore for all resulting costs, fines, and liability.

Period of Retention. Unless a shorter period is specified in the applicable Order Form or Documentation, Uniphore will retain Personal Data for no longer than thirty (30) days following expiration or termination of the applicable Order Form, after which Uniphore will delete or return Personal Data in accordance with the Return or Deletion of Data section of this DPA.

Subprocessors. To the extent applicable to the particular subprocessor, the descriptions above also apply to Uniphore’s then-current list of Subprocessors, which is available at uniphore.com/subprocessors.

5. UNIPHORE AS CONTROLLER

Uniphore processes certain Personal Data as a Controller in its own right, including data relating to account administration, billing, support interactions, and service operations. Such processing is governed by Uniphore’s Privacy Policy and applicable Data Protection Laws, and is not subject to this DPA.

6. DATA SUBJECT REQUESTS

To the extent legally permitted, Uniphore will promptly notify Customer if Uniphore receives a request from a Data Subject to exercise its rights under Data Protection Laws related to that person’s Personal Data in connection with the Services performed for Customer. Considering the nature of the processing, Uniphore will assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the Data Subject’s rights under Data Protection Laws. Customer will be responsible for all reasonable costs associated with Uniphore’s assistance, at Uniphore’s then-current professional services rates. Uniphore’s obligation to assist with Data Subject requests is limited to Personal Data that Uniphore holds at the time of the request.

7. SUBPROCESSING

Customer authorizes Uniphore’s use of Subprocessors to assist Uniphore with respect to the performance of Uniphore’s obligations under the Agreement. Uniphore will be responsible for the acts and omissions of its Subprocessors to the same extent as if it were performing the services of each Subprocessor directly under the terms of this DPA. Uniphore will ensure that all Subprocessors agree to: (i) maintain reasonable and appropriate confidentiality obligations with respect to Personal Data; and (ii) enter into a written contract with Uniphore that provides for substantially the same data protection obligations as set out in this DPA. Uniphore’s current Subprocessors are listed at uniphore.com/subprocessors.

Uniphore will provide thirty (30) days’ advance written notice of any material change to its Subprocessor list. Customer may raise a written objection within ten (10) business days of receipt of such notice. In the event Customer has a legitimate objection to the new Subprocessor, the parties will work together in good faith to resolve the grounds for the objection. If the parties fail to agree upon a resolution within twenty (20) days, Customer may upon thirty (30) days’ written notice to Uniphore terminate the applicable affected Service under the applicable Order Form(s) with respect to those aspects of the Service performed through the use of the objected-to Subprocessor.  If Customer does not terminate in accordance with the foregoing, then it waives its objection to use that Subprocessor.

8. SECURITY

8.1 Security Measures.

Uniphore will implement and maintain appropriate technical and organizational security measures designed to protect Personal Data from Security Incidents, as set forth in Uniphore’s Security Program. Uniphore may update or modify the security measures contained within the Security Program (“Security Measures”) from time to time, provided that such updates and modifications do not materially and adversely degrade the level of security of the Services purchased by Customer.

8.2 Review of Security Measures.

Customer is responsible for reviewing the information made available by Uniphore relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Data Protection Laws.

8.3 Customer Responsibilities.

Customer agrees that, without limiting Uniphore’s obligations under this DPA, Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Personal Data when in transit to and from the Services, and taking any appropriate steps to securely encrypt or backup any Personal Data uploaded to the Services. Uniphore’s security obligations under this DPA do not extend to Customer’s own infrastructure, network, systems, or any Third-Party Applications.

8.4 Security Reports and DPIAs.

Uniphore will obtain the third-party certifications and audit results set forth in the Security Program. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Uniphore will make available to Customer the then-current certifications or audit results. Upon Customer’s request, Uniphore agrees to provide reasonable cooperation and assistance needed to fulfil Customer’s obligation under applicable Data Protection Laws to carry out a data protection impact assessment or prior consultations with data protection authorities as required by Data Protection Laws in connection with Customer’s use of the Services.

8.5 Audit Rights.

Except as specified in this Section 8.5, Customer’s audit rights under this DPA and the Model Clauses are satisfied in full by Uniphore’s provision of its then-current certifications or audit results specified in Section 8.4. An on-site audit may be requested only if: (a) Customer provides a written explanation demonstrating that such certifications and results are materially inadequate to satisfy a specific, identified compliance obligation under applicable Data Protection Laws; and (b) Customer provides no less than thirty (30) days’ advance written notice. Any on-site audit will be: (i) limited to Uniphore’s controls applicable to the specific Services subscribed to by Customer and solely as they relate to Customer’s own data; (ii) conducted no more than once per calendar year; (iii) not include access to other customers’ data, shared infrastructure, co-tenancy architecture, or Uniphore’s general business operations; (iv) conducted through written questions submitted to Uniphore’s designated personnel, with Uniphore retaining sole discretion over system access; and (v) not unreasonably interfere with Uniphore’s operations. Audit findings are confidential and may be used solely for Customer’s internal compliance purposes. Customer will reimburse all of Uniphore’s reasonable costs, including personnel time at then-current professional services rates and reasonable out-of-pocket expenses. Notwithstanding the foregoing, where Customer is subject to a specific, documented regulatory obligation under applicable law that requires Customer to conduct an on-site audit of Uniphore as a vendor (including under applicable financial services regulations), Customer may exercise such audit rights to the minimum extent necessary to satisfy that regulatory obligation, subject in all cases to the scheduling, scope limitation, confidentiality, and cost reimbursement requirements set forth in this Section 8.5.

8.6 Confidentiality of Processing.

Uniphore will ensure that any person who is authorized by Uniphore to process Personal Data has committed themselves to confidentiality or is under an appropriate statutory obligation of confidentiality.

9. SECURITY INCIDENT RESPONSE

Uniphore will notify Customer without undue delay after becoming aware of a Security Incident. Uniphore will assist Customer with its notification obligations under Data Protection Laws in connection with a Security Incident taking into account the nature of processing and the information available to Uniphore.  Any such assistance will be performed at Uniphore’s then-current professional services rates.  Uniphore will make reasonable efforts to identify the cause of such Security Incident and take those steps as Uniphore deems necessary and reasonable in order to remediate the cause of such a Security Incident to the extent the remediation is within Uniphore’s reasonable control. Customer will bear all remediation costs to the extent a Security Incident is caused or contributed to by Customer, Customer’s Users, Customer’s systems, or Third-Party Applications. Uniphore’s obligation to report or respond to a Security Incident under this Section is not and will not be construed as an acknowledgement by Uniphore of any fault or liability with respect to the Security Incident.

10. INTERNATIONAL TRANSFERS

10.1 Authorization.

Customer authorizes Uniphore and its Subprocessors to transfer Personal Data across international borders, including from Europe to the United States and other countries.

10.2 Data Center Locations.

Uniphore may transfer and process Personal Data anywhere in the world where Uniphore, its Affiliates or its Subprocessors maintain data processing operations. Uniphore will ensure such transfers are made in compliance with the requirements of Data Protection Laws.

10.3 Model Clauses.

To the extent that Uniphore processes any Personal Data protected by European Data Protection Law under the Agreement in a country that does not provide an adequate level of data protection within the meaning of applicable European Data Protection Law, the parties agree that:

1) In relation to transfers of Personal Data protected by the GDPR and processed in accordance with this DPA, the Model Clauses apply, and:

the Module 2 terms will apply;

in Clause 7, the optional docking clause will apply;

for purposes of Clause 9 of the Model Clauses, Option 2 (‘General authorization’) will apply and the processes and timelines of Section 9 (Subprocessing) of this DPA will apply;

in Clause 11 of the Model Clauses, the optional language will be deleted;

for purposes of Clause 13 of the Model Clauses: where the data exporter is established in an EU Member State, the supervisory authority responsible for ensuring compliance will act as competent supervisory authority; otherwise, the Irish Data Protection Commission will act as competent supervisory authority;

in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;

in Clause 18(b), disputes will be resolved before the courts of Ireland; Annex 1.A, Annex 1.B and Annex 1.C of the Model Clauses will be as set forth in Schedule 1; Annex 2 of the Model Clauses will be as set forth in Schedule 2; supplemental clauses implemented by the Data Importer include those set forth in Schedule 4; and the parties acknowledge that Clause 2(a) of the Model Clauses permits them to include additional business-related terms provided they do not contradict the Model Clauses, as set forth in Schedule 5.

(2) In relation to transfers of Personal Data protected by the UK GDPR, the SCCs will also apply with the following modifications: any references to “Regulation (EU) 2016/679” will be interpreted as references to the UK GDPR; references to “EU”, “Union” and “Member State law” are replaced with “UK”; the competent supervisory authority is the UK Information Commissioner; and Clause 17 is replaced to state that the Clauses are governed by the laws of England and Wales.

(3) In relation to transfers of Personal Data protected by the Swiss DPA, the SCCs will also apply with appropriate modifications for Swiss law, with the Swiss Federal Data Protection and Information Commissioner as competent supervisory authority.

It is not the intention of either party to contradict or restrict any of the provisions set forth in the Model Clauses and, accordingly, if and to the extent the Model Clauses conflict with any provision of this DPA, the Model Clauses will prevail to the extent of such conflict.

10.4 Alternative Transfer Mechanism.

The parties agree that the data export solution identified in Section 10.3 will not apply if and to the extent that Uniphore adopts an alternative data export solution for the lawful transfer of Personal Data (as recognized under European Data Protection Laws), in which event the Alternative Transfer Mechanism will apply instead (and will not require an amendment to this DPA). In the event the Model Clauses are invalidated, amended, or superseded by a new decision of the European Commission or a competent supervisory authority, the parties agree to cooperate in good faith to implement a replacement mechanism as promptly as practicable, without requiring a full renegotiation or amendment of this DPA.

11. RETURN OR DELETION OF DATA

Upon termination or expiration of the Agreement, Uniphore will (at Customer’s election) delete or return to Customer all Personal Data in Uniphore’s active production systems (including copies thereof) in its possession or control, save that this requirement will not apply to the extent Uniphore is required by applicable law to retain some or all of the Personal Data. Uniphore’s obligation to return or delete Personal Data does not extend to data held in disaster recovery systems, backup archives, or log files, which will be deleted in the ordinary course of Uniphore’s standard backup rotation and log retention schedule. Customer’s election to return or deletion of data must be made in writing within thirty (30) days of termination or expiration; if no election is made within such period, Uniphore may delete all Personal Data in its active production systems without further notice. The provisions of this Section will survive the termination or expiration of the Agreement for a period of one (1) year.

SCHEDULE 1 — ANNEX I TO THE STANDARD CONTRACTUAL CLAUSES

A. List of Parties.

Data exporter(s): The data exporter is the entity identified as the “Customer” in the Data Processing Addendum (“DPA”) to which these Clauses are appended, including its Authorized Affiliates.

Data importer(s): The data importer is US headquartered company, Uniphore Technologies Inc., or any of its subsidiaries or Affiliates who execute an Order Form.

B. Description of Transfer.

Please see the details set forth in Section 4.4 of the DPA to which these Clauses are appended.

C. Competent Supervisory Authority.

Where the data exporter is established in an EU or EEA Member State, the supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer will act as competent supervisory authority. Where the data exporter is not established in an EU or EEA Member State, the Irish Data Protection Commission will act as competent supervisory authority.

SCHEDULE 2 — ANNEX II TO THE STANDARD CONTRACTUAL CLAUSES (SECURITY MEASURES)

Uniphore’s technical and organizational security measures applicable to the Services are as described in Uniphore’s then-current Security Program, available upon request. Uniphore will make a summary of applicable technical and organizational measures available to Customer upon written request and subject to confidentiality obligations no less protective than the Agreement.

SCHEDULE 3 — CCPA ADDENDUM

This CCPA Addendum governs Uniphore’s processing of Personal Data subject to the California Consumer Privacy Act of 2018, as amended, including by the California Privacy Rights Act of 2020 (“CCPA”) on behalf of Customer (such Personal Data, the “CCPA Data”). 

1. Roles. For purposes of the CCPA Data, Customer is a ‘business’ and Uniphore is a ‘service provider,’ as such terms are defined under the CCPA.

2. Restrictions. Uniphore will not: (a) retain, use, or disclose CCPA Data except to perform Services on behalf of Customer and its Authorized Affiliates or as otherwise permitted for service providers under the CCPA; (b) Process the Personal Data outside of the direct business relationship between the Customer and Uniphore;  or (c) combine Personal Data with any other personal data or information it collects (directly or via any third party) other than as expressly permitted under the CCPA for service providers.

3. No Sale or Sharing. Uniphore will not “sell” or “share” (each, as defined under the CCPA) such Personal Data to any third party.

4. Other Compliance.  Uniphore will notify the Customer if it makes a determination that it can no longer meet its obligations under the CCPA.  The Customer has the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of CCPA Data.  The Customer is granted the right to take reasonable and appropriate steps to ensure Uniphore uses the CCPA in a manner consistent with the Customer’s obligations, provided, however, that Customer agrees to exercise that right through its rights in Section 8.5 of the DPA.

5. Certification. Uniphore certifies that it understands the restrictions in this Schedule 3 and will comply with them.

6. Conflict. In the event of any conflict between the terms of this Schedule 3 and the terms of the remainder of the Agreement, the terms of this Schedule 3 will govern.

SCHEDULE 4 — SUPPLEMENTAL CLAUSES (U.S. NATIONAL SECURITY)

For the purposes of this Schedule, supplemental clauses implemented by the Data Importer include the following.

Non-receipt of directives under FISA Section 702: Data importer represents and warrants that, as of the Effective Date of this DPA, it has not received any directive under Section 702 of the Foreign Intelligence Surveillance Act (50 U.S.C. § 1881a) and is not subject to any national security legal process requiring it to provide access to or information about Personal Data.

FISA Section 702 ineligibility: Data importer represents that it reasonably believes it is not eligible to be subject to any such national security legal process. It does not believe it qualifies as an “electronic communication service provider” within the meaning of 50 U.S.C. § 1881(b)(4).

Court-review safeguard: Data importer will use all reasonable legal mechanisms to challenge any unlawful demands for data access it receives from public authorities, including under national security legislation, and/or to obtain the right to communicate the existence of such a demand to the data exporter.

EO 12333 non-cooperation: Data importer will take no action pursuant to U.S. Executive Order 12333.

Notice of non-compliance: Data importer will promptly notify the Data Exporter if Data importer can no longer comply with the provisions of this Schedule or the Model Clauses, without indicating the specific provision, so that the Data Exporter can exercise its rights under Clause 14(f) of the Model Clauses.

SCHEDULE 5 — ADDITIONAL BUSINESS TERMS (APPENDIX IV)

The parties acknowledge that Clause 2(a) of the Clauses permits them to include additional business-related terms provided they do not contradict, directly or indirectly, the Model Clauses or prejudice the fundamental rights or freedoms of data subjects.

Accordingly, to the extent permissible and to the extent it does not invalidate the Model Clauses, this Schedule 5 sets out additional business-related terms that will apply in connection with the Model Clauses.

Clauses 3 and 8.6(d): Disclosure of these Clauses.

Data exporter agrees that these Model Clauses constitute data importer’s Confidential Information (as that term is defined in the MSA) and therefore will not be disclosed by data exporter to any third party without data importer’s prior written consent, except as required by applicable law or a supervisory authority.

Clause 8.1(a) and Clause 8.1(b): Suspension of data transfers and termination.

The parties acknowledge that for the purposes of Clause 8.1(a), data importer may process the Personal Data only on documented instructions from data exporter (as set out in the DPA or any other part of the Agreement) unless data importer is required to process Personal Data under Union or Member State law.

The parties acknowledge that if data importer cannot provide compliance in accordance with Clause 8.1(a) and/or Clause 8.1(b), data exporter has the right to suspend the transfer of data. If the data exporter intends to suspend the transfer of Personal Data and/or terminate the affected parts of the Service, data exporter will provide Uniphore with a written notice in advance and a cure period of no less than thirty (30) days (“Cure Period”) to remediate or resolve the non-compliance.

If, after the Cure Period, the data importer has not or cannot cure the non-compliance, either party may terminate the Agreement in accordance with the Agreement’s termination provisions.

Clause 8.9: Audit.

Data exporter acknowledges and agrees that it exercises its audit right under Clause 8.9 by instructing data importer to comply with the audit measures described in Section 8.5 of the DPA.

Clause 9(c): Disclosure of Subprocessor Agreements.

The parties acknowledge the obligation of the data importer to send promptly upon request a copy of any onward Subprocessor agreement it concludes under the Model Clauses, subject to any Subprocessor confidentiality restrictions. Where data importer cannot disclose a Subprocessor agreement, the parties agree that data importer will provide all information it reasonably can in connection with such Subprocessing agreement.

Clause 12: Liability.

To the extent permissible, any claims brought under the Model Clauses will be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the MSA.