Go Testify -Data Processing Addendum


1. Definitions and Interpretation

1.1 Terms used in this Data Processing Addendum shall have the meanings set out below or as otherwise defined in the Agreement. Where a term is defined in both the Agreement and this Data Processing Addendum, the meaning of the term defined in this Data Processing Addendum shall have precedence in relation to this Data Processing Addendum. References in this Data Processing Addendum to paragraphs, parts and exhibits are to the paragraphs, parts and exhibits of this Data Processing Addendum.

    Agreement

    the Go Testify – Customer Terms and conditions which apply to any Order made by you, and which incorporate this Data Processing Addendum.

      Applicable Laws

      any applicable laws, regulations or other subordinate legislation of (i) the United Kingdom or a part of the United Kingdom if UK GDPR applies; or (ii) the European Union or a member state of the European Union if the EU GDPR applies, and in force from time to time.

        Appropriate Safeguards

        such legally enforceable mechanism(s) for transfers of Personal Data as may be permitted under Data Protection Laws from time to time.

          Commissioner

          the Information Commissioner as defined in Article 4(A3) UK GDPR and Section 114 Data Protection Act 2018.

            Complaint

            a complaint or request relating to either party’s obligations under Data Protection Laws relevant to the Services or the Agreement including any complaint by a Data Subject or any notice, investigation or other action by a Supervisory Authority.

              Controller

              has the meaning given to that term in Data Protection Laws.

                Data Processing Addendum

                this Data Processing Addendum including the exhibits.

                  Data Protection Details

                  the data protection details set out in Exhibit 1 to this Data Processing Addendum.

                    Data Protection Laws

                    all applicable laws relating to data protection and privacy in force from time to time as applicable to a party, the Services or the Agreement including the following laws to the extent applicable in the circumstances: (i) UK Data Protection Act Laws (ii) the EU GDPR; (iii) the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426); (iv) any laws which implement any of the above laws and any corresponding or equivalent national laws (including the California Consumer Privacy Act ("CCPA") where applicable); (v) any laws which replace, extend, re-enact, consolidate or amend any of the foregoing whether or not before or after the date of the Agreement from the date they come into force; and (vi) the guidance and codes of practice issued by a relevant Supervisory Authority and applicable to a party, the Services and/or the Agreement.

                      Data Subject

                      has the meaning given to that term in Data Protection Laws.

                        Data Subject Request

                        a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws in connection with Protected Data.

                          EU GDPR

                          the General Data Protection Regulation (EU) 2016/679.

                            EU SCCs Approved EU SCCs

                            the Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

                              GDPR

                              the UK GDPR or EU GDPR (as applicable).

                                Group

                                in relation to a party means any subsidiary or holding company of such party or any subsidiary of such holding company (and the terms "subsidiary" and "holding company" have the meanings set out in section 1159 of the Companies Act 2006).

                                  Permitted Purpose

                                  has the meaning given to that term in paragraph 2.1(b) of Part 2 – Controller to Controller Terms of this Data Processing Addendum.

                                    Personal Data

                                    has the meaning given to that term in Data Protection Laws.

                                      Personal Data Breach

                                      has the meaning given to that term in Data Protection Laws and includes any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data.

                                        Processing

                                        has the meaning given to that term in Data Protection Laws (and related terms such as process and processed have corresponding meanings) and shall include the Processing activities expressly described in this Data Processing Addendum or the Agreement.

                                          Processing Instructions

                                          has the meaning given to that term in paragraph 2.1(a) of Part 1 - Controller to Processor Terms of this Data Processing Addendum.

                                            Processor

                                            has the meaning given to that term in Data Protection Laws.

                                              Protected Data

                                              any Personal Data (i) processed by us as your Processor, as indicated in the Data Protection Details; or (ii) shared by us with you and processed by you as a Controller, as indicated in the Data Protection Details and in either (i) or (ii) processed in connection with the provision of the Services under the Agreement.

                                                Records

                                                has the meaning given to that term in paragraph 2.1(h) of Part 1 - Controller to Processor Terms of this Data Processing Addendum.

                                                  Restricted Data Transfer Appendix

                                                  the restricted data transfer set out in Exhibit 2 of this Data Processing Addendum, detailing authorised transfers of Protected Data by the parties outside of the United Kingdom or the European Economic Area.

                                                    Restricted Transfer

                                                    a transfer which is covered by Chapter V of the GDPR.

                                                      Sub-Processor

                                                      another Processor engaged by either party for carrying out Processing activities in respect of the Protected Data under or in connection with the Agreement.

                                                        Supervisory Authority

                                                        any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws, including the Commissioner.

                                                          UK Data Protection Laws

                                                          all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection 2018.

                                                            UK GDPR

                                                            has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.

                                                              1.2 Any words following the terms including, include, in particular, for example or any similar expression shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those terms.

                                                                1. 3 This Data Processing Addendum is incorporated into and forms part of the Agreement.

                                                                1.4 The exhibits or other terms appended hereto or incorporated by reference shall all form part of this Data Processing Addendum. Any reference to this Data Processing Addendum includes any such exhibits or terms.

                                                                2. Scope and Term

                                                                2.1 This Data Processing Addendum is in addition to, and does not relieve, remove or replace a party's obligations or rights under Data Protection Laws.

                                                                2.2 Nothing in this Data Processing Addendum permits you to process (or permit the Processing of) Personal Data in a manner which is prohibited by the Agreement. Where there is any conflict between the terms of this Data Processing Addendum and the terms of the Agreement, the terms of this Data Processing Addendum shall prevail.

                                                                2.3 Notwithstanding termination of the Agreement, this Data Processing Addendum will remain in effect until the Processing of any Protected Data ceases.

                                                                2.4 This Data Processing Addendum is divided into the following parts:

                                                                (a) Part 1 - Controller to Processor Terms – these terms apply only where we process Protected Data relating to Customer Participants, as a Processor of you, as indicated in the Data Protection Details;

                                                                (b) Part 2 – Controller to Controller Terms - these terms apply only where you process Protected Data relating to Testify Network Participants, as an independent Controller, as indicated in the Data Protection Details ; and

                                                                (c) Part 3 – General Terms – these terms apply to all processing of Protected Data under this Data Processing Addendum.

                                                                2.5 Each party shall comply with all Data Protection Laws directly applicable to it (including as expressly provided for in this Data Processing Addendum) in connection with the exercise and performance of its respective rights and obligations under the Agreement.

                                                                Part 1 - Controller to Processor Terms

                                                                1. Roles of parties

                                                                1.1 The parties agree that, in relation to the Protected Data of Customer Participants, you are the Controller and we are the Processor.

                                                                1.2 We shall process Protected Data in compliance with:

                                                                (a) Data Protection Laws; and

                                                                (b) the terms of this Data Processing Addendum.

                                                                2. Processor's obligations in respect to Protected Data

                                                                2.1 Insofar as we process Protected Data as a Processor on behalf of you, we shall comply in full with the following obligations:

                                                                - 2.1.1 Processing Instructions

                                                                -- 2.1.1.1 Unless required to do otherwise by Applicable Laws, We shall process the Protected Data only on and in accordance with the Data Protection Details (Controller to Processor Processing), the terms of this Data Processing Addendum and the Agreement (including with regard to any transfers to a third country or international organisation) all as updated from time to time upon written agreement between us ("Processing Instructions") save that if Applicable Laws require us to process Protected Data other than in accordance with the Processing Instructions, we shall notify you of any such requirement before Processing the Protected Data (unless any Applicable Laws prohibits such information on important grounds of public interest).

                                                                  - 2.1.2 Confidentiality

                                                                  -- 2.1.2.1 We shall grant access to the Protected Data only to members of our personnel to the extent strictly necessary for implementing, managing and monitoring the Agreement. We shall ensure that all persons so authorised to process Protected Data are subject to an obligation to keep the Protected Data confidential.

                                                                    - 2.1.3 Technical and Organisational Security

                                                                    -- 2.1.3.1 We shall implement and maintain, appropriate technical and organisational measures to:

                                                                    (a) ensure that the Processing will meet the requirements of Data Protection Laws with respect to security of Processing and to ensure the protection of the rights of Data Subjects;

                                                                    (b) ensure the security, integrity, availability and confidentiality of the Protected Data and protect against accidental loss or destruction of, or damage to, Protected Data, such measures to be appropriate to the harm that might result from the unauthorised or unlawful Processing or accidental loss, destruction or damage and the nature of the data to be protected having regard to the state of technological development and the cost of implementing any measures.

                                                                      - 2.1.4 Sub-Processors

                                                                      -- 2.1.4.1 You authorise us to appoint Sub-Processors to carry out any Processing activities in respect of Protected Data in connection with the provision of the Services. A list of the Sub-Processors used by us at the date of the Agreement is set out in Exhibit 1 Part 2 (Approved Sub-Processors). We shall notify you in advance of any change in a Sub-Processor. You may object to any new Sub-Processor withing ten days of being notified (acting reasonably and in good faith) and we will use reasonable efforts to address any objections that you have to such Sub-Processors, including using commercially reasonable efforts to change the Services to avoid the Processing of the Protected Data by that Sub-Processor. If a resolytion has not been agreed to within 10 business days, you shall be entitled to terminate (without liability), the Agreement or that part of the Agreement that involves Processing of Protected Data by the Sub-Processor Prior to the relevant Sub-Processor carrying out any Processing in respect of the Protected Data, we shall appoint each Sub-Processor under a written contract containing the same or substantially the same data protection obligations as those set out in this Data Processing Addendum (excluding Part 2 – Controller to Controller Terms of this Data Processing Addendum) and which require the Sub-Processor to provide sufficient guarantees to implement appropriate technical and organisational measures in such a way that the Processing will meet the requirements of Data Protection Laws. We shall ensure that the Processing of Protected Data by the Sub-Processor terminates immediately on termination of this Data Processing Addendum. We shall remain fully liable to you under this Data Processing Addendum for any and all acts and omissions of any Sub-Processor and any persons engaged or authorised by it (or by any Sub-Processor) to process Protected Data as if they were our own.

                                                                        - 2.1.5 Assistance with Data Subject Rights

                                                                        -- 2.1.5.1 We shall, taking into account the nature of the Processing, assist you with appropriate technical and organisational measures insofar as this is possible for the fulfilment of your response to Data Subject Requests. We shall promptly refer all Data Subject Requests we receive to you upon receipt . We shall not respond to a Data Subject Request except on your documented instructions or as required by Applicable Laws (in which case we shall, to the extent permitted by Applicable Laws, inform you of that legal requirement before we respond to the Data Subject Request).

                                                                          - 2.1.6 Assistance with other Controller’s Obligations under Data Protection Laws

                                                                          -- 2.1.6.1 We shall provide such assistance as you reasonably require (taking into account the nature of Processing and the information available to us) to assist you in ensuring your compliance with your obligations under Data Protection Laws with respect to:

                                                                          (a) Article 32 (Security of processing);

                                                                          (b) Articles 33 and 34 (notifications to the Supervisory Authority and/or communications to Data Subjects by you in response to any Personal Data Breach);

                                                                          (i) Article 35 (Data protection impact assessments);

                                                                          (ii) Article 36 (Prior consultation with a Supervisory Authority regarding high-risk processing); and

                                                                          (iii) any remedial action to be taken in response to a Personal Data Breach and/or a Complaint or request relating to either party’s obligations under Data Protection Laws relevant to this Data Processing Addendum.

                                                                            - 2.1.7 Deletion or Return of Protected Data

                                                                            -- 2.1.7.1 At your option, we shall delete or return to you all the Protected Data within a reasonable time after the end of the provision of Services under the Agreement and delete or return to you any existing copies (unless storage of any Protected Data is required by Applicable Laws and, if so, we shall inform you of any such requirement). Until the Protected Data is deleted or returned, we shall continue to ensure compliance with the Applicable Laws.

                                                                              - 2.1.8 Records, Information and Audit

                                                                              --2.1.8.1 We shall maintain, in accordance with Data Protection Laws, complete and up to date written records of the Processing activities carried out on behalf of you ("Records"). We shall, in accordance with Data Protection Laws, make available to you such information as is reasonably necessary to demonstrate our compliance with the obligations of Processors under this Data Processing Addendum and Data Protection Laws, including the Records, on your reasonable request and at least 30 days' prior notification. Without prejudice to the above, you shall be entitled on reasonable notice and at reasonable times (but no more than once in any 12 month period, except to the extent required by a Supervisory Authority)to request that we contribute to any audit, carried out on your behalf relating to the Processing of Protected Data to demonstrate our compliance with the obligations of Processors under this Data Processing Addendum and Data Protection Laws (including where required by a Supervisory Authority). All such inspections and audits shall be at reasonable times and with reasonable prior written notice, except where the inspection or audit is required by a Supervisory Authority. You may choose to conduct any inspection or audit yourself or mandate an qualified independent auditor. On request, we shall provide you with copies of the results of any security testing procedures and third party audit reports (if such reports are available) subject to any confidentiality obligations in the Agreement. You will bear the full cost and expense of any audit carried out in accordance with this clause, unless such audit reveals a material breach of this Data Processing Addendum, in which case, we will bear the reasonable cost and expense of such audit. You understand and agree that any audits carried out in accordance with this clause will be subject to the confidentiality obligations set out in the Agreement and you will not be permitted to carry out any activities that could impair the security or confidentiality of any of our other customers.

                                                                              3. International Data Transfers

                                                                              3.1 To the extent that either party transfers Personal Data originating in the European Economic Area or the United Kingdom to a country that has not been designated by the European Commission, or UK Information Commissioner’s Office (respectively) as providing an adequate level of protection for Personal Data, the parties agree to the provisions set forth in Restricted Data Transfer Appendix shall apply. The data exporter will provide all disclosures to Data Subjects as legally required to permit such transfers.

                                                                              4. Breach notification and complaint

                                                                              4.1 In respect of any Personal Data Breach involving Protected Data, we shall:

                                                                              - 4.1.1 without undue delay, notify you of the Personal Data Breach and provide you with details of the Personal Data Breach including the nature of the Personal Data Breach, the categories and approximate volume of Data Subjects and Protected Data records concerned, and any measures taken or to be taken by us to mitigate the effects of the Personal Data Breach; and

                                                                              - 4.1.2 take such reasonable steps to investigate the Personal Data Breach and to identify, prevent and mitigate the effects of any Personal Data Breach to the extent that such steps are within our reasonable control.

                                                                              4.2 We shall promptly inform you if we receive a Complaint, and shall not respond to the Complaint without your prior written approval.

                                                                              Part 2 - Controller to Controller Terms

                                                                              1. Role of the parties

                                                                              1.1 The parties acknowledge and agree that, in relation to the Protected Data of Testify Network Participants, both parties are independent Controllers.

                                                                              1. 2 Each party shall use its reasonable endeavours to assist the other to comply with its respective obligations under Data Protection Laws.

                                                                              2. Your obligations

                                                                              2.1 You shall:

                                                                              - 2.1.1 ensure that you have a lawful basis for your processing of the Protected Data as required under Data Protection Laws;

                                                                              - 2.1.2 process the Protected Data solely for the purpose set out in the Data Protection Details (Controller to Controller Processing) ("Permitted Purpose") and not process the Protected Data in any manner inconsistent with the Permitted Purpose or any other provision of the Agreement;

                                                                              - 2.1.3 retain the Protected Data for the duration set out in the Data Protection Details (Controller to Controller Processing) or where such period is not specified, you shall only retain the Protected Data for as long as is necessary to enable you to comply with your obligations under the Agreement (unless storage of the Protected Data is required by Applicable Laws and, if so, you shall inform us of any such requirement);

                                                                              -2.1.4 grant access to the Protected Data to members of your personnel only to the extent strictly necessary for the Permitted Purpose. You shall ensure that all personnel so authorised or engaged by it (or by any Processor it engages) to process the Protected Data have committed themselves to confidentiality or are subject to any obligation to keep the Protected Data confidential and are appropriately trained to handle and process the Protected Data in accordance with this Data Processing Addendum and Data Protection Laws; and

                                                                              - 2.1.5 be fully liable to us under this Data Processing Addendum for any and all acts and omissions of any Processor and any persons engaged by you (or by any Processor) to process Protected Data as if they were your own.

                                                                              2.2 In respect of any processing of Protected Data performed by a Processor on behalf of you, you shall:

                                                                              - 2.2.1 carry out adequate due diligence on such Processor to ensure that it is capable of providing the level of protection for the Protected Data as is required by this Data Processing Addendum and Data Protection Laws; and;

                                                                              - 2.2.2 ensure that suitable written agreements are at all times in place with each Processor as required under Data Protection Laws (including Articles 28 and 32 of the EU GDPR or UK GDPR (as applicable)).

                                                                              3. Technical and Organisational Measures

                                                                              3.1 You shall implement and maintain, at your own cost and expense, appropriate technical and organisational measures to:

                                                                              - 3.1.1 ensure that the Processing will meet the requirements of Data Protection Laws with respect to the security of Processing and ensure the protection of the rights of Data Subjects; and

                                                                              - 3.1.2 ensure the security, integrity, availability and confidentiality of the Protected Data and protect against accidental loss or destruction of, or damage to, Protected Data, such measures to be appropriate to the harm that might result from the unauthorised or unlawful Processing or accidental loss, destruction or damage and the nature of the data to be protected having regard to the state of technological development and the cost of implementing any measures.

                                                                              4. Assistance and Data Subject Rights

                                                                              4.1 Each party is responsible for dealing with any Data Subject Request it receives in accordance with Data Protection Laws.

                                                                              4.2 In the event that a party receives a Data Subject Request or any request which relates to the Processing of Personal Data by the other party, the receiving party shall promptly notify the other party, and in any event within 2 business days from receipt and provide full details of the Data Subject Request or request to the other party.

                                                                              4.3 Each party shall provide such assistance as is reasonably required to enable the other party to comply with any Data Subject Request within the response times under the Data Protection Laws.

                                                                              5. International Data Transfers

                                                                              5.1 To the extent that either party transfers Personal Data originating in the European Economic Area or the United Kingdom to a country that has not been designated by the European Commission, or UK Information Commissioner’s Office (respectively) as providing an adequate level of protection for Personal Data, the parties agree to the provisions set forth in Restricted Data Transfer Appendix shall apply. The data exporter will provide all disclosures to Data Subjects as legally required to permit such transfers.

                                                                              6. Breach Notifications and Complaints

                                                                              6.1 In respect of any Personal Data Breach involving Protected Data, you shall:

                                                                              - 6.1.1 without undue delay but in no event later than 24 hours after becoming aware, notify us of the Personal Data Breach and provide us with details of the Personal Data Breach including the nature of the Personal Data Breach, the categories and approximate volume of Data Subjects and Protected Data records concerned and any measures taken or to be taken by you to mitigate the effects of the Personal Data Breach;

                                                                              - 6.1.2 take action immediately, at your own expense, to investigate the Personal Data Breach and to identify, prevent and mitigate the effects of and to remedy any Personal Data Breach; and

                                                                              -6.1.3 not release or publish any filing, communication, notice, press release or report concerning any Personal Data Breach without our prior written approval or unless otherwise required by Applicable Laws and/or a Supervisory Authority.

                                                                              6.2 You shall promptly (but in no event later than one business day after becoming aware) inform us if you receive a Complaint and shall not respond to the Complaint without our prior written approval unless otherwise required by Applicable Laws and/or a Supervisory Authority.

                                                                                Part 3 - General Terms

                                                                                1. Indemnity

                                                                                1.1 You shall indemnify and keep us indemnified from and against any and all losses, liabilities, damages, fines, penalties, sanctions, compensation, settlements, costs (including legal fees on an indemnity basis), interest, cost of compliance and expenses incurred by or awarded against or agreed to be paid by us arising from or in connection with breach by you of this Data Processing Addendum and/or of Data Protection Laws.

                                                                                2. Updates

                                                                                2.1 This Data Processing Addendum may be amended only by written document signed by authorised representatives of both parties. In the event that you do not agree to make any changes requested by us that we (acting reasonably) deem necessary in order to comply with Data Protection Laws and/or that are required by a Supervisory Authority and/or any competent authority, we shall have the right to terminate (without liability) this Data Processing Addendum and the Agreement on written notice to you.

                                                                                3. Non-Compliance

                                                                                3.1 Supplier shall inform us immediately if, at any time, it is unable to comply with its data protection obligations set out in this Data Processing Addendum and/or Data Protection Laws.

                                                                                3.2 Without prejudice to any provisions of Data Protection Laws, in the event that you are in breach of your obligations under this Data Processing Addendum and/or Data Protection Laws, we may (without liability) instruct you to suspend the Processing of Protected Data until you rectify the non-compliance or the Agreement is terminated, for whatever reason.

                                                                                3.3 We shall be entitled to terminate the Agreement insofar as it concerns the Processing of Protected Data if:

                                                                                - 3.3.1 the Processing of Protected Data by you has been suspended by us pursuant to paragraph 3.2 of this Part 3 - General Terms and, if compliance with this Data Processing Addendum and/or Data Protection Laws is not restored within a reasonable time and in any event, within one month following suspension;

                                                                                - 3.3.2 you are in substantial or persistent breach of this Data Processing Addendum; and/or

                                                                                - 3.3.3 you fail to comply with a binding decision of a competent court or Supervisory Authority regarding your obligations pursuant to this Data Processing Addendum and/or Data Protection Laws.


                                                                                Exhibit 1 to the Go Testify Data Processing Addendum

                                                                                Defined terms in this Exhibit 1 have the meanings set out in the Data Processing Addendum.

                                                                                1. Details of Parties: Data exporter(s) and data importer(s):

                                                                                1.1 The data exporter is the party transferring the Protected Data to the extent either of them is involved in such transfer, and the data importer is the party to which the Protected Data is being transferred to the extent either of them is involved in such transfer.

                                                                                1.2 The parties names, addresses and contact details are as follows

                                                                                Testify

                                                                                Customer

                                                                                Address: Unit 17 Ormeau Business Park, 8 Cromac Avenue, Belfast, Antrim, BT7 2JA

                                                                                Company No: NI636713

                                                                                Contact details:

                                                                                Position: Data Protection Officer

                                                                                E-mail: support@gotestify.com

                                                                                The Name, Address and Contact Details for the Customer are set out in the Order (as defined in the Agreement)

                                                                                Activities relevant to the processing described in table (B) below

                                                                                Activities relevant to the processing described in table (B) below

                                                                                Role: Controller with regard to Protected Data relating to Testify Network Participants; and Processor with regard to Protected Data relating to Customer Participants

                                                                                Role: Controller with regard to Protected Data relating to both Testify Network Participants and Customer Participants


                                                                                2. Processing Details

                                                                                2.1 Controller to Processor Processing

                                                                                Subject matter of the Processing

                                                                                The Processing of Protected Data relating to Customer Participants by Testify in the performance of the Services

                                                                                Nature and Purpose of the Processing

                                                                                In order to provide the Services to the Customer, including the running of testing services and the provision of feedback from the Customer Participants.

                                                                                Categories of Personal Data

                                                                                • First name

                                                                                • Last name

                                                                                • User name and account details

                                                                                • Home address

                                                                                • Country of residence

                                                                                • Phone number

                                                                                • Paypal address

                                                                                • Date of birth

                                                                                • Email address

                                                                                • Gender

                                                                                • Demographic data, including (i) device data; (ii) details of games you have played; (iii) in-game player IDs or usernames; and (iv) details of how often you play games and how much you spend in-game.

                                                                                • Audio feedback

                                                                                • Video feedback

                                                                                • Facial feedback

                                                                                • Personal information entered as a survey response

                                                                                • Account details for third party platforms (e.g. Discord username)

                                                                                Special Category of Data or Criminal Offence Data (if applicable)

                                                                                Not Applicable

                                                                                Categories of Data Subject

                                                                                Customer Participants

                                                                                Duration of Processing

                                                                                The Term of the Agreement

                                                                                Frequency of processing

                                                                                For the duration of the tests being conducted by the Customer Participants

                                                                                Volumes (no of affected data subjects) (if known)

                                                                                Unknown


                                                                                2.2 Controller to Controller Processing

                                                                                Subject matter of the Processing

                                                                                The Processing of Protected Data relating to Testify Network Participants by Customer in the performance of the Services

                                                                                Nature and Purpose of the Processing

                                                                                ("Permitted Purpose")

                                                                                In order to provide the Services to the Customer, including the running of testing services and the provision of feedback from the Testify Network Participants.

                                                                                Categories of Personal Data

                                                                                • First name

                                                                                • Last name

                                                                                • User name and account details

                                                                                • Home address

                                                                                • Country of residence

                                                                                • Phone number

                                                                                • Paypal address

                                                                                • Date of birth

                                                                                • Email address

                                                                                • Gender

                                                                                • Demographic data, including (i) device data; (ii) details of games you have played; (iii) in-game player IDs or usernames; and (iv) details of how often you play games and how much you spend in-game.

                                                                                • Audio feedback

                                                                                • Video feedback

                                                                                • Facial feedback

                                                                                • Personal information entered as a survey response

                                                                                • Account details for third party platforms (e.g. Discord username)

                                                                                Special Category of Data or Criminal Offence Data (if applicable)

                                                                                Not Applicable

                                                                                Categories of Data Subject

                                                                                Testify Network Participants

                                                                                Duration of Processing

                                                                                The term of the Agreement

                                                                                Frequency of processing

                                                                                For the duration of the tests being conducted by the Customer Participants

                                                                                Volumes (no of affected data subjects) (if known)

                                                                                Unknown


                                                                                3. UK/EU Data Protection Laws

                                                                                Applicable GDPR

                                                                                UK GDPR

                                                                                Where the UK GDPR applies, the competent Supervisory Authority is the UK Information Commissioner; and

                                                                                EU GDPR

                                                                                Where the EU GDPR applies, the competent Supervisory Authority is the Irish Data Protection Commissioner.

                                                                                4. Approved Sub-Processors

                                                                                  Name

                                                                                  Role / processing activities

                                                                                  Territory

                                                                                  [X]

                                                                                  [X]

                                                                                  [X]

                                                                                  Exhibit 2 to the Go Testify Data Processing Addendum: Restricted Data Transfer Appendix ("RDTA")


                                                                                  Defined terms in this RDTA have the meanings set out in the Agreement, the Data Protection Addendum or as otherwise defined in this RDTA.

                                                                                  1. Restricted Transfer

                                                                                  1.1 The parties agree that, to the extent that either party transfers Personal Data originating in the European Economic Area or the United Kingdom to a country that has not been designated by the European Commission, or UK Information Commissioner’s Office (respectively) as providing an adequate level of protection for Personal Data, any such transfer(s) may only take place subject to the terms of this RDTA.

                                                                                  1.2 In the case of the Restricted Transfer, the parts of this RDTA that will apply depend upon whether the Restricted Transfer is governed by the UK GDPR or the EU GDPR as follows:

                                                                                  - 1.2.1 Part 1 – INCORPORATION OF (AND ELECTIONS FOR) THE UK ADDENDUM TO THE APPROVED EU SCCs: is applicable to a Restricted Transfer governed by UK GDPR only;

                                                                                  - 1.2.2 Part 2 – INCORPORATION OF (AND ELECTIONS FOR) THE EU SCCs: is applicable to a Restricted Transfer governed by EU GDPR only;

                                                                                  - 1.2.3 Part 3 – General: applicable to Restricted Transfers under both UK GDPR and EU GDPR.


                                                                                  Part 1: Incorporation of (and Elections for) the UK Addendum to the Approved EC SCCs

                                                                                  1. Table 1 - Parties

                                                                                    Start Date

                                                                                    the date of an agreement entitled [X[ (the “Agreement”)

                                                                                    The Parties

                                                                                    Exporter/data exporter (who sends the Restricted Transfer)

                                                                                    Importer/data importer (who receives the Restricted Transfer)

                                                                                    Parties Details

                                                                                    Full name, main address and official registration number (if any) are all as set out in Part 1(A) (Details of Parties) of Exhibit 1 (Data Protection Details) to the Data Processing Addendum.

                                                                                    Full name, main address and official registration number (if any) are all as set out in Part 1(A) (Details of Parties) of Exhibit 1 (Data Protection Details) to the Data Processing Addendum.

                                                                                    .

                                                                                    Key Contact

                                                                                    Contact Details are as set out in Part 1(A) (Details of Parties) of Exhibit 1 (Data Protection Details) to the Data Processing Addendum.

                                                                                    Contact Details are as set out in Part 1(A) (Details of Parties) of Exhibit 1 (Data Protection Details) to the Data Processing Addendum.


                                                                                    2. Table 2 - Selected SCCs, Modules and Selected Clauses

                                                                                      2.1 The Approved EU SCCs including the Appendix Information shall apply (and are hereby incorporated by reference into this Part 1 of the Restricted Data Transfer Appendix) with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum ("Addendum EU SCCs"):

                                                                                      Module

                                                                                      Module

                                                                                      in Operation

                                                                                      Clause 7 (Docking Clause)

                                                                                      Clause 11 (Option)

                                                                                      Clause 9a (Prior Authorisation or General Authorisation)

                                                                                      Clause 9a (Time Period)

                                                                                      One

                                                                                      (Controller to Controller)

                                                                                      Will apply with regard to Protected Data relating to Testify Network Participants

                                                                                      Will apply

                                                                                      The optional language will not apply

                                                                                      Not Applicable

                                                                                      Not applicable

                                                                                      Two

                                                                                      (Controller to Processor)

                                                                                      Will apply with regard to Protected Data relating to Customer Participants

                                                                                      Will apply

                                                                                      The optional language will not apply

                                                                                      Option 1 Specific Prior Authorisation will apply

                                                                                      30 days


                                                                                      3. Table 3 - Appendix Information

                                                                                        Annex

                                                                                        Title

                                                                                        Location

                                                                                        Annex 1A

                                                                                        List of Parties

                                                                                        Is deemed completed with the information set out in Part 1(A) (Details of Parties) of Exhibit 1 (Data Protection Details) to the Data Processing Addendum.

                                                                                        Annex 1B

                                                                                        Description of Transfer

                                                                                        Is deemed completed with the information set out in Part 1 (B) (Processing Details) of Exhibit 1 (Data Protection Details) to the Data Processing Addendum.


                                                                                        Annex II

                                                                                        Technical and Organisational Measures Including Technical and Organisational Measures to ensure the Security of the Data


                                                                                        Is deemed completed with the information set out in the Clause 2.1(c) of the Data Processing Addendum.

                                                                                        Annex III

                                                                                        List of Sub Processors

                                                                                        Is deemed completed with the details of Sub-processors (if any) set out in Part 2 (Approved Sub-Processors) of Exhibit 1 (Data Protection Details) of the Data Processing Addendum.


                                                                                        4. Table 4 - Ending this Addendum when the approved Addendum Changes

                                                                                        4.1 For the purposes of Section 19 of the Mandatory Clauses to the UK Addendum, only the Exporter may end this Addendum.

                                                                                        5. Mandatory Clauses

                                                                                        5.1 The parties agree that the following clauses are incorporated into this Part 1:

                                                                                        - 5.1.1 Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.


                                                                                        Part 2: Incorporation of (and Elections for) the EU SCCs

                                                                                          1. The EU SCCs apply (and are hereby incorporated by reference into this Part 2 of the Restricted Data Transfer Appendix) with only the following modules and clauses of the EU SCCs brought into effect as follows:

                                                                                          Module

                                                                                          Module

                                                                                          in Operation

                                                                                          Clause 7 (Docking Clause)

                                                                                          Clause 11 (Option)

                                                                                          Clause 9a (Prior Authorisation or General Authorisation)


                                                                                          Clause 9a (Time Period)

                                                                                          One

                                                                                          (Controller to Controller)

                                                                                          Will apply with regard to Protected Data relating to Testify Network Participants

                                                                                          Will apply

                                                                                          The optional language will not apply


                                                                                          Not Applicable

                                                                                          Not applicable

                                                                                          Two

                                                                                          (Controller to Processor)

                                                                                          Will apply with regard to Protected Data relating to Customer Participants

                                                                                          Will apply

                                                                                          The optional language will not apply


                                                                                          Option 1 Specific Prior Authorisation will apply

                                                                                          30 days



                                                                                          2. The following selections are made:

                                                                                          Clause

                                                                                          Option


                                                                                          Clause 17

                                                                                          Option 1 will apply and the SCCs will be governed by Irish law


                                                                                          Clause 18(b)

                                                                                          Disputes will be resolved before the courts in Ireland


                                                                                          3. The Annexes of the SCCs shall be deemed completed with the details set out in the Appendix Information in Part 1.

                                                                                          Part 3: General

                                                                                          1. Conflict

                                                                                          1.1 It is not the intention of either party to contradict or restrict any of the provisions set out in the Data Processing Addendum, the UK Addendum or the Approved EU SCCs and, accordingly, if and to the extent that any provision of this RDTA conflicts with the Data Processing Addendum, the UK Addendum or the Approved EU SCCs, then the Data Processing Addendum, the UK Addendum or Approved EU SCCs (as applicable) will prevail to the extent of such conflict.

                                                                                          2. Signature of the SCCs and Addendum

                                                                                          2.1 By entering into an Order which incorporates this RDTA, the parties are deemed to have signed Annex 1A and Clause 7 (Docking Clause) (where applicable) of the UK Addendum and Approved EU SCCs (as applicable).