This Data Processing Agreement and its Exhibits (“DPA”) forms part of and is subject to the terms and conditions of the Agreement (as defined below) by and between you (“Customer”) and Seesaw Learning, Inc. (“Seesaw” and, together with the Customer, the “Parties”).
1. Definitions
1.1 Capitalized terms not defined in this DPA will have the meaning set forth in the Agreement. The following capitalized terms used in this DPA are defined as follows:
“Adequate Jurisdiction” means the UK, European Economic Area (“EEA”) or a country or territory deemed to provide adequate protection for the rights and freedoms of individuals, as set out in: (a) the Data Protection Act 2018 or regulations made by the UK Secretary of State under the Data Protection Act 2018; (b) a decision of the European Commission; or (c) a decision of the Swiss Federal Council as listed in Annex 1 to the Ordinance (as amended from time to time).
“Agreement” means the agreement entered into between the Customer and Seesaw in respect of the Services, comprising Seesaw’s Terms of Service or as otherwise agreed between the Parties.
“Controller Purposes” means the purposes described in Exhibit A in respect of Processing that Seesaw conducts as a controller, business or third party (as identified in Exhibit A).
“Customer” has the meaning given to it in the Agreement.
“Customer Personal Data” means: (a) any Personal Data that is provided by or on behalf of Customer to Seesaw in connection with the performance of the Services; or (b) Personal Data that is obtained by Seesaw directly from Data Subjects, or is otherwise developed or produced by Seesaw, or its agents or subcontractors, in connection with the provision of the Services, in each case as further described in Exhibit A.
“Data Subject” means a natural person to whom Personal Data relates.
“Data Protection Laws” means all applicable data protection and privacy laws and regulations applicable to the processing of Personal Data under the Agreement, including the GDPR and Swiss Data Protection Laws.
“DPF” means the “DPF”, “EU-US Data Privacy Framework” or (where applicable) the “UK Extension to the EU-US Data Privacy Framework”, in each case as defined in the relevant US Adequacy Decision.
“DPF List” means the “Data Privacy Framework List” or “DPF List” as defined in the applicable US Adequacy Decision.
“DPF Principles” means the “EU-US Data Privacy Framework Principles” or “Principles” as defined in the applicable US Adequacy Decision.
“Effective Date” means the date the Parties enter into the Agreement or, if different, the date on which such Agreement is deemed to take effect.
“GDPR” means Regulation (EU) 2016/679 (the “EU GDPR”) or, where applicable, the “UK GDPR” as defined in section 3 of the UK Data Protection Act 2018.
“Personal Data” means any data or information that: (a) is linked or reasonably linkable to an identified or identifiable natural person; or (b) is otherwise “personal data”, “personal information”, “personally identifiable information”, or similarly defined data or information under Data Protection Laws.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means. “Process”, “Processes” and “Processed” will be interpreted accordingly.
“Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to (including unauthorized internal access to), Customer Personal Data.
“Standard Contractual Clauses” or “SCCs” means the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914.
“Subprocessor” means a Processor appointed to Process Personal Data on behalf of a Processor.
“Swiss Data Protection Laws” means the Swiss Federal Act on Data Protection of 25 September 2020 (“FADP”) and the Swiss Data Protection Ordinance of 31 August 2022 (the “Ordinance”), and any new or revised version of these laws that may enter into force from time to time.
“US Adequacy Decisions” means: (a) the UK Data Protection (Adequacy) (United States of America) Regulations 2023; and (b) Commission Implementing Decision C(2023) 4745 on the adequate level of protection of personal data under the EU-US Data Privacy Framework.
2. Relationship with the Agreement
2.1 If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.
2.2 Any claims brought under or in connection with this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.
2.3 This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
3. Roles
3.1 The Parties acknowledge and agree that:
(a) save as set out in section 3.1(b) and 3.1(c), Seesaw acts as a processor in Processing Customer Personal Data and Customer acts as a controller; and
(b) Seesaw acts as a controller in respect of its Processing of Customer Personal Data for the Controller Purposes.
(c) Seesaw and Customer act as joint controllers as identified in Exhibit A.
4. Compliance
4.1 Each Party shall comply with its obligations under Data Protection Laws in respect of its Processing of Customer Personal Data.
4.2 Without prejudice to the foregoing, and subject to the obligations set out in section 8 and Exhibit C in respect of any Processing carried out by the Parties as joint controllers, each Party shall, with respect to Processing it undertakes as controller:
(a) provide such information to Data Subjects regarding the Processing of Customer Personal Data as required under Data Protection Laws; and
(b) to the extent required for the lawful Processing of Customer Personal Data under Data Protection Laws, obtain valid consents from Data Subjects for such Processing in the form required under Data Protection Laws.
4.3 Each Party shall promptly notify the other if it receives a request from a Data Subject to assert their rights to the erasure or rectification of their Customer Personal Data.
5. Confidentiality
5.1 Seesaw shall:
(a) limit access to Customer Personal Data to personnel who have a business need to have access to such Customer Personal Data; and
(b) ensure that such personnel are subject to obligations at least as protective of the Customer Personal Data as the terms of this DPA and the Agreement, including duties of confidentiality with respect to any Customer Personal Data to which they have access.
6. Data processing
6.1 This section 6 applies to the extent that Seesaw acts as a processor or service provider in Processing the Customer Personal Data.
6.2 The details of the Processing of Personal Data under the Agreement and this DPA (including subject matter, nature and purpose of the Processing, categories of Personal Data and Data Subjects) are described in the Agreement and in Exhibit A.
6.3 Seesaw will only Process Customer Personal Data on behalf of and under the instructions of Customer and in accordance with Data Protection Laws, unless Processing is required under applicable law in the EEA, a Member State of the EEA or any part of the United Kingdom, in which case Seesaw shall notify Customer of that legal requirement before Processing unless that law prohibits such information on important grounds of public interest.
6.4 Seesaw shall:
(a) provide Customer with information to enable Customer to conduct and document any data protection assessments required under Data Protection Laws and provide such reasonable assistance to Customer as required in connection with any investigation by or consultation with the Client’s supervisory authority;
(b) immediately notify Customer if, in its reasonable opinion, an instruction infringes Data Protection Laws;
(c) promptly notify Customer of any request received by Seesaw or any Subprocessor from a Data Subject to assert their rights in relation to Customer Personal Data under Data Protection Laws (a “Data Subject Request”);
(d) not respond to any Data Subject Requests and, taking into account the nature of the Processing, provide Customer with reasonable assistance through technical and organizational measures, insofar as this is possible, for Customer to fulfil its obligation under Data Protection Laws to respond to Data Subject Requests.
6.5 Seesaw may engage any of the Subprocessors listed at https://seesaw.com/subprocessor, as amended in accordance with section 6.6 (the “Authorized Subprocessors”), to Process Customer Personal Data. Seesaw shall:
(a) enter into a written agreement with each Subprocessor imposing data protection obligations that, in substance, are no less protective of Customer Personal Data than Seesaw’s obligations under this DPA; and
(b) remain liable for each Subprocessor’s compliance with the obligations under this DPA.
6.6 Seesaw will provide Customer with at least fifteen (15) days’ notice of any proposed changes to the Authorized Subprocessors. Customer shall comply with any reasonable instructions provided by Seesaw for receiving such notifications, including (where applicable) subscribing to any data feeds or mailing lists that Seesaw makes available for such notifications. The webpage where Customers can subscribe through RSS feeds is https://seesaw.com/subprocessor. Customer shall notify Seesaw if it objects to the proposed change to the Authorized Subprocessors by providing Seesaw with written notice of the objection within ten (10) days after Seesaw has provided notice to Customer of such proposed change. In such event, the parties shall discuss such concerns in good faith with a view to achieving resolution. If this is not possible, Customer may suspend or terminate the Agreement and request a pro-rated refund of any fees paid.
6.7 Seesaw shall, subject to section 9, provide Customer with all information reasonably necessary to demonstrate its compliance with this DPA. Seesaw shall, no more than once per year, allow for, and contribute to, reasonable audits and inspections by Customer or Customer’s designated auditor.
6.8 Upon becoming aware of a Security Incident, Seesaw shall notify Customer without undue delay and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer. Seesaw shall provide reasonable assistance to Customer as required for Customer to comply with any notification obligations in respect of the Security Incident arising under Data Protection Laws.
7. Joint control
7.1 To the extent that Seesaw and Customer act as joint controllers in respect of the Processing of Customer Personal Data, as identified in Exhibit A, they shall perform their obligations under the GDPR as set out in Exhibit B, save where their responsibilities are otherwise determined by applicable law.
8. Security
8.1 Seesaw shall implement and maintain appropriate technical and organizational security measures to protect Customer Personal Data from Security Incidents and to preserve the security and confidentiality of the Customer Personal Data, in accordance with Seesaw’s security standards described in https://help.seesaw.me/hc/en-us/articles/203258429.
8.2 Customer acknowledges that the Security Measures are subject to technical progress and development and that Seesaw may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer.
9. Audits
9.1 The Parties agree that any audits conducted in accordance with section 6.7 shall be conducted as follows:
(a) Following receipt by Seesaw of an audit request, Seesaw and Customer will discuss and agree in advance on the reasonable start date, scope and duration of, and security and confidentiality controls applicable to, any audit. Any audit must be: (i) conducted during Seesaw’s regular business hours; (ii) with reasonable advance notice to Seesaw; (iii) carried out in a manner that prevents unnecessary disruption to Seesaw’s operations; and (iv) subject to reasonable confidentiality procedures.
(b) Seesaw may charge a fee (based on Seesaw’s reasonable costs) for any audit. Seesaw will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such audit. Customer will be responsible for any fees charged by any third-party auditor appointed by Customer to execute any such audit.
(c) Seesaw may object to any third-party auditor appointed by Customer to conduct any audit under section 6.7(a) if the auditor is, in Seesaw’s reasonable opinion, not suitably qualified or independent, a competitor of Seesaw, or otherwise manifestly unsuitable. Any such objection by Seesaw will require Customer to appoint another auditor or conduct the audit itself.
(d) Nothing in this DPA shall require Seesaw either to disclose to Customer or its third-party auditor, or to allow Customer or its third-party auditor to access:
(i) any data of any other customer of Seesaw;
(ii) Seesaw’s internal accounting or financial information;
(iii) any trade secret of Seesaw;
(iv) any information that, in Seesaw’s reasonable opinion, could: (A) compromise the security of Seesaw’s systems or premises; or (B) cause Seesaw to breach its obligations under Data Protection Laws or its security and/or privacy obligations to Customer or any third party; or
(v) any information that Customer or its third-party auditor seeks to access for any reason other than the good faith fulfillment of Customer’s obligations under Data Protection Laws.
9.2 Seesaw may, in response to the Customer’s audit request:
(a) provide the Customer with any independent audit reports or data protection compliance certifications issued by a commonly accepted certification and obtained by Seesaw in support of Seesaw’s obligations under this DPA; or
(b) arrange for a qualified and independent auditor to conduct an audit of Seesaw’s policies and technical and organizational measures in support of the obligations under this DPA using an appropriate and accepted control standard or framework and audit procedure for the audits as applicable, and provide the report of such audit to Customer,
and Customer agrees to accept any such audit reports or certifications provided by Seesaw in place of conducting an audit.
10. International Transfers
10.1 Seesaw shall not transfer any Customer Personal Data to a recipient outside the UK or EEA unless:
(a) the recipient is in an Adequate Jurisdiction; or
(b) Seesaw complies with the requirements of the DPF when making such transfer, including taking reasonable and appropriate steps to ensure that the recipient provides the same level of protection as the DPF Principles and notifies Seesaw if it makes a determination that it can no longer meet this obligation; or
(c) the transfer is otherwise not prohibited under Chapter V of the GDPR.
10.2 To the extent that Seesaw ceases to be listed as a participating organization in the applicable DPF List for the purposes of a US Adequacy Decision, or a US Adequacy Decision is repealed, withdrawn or otherwise ceases to apply to transfers of Customer Personal Data from Customer (as data exporter) to Seesaw (as data importer) where the GDPR applies to Customer’s Processing of such Customer Personal Data when making the transfer, the Parties agree that:
(a) the SCCs, as further set out in Exhibit C, shall apply to such transfers and be deemed incorporated in this DPA;
(b) signature of this DPA shall have the same effect as signing the SCCs; and
(c) the limitations and exclusions of liability in the Agreement shall not apply to any claims arising under the SCCs.
11. Term, Return or Deletion of Data
11.1 This DPA shall be deemed to commence on the Effective Date and, notwithstanding termination of the Agreement, will remain in effect until, and automatically expire on, Seesaw’s deletion or anonymization of all Customer Personal Data.
11.2 Seesaw shall:
(a) if requested to do so by Customer within ninety (90) days of termination or expiry of the Agreement (the “Termination Retention Period”), provide Customer a copy of all Customer Personal Data Processed by Seesaw as a processor or service provider in such commonly used format as requested by Customer, or provide a self-service functionality allowing Customer to download such Customer Personal Data; and
(b) on expiry of the Termination Retention Period, delete all copies of Customer Personal Data Processed by Seesaw or any Authorized Subprocessors, other than: (a) Customer Personal Data that Seesaw is required to retain by applicable law; and (b) Customer Personal Data that Seesaw Processes as a controller or business for the Controller Purposes.
List of Exhibits
Exhibit A: Details of the Processing
Exhibit B: Allocation of Responsibilities between Joint Controllers
Exhibit C: Standard Contractual Clauses