Data Processing Addendum
This Data Processing Addendum ("DPA") is incorporated into and forms part of the Handbid Master Services Agreement (the "Agreement") by and between Handbid, Inc. ("Handbid") and the Customer identified in the Agreement ("Customer"). This Addendum becomes effective on the date the Customer executes the Agreement or first accesses the Handbid Service, whichever is earlier. Capitalized terms used in this DPA have the meanings set forth in this DPA. Capitalized terms used but not otherwise defined herein shall have the meanings given to them in the Agreement. Except as expressly modified below, the terms of the Agreement shall remain in full force and effect. The parties agree that the terms and conditions set out below shall be added as an addendum to the Agreement. The following obligations shall only apply to the extent required by Data Protection Laws.
Definitions
"Controller" has the meaning given in Data Protection Laws and, if not defined, means the entity that determines the purposes and means of the Processing of Personal Data and includes a "business" under the CCPA. "Customer Personal Data" means Personal Data Processed by Handbid on behalf of Customer to provide the Handbid Service under the Agreement. "Data Protection Laws" means the data privacy and security laws and regulations applicable to the Processing of Customer Personal Data, including, in each case to the extent applicable, European Data Protection Laws, and the California Consumer Privacy Act of 2018 together with its implementing regulations (in each case as amended from time to time, the "CCPA"). "Data Subject" means the identified or identifiable natural person who is the subject of Personal Data. "European Data Protection Laws" means, in each case to the extent applicable: (a) the EU General Data Protection Regulation 2016/679 ("GDPR"); (b) the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"), the Data Protection Act of 2018, and all other laws relating to data protection, the processing of personal data, privacy, or electronic communications in force from time to time in the United Kingdom (collectively, "UK Data Protection Laws"); (c) the Swiss Federal Act on Data Protection ("Swiss FADP"); and (d) any other applicable law, rule, or regulation related to the protection of Customer Personal Data in the European Economic Area, United Kingdom, or Switzerland that is already in force or that will come into force during the term of this DPA. "Personal Data" means any information that constitutes "personal information," "personal data," "personally identifiable information," or similar term specifically regulated under applicable Data Protection Laws. 
"Process" means any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, alignment, combination, restriction, erasure, destruction or disclosure by transmission, dissemination or otherwise making available. "Processed," "Processes," and "Processing" will be interpreted accordingly. "Processor" has the meaning given in Data Protection Laws and, if not defined, means an entity that Processes Personal Data on behalf of a Controller and includes a "service provider" under the CCPA. "SCCs" means, as applicable, Module Two (Transfer controller to processor) or Module Three (Transfer processor to processor) of the standard contractual clauses approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (available at http://data.europa.eu/eli/dec_impl/2021/914/oj), as supplemented or modified by Schedule 3. "Security Incident" means a breach of Handbid's security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data in Handbid's possession, custody, or control, which compromises the confidentiality, integrity, or availability of such data. "Security Incident" does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems. "Subprocessor" means any Processor appointed by Handbid to Process Customer Personal Data on behalf of Customer under the Agreement. 
"Supervisory Authority" means a regulator or other independent competent public authority established or recognized under Data Protection Laws.
Roles Of The Parties
Roles of the Parties. For purposes of this DPA, and except as otherwise provided in Section 2.2, the parties acknowledge and agree that, with regard to the Processing of Customer Personal Data under the Agreement, Customer acts as a Controller and Handbid acts as a Processor. Notwithstanding the foregoing, to the extent Customer is acting as a Processor to a third-party Controller with respect to certain Customer Personal Data, Handbid shall be deemed a Processor to Customer in its capacity as a Processor, and Handbid shall remain a Processor with respect to such Customer Personal Data. Handbid as Controller. The parties acknowledge and agree that with respect to certain Processing activities involved in providing the Handbid Service, such as the Processing of Personal Data to provide AI-assisted image enhancement, AI-generated content tools, and customer chat support as described in Handbid's AI Features Policy, available at handbid.com/ai-policy, Handbid may combine Customer Personal Data with Personal Data from third parties (including other customers), and develop, operate, and improve machine learning and fraud detection technologies (collectively, the "Controller Services"). With respect to the Controller Services Handbid acts as an independent Controller and not as a Processor or joint Controller. In connection with the Controller Services, Handbid will Process Customer Personal Data as a Controller solely for the purposes of providing the Controller Services in accordance with the Agreement, applicable Data Protection Laws, and the Handbid privacy policy. When Handbid acts as a Controller pursuant to this Section 2.2, the other provisions of this DPA do not apply to the Controller Services. Compliance. Each party shall comply with the obligations applicable to it in its respective role under Data Protection Laws with respect to the Processing of Customer Personal Data.
Processing Of Customer Personal Data
Customer Instructions. Handbid will Process Customer Personal Data only in accordance with Customer's documented instructions unless otherwise required by applicable law, in which case Handbid will inform Customer of such Processing unless notification is prohibited by applicable law. Customer hereby instructs Handbid to Process Customer Personal Data: (a) to provide the Handbid Service to Customer; (b) to perform its obligations and exercise its rights under the Agreement and this DPA; and (c) as necessary to prevent or address technical problems with the Handbid Service. Handbid will inform Customer if it becomes aware that, in its opinion, an instruction of Customer infringes upon Data Protection Laws. Customer's instructions for the Processing of Customer Personal Data shall comply with Data Protection Laws. Customer shall be responsible for: (i) giving adequate notice and making all appropriate disclosures to Data Subjects regarding Customer's use and disclosure and Handbid's Processing of Customer Personal Data; and (ii) obtaining all necessary rights, and, where applicable, all appropriate and valid consents to disclose such Customer Personal Data to Handbid to permit the Processing of such Customer Personal Data by Handbid for the purposes of performing Handbid's obligations under the Agreement or as may be required by Data Protection Laws. Customer shall notify Handbid of any changes in, or revocation of, the permission to use, disclose, or otherwise Process Customer Personal Data that would impact Handbid's ability to comply with the Agreement, this DPA, or Data Protection Laws.
Details of Processing. The parties acknowledge and agree that the nature and purpose of the Processing of Customer Personal Data, the types of Customer Personal Data Processed, the categories of Data Subjects, and other details regarding the Processing of Customer Personal Data are as set forth in Schedule 1.
Processing Subject to the CCPA. As used in this Section 3.3, the terms "Sell," "Share," and "Business Purpose" shall have the meanings given in the CCPA and "Personal Information" shall mean any personal information (as defined in the CCPA) contained in Customer Personal Data. Handbid will not: (a) Sell or Share any Personal Information; (b) retain, use, or disclose any Personal Information (i) for any purpose other than for the Business Purposes specified in the Agreement and this DPA or as otherwise permitted by the CCPA, or (ii) outside of the direct business relationship between Customer and Handbid unless expressly permitted by the CCPA; or (c) combine or update Personal Information with Personal Data received from another source or collected from Handbid's own interaction with the Data Subject, except as expressly permitted by the CCPA. The parties acknowledge that the Personal Information disclosed by Customer to Handbid is provided to Handbid only for the limited and specified purposes set forth in Schedule 1. Handbid will comply with applicable obligations under the CCPA, including by providing the same level of privacy protection to Personal Information required by the CCPA. Customer has the right to take reasonable and appropriate steps to help ensure that Handbid uses the Personal Information transferred in a manner consistent with Customer's obligations under the CCPA by exercising Customer's information and audit rights set forth in Section 9. Handbid will inform Customer if it makes a determination that Handbid can no longer meet its obligations under the CCPA. If unauthorized use of Personal Information by Handbid occurs, Customer will have the right, upon written notice to Handbid, to take reasonable and appropriate steps to stop and remediate such unauthorized use by limiting the Personal Information shared with Handbid or such other steps mutually agreed between the parties in writing.
De-identified Data. If the Agreement requires Handbid to receive and retain de-identified data from Customer, Handbid will: (a) take any necessary measures to ensure that such de-identified data cannot be associated with a Data Subject; (b) publicly commit to maintaining and using de-identified data without attempting to re-identify the data; (c) comply with other applicable restrictions under Data Protection Laws in respect of such de-identified data; and (d) contractually obligate any recipients of the de-identified data to comply with applicable restrictions required by Data Protection Laws.
No Restricted Countries or Covered Persons. Handbid confirms that it is not a "covered person" as such term is defined in 28 C.F.R. § 202.21. Handbid will take reasonable steps designed to ensure that no Subprocessor is a covered person and that Customer Personal Data will not be accessed by a covered person.
Confidentiality
Handbid shall use commercially reasonable efforts to ensure that Handbid personnel who Process Customer Personal Data are subject to obligations of confidentiality or are under an appropriate statutory obligation of confidentiality with respect to such Customer Personal Data.
Security
Security Measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Handbid shall implement appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, in accordance with the security standards in Schedule 2 (the "Security Measures"). Customer acknowledges that the Security Measures may be updated from time to time upon reasonable notice to Customer to reflect process improvements or changing practices, provided that the modifications will not materially reduce the overall level of security. Security Incidents. Upon becoming aware of a confirmed Security Incident, Handbid will: (a) notify Customer of the Security Incident without undue delay; and (b) take reasonable steps to identify the cause of such Security Incident, minimize harm, and prevent a recurrence. Handbid will take reasonable steps to provide Customer with information available to Handbid that is reasonably necessary and proportionate for Customer to comply with its obligations under Data Protection Laws. Handbid's notification of or response to a Security Incident under this Section 5.2 will not be construed as an acknowledgement by Handbid of any fault or liability with respect to the Security Incident. Customer Responsibilities. Customer agrees that, without limitation of Handbid's obligations under this Section 5, Customer is solely responsible for its use of the Handbid Service, including: (a) making appropriate use of the Handbid Service to ensure a level of security appropriate to the risk in respect of the Customer Personal Data; and (b) securing any account authentication credentials, systems, and devices Customer uses to access or connect to the Handbid Service, where applicable. 
Without limiting Handbid's obligations hereunder, Customer is responsible for reviewing the information made available by Handbid relating to data security and making an independent determination as to whether the Handbid Service meets Customer's requirements and legal obligations under Data Protection Laws.
Subprocessing
Subject to the requirements of this Section 6, Customer generally authorizes Handbid to engage Subprocessors as Handbid considers reasonably appropriate for the Processing of Customer Personal Data. Customer hereby approves Handbid's Subprocessors, which can be found in Schedule 1. Handbid will inform Customer of the addition or replacement of any Subprocessor not listed in Schedule 1 at least ten (10) days prior to such engagement. Customer may object to such changes on reasonable data protection grounds by providing Handbid written notice of such objection within ten (10) days. Upon receiving such an objection, where practicable and at Handbid's sole discretion Handbid will use commercially reasonable efforts to: (a) work with Customer in good faith to make available a commercially reasonable change in the provision of the Handbid Service that avoids using the proposed Subprocessor; or (b) take corrective steps requested by Customer in its objection, subject to mutual agreement and commercial feasibility, and proceed to use the new Subprocessor. Handbid shall be liable for the acts and omissions of the Subprocessor to the extent Handbid would be liable under the Agreement and this DPA.
Data Subject Rights
If Handbid receives a request from a Data Subject under Data Protection Laws in respect of their Customer Personal Data (such as requests to access, know, correct, delete, restrict, port, object or opt-out), Handbid will advise the Data Subject to submit the request to Customer. Handbid will, taking into account the nature of the Processing of Customer Personal Data and the functionality of the Handbid Service, provide reasonable assistance to Customer by appropriate technical and organizational measures, insofar as this is possible, to assist Customer with fulfilling its obligations under Data Protection Laws to respond to requests by Data Subjects to exercise their rights. Handbid reserves the right to charge Customer on a time and materials basis in the event that Handbid considers that such assistance is onerous, complex, frequent, or time consuming.
Assessments And Prior Consultations
In the event that Data Protection Laws require Customer to conduct a data protection impact assessment, transfer impact assessment, or prior consultation with a Supervisory Authority in connection with Handbid's Processing of Customer Personal Data, following written request from Customer, Handbid will reasonably assist Customer by providing relevant information and assistance to Customer to fulfil such request, taking into account the nature of Handbid's Processing of Customer Personal Data, the requirements of Data Protection Laws, and the information available to Handbid. Handbid reserves the right to charge Customer on a time and materials basis in the event that such assistance is onerous, complex, frequent, or time consuming.
Relevant Records And Audit Rights
Review of Information and Records. Upon Customer's reasonable written request, Handbid will make available to Customer all information in Handbid's possession reasonably necessary to demonstrate Handbid's compliance with Data Protection Laws and Handbid's obligations set out in this DPA. Such information will be made available to Customer no more than once per calendar year and subject to the confidentiality obligations of the Agreement or a mutually-agreed non-disclosure agreement. Audits. If Customer requires information for its compliance with Data Protection Laws in addition to the information provided under Section 9.1, at Customer's sole expense and to the extent Customer is unable to access the additional information on its own, Handbid will allow for, cooperate with, and contribute to reasonable assessments and audits, including inspections, by Customer or an auditor mandated by Customer ("Mandated Auditor"), provided that (a) Customer provides Handbid with reasonable advance written notice including the anticipated date of the audit, the proposed scope of the audit, and the identity of any Mandated Auditor, which shall not be a competitor of Handbid; (b) Handbid approves the Mandated Auditor in writing, with such approval not to be unreasonably withheld; (c) the audit is conducted during normal business hours and in a manner that does not have any adverse impact on Handbid's normal business operations; (d) Customer or any Mandated Auditor complies with Handbid's standard safety, confidentiality, and security policies or procedures in conducting any such audits; (e) any records, data, or information accessed by Customer or any Mandated Auditor in the performance of any such audit, or any results of any such audit, will be deemed to be the Confidential Information of Handbid and subject to a nondisclosure agreement to be provided by Handbid; and (f) Customer may initiate such audit not more than once per calendar year unless otherwise required by a documented request from a Supervisory Authority or where legally mandated by Data Protection Laws.
Results of Audits. Customer will promptly notify Handbid of any non-compliance discovered during the course of an audit and provide Handbid any reports generated in connection with any audit under this Section, unless prohibited by Data Protection Laws or otherwise instructed by a Supervisory Authority. Customer may use the audit reports solely for the purposes of meeting Customer's audit requirements under Data Protection Laws to confirm that Handbid's Processing of Customer Personal Data complies with this DPA.
Data Transfers
Data Processing Facilities. Handbid may, subject to Sections 10.2 and 10.3, Process Customer Personal Data in the United States or anywhere Handbid or its Subprocessors maintains facilities or has personnel. Customer is responsible for ensuring that its use of the Handbid Service complies with any cross-border data transfer restrictions of Data Protection Laws. Transfers of Personal Data Subject to European Data Protection Laws. If Customer transfers Customer Personal Data to Handbid that is subject to European Data Protection Laws, and such transfer is not subject to an alternative adequate transfer mechanism under European Data Protection Laws or otherwise exempt from cross-border transfer restrictions, then Customer (as "data exporter") and Handbid (as "data importer") agree that the applicable terms of the SCCs shall apply to and govern such transfer and are hereby incorporated herein by reference. In furtherance of the foregoing, the parties agree that: (a) the execution of this DPA shall constitute execution of the applicable SCCs as of the DPA Effective Date; (b) the relevant selections, terms, and modifications set forth in Schedule 3 shall apply, as applicable; and (c) the SCCs shall automatically terminate once the Customer Personal Data transfer governed thereby becomes lawful under European Data Protection Laws in the absence of such SCCs on any other basis. Other Jurisdictions. 
If Customer transfers Customer Personal Data to Handbid that is subject to Data Protection Laws other than European Data Protection Laws which require the parties to enter into standard contractual clauses to ensure the protection of the transferred Customer Personal Data, and the transfer is not subject to an alternative adequate transfer mechanism under Data Protection Laws or otherwise exempt from cross-border transfer restrictions, then the parties agree that the applicable terms of any standard contractual clauses approved or adopted by the relevant Supervisory Authority pursuant to such Data Protection Laws shall automatically apply to such transfer and, where applicable, shall be completed on a mutatis mutandis basis to the completion of the SCCs as described in Section 10.2.
Deletion Or Return Of Customer Personal Data
Following termination or expiration of the Agreement, Handbid shall, at Customer's option, delete or return Customer Personal Data and all copies to Customer, except as required by applicable law. If Handbid retains Customer Personal Data pursuant to applicable law, Handbid agrees that all such Customer Personal Data will continue to be protected in accordance with this DPA.
General Provisions
This DPA will, notwithstanding the expiration or termination of the Agreement, remain in effect until, and automatically expire upon, Handbid's deletion or return of all Customer Personal Data. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. To the extent of any conflict or inconsistency between this DPA and the other terms of the Agreement in relation to the Processing of Customer Personal Data, this DPA will govern. Any liabilities arising in respect of this DPA are subject to the limitations of liability under the Agreement. This DPA will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws.
Schedule 1: DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA
Subject matter and duration of the Processing of Customer Personal Data:
The subject matter and duration of the Processing are as described in the Agreement and the DPA
Nature and purposes of the Processing of Customer Personal Data:
The nature of the Processing involves those activities reasonably required to facilitate or support the provision of the Handbid Service as described in the Agreement and the DPA
The purpose of the Processing of Customer Personal Data includes the following: Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards; Helping to ensure security and integrity, to the extent the use of Customer Personal Data is reasonably necessary and proportionate for these purposes; Debugging to identify and repair errors that impair existing intended functionality; Providing the Handbid Service as described in the Agreement and carrying out the instructions set forth in Section 3.1, including providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of Customer; Providing advertising and marketing services, except for cross-context behavioral advertising, to Data Subjects provided that, for the purpose of advertising and marketing, Handbid shall not combine the Customer Personal Data of opted-out Data Subjects that Handbid receives from, or on behalf of, Customer with Personal Data that Handbid receives from, or on behalf of, another person or persons or collects from its own interaction with Data Subjects; Undertaking internal research for technological development and demonstration; and
Undertaking activities to verify or maintain the quality or safety of the Handbid Service, and to improve, upgrade, or enhance the Handbid Service
The categories of Data Subjects to whom Customer Personal Data relates: The categories of Data Subjects are determined by Customer in Customer's sole discretion and may include Customer's employees, business contacts, customers, website visitors, event attendees, etc. The categories of Customer Personal Data: The categories of Customer Personal Data Processed are those categories permitted by the Agreement and may include data related to registration and participation in events. The sensitive data included in Customer Personal Data:
The parties do not anticipate exchanging sensitive personal data in order to provide the Handbid Service
The frequency of Customer's transfer of Customer Personal Data to Handbid:
On a continuous basis for the term of the Agreement
The period for which Customer Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:
As set forth in the DPA or the Agreement
For the same subject matter, nature, and duration set forth above
List of Subprocessors:

| Subprocessor Name | Description of Processing Purpose | Location of Processing |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure and hosting | U.S.A. |
| Firebase / Google LLC | Analytics and crash reporting | U.S.A. |
| Stripe | Payment processing | U.S.A. |

Schedule 2: SECURITY MEASURES
Information Security Program. Implement, maintain, and comply with information security policies and procedures designed to protect the confidentiality, integrity, and availability of Customer Personal Data and any systems that store or otherwise Process it, which are: (a) aligned with an industry-standard control framework (e.g., NIST SP 800-53, ISO 27001, CIS Critical Security Controls); (b) approved by executive management; (c) reviewed and updated at least annually; and (d) communicated to all personnel with access to Customer Personal Data. Handbid will comply with the requirements of any applicable security standards imposed on merchants and their vendors who accept payment with credit cards and store, process or transmit cardholder data, including, without limitation, the Payment Card Industry Data Security Standards ("PCI-DSS"), as such may be revised from time to time. Handbid's payment processing is PCI-DSS compliant via its third-party payment processor (Stripe). Risk Assessment. Maintain risk assessment procedures for the purposes of periodic review and assessment of risks to the organization, monitoring and maintaining compliance with the organization's policies and procedures, and reporting the condition of the organization's information security and compliance to internal senior management. Personnel Training. Train personnel to maintain the confidentiality, integrity, and availability of Customer Personal Data, consistent with the terms of the Agreement and Data Protection Laws. Vendor Management. Prior to engaging Subprocessors and other subcontractors, conduct reasonable due diligence and monitoring to ensure subcontractors are capable of maintaining the confidentiality, integrity, and availability of Customer Personal Data. Handbid's cloud hosting providers maintain SOC2 Type II compliance for infrastructure and physical security. Access Controls. Only authorized personnel and third parties are permitted to access Customer Personal Data. 
Maintain role-based, logical access controls with user-level authentication and granular permissioning designed to limit access to Customer Personal Data and relevant information systems (e.g., granting access on a need-to-know basis, use of unique IDs and passwords for all users, periodic review and revoking or changing access when employment terminates or changes in job functions occur). Secure User Authentication. Maintain password controls designed to manage and control password strength, expiration, and usage. These controls include prohibiting users from sharing passwords and requiring that passwords controlling access to Customer Personal Data must: (a) be at least 8 characters in length and meet minimum complexity requirements; (b) not be stored in readable format on the organization's computer systems; (c) have a history threshold to prevent reuse of recent passwords; and (d) if newly issued, be changed after first use. Incident Detection and Response. Maintain policies and procedures to detect and respond to actual or reasonably suspected Security Incidents, and encourage the reporting of such incidents. Encryption. Apply industry standard encryption (TLS 1.2 or higher) to Customer Personal Data: (a) stored at rest on any medium (i.e., laptops, mobile devices, portable storage devices, file servers and application databases) in high-risk environments or where required by law; and (b) transmitted across any public network (such as the Internet) or wirelessly. Network Security. Implement network security controls such as up-to-date firewalls, layered DMZs, updated intrusion detection and prevention systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack. Keys used for server-level access or integration are generated using OpenSSL and are rotated periodically. Vulnerability Management. 
Detect, assess, mitigate, remove, and protect against new and existing security vulnerabilities and threats, including viruses, bots, and other malicious code, by implementing vulnerability management, threat protection technologies, and scheduled monitoring procedures. Change Control. Follow change management procedures and implement tracking mechanisms designed to test, approve, and monitor all changes to the organization's technology and information assets. Physical Security. Take steps to ensure the physical and environmental security of data centers, server room facilities and other areas containing Customer Personal Data, including by: (a) protecting information assets from unauthorized physical access; (b) managing, monitoring, and logging movement of persons into and out of the organization's facilities; and (c) guarding against environmental hazards such as heat, fire, and water damage. Business Continuity and Disaster Recovery. Maintain business continuity and disaster recovery policies and procedures designed to maintain service and recover from foreseeable emergency situations or disasters. Handbid's policies are designed around hourly incremental backups and daily full backups; 4-week rolling backup retention; recovery point objective (RPO) of 15 minutes; recovery time objective (RTO) of 1 hour for full environment rebuild.
Schedule 3: STANDARD CONTRACTUAL CLAUSES
Application of Modules. If Customer is acting as a Controller with respect to Customer Personal Data, "Module Two: Transfer controller to processor" of the SCCs shall apply. If Customer is acting as a Processor to a third-party Controller with respect to Customer Personal Data, Handbid is a sub-Processor and "Module Three: Transfer processor to processor" of the SCCs shall apply.
Sections I-V. The parties agree to the following selections in Sections I-IV of the SCCs: (a) the parties select Option 2 in Clause 9(a) and the specified time period shall be the notification time period set forth in Section 5 of the DPA; (b) the optional language in Clause 11(a) is omitted; (c) the parties select Option 1 in Clause 17 and the governing law of the Republic of Ireland will apply; and (d) in Clause 18(b), the parties select the courts of the Republic of Ireland.
Annexes. The name, address, contact details, activities relevant to the transfer, and role of the parties set forth in the Agreement and the DPA shall be used to complete Annex I.A. of the SCCs. The information set forth in Schedule 1 to the DPA shall be used to complete Annex I.B. of the SCCs. The competent Supervisory Authority in Annex I.C. of the SCCs shall be determined pursuant to Clause 13 of the SCCs. The technical and organizational measures in Annex II of the SCCs shall be the measures set forth in Schedule 2 to the DPA.
Supplemental Business-Related Clauses. In accordance with Clause 2 of the SCCs, the parties wish to supplement the SCCs with business-related clauses, which shall neither be interpreted nor applied in such a way as to contradict the SCCs (whether directly or indirectly) or to prejudice the fundamental rights and freedoms of Data Subjects. Handbid and Customer therefore agree that the applicable terms of the Agreement and the DPA shall apply to the extent that they are permitted under the SCCs, including without limitation the following: (a) the instructions described in Clause 8.1 are set forth in Section 2.2 of the DPA; (b) in the event a Data Subject requests a copy of the SCCs or the DPA under Clause 8.3, Customer shall make all redactions reasonably necessary to protect business secrets or other confidential information of Handbid; (c) deletion or return of Customer Personal Data by Handbid under the SCCs shall be governed by Section 10 of the DPA; (d) certification of deletion of Customer Personal Data under Clause 8.5 or Clause 16(d) will be provided by Handbid upon the written request of Customer; (e) any information requests or audits provided for in Clause 8.9 shall be fulfilled in accordance with Section 8 of the DPA; (f) the relevant terms of the Agreement which govern indemnification or limitation of liability shall apply to Handbid's liability under Clauses 12(a), 12(d), and 12(f); and (g) the relevant terms of the Agreement which govern termination shall apply to a termination pursuant to Clauses 14(f) or 16.
Transfers from the United Kingdom. If Customer transfers Customer Personal Data to Handbid that is subject to UK Data Protection Laws, the parties acknowledge and agree that: (a) the template Addendum issued by the Information Commissioner's Office of the United Kingdom and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 (available at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf), as it may be revised from time to time by the Information Commissioner's Office (the "UK Addendum") shall be incorporated by reference herein; (b) the UK Addendum shall apply to and modify the SCCs solely to the extent that UK Data Protection Laws apply to Customer's Processing when making the transfer; (c) the information required to be set forth in "Part 1: Tables" of the UK Addendum shall be completed using the information provided in this Schedule 3 and the DPA; and (d) either party may end the UK Addendum in accordance with section 19 thereof.
Transfers from Switzerland. If Customer transfers Customer Personal Data to Handbid that is subject to the Swiss FADP, the following modifications shall apply to the SCCs to the extent that the Swiss FADP applies to Customer's Processing when making that transfer: (a) the term "member state" as used in the SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from suing for their rights in their place of habitual residence in accordance with Clause 18(c) of the SCCs; (b) references to the GDPR or other governing law contained in the SCCs shall also be interpreted to include the Swiss FADP; and (c) the parties agree that the Supervisory Authority as indicated in Annex I.C of the SCCs shall be the Swiss Federal Data Protection and Information Commissioner.