For this DPA:
1.1. “CCPA” means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 or "CPRA")
1.2. "Controller" means the entity which determines the purposes and means of the Processing of Personal Data;
1.3. “Customer Personal Data” means the Personal Data described under Schedule 1 to this DPA;
1.4. “Data Protection Laws” shall mean the applicable data protection and data privacy laws, rules and regulations that apply to the Customer Personal Data, including without limitation the European Data Protection Laws, the CCPA and other applicable U.S. federal and state privacy laws and UK Data Protection Laws;
1.5. “Data Subjects” means the individuals identified in Schedule 1;
1.6. “European Data Protection Laws” means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); or (iv) the Swiss Federal Data Protection Act and its Ordinance ("Swiss DPA"); in each case, as may be amended, superseded or replaced;
1.7. “EU SCCs” means the Standard Contractual Clauses approved with Commission Implementing Decision (EU) 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended, supplemented, updated or replaced from time to time;
1.8. “Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms “Process”, “Processes” and “Processed” will be construed accordingly.
1.9. “Personal Data” and “Personal Data Breach” will each have the meaning given to them in the Data Protection Laws. The term “Personal Data” includes “personal information,” “personally identifiable information,” and equivalent terms as such terms may be defined by the Data Protection Laws. The term “Personal Data Breach” includes equivalent terms as defined by the Data Protection Laws;
1.10. “Processor” means the entity which Processes Personal Data on behalf of the Controller;
1.11. “Sell” has the meaning given in the Data Protection Laws;
1.12. “UK SCCs” means the Standard Contractual Clauses for controller to processor transfers set forth in the European Commission’s decision (C(2010)593) of 5 February 2010; and
1.13. “UK Data Protection Laws” means GDPR as it forms part of the United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR") and the International Data Transfer Addendum issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018, as may be amended, superseded, or replaced.
2.1. The parties acknowledge and agree that Customer is the Controller of Customer Personal Data and 5X is a Processor of Customer Personal Data. 5X will only Process Customer Personal Data as a Processor on behalf of the Customer, and with respect to the CCPA as a “service provider” as defined therein, in each case regardless of whether the Customer acts as the Data Controller or as a Data Processor (on behalf of a third-party Data Controller) with respect to Customer Personal Data.
2.2. 5X will Process Customer Personal Data to the extent necessary to provide the Service and shall ensure that such Processing shall be lawful and the Processing of Customer Personal Data will not violate applicable Data Protection Laws. 5X shall not (1) retain, use, or disclose Customer Personal Data other than as provided for in the Agreement, as needed to provide the Service, or as otherwise permitted by Data Protection Laws; (2) combine Customer Personal Data with Personal Data 5X receives from other customers or individuals (except as permitted by the CCPA); or (3) Sell Customer Personal Data. 5X shall notify Customer if it determines that it cannot meet its obligations under the CPRA. Upon receiving written notice from Customer that 5X has Processed Customer Personal Data without authorization, 5X will stop and remediate such Processing.
2.3. Any additional requested instructions for Processing as received from the Customer shall require a written agreement with 5X. 5X shall promptly notify Customer if, in 5X’s opinion, such instruction violates Data Protection Law. Where applicable, Customer shall be responsible for any communications, notifications, assistance and/or authorizations that may be required in connection with a third-party Data Controller.
2.4. Each party will comply with its respective obligations under Data Protection Laws. Customer agrees (i) it will use the Service in a manner designed to ensure a level of security appropriate to the particular content of the Customer Personal Data, such as pseudonymizing and backing-up Customer Personal Data; and (ii) it has obtained all consents, permissions and/or rights necessary under Data Protection Laws for 5X to lawfully Process Customer Personal Data for the Purposes, including, without limitation, Customer’s sharing and/or receiving of Customer Personal Data with third-parties via the Service.
2.5. The details of Processing of Customer Personal Data by 5X are provided under Schedule 1 of this DPA.
3.1. With respect to Customer Personal Data originating from the European Economic Area (“EEA”) or Switzerland that is transferred from Customer to 5X, the parties agree to comply with the general clauses and with “Module Two” (Controller to Processor) of the EU SCCs, which are incorporated herein by reference, with Customer as the “data exporter” and 5X as the “data importer.”
3.2. For purposes of the EU SCCs the parties agree that:
(i) In Clause 7, the optional docking clause will not apply;
(ii) In Clause 9, Option 2 will apply and the time period for prior notice of Sub-Processor changes will be as set forth in Section 5.1 of this DPA;
(iii) In Clause 11, the optional language will not apply;
(iv) For the purposes of Clause 15(1)(a), 5X shall notify Customer (only) and not the Data Subject(s) in case of government access requests and Customer shall be solely responsible for promptly notifying the affected Data Subjects as necessary;
(v) In Clause 17, the EU SCCs shall be governed by the laws of Ireland;
(vi) In Clause 18(b), the parties agree to submit to the jurisdiction of the courts of Ireland;
(vii) In Annex I, Section A (List of Parties), (i) the data exporter’s and the data importer’s identity and contact details and, where applicable, information about their respective data protection officer and/or representative in the EEA are those set forth in the Agreement or as otherwise communicated by each party to the other party; (ii) Customer is a Controller or Processor, and 5X is a Processor; (iii) the activities relevant to the data transferred under the EU SCCs relate to the provision of the Services pursuant to the Agreement; and (iv) entering into this DPA shall be treated as each party’s signature of Annex I, Section A, as of the effective date of this DPA;
(viii) In Annex I, Section B (Description of Transfer): (i) Schedule 1 to this DPA describes 5X’s Processing of Customer Personal Data; (ii) the frequency of the transfer is continuous (for as long as Customer uses the Services); (iii) Customer Personal Data will be retained in accordance with Clause 8.5 of the EU SCCs and this DPA; (iv) 5X uses sub-Processors to support the provision of the Services.
(ix) In Annex I, Section C (Competent Supervisory Authority), the competent supervisory authority identified in accordance with Clause 13 of the EU SCCs is the competent supervisory authority communicated by Customer to 5X. Unless and until Customer communicates a competent supervisory authority to 5X, the competent supervisory authority shall be the Irish Data Protection Commission.
(x) In Annex II, data importer has implemented and will maintain appropriate technical and organizational measures to protect the security, confidentiality and integrity of Customer Personal Data as described in Schedule 2.
3.3. If the transfer of Customer Personal Data is subject to the Swiss Federal Act on Data Protection, the parties agree to rely on the EU SCCs with the following modifications: (i) the Federal Data Protection and Information Commissioner (FDPIC) will be the competent supervisory authority under Clause 13 of the EU SCCs; (ii) the parties agree to abide by the GDPR standard in relation to all Processing of Customer Personal Data that is governed by the Swiss Federal Act on Data Protection; (iii) the term ‘Member State’ in the EU SCCs will not be interpreted in such a way as to exclude Data Subjects who habitually reside in Switzerland from initiating legal proceedings in Switzerland in accordance with Clause 18(c) of the EU SCCs; and (iv) references to the ‘GDPR’ in the EU SCCs will be understood as references to the Swiss Federal Act on Data Protection insofar as the transfer of Customer Personal Data is subject to the Swiss Federal Act on Data Protection.
3.4. With respect to transfers from Customer to 5X of Customer Personal Data originating from the United Kingdom, the parties agree to comply with the UK SCCs, which are incorporated herein by reference. The parties agree that, for the UK SCCs: (i) Customer is the “data exporter”, and 5X is the “data importer”; (ii) all references to the “Directive 95/46/EC” and its provisions shall be deemed to refer to the relevant provisions of the UK GDPR and the Data Protection Act 2018 of the United Kingdom; (iii) all references to the “Commission” shall be deemed to refer to the Information Commissioner; (iv) all references to the “European Economic Area” or the “European Union” shall be deemed to refer to the United Kingdom; (v) for Appendix 1 to the UK SCCs, information about the exporter and importer, the categories of Data Subjects, types of Personal Data and type of Processing operations are as set out in Schedule 1 to this DPA; and (vi) for Appendix 2 to the UK SCCs, the security measures are as described in Schedule 2. The parties acknowledge that the Information Commissioner’s Office has not yet approved new standard contractual clauses under the UK GDPR. The UK SCCs will apply only until such time as the Information Commissioner’s Office issues new standard contractual clauses under the UK GDPR. If the Information Commissioner’s Office approves the EU SCCs for transfers from the UK, the parties agree to adopt the EU SCCs as the mechanism to legitimize such transfers. Where necessary, the parties shall work together, in good faith, to enter into an updated version of the UK SCCs or negotiate an alternative solution to enable transfers of Customer Personal Data in compliance with Data Protection Laws.
4.1. 5X will require 5X’s personnel who access Customer Personal Data to be under an appropriate obligation of confidentiality to protect the Customer Personal Data.
4.2. 5X will implement commercially reasonable technical and organisational measures, as further described in Schedule 2, that are designed to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
4.3. To the extent required by Data Protection Laws, 5X will provide Customer with reasonable assistance as necessary for the fulfilment of Customer’s obligations under Data Protection Laws to maintain the security of Customer Personal Data.
4.4. It is hereby clarified that 5X is under no obligation to assess the contents of or the accuracy of any Customer Personal Data, including to identify information subject to any specific legal, regulatory, or other requirement. Customer is responsible for making an independent determination as to whether its use of the Service will meet Customer’s requirements and legal obligations under Data Protection Laws.
5.1. Customer agrees that 5X may engage the Sub-Processors identified in Schedule 3 to Process Customer Personal Data on Customer’s behalf. 5X will inform Customer of any intended changes concerning the addition or replacement of Sub-Processors at least fifteen days prior to the change taking effect and Customer will have an opportunity to object to such changes on reasonable grounds within seven days after being notified. If the parties are unable to resolve such objection, either party may terminate the Agreement by providing written notice to the other party.
5.2. 5X will impose on its Sub-Processors substantially the same obligations that apply to 5X under this DPA. 5X will be liable to Customer for breaches of its Sub-Processors’ obligations as it would be for its own.
5.3. The parties agree that the copies of the Authorized Sub-Processor agreements that must be provided by 5X to Customer pursuant to Clause 9(c) of the EU SCCs and Clause 5 of the UK SCCs, if applicable, may have commercial information or clauses unrelated to the EU or UK SCCs removed by 5X beforehand; and, that such copies will be provided by 5X, in a manner to be determined in its discretion, only upon Customer’s written request.
Customer is responsible for responding to any Data Subject requests relating to Customer Personal Data (“Requests”). If 5X receives any Requests during the term, 5X will advise and redirect the Data Subject to submit the request directly to Customer. 5X will provide Customer with self-service functionality or other reasonable assistance to permit Customer to respond to Requests.
Upon becoming aware of a Personal Data Breach affecting Customer Personal Data, 5X will (i) without undue delay take measures designed to remediate the Personal Data Breach and, where feasible, (ii) notify Customer without undue delay. 5X’s notification shall be sent to the email registered by the Customer for the Service. In the event that the Customer is unreachable via this email, the Customer hereby acknowledges that 5X’s ability to notify is negatively impacted and 5X shall attempt to communicate at its reasonable discretion. Customer acknowledges that it is solely responsible for complying with Personal Data Breach notification requirements applicable to the Customer. At the Customer’s request, 5X will reasonably assist Customer’s efforts to notify Personal Data Breaches to the competent data protection authorities and/or affected Data Subjects, if Customer is required to do so under the Data Protection Laws. 5X’s notice of or response to a Personal Data Breach under this Section 7 will not be an acknowledgement or admission by 5X of any fault or liability with respect to the Personal Data Breach.
5X shall provide reasonably requested information regarding the Service to enable Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Laws, so long as Customer does not otherwise have access to the relevant information.
In the event that 5X receives a demand to retain, disclose, or otherwise Process Customer Personal Data from law enforcement or any other government and/or public authority (“Third-Party Demand”), then 5X shall attempt to redirect such Third-Party Demand back to the Customer. 5X may retain Customer Personal Data to the extent and for the period required by the Third-Party Demand or for compliance with applicable laws.
Customer acknowledges and agrees that 5X may create and derive from Processing related to the Service anonymized and/or aggregated data that does not identify or relate to Customer or any Data Subject (“Analytics Data”), and use, publicize or share with third parties such Analytics Data to improve the Service and for 5X’s other legitimate business purposes.
11.1. Each party’s liability towards the other party under or in connection with this DPA will be limited in accordance with the provisions of the Agreement.
11.2. Customer acknowledges that 5X is reliant on Customer for direction as to the extent to which 5X is entitled to Process Customer Personal Data on behalf of Customer in performance of the Service. Consequently, 5X will not be liable under the Agreement for any claim brought by a Data Subject arising from (a) any action or omission by 5X in compliance with Customer’s instructions or (b) from Customer’s failure to comply with its obligations under the Data Protection Laws.
12.1. The Parties agree that this DPA shall replace and supersede any existing data processing addendum, attachment, exhibit or standard contractual clauses that 5X and Customer may have previously entered into in connection with the Service.
12.2. Except as provided by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict in connection with the Processing of Customer Personal Data.
12.3. In no event shall this DPA benefit or create any right or cause of action on behalf of a third party (including a Third-Party Controller), but without prejudice to the rights or remedies available to Data Subjects under Data Protection Laws or this DPA.
12.4. This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement.
Details of Processing
1. Categories of Data Subjects. As a data-as-a-service company, 5X may Process Customer Personal Data relating to broad categories of individuals. Depending on the data Customer instructs 5X to process, those individuals may include Customer’s employees, contractors, and other authorized users of the Service as well as any individuals to whom the Customer Personal Data relates (“Data Subjects”).
2. Types of Personal Data. As a data-as-a-service company, the types of Customer Personal Data Processed by 5X are determined and controlled by Customer in its sole discretion. Customer Personal Data could include names, email addresses, and any other Personal Data that Customer may instruct 5X to Process.
3. Subject-Matter and Nature of the Processing. Customer Personal Data will be subject to the Processing activities that 5X needs to perform in order to provide the Service pursuant to the Agreement.
4. Purpose of the Processing. 5X will Process Customer Personal Data for purposes of providing the Service as set out in the Agreement.
5. Duration of the Processing. Customer Personal Data will be Processed for the duration of the Agreement, subject to Section 9 of the DPA.
1. Purpose. 5X is committed to maintaining customer trust. The purpose of this security overview is to describe the security program for the 5X Services. This security overview describes the minimum security standards that 5X maintains in order to protect Customer Personal Data from unauthorized use, access, disclosure, theft, or manipulation. As security threats shift and evolve, 5X continues to update its security program and strategy to help protect Customer Personal Data. 5X reserves the right to update this security overview from time to time; provided, however, any update will not materially reduce the overall protections set forth in this security overview. Any capitalized term not defined in this security overview will have the meaning given in the Agreement or the DPA.
2. Services Covered. This security overview describes the architecture, administrative, technical and physical controls as well as third party security audit certifications that are applicable to the Services.
3. Security Organization & Program. 5X maintains a risk-based assessment security program. The framework for 5X’s security program includes administrative, technical, and physical safeguards reasonably designed to protect the confidentiality, integrity, and availability of Customer Personal Data. 5X’s security program is intended to be appropriate to the nature of 5X Services and the size and complexity of 5X’s business operations. 5X’s security framework includes programs covering: Policies and Procedures, Asset Management, Access Management, Cryptography, Physical Security, Operations Security, Communications Security, Business Continuity Security, People Security, Product Security, Cloud and Network Infrastructure Security, Security Compliance, Third-Party Security, Vulnerability Management, as well as Security Monitoring and Incident Response. Information security policies and standards are reviewed and approved by management at least annually and are made available to all 5X employees for their reference.
4. Confidentiality. 5X has controls in place to maintain the confidentiality of Customer Personal Data that Customer makes available to the Services, in accordance with the Agreement. All 5X employees and contract personnel are bound by 5X’s internal policies regarding maintaining confidentiality of Customer Personal Data and contractually commit to these obligations.
5. Employee Training. At least once a year, all 5X employees must complete the 5X security and privacy training which covers 5X’s security policies, security best practices, and privacy principles. Employees on a leave of absence may have additional time to complete this annual training. 5X has established an anonymous channel for employees to report any unethical behavior where anonymous reporting is legally permitted.
6. Third Party Vendor Management.
Vendor Assessment. 5X may use third party vendors to provide Services. 5X carries out a security risk-based assessment of prospective vendors before working with those vendors to validate that prospective vendors meet 5X’s security requirements. 5X periodically reviews each vendor in light of 5X’s security and business continuity standards, including the type of access and classification of data being accessed (if any), controls necessary to protect data, and legal/regulatory requirements. 5X ensures that Customer Personal Data is returned and/or deleted at the end of a vendor relationship. For the avoidance of doubt, third-party services that Customer chooses to integrate via 5X Services are not considered subcontractors of 5X.
Vendor Agreements. 5X enters into written agreements with all of its critical vendors who process, transmit or hold 5X and/or Customer Data which include confidentiality, privacy and security obligations that provide an appropriate level of protection for the personal data contained within the Customer Personal Data that these vendors may process.
7. Security Certificates.
5X Certificates. 5X has obtained the following security-related certifications for the 5X Services:
System and Organization Control (“SOC”) 2 – Type II. 5X maintains SOC 2 – Type II certification for 5X Services. SOC 2 audits for the 5X Services are conducted at least once a year by an independent third-party auditor. The SOC 2 audits validate 5X’s physical and environmental safeguards for production data centers, backup and recovery procedures, software development processes, and logical security controls.
AWS Certifications. In addition, the Services use and leverage AWS data centers, which have a reputation of being highly scalable, secure, and reliable. Information about AWS audit certifications is available at the AWS Security website https://aws.amazon.com/security and the AWS Compliance website https://aws.amazon.com/compliance.
8. Architecture and Data Segregation. The cloud communication platform for the 5X Services is hosted by Amazon Web Services (“AWS”). The AWS data center infrastructure currently used in providing 5X Services is located in the United States. Further information about security provided by AWS is available from the AWS security webpage available at https://aws.amazon.com/security/. In addition, the overview of AWS’s security process is available at https://aws.amazon.com/whitepapers/overview-of-security-processes/. 5X separates Customer Personal Data using logical identifiers, tagging all communications data with the associated Customer ID to clearly identify ownership. 5X’s APIs are designed and built to identify and allow access only to and from these tags and enforce access controls to ensure the confidentiality and integrity requirements for each Customer are appropriately addressed. These controls are in place so one customer’s communications cannot be accessed by another customer.
9. Physical Security. AWS data centers that host 5X Services are strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. These facilities are designed to withstand adverse weather and other reasonably predictable natural conditions. Each data center has redundant electrical power systems that are available twenty-four (24) hours a day, seven (7) days a week. Uninterruptible power supplies and on-site generators are available to provide back-up power in the event of an electrical failure. More details about the physical security of AWS data centers used by 5X for the 5X Services are available at https://aws.amazon.com/whitepapers/overview-of-security-processes/. In addition, 5X headquarters and office spaces have a physical security program that manages visitors, building entrances, CCTVs (closed circuit television), and overall office security. All contractors and visitors are required to wear identification badges.
10. Security by Design. 5X’s Software Development Lifecycle (SDLC) standard defines the process by which 5X creates secure products and the activities that the product teams must perform at different stages of development (requirements, design, implementation, and deployment). 5X engineers perform numerous security activities for the Services, including internal security reviews before products are launched.
11. Access Controls.
Provisioning Access. To minimize the risk of data exposure, 5X follows the principles of least privilege when provisioning system access. 5X personnel are authorized to access Customer Personal Data based on their job function, role and responsibilities, and such access requires approval of the employee’s manager. Access rights to production environments are reviewed at least semi-annually. An employee’s access to Customer Personal Data is promptly removed upon termination of their employment. Before an engineer is granted access to the production environment, access must be approved by management and the engineer is required to complete internal trainings for such access including trainings on the relevant team’s systems. 5X logs high risk actions and changes in the production environment. 5X leverages automation to identify any deviation from internal technical standards that could indicate anomalous/unauthorized activity to raise an alert within minutes of a configuration change.
Password Controls. 5X’s current policy for employee password management follows the NIST 800-63B guidance, and as such, our policy is to use longer passwords, with multi-factor authentication but not require special characters or frequent changes. 5X does not store Customer passwords in any form.
12. Change Management. 5X has a formal change management process to manage changes to software, applications and system software that will be deployed within the production environment. Change requests are documented using a formal, auditable system of record. Prior to a high-risk change being made, an assessment is carried out to consider the impact and risk of the requested change, evidence acknowledging applicable testing for the change, approval of deployment into production by the appropriate approver(s), and roll-back procedures. A change is reviewed and tested before being deployed to production.
13. Encryption. For the 5X Services, 5X’s cloud platform supports TLS 1.3 to encrypt network traffic transmitted between a Customer application and 5X’s cloud infrastructure. When supported by integrations selected by Customer, 5X’s cloud platform will also encrypt network traffic between 5X’s cloud infrastructure and the integration provider. All Customer Personal Data is stored encrypted using 256-bit Advanced Encryption Standard (AES-256).
14. Security Incident Management. 5X maintains security incident management policies and procedures in accordance with NIST SP 800-61. 5X assesses the threat of all relevant vulnerabilities or security incidents and establishes remediation and mitigation actions for all events. 5X utilizes AWS platforms and third-party tools to detect, mitigate, and help prevent Distributed Denial of Service (DDoS) attacks.
15. Discovery, Investigation and Notification of a Security Incident. Upon discovery or notification of any security incident, 5X will:
(i) promptly investigate such security incident; and
(ii) to the extent that is permitted by applicable law, promptly notify Customer.
16. Resilience and Service Continuity. 5X infrastructure for the 5X Services uses a variety of tools and mechanisms to achieve high availability and resiliency. For the 5X Services, 5X’s infrastructure spans multiple fault-independent AWS availability zones. For the 5X Services, there are manual or automatic capabilities to re-route and regenerate hosts within 5X’s infrastructure. 5X leverages specialized tools that monitor server performance, data, and traffic load capacity within each availability zone. If suboptimal server performance or overloaded capacity is detected on a server within an availability zone, then these specialized tools will increase the capacity or shift traffic to relieve any suboptimal server performance or capacity overload. 5X will also be notified immediately and have the ability to take prompt action to correct the cause(s) behind these issues if the specialized tools are unable to do so.
17. Backups and Recovery. 5X performs regular backups of 5X Services account information, message templates, message logs and other critical data using Amazon cloud storage. Backup data are retained redundantly across availability zones and are encrypted in transit and at rest using 256-bit Advanced Encryption Standard (AES-256) server-side encryption.
Sub-Processors:
The locations in which these Sub-Processors will Process Customer Personal Data vary based on the Customer’s location and other factors, but may include the United States and other regions that have not been deemed adequate by supervisory authorities in the EU.