Filevine Data Protection Agreement

This Data Protection Agreement (“DPA”) is entered into between Filevine, Inc., (“Filevine”) and the customer who purchased the Filevine Services (“Subscriber”) (Each, a “Party” or collectively, the “Parties”) as set forth in one or more Sales Orders. This DPA is incorporated into and forms part of the Parties’ Filevine Subscription Agreement and applicable Sales Order (hereinafter, collectively the “Subscription Agreement”).

By signing the Subscription Agreement, Subscriber enters into this DPA on behalf of itself and, to the extent required under applicable Privacy and Data Protection Requirements, in the name and on behalf of its Authorized Affiliates, if and to the extent Filevine processes Personal Information for which such Authorized Affiliates qualify as the Controller. For the purpose of this DPA only, and except where indicated otherwise, the term “Subscriber” shall include Subscriber and Authorized Affiliates. Capitalized terms not defined herein shall have the same meaning set forth in the Subscription Agreement.

1. DEFINITIONS AND INTERPRETATION
   1. The following definitions and rules of interpretation apply in this DPA.
      • “Authorized Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity (“Control” for purposes of this definition, means direct or indirect ownership or control of more than fifty percent (50%) of the voting interests of the subject entity) which is (a) subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Services pursuant to the Subscription Agreement between Subscriber and Filevine, but has not signed its own Subscription Agreement with Filevine and is not “Subscriber” as defined under this DPA.
      • “Business Purpose” means the purpose of delivering the Filevine Services, as such term is defined in the Subscription Agreement (hereinafter the “Services”) or any other purpose specifically identified in the Appendix.
      • “Controller” means the entity which determines the purposes and means of the Processing of Personal Information.
      • “Data Subject” means an individual who is the subject of Personal Information.
      • “Employee” means any natural person in their capacity as a worker. It includes temporary employees, agents, executors, contractors, contingent workers, and other kinds of workers.
      • “GDPR” means the EU General Data Protection Regulation 2016/679 including the applicable implementing legislation of each Member State and the UK Data Protection Act 2018 and the UK General Data Protection Regulation as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended (including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019).
      • “Personal Information” means (a) any information Filevine processes for Subscriber that identifies or relates to an individual who can be identified directly or indirectly from that data alone or in combination with other information in Filevine’s possession/control or that Filevine is likely to have access to, or (b) the relevant Privacy and Data Protection Requirements otherwise defined as protected personal information.
      • “Processing, processes, or process” means any activity that involves the use of Personal Information or that the relevant Privacy and Data Protection Requirements may otherwise include in the definition of processing, processes, or process. It includes obtaining, recording, storing, or holding the data, or carrying out any operation or set of operations on the data including, but not limited to, organizing, amending, retrieving, using, disclosing, erasing, transmitting, or destroying it. Processing also includes transferring Personal Information to third parties.
      • “Processor” means the Party which Processes Personal Information on behalf of the Controller, including as applicable any "Service Provider" as that term is defined by the CCPA.
      • “Privacy and Data Protection Requirements” means applicable laws and regulations, to which Filevine is subject, relating to the processing, protection, or privacy of personal information, including where applicable, the common law and the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction. Depending on the scope of processing as set forth elsewhere in this DPA, this may include the GDPR, the California Consumer Privacy Act, as amended by the California Privacy Rights Act and any binding regulations promulgated thereunder (“CCPA”), Canada’s Personal Information Protection and Electronic Documents Act as well as other Canadian federal or provincial laws governing the collection, use, disclosure, or protection of Personal Information.
      • “Security Breach” means a breach of Filevine’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information in Filevine’s possession, custody or control. Security Breaches do not include unsuccessful attempts or activities that do not compromise the security of Personal Information, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
      • “Standard Contractual Clauses” or “SCCs” refer to any standardized contractual clauses promulgated by a jurisdiction’s data protection regulator or authority to legitimize the flow of personal information to other jurisdictions. SCCs include the European Commission’s Standard Contractual Clauses for the transfer of Personal Information from the European Union to processors established in third countries as well as the “International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses for International Data Transfers” promulgated by the United Kingdom’s Information Commissioner’s Office (“UK Addendum”). To the extent this DPA includes SCCs, they are included as set forth in the Appendix.
      • “Sub-processor” means any Processor engaged by Filevine.
      • “Term” refers to the period of time during which this DPA is in full force and effect, as governed under Section 12 of this DPA.
      1. For the sake of readability, this DPA does not use initial capitalization of most defined terms. Any defined terms shall be construed as defined, regardless of their capitalization.
   2. The Appendix forms part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Appendix.
   3. A reference to writing or written includes email.
   4. Notwithstanding anything to the contrary in the Subscription Agreement, if there is a conflict between this DPA and the Subscription Agreement, this DPA will control. In the event of any conflict or inconsistency between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
2. PERSONAL INFORMATION TYPES AND PROCESSING PURPOSES
   1. The parties acknowledge and agree that with regard to the Processing of Personal Information, Subscriber is the Controller and Filevine is the Processor, as applicable, and that Filevine will engage Sub-processors pursuant to the requirements set forth in Section 9 below.
   2. Filevine shall process Personal Information for the purposes of providing the Services, as set forth in the Subscription Agreement, or this DPA. Filevine shall not determine the purposes or means of processing the Personal Information. Unless otherwise set forth herein or in the Subscription Agreement, Subscriber, either on its own behalf or on behalf of the Controller, shall ensure that it is lawful under the applicable Privacy and Data Protection Requirements for Filevine to process the personal data and that necessary notices have been or shall be provided to data subjects. Subscriber shall also be responsible for the processing instructions it gives Filevine.
   3. Annex A describes the general Personal Information categories and data-subject types Filevine may process to fulfill the business purpose of the Subscription Agreement.
3. FILEVINE’S OBLIGATIONS
   1. Filevine will process the Personal Information to the extent, and in such a manner, as is necessary for the business purposes in accordance with Subscriber’s instructions for the following specific purposes: (i) Processing in accordance with the Subscription Agreement; (ii) Processing initiated by users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Subscriber (e.g., via email or support ticket) where such instructions are consistent with the terms of the Agreement.
   2. Filevine will reasonably comply with Subscriber’s written request or instruction requiring Filevine to amend, transfer, or delete Personal Information, or to stop, mitigate, or remedy unauthorized processing of this Personal Information.
   3. Filevine will maintain the confidentiality of Personal Information and will not disclose it to third parties unless Subscriber or this DPA specifically authorizes the disclosure, or as required by law. If a law requires Filevine to process or disclose Personal Information, Filevine will first inform Subscriber of the legal requirement and give Subscriber an opportunity to object or challenge the requirement, unless the law prohibits such notice, and provided such opportunity for objection or challenge does not serve to prejudice Filevine or subject Filevine to liability for non-disclosure. Any disclosure of Personal Information shall be limited to the minimum necessary to accomplish the purpose of the disclosure.
   4. Subscriber acknowledges that Filevine is under no duty to investigate the completeness, accuracy, or sufficiency of any specific Subscriber instructions or personal information except when required under the Privacy and Data Protection Requirements.

   5. Filvine acknowledges and agrees that it is a “service provider” as defined under CCPA and shall not (a) “sell” or “share” (as both terms are defined in the CCPA) Personal Information; or (b) retain, use, or disclose any Personal Information for any purpose other than for the specific purpose of providing the Services under the Subscription Agreement, including retaining, using, or disclosing Personal

      Information for a commercial purpose (as defined in CCPA) other than providing the Services under the Subscription Agreement.

   6. Filevine shall notify Subscriber in the event Filevine makes a determination that it can no longer meet its obligations under Privacy and Data Protection Requirements.
   7. To the extent Filevine receives deidentified data from Subscriber or the Services under the Subscription Agreement allow for the deidentification of Personal Information, Filevine represents and warrants to not reidentify, attempt to reidentify, or direct any other party to reidentify any data that has been deidentified.
4. FILEVINE’S EMPLOYEES

   1. Filevine will limit Personal Information access to:

      (a) those employees who require Personal Information access to meet Filevine’s obligations under this DPA and the Subscription Agreement; and

      (b) the part or parts of the Personal Information that those employees strictly require for the performance of their duties.

   2. Filevine will ensure that its relevant employees:

      (a) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

      (b) have undertaken training on the Privacy and Data Protection Requirements relating to handling Personal Information and how it applies to their particular duties; and

      (c) are aware both of Filevine’s duties and their personal duties and obligations under the Privacy and Data Protection Requirements and this DPA.

   3. Filevine will take reasonable steps to ensure the reliability, integrity, and trustworthiness of, and conduct background checks to the extent permissible under applicable law, on Filevine’s employees with access to Personal Information.
5. SUBSCRIBER OBLIGATIONS

   Subscriber is solely responsible for its use of the Services, including (a) obtaining any needed consents or authorizations for Filevine to process Personal Information; (b) without limitation of Filevine’s obligations under Section 6 (Security), making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Personal Information; (c) securing the account authentication credentials, systems and devices Subscriber uses to access the Services; (d) securing Subscriber’s systems and devices that Filevine uses to provide the Services; and (e) backing up Personal Information (if not provided by the Services).

6. SECURITY
   1. Filevine will endeavor to maintain appropriate technical and organizational measures to safeguard Personal Information against unauthorized or unlawful processing and against accidental loss, destruction, disclosure, or damage. The appropriateness of such measures shall be judged against the risk of harm to Subscriber or to data subjects if the data were to be used, disclosed, altered, or deleted without proper authorization. These include the security measures listed in Annex B. Nevertheless, Filevine agrees to maintain a level of security appropriate to the risk. Filevine will take commercially reasonable steps to document those measures in writing and periodically review them, at least annually, to ensure they remain current, complete, and appropriate to the risk.
   2. Filevine shall promptly remediate any non-public vulnerability that jeopardizes Personal Information if it becomes aware that an exploit of the vulnerability is available and known to persons or organizations other than Filevine, its employees, contractors, and other agents.
7. SECURITY BREACHES AND DATA LOSS
   1. Filevine will promptly notify Subscriber without undue delay after becoming aware of a Security Breach. Such notification shall, to the extent possible, describe the categories of Personal Information affected, the approximate number of data subjects involved, the steps taken to investigate and remedy the breach, and provide the contact information for a person that can respond to questions regarding the Security Breach. Such information may be provided in phases as it becomes available.
   2. Following discovery of a Security Breach, Filevine shall take prompt action to investigate the Security Breach and shall use industry standard, commercially reasonable efforts to mitigate the effects of any such Security Breach in accordance with its obligations hereunder.
   3. Subject to Section 15, Filevine will cover reasonable expenses associated with the performance of the obligations under Sections 7.1 and Section 7.2, unless the matter arose from Subscriber’s specific instructions, negligence, willful default, or breach of this DPA, in which case Subscriber will cover these expenses.
8. CROSS-BORDER TRANSFERS OF PERSONAL INFORMATION.

   If any personal information transfer between Filevine and Subscriber requires execution of Standard Contractual Clauses to comply with the Privacy and Data Protection Requirements, the Parties hereby incorporate, with any noted exceptions and details, those clauses set forth in the Appendix. By executing this DPA, the parties also agree to the incorporation of the Standard Contractual Clauses with such exceptions and details as are set forth below regardless of whether the Standard Contractual Clauses are separately executed.

9. SUB-PROCESSORS.
   1. Subscriber acknowledges and agrees that Filevine may engage third-party Sub-processors in connection with the provision of the Services. Filevine has entered into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this DPA with respect to the protection of Personal Information to the extent applicable to the nature of the services provided by such Sub-processor.
   2. Filevine’s current list of Sub-processors for the applicable Services are in Annex C, and Subscriber authorizes Filevine’s use of such Sub-processors. Filevine shall also provide a mechanism to subscribe to notifications of new Sub-processors, to which Subscriber shall subscribe, whereupon Filevine will provide notification of any new Sub-processors to Process Personal Information in connection with the provision of the applicable Services.
   3. Subscriber may object to Filevine’s use of a new Sub-processor on reasonable grounds relating to the protection of Personal Information, by notifying Filevine promptly in writing within ten (10) business days after receipt of Filevine’s notice in accordance with the mechanism described in Sections 9.2 and 9.5. In the event Subscriber objects to a new Sub-processor, as permitted in the preceding sentence, Filevine will use reasonable efforts to make available to Subscriber a change in the Services or recommend a commercially reasonable change to Subscriber’s configuration or use of the Services to avoid Processing of Personal Information by the objected-to new Sub-processor without unreasonably burdening Subscriber. If Filevine is unable to make available such change within a reasonable period of time, Filevine will permit Subscriber to terminate the applicable Subscription Agreement with respect only to those Services which cannot be provided by Filevine without the use of the objected-to new Sub-processor in accordance with the termination provisions of the Subscription Agreement.
   4. Filevine shall be liable for the acts and omissions of its Sub-processors to the same extent Filevine would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Subscription Agreement. Filevine will refund Subscriber any prepaid fees covering the remainder of the term of such Subscription Agreement following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Subscriber.
   5. To subscribe to the notifications described in Section 9.2, Subscriber shall email the word “subscribe” to privacy@filevine.com.
10. DATA SUBJECT REQUESTS AND COMPLAINTS/THIRD-PARTY INQUIRIES, REQUESTS, AND COMPLAINTS
    1. Filevine will notify Subscriber promptly if it receives any complaint, notice, or communication that directly or indirectly relates to the Personal Information processing or to either party’s compliance with the Privacy and Data Protection Requirements. This shall include requests or inquiries from data subjects relating to their Personal Information. Filevine will endeavor to include the complaint, notice, or communication in its notification to Subscriber. Subscriber shall be responsible with regard to any determinations related to a request or inquiry made by a data subject.
    2. Filevine will give Subscriber its full cooperation and assistance in responding to any complaint, notice, inquiry, communication, or data subject request. Filevine shall also fully cooperate and assist Subscriber in complying with data subject rights in situations where Subscriber cannot reasonably comply without Filevine’s assistance. Such cooperation and assistance shall be provided without charge unless, in the aggregate, it exceeds two hours of effort in a single calendar month. Filevine may charge Subscriber to recover for the costs of labor incurred in excess of two hours.
    3. Filevine will make records of its internal practices as well as its books and records relating to the processing of Personal Information available to government agencies when required by applicable law for the government agency to determine compliance with the Privacy and Data Protection Requirements.
    4. Filevine must not disclose Personal Information to any data subject or to a third party unless the disclosure is at Subscriber’s request or instruction, permitted by the Subscription Agreement or this DPA, or required by law.
11. PRIVACY IMPACT ASSESSMENTS.

    Upon request, Filevine shall provide reasonable cooperation and assistance to Subscriber in ensuring compliance with data security obligations, as well as in carrying out any data protection impact assessment or similar activity, including but not limited to, providing a description of processing operations, assisting with an assessment of the risks to the rights and freedoms of the data subjects to whom the Personal Information relates, and/or assisting with an assessment of the necessity and proportionality of the processing operations in relation to the underlying purpose. Filevine shall also cooperate and provide any assistance or information needed for Subscriber to engage in consultations with regulatory authorities or otherwise respond to requests for information from such authorities. Unless such request follows a Security Breach or is otherwise required by Privacy and Data Protection Requirements, Subscriber shall not make any such request more than once in any 12-month period.

12. TERM AND TERMINATION.
    1. This DPA will remain in full force and effect so long as the Subscription Agreement remains in effect.
    2. Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Subscription Agreement in order to protect Personal Information will remain in full force and effect.
    3. If a change in any Privacy and Data Protection Requirement prevents either party from fulfilling all or part of its Subscription Agreement obligations, the Parties will suspend the processing of Personal Information until that processing complies with the new requirements.
13. DATA RETURN AND DESTRUCTION.
    1. On termination of the Subscription Agreement for any reason or expiration of its term, Filevine will destroy or, if directed in writing by Subscriber, return all or any Personal Information, in accordance with the relevant provisions of the Subscription Agreement.
    2. If any law, regulation, or government or regulatory body requires Filevine to retain any data that Filevine would otherwise be required to return or destroy, Filevine will notify Subscriber in writing of that retention requirement, provide details of the documents or materials that it must retain, identify the legal basis for retention, and establish a specific timeline for destruction once the retention requirement ends.
    3. Filevine will certify in writing that it has destroyed Personal Information within thirty (30) days after it completes the destruction.
14. AUDIT.
    1. At least once per year, Filevine will retain an independent third party to conduct an audit of its data processing practices and the information technology and information security controls for facilities, infrastructure, and systems that are used to process Personal Information.
    2. Upon Subscriber’s written request, Filevine will make the relevant audit reports available to Subscriber for review. Subscriber will treat such audit reports as Filevine’s confidential information.
       1. Filevine’s failure to comply with Section 14.1 or Section 14.2 shall not be considered a breach of this contract or the Subscription Agreement unless Filevine also breaches Section 14.4.
    3. Filevine will promptly address any issues, concerns, or exceptions noted in the audit reports with the development and implementation of a corrective action plan by Filevine’s management.

    4. If Filevine has not conducted an audit as described in Section 14.1 within the last year or if Filevine has declined to make the reports resulting from such audits available to Subscriber, Filevine will permit Subscriber, along with any third-party representatives Subscriber shall retain for this purpose, to audit Filevine’s compliance with its DPA obligations, upon at least 21 days’ notice, during the Term. Filevine will give Subscriber and its third-party representatives the necessary assistance to conduct such audits. The assistance may include, but is not limited to:

       (a) to the extent practical, physical access to, remote electronic access, with Filevine supervision to, and electronic access to the records and any other information held at Filevine’s premises or on systems storing Personal Information;

       (b) access to and meetings with any of Filevine’s personnel reasonably necessary to provide explanations and perform the audit effectively; and

       (c) inspection of pertinent records and the infrastructure, electronic data, or systems, facilities, equipment, or application software used to store, process, or transport Personal Information.

    5. In addition to the obligations set forth above, Filevine agrees to fully and honestly respond in writing annually to a security questionnaire from Subscriber. Subscriber agrees that Filevine shall not be required to respond to such a questionnaire more frequently than once each year. Filevine agrees to tender its responses to the questionnaire within six (6) weeks after Filevine receives it.
15. LIMITATION OF LIABILITY.

    Each Party’s and all of its Authorized Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and Filevine, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Subscription Agreement, and any reference in such section to the liability of a Party means the aggregate liability of that party and all of its Authorized Affiliates under the Subscription Agreement and all DPAs together. For the avoidance of doubt, Filevine's and its affiliates’ total liability for all claims from Subscriber and all of its Authorized Affiliates arising out of or related to the Subscription Agreement and all DPAs shall apply in the aggregate for all claims under both the Subscription Agreement and all DPAs established under the Subscription Agreement, including by Subscriber and all Authorized Affiliates, and, in particular, shall not be understood to apply individually and severally to Subscriber and/or to any Authorized Affiliate that is a contractual party to any such DPA.

16. NOTICES AND MISCELLANEA.
    1. Any notice or other communication given to a party under or in connection with this DPA must be in writing and delivered to:

       For Subscriber: Subscriber’s primary contact listed in the Sales Order.

       For Filevine: Privacy@filevine.com.

    2. Section 16.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.
    3. Notwithstanding anything to the contrary contained herein, and without prejudice to the ‘Security’ section of this DPA, and compliance with Subscriber’s instructions, Filevine reserves the right to make any updates and changes to this DPA. Updates and changes will be effective as of the time of posting, or such later date as may be specified herein. Subscriber’s continued access or use of the Services after the modifications have become effective will be deemed Subscriber’s acceptance of the modified DPA.
    4. The Parties acknowledge and agree that, to the extent the Services contemplate the processing of Personal Information that is subject to Privacy and Data Protection Requirements that require additional terms in this DPA, the Parties shall enter into an amendment to this DPA that addresses such additional terms.

APPENDIX: STANDARD CONTRACTUAL CLAUSES OPERATIVE PROVISIONS AND ADDITIONAL TERMS

The Standard Contractual Clauses are hereby incorporated into this Processing Addendum and available here:

https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en

The UK Addendum, issued by the ICO in accordance with s119A of the Data Protection Act 2018 and available below. In addition, for the purposes of the UK Addendum, Tables 1 through 3 shall be completed with the appropriate information in Annexes A through C. For Table 4, the option of “Exporter” and “Importer” shall be selected.

https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf

The Standard Contractual Clauses are amended as follows:

Standard Contractual Clauses, Operative Provisions and Additional Terms

For the purposes of the Standard Contractual Clauses, Subscriber is the data exporter and Filevine is the data importer, and the Parties agree to the following. If and to the extent an Authorized Affiliate relies on the Standard Contractual Clauses for the transfer of Personal Information, any references to “Subscriber” in this Appendix, include such Authorized Affiliate.

1. The relevant provisions contained in the Standard Contractual Clauses are incorporated by reference and are an integral part of this DPA.
2. Docking clause. The option under clause 7 shall not apply.
3. Certification of Deletion. The parties agree that the certification of deletion of Personal Information that is described in clause 8.5 and 16(d) of the Standard Contractual Clauses shall be provided by Filevine to Subscriber only upon Subscriber’s written request.
4. Instructions. This DPA and the Subscription Agreement are Subscriber’s complete and final documented instructions at the time of signature of the Subscription Agreement to Filevine for the Processing of Personal Information. Any additional or alternate instructions must be consistent with the terms of this DPA and the Subscription Agreement. For the purposes of clause 8.1(a), the instructions by Subscriber to Process Personal Information are set out in Section 3.1 of this DPA.
5. Security of Processing. For the purposes of clause 8.6(a), Subscriber is solely responsible for making an independent determination as to whether the technical and organizational measures set forth in the Appendix meet Subscriber’s requirements and agrees that (taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the Processing of its Personal Information as well as the risks to individuals) the security measures and policies implemented and maintained by Filevine provide a level of security appropriate to the risk with respect to its Personal Information. For the purposes of clause 8.6(c), personal data breaches will be handled in accordance with section 7 of this DPA.
6. Audits of the SCCs. The parties agree that the audits described in clause 8.9 of the Standard Contractual Clauses shall be carried out in accordance with section 14 of this DPA.
7. General authorization for use of Sub-processors. Option 2 under clause 9 shall apply. For the purposes of clause 9(a), Filevine has Subscriber’s general authorization to engage Sub-processors in accordance with section 9 of this DPA. Filevine shall make available to Subscriber the current list of Sub-processors in accordance with section 9.2 of this DPA. Where Filevine enters into Standard Contractual Clauses with a Sub-processor in connection with the provision of the Services, Subscriber hereby grants Filevine authority to provide a general authorization on Controller's behalf for the engagement of sub-processors by Sub-processors engaged in the provision of the Services, as well as decision making and approval authority for the addition or replacement of any such sub-processors.
8. Notification of New Sub-processors and Objection Right for new Sub-processors. Pursuant to clause 9(a), Subscriber acknowledges and expressly agrees that Filevine may engage new Sub-processors as described in section 9.1 of this DPA. Filevine shall inform Subscriber of any changes to Sub-processors following the procedure provided for in section 9.5 of this DPA.
9. Complaints - Redress. For the purposes of clause 11, and subject to section 10 of this DPA, Filevine shall inform Data Subjects on its website of a contact point authorized to handle complaints. Filevine shall inform Subscriber if it receives a complaint by, or a dispute from, a Data Subject with respect to Personal Information and shall without undue delay communicate the complaint or dispute to Subscriber. Filevine shall not otherwise have any obligation to handle the request (unless otherwise agreed with Subscriber). The option under clause 11 shall not apply.
10. Liability. Filevine’s liability under clause 12(b) shall be limited to any damage caused by its Processing where Filevine has not complied with its obligations under the GDPR specifically directed to Processors, or where it has acted outside of or contrary to lawful instructions of Subscriber, as specified in Article 82 GDPR.
11. Supervision. Clause 13 shall apply as follows:
    1. Where Subscriber is established in an EU Member State, the supervisory authority with responsibility for ensuring compliance by Subscriber with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.
    2. Where Subscriber is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and have appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679, the supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as competent supervisory authority.
    3. Where Subscribers is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679, Commission nationale de l'informatique et des libertés (CNIL) - 3 Place de Fontenoy, 75007 Paris, France shall act as competent supervisory authority.
    4. Where Subscriber is established in the United Kingdom or falls within the territorial scope of application of UK data protection laws and regulations, the Information Commissioner's Office shall act as competent supervisory authority.
    5. Where Subscriber is established in Switzerland or falls within the territorial scope of application of Swiss Data Protection Laws and Regulations, the Swiss Federal Data Protection and Information Commissioner shall act as competent supervisory authority insofar as the relevant data transfer is governed by Swiss Data Protection Laws and Regulations.
12. Notification of Government Access Requests. For the purposes of clause 15(1)(a), Filevine shall notify Subscriber (only) and not the Data Subject(s) in case of government access requests. Subscriber shall be solely responsible for promptly notifying the Data Subject as necessary.
13. Governing Law. The governing law for the purposes of clause 17 shall be the law that is designated in the ‘Governing Law’ section of the Subscription Agreement. If the Subscription Agreement is not governed by an EU Member State law, the Standard Contractual Clauses will be governed by either (i) the laws of France; or (ii) where the Subscription Agreement is governed by the laws of the United Kingdom, the laws of the United Kingdom.
14. Choice of forum and jurisdiction. The courts and venue under clause 18 shall be those designated in the Governing Law section of the Subscription Agreement. If the Subscription Agreement does not designate an EU Member State court as having exclusive jurisdiction to resolve any dispute or lawsuit arising out of or in connection with the Subscription Agreement, the parties agree that the courts of either (i) France; or (ii) where the Agreement designates the United Kingdom as having exclusive jurisdiction, the United Kingdom, shall have exclusive jurisdiction to resolve any dispute arising from the Standard Contractual Clauses. For Data Subjects habitually resident in Switzerland, the courts of Switzerland are an alternative place of jurisdiction in respect of disputes.
15. Conflict. The Standard Contractual Clauses are subject to this DPA and the additional safeguards set out hereunder. The rights and obligations afforded by the Standard Contractual Clauses will be exercised in accordance with this DPA, unless stated otherwise. In the event of any conflict or inconsistency between the body of this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

ANNEX A TO THE APPENDIX: Details of Processing

A. LIST OF PARTIES

B. DESCRIPTION OF TRANSFER

C. COMPETENT SUPERVISORY AUTHORITY

The competent supervisory authority shall be the supervisory authority that has jurisdiction over the Data Exporter/Controller.

ANNEX B TO THE APPENDIX: Data Security

Filevine maintains a strong commitment to information security, compliance, and data privacy. Filevine aligns activities with industry recognized security best practices, compliance frameworks or privacy regulations (where applicable) and contractual obligations. As compliance frameworks and security or privacy obligations change, Filevine strives to update these security policies accordingly. Further information can be found at https://www.filevine.com/security/.

ANNEX C TO THE APPENDIX: Subprocessors

Subprocessors List