Data Processing

“Applicable Data Protection Laws” means all privacy and data protection laws and regulations applicable to either party under the Agreement. Every party determines on its own its Applicable Data Protection Laws and understands that for Funler and Customer Applicable Data Protection Laws may be different.

"Controller” means a person or legal entity that determines the purposes and means of the Personal Data Processing.

“Customer” means Party to the Agreement with Funler. Customer may be a client, marketing agency, individual, individual entrepreneur or legal entity on behalf of which End Users use the Service.

“Customer Account Data” means Personal Data related to Customer, its representatives and End Users which Funler processes as a separate Controller as more particularly described in this Data Processing.

“Customer Content” means Personal Data related to End Users and Customer’s Subscribers which Funler processes on behalf of Customer as a Processor in the course of providing the Service, as more particularly described in this Data Processing.

“Customer’s Subscribers” Data Subjects with whom Customer communicates with use of the Service and(or) whose data is uploaded to the Service by Customer (customers, prospective customers, social media and messaging platform contacts or other individuals).

“Data Breach” means any confirmed unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data being Processed by Funler. Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks or other network attacks on firewalls or networked systems.

“Data Subject” means an identified or identifiable natural person to whom Personal Data relates.

“End Users” means Customer and other Data Subjects with lawful access to the Service on behalf of or under a lawful authorization of Customer.

“Personal Data” means “personal data”, “personal information”, “personally identifiable information” or similar information defined in and governed by Applicable Data Protection Laws and means any information relating to Data Subject. Under this Data Processing, Personal Data covers Customer Content and Customer Account Data. If the term Personal Data is used, then such provisions apply to both Customer Content and Customer Account Data.

“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processor” means an entity that processes Personal Data on behalf of a Controller.

“Service” means any product or service provided by Funler to Customer pursuant to the Agreement.

“Sub-processor” means any Processor engaged by Funler to assist in fulfilling its obligations with respect to providing the Service pursuant to the Agreement or this Data Processing.

All capitalized terms not defined in this Data Processing shall have the meanings set forth in the Agreement.

We collect and process the following personal data:

• Funler as a Processor.
  ‍The parties acknowledge and agree that with regard to the Processing of Customer Content, Funler is a Processor acting on behalf of Customer (whether itself a Controller or a Processor). Funler Processes Customer Content in accordance with Customer’s instructions as set forth in Section 2.4. Funler shall Process Customer Content only for the purposes described in this Data Processing and only in accordance with Customer’s instructions.
• Funler as a Controller.
  The parties acknowledge that, with regard to the Processing of Customer Account Data, Funler is an independent controller, not a joint controller with Customer. Funler will Process Customer Account Data as a Controller in order to carry out the necessary functions, such as entering into the agreement, account management, compliance with law, accounting, tax, billing, audit, sales and marketing communication with Customer. Funler will Process such data in accordance with its Privacy Policy, which can be found in section ‘Privacy Policy’, and with applicable provisions of this section.
• Details of Data Processing.
  ‍Details of Processing Customer Content and Customer Account Data are set in Annex 1. It further specifies the nature and purpose of the Processing, the duration of the Processing, the types of personal data and categories of data subjects, sources of Personal Data, Processors and Sub-processors engaged by Funler.
• Customer Instructions.
  ‍Funler will Process Customer Content only in accordance with Customer’s instructions. By entering into the Agreement, including this Data Processing, Customer instructs Funler to Process Customer Content in order to provide the Service.
• Customer as a Processor.
  ‍If Customer is a processor on behalf of some other Controller, Customer warrants on an ongoing basis that the relevant Controller has authorized (i) the instructions described in Data Processing and the appointment of Funler as a sub-processor and (ii) Funler’s engagement of Sub-processors as described in Section 3. Customer will immediately forward to the relevant Controller any notice provided by Funler under this Data Processing to Customer (on the engagement of a new Sub-processor, Data Breach, request of data subjects, etc.).
• Compliance with Law.
  ‍Each party will comply with its obligations under its Applicable Data Protection Laws with respect to its Processing of Personal Data.
• Customer’s Obligations.
  ‍Customer agrees that it shall comply with its obligations under Customer’s Applicable Data Protection Laws with respect to its Processing of Personal Data and any processing instructions it issues to Funler. In particular, Customer must provide notice and obtain all consents (or other legal grounds) and rights necessary under Customer’s Applicable Data Protection Laws for (i) engaging Funler to Process Customer Content on behalf of Customer and (ii) transfer of Customer Account Data to Funler pursuant to the Agreement and this Data Processing.

Customer must inform Funler about any requirements to Processing Customer Content by Funler which are set under the Customer’s Applicable Data Protection Laws and are not covered directly by this Data Processing

We collect and process your personal data for the following purposes:

• Adequate Measures.
  ‍Funler will implement and maintain throughout the term of this Data Processing technical and organizational security measures set forth in Annex 2 (“Security Measures”) to protect Personal Data from Data Breach and to preserve the security and confidentiality of the Personal Data, in accordance with Funler’s security standards.
• Confidentiality of Processing.
  ‍Funler shall ensure that any person who is authorized by Funler to Process Personal Data (including its staff, agents, subcontractors and Sub-processors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
• Customer Responsibilities.
  ‍Customer acknowledges and agrees that:
  - it has reviewed and assessed the list of Security Measures and deems it appropriate for the protection of Personal Data under Customer’s Applicable Data Protection Laws and provides appropriate safeguards for cross-border transfer of Personal Data, if applicable. Upon a Customer request, Funler may implement additional measures or safeguards that may be reasonably required to enable the lawful transfer of Personal Data.
  - except as provided by this Data Processing, Customer is responsible for its secure use of the Service, including securing its account authentication credentials and protecting the security of Personal Data when in transit, securing Customer’s systems and devices that it uses for accessing the Service.
• Updates to Security Measures.
  ‍Customer acknowledges that the Security Measures are subject to technical progress and development and that Funler may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service purchased by the Customer. Customer is responsible for reviewing the information made available by Funler relating to updated data security and making an independent determination as to whether the Service meets Customer’s requirements and legal obligations under Customer’s Applicable Data Protection Laws.

• Security Reports.
  ‍Funler uses external auditors to verify the adequacy of its security measures and obtained ISO 27001 certification for the Service. Such audits are performed at least annually by independent third-party security professionals at Funler’s selection and result in the generation of a confidential audit report (“Audit Report”). Upon written request, and subject to reasonable confidentiality controls, Funler will make available to Customer a summary copy of Funler’s most recent Audit Report.
• Security Due Diligence.
  ‍In addition to the Audit Report, Funler will respond to reasonable requests for information sent by Customer to confirm Funler’s compliance with this Data Processing, including responses to Customer’s information security and due diligence questionnaires. Customer shall not exercise this right more than once per calendar year.

• Notification Timeframe.
  ‍Upon becoming aware of a confirmed Data Breach, Funler will notify Customer without undue delay and in no event later than 52 hours after the discovery of such incident unless prohibited by applicable law. A delay in giving such notice requested by law enforcement and/or in light of Funler’s legitimate needs to investigate or remediate the matter before providing notice will not constitute an undue delay.
• Content of Notification.
  ‍Such notices will describe, to the extent possible, details of the Data Breach, including steps taken to mitigate the potential risks and steps Funler recommends Customer take to address the Data Breach.
• Cooperation by Funler.
  ‍Funler shall cooperate with Customer and take such reasonable commercial steps to assist in the investigation, mitigation and remediation of each such Data Breach. Funler’s notification of or response to a Data Breach under this section will not be construed as an acknowledgment by Funler of any fault or liability with respect to the Data Breach.
• Data Breach Notification to Authorities and Data Subjects.
  ‍Customer is solely responsible for fulfilling any third-party notification obligations related to any Data Breach under the Customer’s Applicable Data Protection Laws (e.g. notification to data protection authorities or communication to Data Subjects).

• Data Subjects Requests.
  ‍Funler will upon Customer’s request provide Customer with the assistance that may be reasonably required by Customer to comply with its obligations under Customer’s Applicable Data Protection Laws to respond to Data Subjects’ requests to exercise their rights under Customer’s Applicable Data Protection Laws (e.g., rights of data access, rectification, erasure, restriction, portability and objection), in cases where Customer cannot reasonably fulfill such requests independently by using the self-service functionality of the Service.
• Authorization for Direct Requests to Funler.
  ‍If Funler receives a request from a Data Subject in relation to Customer Content, (i) for unsubscription of the Data Subject from messages sent by Customer through the Service or (ii) for deletion of Customer Content in the Service with respect to the Data Subject in part or entirely, Customer authorizes and instructs Funler to unsubscribe or delete Content Data related to such Data Subject.
• Assistance by Funler.
  ‍Funler will provide Customer with reasonable assistance specifically requested by Customer to comply with its obligations under Customer’s Applicable Data Protection Laws, taking into account the nature of processing and the information available to Funler as a Processor (e.g. with respect to the security of Processing, notification of Data Breach, data protection impact assessment, prior consultations with supervisory authorities). If such reasonable assistance requires Funler to assign significant resources to that effort, it will be provided at a Customer’s expense.

‍Return or Deletion of Data
Upon receipt of a request by Customer and following the termination of the Agreement, Funler must delete or return to Customer all Customer Content from Funler’s systems. Notwithstanding the foregoing, Customer understands that Funler may have to retain some parts of Customer Content if required by law according to its data retention policies and such data will remain subject to the requirements of this Data Processing
‍
Use of Anonymized Data
Funler may use anonymized and aggregated data generated through its customer support services to improve the performance and functionality of its systems. This usage will be restricted to data that has been fully anonymized, ensuring that no personal or identifiable information about any client or their customers can be traced back to any individual. All use of anonymized data will be conducted in compliance with applicable data protection regulations.

• Processing in the United States.
  ‍Customer acknowledges that provision of the Service and related Funler’s activities as a Controller may also require processing of Personal Data by Sub-processors or Processors in countries outside the EEA and, including in the United States.
• Way of Communication.
  ‍Funler shall send all notifications mentioned in Data Processing via email provided by Customer during the sign-up process or post them in the user interface of the Service. All objections and requests by Customer mentioned in Data Processing or other communication related to Processing of Personal Data must be sent by Customer to the same email from which Customer received a Funler’s notification or to privacy@funler.ai.
• Claims.
  ‍Any claims brought under or in connection with this Data Processing shall be subject to the terms and conditions, including but not limited to the exclusions and limitations, set forth in the Agreement.
• No Third-party Beneficiary Rights.
  ‍This Data Processing does not confer any third-party beneficiary rights, it is intended for the benefit of the parties hereto and their respective permitted successors and assigns only, and is not for the benefit of, nor may any provision hereof be enforced by, any other person.
• Governing Law.
  ‍This Data Processing will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Customer’s Applicable Data Protection Laws or set in Jurisdiction Specific Terms under Annex 3.
• Termination.
  ‍This Addendum will automatically terminate upon expiration or termination of the Agreement. Termination of Data Processing is only possible subject to termination of the Agreement.
• Liability.
  ‍Customer further agrees that any regulatory penalties incurred by Funler in relation to the Personal Data that arise as a result of, or in connection with, Customer’s failure to comply with its obligations under this Data Processing or any Customer’s Applicable Data Protection Laws shall count toward and reduce Funler’s liability under the Agreement as if it were a liability to the Customer under the Agreement. Funler is liable for any regulatory penalties incurred by Customer or Funler in relation to the Personal Data that arise as a result of, or in connection with, Funler’s failure to comply with its obligations under this Data Processing or Funler’s Applicable Data Protection Laws.
  
  Notwithstanding anything to the contrary in this Data Processing or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any fines issued or levied against the other party by a regulatory authority or governmental body in connection with such other party’s violation of its Applicable Data Protection Laws.
• Relationship with the Agreement.
  ‍This Data Processing forms an integral part of the Agreement and except as expressly set forth in this Data Processing, the Agreement remains unchanged and in full force and effect. If there is any conflict between this Data Processing and the Agreement, this Data Processing will govern. The parties agree that this Data Processing shall replace any existing Data Processing the parties may have previously entered into in connection with the Service.

1A. Funler as a Processor

• Purpose and nature of Processing.
  ‍Provision of the Service under the Agreement, including provision of support to the Customer, communicating regarding Customer Account (sending announcements, technical notices, updates, security alerts, and support and administrative messages) and responding to Service-related requests, questions and feedback, logging of activities, errors and incidents tracking, bugs and errors fixing, ensuring the accessibility, security and usability of the Service and its improvement in the interest of Customer.
• Period for which the personal data will be retained.
  ‍Until the termination or expiration of the Agreement in accordance with its terms.
• Categories of data subjects.
  ‍- End Users
  - Customer’s Subscribers.
• Categories of personal data.
  ‍End Users: identification information (name, email), publicly available social media profile information, linked pages and accounts, IT information (IP addresses, geographic location, usage data, cookies data, browser data), financial information (credit card details, account details, payment information).
  Customer’s Subscribers:
  - identification information, publicly available social media profile information (photo, name, date of birth, gender, geographic location),
  - chat history and content, chatbot usage information and other electronic data submitted, stored, sent, or received by End Users and other personal information, the extent of which is determined and controlled by the Customer in its sole discretion,
  - IT information (IP addresses, geographic location, usage data, cookies data, browser data).
• Sensitive data.
  ‍No. Other types of Personal Data are also not used to indirectly reveal information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life, or sexual orientation.
• The frequency of the transfer.
  ‍On a continuous basis until it is deleted in accordance with the Agreement and Data Processing terms.
• Data source.
  ‍Customers (or End Users) sign-up process and use of the Service by Customer (End User), including communication with subscribers and third-party integrations and apps linked by Customer (e.g. Facebook, Inc., Instagram, Telegram, WhatsApp and other integrations and apps specified which are linked by Customer to its account in the Service).
• Onward transfer.
  ‍The duration of sub-processing is limited to the retention period of Processing by Manychat specified in this table.

1A. Funler as a Controller

• Purpose and nature of Processing.
  ‍Entering into the Agreement, account management, compliance with laws, including sanction laws, accounting, tax, billing, audit, sales and marketing communication with Customer.
• Period for which the personal data will be retained.
  ‍Until the termination of the Agreement, unsubscription from marketing communications and expiration of retention period required by law.
• Categories of data subjects.
  ‍- Customer and its representatives
  - End Users
• Categories of personal data.
  ‍Customer and its representatives: full name, title, company, email.End Users: identification information (id, name, email, status), linked pages and accounts, products in use, IT information (IP addresses, geographic location), financial information (credit card details, account details, payment information).
• Sensitive data.
  ‍Other types of Personal Data are also not used to indirectly reveal information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life, or sexual orientation.
• The frequency of the transfer.
  ‍On a continuous basis until it is deleted in accordance with the Agreement and Data Processing terms.
• Data source.
  ‍Customers sign up process and use of the Service by Customer.
• Onward transfer.
  ‍We may also disclose Personal Information to public authorities, such as law enforcement, if we are legally required to do so.

Funler implements and maintains technical and organizational security measures designed to protect Personal Data from Data Breaches. We currently observe the Security Measures described in this Annex 2. If applicable, this Annex 2 serves as Annex II to the EU Standard Contractual Clauses.

1. Security Program and Policies

   • Funler maintains and enforces a risk-based security program and framework that addresses how we manage security. Funler’s security framework is based on the ISO 27001 Information Security Management System and includes the following areas: Policies and Procedures, Asset Management, Access Management, Cryptography, Physical Security, Operations Security, Communications Security, Business Continuity Disaster Recovery Security, People Security, Product Security, Cloud and Network Infrastructure Security, Security Compliance, Third-Party Security, Vulnerability Management, and Security Monitoring and Incident Response.
   • Our security program includes:
     - documented policies that we approve, publish and communicate to appropriate personnel internally and review at least annually,
     - documented, clear assignment of responsibility and authority for security program activities,
     - regular testing of the key controls, systems and procedures.

2. Security Program and Policies

   • Funler utilizes an integrated risk management approach with a focus on both technical and operational security practices. Ongoing and systematic risk assessment is a consistent part of selecting appropriate improvement protection controls and ensuring that Personal Data is safe.
   • Funler takes reasonable actions to identify assets and their level of criticality. The full inventory and categorization are the basis to select and implement optimal technical and organizational security measures to make sure that the assets and information are protected.

3. Personnel security and awareness

   • Funler’s personnel (employees and contractors) do not process Personal Data without authorization. Personnel is obligated to maintain the confidentiality of any Personal Data and this obligation continues even after their engagement ends.
   • Funler’s personnel (employees and contractors) acknowledge their data security and privacy responsibilities under Funler’s policies.
   • Funler is focused on employee security awareness as a key driver to improve overall security maturity level and culture. Funler’s personnel (employees and contractors) conduct security and privacy training at least annually.
   • Pre-employment verification checks are carried out on all new employees and contractors.

4. Access Management

   • Funler manages access based on “Need to know” and “Least privilege” principles. That means that personnel is only permitted to have access to Personal Data when needed for the performance of their functions.
   • Funler deactivates the authentication credentials of personnel immediately upon the termination of their employment or services.
   • In order to access the production environment and critical systems, a user must have a unique username and password and multi-factor authentication enabled.
   • Funler implements measures to prevent information systems from being used by unauthorized persons, including the following measures (a) user identification and authentication procedures; (b) unique username/password (c) password complexity policies (special characters, minimum length, change of password) (c) automatic blocking (e.g., password or timeout).
   • Funler performs access monitoring and logging for the production environment and critical systems.

5. Technical and Application Security Measures

   • Funler has implemented and will maintain appropriate technical and application security measures, internal controls, and information security routines intended to protect Personal Data against accidental loss, destruction, or alteration; unauthorized disclosure or access; or unlawful destruction as follows:
     - Segregation of environments. Funler segregates development and production environments to make sure that Personal Data is protected from any kind of unauthorized access.
     - Encryption in transit. All external network communications are protected with encryption. We support the latest recommended secure cipher suites to encrypt all traffic in transit, including the use of TLS 1.2 protocols, AES256 encryption, and SHA2 hash functions, whenever supported by the clients.
     - Encryption at rest. Customer data at rest is encrypted using FIPS 140-2 compliant encryption standards, which applies to all types of data at rest within Funler’s systems—relational databases, file drives, backups, etc. Access to cryptographic keys is restricted to a limited number of authorized Funler personnel.
     - Redundancy. Funler selects IT Infrastructure suppliers that are committed to provide mechanisms with built-in security best practices for confidentiality, integrity, and availability. Funler’s main IaaS provider AWS (Frankfurt, EU) is committed to meet the strict Disaster Recovery (DR) Service Level Agreement.
     - Vulnerability assessment. Funler performs automated and manual application and infrastructure security testing to identify and patch potential security vulnerabilities. Critical software patches are evaluated, tested, and applied proactively.
     - Penetration Testing. We engage independent service providers to perform penetration tests to assess the potential system security threats at least on an annual basis.
     - Software Development and Acquisition. Funler follows security-by-design principles across different phases of the Service creation lifecycle from requirements gathering and product design all the way through product deployment. For the software developed by Funler, Funler follows secure coding standards and procedures set out in its standard operating procedures.
     - Storage. Funler’s production databases and data processing servers are hosted in a data center located in AWS (Frankfurt, EU). Funler maintains complete administrative control over the databases and virtual servers, and no third-party vendors have logical access to Personal Data.
     - Change Management. Funler implements documented change management procedures that provide a consistent approach for controlling, implementing, and documenting changes (including emergency changes) for Funler’s software, information systems or network architecture.
     - Network security. All network access between servers is restricted, using access control lists to allow only authorized services to interact in the network. We utilize third-party tools to detect, mitigate, and prevent Distributed Denial of Service (DDoS) attacks.

6. Third-Party Provider Management

   • Funler may use third-party providers to provide the Services. In selecting third-party providers who may gain access to, store, transmit or use Personal Data, Funler conducts a quality and security assessment pursuant to the provisions of its standard operating procedures.
   • Funler enters into written agreements with all of its providers which include confidentiality, privacy, and security obligations that provide an appropriate level of protection for Personal Data that these providers may Process.

7. Physical and Environmental Security

   • Funler uses AWS data centers to host its production infrastructure. AWS data centers are strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Each data center has redundant electrical power systems that are available twenty-four (24) hours a day, seven (7) days a week.
   • Funler offices have a physical security program that manages visitors, building entrances, video surveillance, and overall office security. All employees, contractors, and visitors are required to wear identification badges.
   • Funler reviews third-party audit reports to verify that Funler’s service providers maintain appropriate physical access controls for the managed data centers.

8. Resilience and Service Continuity

   • Funler implements measures to ensure the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident, including:
     - Ongoing Personal Data backup procedures. Backups are retained redundantly across multiple availability zones and encrypted in transit and at rest.
     - Funler uses specialized tools to monitor the Service performance. The alert is triggered in the event of any suboptimal server performance or overloaded capacity.
     - Disaster recovery plans are in place to recover in case of Personal Data availability issues.
   • Funler offices have a physical security program that manages visitors, building entrances, video surveillance, and overall office security. All employees, contractors, and visitors are required to wear identification badges.
   • Funler reviews third-party audit reports to verify that Funler’s service providers maintain appropriate physical access controls for the managed data centers.

9. Security Certifications and Attestations

   • Funler holds the following security-related certifications and attestations:
     ISO 27001 Certification. The International Organization for Standardization 27001 Standard (ISO 27001) is an information security standard that ensures office sites, development centers, support centers, and data centers are securely managed. This certification is valid for 3 years (renewal audits) and is subject to annual touchpoint audits (surveillance audits).

10. Information Security Incident Management

    • Funler implements security incident management policies and procedures that address how we manage Data Breach and other security incidents.
    • In case of Data Breach Funler will promptly investigate the incident upon discovery. To the extent permitted by applicable law, Funler will notify Customer of a Data Breach. Data Breach incident notifications will be provided to Customers via email or in the other way agreed with Customer.

1. California
   If the Customer’s Applicable Data Protection Laws include the California Consumer Privacy Act (“CCPA”) the following provisions apply. The terms “business”, “commercial purpose”, “service provider”, “sell” and “personal information” have the meanings given in the CCPA. With respect to Customer Content, Funler is a service provider under the CCPA.
   
   Funler will not (i) sell Customer Data; (ii) retain, use or disclose any Customer Data for any purpose other than for the specific purpose of providing the Service, including retaining, using or disclosing the Customer Content for a commercial purpose other than providing the Service; or (iii) retain, use or disclose the Customer Content outside of the direct business relationship between Funler and Customer.
   
   The parties acknowledge and agree that the Processing of Customer Content authorized by Customer’s instructions described in Section 2.4 of Data Processing is integral to and encompassed by Funler’s provision of the Service and the direct business relationship between the parties.
   
   Notwithstanding anything in the Agreement, the parties acknowledge and agree that Funler’s access to Customer Content does not constitute part of the consideration exchanged by the parties in respect of the Agreement.
   
   Notwithstanding any use restriction contained elsewhere in this section, Funler may de-identify or aggregate Customer Content as part of performing the Service specified in this Data Processing and the Agreement.
   
   Where Sub-processors Process Personal Data, Funler takes steps to ensure that such Sub-processors are Service Providers under the CCPA with whom Funler has entered into a written contract that includes terms substantially similar to this “California” section or are otherwise exempt from the CCPA’s definition of “sale”. Funler conducts appropriate due diligence on its Sub-processors.
   
   With respect to Customer Account Data Funler is the business with respect to such data and will Process such data in accordance with its Privacy Policy.

2. European Economic Area, Switzerland and the United Kingdom
   If the Customer’s Applicable Data Protection Laws include the General Data Protection Regulation (EU 2016/679) (“GDPR”), the Swiss Federal Act on Data Protection (“FADP”), or corresponding laws of the United Kingdom (including the UK GDPR and Data Protection Act 2018) (“UK GDPR”) the following provisions apply.
   
   Transfer of Personal Data to Funler under the Agreement is regulated by the Standard Contractual Clauses attached as follows:

   • for transfers of Personal Data subject to GDPR the parties apply Standard Contractual Clauses approved under the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 published at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=en (“EU SCCs”):
     - for Customer Content: Module Two (Controller to Processor) or Module Three (Processor to Processor) depending on the status of Customer with respect to Customer Content.
     - for Customer Account Data (e.g. if Customer transfers to Funler data of its End Users or representatives): Module One (Controller to Controller).
   • for each Module of EU SCCs, the following provisions apply, where applicable:
     - in Clause 7 of EU SCCs, the optional docking clause will not apply;
     - in Clause 9 of EU SCCs, Option 2 will apply and the time period for prior written notice of sub-processor changes will be as set forth in Section 3.3 of Data Processing (Engagement of New Sub-processors);
     - in Clause 11 of EU SCCs, the optional part on lodge of a complaint with an independent dispute resolution body will not apply;
     - in Clause 17 (Option 1) of EU SCCs will be governed by the law of Germany;
     - in Clause 18(b) of EU SCCs, disputes will be resolved before the courts of Germany;
   • for transfers of Personal Data subject to FADP the parties apply EU SCCs as specified above with respect to Customer Content and Customer Account Data with the following modifications:
     - references to "Regulation (EU) 2016/679" will be interpreted as references to the FADP;
     - references to "EU law", "Union law" and "Member State law" will be interpreted as references to Swiss law;
     - references to "EU", "Union" and "Member State" will be interpreted as references to Switzerland, and in particular, Clause 18 of EU SCCs must be interpreted as entitling data subjects to exercise their rights at their place of habitual residence in Switzerland;
     - references to the "competent supervisory authority" and "competent courts" will be replaced with the "the Swiss Federal Data Protection and Information Commissioner" and the "relevant courts in Switzerland".
   • for transfers of Personal Data subject to UK GDPR the parties apply EU SCCs as specified above with respect to Customer Content and Customer Account Data, together with the International data transfer addendum to the European Commission’s standard contractual clauses for international data transfers (Adopted by ICO, Version B1.0, in force 21 March 2022) published at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf